
Thinstall Consult?


FrankRizzo
August 26th, 2011, 00:16
OK guys, I need a consult.

Any of you ever worked on a Thinstall target? (JMI, YES I've read all the threads concerning it here, even the one with you giving "helpful guidance" to someone else)

I have one that seems to be of the "single process" type, as there doesn't seem to be another process running, just the MAIN one. Also, unlike most (all?) of the others, this one has the weird embedded filesystem populated with files used by the application. I've found the place where they're pulled out, and I've dumped them from memory, but they don't disassemble very well.

Does anyone know if they're mangled?


I've found the place where it nicely tells you that it's calling the application, and then proceeds to do a far call to an address on the stack. This address seems to be too far away to be a valid OEP for the application. (Granted, I'm not the king of identifying .NET application OEPs, but this one looks weird).

So, I've tried dumping it, and get something that I can look at enough to tell it's been Dotfuscated. Problem being, it's "Not a valid win32 application", so I can't deobfuscate it. Yes, there are 100 unpacker scripts, and I've tried MOST of them. Even the tutorials on how to DIY, and I'm still getting nowhere.

So I guess the BIG question. Does anyone know anything about this thing?

Thanks!
FF

FrankRizzo
August 26th, 2011, 22:50
OK, further info, it appears to be Thinstall V 2.705. Which is nice, as there are no tuts on this version, and the tools/scripts for previous versions fail, as do the scripts for the later versions.

Some pics of what I'm talking about:

[attachment 2475: screenshot]

This is the normal breakpoint where you can see the call to the OEP.

But, when you get there, the address that it's calling looks weird. (Is this a trick?)

[attachment 2476: screenshot]

And stepping into this location yields this:

[attachment 2477: screenshot]

I understand that this possibly COULD be the OEP, but my dump using it as such doesn't work. (Invalid win32 application).

5aLIVE
August 29th, 2011, 02:50
Hi Frank,
There's a little unpack tool that goes by the name of unThinstall by vcasm which would at least let you compare your dumps to the tools. You can grab the file from http://bbs.pediy.com/upload/file/2005/1/unthinstall.rar_594.rar.

Be aware though that the tool seems to have a problem with .NET programs.

MrAnonymous on the Exetools forum posted:
Quote:

did you test this with .NET linked exes / should it work with them? I tested it on one; it gives no error and makes the dump file, but at the end you're still left with an EP in the Thinstall loader code. In this case running it seemed to be the setup program for the application.

See the link reference http://forum.exetools.com/showthread.php?t=6306&langid=13 here for more details. Maybe you too are looking at an app with the "Hide EXE contents" option enabled?

I also seem to remember reading that Thinstall files are temporarily written to file and can be got that way.
I'll see if I can find the source of this information for you and post back.

I hope this is of some help to you. I know nothing of .NET apps so I can't help you there, but I do know there are a lot of tools, info and knowledgeable folks out there that should help you on your way.

PS. CFFexplorer supports .NET PE structures which could be helpful for you to get an understanding of the format.

Cheers,
5aLIVe.

I also found this little gem which might do the trick:
http://hashem20.persiangig.com/crack%20tools/Thinstall%20Extractor.rar
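An added example, not from the thread, from unThinstall, or from any tool named above, that covers the two practical questions raised so far: why a memory dump comes back as "Not a valid win32 application", and how to tell whether a candidate OEP even lies inside the target image. It parses the DOS/NT headers and section table with nothing but `struct`, reports whether the entry point and the CLR data directory (the .NET marker that CFF Explorer shows) fall inside a section, checks whether the section table still carries on-disk raw offsets while the bytes are laid out at virtual addresses (the usual reason a raw dump will not load), and applies the standard "raw = virtual" section rebuild. The PE32 image it runs against is constructed inline and is not a real Thinstall target; the field offsets are from the PE specification, and the section-layout fix is the generic dump-rebuild trick, not anything specific to Thinstall's loader.

```python
"""Added example (not from the thread): header sanity checks for a PE dumped
from memory, plus the classic "raw = virtual" section rebuild.
Pure stdlib; PE32 (32-bit) images only."""
import struct

CLR_DIR = 14  # IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR: non-zero RVA => .NET image


def parse_pe(data):
    """Parse DOS/NT headers and the section table; raise ValueError on the
    kinds of damage that make Windows say 'not a valid Win32 application'."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature at e_lfanew")
    coff = e_lfanew + 4
    _, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("not a PE32 optional header")
    entry = struct.unpack_from("<I", data, opt + 16)[0]          # AddressOfEntryPoint
    base = struct.unpack_from("<I", data, opt + 28)[0]           # ImageBase
    size_of_image = struct.unpack_from("<I", data, opt + 56)[0]
    ndirs = struct.unpack_from("<I", data, opt + 92)[0]
    dirs = [struct.unpack_from("<II", data, opt + 96 + 8 * i) for i in range(ndirs)]
    secs = []
    for i in range(nsec):
        off = opt + opt_size + 40 * i
        vsize, va, rsize, raw = struct.unpack_from("<IIII", data, off + 8)
        secs.append({"name": data[off:off + 8].rstrip(b"\0").decode("ascii", "replace"),
                     "vsize": vsize, "va": va, "rsize": rsize, "raw": raw, "hdr_off": off})
    return {"entry": entry, "base": base, "size_of_image": size_of_image,
            "dirs": dirs, "secs": secs}


def section_for_rva(pe, rva):
    """Name of the section containing an RVA, or None."""
    for s in pe["secs"]:
        if s["va"] <= rva < s["va"] + max(s["vsize"], s["rsize"]):
            return s["name"]
    return None


def locate_va(data, va):
    """Section holding a virtual address, or None if it lies outside the image.
    A candidate OEP outside ImageBase..ImageBase+SizeOfImage belongs to some
    other module (a loader or runtime DLL), not to the application itself."""
    pe = parse_pe(data)
    if not pe["base"] <= va < pe["base"] + pe["size_of_image"]:
        return None
    return section_for_rva(pe, va - pe["base"])


def check_dump(data):
    """Quick health report for a dumped file."""
    pe = parse_pe(data)
    clr_rva, _ = pe["dirs"][CLR_DIR] if len(pe["dirs"]) > CLR_DIR else (0, 0)
    return {
        "entry_in_section": section_for_rva(pe, pe["entry"]),
        "is_dotnet": clr_rva != 0 and section_for_rva(pe, clr_rva) is not None,
        "raw_within_file": all(s["raw"] + s["rsize"] <= len(data) for s in pe["secs"]),
        "raw_equals_virtual": all(s["raw"] == s["va"] for s in pe["secs"]),
    }


def fix_raw_to_virtual(data):
    """A memory dump is laid out by VirtualAddress, so point each section's
    file offset/size at its virtual offset/size (the LordPE / PE Tools style
    'raw = virtual' rebuild).  Returns a new buffer; the input is untouched."""
    pe = parse_pe(data)
    buf = bytearray(data)
    for s in pe["secs"]:
        struct.pack_into("<IIII", buf, s["hdr_off"] + 8, s["vsize"], s["va"], s["vsize"], s["va"])
    return bytes(buf)


def build_sample_dump():
    """Constructed input, not a real Thinstall target: a minimal PE32 image laid
    out as in memory (sections at RVA 0x1000/0x2000, 0x3000 bytes total) whose
    section table still carries stale on-disk raw offsets (0x400/0x600)."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    secs = [(b".text", 0x1000, 0x400), (b".sdata", 0x2000, 0x600)]  # name, VA, stale raw
    coff = struct.pack("<HHIIIHH", 0x14C, len(secs), 0, 0, 0, 0xE0, 0x0102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                          # PE32 magic
    struct.pack_into("<I", opt, 16, 0x1000)                        # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, 0x400000)                      # ImageBase
    struct.pack_into("<II", opt, 32, 0x1000, 0x200)                # Section/File alignment
    struct.pack_into("<II", opt, 56, 0x3000, 0x200)                # SizeOfImage, SizeOfHeaders
    struct.pack_into("<I", opt, 92, 16)                            # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8 * CLR_DIR, 0x2000, 0x48)   # CLR header directory
    table = b"".join(n.ljust(8, b"\0") +
                     struct.pack("<IIIIIIHHI", 0x1000, va, 0x1000, raw, 0, 0, 0, 0, 0x60000020)
                     for n, va, raw in secs)
    image = bytearray(0x3000)
    hdr = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table
    image[:len(hdr)] = hdr
    image[0x1000:0x1003] = b"\x55\x8b\xec"                         # placeholder code at the EP
    struct.pack_into("<I", image, 0x2000, 0x48)                    # CLR header 'cb' field
    return bytes(image)


if __name__ == "__main__":
    dump = build_sample_dump()
    print("before:", check_dump(dump))
    print("after: ", check_dump(fix_raw_to_virtual(dump)))
    print("0x401000 ->", locate_va(dump, 0x401000), "; 0x7C801000 ->", locate_va(dump, 0x7C801000))
```

Run it as-is to see the report flip from `raw_equals_virtual: False` to `True` after the rebuild; point `check_dump` and `locate_va` at your own dump (and the address shown in the far call) to see whether the headers are the problem or whether the address simply isn't inside the target image. This only fixes the section table; imports, the .NET metadata directory and anything the loader decrypted in place still have to be checked separately.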

5aLIVE
September 10th, 2011, 02:39
Have you made any headway with this one?