In this tutorial we will use first way. That is actually the most hardest one because target can have large number of files packed within.
For example, what if our target have DLL's packed inside, Now you see the problem. We could spend days or weeks extracting those files. Ofcourse, better examning inside Thinstall work could result a smart unpacker tool that would be able to extract all files. As said before, we will unpack Teddy's unpackme which has three dependencies.
It will not be too hard. First that I noticed is, that target can be just patched after LoadLibraryA and unpackme will run fine cracked without need of those DLL's. But that is lame thing because our target is dummy application that doesn't needs those files. In case that we have "reall" app, our file would just crush.
Fix imports like I described it in first tutorial second way in that tutorial is better and cleaner, it is even easier.
And you will have main dump. So this is OEP: B0. API's that are replaced are all those what executable uses for accessing outside files and libraries. If our file wants to open some file, Thisntall will check is that file bundled as a virtual file. It just compares name of that file with internal list. If file is bundled, it will allocate block for it, extract it and return it's handle to main exe. If file is not bundled, then it will use acctuall API to open that file.
In case of our DLL, Thinstall will extract it to ome virtual block, then fill it with imports and return it's block base as module handle. There are several problems that we have while traying to dump these DLL's.
Dumping is easy. We use LordPE to dump that memory block. But we need to repair those DLL's and that is interesting part. We place breakpoint on fbf line and we just run.
Now we just use LordPE to dump memory range at , size Note that this library will probably be loaded at different base. It can be without. We can check now our first dumped dll withth LordPE. You will see that this is just resource dll with two sections. Dll can be loaded in memory and we dumped first file, but if our target is not just dummy one, we still would have problem.
It is because file on disk have image alignment like in memory but in PE header is information for file alignment. When I started Nlite and chose the folder, after Nlite did its thing, it showed "arabic" as the language instead of English.
Thanks so much. I would love to get going on this. Spent hours combing the net and these forums for answers. So its a clean install with the necessary drivers. On behalf of all the regular posters here at HTG, I'd like to extend my sincere apologies that you didn't get an answer in the requisite amount of time before becoming "very disappointed". Unfortunately, due the amount of threads on this forum and the small amount of regular posters it is not possible for all the questions to be answered within 1 day or even a few days in some cases.
I agree it is a little disappointing when a thread isn't answered within a day though but that is how things work. To answer your question you can use a program like 7-Zip to extract files from exe archives. Here is how with 7-Zip: 1.
Open 7-Zip and browse to the folder containing the exe. Right click on the exe file and click "Open Inside". Mark Forums Read. Thinstall unpacking Hi all, are the any tutorials or other informations about unpacking a thinstall-packed program out there? You have a target I can try?
Join Date: Sep Posts: Rept. Given: 0 Rept. Find all posts by peleon. N0P Friend. I'd add multiple sandboxes, but I can't find a way to change the stored data folder on real-time. Maybe a external program that runs before Thinstall loads itself and renames any folder to ThinData, and then renames it back again after finishing would do the trick, but then you would be able to run one sandbox at once. I'm looking at the scripting functions, but I still have to figure out how to run them from AutoIt.
Another thing is, standard autoit icon? About the actual direction of the project, instead of aiming this toward your exe being used as a launch platform, why not make it a sort of use on runtime sort of thing. You should make it so that after running it the first time, it saves it's run settings the exe it runs with in an INI file, that way you can seamlessly use the ThinLoader exe instead of the app's from that point out.
Alternatively, you could fall back to using only an INI file to choose the exe, this would reduce space in the autoit exe If you want to do it this way, you should focus a lot of your attention towards minimizing the exe's size and memory footprint. In autoit, make sure you use the "Highest" level of UPX compression and remove all unnecessary code. Hurray for difficult to understand posts, sorry I was in a rush. I read that in the code, I guess I just wasn't quite getting it.
Honestly, I think it's pretty solid as is. The only thing I'd do code wise is create a function that handles the FileOpenDialog lines, so that code isn't repeated so much
0コメント