ARTeam Tutorial

Visit: http://cracking.accessroot.com | http://forum.accessroot.com

Unpacking Thinstall (Single Layer)

Information: Unpacking Thinstall (Single Layer)
Target: Hackman Hex Editor v8.02
Available: http://intechhosting.com/~access/ARTeam/tools/hack802.zip
Tools: OllyDbg 1.10, ImpREC, LordPE, Hide Debugger 1.2
Protection: Thinstall (Single Layer)
Level: Beginner to Intermediate
Category: Unpacking
Author(s): MaDMAn_H3rCuL3s, June 2005
Requirements: Windows XP, IE 5.5 and above for best viewing


1. Introduction

The remaining sections of this tutorial are:
1. Introduction.
2. Finding OEP, Dumping.
3. Fixing Imports, Anti-Dump, & Running.
4. Conclusion.

Well.... I am here again.. with a pretty straightforward tutorial on the subject of Thinstall.. While it is not so commonly used at all... I think this is the first time I have seen it used on a commercial application.  This specific target is pretty simple to unpack, and crack.. (which is not covered here).  The author only decided to use the "Single Process" option.. if there is such a thing.  I have seen a crackme that used 2 processes, which posed a sort of different threat.. but wasn't that hard after all :).  Here's a few things that Thinstall does to our target application:

1. Take note of the file structure.  There are only 2 sections..

    A. PE HEADER

    B. Code, Resource.

2. You enter the Thinstall portion of the application by executing a JMP EAX.

3. Which in turn decrypts the real code section.

4. Then Thinstall calls the OEP after decryption is completed.
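As an added example (not part of the original tutorial, and not Thinstall's or the Hackman binary's own code), here is a small Python parser that reads a PE header, lists its sections, reports which section holds the entry point and whether that section is both writable and executable, and converts a virtual address such as the OEP 00411D68 to the RVA that ImpREC expects. The PE bytes are constructed inline; the section names, the packed entry RVA and the image base of 00400000 are assumptions, and the code section is assumed writable because the stub decrypts the real code in place.

```python
import struct

# Section characteristic flags from the PE specification.
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def build_sample_pe():
    """Construct a minimal PE32 header with two sections (constructed sample,
    not the real Hackman binary): a small first section and one large
    read/write/execute section holding both the stub entry point and the real
    code, mirroring the two-section layout described in the tutorial."""
    image_base = 0x00400000            # assumed image base
    entry_rva = 0x0001A000             # assumed packed entry point (the stub)
    # (name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, Characteristics)
    sections = [
        (b".hdr", 0x1000, 0x1000, 0x200, 0x400,
         IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ),
        (b".code", 0x20000, 0x2000, 0x20000, 0x600,
         IMAGE_SCN_CNT_CODE | IMAGE_SCN_CNT_INITIALIZED_DATA
         | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
    ]
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)       # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x0102)
    opt = struct.pack("<HBBIIIIIIIII", 0x10B, 0, 0, 0, 0, 0,
                      entry_rva, 0, 0, image_base, 0x1000, 0x200)
    opt += b"\0" * (224 - len(opt))                          # rest of the optional header
    hdrs = b"".join(struct.pack("<8sIIIIIIHHI", n, vs, va, rs, rp, 0, 0, 0, 0, ch)
                    for n, vs, va, rs, rp, ch in sections)
    return dos + b"PE\0\0" + coff + opt + hdrs


def parse_pe(data):
    """Walk DOS header -> PE signature -> COFF header -> optional header -> section table."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff_off = e_lfanew + 4
    _machine, nsec, _ts, _psym, _nsym, opt_size, _chars = struct.unpack_from("<HHIIIHH", data, coff_off)
    opt_off = coff_off + 20
    if struct.unpack_from("<H", data, opt_off)[0] != 0x10B:
        raise ValueError("only PE32 optional headers are handled here")
    entry_rva = struct.unpack_from("<I", data, opt_off + 16)[0]   # AddressOfEntryPoint
    image_base = struct.unpack_from("<I", data, opt_off + 28)[0]  # ImageBase
    sections = []
    for i in range(nsec):
        n, vs, va, rs, rp, _r, _l, _nr, _nl, ch = struct.unpack_from(
            "<8sIIIIIIHHI", data, opt_off + opt_size + 40 * i)
        sections.append({"name": n.rstrip(b"\0").decode("ascii", "replace"),
                         "virtual_size": vs, "virtual_address": va,
                         "raw_size": rs, "raw_pointer": rp, "characteristics": ch})
    return {"entry_rva": entry_rva, "image_base": image_base, "sections": sections}


def section_for_rva(sections, rva):
    """Return the section whose virtual range contains rva, or None."""
    for s in sections:
        size = max(s["virtual_size"], s["raw_size"])
        if s["virtual_address"] <= rva < s["virtual_address"] + size:
            return s
    return None


def rva_to_file_offset(sections, rva):
    """Map an RVA to the raw file offset of the dump (None if unmapped)."""
    s = section_for_rva(sections, rva)
    return None if s is None else rva - s["virtual_address"] + s["raw_pointer"]


def va_to_rva(va, image_base):
    """ImpREC wants the OEP as an RVA: 00411D68 - 00400000 = 11D68."""
    return va - image_base


def summarize(data):
    """Flag the two packer tells the tutorial points at: very few sections,
    and an entry point inside a section that is both writable and executable."""
    info = parse_pe(data)
    sec = section_for_rva(info["sections"], info["entry_rva"])
    wx_mask = IMAGE_SCN_MEM_WRITE | IMAGE_SCN_MEM_EXECUTE
    return {
        "section_count": len(info["sections"]),
        "few_sections": len(info["sections"]) <= 2,
        "entry_rva": info["entry_rva"],
        "entry_section": None if sec is None else sec["name"],
        "entry_section_wx": sec is not None and (sec["characteristics"] & wx_mask) == wx_mask,
    }


if __name__ == "__main__":
    sample = build_sample_pe()
    for k, v in summarize(sample).items():
        print(f"{k}: {v:#x}" if isinstance(v, int) and not isinstance(v, bool) else f"{k}: {v}")
    print(f"OEP RVA for ImpREC: {va_to_rva(0x00411D68, parse_pe(sample)['image_base']):#x}")
```

To use it on a real dump, pass the file's bytes to `summarize` instead of the constructed sample. Two sections with the entry point sitting in a read/write/execute section is exactly the shape the tutorial describes, and is the kind of cheap header heuristic a triage script can raise before anyone opens a debugger.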

This is about the sum of it all.  There is almost no room to inline patch the app itself.. I thought I had found a way, until I tried to add more than about 10 bytes.  But I was successful in redirecting it to the header, then returning.  So I guess that stands for something.

Anyways.. on with the show......



2. Finding OEP & Dumping.

Okay all.. we start like normal.. at the EP of the protection.

First we will remove analysis on this...  By right-clicking, then selecting "Analysis - Remove analysis from module".

Then you should see shit like this:

Well this still looks like ass, but a lot better than unrecognized code.

So this tutorial will be as easy as 1,2,3... :)

Unlike others I wrote...

So to get as close as we can to the OEP.... set a BP on GetEnvironmentVariableA in your command box (bp GetEnvironmentVariableA).

Now hit F9 to run it, once you enable the BP.


You should land here:

This is not what we are interested in though..

Look in your stack and you'll see why :)

See that?

TS_LOADER = ThinStall_Loader

So we are close to loading the real app...

Hit F9 again...

Now we are almost at the OEP :)

So Hit F9 again:

Now if we hit CTRL+F9 (execute till return) we will eventually get there.. but this way is much faster...

So hit ALT+F9 (execute till user code)..

Now scroll down a bit until you see this:

Yes, it really is that obvious...  This is the call to the OEP... So just set a BP on this call.

Don't forget to remove our BP on GetEnvironmentVariableA, then hit F9..

See, we now know the OEP is 00411D68 :)

So hit F7 and you'll see our real exe.

So there you have it..

Now just dump with OllyDump (not LordPE).  Make sure you uncheck the "Rebuild Imports" option.  Then all that's left is to rebuild it...

 



3. Fixing Imports, Anti-Dump, & Running.

Okay, where we left off, we had just found the OEP and dumped the file.. Now.. let's fix the imports...

So start up ImpREC... Now this is probably the easiest objective of all of them.. :)

Then enter in our details like usual...

Enter the OEP, then click the "IAT Autosearch" button.

Now click the "Get Imports" button...

Then click the "Show Invalid" button...

Then right-click - "Cut thunks".

Now we are left with a clean table.. :)

Now just attach the table to our dumped file.. :)

That's it for the imports part...

Now on to the Anti-Dump ....

To see what I am talking about, please run the rebuilt exe now.. What happens?

Seems the exe isn't valid anymore.. Well, this is an easy fix also..

Just use LordPE and rebuild the dumped file..

Yup.. that's all. :)

Now click the "Rebuild PE" button and select our dumped file...

Then click "OK"..

Now we are ready to run the app.. :)

So go ahead and run it...

BUT...... before you do... the app has yet another trick in its arsenal....  If you run the exe.. you will hang on a caption about updating the exe...

The reason is that it actually is updating the exe... But it's updating the original Hackman.exe to what we have now... So our original will become unpacked in the process.. which really doesn't matter at all... But just so you know why it is going to hang.. if you don't want to rename it.. then run the dumped file, and after a few seconds... kill it.. then... the original hackman.exe is unpacked :)

So go ahead (for the scope of this tutorial) and run the unpacked exe...

Now go ahead and kill it.  Then if you want you can look at the original exe and see how it's unpacked.. but I won't go there... Believe me, it is :)  But just to be safe, go ahead and save the original exe somewhere else... then rename our unpacked file to HackMan.exe.. and run it...

(CUT to conserve space)

BAM!

It runs...

Well, I hope you learned something new from this tutorial...

If you have any questions (i.e. how to crack it :)... don't hesitate to ask me on the ARTeam forum.

Until next time...

I remain MaDMAn_H3rCuL3s




4. Conclusion

Lessons Learnt

1. How to get around Thinstall, and its anti-whatever tricks.

2. That ARTeam is still your #1 source for knowledge (besides Ricardo).



5. Greetingz

[MAIN TEAM]
[Nilrem] [JDog45] [Shub-Nigurrath] [MaDMAn_H3rCuL3s] [Ferrari] [Kruger] [Teerayoot] [R@dier] [ThunderPwr] [Eggi] [EJ12N] [Stickman 373] [Bone Enterprise]

[Release Team]
[TSRH] [some 0day grps] [BriteDream] [Exetools] [CUG] [Ricardo] [SnD] [fly] [PEdiy forums] [MEPHiST0] [JohnWho] [C0n3r0n3] [ILCH]