bobalkkagi - Themida 3.1.3 static unpacker and unwrapper
# TEAM Bobalkkagi
BOB11 project
Unpacking, unwrapping and devirtualization (not yet implemented) of programs packed with Themida 3.1.3 (Tiger red64)
### API Hook
API hooks are based on the Windows 10 v1903 DLL set (win10_v1903)
## How to
### Install
```
pip install bobalkkagi
```
**or**
```
pip install git+https://github.com/bobalkkagi/bobalkkagi.git
```
### Notes
The default DLL folder (win10_v1903) is needed, or you can pass your own DLL folder path with `--dllPath`.
The win10_v1903 folder is available at https://github.com/bobalkkagi/bobalkkagi
### Use
```
NAME
    bobalkkagi

SYNOPSIS
    bobalkkagi PROTECTEDFILE <flags>

POSITIONAL ARGUMENTS
    PROTECTEDFILE
        Type: str

FLAGS
    --mode=MODE
        Type: str
        Default: 'f'
    --verbose=VERBOSE
        Type: str
        Default: 'f'
    --dllPath=DLLPATH
        Type: str
        Default: 'win10_v1903'
    --oep=OEP
        Type: str
        Default: 't'
    --debugger=DEBUGGER
        Type: str
        Default: 'f'

NOTES
    You can also use flags syntax for POSITIONAL ARGUMENTS
```
### Option Description
---
#### Mode: f, c, b
---
Description: `mode` selects the emulation mode. We implement only the APIs needed to unpack executables protected by Themida 3.1.3.
In **fast mode** (`f`) RIP is compared only with the hooked API function areas, each 32 bytes (0x20) in size, whereas **hook_block mode** (`b`) and **hook_code mode** (`c`) compare RIP with all mapped DLL memory (at least 0x1000000 bytes) to identify functions. Block mode emulates one block at a time (up to the next call or jmp); code mode does it opcode by opcode.
#### verbose
---
**verbose** shows the DLLs loaded into memory. We will update it to turn hooked API call info on or off.
#### dllPath
---
**dllPath** is the directory containing the DLLs to load into memory. DLLs differ between Windows versions, so this tool may not work with the DLLs from your own Windows system path (C:\Windows\System32).
#### oep
---
**oep** controls whether to search for the original entry point. If you turn this option off, you can keep emulating the program after the OEP
**(fast mode can't do this; it works only in hook_block and hook_code modes)**
#### debugger
---
If you want to unpack another protector or a different version of Themida, you need to add the necessary hook_api functions (anti-debugging, handles, syscalls). You can analyze the protected program in hook_code or hook_block mode (see https://github.com/unicorn-engine/unicorn for details) using the **debugger option (works only in hook_code mode!)**.
https://github.com/bobalkkagi/bobalkkagi This looks pretty impressive?
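To make the difference between the three modes concrete, here is an added example (not code from the bobalkkagi project) that models in plain Python how an emulation hook decides whether RIP has reached an API: fast mode checks only each hooked API's 0x20 window, while hook_block and hook_code check all mapped DLL memory and so also report exports that have no hook_api function yet, which is the gap the debugger section tells you to fill. The DLL bases, export RVAs, hook set and RIP trace are all constructed; the real tool does this inside Unicorn hook callbacks.

```python
from collections import namedtuple

HOOK_AREA = 0x20  # fast mode matches RIP within a 32-byte window per hooked API
DllMap = namedtuple("DllMap", "name base size exports")  # exports: name -> RVA

# Constructed layout (not real offsets): two mapped DLLs, hooks for two exports only.
DLLS = [
    DllMap("kernel32.dll", 0x7FF800000000, 0x1000000,
           {"GetProcAddress": 0x1A20, "VirtualProtect": 0x2B40}),
    DllMap("ntdll.dll", 0x7FF900000000, 0x1000000,
           {"NtQueryInformationProcess": 0x4C00}),
]
HOOKED_APIS = {"GetProcAddress", "VirtualProtect"}  # hook_api functions implemented

def hooked_api_table(dlls):
    """Absolute address -> API name for every export that has a hook."""
    return {d.base + rva: n for d in dlls for n, rva in d.exports.items() if n in HOOKED_APIS}

def resolve_fast(rip, table):
    """Mode 'f': compare RIP only against each hooked API's 0x20 window."""
    for addr, name in table.items():
        if addr <= rip < addr + HOOK_AREA:
            return name
    return None

def resolve_full(rip, dlls):
    """Modes 'b'/'c': check every mapped DLL region, then resolve the export; bool = hook exists."""
    for d in dlls:
        if d.base <= rip < d.base + d.size:
            for name, rva in d.exports.items():
                if d.base + rva == rip:
                    return (name, name in HOOKED_APIS)
            return (f"{d.name}+{rip - d.base:#x}", False)  # inside a DLL, not an export
    return None

def run_trace(mode, trace, dlls=DLLS):
    """Replay (rip, is_block_start) pairs; 'b' only sees block starts, 'c' every instruction."""
    table = hooked_api_table(dlls)
    events = []
    for rip, is_block_start in trace:
        if mode == "b" and not is_block_start:
            continue  # a block hook never sees mid-block instructions
        hit = resolve_fast(rip, table) if mode == "f" else resolve_full(rip, dlls)
        if hit is not None:
            events.append((rip, hit))
    return events

# Constructed RIP trace: image code, a hooked API call, then an unhooked ntdll call.
TRACE = [(0x140001000, True), (0x7FF800001A20, True),      # protected image, then GetProcAddress
         (0x7FF900004C00, True), (0x7FF900004C03, False)]  # NtQueryInformationProcess and its next insn
```

Fast mode never reports the ntdll call at all, so a missing hook shows up only as an emulation that silently goes wrong; the full modes name the unhooked export.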
Haha, thanks for sharing, dear OP.
Good stuff, good stuff, thanks for sharing.
Thanks for sharing.
It doesn't even say how to run it; I got the thing and was completely lost.