
working with Themida & packed executables in general

YoungX7

floppy-disk
User
Joined
08.11.2022
Messages
8
Reactions
2
Sup, here to make some friends who share my interests. As my first post I'd like to discuss working with packed binaries; I'm open to discussing the best approaches on such matters, so let's start.
As y'all know, packed binaries are mostly used by enterprise software to protect it from reversing / patching, obfuscating the original code & anti-debugging.
But at the end of the day the final instructions will end up in memory, so my usual approach is running the packed program on a VM, then dumping the entire RAM of that VM while the program is executing, then analyzing the dumped file using volatility to extract the final asm code of the specific process.

First you want to make sure to start your VirtualBox VM with the debugging option:


Code:
 # --dbg is a switch of the VirtualBox GUI front-end (the "VirtualBox" binary), not of VBoxManage
 VirtualBox --startvm "VM Name" --dbg

You'll notice that whenever you try to execute the program on the VM, Themida will stop the program with an error message looking like this:

themida-error.png


I should note that I'm using VirtualBox for the sake of simplicity; there's a workaround for this so the program cannot detect it is a virtual machine, by modifying the following paths in the Windows registry.
Remember to back up the original keys.

Code:
 HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System

You're going to look for
Code:
VideoBiosVersion
and delete all the values that look similar to this:

Code:
Oracle VM VirtualBox Version 6.0.13 VGA BIOS
Oracle VM VirtualBox Version 6.0.13 VGA BIOS
Oracle VM VirtualBox Version 6.0.13
Oracle VM VirtualBox Version 6.0.13

Then you're going to find the following:

Code:
 HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__\VBOXBIOS

Here rename
Code:
VBOXBIOS
to something else, and restore its name when you're done to avoid messing up the VM.

After that the program seems to run fine:

dental-cad.png


Once the program is running, you're going to navigate to the top bar of your VM & click on the Debug button; you'll get something similar to this window:

vm-debug.png


The next step is dumping the entire RAM of the VM while the program is running, using the following command:

Code:
 .pgmphystofile 'dump.bin'

It will dump the entire VM memory to the chosen filename.
So now that we have the memory, we can use volatility to extract the code of a specific process from the dump we've obtained, to analyze it & make a keygen.

Another approach would be reconstructing the PE, as we have the extracted code.
I'd like to see your suggestions & your ways of approaching such situation.
 
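
An added example, not code from the poster or from any tool the thread names, covering the two last steps of the post above: finding the process image in the raw physical dump, and rebuilding a PE from a copy of the image as it sits in memory. Two things the post does not spell out: first, `dump.bin` is physical memory, so a page-aligned `MZ`/`PE` header only tells you a header page was resident; the rest of the image is scattered across physical pages, and recovering it needs the page tables (which is what volatility does when it walks the process list). Second, whatever you pull out of memory is laid out at SectionAlignment, and a packer normally leaves SizeOfRawData/PointerToRawData zeroed, so the dump is not a loadable file until the section table is rewritten so that raw offsets equal virtual addresses (the same fix Scylla applies). The PE fixture, the "physical dump" and every function name below are constructed for this example; the OEP and the import table, which a packer also destroys, are deliberately not repaired here.

```python
import struct

PAGE = 0x1000   # x86 page size: a physical-memory dump is scanned page by page


def align_up(value, alignment):
    return (value + alignment - 1) & ~(alignment - 1)


def locate_nt_headers(buf, base=0):
    """Validate the MZ/PE signatures at `base`; return the offset of 'PE\\0\\0'."""
    if buf[base:base + 2] != b"MZ":
        raise ValueError("no MZ signature at 0x%x" % base)
    e_lfanew = struct.unpack_from("<I", buf, base + 0x3C)[0]
    pe = base + e_lfanew
    if e_lfanew >= PAGE or buf[pe:pe + 4] != b"PE\0\0":   # keep the lookup inside the header page
        raise ValueError("no PE signature for MZ at 0x%x" % base)
    return pe


def section_table(buf, pe):
    """Parse the 40-byte section headers that follow the optional header."""
    nsec, opt_size = struct.unpack_from("<H", buf, pe + 6)[0], struct.unpack_from("<H", buf, pe + 20)[0]
    sections = []
    for i in range(nsec):
        off = pe + 24 + opt_size + i * 40
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", buf, off)
        sections.append(dict(name=name.rstrip(b"\0").decode("ascii", "replace"), hdr_off=off,
                             vsize=vsize, va=va, rawsize=rawsize, rawptr=rawptr))
    return sections


def is_pe_header(buf, off):
    try:
        locate_nt_headers(buf, off)
        return True
    except ValueError:
        return False


def carve_pe_headers(dump):
    """Page-aligned offsets of MZ/PE headers in a raw physical dump. Only that page is
    trustworthy: the rest of the image is scattered over physical pages, which is what a
    page-table-aware tool such as volatility resolves for you."""
    return [off for off in range(0, len(dump) - PAGE + 1, PAGE) if is_pe_header(dump, off)]


def rebuild_pe_from_memory_image(image):
    """Turn an image captured in its in-memory layout into a disk-layout PE: each section's
    raw pointer/size becomes its virtual address/size and FileAlignment is raised to
    SectionAlignment, so no bytes move. OEP and import table are NOT repaired here."""
    out = bytearray(image)
    pe = locate_nt_headers(out)
    opt = pe + 24
    sect_align = struct.unpack_from("<I", out, opt + 32)[0]
    struct.pack_into("<I", out, opt + 36, sect_align)                        # FileAlignment
    for s in section_table(out, pe):
        size = s["vsize"] or s["rawsize"]                                   # packers zero one of them
        raw_size = min(align_up(size, sect_align), len(out) - s["va"])
        struct.pack_into("<II", out, s["hdr_off"] + 16, raw_size, s["va"])  # SizeOfRawData, PointerToRawData
    struct.pack_into("<I", out, opt + 56, align_up(len(out), sect_align))   # SizeOfImage
    return bytes(out)


def disk_layout_is_consistent(buf):
    """Non-empty sections must have non-zero, file-aligned raw data that lies inside the file."""
    pe = locate_nt_headers(buf)
    file_align = struct.unpack_from("<I", buf, pe + 24 + 36)[0]
    for s in section_table(buf, pe):
        if s["vsize"] and (not s["rawsize"] or s["rawptr"] % file_align
                           or s["rawptr"] + s["rawsize"] > len(buf)):
            return False
    return True


def build_constructed_memory_image():
    """Constructed fixture, not a real binary: a minimal PE32+ image as a packer leaves it after
    unpacking, with section bodies at their VirtualAddress and raw size/pointer zeroed."""
    sections = [(b".text", 0x1000, b"\x48\x31\xc0\xc3", 0x60000020),        # xor rax,rax ; ret
                (b".data", 0x2000, b"serial-check-table\0", 0xC0000040)]
    image = bytearray(0x3000)
    image[0:2] = b"MZ"
    struct.pack_into("<I", image, 0x3C, 0x80)                               # e_lfanew
    pe, opt_size = 0x80, 240
    image[pe:pe + 4] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", image, pe + 4, 0x8664, len(sections), 0, 0, 0, opt_size, 0x22)
    opt = pe + 24
    struct.pack_into("<H", image, opt, 0x20B)                               # PE32+ magic
    struct.pack_into("<I", image, opt + 16, 0x1000)                         # AddressOfEntryPoint
    struct.pack_into("<II", image, opt + 32, 0x1000, 0x200)                 # SectionAlignment, FileAlignment
    struct.pack_into("<II", image, opt + 56, len(image), 0x400)             # SizeOfImage, SizeOfHeaders
    for i, (name, va, body, flags) in enumerate(sections):
        hdr = opt + opt_size + i * 40
        struct.pack_into("<8sIIII", image, hdr, name, len(body), va, 0, 0)
        struct.pack_into("<I", image, hdr + 36, flags)
        image[va:va + len(body)] = body
    return bytes(image)


def build_constructed_physical_dump():
    """Constructed stand-in for dump.bin: the image at a page-aligned offset among zero pages."""
    return bytes(PAGE * 5) + build_constructed_memory_image() + bytes(PAGE * 2)


if __name__ == "__main__":
    print("header pages:", [hex(o) for o in carve_pe_headers(build_constructed_physical_dump())])
    rebuilt = rebuild_pe_from_memory_image(build_constructed_memory_image())
    print([(s["name"], hex(s["rawptr"]), hex(s["rawsize"])) for s in section_table(rebuilt, locate_nt_headers(rebuilt))])
```

On a real `dump.bin` you would feed the per-process image volatility hands you (not the raw physical dump) into `rebuild_pe_from_memory_image`; `disk_layout_is_consistent` is the sanity check to run before loading the result in a disassembler, and it fails on the untouched memory image precisely because the raw sizes are zero.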
Afaik, Themida uses virtualized functions in the binary; often it uses multiple nested virtualization, so I don't think your approach de-virtualizes Themida. Is your method any different from dumping process memory with some debugger instead of dumping the whole VM?

That's another issue too, for sure, but in the end the virtualized instruction set can be analyzed. For your question: Themida uses anti-debugging; sure, there are some plugins for debuggers to bypass it, it's an approach after all. It would be interesting if I could make a tool to convert the virtualized instructions to the x86_64 set, for example. Is there any existing util that does that?
 
Yes, it would be interesting if you could manage to produce a generic solution for Themida virtual machines. If you're familiar with LLVM and compiler theory you may use VTIL (search on Google or GitHub if you will) in order to de-virtualize Themida.
 
Devirtualizing a modern Themida VM is leagues above anything covered in this post. It's already complex enough to do so in far inferior protectors (e.g. VMP), so you'd have to put a lot of time into it. In regards to tools, I'm not too sure if VTIL would cover your needs; it's been a while since I've touched it. You could try your luck writing your own devirtualization tools; there are some good projects out there to assist with deobfuscation.
 
This is very, very awful to do; just dumping the program with Scylla is the same :/
 

