
Unpack and unwrap executables protected with Themida 3.1.3, by BOB11_Bobalkkagi

Project description

TEAM Bobalkkagi

BOB11 project

Unpacking, unwrapping and devirtualization (devirtualization not yet implemented) of programs packed with Themida 3.1.3 (Tiger red64)

API Hook

The API hooks are based on the Windows 10 v1903 DLLs (win10_v1903)

How to

Install

pip install bobalkkagi

or

pip install git+https://github.com/hackerhoon/bobalkkagi.git

Notes

The default DLL folder (win10_v1903) is required, or you can pass your own DLL folder path with --dllPath

The win10_v1903 folder is in https://github.com/hackerhoon/bobalkkagi

Use

NAME
    bobalkkagi

SYNOPSIS
    bobalkkagi PROTECTEDFILE <flags>

POSITIONAL ARGUMENTS
    PROTECTEDFILE
        Type: str

FLAGS
    --mode=MODE
        Type: str
        Default: 'f'
    --verbose=VERBOSE
        Type: str
        Default: 'f'
    --dllPath=DLLPATH
        Type: str
        Default: 'win10_v1903'
    --oep=OEP
        Type: str
        Default: 't'
    --debugger=DEBUGGER
        Type: str
        Default: 'f'

NOTES
    You can also use flags syntax for POSITIONAL ARGUMENTS

Option Description


Mode: f[fast], c[hook_code], b[hook_block]


Description: selects the emulation mode. We implemented the APIs needed to unpack executables protected with Themida 3.1.3.

In fast mode, rip is compared only against the hooked API function areas (each 32 bytes, 0x20); in hook_block and hook_code modes, rip is compared against all mapped DLL memory (at least 0x1000000 bytes) to check which function is being called. Block mode emulates one block at a time (up to a call or jmp); code mode steps opcode by opcode.
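As an illustration of the mode difference described above, here is a small constructed Python model (added here; it is not bobalkkagi's code) of the rip check: the hook addresses and DLL mapping are made-up sample values, and the result shows why fast mode cannot reveal calls to APIs that have no hook yet.

```python
from bisect import bisect_right

# Fast mode compares rip only against a 32-byte (0x20) window per hooked API.
HOOK_WINDOW = 0x20


class RipCheck:
    """Models which rip values each mode intercepts (constructed model, not bobalkkagi's code)."""

    def __init__(self, api_hooks, dll_maps, mode="f"):
        self.api_hooks = api_hooks          # hooked API name -> stub address inside a mapped DLL
        self.mode = mode                    # 'f' fast, 'b' hook_block, 'c' hook_code
        self.ranges = sorted(dll_maps)      # (base, size) of every DLL mapped into the emulator
        self.starts = [base for base, _ in self.ranges]

    def in_mapped_dll(self, rip):
        """True if rip lies inside any mapped DLL (the large range block/code modes compare against)."""
        i = bisect_right(self.starts, rip) - 1
        if i < 0:
            return False
        base, size = self.ranges[i]
        return base <= rip < base + size

    def hooked_api(self, rip):
        """Name of the hooked API whose 0x20-byte window contains rip, else None."""
        for name, addr in self.api_hooks.items():
            if addr <= rip < addr + HOOK_WINDOW:
                return name
        return None

    def check(self, rip, block_start):
        """Return ("hooked", api), ("unhandled", None) for a DLL call with no hook, or None."""
        if self.mode == "f":
            # Fast mode watches only the hook windows, so a call to an API without a
            # hook is never seen; that is why it cannot help when hooks are missing.
            name = self.hooked_api(rip)
            return ("hooked", name) if name else None
        if self.mode == "b" and not block_start:
            return None  # block mode fires once per block (call/jmp target), not per opcode
        if not self.in_mapped_dll(rip):
            return None  # still executing the packed binary itself
        name = self.hooked_api(rip)
        return ("hooked", name) if name else ("unhandled", None)
```

An ("unhandled", None) result in hook_block or hook_code mode is the signal that a hook_api function is missing for that address.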

verbose


verbose shows the DLLs loaded into memory; we will update it to turn hooked API call info on and off.

dllPath


dllPath is the directory containing the DLLs to load into memory. The DLLs differ between Windows versions, so this tool may not work with your own Windows DLL path (C:\Windows\System32).

oep


oep is the option to find the original entry point. If you turn this option off, you can emulate the program after the OEP (fast mode can't do this; it works in hook_block and hook_code modes).

debugger


If you want to unpack another protector or a different version of Themida, you need to add the necessary hook_api functions (anti-debugging, handles, syscalls). You can analyze the protected program in hook_code or hook_block mode (more detail at https://github.com/unicorn-engine/unicorn) with the debugger option (works only in hook_code mode!).

Project details


Download files


Source Distribution

bobalkkagi-0.2.1.tar.gz (7.9 MB, Source)

Built Distribution


bobalkkagi-0.2.1-py3-none-any.whl (7.9 MB, Python 3)

File details

Details for the file bobalkkagi-0.2.1.tar.gz.

File metadata

  • Download URL: bobalkkagi-0.2.1.tar.gz
  • Size: 7.9 MB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: poetry/1.3.0 CPython/3.10.9 Windows/10

File hashes

Hashes for bobalkkagi-0.2.1.tar.gz
Algorithm    Hash digest
SHA256       8d8886c45fda957e05c93a13ad5d0723e29f0d71c22d2f5ccdff5497b32ff976
MD5          e011fe34eab2a22ae6fee7eb28133921
BLAKE2b-256  2d0ad1f73fab3e7e1cbf32b75c1768eb3fa27bf17e4ae8f42019fd210d4e52d4


File details

Details for the file bobalkkagi-0.2.1-py3-none-any.whl.

File metadata

  • Download URL: bobalkkagi-0.2.1-py3-none-any.whl
  • Size: 7.9 MB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? No
  • Uploaded via: poetry/1.3.0 CPython/3.10.9 Windows/10

File hashes

Hashes for bobalkkagi-0.2.1-py3-none-any.whl
Algorithm    Hash digest
SHA256       436c152c2349821ed2c59f38b03fe1c2855d9d825418e0c712ab4f6229412842
MD5          c9aebd1ef5c0594a73c2c95ea0c361e8
BLAKE2b-256  8713e269cd714da85107e2a1f0410c51375909c2a6677e0b12b1b0734977dc1f

