Title: Unpacking Themida/WinLicense 1.8.x
Author: Richie86
Tool Preparation: OD + Phantom + okdodo script + PEiD + ImportRec
Packer Used: WinLicense 1.8.9.0
Software Name: Cpp1.exe
Software Size: 152Kb(Original), 1.37Mb(Packed)
Operating System: Windows XP SP2
Cpp1.exe (Packed) Download
Cpp1_src.exe (Non Packed) Download
———————————————————————————————————-
Software Introduction:
1. OD
Also known as OllyDbg. It’s a 32-bit assembler level analysis debugger. Powerful tool to analyze 32-bit assembler. More info see http://en.wikipedia.org/wiki/OllyDbg
2. Phantom
It’s a plugin for OllyDbg. Used to prevent the OllyDbg from being detected by anti-debugger engine for Themida/WInLicense.
3. okdodo script
This is the unpack script we will use in this tutorial.
4. PEiD
PEiD detects most common packers, cryptors and compilers for PE files. It can currently detect more than 600 different signatures in PE files.
5. ImpportRec
Import Reconstructor is a tool that used to fix the IAT of dump image and reconstruct them.
You can get these tool easily from http://www.unpack.cn
———————————————————————————————————-
Okay let’s get started.
First we have to determine what is the packer first. Drag Cpp1.exe into PEiD. You will need the latest signature database. Here we found it’s pack with Themida/WinLicense 1.8.2.0 above.
Start your ollydbg, make sure your phantom setting is like below. Configure it by pressing Plugin>Phantom>Option . You will need to restart ollydbg for setting to take effect.
After that drag Cpp1.exe into ollydbg. See the yellow line in main thread. B8 00 00 00 60, common entry point used by Themida/WinLicense.
Pressing ALT+M to switch into Memory Map tab. Drag down a little bit the list and you will found msvcrt on PE Header. Shows that this EXE is using C++ Runtime.
Let’s continue. Run okdodo script by pressing Plugin>ODbgScript>RunScript>then select okdodo.osc
The script will automatic run. After you being prompt that the script has completed. The debugger will stop at the OEP (Original Entry Point) of your EXE.
Take note of the OEP address above. We will using it later on. 00401151
Next we will try to dump the image out. Do NOT close OllyDbg yet.
Open your importRec. Attach the process to the Cpp1.Exe in the list.
Then you will see in the status box. Image Base: 00400000. So calculate the OEP by 00401151-00400000 = 1151
Fill in into the OEP box and press IAT Auto Search. It will inform you that the OEP is found.
Press Get Import to get all import function. From the Imports status, shows that valid:YES. Which means all imports function pointer are match.
So dump the image by RightClick>Advanced Commands>Select Code Section(s)
Press Full Dump. then save it at somewhere as cpp1_dump.exe
Then continue to reconstruct the dump base on new OEP. At main menu. Press Fix Dump, then select the dump image cpp1_dump.exe we create just now.
After reconstruct. New image cpp1_dump_.exe is created. And now try to open the cpp1_dump_.exe and you will see you are sucessfully unpacked it.
Credit: okdodo for the script. unpack.cn for the resources.
