Title: Unpacking Themida/WinLicense 1.8.x
Tool Preparation: OD + Phantom + okdodo script + PEiD + ImportRec
Packer Used: WinLicense 220.127.116.11
Software Name: Cpp1.exe
Software Size: 152Kb(Original), 1.37Mb(Packed)
Operating System: Windows XP SP2
Also known as OllyDbg. It’s a 32-bit assembler level analysis debugger. Powerful tool to analyze 32-bit assembler. More info see http://en.wikipedia.org/wiki/OllyDbg
It’s a plugin for OllyDbg. Used to prevent the OllyDbg from being detected by anti-debugger engine for Themida/WInLicense.
3. okdodo script
This is the unpack script we will use in this tutorial.
PEiD detects most common packers, cryptors and compilers for PE files. It can currently detect more than 600 different signatures in PE files.
Import Reconstructor is a tool that used to fix the IAT of dump image and reconstruct them.
You can get these tool easily from http://www.unpack.cn
Okay let’s get started.
First we have to determine what is the packer first. Drag Cpp1.exe into PEiD. You will need the latest signature database. Here we found it’s pack with Themida/WinLicense 18.104.22.168 above.
Start your ollydbg, make sure your phantom setting is like below. Configure it by pressing Plugin>Phantom>Option . You will need to restart ollydbg for setting to take effect.
After that drag Cpp1.exe into ollydbg. See the yellow line in main thread. B8 00 00 00 60, common entry point used by Themida/WinLicense.
Pressing ALT+M to switch into Memory Map tab. Drag down a little bit the list and you will found msvcrt on PE Header. Shows that this EXE is using C++ Runtime.
Let’s continue. Run okdodo script by pressing Plugin>ODbgScript>RunScript>then select okdodo.osc
Take note of the OEP address above. We will using it later on. 00401151
Next we will try to dump the image out. Do NOT close OllyDbg yet.
Open your importRec. Attach the process to the Cpp1.Exe in the list.
Then you will see in the status box. Image Base: 00400000. So calculate the OEP by 00401151-00400000 = 1151
Fill in into the OEP box and press IAT Auto Search. It will inform you that the OEP is found.
Press Get Import to get all import function. From the Imports status, shows that valid:YES. Which means all imports function pointer are match.
Credit: okdodo for the script. unpack.cn for the resources.