Themida v2.x Unpack

ByJørGe · 15 Noviembre 2018, 20:48 PM

Hola!
Este dll esta protegido con Themida v2.x, quisiera saber si me podria ayudar a
quitarle esa proteccion, esa dll contiene ciertas funciones que necesito, intente viendo videos o tutoriales sobre desempacar themida,
pero no me ha servido ninguno, se que aca encontrare gente con un nivel alto sobre el desempaque de protecciones, se lo agradecere muchisimo

Link de descarga del DLL :
https://www.sendspace.com/file/9bcihv

Geovane · 15 Noviembre 2018, 20:55 PM

¡Hola

wiatrace.dll usted puede descargar en la web

También puede descargar de la memoria, para quitar Themida.

saludos

ByJørGe · 15 Noviembre 2018, 21:11 PM

Cita de: Geovane en 15 Noviembre 2018, 20:55 PM
¡Hola

wiatrace.dll usted puede descargar en la web

También puede descargar de la memoria, para quitar Themida.

saludos

Hola, no entendi bien lo que me dijo, como descargar de la memoria?

MCKSys Argentina · 15 Noviembre 2018, 21:59 PM

Hola!

wiatrace.dll es una dll de windows (ubicada en System32). A menos que el programa traiga una dll con el mismo nombre, no debería estar protegida.

Fíjate si los exports coinciden. Quizás no tengasque desempacar nada...

Saludos!

Geovane · 15 Noviembre 2018, 22:31 PM

Cita de: ByJørGe en 15 Noviembre 2018, 21:11 PM
Hola, no entendi bien lo que me dijo, como descargar de la memoria?

¡Hola

si tienes el programa que usa este dll, puedes hacer dump de la DLL, si este mismo empaquetado, va descomprimir, no se ejecuta, pero puede analizar las funciones estaticamente

ByJørGe · 16 Noviembre 2018, 00:06 AM

Cita de: MCKSys Argentina en 15 Noviembre 2018, 21:59 PM
Hola!

wiatrace.dll es una dll de windows (ubicada en System32). A menos que el programa traiga una dll con el mismo nombre, no debería estar protegida.

Fíjate si los exports coinciden. Quizás no tengasque desempacar nada...

Saludos!

Hola, la dll en realidad no se llama wiatrace.dll, solo que el creador de esa dll, le puso ese nombre para poderlo confundir

ByJørGe · 16 Noviembre 2018, 00:08 AM

Cita de: Geovane en 15 Noviembre 2018, 22:31 PM
¡Hola

si tienes el programa que usa este dll, puedes hacer dump de la DLL, si este mismo empaquetado, va descomprimir, no se ejecuta, pero puede analizar las funciones estaticamente

Geovane te envie un imbox!

Geovane · 16 Noviembre 2018, 00:56 AM

ola

https://1drv.ms/u/s!Atrdu75vJCB1h21lNh97xC4hLXvv

Está en el lenguaje C
Tal vez encuentras funciones.
saludos

info.....

filename: wiatrace.dll
DOS-stub: 232 bytes
built for machine: Intel 80386 processor
(32-bit-word machine)
Bytes of machine word are not reversed
Relocation info not stripped
Line nunbers not stripped
Local symbols not stripped
Debugging info not stripped
need not copy to swapfile if run from removable media
need not copy to swapfile if run from network
runs on MP or UP machine
working set trimmed normaly
executable file
not a system file
File is a DLL
do not notify on ProcAttach
do not notify on ThreadAttach
do not notify on ProcDetach
do not notify on ThreadDetach
0 entries in symbol table
5 sections
created (GMT): Fri Oct 30 02:40:18 2015
Linker version: 12.10
.text start: 0x1000, length: 10752 bytes
.data start: 0x4000, length: 4096 bytes
.bss start: -/-, length: 0 bytes
execution starts at 0x2310
Preferred load base is 0x10000000
Image size in RAM: 32 KB
Sections aligned to 4096 bytes in RAM, 512 bytes in file
Versions: NT 10.0, Win32 10.0, App 10.0
Checksum: 0x0000b462
uses Win32 graphical subsystem
Stack: 256 KB reserved, 4 KB committed
Heap: 1024 KB reserved, 4 KB committed
Size of headers / offset to sections in file: 0x400

".text" (virt. Size/Address: 0x295f)
10752 bytes at offset 0x1000 in RAM, 0x400 in file
contains code
default alignment (16 bytes)
is executable
is readable
at offset 0x1310: execution start

at offset 0x2820 (319 bytes): Export Directory
module name: "wiatrace.dll"
created (GMT): Fri Oct 30 01:38:31 2015
version: 0.0
8 exported functions, list at 3848
8 exported names, list at 3868
Ordinal base: 1
Ord. Hint Name RVA
---- ---- ---- ---
1 0 WIATRACE_DecrementIndentLevel ‹ÿVÿ5PC
2 1 WIATRACE_GetIndentLevel ÿ5PC
3 2 WIATRACE_GetTraceSettings ‹ÿU‹ìV‹u...ötÿ5XC
4 3 WIATRACE_IncrementIndentLevel ‹ÿVÿ5PC
5 4 WIATRACE_Init
6 5 WIATRACE_OutputString ‹ÿU‹ì¸
7 6 WIATRACE_SetTraceSettings ‹ÿU‹ìÿuÿ5XC
8 7 WIATRACE_Term ÃÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌh€

at offset 0x1d0 (56 bytes): Debug Directory

at offset 0x228 (104 bytes): Load Configuration Directory

".data" (virt. Size/Address: 0x364)
512 bytes at offset 0x4000 in RAM, 0x2e00 in file
contains initialized data
default alignment (16 bytes)
is readable
is writeable

".idata" (virt. Size/Address: 0x396)
1024 bytes at offset 0x5000 in RAM, 0x3000 in file
contains initialized data
default alignment (16 bytes)
is readable

at offset 0x8c (60 bytes): Import Directory

from "msvcrt.dll":
not bound
name table at 0x5128, address table at 0x5060
hint name
---- ----
362 _except_handler4_common
488 _initterm
1277 malloc
1221 free
273 _amsg_exit
111 _XcptFilter
874 _splitpath_s
998 _vsnprintf
1293 memset

from "KERNEL32.dll":
not bound
name table at 0x50c8, address table at 0x5000
hint name
---- ----
1290 SetFilePointerEx
1393 TerminateProcess
522 GetCurrentProcess
1363 SetUnhandledExceptionFilter
1426 UnhandledExceptionFilter
758 GetTickCount
729 GetSystemTimeAsFileTime
527 GetCurrentThreadId
1078 QueryPerformanceCounter
1378 Sleep
1413 TlsGetValue
1412 TlsFree
1411 TlsAlloc
1414 TlsSetValue
594 GetLocalTime
340 ExpandEnvironmentStringsA
611 GetModuleFileNameA
523 GetCurrentProcessId
1468 WaitForSingleObject
1271 SetEndOfFile
1524 WriteFile
1176 ReleaseMutex
157 CopyFileA

at offset 0 (136 bytes): Import Address Table

".rsrc" (virt. Size/Address: 0x3f0)
1024 bytes at offset 0x6000 in RAM, 0x3400 in file
contains initialized data
default alignment (16 bytes)
is readable

at offset 0 (1008 bytes): Resource Directory
version: 0.0, created (GMT): Thu Jan 1 00:00:00 1970
version info, version: 0.0, created (GMT): Thu Jan 1 00:00:00 1970
id: 0x1, version: 0.0, created (GMT): Thu Jan 1 00:00:00 1970
id: 0x409, English (United States), 912 bytes from 0x6060, codepage 0x0000

".reloc" (virt. Size/Address: 0x254)
1024 bytes at offset 0x7000 in RAM, 0x3800 in file
contains initialized data
default alignment (16 bytes)
can be discarded
is readable

at offset 0 (596 bytes): Base Relocation Table
(relocations skipped)

Version Info:
File Version: 10.0.10586.0
Product Version: 10.0.10586.0
Flags: (none)
OS: Win32 on NT
Type: Exe
- Inglês (Estados Unidos)
CompanyName : Microsoft Corporation
FileDescription : WIA Tracing
FileVersion : 10.0.10586.0 (th2_release.151029-1700)
InternalName : WIA Tracing
LegalCopyright : ¸ Microsoft Corporation. All rights reserved.
OriginalFilename: WIATRACE.DLL
ProductName : Microsoft© Windows© Operating System
ProductVersion : 10.0.10586.0

ByJørGe · 16 Noviembre 2018, 02:05 AM

Cita de: Geovane en 16 Noviembre 2018, 00:56 AM
ola

https://1drv.ms/u/s!Atrdu75vJCB1h21lNh97xC4hLXvv

Está en el lenguaje C
Tal vez encuentras funciones.
saludos

info.....

filename: wiatrace.dll
DOS-stub: 232 bytes
built for machine: Intel 80386 processor
(32-bit-word machine)
Bytes of machine word are not reversed
Relocation info not stripped
Line nunbers not stripped
Local symbols not stripped
Debugging info not stripped
need not copy to swapfile if run from removable media
need not copy to swapfile if run from network
runs on MP or UP machine
working set trimmed normaly
executable file
not a system file
File is a DLL
do not notify on ProcAttach
do not notify on ThreadAttach
do not notify on ProcDetach
do not notify on ThreadDetach
0 entries in symbol table
5 sections
created (GMT): Fri Oct 30 02:40:18 2015
Linker version: 12.10
.text start: 0x1000, length: 10752 bytes
.data start: 0x4000, length: 4096 bytes
.bss start: -/-, length: 0 bytes
execution starts at 0x2310
Preferred load base is 0x10000000
Image size in RAM: 32 KB
Sections aligned to 4096 bytes in RAM, 512 bytes in file
Versions: NT 10.0, Win32 10.0, App 10.0
Checksum: 0x0000b462
uses Win32 graphical subsystem
Stack: 256 KB reserved, 4 KB committed
Heap: 1024 KB reserved, 4 KB committed
Size of headers / offset to sections in file: 0x400

".text" (virt. Size/Address: 0x295f)
10752 bytes at offset 0x1000 in RAM, 0x400 in file
contains code
default alignment (16 bytes)
is executable
is readable
at offset 0x1310: execution start

at offset 0x2820 (319 bytes): Export Directory
module name: "wiatrace.dll"
created (GMT): Fri Oct 30 01:38:31 2015
version: 0.0
8 exported functions, list at 3848
8 exported names, list at 3868
Ordinal base: 1
Ord. Hint Name RVA
---- ---- ---- ---
1 0 WIATRACE_DecrementIndentLevel ‹ÿVÿ5PC
2 1 WIATRACE_GetIndentLevel ÿ5PC
3 2 WIATRACE_GetTraceSettings ‹ÿU‹ìV‹u...ötÿ5XC
4 3 WIATRACE_IncrementIndentLevel ‹ÿVÿ5PC
5 4 WIATRACE_Init
6 5 WIATRACE_OutputString ‹ÿU‹ì¸
7 6 WIATRACE_SetTraceSettings ‹ÿU‹ìÿuÿ5XC
8 7 WIATRACE_Term ÃÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌh€

at offset 0x1d0 (56 bytes): Debug Directory

at offset 0x228 (104 bytes): Load Configuration Directory

".data" (virt. Size/Address: 0x364)
512 bytes at offset 0x4000 in RAM, 0x2e00 in file
contains initialized data
default alignment (16 bytes)
is readable
is writeable

".idata" (virt. Size/Address: 0x396)
1024 bytes at offset 0x5000 in RAM, 0x3000 in file
contains initialized data
default alignment (16 bytes)
is readable

at offset 0x8c (60 bytes): Import Directory

from "msvcrt.dll":
not bound
name table at 0x5128, address table at 0x5060
hint name
---- ----
362 _except_handler4_common
488 _initterm
1277 malloc
1221 free
273 _amsg_exit
111 _XcptFilter
874 _splitpath_s
998 _vsnprintf
1293 memset

from "KERNEL32.dll":
not bound
name table at 0x50c8, address table at 0x5000
hint name
---- ----
1290 SetFilePointerEx
1393 TerminateProcess
522 GetCurrentProcess
1363 SetUnhandledExceptionFilter
1426 UnhandledExceptionFilter
758 GetTickCount
729 GetSystemTimeAsFileTime
527 GetCurrentThreadId
1078 QueryPerformanceCounter
1378 Sleep
1413 TlsGetValue
1412 TlsFree
1411 TlsAlloc
1414 TlsSetValue
594 GetLocalTime
340 ExpandEnvironmentStringsA
611 GetModuleFileNameA
523 GetCurrentProcessId
1468 WaitForSingleObject
1271 SetEndOfFile
1524 WriteFile
1176 ReleaseMutex
157 CopyFileA

at offset 0 (136 bytes): Import Address Table

".rsrc" (virt. Size/Address: 0x3f0)
1024 bytes at offset 0x6000 in RAM, 0x3400 in file
contains initialized data
default alignment (16 bytes)
is readable

at offset 0 (1008 bytes): Resource Directory
version: 0.0, created (GMT): Thu Jan 1 00:00:00 1970
version info, version: 0.0, created (GMT): Thu Jan 1 00:00:00 1970
id: 0x1, version: 0.0, created (GMT): Thu Jan 1 00:00:00 1970
id: 0x409, English (United States), 912 bytes from 0x6060, codepage 0x0000

".reloc" (virt. Size/Address: 0x254)
1024 bytes at offset 0x7000 in RAM, 0x3800 in file
contains initialized data
default alignment (16 bytes)
can be discarded
is readable

at offset 0 (596 bytes): Base Relocation Table
(relocations skipped)

Version Info:
File Version: 10.0.10586.0
Product Version: 10.0.10586.0
Flags: (none)
OS: Win32 on NT
Type: Exe
- Inglês (Estados Unidos)
CompanyName : Microsoft Corporation
FileDescription : WIA Tracing
FileVersion : 10.0.10586.0 (th2_release.151029-1700)
InternalName : WIA Tracing
LegalCopyright : ¸ Microsoft Corporation. All rights reserved.
OriginalFilename: WIATRACE.DLL
ProductName : Microsoft© Windows© Operating System
ProductVersion : 10.0.10586.0

Te envie nuevamente un imbox,, por ahi conversamos !

ByJørGe · 16 Noviembre 2018, 02:49 AM

Si alguien puede desempacarlo y puede enviarmelo porfavor
se lo agradeceria eternamente

If someone can unpack it and can send it please
I would appreciate it forever: