How Unpack Themida 2.x.x (WXP)

Unicornuxx
Posts: 1
Joined: Tue Mar 06, 2018 7:46 am

Re: How Unpack Themida 2.x.x (WXP)

Post by Unicornuxx »

Hi everybody,
I tested my exe file with "RDG Packer Detector" and it showed me that it is packed by Themida, but when I use "Protection ID V0.6.6.7" it says: "file appears to have no protection or is using an unkown protection"
Why?
Can anyone help me?
Thanks :)
kalypte
Posts: 1
Joined: Fri Jun 01, 2018 10:35 am

Re: How Unpack Themida 2.x.x (WXP)

Post by kalypte »

I have 1 packed file protected with Themida/Winlicense(2.X) and Unopix(0.94)

Can you unpack it?
http://www.mediafire.com/file/yg92u1bfj ... 8.exe/file
vongcohay
Posts: 1
Joined: Fri Jul 06, 2018 3:50 pm

Re: How Unpack Themida 2.x.x

Post by vongcohay »

CriticalError wrote:I need full binaries to unpack it, because in the process when unpacking it, it asks for a dll called opencv_core242.dll and you only upload an exe.



Can you help me extract the program in the link below? Did I try to follow your tutorial but failed? I need to unpack and find a way to register it (crack). This is a program I need. Can you help me? My email is blubinary2018@gmail.com. If you can do a video tutorial, then you mail it to me? Thank you very much and look forward to your response. respectfully greet!


download link: https://drive.google.com/open?id=1NZwcy ... v8IuXW5KEg
madammar
Posts: 1
Joined: Sun Sep 16, 2018 10:45 pm

Re: How Unpack Themida 2.x.x (WXP)

Post by madammar »

nt api missing on windows 10
noobso
Posts: 1
Joined: Fri Dec 07, 2018 10:24 am

Re: How Unpack Themida 2.x.x (WXP)

Post by noobso »

Hi Everyone,
Please help me unpack this file
Thanks.
Aison
Posts: 1
Joined: Wed Dec 12, 2018 2:26 pm

Re: How Unpack Themida 2.x.x (WXP) - hax program

Post by Aison »

hi everybody!

There is a program that I would like to translate into my language, but the problem is that it is protected by Themida((
I tried to translate according to this instruction, but nothing came of it. If not difficult, please remove the protection

download link: http://www.mediafire.com/file/yscofxgv9 ... 1.rar/file
To make sure it's not a virus, I'll attach a virustotal report: https://www.virustotal.com/#/file/c4d59 ... /detection
kkmak2019
Posts: 1
Joined: Thu Apr 11, 2019 7:21 am

Re: How Unpack Themida 2.x.x (WXP)

Post by kkmak2019 »

Tried to use the 1.4 script. With the unpackme it works well.
With my program it extracts the dumped program but.. "Send-Don't send" error.
https://mega.nz/#!gEA3WKZY!zGIcFrh0tCIL ... ZNwIbvAkUE

Where am I wrong?
kees
Posts: 3
Joined: Sat Jun 01, 2019 1:32 pm

Re: How Unpack Themida 2.x.x (WXP)

Post by kees »

I am new here, so hi guys.

I did read some about Themida, but the later versions get much better, and I have a problem that ScyllaHide in 32dbg cannot dump my target.

Also it is not only protected with Themida but also with a Rocky dongle Everkey; this I had dissolved already a time ago, the known yes/no decision from lazy programmers.
Packing is maybe a better way, but including addresses in a Rocky dongle is even better, but nobody does it; it needs more programming skills and also it can be cracked if a dongle is present. Honestly, everything can be cracked, but learning from each other and the fun, it is great..

regards
kees
Posts: 3
Joined: Sat Jun 01, 2019 1:32 pm

Re: How Unpack Themida 2.x.x (WXP)

Post by kees »

CriticalError wrote:
aluigi wrote:@CriticalError
Maybe you can provide a zip containing the whole ollydbg folder already setup and with all the necessary plugins and modifications so that the users can just unzip and use it without looking for dead links and editing stuff.

done mate, here is the ollydbg folder I use before I think all is there but maybe not xD long time ago doing it and leave it so well it still there and hope it works.

http:// REMOVED www.mediafire.com REMOVED /file/1xvqcqguxfci99i/odbg110.7z



The ollydbg in this zip file? It has something strange, and it looks like it is a virus or something; run it once and the other Ollys also do not load plugins anymore.

Well I am right, all the ollydebug folders I have on the disk are all defective, none load the plugins anymore, none. This is a very dangerous download, please remove it.

I did search in it, OK, what happens: ollydbg gets bigger; after refreshing the file it works again, but with a quick launcher from the Windows desktop it is bad again. The file grows from 1.06 Mb to 1.26 Mb, clearly something gets in it, a virus or other bad stuff, so remove this shit.
kees
Posts: 3
Joined: Sat Jun 01, 2019 1:32 pm

themida 2.4.6

Post by kees »

Hi aluigi


Have changed the post by these.

I have infections from that download, as when I downloaded this ollydbg and ran it everything did not work, especially ollydbg did not load plugins anymore.

I have a VM, one QEMU is in Linux, the other is in Windows, and use an older PC of course, not mine; I do electronics and this contains designs incl. PCB, but for some relaxing I do dig into code. It is relaxing, and it is not for cracking software.

I do have read things about critical error, nice learnings.


Regards
Last edited by kees on Mon Jun 17, 2019 4:34 pm, edited 4 times in total.
aluigi
Site Admin
Posts: 12984
Joined: Wed Jul 30, 2014 9:32 pm

Re: How Unpack Themida 2.x.x (WXP)

Post by aluigi »

@kees
please don't open topics in other sections.

I can do nothing about that file, CriticalError has always been a trusted user (he wasn't even interested in sharing it) and in any case it's clearly stated to use a WinXP virtual machine.
If you have doubts don't use it, and for sure don't use this type of stuff outside a VM.
JeoJ1
Posts: 1
Joined: Sat Jul 13, 2019 10:27 am

Re: How Unpack Themida 2.x.x (WXP)

Post by JeoJ1 »

made an account just to post this, because the files in OP are alarming

>False positive
would be one hell of a false positive
>hurr he even says use inside a vm
that doesn't change the fact that these files are suspicious and that not everyone is going to follow the directions or even read him saying that, which is pretty damn good motive
>trusted
hitler was trusted

incoming wall of text

virustotals:
original ollydbg.exe, same version:
https://www.virustotal.com/gui/file/1a6 ... /detection
ZERO DETECTIONS

exe provided by op:
https://www.virustotal.com/gui/file/77d ... /detection
60/65 detected

ScyllaHideIDASrvx86 orig, found on github
https://www.virustotal.com/gui/file/ad8 ... a2/details
1/56 engines detected

ScyllaHideIDASrvx86.exe provided by op:
https://www.virustotal.com/gui/file/2fe ... 64/details
51/56 engines detected

more digging:

These exe files call WH_MSGFILTER? "The WH_MSGFILTER and WH_SYSMSGFILTER hooks enable you to monitor messages about to be processed by a menu, scroll bar, message box, or dialog box". I'm thinking possible keylogger here, Windows antivirus even reports this as a password stealer.

And other antiviruses report these files as a worm
Sure enough, the files in the OP behave just like that--strange behavior such as communicating on the local network, making suspicious registry accesses, and even infecting other olly installs according to kees, ALL OF WHICH THE ORIGINAL FILES DO NOT DO

AVG detected as W32/Mofksys:
"W32/Mofksys can spread via copying itself to network shares and removable drives."
wouldn't be surprised if these files did exactly that to leave the VM, also the file communicates on the local network
HMM
if that were the case, they might not even be super safe running inside a VM if you were to execute one of the files he modified outside of the VM

finally, the infected files also load a bunch of extra system dlls that the original didn't need

Unless OP has an explanation for this, these files shouldn't be used and the safest bet would be to download all the files from other sources. Tutorial was at least okay though
atom0s
Posts: 250
Joined: Sat Dec 27, 2014 8:49 pm

Re: How Unpack Themida 2.x.x (WXP)

Post by atom0s »

aluigi wrote:@kees
please don't open topics in other sections.

I can do nothing about that file, CriticalError has always been a trusted user (he wasn't even interested in sharing it) and in any case it's clearly stated to use a WinXP virtual machine.
If you have doubts don't use it, and for sure don't use this type of stuff outside a VM.


The MediaFire link is infected. (The very last link in the post.)

The OllyDbg.exe and loaddll.exe in that archive are fake and are instead a virus written in VB6. (Basically, every exe is the same virus in that archive.)
aluigi
Site Admin
Posts: 12984
Joined: Wed Jul 30, 2014 9:32 pm

Re: How Unpack Themida 2.x.x (WXP)

Post by aluigi »

@JeoJ1 @atom0s
ok link of CriticalError removed, left part of the URL just in case.
No idea why he posted a virus... mah
atom0s
Posts: 250
Joined: Sat Dec 27, 2014 8:49 pm

Re: How Unpack Themida 2.x.x (WXP)

Post by atom0s »

aluigi wrote:@JeoJ1 @atom0s
ok link of CriticalError removed, left part of the URL just in case.
No idea why he posted a virus... mah


Not sure why he would either. Perhaps he got fed up with beggars spamming him after posting this tutorial, still not a reason to do it.

Using web archive:


Aug 18, 2015:
https://web.archive.org/web/20150818135421/http://zenhax.com/viewtopic.php?t=1051

Jan 16, 2017:
https://web.archive.org/web/20170116083422/https://zenhax.com/viewtopic.php?t=1051


So the link was added between that timeframe, seems to also be the only thing really ever edited/added to the post.
tonzsm
Posts: 1
Joined: Mon Oct 21, 2019 7:18 am

Re: How Unpack Themida 2.x.x (WXP)

Post by tonzsm »

kalypte wrote:I have 1 packed file protected with Themida/Winlicense(2.X) and Unopix(0.94)

Can you unpack it?
http://www.mediafire.com/file/yg92u1bfj ... 8.exe/file



I am also, other people can help this post
lyliucn
Posts: 1
Joined: Thu Oct 24, 2019 12:51 am

Re: How Unpack Themida 2.x.x (WXP)

Post by lyliucn »

Thank you very much
CriticalError
Posts: 204
Joined: Thu Aug 14, 2014 8:52 pm

Re: How Unpack Themida 2.x.x (WXP)

Post by CriticalError »

aluigi wrote:@JeoJ1 @atom0s
ok link of CriticalError removed, left part of the URL just in case.
No idea why he posted a virus... mah

I don't share a virus because the files are located on my HDD; for what reason would I post a virus and make all this tutorial? That doesn't make sense. I don't know how they tested that it is a virus; anyway, in case it has the original ollydbg from his website, the only thing I do is post resources to unpack it. Sorry if somebody got infected with a malware or whatever you wanna call it, but I don't upload a virus.
atom0s
Posts: 250
Joined: Sat Dec 27, 2014 8:49 pm

Re: How Unpack Themida 2.x.x (WXP)

Post by atom0s »

CriticalError wrote:
aluigi wrote:@JeoJ1 @atom0s
ok link of CriticalError removed, left part of the URL just in case.
No idea why he posted a virus... mah
I don't share a virus because the files are located on my HDD; for what reason would I post a virus and make all this tutorial? That doesn't make sense. I don't know how they tested that it is a virus; anyway, in case it has the original ollydbg from his website, the only thing I do is post resources to unpack it. Sorry if somebody got infected with a malware or whatever you wanna call it, but I don't upload a virus.


While it may not have been intentional, the file that was linked from your post was definitely infected. Every single exe file in the package was a fake VB5/6 program intended to infect users. None of the files were legit or just modded originals. They were all the same virus with the original file name it should have been, along with having the original file icons.
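
A check for the two symptoms reported in this thread (every exe in the archive being the same file under different names, and an executable growing after it was run), as an added example that is not part of any post here. The function names and the sample files are constructed for illustration.

```python
import hashlib
import os
import tempfile
from collections import defaultdict

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def audit_tool_folder(root, baseline=None):
    """Return (snapshot, clones, changed) for the .exe/.dll files under root."""
    snapshot, by_hash = {}, defaultdict(list)
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith((".exe", ".dll")):
                path = os.path.join(dirpath, name)
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                digest = sha256_file(path)
                snapshot[rel] = (digest, os.path.getsize(path))
                by_hash[digest].append(rel)
    # Differently named binaries with identical bytes: one payload under many names.
    clones = sorted(sorted(v) for v in by_hash.values() if len(v) > 1)
    # Files whose content no longer matches the earlier snapshot (or are gone).
    changed = {}
    for rel, (digest, size) in (baseline or {}).items():
        now = snapshot.get(rel)
        if now is None or now[0] != digest:
            changed[rel] = (size, now[1] if now else None)
    return snapshot, clones, changed

def demo():
    # Constructed stand-in files, not real binaries; names are only illustrative.
    with tempfile.TemporaryDirectory() as root:
        def put(name, data):
            with open(os.path.join(root, name), "wb") as f:
                f.write(data)
        put("ollydbg.exe", b"MZ" + b"A" * 100)
        put("loaddll.exe", b"MZ" + b"A" * 100)   # same bytes, different name
        put("plugin.dll", b"MZ" + b"B" * 50)
        baseline, clones, _ = audit_tool_folder(root)
        put("plugin.dll", b"MZ" + b"B" * 50 + b"C" * 20)  # grows after baseline
        _, _, changed = audit_tool_folder(root, baseline)
        return clones, changed

if __name__ == "__main__":
    print(demo())
```

Identical bytes under different names can also be a legitimate copy, so a clone group is a prompt to compare the files against the hashes published by the tool's original source, not a verdict on its own.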
xdvb
Posts: 1
Joined: Sat Mar 28, 2020 4:59 pm

Re: How Unpack Themida 2.x.x (WXP)

Post by xdvb »

Thank you