Unpacking Themida / WinLicense 1.8.x

Title: Unpacking Themida / WinLicense 1.8.x
Author: Richie86
Tools used: OllyDbg (OD) + Phantom + okdodo script + PEiD + ImportRec
Packer used: WinLicense 1.8.9.0
Software name: Cpp1.exe
Software size: 152 KB (original), 1.37 MB (packed)
Operating System: Windows XP SP2

Cpp1.exe (Packed) Download
Cpp1_src.exe (Non-Packed) Download
------------------------------------

Software Introduction:
1. OD
Also known as OllyDbg, a 32-bit assembler-level debugger and a powerful tool for analysing 32-bit x86 code. More info: http://en.wikipedia.org/wiki/OllyDbg

2. Phantom
A plugin for OllyDbg, used to hide OllyDbg from the anti-debugging engine of Themida / WinLicense.

3. okdodo script
This is the unpacking script we will use in this tutorial.

4. PEiD
PEiD detects most common packers, cryptors and compilers for PE files. It can currently detect more than 600 different signatures in PE files.

5. ImportRec
Import Reconstructor is a tool used to fix the IAT (Import Address Table) of the dumped image and rebuild it.

You can easily get these tools from http://www.unpack.cn

------------------------------------

Okay let's get started.

We first have to determine which packer was used. Drag Cpp1.exe into PEiD; you need the latest signature database. Here we find it is packed with Themida / WinLicense 1.8.2.0 or above.
[Screenshot: PEiD result]
Start OllyDbg and make sure your Phantom settings match the screenshot below. Configure them via Plugins > Phantom > Options. You will need to restart OllyDbg for the settings to take effect.
[Screenshot: Phantom settings]

After that, drag Cpp1.exe into OllyDbg. Look at the highlighted line in the main thread: B8 00 00 00 60 (mov eax, 60000000), the entry point stub commonly used by Themida / WinLicense.
[Screenshot: load.jpg, entry point in OllyDbg]
Press ALT + M to switch to the Memory Map tab. Scroll down the list a little and you will find the PE header of msvcrt, which shows that this EXE uses the C++ runtime.
[Screenshot: msvcrt in the Memory Map]

Let's continue. Run the okdodo script via Plugins > ODbgScript > Run Script, then select okdodo.osc.

The script runs automatically. Once you are prompted that the script has completed, the debugger will be stopped at the OEP (Original Entry Point) of your EXE.
[Screenshot: oep.jpg, OllyDbg stopped at the OEP]

Take note of the OEP address shown above: 00401151. We will use it later on.
Next we will dump the image. Do NOT close OllyDbg yet.
Open ImportRec and attach it to the Cpp1.exe process in the list.

You will then see in the status box: Image Base: 00400000. So calculate the OEP as an RVA: 00401151 - 00400000 = 1151.
Fill the OEP into the box and press IAT AutoSearch. ImportRec will inform you that the OEP was found.

Press Get Imports to retrieve all imported functions. The Imports status shows Valid: YES, which means all imported function pointers were matched.

Now dump the image: right-click > Advanced Commands > Select Code Section(s).
[Screenshot: imprec.jpg, ImportRec with imports resolved]

Press Full Dump, then save it somewhere as cpp1_dump.exe.
[Screenshot: dumped.jpg, dump saved]

Then rebuild the dump based on the new OEP. In the main window, press Fix Dump and select the dump image cpp1_dump.exe we just created.
[Screenshot: fixdump.jpg, Fix Dump dialog]

After reconstruction, a new image cpp1_dump_.exe is created. Now run cpp1_dump_.exe and you will see that you have successfully unpacked it.
[Screenshot: done.jpg, unpacked program running]
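As an added example (not part of the original tutorial), the two checks made by hand above done programmatically: reading a PE32 header to see whether the bytes at AddressOfEntryPoint are the B8 00 00 00 60 stub that the tutorial points at in OllyDbg, and converting the noted OEP virtual address into the RVA that ImportRec expects. The minimal PE image it builds is constructed test data, and the stub check is a triage heuristic, not PEiD's full signature.

```python
import struct

THEMIDA_ENTRY_STUB = bytes.fromhex("B800000060")  # B8 00 00 00 60 = mov eax, 0x60000000 (stub seen in OllyDbg)

def parse_pe32(data):
    """Return (image_base, entry_rva, sections) from a PE32 file image."""
    pe = struct.unpack_from("<I", data, 0x3C)[0]           # e_lfanew
    if data[:2] != b"MZ" or data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    _, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, pe + 4)  # COFF header
    opt = pe + 24                                          # optional header start
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:    # Magic: PE32 only (PE32+ lays ImageBase out differently)
        raise ValueError("only PE32 handled")
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]   # AddressOfEntryPoint
    image_base = struct.unpack_from("<I", data, opt + 28)[0]  # ImageBase
    sections = []                                          # (VirtualAddress, size, PointerToRawData)
    for i in range(nsec):
        _, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * i)
        sections.append((va, max(vsize, rawsize), rawptr))
    return image_base, entry_rva, sections

def rva_to_offset(rva, sections):  # file offset for an RVA via the section table, None if unmapped
    for va, size, rawptr in sections:
        if va <= rva < va + size:
            return rawptr + (rva - va)
    return None

def entry_has_themida_stub(data):
    """True when the bytes at AddressOfEntryPoint are the Themida/WinLicense stub."""
    _, entry_rva, sections = parse_pe32(data)
    off = rva_to_offset(entry_rva, sections)
    return off is not None and data[off:off + 5] == THEMIDA_ENTRY_STUB

def oep_rva(oep_va, image_base):
    """ImportRec takes the OEP as an RVA: 0x401151 - 0x400000 = 0x1151."""
    if oep_va < image_base:
        raise ValueError("OEP lies below the image base")
    return oep_va - image_base

def build_sample_pe(entry_bytes):
    """Constructed test image, not a real binary: one .text section at RVA 0x1000 holding the entry."""
    dos = bytearray(64); dos[:2] = b"MZ"; struct.pack_into("<I", dos, 0x3C, 64)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102)   # 1 section, 224-byte optional header
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)       # Magic PE32
    struct.pack_into("<I", opt, 16, 0x1000)     # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, 0x400000)   # ImageBase
    sec = struct.pack("<8sIIIIIIHHI", b".text", 0x200, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    headers = (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sec).ljust(0x200, b"\0")
    return headers + entry_bytes.ljust(0x200, b"\xCC")
```

Call entry_has_themida_stub(open("Cpp1.exe", "rb").read()) on the packed sample to reproduce the tutorial's observation; on a real file, also compare PEiD's result, since packers other than Themida can start with the same instruction.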

Credits: okdodo for the script, unpack.cn for the resources.

Credit: richie86.wordpress.com