Themida - Help required

Hello,

I have been trying to use Themida with the following code but I just don't seem to get it right.

I am using XBundler with the attached configuration.

ExtractType[1]="Never write to disk"
ExtractType[2]="Never write to disk"
FileName[1]="D:\tools\psexec.exe"
FileName[2]="D:\tools\POC.exe"

Below are the two scripts which are being used.

This code is being protected by Themida

#Region ;**** Directives created by AutoIt3Wrapper_GUI ****
#AutoIt3Wrapper_UseUpx=n
#EndRegion ;**** Directives created by AutoIt3Wrapper_GUI ****
#include<file.au3>
#include<array.au3>
$array = _FileListToArray(@ScriptDir)
_ArrayDisplay($array)
$var = RunWait(@ComSpec & " /c psexec.exe /accepteula -s -i -d POC.exe", @ScriptDir, @SW_SHOW)
MsgBox(0, '1', $var & @CRLF & @error)
$var = RunWait(@ComSpec & " /c poc.exe", @ScriptDir, @SW_SHOW)
MsgBox(0, '2', $var & @CRLF & @error)

This code is called by the protected exe, whose conf has been displayed above.

#Region ;**** Directives created by AutoIt3Wrapper_GUI ****
#AutoIt3Wrapper_outfile=D:\tools\POC.exe
#AutoIt3Wrapper_Compression=4
#EndRegion ;**** Directives created by AutoIt3Wrapper_GUI ****
$var1=Run(@ComSpec & " /c  calc", @ScriptDir, @SW_SHOW)
FileWriteLine('c:\ac.log',$var1)

Can anyone help me in resolving this issue? I need to execute the exes which are a part of XBundler.

Regards

DeltaRocked

[EDIT/UPDATE]

It seems ShellExecute, ShellExecuteWait, Run and RunWait are unable to find the file which has been bundled by XBundler. But _FileListToArray is able to view the files.

I think opening the file in read mode and then executing it directly in memory will do the trick... hmmmm... writing my thoughts aloud: I think there is a UDF available... need to find it... and understand how to use it...

:D No Shortcuts...

[EDIT/UPDATE]

Found the UDF... it's by TranceXX, runBinary.au3... but struggling with the code execution from within Themida... :oops:

Any Help ?

Edited by deltarocked

Well, I skimmed the Themida/XBundler Trial help files. The help files didn't help me understand how Themida/XBundler work exactly, although a virtual machine was mentioned. If you can tell me exactly how the code is "protected" I could probably help, or you can try using Sysinternals/NirSoft tools. Also, why isn't the obfuscator (included in the full SciTE4AutoIt) good enough?

My UDFs are generally for me. If they aren't updated for a while, it means I'm not using them myself. As soon as I start using them again, they'll get updated.


The code is not protected but the exe is...

Why is the code not protected? Because code protection is available for C, C++, Delphi etc. and not for AutoIt.

[EDIT/UPDATE]

XBundler will bundle up DLLs and other files but not exes. So I have to find some other way...

Edited by deltarocked

  • 2 weeks later...
  • 3 months later...

You can protect autoit programs too if you manipulate the exe a little. Steps required:

  • Compile the script to an exe.
  • Extract the encoded script which is found right after the end of the resource section, and save it.
  • Delete the encoded script from the exe.
  • Open the exe in a PE editor and add the encoded script as a new section.
  • Protect the exe with Themida.

Recommended PE editor: http://www.cgsoftlabs.ro/studpe.html

I verified this working with a 3 year old version of Themida.

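The layout the last post relies on, script data stored in the file after the end of the last section, can be checked from the PE headers when triaging an executable. This is an added example, not code from the thread: a Python script that reports where section data ends and how many bytes follow it. The sample image is constructed, and it assumes (as the post implies) that the resource section is the last one in the file.

```python
import struct

def find_overlay(data: bytes):
    """Return (offset, size) of the bytes that follow the last section's raw data."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)          # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    (num_sections,) = struct.unpack_from("<H", data, pe_off + 6)
    (opt_size,) = struct.unpack_from("<H", data, pe_off + 20)
    table = pe_off + 24 + opt_size                            # first section header
    end = 0
    for i in range(num_sections):
        # Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData
        _name, _vsize, _va, raw_size, raw_ptr = struct.unpack_from(
            "<8sIIII", data, table + 40 * i)
        if raw_size:                                          # skip sections with no file data
            end = max(end, raw_ptr + raw_size)
    # An Authenticode signature is also stored past the sections, so a signed
    # file reports an overlay too; compare against the security directory.
    return end, max(0, len(data) - end)

def build_sample(overlay: bytes) -> bytes:
    """Constructed, non-loadable PE image: one .rsrc section at 0x200, then overlay."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)        # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x102)
    opt = struct.pack("<H", 0x10B) + b"\0" * 0xDE             # PE32 magic, rest zeroed
    sec = struct.pack("<8sIIIIIIHHI", b".rsrc", 0x200, 0x1000,
                      0x200, 0x200, 0, 0, 0, 0, 0x40000040)
    headers = (dos + b"PE\0\0" + coff + opt + sec).ljust(0x200, b"\0")
    return headers + b"R" * 0x200 + overlay

if __name__ == "__main__":
    offset, size = find_overlay(build_sample(b"SCRIPTDATA"))  # constructed overlay bytes
    print(f"section data ends at 0x{offset:X}, {size} byte(s) appended after it")
```

A non-zero size on an unsigned executable means something is appended to the image; after the steps in the post the same data would instead show up as an extra entry in the section table.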
