Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Themida 2.3 #18

Open
i486 opened this issue May 16, 2024 · 1 comment
Open

Themida 2.3 #18

i486 opened this issue May 16, 2024 · 1 comment

Comments

@i486
Copy link

i486 commented May 16, 2024

Libraries: https://sourceforge.net/projects/x64dbg/files/snapshots/snapshot_2024-01-06_21-29.zip
Target: x32dbg.zip

image
@Hendi48
Copy link
Owner

Hendi48 commented Jun 5, 2024

This target has been quite painful, I might just stop to be honest.

  • Debugger detection is pretty strict. Scylla's hooks are detected, so it must not be used. Magicmida's built-in bypasses work, but only on a 64-bit host.
  • The usual way of preventing IAT wrapping doesn't work, possibly because this target only imports a single DLL and the code path that is forced by the patch is not taken during normal execution.
  • The IAT code that crashes on said code path is doubly virtualized, which is an extreme pain to deal with.

I see a potential different way to fix the IAT stuff, but it'd require adding option switches to the unpacker, since it doesn't seem possible to determine beforehand whether the different way needs to be applied.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@i486 @Hendi48