Unpacking Themida 1.8.x: Bubble Hall invincible plug-in 3.16

Source: Internet
Author: User

First, check the packer with PEiD: nothing is detected. Looking at the section names, one contains the word "themida", so the initial estimate is Themida 1.8.x.

After loading, hide OD (HideOD) and set a memory write breakpoint on the code section.

0041d014 > B8 00000000 mov eax, 0 ; entry point, look at the code
0041d019 60 pushad
0041d01a 0bc0 or eax, eax ; the Themida shell is recognizable at a glance
0041d01c 74 68 je short invincible plug-in.0041d086
0041d01e E8 00000000 call invincible plug-in.0041d023
0041d023 58 pop eax
0041d024 05 53000000 add eax, 53
0041d029 8038 E9 cmp byte ptr ds:[eax], 0e9
0041d02c 75 13 jnz short invincible plug-in.0041d041
0041d02e 61 popad
0041d02f EB 45 jmp short invincible plug-in.0041d076

================================================================================================================

Shift+F9 to run. The first break is as follows:

004f14a2 F3:A4 rep movs byte ptr es:[edi], byte ptr ds:[> ; press F7 once, then F8
004f14a4 c685 cd2a1b07 5> mov byte ptr ss:[ebp+71b2acd], 56
004f14ab 68 127d1fd4 push d41f7d12
004f14b0 ffb5 fd051b07 push dword ptr ss:[ebp+71b05fd]
004f14b6 8d85 e87c1e07 lea eax, dword ptr ss:[ebp+71e7ce8]
004f14bc ffd0 call eax
004f14be 68 00800000 push 8000
004f14c3 6a 00 push 0
004f14c5 52 push edx
004f14c6 ffd0 call eax

================================================================================================================

Shift+F9 to continue running; it breaks below:

004f52e1 8908 mov dword ptr ds:[eax], ecx ; breaks here; look at the code above it

================================================================================================================

004f4a80 /0f84 17000000 je invincible plug-in.004f4a9d
004f4a86 |83bd 310e1b07 0> cmp dword ptr ss:[ebp+71b0e31], 0
004f4a8d |0f85 0a000000 jnz invincible plug-in.004f4a9d ; ==== changed to jmp 004f4a9d ====
004f4a93 |c785 410c1b07 0> mov dword ptr ss:[ebp+71b0c41], 1
004f4a9d \61 popad
004f4a9e B9 46a60308 mov ecx, 803a646
004f4aa3 BA 9ad13616 mov edx, 1636d19a

..............................................

004f4bc4 5E pop esi
004f4bc5 83bd 31011b07 0> cmp dword ptr ss:[ebp+71b0131], 1
004f4bcc 0f84 39000000 je invincible plug-in.004f4c0b ; ==== changed to jmp 004f4bf6 ====
004f4bd2 3b8d 29081b07 cmp ecx, dword ptr ss:[ebp+71b0829]
004f4bd8 0f84 2d000000 je invincible plug-in.004f4c0b
004f4bde 3b8d 1d171b07 cmp ecx, dword ptr ss:[ebp+71b171d]
004f4be4 0f84 21000000 je invincible plug-in.004f4c0b
004f4bea 3b8d 552a1b07 cmp ecx, dword ptr ss:[ebp+71b2a55]
004f4bf0 0f84 15000000 je invincible plug-in.004f4c0b
004f4bf6 8d9d e2fd2107 lea ebx, dword ptr ss:[ebp+721fde2]
004f4bfc ffd3 call ebx
004f4bfe 8bf8 mov edi, eax
004f4c00 8985 1d2f1b07 mov dword ptr ss:[ebp+71b2f1d], eax
004f4c06 E9 b4060000 jmp invincible plug-in.004f52bf
004f4c0b 8d9d e2fd2107 lea ebx, dword ptr ss:[ebp+721fde2]
004f4c11 ffd3 call ebx
004f4c13 83bd 31011b07 0> cmp dword ptr ss:[ebp+71b0131], 0

================================================================================================================

Modify the two jumps above (to bypass the encryption) and return to the break location. Use HideOD to allocate a block of memory (mine is at 2a30000).

004f52e1 8908 mov dword ptr ds:[eax], ecx ; break location, changed to jmp 2a30000
004f52e3 AD lods dword ptr ds:[esi]
004f52e4 c746 FC 0000000> mov dword ptr ds:[esi-4], 0
004f52eb 89b5 6d301b07 mov dword ptr ss:[ebp+71b306d], esi ; address A, write it down
004f52f1 83f8 FF cmp eax, -1
004f52f4 0f85 20000000 jnz invincible plug-in.004f531a
004f52fa 813e dddddddd cmp dword ptr ds:[esi], dddddddd
004f5300 0f85 14000000 jnz invincible plug-in.004f531a
004f5306 c706 00000000 mov dword ptr ds:[esi], 0
004f530c 83c6 04 add esi, 4
004f530f 89b5 6d301b07 mov dword ptr ss:[ebp+71b306d], esi
004f5315 ^E9 e6f6ffff jmp invincible plug-in.004f4a00
004f531a c1c0 03 rol eax, 3
004f531d 0385 11171b07 add eax, dword ptr ss:[ebp+71b1711]
004f5323 83bd 99221b07 0> cmp dword ptr ss:[ebp+71b2299], 1
004f532a 0f84 9d000000 je invincible plug-in.004f53cd
004f5330 813e aaaaaaaa cmp dword ptr ds:[esi], aaaaaaaa
004f5336 0f85 12000000 jnz invincible plug-in.004f534e
004f533c 83c6 04 add esi, 4
004f533f c746 FC 0000000> mov dword ptr ds:[esi-4], 0
004f5346 97 xchg eax, edi
004f5347 B0 E9 mov al, 0e9
004f5349 E9 03000000 jmp invincible plug-in.004f5351
004f534e 97 xchg eax, edi
004f534f B0 E8 mov al, 0e8
004f5351 50 push eax
004f5352 83bd 31011b07 0> cmp dword ptr ss:[ebp+71b0131], 1
004f5359 0f84 3e000000 je invincible plug-in.004f539d
004f535f B8 00010000 mov eax, 100
004f5364 83bd c7e82107 0> cmp dword ptr ss:[ebp+721e8c7], 0
004f536b 0f84 08000000 je invincible plug-in.004f5379
004f5371 8d9d 61712107 lea ebx, dword ptr ss:[ebp+7217161]
004f5377 ffd3 call ebx
004f5379 803f 90 cmp byte ptr ds:[edi], 90
004f537c 0f84 08000000 je invincible plug-in.004f538a
004f5382 83c7 05 add edi, 5
004f5385 E9 43000000 jmp invincible plug-in.004f53cd
004f538a 83f8 50 cmp eax, 50
004f538d 0f82 0a000000 jb invincible plug-in.004f539d
004f5393 B0 90 mov al, 90
004f5395 AA stos byte ptr es:[edi]
004f5396 58 pop eax
004f5397 AA stos byte ptr es:[edi]
004f5398 E9 24000000 jmp invincible plug-in.004f53c1 ; changed to jmp 2a30014
004f539d 58 pop eax
004f539e AA stos byte ptr es:[edi]
004f539f 807f FF E9 cmp byte ptr ds:[edi-1], 0e9
004f53a3 0f85 18000000 jnz invincible plug-in.004f53c1 ; changed to jmp 2a30036
004f53a9 83bd c7e82107 0> cmp dword ptr ss:[ebp+721e8c7], 0 ; address C, write it down
004f53b0 0f84 08000000 je invincible plug-in.004f53be
004f53b6 8d9d 31712107 lea ebx, dword ptr ss:[ebp+7217131]
004f53bc ffd3 call ebx
004f53be 8847 04 mov byte ptr ds:[edi+4], al ; NOP this
004f53c1 8b85 1d2f1b07 mov eax, dword ptr ss:[ebp+71b2f1d] ; address B, write it down
004f53c7 2bc7 sub eax, edi
004f53c9 83e8 04 sub eax, 4
004f53cc AB stos dword ptr es:[edi] ; NOP this
004f53cd AD lods dword ptr ds:[esi]
004f53ce c746 FC 0000000> mov dword ptr ds:[esi-4], 0
004f53d5 ^E9 11ffffff jmp invincible plug-in.004f52eb ; changed to jmp 02a3005f
004f53da 89b5 6d301b07 mov dword ptr ss:[ebp+71b306d], esi
004f53e0 52 push edx
004f53e1 68 00800000 push 8000
004f53e6 6a 00 push 0
004f53e8 ffb5 f5211b07 push dword ptr ss:[ebp+71b21f5]
004f53ee ff95 49347b07 call dword ptr ss:[ebp+71b1349]
004f53f4 5A pop edx
004f53f5 8b8d 9d121b07 mov ecx, dword ptr ss:[ebp+71b129d]
004f53fb c701 00000000 mov dword ptr ds:[ecx], 0
004f5401 83c1 04 add ecx, 4
004f5404 898d 9d121b07 mov dword ptr ss:[ebp+71b129d], ecx
004f540a ^E9 10f5ffff jmp invincible plug-in.004f491f
004f540f E9 a4060000 jmp invincible plug-in.004f5ab8 ; set a breakpoint here with F2
004f5414 60 pushad
004f5415 8b8d 9d121b07 mov ecx, dword ptr ss:[ebp+71b129d]
004f541b 8b09 mov ecx, dword ptr ds:[ecx]
004f541d 898d c3e82107 mov dword ptr ss:[ebp+721e8c3], ecx
004f5423 8138 4e54444c cmp dword ptr ds:[eax], 4c44544e

..............................................

Ctrl+G to 2a30000 and write the following code:

02a30000 A3 0004a302 mov dword ptr ds:[2a30400], eax
02a30005 8908 mov dword ptr ds:[eax], ecx
02a30007 AD lods dword ptr ds:[esi]
02a30008 c746 FC 0000000> mov dword ptr ds:[esi-4], 0
02a3000f -E9 d752acfd jmp invincible plug-in.004f52eb ; address A
02a30014 50 push eax
02a30015 A1 0004a302 mov eax, dword ptr ds:[2a30400]
02a3001a 8907 mov dword ptr ds:[edi], eax
02a3001c 807f FF E8 cmp byte ptr ds:[edi-1], 0e8
02a30020 75 08 jnz short 02a3002a
02a30022 66:c747 FE ff15 mov word ptr ds:[edi-2], 15ff
02a30028 EB 06 jmp short 02a30030
02a3002a 66:c747 FE ff25 mov word ptr ds:[edi-2], 25ff
02a30030 58 pop eax
02a30031 -E9 8b53acfd jmp invincible plug-in.004f53c1 ; address B
02a30036 50 push eax
02a30037 A1 0004a302 mov eax, dword ptr ds:[2a30400]
02a3003c 8947 01 mov dword ptr ds:[edi+1], eax
02a3003f 807f FF E8 cmp byte ptr ds:[edi-1], 0e8
02a30043 75 08 jnz short 02a3004d
02a30045 66:c747 FF ff15 mov word ptr ds:[edi-1], 15ff
02a3004b EB 06 jmp short 02a30053
02a3004d 66:c747 FF ff25 mov word ptr ds:[edi-1], 25ff
02a30053 58 pop eax
02a30054 -0f85 6753acfd jnz invincible plug-in.004f53c1 ; address B
02a3005a -E9 4a53acfd jmp invincible plug-in.004f53a9 ; address C
02a3005f 83c7 04 add edi, 4
02a30062 -E9 8452acfd jmp invincible plug-in.004f52eb ; address A
02a30067 90 nop

(Binary code)

A3 00 04 A3 02 89 08 AD C7 46 FC 00 00 00 00 E9 D7 52 AC FD 50 A1 00 04 A3 02 89 07 80 7F FF E8
75 08 66 C7 47 FE FF 15 EB 06 66 C7 47 FE FF 25 58 E9 8B 53 AC FD 50 A1 00 04 A3 02 89 47 01 80
7F FF E8 75 08 66 C7 47 FF FF 15 EB 06 66 C7 47 FF FF 25 58 0F 85 67 53 AC FD E9 4A 53 AC FD 83
C7 04 E9 84 52 AC FD 90
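The code written at 2a30000 turns each thunk that Themida redirected into an E8/E9 stub back into a direct IAT reference (FF 15 / FF 25 with the absolute slot address). The following Python is an added illustration of that byte-level rewrite on a constructed buffer; it is not code from the page, and the function names and sample bytes are assumptions.

```python
import struct

# Added example modelling the rewrite performed by the code at 2a30000 (names and
# sample buffer are constructed; this is not the page's own code).
#
# Themida replaces "call dword ptr [iat_slot]" (FF 15 imm32) or
# "jmp dword ptr [iat_slot]" (FF 25 imm32) with an E8/E9 rel32 into its own
# stub, optionally preceded by a 90 (nop) pad.  The injected code keeps the
# real IAT slot address (saved at [2a30400]) and writes the FF 15 / FF 25 form
# back over the stub: in the padded case starting at edi-2 (02a30014 path),
# otherwise starting at edi-1 (02a30036 path, which spills one byte past the
# 5-byte stub, which is why the page NOPs the write at 004f53be).
# edi points just past the E8/E9 opcode that 004f5397 / 004f539e stored.

def restore_thunk(code: bytearray, edi: int, iat_slot: int, nop_pad: bool) -> bytes:
    """Rewrite the stub ending at code[edi-1] into FF 15/25 [iat_slot]; return the 6 bytes."""
    opcode = code[edi - 1]
    if opcode == 0xE8:
        modrm = 0x15          # call dword ptr [imm32]
    elif opcode == 0xE9:
        modrm = 0x25          # jmp dword ptr [imm32]
    else:
        raise ValueError(f"no E8/E9 stub at {edi - 1:#x}")
    start = edi - 2 if nop_pad else edi - 1
    code[start:start + 6] = bytes((0xFF, modrm)) + struct.pack("<I", iat_slot)
    return bytes(code[start:start + 6])

def decode_thunk(thunk: bytes) -> tuple:
    """Decode a 6-byte FF 15/25 thunk into (mnemonic, iat_slot) for checking the result."""
    if len(thunk) != 6 or thunk[0] != 0xFF or thunk[1] not in (0x15, 0x25):
        raise ValueError("not an FF 15/25 thunk")
    return ("call" if thunk[1] == 0x15 else "jmp", struct.unpack_from("<I", thunk, 2)[0])

if __name__ == "__main__":
    # Constructed buffer: a padded "nop; call rel32" stub as Themida emitted it.
    buf = bytearray(b"\x90\xE8\x00\x00\x00\x00")
    print(decode_thunk(restore_thunk(buf, 2, 0x4010DC, nop_pad=True)))
```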

================================================================================================================

After writing the code, delete the memory breakpoint set earlier on the code section, Shift+F9, and it breaks at 004f540f. The IAT has now been obtained.

Find the OEP. Here I use the Themida OEP method that is widely circulated:

Cancel the breakpoint at 004f540f, Alt+M to open the Memory map window, set a breakpoint (F2) directly on the code section, and Shift+F9 breaks at the OEP.

004013a8 -ff25 dc104000 jmp dword ptr ds:[4010dc] ; msvbvm60.ThunRTMain
004013ae 0000 add byte ptr ds:[eax], al
004013b0 da00 fiadd dword ptr ds:[eax]
004013b2 5C pop esp
004013b3 A7 cmps dword ptr ds:[esi], dword ptr es:[ed>
004013b4 9E sahf
004013b5 d20f ror byte ptr ds:[edi], cl
004013b7 EE out dx, al ; I/O command
004013b8 8bed mov ebp, ebp
004013ba 0000 add byte ptr ds:[eax], al
004013bc 0000 add byte ptr ds:[eax], al
004013be 0000 add byte ptr ds:[eax], al
004013c0 3000 xor byte ptr ds:[eax], al
004013c2 0000 add byte ptr ds:[eax], al
004013c4 3800 cmp byte ptr ds:[eax], al
004013c6 0000 add byte ptr ds:[eax], al
004013c8 0000 add byte ptr ds:[eax], al
004013ca 0000 add byte ptr ds:[eax], al
004013cc d9f2 fptan

From the code above it is obvious that the program was compiled with VB and that Themida has stolen the OEP.

Fix the OEP manually. First find an unpacked VB program and load it in OD for comparison.

004011d0 $-ff25 80104000 jmp dword ptr ds:[<&msvbvm60.#100>] ; msvbvm60.ThunRTMain
004011d6 00 db 00
004011d7 00 db 00
004011d8 > $ 68 7c184000 push variant.0040187c ; note this (search for "VB5!")
004011dd . E8 eeffffff call <jmp.&msvbvm60.#100> ; this call points to the jmp above
004011e2 . 0000 add byte ptr ds:[eax], al
004011e4 . 0000 add byte ptr ds:[eax], al
004011e6 . 0000 add byte ptr ds:[eax], al
004011e8 . 3000 xor byte ptr ds:[eax], al
004011ea . 0000 add byte ptr ds:[eax], al
004011ec . 40 inc eax
004011ed . 0000 add byte ptr ds:[eax], al
004011ef . 0000 add byte ptr ds:[eax], al
004011f1 . 0000 add byte ptr ds:[eax], al
004011f3 . 0058 2C add byte ptr ds:[eax+2C], bl
004011f6 . 114a DB adc dword ptr ds:[edx-25], ecx
004011f9 . 43 inc ebx
004011fa . 8645 BA xchg byte ptr ss:[ebp-46], al
004011fd . 1822 sbb byte ptr ds:[edx], ah
004011ff . 6D ins dword ptr es:[edi], dx ; I/O command
00401200 . CE into
00401201 . C3 retn

..............................................

Modify the code as follows to fix the OEP manually:

004013a8 -ff25 dc104000 jmp dword ptr ds:[4010dc] ; msvbvm60.ThunRTMain
004013ae 0000 add byte ptr ds:[eax], al
004013b0 68 d07e4000 push invincible plug-in.00407ed0 ; ASCII "VB5!6&vb6chs.dll"
004013b5 E8 eeffffff call invincible plug-in.004013a8 ; jmp to msvbvm60.ThunRTMain
004013ba 0000 add byte ptr ds:[eax], al
004013bc 0000 add byte ptr ds:[eax], al
004013be 0000 add byte ptr ds:[eax], al
004013c0 3000 xor byte ptr ds:[eax], al
004013c2 0000 add byte ptr ds:[eax], al
004013c4 3800 cmp byte ptr ds:[eax], al
004013c6 0000 add byte ptr ds:[eax], al
004013c8 0000 add byte ptr ds:[eax], al
004013ca 0000 add byte ptr ds:[eax], al
004013cc d9f2 fptan
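The VB entry stub has a fixed shape (push of the "VB5!" header, then a call to the ThunRTMain thunk), so it can be rebuilt from the three addresses above. The following Python is an added example, not the page's own code: it assembles the 10-byte stub and locates the header the push must point to, assuming a flat memory dump where file offset equals RVA; the function names are constructed.

```python
import struct

# Added example, not code from the page: rebuilds the VB stolen-OEP stub
#   push <VB header>        ; 68 imm32
#   call <ThunRTMain thunk> ; E8 rel32
# from the addresses the page recovered (OEP 004013b0, header 00407ed0,
# thunk 004013a8).  Function names and the sample dump are constructed.

VB_SIGNATURE = b"VB5!"   # the VB header starts with this; the push operand points at it

def build_vb_oep_stub(oep: int, vb_header_va: int, thunk_va: int) -> bytes:
    """Return the 10 bytes to write at `oep`: push vb_header_va; call thunk_va."""
    push = b"\x68" + struct.pack("<I", vb_header_va)
    call_site = oep + len(push)
    rel32 = (thunk_va - (call_site + 5)) & 0xFFFFFFFF   # E8 is relative to the next instruction
    return push + b"\xE8" + struct.pack("<I", rel32)

def find_vb_header(dump: bytes, image_base: int) -> int:
    """VA of the VB5! signature in a flat memory dump (assumption: offset == RVA)."""
    off = dump.find(VB_SIGNATURE)
    if off < 0:
        raise ValueError("no VB5! signature: not a VB image, or the header was not dumped")
    return image_base + off

def patch_dump(dump: bytearray, image_base: int, oep: int, thunk_va: int) -> bytes:
    """Write the rebuilt stub into the dump at the OEP and return the stub bytes."""
    stub = build_vb_oep_stub(oep, find_vb_header(dump, image_base), thunk_va)
    off = oep - image_base
    dump[off:off + len(stub)] = stub
    return stub

if __name__ == "__main__":
    # Constructed dump: zeros with the header string at RVA 7ed0, as on the page.
    dump = bytearray(0x8000)
    dump[0x7ED0:0x7ED0 + 16] = b"VB5!6&vb6chs.dll"
    print(patch_dump(dump, 0x400000, 0x4013B0, 0x4013A8).hex())   # 68d07e4000e8eeffffff
```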

================================================================================================================

After the repair, use LordPE to dump the process and ImportREC to repair the import table.

OEP: 12713ae

RVA: 00001000

Size: 00000118

Delete the invalid pointer and fix the dump. Run the repaired program.

PEiD check: Microsoft Visual Basic 5.0/6.0

The dumped file turns out to be huge. Use LordPE to remove the Themida section, save, and rebuild with LordPE.

Re-open the rebuilt program; it runs normally. The file size is 98.1 KB. Unpacked, repaired, and optimized.
