Title: Themida v2.x Unpack
Posted by: ByJørGe on 15 November 2018, 20:48 pm

Hi! This DLL is protected with Themida v2.x. I would like to know if you could help me remove that protection; the DLL contains certain functions I need. I tried watching videos and tutorials on unpacking Themida, but none of them worked for me. I know I will find people here with a high level of skill in unpacking protections. I would be very grateful :)

DLL download link: https://www.sendspace.com/file/9bcihv

[image] https://scontent.flim1-2.fna.fbcdn.net/v/t1.0-9/46389052_1914077478899822_6151957944717017088_n.jpg?_nc_cat=110&_nc_ht=scontent.flim1-2.fna&oh=2864aad09e727cd1795826833504c542&oe=5C7460DB

Title: Re: Themida v2.x Unpack
Posted by: Geovane on 15 November 2018, 20:55 pm

Hi, you can download wiatrace.dll from the web. You can also download it from memory, to remove Themida. Regards

Title: Re: Themida v2.x Unpack
Posted by: ByJørGe on 15 November 2018, 21:11 pm

> Hi, you can download wiatrace.dll from the web. You can also download it from memory, to remove Themida. Regards

Hi, I did not quite understand what you said. What do you mean, download it from memory?

Title: Re: Themida v2.x Unpack
Posted by: MCKSys Argentina on 15 November 2018, 21:59 pm

Hi!

wiatrace.dll is a Windows DLL (located in System32). Unless the program ships a DLL with the same name, it should not be protected. Check whether the exports match. Maybe you do not have to unpack anything...

Regards!

Title: Re: Themida v2.x Unpack
Posted by: Geovane on 15 November 2018, 22:31 pm

> Hi, I did not quite understand what you said. What do you mean, download it from memory?

Hi, if you have the program that uses this DLL, you can dump the DLL. If it is packed, it will decompress; it does not run, but you can analyze the functions statically.

Title: Re: Themida v2.x Unpack
Posted by: ByJørGe on 16 November 2018, 00:06 am

> Hi! wiatrace.dll is a Windows DLL (located in System32). Unless the program ships a DLL with the same name, it should not be protected. Check whether the exports match. Maybe you do not have to unpack anything... Regards!

Hi, the DLL is not actually called wiatrace.dll; the creator of that DLL just gave it that name to be confusing :)

Title: Re: Themida v2.x Unpack
Posted by: ByJørGe on 16 November 2018, 00:08 am

> Hi, if you have the program that uses this DLL, you can dump the DLL. If it is packed, it will decompress; it does not run, but you can analyze the functions statically.

Geovane, I sent you a PM!

Title: Re: Themida v2.x Unpack
Posted by: Geovane on 16 November 2018, 00:56 am

Hi

https://1drv.ms/u/s!Atrdu75vJCB1h21lNh97xC4hLXvv

It is in the C language. Maybe you will find functions.

Regards

info.....

    filename: wiatrace.dll
    DOS-stub: 232 bytes
    built for machine: Intel 80386 processor (32-bit-word machine)
    Bytes of machine word are not reversed
    Relocation info not stripped
    Line nunbers not stripped
    Local symbols not stripped
    Debugging info not stripped
    need not copy to swapfile if run from removable media
    need not copy to swapfile if run from network
    runs on MP or UP machine
    working set trimmed normaly
    executable file
    not a system file
    File is a DLL
    do not notify on ProcAttach
    do not notify on ThreadAttach
    do not notify on ProcDetach
    do not notify on ThreadDetach
    0 entries in symbol table
    5 sections
    created (GMT): Fri Oct 30 02:40:18 2015
    Linker version: 12.10
    .text start: 0x1000, length: 10752 bytes
    .data start: 0x4000, length: 4096 bytes
    .bss  start: -/-, length: 0 bytes
    execution starts at 0x2310
    Preferred load base is 0x10000000
    Image size in RAM: 32 KB
    Sections aligned to 4096 bytes in RAM, 512 bytes in file
    Versions: NT 10.0, Win32 10.0, App 10.0
    Checksum: 0x0000b462
    uses Win32 graphical subsystem
    Stack: 256 KB reserved, 4 KB committed
    Heap: 1024 KB reserved, 4 KB committed
    Size of headers / offset to sections in file: 0x400

    ".text" (virt. Size/Address: 0x295f)
      10752 bytes at offset 0x1000 in RAM, 0x400 in file
      contains code
      default alignment (16 bytes)
      is executable
      is readable
      at offset 0x1310: execution start
      at offset 0x2820 (319 bytes): Export Directory
        module name: "wiatrace.dll"
        created (GMT): Fri Oct 30 01:38:31 2015
        version: 0.0
        8 exported functions, list at 3848
        8 exported names, list at 3868
        Ordinal base: 1
        Ord. Hint Name
        ---- ---- ----
           1    0 WIATRACE_DecrementIndentLevel
           2    1 WIATRACE_GetIndentLevel
           3    2 WIATRACE_GetTraceSettings
           4    3 WIATRACE_IncrementIndentLevel
           5    4 WIATRACE_Init
           6    5 WIATRACE_OutputString
           7    6 WIATRACE_SetTraceSettings
           8    7 WIATRACE_Term
      at offset 0x1d0 (56 bytes): Debug Directory
      at offset 0x228 (104 bytes): Load Configuration Directory

    ".data" (virt. Size/Address: 0x364)
      512 bytes at offset 0x4000 in RAM, 0x2e00 in file
      contains initialized data
      default alignment (16 bytes)
      is readable
      is writeable

    ".idata" (virt. Size/Address: 0x396)
      1024 bytes at offset 0x5000 in RAM, 0x3000 in file
      contains initialized data
      default alignment (16 bytes)
      is readable
      at offset 0x8c (60 bytes): Import Directory
        from "msvcrt.dll": not bound
          name table at 0x5128, address table at 0x5060
          hint name
          ---- ----
           362 _except_handler4_common
           488 _initterm
          1277 malloc
          1221 free
           273 _amsg_exit
           111 _XcptFilter
           874 _splitpath_s
           998 _vsnprintf
          1293 memset
        from "KERNEL32.dll": not bound
          name table at 0x50c8, address table at 0x5000
          hint name
          ---- ----
          1290 SetFilePointerEx
          1393 TerminateProcess
           522 GetCurrentProcess
          1363 SetUnhandledExceptionFilter
          1426 UnhandledExceptionFilter
           758 GetTickCount
           729 GetSystemTimeAsFileTime
           527 GetCurrentThreadId
          1078 QueryPerformanceCounter
          1378 Sleep
          1413 TlsGetValue
          1412 TlsFree
          1411 TlsAlloc
          1414 TlsSetValue
           594 GetLocalTime
           340 ExpandEnvironmentStringsA
           611 GetModuleFileNameA
           523 GetCurrentProcessId
          1468 WaitForSingleObject
          1271 SetEndOfFile
          1524 WriteFile
          1176 ReleaseMutex
           157 CopyFileA
      at offset 0 (136 bytes): Import Address Table

    ".rsrc" (virt. Size/Address: 0x3f0)
      1024 bytes at offset 0x6000 in RAM, 0x3400 in file
      contains initialized data
      default alignment (16 bytes)
      is readable
      at offset 0 (1008 bytes): Resource Directory
        version: 0.0, created (GMT): Thu Jan 1 00:00:00 1970
        version info, version: 0.0, created (GMT): Thu Jan 1 00:00:00 1970
          id: 0x1, version: 0.0, created (GMT): Thu Jan 1 00:00:00 1970
            id: 0x409, English (United States), 912 bytes from 0x6060, codepage 0x0000

    ".reloc" (virt. Size/Address: 0x254)
      1024 bytes at offset 0x7000 in RAM, 0x3800 in file
      contains initialized data
      default alignment (16 bytes)
      can be discarded
      is readable
      at offset 0 (596 bytes): Base Relocation Table (relocations skipped)

    Version Info:
      File Version: 10.0.10586.0
      Product Version: 10.0.10586.0
      Flags: (none)
      OS: Win32 on NT
      Type: Exe
      - Inglês (Estados Unidos)
        CompanyName     : Microsoft Corporation
        FileDescription : WIA Tracing
        FileVersion     : 10.0.10586.0 (th2_release.151029-1700)
        InternalName    : WIA Tracing
        LegalCopyright  : © Microsoft Corporation. All rights reserved.
        OriginalFilename: WIATRACE.DLL
        ProductName     : Microsoft© Windows© Operating System
        ProductVersion  : 10.0.10586.0

Title: Re: Themida v2.x Unpack
Posted by: ByJørGe on 16 November 2018, 02:05 am

> Hi
> https://1drv.ms/u/s!Atrdu75vJCB1h21lNh97xC4hLXvv
> It is in the C language. Maybe you will find functions.
> Regards
> info.....
> [PE dump quoted from the post above]

I sent you a PM again, let's talk there!

Title: Re: Themida v2.x Unpack
Posted by: ByJørGe on 16 November 2018, 02:49 am

If someone can unpack it and send it to me, please, I would be eternally grateful :)

If someone can unpack it and can send it please I would appreciate it forever: |
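The check MCKSys suggested, comparing the file against the genuine Windows wiatrace.dll, as an added example that is not code from the thread: using only the standard library it reads the PE section table and entry point, compares them with the values from the dump posted above, and flags header traits that a packed image typically shows (executable sections with no data on disk, entry point outside .text). The `.pack0` layout is a constructed, hypothetical sample, not an actual Themida dump.

```python
import struct
from collections import namedtuple

Section = namedtuple("Section", "name vaddr vsize rawsize flags")
# Known-good layout of the genuine Windows wiatrace.dll, taken from the PE dump posted
# in the thread: section names in order and the AddressOfEntryPoint RVA.
GENUINE_SECTIONS = [".text", ".data", ".idata", ".rsrc", ".reloc"]
GENUINE_ENTRY = 0x2310

def parse_pe(data):
    """Return (entry_point_rva, [Section, ...]) read from the headers of a PE32 image."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    _, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)  # COFF header
    entry = struct.unpack_from("<I", data, e_lfanew + 40)[0]                            # AddressOfEntryPoint
    hdrs = [struct.unpack_from("<8sIIIIIIHHI", data, e_lfanew + 24 + opt_size + 40 * i) for i in range(nsec)]
    return entry, [Section(n.rstrip(b"\0").decode("ascii", "replace"), va, vs, raw, f)
                   for n, vs, va, raw, *_, f in hdrs]

def header_findings(data):
    """Compare a file claiming to be wiatrace.dll with the genuine layout; an empty list means it matches."""
    entry, sections = parse_pe(data)
    findings, names = [], [s.name for s in sections]
    if names != GENUINE_SECTIONS:
        findings.append(f"section layout {names} differs from genuine {GENUINE_SECTIONS}")
    if entry != GENUINE_ENTRY:
        findings.append(f"entry point {entry:#x} differs from genuine {GENUINE_ENTRY:#x}")
    for s in sections:
        if s.flags & 0x20000000 and s.rawsize == 0 and s.vsize:  # IMAGE_SCN_MEM_EXECUTE but nothing on disk
            findings.append(f"{s.name}: executable section with no data on disk (filled in at runtime)")
        if s.vaddr <= entry < s.vaddr + max(s.vsize, s.rawsize) and s.name != ".text":
            findings.append(f"entry point lies in {s.name}, not in .text")
    return findings

def build_pe(entry, sections):
    """Constructed sample: minimal PE32 headers only (no section bodies), enough for parse_pe()."""
    dos = b"MZ" + bytes(58) + struct.pack("<I", 64)                                  # e_lfanew = 64
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x2102)       # i386, DLL
    opt = struct.pack("<H14xI", 0x10B, entry).ljust(224, b"\0")                      # PE32 magic + entry
    tbl = b"".join(struct.pack("<8sIIIIIIHHI", s.name.encode().ljust(8, b"\0"), s.vsize, s.vaddr,
                               s.rawsize, 0, 0, 0, 0, 0, s.flags) for s in map(Section._make, sections))
    return dos + b"PE\0\0" + coff + opt + tbl

# Genuine layout (values from the thread's dump) and a constructed, hypothetical packed layout.
GENUINE = build_pe(0x2310, [(".text", 0x1000, 0x295F, 10752, 0x60000020), (".data", 0x4000, 0x364, 512, 0xC0000040),
                            (".idata", 0x5000, 0x396, 1024, 0x40000040), (".rsrc", 0x6000, 0x3F0, 1024, 0x40000040),
                            (".reloc", 0x7000, 0x254, 1024, 0x42000040)])
PACKED = build_pe(0x8100, [(".text", 0x1000, 0x295F, 0, 0x60000020), (".rsrc", 0x6000, 0x3F0, 1024, 0x40000040),
                           (".pack0", 0x8000, 0x40000, 0x40000, 0xE0000060)])
```

Run `header_findings(open("wiatrace.dll", "rb").read())` on a real file; an empty list means the headers match the genuine DLL, a non-empty list is the point where, as MCKSys said, an exports comparison rather than unpacking is the next step.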