Cracking a Themida-packed program with a LOADER

Source: Internet
Author: User

[Article Title]: Cracking a Themida-packed program with a LOADER
[Author]: rockhard
[Author's e-mail]: wnh1@sohu.com
[Software name]: test.exe
[Packer]: Themida
[Protection]: Themida
[Tools]: OllyDbg, VC
[Author's statement]: This is purely out of interest and for no other purpose. Please point out any mistakes!
--------------------------------------------------------------------------------
[Detailed process]
The program can be run under OllyDbg and a few key points modified there, but because it is packed with Themida, the packer simply could not be removed no matter what I tried.
So in OllyDbg I decided to write a LOADER that starts the program and then modifies it in memory. CreateProcess, ShellExecute and WinExec all produced an error,
so it seems Themida also has anti-LOADER protection. Since the packer cannot be removed, the LOADER approach is the only way forward.


The most direct idea is to imitate explorer starting the program, and then modify it. The plan is as follows:

1. Create an Event for inter-process synchronisation.
2. Inject a DLL into explorer.
3. The LOADER calls WaitForSingleObject and waits.
4. In the DLL's DLL_PROCESS_ATTACH, create a thread that starts the target program with CreateProcess, using the CREATE_SUSPENDED flag so the target does not run away before we are ready.
5. In the DLL, OpenEvent locates the Event created above and signals it once, which wakes the LOADER thread.
6. The LOADER finds the target process and repeatedly suspends it to check whether the code we want to modify has been decrypted yet. If it has, patch it; if not, resume the target for a short time and check again.

The source has no comments, so I add some here:

The PATCH code snippet is as follows:
//////////////////////////////////////////////////////////////////////////
/**
 * dwProcessID: ID of the process to be patched
 *
 * Return: TRUE if the patch succeeded, otherwise FALSE
 */

#define PATCH_ADDRESS 0x401019   // address to be patched in the target process
#define PATCH_SIZE    16         // number of bytes read from the target process
#define KEY_CODE  "\x72\x12\x68\x3C\x60\x40\x00\x6A\x00\xFF\x15\xA0\x50\x40\x00\x33" // the original code as it appears once the packer has decrypted it
#define NEW_CODE  "\xEB\x12\x68\x3C\x60\x40\x00\x6A\x00\xFF\x15\xA0\x50\x40\x00\x33" // the code we replace it with
#define TRY_TIMES 400            // search at most N times; if the code never appears, give up

// SuspendResumeProcess(dwProcessID, bSuspend) is the author's own helper (not shown here):
// it suspends (TRUE) or resumes (FALSE) every thread of the given process.

BOOL CrackIt (DWORD dwProcessID)
{
    BOOL  bContinueRun = TRUE;
    BOOL  bPatchSucess = FALSE;
    DWORD dwTryTimes = 0;
    DWORD dwOldProtection, dwDummy;

    HANDLE hProcess = OpenProcess (PROCESS_ALL_ACCESS, FALSE, dwProcessID);
    VirtualProtectEx (hProcess, (LPVOID) PATCH_ADDRESS, PATCH_SIZE, PAGE_EXECUTE_READWRITE, &dwOldProtection);

    // Once the PATCH succeeds, bContinueRun is set to FALSE; after N attempts without finding the code, we give up.
    while (bContinueRun && ++dwTryTimes < TRY_TIMES)
    {
        BYTE OldKeyCode[17];

        // Let the target program run for 3 ms, then stop it and read its memory to see whether the code has been decrypted yet.
        SuspendResumeProcess (dwProcessID, FALSE);
        Sleep (3);
        SuspendResumeProcess (dwProcessID, TRUE);

        // Read the bytes at the PATCH address of the target process
        ReadProcessMemory (hProcess, (LPVOID) PATCH_ADDRESS, OldKeyCode, PATCH_SIZE, &dwDummy);

        // Check whether decryption has finished.
        if (!memcmp (OldKeyCode, (BYTE *) KEY_CODE, 16)) {

            // The bytes match, so the code has been decrypted: write our new value.
            WriteProcessMemory (hProcess, (LPVOID) PATCH_ADDRESS, NEW_CODE, PATCH_SIZE, &dwDummy);
            // We have patched, stop checking :-)
            bPatchSucess = TRUE;
            bContinueRun = FALSE;
        }
    }
    VirtualProtectEx (hProcess, (LPVOID) PATCH_ADDRESS, PATCH_SIZE, dwOldProtection, &dwDummy);

    // For debugging
    if (dwTryTimes >= TRY_TIMES)
        OutputDebugString ("Cannot Match Code In Program!");

    // Let the target program run again
    SuspendResumeProcess (dwProcessID, FALSE);

    CloseHandle (hProcess);
    return bPatchSucess;
}
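The loop above (step 6 of the plan) works because the decrypted code sits in memory unchanged long enough for another process to read it, compare it and overwrite it. The following is an added example, not code from the article or from Themida, showing the defensive counterpart: a code-integrity self-check that a protected program can run over its own instruction bytes to notice exactly this kind of patch. The two byte arrays are the article's KEY_CODE and NEW_CODE values, used here as constructed samples of "intact" and "tampered" memory; the function names are my own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added example, not from the article: a code-integrity self-check that a
 * protected program can run over its own instruction bytes to notice the
 * runtime patch that CrackIt applies once the packer has decrypted the code.
 * The two byte arrays below are the article's KEY_CODE and NEW_CODE values,
 * used here only as constructed samples of "intact" and "tampered" memory. */

#define CODE_LEN 16

/* Bytes the article expects to see once Themida has decrypted the code. */
static const uint8_t ORIGINAL_CODE[CODE_LEN] = {
    0x72, 0x12, 0x68, 0x3C, 0x60, 0x40, 0x00, 0x6A,
    0x00, 0xFF, 0x15, 0xA0, 0x50, 0x40, 0x00, 0x33
};

/* The same bytes after the loader's patch (0x72 JB -> 0xEB JMP at offset 0). */
static const uint8_t PATCHED_CODE[CODE_LEN] = {
    0xEB, 0x12, 0x68, 0x3C, 0x60, 0x40, 0x00, 0x6A,
    0x00, 0xFF, 0x15, 0xA0, 0x50, 0x40, 0x00, 0x33
};

/* FNV-1a (32-bit) over a byte range. Each step XORs one byte and multiplies
 * by an odd prime (a bijection on 32-bit state), so two inputs of equal
 * length that differ anywhere yield different digests. It is a fast tamper
 * indicator, not a cryptographic MAC. */
uint32_t code_digest(const uint8_t *code, size_t len)
{
    uint32_t h = 0x811C9DC5u;
    for (size_t i = 0; i < len; i++) {
        h ^= code[i];
        h *= 0x01000193u;
    }
    return h;
}

/* Returns 1 if the bytes currently in memory still match the digest that was
 * recorded for them (in a real build, a constant baked in at link time). */
int code_is_intact(const uint8_t *code, size_t len, uint32_t expected_digest)
{
    return code_digest(code, len) == expected_digest;
}

/* When a check fails, report where the first byte changed so the event can be
 * logged with enough detail to recognise a known patch pattern. Returns -1
 * when the two ranges are identical. */
long first_diff_offset(const uint8_t *expected, const uint8_t *actual, size_t len)
{
    for (size_t i = 0; i < len; i++) {
        if (expected[i] != actual[i])
            return (long)i;
    }
    return -1;
}

int main(void)
{
    /* Baseline recorded while the code is known to be genuine. */
    uint32_t baseline = code_digest(ORIGINAL_CODE, CODE_LEN);

    printf("intact copy  : %s\n",
           code_is_intact(ORIGINAL_CODE, CODE_LEN, baseline) ? "ok" : "TAMPERED");
    printf("patched copy : %s\n",
           code_is_intact(PATCHED_CODE, CODE_LEN, baseline) ? "ok" : "TAMPERED");

    long off = first_diff_offset(ORIGINAL_CODE, PATCHED_CODE, CODE_LEN);
    if (off >= 0)
        printf("first changed byte at offset %ld: 0x%02X -> 0x%02X\n",
               off, ORIGINAL_CODE[off], PATCHED_CODE[off]);
    return 0;
}
```

Two points follow from the article's loop. The loader resumes the target for only 3 ms between reads and writes the patch the moment the expected bytes appear, so a check that runs once at start-up would pass; the check has to be repeated from inside the protected code path while it executes. And a check like this lives in the same writable memory as the code it guards, so it can itself be overwritten; it is one layer on top of the packer's own anti-LOADER detection described earlier, not a replacement for it.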


Also, an absolute path could not be used when creating the target process; I don't know why. I later solved this by changing the working directory with SetCurrentDirectory:
#define WORK_DIRECTORY     "C:\\test"
#define CRACK_PROGRAM_NAME "test.exe"   // if this is written as c:\test\test.exe and passed to CreateProcess, the target program does start, but explorer fails

DWORD WINAPI StartProcess (LPVOID lpParam)
{
    STARTUPINFO si = { sizeof (si) };
    PROCESS_INFORMATION pi;

    si.dwFlags = STARTF_USESHOWWINDOW;
    si.wShowWindow = TRUE;

    SetCurrentDirectory (WORK_DIRECTORY);   // IMPORTANT!!

    // Start the target suspended so it does not run before the LOADER is ready
    BOOL bRet = CreateProcess (NULL, CRACK_PROGRAM_NAME,
                               NULL, NULL, FALSE, CREATE_SUSPENDED,
                               NULL, NULL, &si, &pi);

    if (bRet) {
        CloseHandle (pi.hThread);
        CloseHandle (pi.hProcess);
    }

    // EVENT_OBJECT_NAME is the event name shared with the LOADER (defined elsewhere in the author's source)
    HANDLE hEvent = OpenEvent (EVENT_ALL_ACCESS, FALSE, EVENT_OBJECT_NAME);
    SetEvent (hEvent);
    CloseHandle (hEvent);

    return 0;
}

Code injected into explorer (thanks to kesummer on CSDN for the help):
BOOL CInjector::InjectModuleInto (DWORD dwProcessId)
{
    // Do not inject into ourselves
    if (GetCurrentProcessId () == dwProcessId)
        return FALSE;

    // The following code checks whether the DLL has already been injected into explorer.
    BOOL bFound = FALSE;
    MODULEENTRY32 me32 = { 0 };
    me32.dwSize = sizeof (MODULEENTRY32);

    HANDLE hModuleSnap = CreateToolhelp32Snapshot (TH32CS_SNAPMODULE, dwProcessId);
    if (Module32First (hModuleSnap, &me32)) {
        do {
            if (lstrcmpiA (me32.szExePath, m_szDllName) == 0) {
                bFound = TRUE;
                break;
            }
        }
        while (Module32Next (hModuleSnap, &me32));
    }
    CloseHandle (hModuleSnap);

    if (bFound) return FALSE;


    HANDLE hProcess = OpenProcess (
        PROCESS_VM
