[Article Title]: Themida V1.9.1.0 unpacking notes: XP Notepad
[Author]: Dummies
[Author mailbox]: dm_bcc@hotmail.com
[Software name]: NOTEPAD.exe
[Packer]: Themida V1.9.1.0
[Protection options]: code mutation, IAT encryption, stolen OEP bytes
[Language]: Microsoft Visual C++ 7.0 Method2 [Debug]
[Tools]: OllyICE (with the HideOD 0.17 plug-in), LordPE, ImportREC
[Operating platform]: Windows XP SP2
[Author's note]: There are too few Themida unpacking tutorials. If there are mistakes, please point them out!
[Detailed process]:
1. Identify the packer: Themida/WinLicense V1.8.X.X+ - V1.9.X.X -> Oreans Technologies * Sign.By.dm_bcc *
Load the file in OllyDbg, set it to ignore all exceptions, and use the HideOD plug-in to hide the debugger.
Reference:
01014014> B8 00000000 mov eax, 0 ; Themida/WinLicense V1.8.X.X+ - V1.9.X.X entry point
01014019 60 pushad
0101401A 0BC0 or eax, eax
0101401C 74 68 je short notepad1_1014086
0101401E E8 00000000 call notepad1_1014023
01014023 58 pop eax
01014024 05 53000000 add eax, 53
01014029 8038 E9 cmp byte ptr ds: [eax], 0E9
0101402C 75 13 jnz short notepad1_1014041
0101402E 61 popad
0101402F EB 45 jmp short notepad1_1014076
01014031 DB2D 37400101 fld tbyte ptr ds: [1014037]
Set a memory breakpoint on write on the CODE section, so the debugger breaks as soon as the stub writes the decrypted code into it.
Reference:
01119D6B F3: A4 rep movs byte ptr es: [edi], byte ptr ds: [esi] ; the memory breakpoint breaks here; single-step past it with F7/F8
01119D6D C685 45217409 56 mov byte ptr ss: [ebp + 9742145], 56
01119D74 68 396D1FD4 push D41F6D39
01119D79 FFB5 DD257409 push dword ptr ss: [ebp + 97366dd]
01119D7F 8D85 A1C67709 lea eax, dword ptr ss: [ebp + 977C6A1]
Press F9 to run; the memory breakpoint fires again at the following address:
Reference:
011287F5 8913 mov dword ptr ds: [ebx], edx; comdlg32.PageSetupDlgW-> stop here
011287F7 5B pop ebx
011287F8 5A pop edx
011287F9 F9 stc
011287FA AD lods dword ptr ds: [esi]
011287FB 60 pushad
011287FC 60 pushad
011287FD 0FB7FB movzx edi, bx
01128800 81D1 96A16064 adc ecx, 6460A196
01128806 61 popad
01128807 66: B9 3E29 mov cx, 293E
0112880B 61 popad
At 011287F5 an API address (here comdlg32.PageSetupDlgW) is stored into the dword at ds: [ebx]. What is it for? Remove the memory breakpoint and step over with F8 until you reach the following code:
Reference:
01128A90 803F 90 cmp byte ptr ds: [edi], 90 ; compares the first byte of the call site to be patched with 0x90 (NOP)
01128A93 0F84 2B000000 je notepad1_1128ac4
01128A99 F5 cmc
01128A9A 50 push eax
01128A9B B8 05000000 mov eax, 5
01128AA0 01C7 add edi, eax
01128AA2 8B0424 mov eax, dword ptr ss: [esp]
01128AA5 83C4 04 add esp, 4
01128AA8 FC cld
01128AA9 E9 E5010000 jmp notepad1_1128c93
01128AAE FC cld
01128AAF E9 10000000 jmp notepad1_1128ac4
01128AB4 D6 salc
01128AB5 81C2 4EA6589A add edx, 9A58A64E
At the instruction 01128A90, edi points to ds: [0100643D]. Why compare that byte with 0x90? Press Ctrl+G, go to 0100643D and look:
Reference:
01006428 833D ACA40001 00 cmp dword ptr ds: [100A4AC], 0
0100642F 75 40 jnz short notepad1_1006471
01006431 800D B1A40001 04 or byte ptr ds: [100A4B1], 4
01006438 68 A0A40001 push notepad1_100a4a0
0100643D 90 nop
0100643E 90 nop
0100643F 90 nop
01006440 90 nop
01006441 90 nop
01006442 90 nop
This looks familiar, rather like code from the unpacked program. Open the original (unprotected) Notepad and see how the two are related:
Reference:
ORIGINAL VERSION
01006428/$ 833D ACA40001 00 cmp dword ptr ds: [100A4AC], 0
0100642F |. 75 40 jnz short NOTEPAD.01006471
01006431 |. 800D B1A40001 04 or byte ptr ds: [100A4B1], 4
01006438 |. 68 A0A40001 push NOTEPAD.0100A4A0
0100643D |. FF15 C4120001 call dword ptr ds: [<& comdlg32.PageSetupDlgW>]; comdlg32.PageSetupDlgW
See 0100643D,
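The two listings show the trick: the protector replaced the 6-byte call dword ptr [IAT] (FF 15 imm32) at 0100643D with six NOPs and leaves it to the runtime stub to repair the site, which is why the stub tests the byte against 0x90 first. The script below is an added example, not code from the original article, that turns that observation into the repair step you need when fixing a dump: it finds 6-NOP candidate sites in a code section, decodes the FF 15 form of a real call, and writes the original encoding back over the NOPs. The bytes at 01006428 are constructed from the two listings above; the IAT contents and the API address for the stolen site (for instance recorded with a logging breakpoint on the mov dword ptr [ebx], edx at 011287F5) are hypothetical, since the page shows the write but not the full table.

```python
import struct

# Constructed sample built from the bytes shown in the two listings at 01006428.
# PACKED: the Themida-protected copy, where the 6-byte "call dword ptr [IAT]"
# at 0100643D has been replaced by six 0x90 NOPs for the stub to patch at run time.
# ORIGINAL: the same region of the unprotected NOTEPAD.exe (image base 01000000).
LISTING_VA = 0x01006428
PACKED = bytes.fromhex(
    "833DACA4000100"    # 01006428  cmp dword ptr [100A4AC], 0
    "7540"              # 0100642F  jnz short 01006471
    "800DB1A4000104"    # 01006431  or byte ptr [100A4B1], 4
    "68A0A40001"        # 01006438  push 0100A4A0
    "909090909090"      # 0100643D  nop x6  <- stolen call
)
ORIGINAL = PACKED[:0x15] + bytes.fromhex("FF15C4120001")  # 0100643D  call dword ptr [010012C4]

# Hypothetical run-time data (not from the page): the IAT slot -> API address table
# of the dump, and the API the stub resolved for the stolen site, e.g. recorded with
# a logging breakpoint on the "mov dword ptr [ebx], edx" at 011287F5.
PAGESETUPDLGW = 0x763A1234            # made-up address of comdlg32.PageSetupDlgW
IAT = {0x010012C4: PAGESETUPDLGW}     # slot 010012C4 is the one the original call used
CALL_TARGETS = {0x0100643D: PAGESETUPDLGW}


def find_nop_runs(code: bytes, base_va: int, width: int = 6) -> list:
    """Return the VAs of every run of exactly `width` 0x90 bytes.

    A 6-byte run is a candidate for a "call dword ptr [imm32]" (FF 15 imm32) that
    the protector NOP'd out.  Longer runs are more likely alignment padding and are
    skipped; a candidate still needs checking in the debugger, as the article does.
    """
    hits, i, n = [], 0, len(code)
    while i < n:
        if code[i] != 0x90:
            i += 1
            continue
        j = i
        while j < n and code[j] == 0x90:
            j += 1
        if j - i == width:
            hits.append(base_va + i)
        i = j
    return hits


def iat_slot_of_call(code: bytes, base_va: int, call_va: int) -> int:
    """Decode "call dword ptr [imm32]" at call_va and return the IAT slot it reads."""
    off = call_va - base_va
    if code[off:off + 2] != b"\xff\x15":
        raise ValueError(f"no indirect call at {call_va:08X}")
    return struct.unpack_from("<I", code, off + 2)[0]


def restore_call(code: bytes, base_va: int, call_va: int, iat_slot_va: int) -> bytes:
    """Overwrite the six NOPs at call_va with "call dword ptr [iat_slot_va]"."""
    off = call_va - base_va
    if code[off:off + 6] != b"\x90" * 6:
        raise ValueError(f"{call_va:08X} does not hold a NOP'd call")
    patched = bytearray(code)
    patched[off:off + 6] = b"\xff\x15" + struct.pack("<I", iat_slot_va)
    return bytes(patched)


def restore_stolen_calls(code: bytes, base_va: int, call_targets: dict, iat: dict) -> bytes:
    """Rebuild every stolen call: find the IAT slot holding the API the stub
    resolved for that site and write FF 15 <slot> over the NOPs."""
    slot_for_api = {api: slot for slot, api in iat.items()}
    for call_va, api_va in sorted(call_targets.items()):
        if api_va not in slot_for_api:
            raise KeyError(f"no IAT slot holds {api_va:08X} for call at {call_va:08X}")
        code = restore_call(code, base_va, call_va, slot_for_api[api_va])
    return code


if __name__ == "__main__":
    print("candidate stolen calls:", [f"{va:08X}" for va in find_nop_runs(PACKED, LISTING_VA)])
    print("original call reads slot %08X" % iat_slot_of_call(ORIGINAL, LISTING_VA, 0x0100643D))
    fixed = restore_stolen_calls(PACKED, LISTING_VA, CALL_TARGETS, IAT)
    print("restored bytes match original:", fixed == ORIGINAL)
```

On a real dump, run find_nop_runs over the whole code section, confirm each candidate in the debugger (a push of an argument right before it, as at 01006438, is a good sign), and feed the site-to-API mapping you log from the stub plus the IAT you rebuilt with ImportREC into restore_stolen_calls; the IAT slot must exist before the call can be written, so fix imports first and the calls second.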