
[Help] Unpacking AeriaGunZ [Themida v2.x]



Ixeman
12-25-2012, 08:08 AM
Ok so here's the dealio, I'm having trouble unpacking this Themida v2.x packed file as seen here:

http://i49.tinypic.com/35jf2gj.png

I'm using OllyDbg v1.10; here are the settings:
I'm also running on Windows 7 64-bit Ultimate SP1

http://i47.tinypic.com/35i6kg4.png


Here's my olly plugin I'm using to bypass debugger detections (anti debuggers):

http://i49.tinypic.com/ffa54n.png


So what I've researched and looked into was that first, you need to evade the anti-debugging. So as of now, I believe that works.
The issue I'm having is getting near or finding the OEP.

So the first step I'm doing is, of course, setting a breakpoint on ZwFreeVirtualMemory: http://msdn.microsoft.com/en-us/library/windows/hardware/ff566460%28v=vs.85%29.aspx

The ZwFreeVirtualMemory routine releases, decommits, or both, a region of pages within the virtual address space of a specified process.


NTSTATUS ZwFreeVirtualMemory(
    _In_    HANDLE  ProcessHandle,
    _Inout_ PVOID   *BaseAddress,
    _Inout_ PSIZE_T RegionSize,
    _In_    ULONG   FreeType
);


So what we want is the dump of Gunz.exe from memory. For Gunz.exe to properly run, it must unpack itself and execute in memory. So logically, we would want to get the dump of it from memory because it's unpacked in memory, right?
So that's why you would breakpoint ZwFreeVirtualMemory, because it would copy the unpacked executable into memory, right? So after setting the breakpoint, I would run it once (Shift+F9). Here's an image so you can follow:

http://i49.tinypic.com/sesgig.png

I press Shift+F9 two times and get to the module entry point (I SELECT NO, since from what I've heard that is junk):
http://i45.tinypic.com/2h3pslg.png

Shift+F9 one more time and the breakpoint hits at ZwFreeVirtualMemory, and you can see that "ntice.sys" is being looked for/at?:
http://i50.tinypic.com/25pgzl0.png

I Shift+F9 a couple more times and more drivers are being looked at consecutively: iceext.sys, syser.sys, HanOlly.sys, extrem.sys, FRDTSC.sys, fengyue.sys.
I'm assuming here that it's checking for debuggers.

Then, I'll Shift+F9 one more time and I notice that user32.FindWindowA is called for some odd reason:
http://i48.tinypic.com/av0sjs.png

I'm guessing it's still checking for debuggers too. I double-checked by turning off the anti-debugger plugin, and when FindWindowA is called, the Themida "Detecting a debugger" message box pops up.

So enabling the plugin lets me go further. So now when I run through it, EBX is the only thing that changes (it increments by 2000). Example:


ECX F3EA0000
EDX 0008E3C8
EBX 00012000
ESP 0018FE58
EBP 0018FEA0
ESI 0018FF10
EDI 00000000
EIP 7703FB4D ntdll.7703FB4D


When I run through that a few more times, all of a sudden 5 registers change:
http://i45.tinypic.com/4i3gh.png

Then I Shift+F9 once more and notice a weird ASCII string: "hjz"
http://i47.tinypic.com/jutq8o.png


Well, that's all I've got so far. I'm not sure when to breakpoint the .code section to get near the OEP. Suggestions, advice, info would be appreciated. Thanks.

Ixeman
12-25-2012, 09:40 AM
I noticed that when you're in the reverse engineering category, I named the thread "Unpacking AeriaGunz" by mistake; it's misleading. It should be "[HELP]". I changed it in the edit thread options but it doesn't show up when you're in the RE category. If someone can fix it, it'd be awesome. I don't wanna give people the wrong idea ha

Departure
12-25-2012, 09:10 PM
Ixeman, you have the right idea with general packers, but Themida is a little different in that it won't unpack the code until it's needed, and it uses a virtual machine to execute the code once unpacked. I personally have not played much with Themida, and if I had to I would first try to use an OllyScript for Themida if I needed to unpack it, BUT... even after getting it unpacked and dumped you will still need to rebuild the invalid import tables. LCF-AT made some scripts, and I think there is also a modded OllyDbg version floating around designed for Themida and WinLicense. Here is the script with video tutorials:

http://forum.tuts4you.com/topic/25554-themida-winlicense-1x-2x-multi-pro-edition-12/

Ixeman
12-26-2012, 02:52 AM
@Departure
Thanks for the reply! Ahh, I read about some virtualization-related stuff going on with Themida too but wasn't quite sure of the purpose. Yeah, rebuilding the import tables seems like the easiest part; just trying to get the OEP and then calculating the size of the sections makes it easier, from what I've read. When I get time, I'll try the script and update the thread. Thanks Departure.

Ixeman
01-11-2013, 10:18 PM
Well, I was able to dump the memory image with imports and all, just as before the rootkit anti-cheat loaded itself, but the only problem is that a lot of its imports are missing besides a few. I'm guessing some bytes were virtualized or stolen? Is that what happened?

Wessel
06-05-2013, 03:38 PM
Themida is using import redirection, so you should find the place where this happens and patch it.