DeltaRocked

Themida - Help required

5 posts in this topic

#1 ·  Posted (edited)

Hello,

I have been trying to use Themida with the following code but I just don't seem to get it right.

I am using XBundler with the attached configuration.

ExtractType[1]="Never write to disk"
ExtractType[2]="Never write to disk"
FileName[1]="D:\tools\psexec.exe"
FileName[2]="D:\tools\POC.exe"

Below are the two scripts which are being used.

This code is being protected by Themida

#Region ;**** Directives created by AutoIt3Wrapper_GUI ****
#AutoIt3Wrapper_UseUpx=n
#EndRegion ;**** Directives created by AutoIt3Wrapper_GUI ****
#include<file.au3>
#include<array.au3>
$array = _FileListToArray(@ScriptDir)
_ArrayDisplay($array)
$var = RunWait(@ComSpec & " /c psexec.exe /accepteula -s -i -d POC.exe", @ScriptDir, @SW_SHOW)
MsgBox(0, '1', $var & @CRLF & @error)
$var = RunWait(@ComSpec & " /c poc.exe", @ScriptDir, @SW_SHOW)
MsgBox(0, '2', $var & @CRLF & @error)

This code is called by the protected exe, whose conf has been displayed above.

#Region ;**** Directives created by AutoIt3Wrapper_GUI ****
#AutoIt3Wrapper_outfile=D:\tools\POC.exe
#AutoIt3Wrapper_Compression=4
#EndRegion ;**** Directives created by AutoIt3Wrapper_GUI ****
$var1=Run(@ComSpec & " /c  calc", @ScriptDir, @SW_SHOW)
FileWriteLine('c:\ac.log',$var1)

Can anyone help me in resolving this issue, as I need to execute the exes which are a part of XBundler?

Regards

DeltaRocked

[EDIT/UPDATE]

It seems ShellExecute, ShellExecuteWait, Run and RunWait are unable to find the file which has been bundled by XBundler. But _FileListToArray is able to view the files.

I think, opening the file in read mode and then executing it directly in memory will do the trick... hmmmm ... writing my thoughts aloud --- I think there is a UDF available.... need to find it... and understand how to use it....

:D No Shortcuts...

[EDIT/UPDATE]

Found the UDF .... it's by TranceXX, runBinary.au3 .... but struggling with the code execution from within Themida .... :oops:

Any help?

Edited by deltarocked

Well, I skimmed the Themida/XBundler Trial help files. The help files didn't help me understand how Themida/XBundler work exactly, although a virtual machine was mentioned. If you can tell me exactly how the code is "protected" I could probably help, or you can try using Sysinternals/NirSoft tools. Also, why isn't the obfuscator (included in the full SciTE4AutoIt) good enough?


#3 ·  Posted (edited)

The code is not protected but the exe is....

Why is the code not protected? Because code protection is available for C, C++, Delphi etc. and not for AutoIt.

[EDIT/UPDATE]

XBundler will bundle up DLLs and other files but not exes. So I have to find some other way ....

Edited by deltarocked


It seems there is no way to execute an exe created with AutoIt in memory

.... and my troubles are far from over....


You can protect AutoIt programs too if you manipulate the exe a little. Steps required:

  • Compile the script to an exe.
  • Extract the encoded script which is found right after the end of the resource section, and save it.
  • Delete the encoded script from the exe.
  • Open the exe in a PE editor and add the encoded script as a new section.
  • Protect the exe with Themida.
Recommended PE editor: http://www.cgsoftlabs.ro/studpe.html

I verified this working with a 3-year-old version of Themida.
