Issue Description
When unpacking a Themida-protected executable, the program crashes after the following instruction:
00007FF84E8B259F | 48:FF15 BA380700 | call qword ptr ds:[]
Stepping from this instruction to the next causes a crash. This behavior is observed during the unpacking process with x64dbg and Scylla.
Observed Behavior
- The crash occurs when stepping from:
00007FF84E8B259F | 48:FF15 BA380700 | call qword ptr ds:[]
to:
00007FF84E8B25A6 | 0F1F4400 00 | nop dword ptr ds:[rax+rax],eax
- The executable becomes unusable after unpacking.
Detailed Analysis and Context
The breakpoint is hit at the entry point:
000000014014D20C | 48:895C24 18 | mov qword ptr ss:[rsp+18],rbx
Following is the relevant code flow:
000000014014D20C | 48:895C24 18 | mov qword ptr ss:[rsp+18],rbx
000000014014D211 | 55 | push rbp
000000014014D212 | 48:8BEC | mov rbp,rsp
...
000000014014D295 | 48:3BC3 | cmp rax,rbx
000000014014D298 | 48:0F44C1 | cmove rax,rcx
000000014014D29C | 48:8905 DDDD0500 | mov qword ptr ds:[1401AB080],rax
The crash happens when stepping from:
00007FF84E8B259F | 48:FF15 BA380700 | call qword ptr ds:[]
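The `ds:[]` operand in the dump above is a RIP-relative memory reference whose address x64dbg left blank, so it is not obvious which pointer slot the `call` reads its target from. As an added example that is not part of the original report, the Python below resolves that slot from the instruction's own bytes (address of the next instruction plus the signed disp32), and checks the method against the `mov ... ds:[1401AB080]` line above, which the debugger did resolve; the decoder only handles the REX/0F encodings that appear in this dump and is an assumption, not an x64dbg feature.

```python
import struct

MASK64 = 0xFFFFFFFFFFFFFFFF
LEGACY_PREFIXES = {0x26, 0x2E, 0x36, 0x3E, 0x64, 0x65, 0x66, 0x67, 0xF0, 0xF2, 0xF3}


def parse_dump_line(line: str):
    """Split an x64dbg 'ADDR | BYTES | MNEMONIC' row into (int address, bytes, mnemonic).
    The byte column may contain ':' (prefix separator) and spaces, e.g. '48:FF15 BA380700'."""
    addr_s, bytes_s, mnemonic = (p.strip() for p in line.split("|", 2))
    raw = bytes.fromhex(bytes_s.replace(":", "").replace(" ", ""))
    return int(addr_s, 16), raw, mnemonic


def modrm_index(insn: bytes) -> int:
    """Index of the ModRM byte: skip legacy prefixes, one REX byte (0x40-0x4F),
    the primary opcode, and the 0x0F two-byte escape. (Assumes no VEX/3-byte opcodes.)"""
    i = 0
    while insn[i] in LEGACY_PREFIXES:
        i += 1
    if 0x40 <= insn[i] <= 0x4F:
        i += 1
    i += 1                      # primary opcode byte
    if insn[i - 1] == 0x0F:
        i += 1                  # second opcode byte of a 0F xx instruction
    return i


def rip_relative_operand(address: int, insn: bytes) -> int:
    """Absolute address of a RIP-relative memory operand.
    x86-64 encodes it as ModRM mod=00 rm=101 followed by a signed disp32; the
    effective address is RIP (address of the *next* instruction) + disp32."""
    m = modrm_index(insn)
    mod, rm = insn[m] >> 6, insn[m] & 7
    if mod != 0 or rm != 5:
        raise ValueError("operand is not RIP-relative")
    disp = struct.unpack_from("<i", insn, m + 1)[0]
    return (address + len(insn) + disp) & MASK64


def resolve_dump_line(line: str) -> int:
    """Convenience wrapper: dump row in, resolved operand address out."""
    address, insn, _ = parse_dump_line(line)
    return rip_relative_operand(address, insn)


# Rows taken from the report above: the blank-operand call and the resolved mov.
CALL_ROW = "00007FF84E8B259F | 48:FF15 BA380700 | call qword ptr ds:[]"
MOV_ROW = "000000014014D29C | 48:8905 DDDD0500 | mov qword ptr ds:[1401AB080],rax"

if __name__ == "__main__":
    for row in (CALL_ROW, MOV_ROW):
        print(f"{row.split('|')[2].strip():40s} -> ds:[{resolve_dump_line(row):016X}]")
```

Dumping the qword at the resolved slot (or setting a hardware read breakpoint on it) shows which import the call actually dispatches to, which is how the `RtlExitUserThread` target can be confirmed rather than inferred.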
Possible Causes
- Anti-debugging or anti-tamper mechanisms by Themida.
- Corrupted stack or registers due to improper unpacking.
- Unresolved imports or integrity checks in the unpacked executable.
Troubleshooting Steps Taken
- Enabled ScyllaHide in x64dbg to bypass anti-debug checks.
- Nopped the suspicious call to RtlExitUserThread, which prevents the crash but affects execution flow.
- Rebuilt the Import Address Table (IAT) using Scylla, but the issue persists.
Expected Behavior
The executable should continue execution normally after the entry point and not crash at the call to RtlExitUserThread.
Environment
- Debugger: x64dbg with Scylla and ScyllaHide
- Protector: Themida 3.x
- Operating System: Windows 11
- Processor Architecture: x64
Request for Assistance
Looking for guidance on:
- Properly bypassing or patching the anti-debugging mechanism.
- Ensuring integrity checks are bypassed or satisfied.
- Any alternative unpacking methods for Themida.