
Issue unpacking a Themida ["Very NEW Version TIGER & FISH : 2.


Hi,

I am new to unpacking.

I use LCF-AT's script. I watched his videos. I unpacked his files that are related to mine by following his video (i.e. I skipped XBundler because I don't have it).

I did all you said to the letter: I installed both Win 7 32-bit and Win 64 32-bit SP3 OSes, where I run the scripts.

I use non-modded Olly with exactly the settings you said.

I am trying to unpack a game .exe that is supposed to be started with a launcher (not sure if it matters, so I mention it here).

I unpacked the game with the unpack script 1.0 but it does not work. This is the log:

Themida - Winlicense Ultra Unpacker 1.0 

-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 
 
 
TERA 
************************************************************ 
Packed Size: 10.708 MB +/-     <=>     UnPack Size: 39.160 MB +/- 
************************************************************ 
TM WL VM Protection: CISC | Dumped: Intern WL Section 
 
Very NEW Version TIGER & FISH : 2.2.6.0+ 
************************************************************
Direct VM OEP Address not found! - But is in use! -Rebuild Manually Push & JUMP Values! 
 
VM ADDR: Custom 
VM ALIGN: E3B59014 
VM PUSH PRE: 454 
VM PUSH: 200216 
VM JUMP: 278CEC7 
********************
UnVirtualizer data: 
 
No VM Entrys to fix! 
********************
Possible VM Entrys: 
 
VM Entrys:      0 
VM Reg | Trial: 0 <=> Or API wsprintfA 
Code-Replace:   0 
Crypt-to-Code:  0 
Macro DE - EN:  0 
SDK VM APIs:    0 
********************
VM Sleep APIs:  1 
********************
XBundler Files: 0 
********************
IAT START  : 1BF0000 | 77DE49CE | ADVAPI32.RegQueryInfoKeyW 
IAT END    : 1BF0C08 | 8EE34E0 | vorbisfi.ov_time_seek 
IAT SIZE   : C0C 
IAT COUNT  : 743 
API FOUND  : 1 and fixed DIRECT APIs to original IAT by user data. 
******************** 
LCF-AT

I know it does not work because when I open the packed one it says "this game should be launched with launcher", but when I open the unpacked one it says:

"...... has stopped working"

Problem signature:

  Problem Event Name: APPCRASH
  Application Name: TERA_DP_win made.exe
  Application Version: 2.0.1.1
  Application Timestamp: 550fd621
  Fault Module Name: StackHash_0a9e
  Fault Module Version: 0.0.0.0
  Fault Module Timestamp: 00000000
  Exception Code: c0000005
  Exception Offset: 00000000
  OS Version: 6.1.7601.2.1.0.768.11
  Locale ID: 1036
  Additional Information 1: 0a9e
  Additional Information 2: 0a9e372d3b4ad19135b953a78882e789
  Additional Information 3: 0a9e
  Additional Information 4: 0a9e372d3b4ad19135b953a78882e789

When I run with the 1.4 script, the full process doesn't go through and it stops here:

Log data

Address    Message
           Themida - Winlicense Ultra Unpacker 1.4
           -+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 
02E50A0F   Breakpoint at 02E50A0F
02E50A10   Breakpoint at 02E50A10
02E60054   Breakpoint at 02E60054
 
           OS=x86 32-Bit
02E60056   Breakpoint at 02E60056
02E80021   Breakpoint at 02E80021
02E80028   Breakpoint at 02E80028
 
           10.708 MB +/-
 
           39.160 MB +/-
 
           Your target is a >>> Executable <<< file!
 
 
           PE HEADER:   400000 | 1000
           CODESECTION: 401000 | 2234000
           PE HEADER till CODESECTION Distance: 1000 || Value of 1000 = Normal!
           Your Target seems to be a normal file!
 
           Unpacking of NET targets is diffrent!
           Dump running process with WinHex and then fix the whole PE and NET struct!
 
02E907AA   Breakpoint at 02E907AA
 
           No Overlay used!
 
           Disasembling Syntax: MASM (Microsoft)     <=> OK
 
           Show default segments:               Enabled
           Always show size of memory operands: Enabled
           Extra space between arguments:       Disabled
 
           StrongOD Found!
           ----------------------------------------------
           HidePEB=1          Enabled   = OK
           KernelMode=1       Enabled   = OK
           KillPEBug=1        Enabled   = OK
           SkipExpection=0    Disabled  = Enable this!
           DriverName=ulysse
 
           DRX=1              Enabled   = OK
 
           ----------------------------------------------
 
02A3C009   Breakpoint at TERA.02A3C009
02A3C00B   Breakpoint at TERA.02A3C00B
 
           Windows 7 or higher found!
 
 
           Newer SetEvent & Kernel32 ADs Redirecting in Realtime is disabled by user!
 
 
           Kernel Ex Table Start: 774956FC
03AD003F   Breakpoint at 03AD003F
 
           PE DUMPSEC:  VA 3AE0000 - VS 3E000
           PE ANTISEC:  VA 3AE1000
           PE OEPMAKE:  VA 3AE1600
           SETEVENT_VM: VA 3AE21D0
           PE I-Table:  VA 3AE3000
           VP - STORE:  VA 3AE2F00
           and or...
           API JUMP-T:  VA 3AE3000
03AD003F   Breakpoint at 03AD003F
 
           RISC VM Store Section VA is: 3B20000 - VS 200000
03AD0041   Breakpoint at 03AD0041
0264B6EF   Hardware breakpoint 1 at TERA.0264B6EF
 
           Found WL Intern Export API Access at: 264BB8C
 
           Use this address to get all intern access WL APIs!
755F0000   Module C:\Windows\system32\SspiCli.dll
7742C4EA   Hardware breakpoint 2 at kernel32.VirtualAlloc
 
           ---------- Loaded File Infos ----------
 
           Target    Base: 400000
 
           Kernel32  Base: 773E0000
 
           Kernel32  SORD: 773E01F8 | C5000
           Kernel32  SORD: 773E0200
 
           User32    Base: 77610000
           Advapi32  Base: 76AE0000
           ---------------------------------------
 
           WL Section: 2649000   |  271000
 
           WL Align:   E3B59014 |  EBP Pointer Value
 
 
           XBundler Prepair Sign not found!
           CISC VM is located in the Themida - Winlicense section 2649000 | 271000.
 
 
           VMWare Address: 264B077 | 0
 
 
           VMWare Checks are not Used & Disabled by Script!
 
 
           Auto XBundler Checker & Dumper is enabled!
           If XBunlder Files are found in auto-modus then they will dumped by script!
           If the auto XBunlder Dumper does fail etc then disable it next time!
 
 
           Anti Access Stop on Code Section was Set!
 
           Moddern MJM Scan Chosen!
 
           Normal IAT Patch Scan Was Written!
73A20000   Module C:\Windows\system32\winmm.dll
75C10000   Module C:\Windows\system32\Shell32.dll
75C10000   Unload C:\Windows\system32\Shell32.dll
03DA0306   Hardware breakpoint 3 at 03DA0306
026493F7   New thread with ID 00000EC8 created
026493F7   New thread with ID 00000318 created
026493F7   New thread with ID 00000BAC created
026493F7   New thread with ID 00000668 created
026493F7   New thread with ID 00000DE4 created
026493F7   New thread with ID 00000160 created
026493F7   New thread with ID 00000DDC created
026493F7   New thread with ID 000006C4 created
026493F7   New thread with ID 00000C48 created
026493F7   New thread with ID 000003B8 created
026493F7   New thread with ID 000006D8 created
026493F7   New thread with ID 00000378 created
026493F7   New thread with ID 00000B70 created
026493F7   New thread with ID 00000BA0 created
026493F7   New thread with ID 00000598 created
026493F7   New thread with ID 000008BC created
026493F7   New thread with ID 000007A8 created
026493F7   New thread with ID 00000658 created
026493F7   New thread with ID 00000C9C created
026493F7   New thread with ID 00000AA4 created
026493F7   New thread with ID 0000083C created
026493F7   New thread with ID 000007D4 created
026493F7   New thread with ID 000003E4 created
026493F7   New thread with ID 000004C8 created
03D90033   Hardware breakpoint 1 at 03D90033
77792EBC   Hardware breakpoint 3 at ntdll.77792EBC
 
           Heap Prot was redirected!
089B0000   Module C:\Users\Glenn\Desktop\Binaries\dbghelp.dll
778D0000   Module C:\Windows\system32\PSAPI.DLL
604E0000   Module C:\Windows\system32\DSOUND.dll
74070000   Module C:\Windows\system32\POWRPROF.dll
75A70000   Module C:\Windows\system32\SETUPAPI.dll
75960000   Module C:\Windows\system32\CFGMGR32.dll
759A0000   Module C:\Windows\system32\DEVOBJ.dll
18000000   Module C:\Users\Glenn\Desktop\Binaries\binkw32.dll
75C10000   Module C:\Windows\system32\SHELL32.dll
76FA0000   Module C:\Windows\system32\SHLWAPI.dll
5EEF0000   Module C:\Users\Glenn\Desktop\Binaries\awesomium.dll
60E30000   Module C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.18201_none_ec80f00e8593ece5\COMCTL32.dll
75760000   Module C:\Windows\system32\USERENV.dll
75750000   Module C:\Windows\system32\profapi.dll
71CD0000   Module C:\Windows\system32\WINHTTP.dll
71C80000   Module C:\Windows\system32\webio.dll
71E80000   Module C:\Windows\system32\dhcpcsvc.DLL
770A0000   Module C:\Windows\system32\WS2_32.dll
76860000   Module C:\Windows\system32\NSI.dll
74BF0000   Module C:\Windows\system32\VERSION.dll
73B00000   Module C:\Windows\system32\MSIMG32.dll
6F850000   Module C:\Windows\system32\OLEACC.dll
755D0000   Module C:\Windows\system32\Secur32.dll
757E0000   Module C:\Windows\system32\CRYPT32.dll
75740000   Module C:\Windows\system32\MSASN1.dll
73400000   Module C:\Windows\system32\IPHLPAPI.DLL
733F0000   Module C:\Windows\system32\WINNSI.DLL
5EE70000   Module C:\Users\Glenn\Desktop\Binaries\MSVCP120.dll
5ED80000   Module C:\Users\Glenn\Desktop\Binaries\MSVCR120.dll
10000000   Module C:\Users\Glenn\Desktop\Binaries\PhysXExtensions.dll
08BB0000   Module C:\Users\Glenn\Desktop\Binaries\NxCooking.dll
76900000   Module C:\Windows\system32\WININET.dll
75950000   Module C:\Windows\system32\api-ms-win-downlevel-user32-l1-1-0.dll
759C0000   Module C:\Windows\system32\api-ms-win-downlevel-shlwapi-l1-1-0.dll
75940000   Module C:\Windows\system32\api-ms-win-downlevel-version-l1-1-0.dll
75780000   Module C:\Windows\system32\api-ms-win-downlevel-normaliz-l1-1-0.dll
76E90000   Module C:\Windows\system32\normaliz.DLL
76B80000   Module C:\Windows\system32\iertutil.dll
75930000   Module C:\Windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
74240000   Module C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll
6ED90000   Module C:\Users\Glenn\Desktop\Binaries\vorbisfile.dll
74530000   Module C:\Users\Glenn\Desktop\Binaries\ogg.dll
5EBD0000   Module C:\Users\Glenn\Desktop\Binaries\vorbis.dll
73D90000   Module C:\Windows\system32\WSOCK32.dll
672D0000   Module C:\Windows\system32\d3d9.dll
6F840000   Module C:\Windows\system32\d3d8thk.dll
74550000   Module C:\Windows\system32\dwmapi.dll
5E7B0000   Module C:\Users\Glenn\Desktop\Binaries\d3dx9_41.dll
6EBB0000   Module C:\Windows\system32\DINPUT8.dll
09180000   Module C:\Users\Glenn\Desktop\Binaries\XINPUT1_3.dll
028482B0   Hardware breakpoint 2 at TERA.028482B0
00401000   Problems when disabling memory breakpoint:
00401000     Access to memory changed from RE to RWE (original RWECopy)
0284C2C3   Memory breakpoint when writing to [00401000]
 
           284C2C3 - REP MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[ESI]
0284C2C5   Breakpoint at TERA.0284C2C5
026493F7   New thread with ID 00000EBC created
03DA02AF   Breakpoint at 03DA02AF
 
           First Found 4 Magic Jumps!
           ------------------------------
           MJ_1: 028600F3
           MJ_2: 02860101
           MJ_3: 0286010F
           MJ_4: 0286011D
           ------------------------------
 
           Modern TM WL Version Found!
 
 
           --------  IAT RD DATA  ---------
 
           27A5028 - CMP R32, 10000
 
           285FEAD - Prevent Crasher
 
           28600F3 - Prevent IAT RD
           2860101 - Prevent IAT RD
           286010F - Prevent IAT RD
           286011D - Prevent IAT RD
           --------------------------------
 
028600F3   Hardware breakpoint 2 at TERA.028600F3
 
           ----- First API In EAX -----
           API ADDR: 89DCB70 | MODULE NAME: dbghelp | API NAME: SymInitialize
           ----------------------------
 
           MJs and Nopper was patched!
 
 
           IAT LOG & COUNT WAS SET!
 
 
           IAT WAS MANUALLY PATCHED!
0285FD5D   Hardware breakpoint 2 at TERA.0285FD5D
02860D07   Hardware breakpoint 1 at TERA.02860D07
 
           It can be that the VM OEP can not found yet at this moment!
           In some cases the WL code is not created at this late point!
           So if the created VM OEP data will fail then use the real OEP!
           Or find the VM OEP manually!
           Come close at the end and find VM On/Off switch!
           Do Input 1 / Output 0 steps via HWBP write!
           Test on CISC first - MemBPWrite Code = REP DW [EDI],[ESI]
           Now set HWBP on GetProcessHeap and return = close at the end!
           VM OEP = Align + Pre Push (TIGER & FISH VM Only) VM + Push + JMP Handler!
           For newer version you need to use Align to EBP before entering the VM!
           Find that later created commands at OEP in WL section...
           MOV R32,R32 | ADD R32,R32 | JMP R32
           Break on the founds and trace forward till Handler start and check push values!
           Check out my video to see a exsample about it!
 
           2.) RISC VM SIGN FOUND!
09280193   Breakpoint at 09280193
           Possible VM OEP STOP FOUND AT: 278CEC7
0278CEC7   Breakpoint at TERA.0278CEC7
           00000454
           00200206
0278CEC7   Breakpoint at TERA.0278CEC7
           0000026E
           00200202
0278CEC7   Breakpoint at TERA.0278CEC7
           00000454
           00200206
0278CEC7   Breakpoint at TERA.0278CEC7
           0000026E
           00200203
0278CEC7   Breakpoint at TERA.0278CEC7
           00000454
           00200216
0278CEC7   Breakpoint at TERA.0278CEC7
           00000454
           00200212
0278CEC7   Breakpoint at TERA.0278CEC7
           0000026E
           00200202
0278CEC7   Breakpoint at TERA.0278CEC7
           0000026E
           00200202
0278CEC7   Breakpoint at TERA.0278CEC7
           0000026E
           00200202
0278CEC7   Breakpoint at TERA.0278CEC7
           0000026E
           00200A07
0278CEC7   Breakpoint at TERA.0278CEC7
           0000026E
           00200A07
0278CEC7   Breakpoint at TERA.0278CEC7
           0000026E
           00200202
03D90033   Hardware breakpoint 1 at 03D90033
77792EBC   Hardware breakpoint 2 at ntdll.77792EBC
 
           Heap One was redirected!
0278CEC7   Breakpoint at TERA.0278CEC7
           0000026E
           00200246
0278CEC7   Breakpoint at TERA.0278CEC7
           0000026E
           00200246
03D90033   Hardware breakpoint 1 at 03D90033
77792EBC   Hardware breakpoint 2 at ntdll.77792EBC
 
           Heap Two was redirected!
0278CEC7   Breakpoint at TERA.0278CEC7
           0000026E
           00200246
0278CEC7   Breakpoint at TERA.0278CEC7
           0000026E
           00200246
0278CEC7   Breakpoint at TERA.0278CEC7
           00000454
           00200202
0278CEC7   Breakpoint at TERA.0278CEC7
           00000454
           00200212
0278CEC7   Breakpoint at TERA.0278CEC7
           0000026E
           00200202
0278CEC7   Breakpoint at TERA.0278CEC7
           00000454
           00200216
019A6EF6   Memory breakpoint when executing [019A6EF6]
 
           FOUND_API_COUNTS: 000002E7
09260174   Breakpoint at 09260174
 
           Problem!Logged API was not found in Code!
           ++++++++++++++++++++++++++++++++++
           Search Section: 00401000
           Search End    : 02634FF0
 
           API_TOP: 092A0010
           API_END: 092A0BAC
 
           API_ADDR: 60D42F30
           API_ADDR: 77194C7D
 
           FOUND_API_COUNTS: 000002E7
 
           API_TOP_NAME: 00000000
           API_END_NAME: IMM32.ImmSetConversionStatus
           ++++++++++++++++++++++++++++++++++
 
           No API in eax register!!!!
 

I also followed the instructions of the Asian Dragon video I found here: https://forum.tuts4you.com/topic/36822-unpacking-themida-help/

I am puzzled. When I run 1.0 I get it unpacked, but it says OEP not found, manually change push and jump; however, it also says that in the Asian Dragon video and it still works there.

It took me tens of hours to get here (I was really new and had to follow some tuts). Could anyone set me on the right track (tell me what's wrong and maybe whether I can fix it)?

Thanks
