Themida V1.9.1.0 unpacking notes for XP Notepad

Source: Internet
Author: User


[Article Title]: Themida V1.9.1.0 unpacking notes for XP Notepad
[Author]: Dummies
[Author mailbox]: dm_bcc@hotmail.com
[Software name]: NOTEPAD.exe
[Packing method]: Themida V1.9.1.0
[Protection method]: code mutation, IAT encryption, OEP stealing
[Language]: Microsoft Visual C++ 7.0 Method2 [Debug]
[Tools]: OllyICE (HideOD 0.17), LordPE, ImportREC
[Operating platform]: pirated XP SP2
[Author's statement]: There are too few Themida unpacking tutorials. Please point out any mistakes!
[Detailed process]:
1. Identify the packer: Themida/WinLicense V1.8.X.X+ - V1.9.X.X -> Oreans Technologies * Sign.By.dm_bcc *
Load it in OD, ignore all exceptions, and hide OD with the HideOD plugin.
Quote:
01014014 > B8 00000000      mov eax, 0                          ; Themida/WinLicense V1.8.X.X+ - V1.9.X.X entry
01014019   60               pushad
0101401A   0BC0             or eax, eax
0101401C   74 68            je short notepad1_1014086
0101401E   E8 00000000      call notepad1_1014023
01014023   58               pop eax
01014024   05 53000000      add eax, 53
01014029   8038 E9          cmp byte ptr ds:[eax], 0E9
0101402C   75 13            jnz short notepad1_1014041
0101402E   61               popad
0101402F   EB 45            jmp short notepad1_1014076
01014031   DB2D 37400101    fld tbyte ptr ds:[1014037]
Set a memory-on-write breakpoint on the CODE section.
Quote:
01119D6B   F3:A4            rep movs byte ptr es:[edi], byte ptr ds:[esi]   ; single-step here with F7/F8
01119D6D   C685 45217409 56 mov byte ptr ss:[ebp+9742145], 56
01119D74   68 396D1FD4      push D41F6D39
01119D79   FFB5 DD257409    push dword ptr ss:[ebp+97366DD]
01119D7F   8D85 A1C67709    lea eax, dword ptr ss:[ebp+977C6A1]
Run the program with F9. It stops at the following address:
Quote:
011287F5   8913             mov dword ptr ds:[ebx], edx         ; comdlg32.PageSetupDlgW ; stops here
011287F7   5B               pop ebx
011287F8   5A               pop edx
011287F9   F9               stc
011287FA   AD               lods dword ptr ds:[esi]
011287FB   60               pushad
011287FC   60               pushad
011287FD   0FB7FB           movzx edi, bx
01128800   81D1 96A16064    adc ecx, 6460A196
01128806   61               popad
01128807   66:B9 3E29       mov cx, 293E
0112880B   61               popad
At 011287F5 an API address is written to dword ptr ds:[ebx]. What is it for? Remove the memory breakpoint and step down with F8 until we reach the following code:
Quote:
01128A90   803F 90          cmp byte ptr ds:[edi], 90           ; compare the byte at the CALL site to be written against NOP (90)
01128A93   0F84 2B000000    je notepad1_1128ac4
01128A99   F5               cmc
01128A9A   50               push eax
01128A9B   B8 05000000      mov eax, 5
01128AA0   01C7             add edi, eax
01128AA2   8B0424           mov eax, dword ptr ss:[esp]
01128AA5   83C4 04          add esp, 4
01128AA8   FC               cld
01128AA9   E9 E5010000      jmp notepad1_1128c93
01128AAE   FC               cld
01128AAF   E9 10000000      jmp notepad1_1128ac4
01128AB4   D6               salc
01128AB5   81C2 4EA6589A    add edx, 9A58A64E
At 01128A90 the operand ds:[edi] resolves to ds:[0100643D]. Why compare the byte there with 90? Ctrl+G to 0100643D and look:
Quote:
01006428   833D ACA40001 00 cmp dword ptr ds:[100A4AC], 0
0100642F   75 40            jnz short notepad1_1006471
01006431   800D B1A40001 04 or byte ptr ds:[100A4B1], 4
01006438   68 A0A40001      push notepad1_100a4a0
0100643D   90               nop
0100643E   90               nop
0100643F   90               nop
01006440   90               nop
01006441   90               nop
01006442   90               nop
This looks familiar, rather like the unpacked program. Let's open the original version and see whether there is a connection.
Quote:
ORIGINAL VERSION
01006428 /$ 833D ACA40001 00 cmp dword ptr ds:[100A4AC], 0
0100642F |. 75 40            jnz short NOTEPAD.01006471
01006431 |. 800D B1A40001 04 or byte ptr ds:[100A4B1], 4
01006438 |. 68 A0A40001      push NOTEPAD.0100A4A0
0100643D |. FF15 C4120001    call dword ptr ds:[<&comdlg32.PageSetupDlgW>] ; comdlg32.PageSetupDlgW
See 0100643D,
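The comparison the tutorial makes by eye at 0100643D (a six-byte call dword ptr [IAT slot] in the original, six NOPs in the packed image) can be done for a whole section at once. The script below is an added example, not the author's code or part of the tutorial: it takes the bytes transcribed from the two listings above, reports every FF15 call site that became NOPs together with the IAT slot it pointed to, and writes the original call back into the dump. The slot-to-name map, function names and the decision to treat only the exact 6-NOP case as a stolen call are this example's assumptions.

```python
import struct

# Bytes transcribed from the page's two listings at 01006428 (constructed from
# the hex columns: the original ends in a 6-byte FF15 call, the dump in 6 NOPs).
BASE = 0x01006428
ORIGINAL = bytes.fromhex(
    "833DACA4000100"    # cmp dword ptr [100A4AC], 0
    "7540"              # jnz short 01006471
    "800DB1A4000104"    # or byte ptr [100A4B1], 4
    "68A0A40001"        # push 0100A4A0
    "FF15C4120001"      # call dword ptr [010012C4] ; comdlg32.PageSetupDlgW
)
DUMPED = ORIGINAL[:-6] + b"\x90" * 6
# IAT slot -> import name, taken from the OD comment on the original listing
# (assumed map; a real run would fill it from the import table or ImportREC).
IAT_SLOTS = {0x010012C4: "comdlg32.PageSetupDlgW"}


def find_stolen_calls(original, dumped, base):
    """Return [(call_va, iat_slot_va, name)] for every FF15 call in `original`
    whose six bytes are NOPs in `dumped`, i.e. a call site the packer emptied."""
    if len(original) != len(dumped):
        raise ValueError("blobs must cover the same address range")
    hits = []
    i = 0
    while i + 6 <= len(original):
        if original[i:i + 2] == b"\xFF\x15" and dumped[i:i + 6] == b"\x90" * 6:
            slot = struct.unpack_from("<I", original, i + 2)[0]
            hits.append((base + i, slot, IAT_SLOTS.get(slot, "<unknown>")))
            i += 6          # skip the matched instruction
        else:
            i += 1          # byte-wise scan: the FF15 + 6xNOP pairing rules out stray matches
    return hits


def repair_call(dumped, call_va, base, slot):
    """Restore the original call dword ptr [slot] over the NOPs in the dump."""
    off = call_va - base
    patch = b"\xFF\x15" + struct.pack("<I", slot)
    return dumped[:off] + patch + dumped[off + 6:]


if __name__ == "__main__":
    for va, slot, name in find_stolen_calls(ORIGINAL, DUMPED, BASE):
        print(f"{va:08X}: call [{slot:08X}] -> {name}")
```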
