- Log data
- Address Message
- Themida - Winlicense Ultra Unpacker 1.4
- -+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- 00340A0F Breakpoint at 00340A0F
- 00340A10 Breakpoint at 00340A10
- 00350054 Breakpoint at 00350054
- OS=x64 64-Bit
- Warning!
- The StrongOD KernelMode will not work on a 64 Bit OS!
- Use the TitanHide tool instead or ScyllaHide plugin!
- 00350056 Breakpoint at 00350056
- 00370021 Breakpoint at 00370021
- 00370028 Breakpoint at 00370028
- 2.000 MB +/-
- 4.796 MB +/-
- Dll Can Move Option is Enabled! = Diffrent loading of targetbase!
- You need to disable this option or system ASLR!
- Dll Can Move was disabled in PE Header now before dumping later!
- Your target is a >>> Dynamic <<< Link Library!
- Note: If possible then don't use the VM OEP for dlls if real OEP is not stolen!
- Change VM OEP after popad to JMP Target OEP!
- Or
- Just set a another push 0 before VM OEP push = 2 pushes before jump to WL VM!
- OEP change if you want to keep VM OEP for Dll
- -------------------------------------------------
- popad
- mov ebp, Align
- push 0
- push VM OEP Value
- jmp WL VM
- -------------------------------------------------
- Exsample: Not stolen Dll OEP!
- -------------------------------------------------
- 100084D2 MOV EDI,EDI
- 100084D4 PUSH EBP
- 100084D5 MOV EBP,ESP
- 100084D7 CMP DWORD PTR SS:[EBP+0xC],0x1 <-- check for 1 must be inside to run the Dll
- 100084DB JNZ SHORT 100084E2 <-- Don't jump if value 1 is inside stack
- Stack: At Target OEP / Not stolen
- -------------------------------------------------
- $ ==> 7C91118A RETURN to ntdll.7C91118A
- $+4 10000000 Dll_X.10000000 <-- Base
- $+8 00000001 <-- 1
- $+C 00000000
- ImageBase in PE keep same = File was loaded with original ImageBase!
- PE HEADER: 6D920000 | 1000
- CODESECTION: 6D921000 | 114000
- PE HEADER till CODESECTION Distance: 1000 || Value of 1000 = Normal!
- Your Target seems to be a normal file!
- Unpacking of NET targets is diffrent!
- Dump running process with WinHex and then fix the whole PE and NET struct!
- 0038064B Breakpoint at 0038064B
- Overlay found & dumped to disk!
- Disasembling Syntax: MASM (Microsoft) <=> OK
- Show default segments: Enabled
- Always show size of memory operands: Enabled
- Extra space between arguments: Disabled
- StrongOD Found!
- ----------------------------------------------
- HidePEB=1 Enabled = OK
- KernelMode=1 Enabled = OK
- KillPEBug=1 Enabled = OK
- SkipExpection=1 Enabled = OK
- Custom Exceptions Enabled = 00000000-FFFFFFFF
- DriverName=TitanHid
- DRX=1 Enabled = OK
- ----------------------------------------------
- Basic Olly & Plugin Settings seems to be ok!
- No InfoBox to User to show now!
- 6DDCE009 Breakpoint at x3.6DDCE009
- 6DDCE00B Breakpoint at x3.6DDCE00B
- Windows 7 or higher found!
- Newer SetEvent & Kernel32 ADs Redirecting in Realtime is disabled by user!
- Kernel Ex Table Start: 76BA01A0
- 003C003F Breakpoint at 003C003F
- PE DUMPSEC: VA 6DDD0000 - VS 3F000
- PE ANTISEC: VA 6DDD1000
- PE OEPMAKE: VA 6DDD1600
- SETEVENT_VM: VA 6DDD21D0
- PE I-Table: VA 6DDD3000
- VP - STORE: VA 6DDD2F00
- and or...
- API JUMP-T: VA 6DDD3000
- 003C003F Breakpoint at 003C003F
- RISC VM Store Section VA is: 6DE10000 - VS 200000
- 003C0041 Breakpoint at 003C0041
- 6DA889C4 Hardware breakpoint 1 at x3.6DA889C4
- Found WL Intern Export API Access at: 6DA88DF2
- Use this address to get all intern access WL APIs!
- 76AF1832 Hardware breakpoint 2 at kernel32.VirtualAlloc
- ---------- Loaded File Infos ----------
- Target Base: 6D920000
- Kernel32 Base: 76AE0000
- Kernel32 SORD: 76AE01F0 | D0000
- Kernel32 SORD: 76AE01F8
- User32 Base: 761E0000
- Advapi32 Base: 763A0000
- ---------------------------------------
- WL Section: 6DA85000 | 21F000
- WL Align: 61B15014 | EBP Pointer Value
- XBundler Prepair Sign not found!
- CISC VM is located in the Themida - Winlicense section 6DA85000 | 21F000.
- No VMWare Check Pointer Inside WL found yet!
- Found No SetEvent WL Location!
- Found No LoadLibraryA WL Location!
- Found No FreeLibrary WL Location!
- TF_FIRST: 6DBC88ED
- Auto XBundler Checker & Dumper is enabled!
- If XBunlder Files are found in auto-modus then they will dumped by script!
- If the auto XBunlder Dumper does fail etc then disable it next time!
- Anti Access Stop on Code Section was Set!
- Moddern MJM Scan Chosen!
- Normal IAT Patch Scan Was Written!
- No VMWare Check Pointer Inside WL found yet!
- 70070000 Module C:\Windows\SysWOW64\winmm.dll
- 004C0306 Hardware breakpoint 3 at 004C0306
- VMWare Address: 6DA8880A | 0
- VMWare Checks are not Used & Disabled by Script!
- 004A0033 Hardware breakpoint 1 at 004A0033
- 771DE1AC Hardware breakpoint 3 at ntdll_12.771DE1AC
- Heap Prot was redirected!
- 75FB0000 Module C:\Windows\SysWOW64\wininet.dll
- 758A0000 Module C:\Windows\SysWOW64\api-ms-win-downlevel-user32-l1-1-0.dll
- 765C0000 Module C:\Windows\SysWOW64\api-ms-win-downlevel-shlwapi-l1-1-0.dll
- 75DE0000 Module C:\Windows\SysWOW64\shlwapi.dll
- 75A10000 Module C:\Windows\SysWOW64\api-ms-win-downlevel-version-l1-1-0.dll
- 72480000 Module C:\Windows\SysWOW64\version.dll
- 761C0000 Module C:\Windows\SysWOW64\api-ms-win-downlevel-normaliz-l1-1-0.dll
- 74B70000 Module C:\Windows\SysWOW64\normaliz.dll
- 75BA0000 Module C:\Windows\SysWOW64\iertutil.dll
- 75F60000 Module C:\Windows\SysWOW64\api-ms-win-downlevel-advapi32-l1-1-0.dll
- 76BF0000 Module C:\Windows\SysWOW64\userenv.dll
- 75F50000 Module C:\Windows\SysWOW64\profapi.dll
- 769B0000 Module C:\Windows\SysWOW64\crypt32.dll
- 76950000 Module C:\Windows\SysWOW64\msasn1.dll
- 765D0000 Module C:\Windows\SysWOW64\setupapi.dll
- 76770000 Module C:\Windows\SysWOW64\cfgmgr32.dll
- 76960000 Module C:\Windows\SysWOW64\devobj.dll
- 71D50000 Module C:\Windows\SysWOW64\hid.dll
- 71D60000 Module C:\Windows\SysWOW64\IPHLPAPI.DLL
- 761D0000 Module C:\Windows\SysWOW64\nsi.dll
- 71D40000 Module C:\Windows\SysWOW64\winnsi.dll
- 74B80000 Module C:\Windows\SysWOW64\shell32.dll
- 75F70000 Module C:\Windows\SysWOW64\ws2_32.dll
- 6DC46135 Hardware breakpoint 2 at x3.6DC46135
- 6D921000 Problems when disabling memory breakpoint:
- 6D921000 Access to memory changed from RE to RWE (original RWECopy)
- 6DC4E1AB Memory breakpoint when writing to [6D921000]
- 6DC4E1AB - REP MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[ESI]
- 6DC4E1AD Breakpoint at x3.6DC4E1AD
- 004C02AF Breakpoint at 004C02AF
- First Found 4 Magic Jumps!
- ------------------------------
- MJ_1: 6DC650FE
- MJ_2: 6DC6511A
- MJ_3: 6DC65158
- MJ_4: 6DC65187
- ------------------------------
- Modern TM WL Version Found!
- -------- IAT RD DATA ---------
- 6DBE7A14 - CMP R32, 10000
- 6DC64597 - Prevent Crasher
- 6DC650FE - Prevent IAT RD
- 6DC6511A - Prevent IAT RD
- 6DC65158 - Prevent IAT RD
- 6DC65187 - Prevent IAT RD
- --------------------------------
- 6DC650FE Hardware breakpoint 2 at x3.6DC650FE
- ----- First API In EAX -----
- API ADDR: 76AF1AF4 | MODULE NAME: kernel32 | API NAME: GetFileAttributesW
- ----------------------------
- MJs and Nopper was patched!
- IAT LOG & COUNT WAS SET!
- IAT WAS MANUALLY PATCHED!
- 6DBAFD6B Breakpoint at x3.6DBAFD6B
- EFL Patch at: 6DBAFD6B
- 6DB267C9 Breakpoint at x3.6DB267C9
- Found no base in registers!
- 6DC63DE5 Hardware breakpoint 2 at x3.6DC63DE5
- Special >> NEW << IAT Patch was written!
- 6DC67F4C Hardware breakpoint 1 at x3.6DC67F4C
- It can be that the VM OEP can not found yet at this moment!
- In some cases the WL code is not created at this late point!
- So if the created VM OEP data will fail then use the real OEP!
- Or find the VM OEP manually!
- Come close at the end and find VM On/Off switch!
- Do Input 1 / Output 0 steps via HWBP write!
- Test on CISC first - MemBPWrite Code = REP DW [EDI],[ESI]
- Now set HWBP on GetProcessHeap and return = close at the end!
- VM OEP = Align + Pre Push (TIGER & FISH VM Only) VM + Push + JMP Handler!
- For newer version you need to use Align to EBP before entering the VM!
- Find that later created commands at OEP in WL section...
- MOV R32,R32 | ADD R32,R32 | JMP R32
- Break on the founds and trace forward till Handler start and check push values!
- Check out my video to see a exsample about it!
- SetEvent VM AD was redirected to: 6DDD21D0 x 1!
- 2.) NEWER VM SIGN FOUND!
- 02610193 Breakpoint at 02610193
- Possible VM OEP STOP FOUND AT: 6DBC88ED
- 004A0033 Hardware breakpoint 1 at 004A0033
- 771DE1AC Hardware breakpoint 2 at ntdll_12.771DE1AC
- Heap One was redirected!
- 004A0033 Hardware breakpoint 1 at 004A0033
- 771DE1AC Hardware breakpoint 2 at ntdll_12.771DE1AC
- Heap Two was redirected!
- 6D9883B6 Memory breakpoint when executing [6D9883B6]
- 000002DB
- 00379C19
- 0054011C Breakpoint at 0054011C
- FOUND_API_COUNTS: 00000113
- 00580149 Breakpoint at 00580149
- 00580174 Breakpoint at 00580174
- Problem!Logged API was not found in Code!
- ++++++++++++++++++++++++++++++++++
- Search Section: 6D921000
- Search End : 6DA34FF0
- API_TOP: 02630010
- API_END: 0263045C
- API_ADDR: 76AF1AF4
- API_ADDR: 75F73EB8
- FOUND_API_COUNTS: 00000113
- API_TOP_NAME: kernel32.GetFileAttributesW
- API_END_NAME: ws2_32.socket
- ++++++++++++++++++++++++++++++++++
- 00580174 Breakpoint at 00580174
- Problem!Logged API was not found in Code!
- ++++++++++++++++++++++++++++++++++
- Search Section: 6D921000
- Search End : 6DA34FF0
- API_TOP: 02630010
- API_END: 0263045C
- API_ADDR: 76AF1AF4
- API_ADDR: 75F73EB8
- FOUND_API_COUNTS: 00000113
- API_TOP_NAME: kernel32.GetFileAttributesW
- API_END_NAME: ws2_32.socket
- ++++++++++++++++++++++++++++++++++
- 00580174 Breakpoint at 00580174
- Problem!Logged API was not found in Code!
- ++++++++++++++++++++++++++++++++++
- Search Section: 6D921000
- Search End : 6DA34FF0
- API_TOP: 02630010
- API_END: 0263045C
- API_ADDR: 76AF1AF4
- API_ADDR: 75F73EB8
- FOUND_API_COUNTS: 00000113
- API_TOP_NAME: kernel32.GetFileAttributesW
- API_END_NAME: ws2_32.socket
- ++++++++++++++++++++++++++++++++++
- 00580174 Breakpoint at 00580174
- Problem!Logged API was not found in Code!
- ++++++++++++++++++++++++++++++++++
- Search Section: 6D921000
- Search End : 6DA34FF0
- API_TOP: 02630010
- API_END: 0263045C
- API_ADDR: 76AF1AF4
- API_ADDR: 75F73EB8
- FOUND_API_COUNTS: 00000113
- API_TOP_NAME: kernel32.GetFileAttributesW
- API_END_NAME: ws2_32.socket
- ++++++++++++++++++++++++++++++++++
- 00580174 Breakpoint at 00580174
- Problem!Logged API was not found in Code!
- ++++++++++++++++++++++++++++++++++
- Search Section: 6D921000
- Search End : 6DA34FF0
- API_TOP: 02630010
- API_END: 0263045C
- API_ADDR: 76AF1AF4
- API_ADDR: 75F73EB8
- FOUND_API_COUNTS: 00000113
- API_TOP_NAME: kernel32.GetFileAttributesW
- API_END_NAME: ws2_32.socket
- ++++++++++++++++++++++++++++++++++
- 00580174 Breakpoint at 00580174
- Problem!Logged API was not found in Code!
- ++++++++++++++++++++++++++++++++++
- Search Section: 6D921000
- Search End : 6DA34FF0
- API_TOP: 02630010
- API_END: 0263045C
- API_ADDR: 76AF1AF4
- API_ADDR: 75F73EB8
- FOUND_API_COUNTS: 00000113
- API_TOP_NAME: kernel32.GetFileAttributesW
- API_END_NAME: ws2_32.socket
- ++++++++++++++++++++++++++++++++++
- 00580174 Breakpoint at 00580174
- Problem!Logged API was not found in Code!
- ++++++++++++++++++++++++++++++++++
- Search Section: 6D921000
- Search End : 6DA34FF0
- API_TOP: 02630010
- API_END: 0263045C
- API_ADDR: 76AF1AF4
- API_ADDR: 75F73EB8
- FOUND_API_COUNTS: 00000113
- API_TOP_NAME: kernel32.GetFileAttributesW
- API_END_NAME: ws2_32.socket
- ++++++++++++++++++++++++++++++++++
- 00580174 Breakpoint at 00580174
- Problem!Logged API was not found in Code!
- ++++++++++++++++++++++++++++++++++
- Search Section: 6D921000
- Search End : 6DA34FF0
- API_TOP: 02630010
- API_END: 0263045C
- API_ADDR: 76AF1AF4
- API_ADDR: 75F73EB8
- FOUND_API_COUNTS: 00000113
- API_TOP_NAME: kernel32.GetFileAttributesW
- API_END_NAME: ws2_32.socket
- ++++++++++++++++++++++++++++++++++
- 0058017B Breakpoint at 0058017B
- 6D9D0000
- 6D9D0474
- 00000478
- Found IAT start and end!
- No Second SAD Found!
- Found no first SAD in target!
- ---------- NEW INFO ----------
- NEW VM OEP SCAN
- WL ALIGIN Mov EBP is: 61B15014
- VM OEP Push Pre is: 379C19
- VM OEP Push is: 2DB
- VM OEP Jump is: 6DBC88ED
- ------------------------------
- No VM OEP Routines to rebuiled!
- 005B0180 Breakpoint at 005B0180
- ----- SLEEP APIS -----
- ----- Found 1 --------
- VM Sleep API Fixed at: 6DBDB472
- ----------------------
- 02610146 Breakpoint at 02610146
- 02610149 Breakpoint at 02610149
- VM OEP Address found! - Is in use!
- VM ADDR: 6DC9A74E
- VM ALIGN MOV : 61B15014
- VM PUSH PRE : 379C19
- VM PUSH : 2DB
- VM JUMP : 6DBC88ED
- New Created OEP is: VA 6DDD1600
- Your target is a DLL file so to use a VM OEP is a bad idea!
- Choose to use the real DLL OEP if its not stolen!
- Stack:
- ------------------------------
- $ ==> | CFC38 | 771E9364
- $+4 | CFC3C | 6D920000
- $+8 | CFC40 | 1
- $+C | CFC44 | 1
- ------------------------------
- Using VM OEP in DLL was disabled by user choice!
- 0261018D Breakpoint at 0261018D
- 0261018D Breakpoint at 0261018D
- 02610190 Breakpoint at 02610190
- 0261018D Breakpoint at 0261018D
- 02610190 Breakpoint at 02610190
- 026101E8 Breakpoint at 026101E8
- ---------- SDK API LIST ----------
- ----------------------------------
- 026101A8 Breakpoint at 026101A8
- 026101AA Breakpoint at 026101AA
- 026101B0 Breakpoint at 026101B0
- 02610173 Breakpoint at 02610173
- Found no JMP to wsprintfA APIs x2!
- CRYPT-to-CODE will not fixed!
- --------------------------
- Check Code Integrity Macro Found at: 6DC960C0
- Check Code Integrity Macro Found at: 6DC9621D
- Check Code Integrity Macro Found at: 6DC963B3
- Patch Check Code Integrity Macro Manually!
- --------------------------
- 02610197 Breakpoint at 02610197
- 02610199 Breakpoint at 02610199
- 02610197 Breakpoint at 02610197
- 02610199 Breakpoint at 02610199
- 02610129 Breakpoint at 02610129
- 0261018D Breakpoint at 0261018D
- 0261018D Breakpoint at 0261018D
- 02610190 Breakpoint at 02610190
- ---------- IAT DATA ----------
- IAT START: 6D9D0000 | 763B141E | advapi32.RegSetValueExW
- IAT END : 6D9D0474 | 758F9CBB | ole32.CoCreateInstance
- IAT SIZE : 478
- IAT APIs : 275 | Dec
- ------------------------------
- Start of new direct IAT fixing!
- Better search and fix pattern used!
- Only fixing direct APIs of real entered IAT start til End by user!
- 02A60020 Breakpoint at 02A60020
- 02A60039 Breakpoint at 02A60039
- 02A60039 Breakpoint at 02A60039
- 02A60031 Breakpoint at 02A60031
- 02A60031 Breakpoint at 02A60031
- 02A6002E Breakpoint at 02A6002E
- 02A60033 Breakpoint at 02A60033
- 02A60035 Breakpoint at 02A60035
- 02A60035 Breakpoint at 02A60035
- 02A60035 Breakpoint at 02A60035
- 02A60041 Breakpoint at 02A60041
- 02A60035 Breakpoint at 02A60035
- 02A60035 Breakpoint at 02A60035
- 02A6003E Breakpoint at 02A6003E
- 02A6002F Breakpoint at 02A6002F
- 02A60031 Breakpoint at 02A60031
- 02A60036 Breakpoint at 02A60036
- 02A6003C Breakpoint at 02A6003C
- 02A60041 Breakpoint at 02A60041
- 02A60041 Breakpoint at 02A60041
- 02A60029 Breakpoint at 02A60029
- 02A60029 Breakpoint at 02A60029
- 02A60039 Breakpoint at 02A60039
- New IAT Patching way was executed!
- API FOUND : 1403 and fixed DIRECT APIs to original IAT by user data.
- 02610142 Breakpoint at 02610142
- 02A80001 Breakpoint at 02A80001
- 02A80015 Breakpoint at 02A80015
- No Delphi Sign found and no TLS deleted!
- Codesection was set to writeable by script before dumping!
- IATStore-Section is already set to writeable!
- 02A90047 Breakpoint at 02A90047
- The old original Import Table was deleted!
- No SetEvent to fix!
- No LoadLibraryA to fix!
- No FreeLibrary to fix!
- eax: 02AA0000 | ASCII "D:\_RE\tools\odbg201\plugins\ARImpRec.dll"
- ecx: 76AF499F | kernel32.LoadLibraryA
- 40000000 Module D:\_RE\tools\odbg201\plugins\ARImpRec.dll
- eax: 40000000 | ASCII "MZP"
- ecx: 02AA0000 | ASCII "TryGetImportedFunction@24"
- eax: 40000000 | ASCII "MZP"
- edi: 76AF1222 | kernel32.GetProcAddress
- eax: 4001F894 | ARImpRec.TryGetImportedFunction@24
- esi: 6D9D0000
- edi: 02BD0000
- ecx: 00000478
- ---------- Pre Calculated Table datas ----------
- I_TABLE Start VA: 6DDD3000 - Size: 2CD8
- P_TABLE Start VA: 6DDD5CD8 - Size: 11F0
- S_TABLE Start VA: 6DDD6EC8 - Size: OpenEnd
- ------------------------------------------------
- ---------- ITA ----------
- Import Table Address RVA: 16406D
- Import Table Size : 95
- -------------------------
- 02BF02C4 Breakpoint at 02BF02C4
- --------- ITA NEW --------
- Import Table Address RVA: 4B3000
- Import Table Size : 157C
- -------------------------
- VP STORE: 6DDD2F00 - 76AF4327 - kernel32.VirtualProtect
- 02BF02C4 Breakpoint at 02BF02C4
- PE ADS + IAT: VA 6DDD0000 | RVA 4B0000 | 9092 Raw
- 02BF02C4 Breakpoint at 02BF02C4
- 02BF02D8 Breakpoint at 02BF02D8
- PE was dumped to disk!
- PE_ADS - 6DDD0000 - 9092
- eax: 02C40000 | ASCII "D:\Games\GarenaAVA\GameData\Apps\AVA\Binaries\XIGNCODE.TPE\x3.xem"
- eax: 02C4003B | ASCII "x3.xem"
- x3.xem
- eax: 02C40041 | ASCII "msvcrt.dll"
- edi: 76AF499F | kernel32.LoadLibraryA
- eax: 75AF0000
- malloc: 75AF9CEE | msvcrt.malloc
- free: 75AF9894 | msvcrt.free
- ldiv: 75AFF908 | msvcrt.ldiv
- OEP_RVA: 004B1600
- 02C60192 Breakpoint at 02C60192
- CodeStart VA: 6D921000 | CODE-FIRST-ZERO-BYTE-TILL-END VA: 6DA1B6D8 | CODERAWSIZE: FA6E0 +8
- Codesection Splitting with Auto-optimizing not necessary!
- 02C8057D Breakpoint at 02C8057D