
Unpacking Themida 2.0.3


Omnomnom
March 8th, 2009, 05:43
Hi,

My target is a VB executable packed with Themida (presumably version 2.0.3).

I deduced it was Themida based on the following information:
PEiD revealed nothing (other than a packed entropy).
RDG (on M-A mode) detected "Themida (PE Hide Type 1)"
While tracing through some of the decryption/decompression I noted a large string equivalent to 'Themida Professional by Oreans Software'.
int3 opcode in first code block.
Numerous SEHs littered throughout the code.
RDTSCs littered throughout the code.

I've tried a few scripts written for older versions (of Themida) to no avail.

I'm not very experienced with unpacking, though have done a few basic unpackmes.

I can attach to the process, but as soon as I resume the process it kills itself.

I was wondering if anyone could point me in the direction of a generic unpacker/script/tutorial for MUPing this version of Themida.

Cheers.

OHPen
March 8th, 2009, 05:51
My advice: Forget it!!!
You are far away from unpacking it.

Regards,
OHPen

quosego
March 8th, 2009, 17:16
Dunno, if you've got at least some experience and some stamina you might be able to do it. VB isn't that hard Themida-wise. Let's hope it doesn't have any macros though, and you might have some luck.

As far as I know LCF_AT, Nooby & computer angel released a script for this version. There are some other tuts around as well.. try tuts4you.

rendari
March 8th, 2009, 19:47
Themida on VB is a piece of cake. Just take any tutorial and follow it. I think LCF-AT wrote one on how to solve VB unpackmes.

OHPen
March 13th, 2009, 10:38
@rendari: It is pretty strange that you call Themida a "piece of cake". It is one of the longest unbroken protections out there, until the first people managed to unpack it. And yet it is still a very strong protection if the user of Themida is using all features like code virtualization and so on.
A protection is not a "piece of cake" if there is a script which is able to unpack a certain version of it with the minimal set of protection options applied...

think about it

regards,
OHPen

quosego
March 13th, 2009, 15:59
Imho I agree with rendari, Themida is a piece of cake on VB.. It usually is only the packer.

Strong? Dunno, it's still pretty good. But with the latest successful attacks Themida ain't what it used to be.

rendari
March 13th, 2009, 23:17
OHPen,

I never said Themida was a piece of cake in general. I agree that it can be difficult at times if the VM is enabled. However, with a VB6 target the only thing that can possibly be VM'd is the entrypoint, and that is only two instructions!! (push/call). Fixing imports is easy, fixing entrypoint is easy (2 instructions!!) and that is all that Themida changes. So I stand by what I said, Themida is a piece of cake with VB.

Now on a C++ app where the reg routine is in the RISC VM, now that is a pain in the ass >.<

-rendari
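The "two instructions" rendari refers to are the standard VB6 entry point, `push offset VBHeader` followed by `call ThunRTMain` (in the file the call lands on a `jmp dword ptr [IAT slot]` thunk), and the VB header itself starts with the marker "VB5!". The script below is an added example, not code from the thread or from any of the scripts mentioned in it. It shows how a practitioner would locate that header in a flat memory dump, find the original stub if the packer left it alone, and rebuild the stub when it has been virtualized. It assumes a flat dump of the image taken at a known base (0x400000 here), uses a constructed sample dump rather than a real target, and the helper and variable names are its own.

```python
import struct
from typing import List, Optional

IMAGE_BASE = 0x400000          # assumption: flat dump starting at this virtual address
VB_SIGNATURE = b"VB5!"         # first four bytes of the VB5/VB6 runtime header


def find_vb_header(dump: bytes, base: int = IMAGE_BASE) -> Optional[int]:
    """Return the VA of the VB header ("VB5!" marker) in a flat dump, or None."""
    off = dump.find(VB_SIGNATURE)
    return None if off < 0 else base + off


def find_ep_stub(dump: bytes, header_va: int, base: int = IMAGE_BASE) -> Optional[int]:
    """Locate the original VB6 OEP: push <header_va>; call rel32 -> jmp dword ptr [iat].

    Only a push whose immediate is the header VA *and* whose following call
    lands on an FF 25 thunk counts; a stray push of the same value is skipped.
    """
    needle = b"\x68" + struct.pack("<I", header_va)          # push imm32
    off = dump.find(needle)
    while off >= 0:
        if dump[off + 5:off + 6] == b"\xe8" and len(dump) >= off + 10:
            rel = struct.unpack("<i", dump[off + 6:off + 10])[0]
            target_off = (off + 10 + rel)                     # call target, relative to base
            if target_off >= 0 and dump[target_off:target_off + 2] == b"\xff\x25":
                return base + off
        off = dump.find(needle, off + 1)
    return None


def build_ep_stub(ep_va: int, header_va: int, thunk_va: int) -> bytes:
    """Rebuild the two-instruction VB6 entry point at ep_va.

    Used when the packer has virtualized the original push/call and the dump
    only contains the VB header and the ThunRTMain import thunk.
    """
    rel = thunk_va - (ep_va + 10)                             # rel32 from end of the call
    return b"\x68" + struct.pack("<I", header_va) + b"\xe8" + struct.pack("<i", rel)


def describe_stub(stub: bytes, ep_va: int) -> List[str]:
    """Decode a rebuilt stub back into readable form for a sanity check."""
    header_va = struct.unpack("<I", stub[1:5])[0]
    rel = struct.unpack("<i", stub[6:10])[0]
    return [f"push 0x{header_va:06x}", f"call 0x{ep_va + 10 + rel:06x}"]


def build_sample_dump(include_stub: bool = True) -> bytes:
    """Constructed sample dump (not a real binary): header, decoy push, thunk, optional stub."""
    img = bytearray(0x3000)
    img[0x1000:0x1008] = b"VB5!6&*\x00"                       # VB header at 0x401000
    img[0x1050:0x1056] = b"\x68" + struct.pack("<I", 0x401000) + b"\x90"   # decoy: push, no call
    img[0x1200:0x1206] = b"\xff\x25" + struct.pack("<I", 0x402010)         # jmp dword ptr [IAT]
    if include_stub:
        img[0x1100:0x110a] = build_ep_stub(0x401100, 0x401000, 0x401200)
    return bytes(img)


if __name__ == "__main__":
    intact = build_sample_dump()
    hdr = find_vb_header(intact)
    print(f"VB header at 0x{hdr:06x}, OEP at 0x{find_ep_stub(intact, hdr):06x}")
    stripped = build_sample_dump(include_stub=False)
    if find_ep_stub(stripped, hdr) is None:
        stub = build_ep_stub(0x401100, hdr, 0x401200)
        print("stub removed; rebuilt:", describe_stub(stub, 0x401100))
```

On a real dump the thunk address comes from the rebuilt import table (the IAT slot that resolves to MSVBVM60.ThunRTMain), and the rebuilt stub is written at whatever free VA you choose as the new entry point before patching the PE header.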

OHPen
March 15th, 2009, 17:30
@rendari: Ok, maybe limited to VB applications Themida is easy to break. Didn't know that only the EP can be virtualized. But regarding the p-code thingy it sounds reasonable.
But Themida on native applications, for example those written in C/C++, is still hard to manage.

Regards,
OHPen