
Unpacking Themida 2.x 64bit … Without Actually Unpacking - REDUX!

192 ratings | 11219 views
Open Analysis Live! In this tutorial we show how to unpack a Themida 2.x 64bit PE file.... kind of : ) Instead of attacking the Themida protection directly we will demonstrate how a bad architecture decision to use process injection (runpe) made it easy to dump the unpacked PE. This video is a re-post of a video we made last week. In this video we use a sample that we built ourselves to mimic a common malware technique for demonstration purposes. The demo code is from the great demo repository maintained by @hasherezade https://github.com/hasherezade/demos. We built the sample using CMake and the Visual Studio Express 2015 x64 compiler.

More information about the commercial packer Themida and WinLicense can be found on the Oreans website here: https://www.oreans.com/themida.php
The x64dbg debugger with Scylla can be downloaded here: https://x64dbg.com/#start
PE-bear is one of our favorite PE manipulation tools (also from @hasherezade). It is no longer supported but you can still download a copy here: https://hshrzd.wordpress.com/pe-bear/
DIE - Detect It Easy can be downloaded here: http://ntinfo.biz/index.html

Feedback, questions, and suggestions are always welcome : )
Sergei https://twitter.com/herrcore
Sean https://twitter.com/seanmw
As always check out our tools, tutorials, and more content over at http://www.openanalysis.net
Text Comments (61)
Anon 123 (10 days ago)
Nice of you to take it down but technically you didn't have to because of fair use.
TradingFuturo (11 days ago)
Disappointing to not see actual Themida unpacking. This video should be named "dumping a refilled hollow process".
OALabs (8 days ago)
Lolol that's the point 😂😂
Rearm (12 days ago)
I bet you can't unpack this, make a video about this: https://www.mediafire.com/file/9rgr4l0auif9yu0/Unpack_me_LEVEL_GOD.rar/file
Rearm (11 days ago)
+OALabs hehe I hope you unpack it hehe
OALabs (11 days ago)
Lol! A fresh take on plz unpack!! I like it 🤣🤣
Samurai Metropolis (1 month ago)
Thank you so much for sharing this with us. I didn't understand some parts but it's okay. I really wanna get into the world of malware analysis and reverse engineering in general but unfortunately I don't know where to start. Would you kindly help me with some book recommendations, advice or a place where I can start? Anything will be appreciated.
Samurai Metropolis (1 month ago)
Thank you so much for your kindness
OALabs (1 month ago)
Hey for sure! I think I've posted a response to this sort of question before but it's worth repeating. So technical books aren't really my go-to for learning new skills, I find them to be a good reference but in terms of actually learning new RE skills I personally prefer videos or blog posts with lots of instructional photos (just a personal preference). Probably the best guides I have seen for getting started are Hasherezade's post here https://hshrzd.wordpress.com/how-to-start/ and Todd's list of resources here: https://malwareanalysisforums.com/topic/7/malware-analysis-resources-noobs-read-first. I also really like the Dr. Fu tutorial series (a bit dated but it covers the basics very well) http://fumalwareanalysis.blogspot.com/p/malware-analysis-tutorials-reverse.html. This should get you started : )
G F (1 month ago)
How should I unpack Unopix (0.94)? Thx!
Tim Abdiukov (4 months ago)
Thanks so much! This is what I always had in mind, and I'm glad someone had actually figured out such an approach. Question: is it ever realistically possible to dump the process memory, and then manually cherry-pick the original EXE and then restore the appropriate header, VA+RVA, OEP and so on, manually by hand?
David Tom (4 months ago)
Nice video. You are awesome. But it is not working for an x86 exe. Can you unpack an x86 exe? And in the x86 exe, there is a packed section in memory.
far2ez (6 months ago)
First, let me say: thanks for the videos! Your quick editing style actually makes this one of the most, dare I say, PACKED packer-related resources I've found online. That said, there's a piece of software I had already reversed in the past that was "protected" via Thinstall (VM ThinApp 2.X). I knew it had created a second process, so I wanted to revisit it and try your method here, just out of curiosity/learning. Interestingly, all steps worked fine (including dumping out the second process, locating its entry point, etc). Executing it didn't work, however, and popping it into x32dbg shows me that it's doing direct, hard-coded comparisons against memory regions that aren't in bounds. That is to say: if .text is 0x00401000 and has a size of 0x65000, the maximum address is 0x00465FFF, and the next (protected) region begins at 0x004F0000; meanwhile, hard-coded memory addresses reference, for example: cmp dword ptr ds:[0x0047628C], esi. As you can see, 0x0047628C is out of bounds (> 0x00465FFF, < 0x004F0000), and so I'm getting a C5 EXCEPTION_ACCESS_VIOLATION. Are you familiar with this issue in post-dumped processes? Is this a scenario where I can just increase the "Size of Code" segment in PE-bear, or do you have experience that indicates I'm barking up the wrong tree? Thank you!
far2ez (6 months ago)
I see! I hadn't realized that the goal was static analysis in IDA! I thought the method was not working for me because I was trying to perform dynamic analysis on the new PE. Whoops :) In my particular case, I cannot attach x32dbg to the secondary (created) process while it is running. If I try, I immediately get a "[Terminated] Debugger stopped!" red message in the bottom-left corner of the debugger. This happens regardless of whether I attempt to attach to the process with the already-opened x32dbg or whether I attempt to connect to it with a secondary x32dbg; it also happens whether I attempt to connect to it IMMEDIATELY after "NtCreateUserProcess" is called by kernel32 or whether I wait for the "NtResumeThread" to happen first. I'm unsure why it happens, and it's what stops me from being able to perform dynamic analysis on the inner packed file directly. I hate to ask, but do you have links for those videos where you mentioned reconstructing injected code? I've seen several for dumping it, but none yet for reconstructing it! In fact, I hadn't even realized that there'd be so much involved with reconstructing code before, but I suppose it makes sense that I'd need to find and frankenstein together all of the old sections. Thanks again!
OALabs (6 months ago)
Interesting! So usually when we are unpacking software it is with the goal of being able to load it in IDA and start reverse engineering it statically. Because of this we rarely take the time to fix up the unpacked PE to the point where it can actually be run as a stand-alone exe. In this tutorial we didn't cover fixing the IAT or direct memory dumping (without Scylla) because it was just supposed to be a simple example. I can however suggest three things to check that might help in your case:

1) Instead of using Scylla to dump the second process PE, attach to it with a debugger and dump each PE section to a file on disk (you may notice that these sections are much larger and include the references you are missing). Combine these sections with a hex editor to make one large PE "blob". Don't exit the process, just keep it paused with the debugger attached as you will need it for the next few steps.

2) Load the PE blob in PE-Bear and update the PE base address to match the start address of the first section you dumped (address of the MZ in memory). Also in PE-Bear edit the section table so that the raw section addresses and sizes are the same as the virtual ones. Save this fixed PE to disk.

3) Check the IAT and make sure it has been properly defined. If it hasn't, you can use Scylla to fix it. Attach Scylla to the running process and change the OEP to the one from your dumped file. Then use the auto-locate to find the IAT. Then use the fix-dump feature in Scylla to add the IAT to your fixed PE file.

These steps have been covered in some of our other videos where we discuss different ways to dump and reconstruct injected code. If this still doesn't give you a working PE file you may have run into a case where the injected code isn't a full PE and you may have to build the PE by hand, or the injected code is still packed in some way. These are both more advanced topics that we may cover in future videos. Good luck! P.S. Glad you enjoyed the tutorial : )
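As an added example (not from the video or from either commenter), here is a small Python script that performs step 2 of the reply above on a raw section dump: it rebases the image to the address of the MZ in memory and copies each section's virtual offset and size over the raw ones. It also shows why the dumped .text in the question above was too small: the raw sizes in the section table still describe the on-disk file, and a memory dump has to use the virtual layout instead. The PE image it operates on is constructed inline; the base address, section names and sizes are assumed values, not taken from any real sample.

```python
import struct

def _parse(blob):
    """Return (optional_header_off, optional_header_size, n_sections, (base_fmt, base_off)) or raise."""
    nt = struct.unpack_from("<I", blob, 0x3C)[0]                  # e_lfanew
    if blob[:2] != b"MZ" or blob[nt:nt + 4] != b"PE\0\0":
        raise ValueError("dump does not start with a valid MZ/PE header")
    n_sections, = struct.unpack_from("<H", blob, nt + 6)
    opt_size, = struct.unpack_from("<H", blob, nt + 20)
    opt = nt + 24                                                 # IMAGE_OPTIONAL_HEADER
    magic, = struct.unpack_from("<H", blob, opt)
    if magic not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic 0x%x" % magic)
    # ImageBase is a u64 at +24 for PE32+ (0x20B) and a u32 at +28 for PE32 (0x10B)
    return opt, opt_size, n_sections, (("<Q", opt + 24) if magic == 0x20B else ("<I", opt + 28))

def image_base(blob):
    _, _, _, (fmt, off) = _parse(blob)
    return struct.unpack_from(fmt, blob, off)[0]

def sections(blob):
    """List (name, VirtualAddress, VirtualSize, PointerToRawData, SizeOfRawData) per section."""
    opt, opt_size, n, _ = _parse(blob)
    hdrs = [struct.unpack_from("<8sIIII", blob, opt + opt_size + i * 40) for i in range(n)]
    return [(nm.rstrip(b"\0").decode(), va, vs, raw, rs) for nm, vs, va, rs, raw in hdrs]

def fix_dumped_pe(blob, dump_base):
    """Step 2 of the comment: rebase to the address of the MZ in memory and make each
    section's raw offset/size equal its virtual ones, so the file layout matches memory."""
    img = bytearray(blob)
    opt, opt_size, n, (fmt, off) = _parse(img)
    struct.pack_into(fmt, img, off, dump_base)
    for i in range(n):
        hdr = opt + opt_size + i * 40                             # IMAGE_SECTION_HEADER is 40 bytes
        vsize, va = struct.unpack_from("<II", img, hdr + 8)
        if va + vsize > len(img):
            raise ValueError("section %d extends past the end of the dump" % i)
        struct.pack_into("<II", img, hdr + 16, vsize, va)        # SizeOfRawData, PointerToRawData
    return bytes(img)

def build_sample_dump():
    """Constructed stand-in for a raw memory dump of a tiny PE32+ image (not a real binary)."""
    secs = [(b".text", 0x1000, 0x2000), (b".data", 0x3000, 0x0800)]  # (name, VA, VirtualSize)
    img = bytearray(0x4000)
    img[0:2], img[0x40:0x44] = b"MZ", b"PE\0\0"
    struct.pack_into("<I", img, 0x3C, 0x40)                        # e_lfanew
    struct.pack_into("<HHIIIHH", img, 0x44, 0x8664, len(secs), 0, 0, 0, 0xF0, 0x22)
    struct.pack_into("<H", img, 0x58, 0x20B)                       # Magic: PE32+
    struct.pack_into("<Q", img, 0x58 + 24, 0x140000000)            # stale on-disk ImageBase
    struct.pack_into("<I", img, 0x58 + 56, len(img))               # SizeOfImage
    for i, (name, va, vsize) in enumerate(secs):                   # raw fields still describe the disk file
        struct.pack_into("<8sIIII", img, 0x148 + i * 40, name, vsize, va, 0x200, 0x400 + i * 0x200)
    return bytes(img)
```

The IAT repair in step 3 is not covered here; run the fixed file through Scylla's fix-dump as the reply describes.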
sent4dc (6 months ago)
Just from curiosity: what was the commercial product that they unpacked in the first video that was removed?
Leroy C (6 months ago)
New to unpacking, does this work on all process injection or just process hollowing? And which API call could we breakpoint on to check if this will work, if you don't mind? Thank you in advance. Really good lesson.
OALabs (6 months ago)
Yes this will work for any scenario where unprotected code is injected into another process. If the code that is injected is not protected then you can dump it. You can check out some of our other videos on different injection techniques to see which APIs to set breakpoints on, it varies depending on the scenario : )
Mahmoud Sheikhan (6 months ago)
Hi, I did it one by one but I get this warning in PE-Bear: "Wrong RVA supplied! RVA is out of image scope!" And I tried it on WinLicense 2.4 and this way does not work.
kota wale (6 months ago)
Please help me, I want to unprotect my Enigma exe.
Ted Mosby (7 months ago)
Nice video bro, I am gonna have to try this 100%. What about encrypted rar/zips, are there any exploits or public bugs? I don't think brute force will cut it with what I want to crack. I will add that it's not private software, it's a rar of malware which I wish to study.
OALabs (6 months ago)
I'm assuming you are talking about a self-extracting rar in which case it runs just like a normal PE file so these techniques might work... if the rar runs and it creates a sub-process then you may be in luck. We are attacking the fact that this is doing injection into a second process not the actual protection of the PE so the same technique will work with any protection that uses the same injection techniques. Good luck!
chérif Aly (9 months ago)
Is it possible to do the same thing with just a DLL file protected with Themida? I can't find a way to dump the file..
OALabs (9 months ago)
This trick only works if the developer makes the same mistake we demonstrate in the tutorial and injects an unpacked PE into a process. If they do it from a DLL or an exe the results will be the same.
Nagumo yagami (10 months ago)
How would you like to know if you can do a job for me?
OALabs (10 months ago)
If it's unpacking Themida I think you are out of luck : ) Feel free to contact us though, we are always happy to answer questions and help analyze malware. As usual you will find our contact info on the website http://www.openanalysis.net/#contact
Gmgamestr (10 months ago)
No, it doesn't work with all software (PE), because for me the entry point was 0000 in the debugger, so it won't execute after writing the 0000 entry point into the exe with PE-Bear!
zelo (11 months ago)
How is this done when antipatch is enabled?
OALabs (10 months ago)
Part of what we were trying to demonstrate is that it doesn't matter what protections you enable in the packer: if you inject your unpacked code into memory it can be dumped : )
Tio Peperino (1 year ago)
10:24 - I'm analyzing a target which is protected by Themida, it's a DLL module, and that is being injected into an unprotected process, will the same technique work? I could also just check it for myself, but better get feedback from the pros before I get my hands dirty and maybe try it and fail cuz I'm doing something wrong :D
OALabs (11 months ago)
It depends on how the DLL was protected... if the developers made the mistake of injecting their code outside of the Themida protector then this technique may work but the fact that they protected the DLL itself suggests that they used Themida correctly and this probably won't work. The best way to find out is to just give it a try : )
Anthony DiDonato (1 year ago)
Nice work, and thanks for sharing your knowledge
SoftDat CLS (1 year ago)
Very Good!!! nice video Thanks friend
COB RCE (1 year ago)
Hi, thanks for the video! I have some questions. The first one is: since Scylla and x32dbg are targeting the same process, how come the header dumped by the first one is different from the one seen in the second one? The second question is about PE-Bear: for the same purpose I usually use CFF Explorer and it's perfect with both native and .NET, so do you advise PE-Bear over CFF and why? Thanks in advance
OALabs (1 year ago)
Yeh this got me before, I thought I had that unchecked when I made the dump but maybe not! Good point!
COB RCE (1 year ago)
OALabs, so if the reason for the difference is that Scylla is "trying to do some fancy stuff", I think that it's because of "get EIP as OEP". I'm not sure of this and didn't check it, it's just a guess because we have this option in OllyDump.
OALabs (1 year ago)
Hey that's a great question about the header difference, I actually don't know what caused it! Scylla does try to do some fancy stuff once in a while and I'm not familiar enough with the tool to actually know what's going on under the hood. My guess is that it tried to automatically re-calculate the OEP but I really don't know... since Scylla is OSS I'm going to add this to my rainy day reading list, and I'll follow up once I figure it out : ) In the meantime if anyone else has any suggestions leave a comment, I'm super curious! As for CFF vs. PE-Bear there is no advantage of PE-Bear over CFF, in fact CFF is more powerful in many ways, and I definitely take advantage of its built-in UPX extractor when I need to. It just comes down to personal preference, I like the layout of PE-Bear better, it feels easier to navigate. It's funny, they are almost identical and yet a bit of colour and some rearranged buttons makes all the difference... Sadly PE-Bear isn't in development anymore : ((
Thanks from Italy
OALabs (1 year ago)
Thank you! From snowy Canada : )
RealGordonRamsay (1 year ago)
do vmprotect
chérif Aly (8 months ago)
RealGordonRamsay this method is by far the best method to unpack any protector, whether it is cheap or extremely expensive like Themida or VMP.
sandra marin (11 months ago)
Hi friend winlicense ?
OALabs (1 year ago)
I have to admit you made me lol! Also, I think you did a better job than me of explaining why it would be pointless to do a video on VMProtect, two thumbs up and four lolling cats! 👍👍 😹 😹 😹 😹
SoftDat CLS (1 year ago)
yes please thanks.
COB RCE (1 year ago)
Look at the diagram at 2:00: the brown round rectangle represents Themida. Now let's represent VMProtect, and since you say that it has more protections, just replace the brown with a more aggressive color and add spikes. We still see that the protection remains only in the injector while the injected code is left without protection.
Виталий к (1 year ago)
Scylla cannot dump image when "Use PE Header from disk" is unchecked. What could be the problem?
OALabs (1 year ago)
Hmm there could be a lot of things going on... Scylla chokes on lots of stuff but the most common thing to check for is to make sure that if the process is running with elevated privileges you run Scylla with elevated privileges. Also check to make sure that Scylla is not trying to read a PE file that is protected or write to a directory that is protected... If that doesn't help then there is probably some more troubleshooting required : (
Jurjen de Jonge (1 year ago)
Cool video thanks for uploading!
Mahmud Rahman (1 year ago)
https://github.com/x64dbg/ScyllaHide (User mode) https://github.com/mrexodia/TitanHide (kernel Mode) Best Plugins Ever For Hiding Debugger... :P
OALabs (1 year ago)
Whoa nice! I knew about ScyllaHide but not about TitanHide. I'll definitely check it out. I'm not as well versed with the kernel level cloaking in general, certainly something I want to learn more about. Thanks!
EnduranceT (1 year ago)
Thanks for the great videos always. I got a request: Can you guys do a video about decrypting and decoding encrypted data inside of malware/binaries? For example, often we see some resource or data in memory which has been encrypted or encoded and we have to find the data first, then figure out the algorithm and/or locate the place in memory where the data is exposed etc.... This can be tricky. Thank you.
OALabs (1 year ago)
That's a great idea. I think the next sample that we will use to demonstrate some analysis techniques is the emotet one that you submitted to our last video. I think it has some data that will allow us to demonstrate this technique. If not, we will definitely find a sample that does.
Mercenary Frank (1 year ago)
lol ArtificialAiming cried or something?
lexa (7 months ago)
This doesn't matter for cheat providers lolz
Tio Peperino (1 year ago)
Many cheat makers are crying xD
ISquishWorms (1 year ago)
Thanks for covering the unpacking topic, it is one that I sometimes struggle with. I agree it is important as packing is used by malware.
0x0FD3CD (1 year ago)
Great video!
std:: cat (1 year ago)
awesome work!
Nathan (1 year ago)
Loving the vids.
