
bobalkkagi's Introduction

TEAM Bobalkkagi

BOB11 project

Unpacking & Unwrapping & Devirtualization (not yet) of Themida 3.1.3 packed programs (Tiger red64)

API Hook

API hooking based on the win10_v1903 DLL set

How to

Install

pip install bobalkkagi

or

pip install git+https://github.com/bobalkkagi/bobalkkagi.git

Notes

Needs the default DLL folder (win10_v1903), or you can give your own DLL folder path

The win10_v1903 folder is in https://github.com/bobalkkagi/bobalkkagi

Use

NAME
    bobalkkagi

SYNOPSIS
    bobalkkagi PROTECTEDFILE <flags>

POSITIONAL ARGUMENTS
    PROTECTEDFILE
        Type: str

FLAGS
    --mode=MODE
        Type: str
        Default: 'f'
    --verbose=VERBOSE
        Type: str
        Default: 'f'
    --dllPath=DLLPATH
        Type: str
        Default: 'win10_v1903'
    --oep=OEP
        Type: str
        Default: 't'
    --debugger=DEBUGGER
        Type: str
        Default: 'f'

NOTES
    You can also use flags syntax for POSITIONAL ARGUMENTS

Option Description


Mode: f[fast], c[hook_code], b[hook_block]


Description: selects the emulation mode. We implemented the APIs needed to unpack executables protected by Themida 3.1.3.

In fast mode, rip is compared only against each hooked API function's area of size 32 (0x20) bytes; hook_block mode and hook_code mode compare rip against all mapped DLL memory (at least 0x1000000) to check for functions. Block mode emulates one block at a time (up to a call or jmp); code mode does it opcode by opcode.

verbose


verbose shows the DLLs loaded into memory; we will update it to turn hooked API call info on/off.

dllPath


dllPath is the directory containing the DLLs to load into memory. The DLLs differ between Windows versions, so this tool may not work with your own Windows DLL path (C:\Windows\System32).

oep


oep is the option to find the original entry point. If you turn this option off, you can emulate the program past the OEP (fast mode cannot do this; it works in hook_block and hook_code mode).

debugger


If you want to unpack another protector or a different version of Themida, you need to add the necessary hook_api functions (anti-debugging, handles, syscalls). You can analyze the protected program in hook_code or hook_block mode (more detail at https://github.com/unicorn-engine/unicorn) with the debugger option (works only in hook_code mode!).
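The mode descriptions above come down to one decision an emulator's code hook has to make on every instruction: is rip inside a hooked API area (fast mode looks only there), or anywhere inside a mapped DLL (hook_block / hook_code mode)? The following is an added example, not code from the bobalkkagi project, that implements that check for all three modes over sorted address ranges. The DLL bases, sizes and function addresses are constructed sample values, not the real win10_v1903 layout; the "dll_function" key style follows the tool's own tracebacks on this page.

```python
"""Added example (not part of bobalkkagi): classify an instruction pointer the
way the f / b / c emulation modes do.

  * fast ("f"): compare rip only with the 0x20-byte area at each hooked API entry.
  * block/code ("b"/"c"): additionally check rip against every mapped DLL range,
    so a landing inside DLL code that has no hook is reported instead of being
    silently emulated (that is the situation behind a missing-hook KeyError).

All addresses below are constructed sample data."""
import bisect

HOOK_AREA_SIZE = 0x20  # "size 32 (0x20)" from the mode description

# Constructed DLL map: name -> (base, size)
SAMPLE_DLLS = {
    "kernel32.dll": (0x7FF800000000, 0x100000),
    "ntdll.dll": (0x7FF900000000, 0x200000),
}

# Constructed hook table: "dll_function" -> entry address
SAMPLE_HOOKS = {
    "kernel32.dll_GetModuleHandleA": 0x7FF800001000,
    "kernel32.dll_ExitProcess": 0x7FF800002000,
    "ntdll.dll_NtQueryInformationProcess": 0x7FF900003000,
}


class RipChecker:
    """Classifies rip as hooked API, unhooked DLL code, or program code."""

    def __init__(self, dll_map, hook_funcs):
        # Sorted, non-overlapping DLL ranges for bisect lookup
        self.dll_ranges = sorted((base, base + size, name) for name, (base, size) in dll_map.items())
        self.dll_starts = [start for start, _, _ in self.dll_ranges]
        # Sorted hook entry addresses plus a reverse map back to names
        self.hook_entries = sorted(hook_funcs.values())
        self.hook_names = {addr: name for name, addr in hook_funcs.items()}

    def hooked_api(self, rip):
        """Return the hook name if rip lies in [entry, entry + HOOK_AREA_SIZE) of some hook."""
        i = bisect.bisect_right(self.hook_entries, rip) - 1
        if i < 0:
            return None
        entry = self.hook_entries[i]
        return self.hook_names[entry] if rip < entry + HOOK_AREA_SIZE else None

    def dll_containing(self, rip):
        """Return the name of the DLL whose mapped range contains rip, if any."""
        i = bisect.bisect_right(self.dll_starts, rip) - 1
        if i < 0:
            return None
        start, end, name = self.dll_ranges[i]
        return name if rip < end else None

    def classify(self, rip, mode="f"):
        """Return ("hooked", name), ("dll", dll_name) or ("program", None)."""
        if mode not in ("f", "b", "c"):
            raise ValueError("mode must be f, b or c")
        name = self.hooked_api(rip)
        if name is not None:
            return ("hooked", name)
        if mode in ("b", "c"):
            # Only block/code mode looks at the whole DLL mapping
            dll = self.dll_containing(rip)
            if dll is not None:
                return ("dll", dll)
        return ("program", None)


CHECKER = RipChecker(SAMPLE_DLLS, SAMPLE_HOOKS)


def classify_rip(rip, mode="f"):
    """Convenience wrapper over the constructed sample tables."""
    return CHECKER.classify(rip, mode)


if __name__ == "__main__":
    # 0x...1020 is one byte past the hook area: fast mode no longer sees it,
    # block/code mode still knows it is inside kernel32.dll
    for rip, mode in [(0x7FF800001010, "f"), (0x7FF800001020, "f"), (0x7FF800001020, "b")]:
        print(hex(rip), mode, classify_rip(rip, mode))
```

The fast-mode limitation described in the text shows up directly: once rip moves 0x20 bytes past a hooked entry, fast mode reports it as program code, while the b and c modes still place it inside the DLL mapping. A real hook callback would take the ("dll", name) result as the signal that a hook_api function is missing rather than indexing a dictionary with the address.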

bobalkkagi's People

Contributors

hackerhoon, p4p3r-hak, ssh9753


bobalkkagi's Issues

Traceback

Traceback (most recent call last):
  File "C:\Users\PC\AppData\Local\Programs\Python\Python310\lib\runpy.py", line 196, in _run_module_as_main
    return _run_code(code, main_globals, None,
  File "C:\Users\PC\AppData\Local\Programs\Python\Python310\lib\runpy.py", line 86, in _run_code
    exec(code, run_globals)
  File "C:\Users\PC\AppData\Local\Programs\Python\Python310\lib\site-packages\bobalkkagi\__main__.py", line 4, in <module>
    main()
  File "C:\Users\PC\AppData\Local\Programs\Python\Python310\lib\site-packages\bobalkkagi\application.py", line 14, in main
    fire.Fire(run_Bobalkkagi)
  File "C:\Users\PC\AppData\Local\Programs\Python\Python310\lib\site-packages\fire\core.py", line 141, in Fire
    component_trace = _Fire(component, args, parsed_flag_args, context, name)
  File "C:\Users\PC\AppData\Local\Programs\Python\Python310\lib\site-packages\fire\core.py", line 466, in _Fire
    component, remaining_args = _CallAndUpdateTrace(
  File "C:\Users\PC\AppData\Local\Programs\Python\Python310\lib\site-packages\fire\core.py", line 681, in _CallAndUpdateTrace
    component = fn(*varargs, **kwargs)
  File "C:\Users\PC\AppData\Local\Programs\Python\Python310\lib\site-packages\bobalkkagi\application.py", line 50, in run_Bobalkkagi
    dump, OrignalEntryPoint = unpack(protectedFile, verbose, mode, oep)
  File "C:\Users\PC\AppData\Local\Programs\Python\Python310\lib\site-packages\bobalkkagi\unpacking.py", line 214, in unpack
    PE_Loader(uc, program, GLOBAL_VAR.ImageBaseStart, oep)
  File "C:\Users\PC\AppData\Local\Programs\Python\Python310\lib\site-packages\bobalkkagi\loader.py", line 47, in PE_Loader
    sectionSize, sectionInfo = Section(uc, pe, originBase, oep)
  File "C:\Users\PC\AppData\Local\Programs\Python\Python310\lib\site-packages\bobalkkagi\loader.py", line 171, in Section
    GLOBAL_VAR.SectionInfo.append([sectionName, base + section.VirtualAddress, section.Misc_VirtualSize, PrivChange(priv)])
  File "C:\Users\PC\AppData\Local\Programs\Python\Python310\lib\site-packages\bobalkkagi\loader.py", line 151, in PrivChange
    return changeDic[privilege]
KeyError: 0

Unwrapping failed

python3 bobalkkagi protected.exe --verbose t

.....

Unwrapping Start...

Traceback (most recent call last):
  File "C:\Program Files\WindowsApps\PythonSoftwareFoundation.Python.3.10_3.10.3056.0_x64__qbz5n2kfra8p0\lib\runpy.py", line 196, in _run_module_as_main
    return _run_code(code, main_globals, None,
  File "C:\Program Files\WindowsApps\PythonSoftwareFoundation.Python.3.10_3.10.3056.0_x64__qbz5n2kfra8p0\lib\runpy.py", line 86, in _run_code
    exec(code, run_globals)
  File "C:\Users\ntquery\Desktop\bobalkkagi-master\bobalkkagi\__main__.py", line 4, in <module>
    main()
  File "C:\Users\ntquery\AppData\Local\Packages\PythonSoftwareFoundation.Python.3.10_qbz5n2kfra8p0\LocalCache\local-packages\Python310\site-packages\bobalkkagi\application.py", line 14, in main
    fire.Fire(run_Bobalkkagi)
  File "C:\Users\ntquery\AppData\Local\Packages\PythonSoftwareFoundation.Python.3.10_qbz5n2kfra8p0\LocalCache\local-packages\Python310\site-packages\fire\core.py", line 141, in Fire
    component_trace = _Fire(component, args, parsed_flag_args, context, name)
  File "C:\Users\ntquery\AppData\Local\Packages\PythonSoftwareFoundation.Python.3.10_qbz5n2kfra8p0\LocalCache\local-packages\Python310\site-packages\fire\core.py", line 466, in _Fire
    component, remaining_args = _CallAndUpdateTrace(
  File "C:\Users\ntquery\AppData\Local\Packages\PythonSoftwareFoundation.Python.3.10_qbz5n2kfra8p0\LocalCache\local-packages\Python310\site-packages\fire\core.py", line 681, in _CallAndUpdateTrace
    component = fn(*varargs, **kwargs)
  File "C:\Users\ntquery\AppData\Local\Packages\PythonSoftwareFoundation.Python.3.10_qbz5n2kfra8p0\LocalCache\local-packages\Python310\site-packages\bobalkkagi\application.py", line 51, in run_Bobalkkagi
    unwrap(dump, OrignalEntryPoint)
  File "C:\Users\ntquery\AppData\Local\Packages\PythonSoftwareFoundation.Python.3.10_qbz5n2kfra8p0\LocalCache\local-packages\Python310\site-packages\bobalkkagi\unwrapping.py", line 8, in unwrap
    unwrapping(dumps, OEP)
  File "C:\Users\ntquery\AppData\Local\Packages\PythonSoftwareFoundation.Python.3.10_qbz5n2kfra8p0\LocalCache\local-packages\Python310\site-packages\bobalkkagi\util_unwrap.py", line 592, in unwrapping
    emulate_start()
  File "C:\Users\ntquery\AppData\Local\Packages\PythonSoftwareFoundation.Python.3.10_qbz5n2kfra8p0\LocalCache\local-packages\Python310\site-packages\bobalkkagi\util_unwrap.py", line 530, in emulate_start
    uc.mem_write(0x140000000, origin_data)
  File "C:\Users\ntquery\AppData\Local\Packages\PythonSoftwareFoundation.Python.3.10_qbz5n2kfra8p0\LocalCache\local-packages\Python310\site-packages\unicorn\unicorn.py", line 586, in mem_write
    raise UcError(status)
unicorn.unicorn.UcError: Invalid memory write (UC_ERR_WRITE_UNMAPPED)

Unicorn.py ImportError: ERROR: fail to load the dynamic library.

Hello, when I'm trying to launch bobalkkagi to unpack an .exe it gives me this error:

Traceback (most recent call last):
  File "C:\Users\Dario\AppData\Local\Programs\Python\Python310-32\lib\runpy.py", line 196, in _run_module_as_main
    return _run_code(code, main_globals, None,
  File "C:\Users\Dario\AppData\Local\Programs\Python\Python310-32\lib\runpy.py", line 86, in _run_code
    exec(code, run_globals)
  File "C:\Users\Dario\AppData\Local\Programs\Python\Python310-32\Scripts\bobalkkagi.exe\__main__.py", line 4, in <module>
  File "C:\Users\Dario\AppData\Local\Programs\Python\Python310-32\lib\site-packages\bobalkkagi\application.py", line 3, in <module>
    from .unpacking import unpack
  File "C:\Users\Dario\AppData\Local\Programs\Python\Python310-32\lib\site-packages\bobalkkagi\unpacking.py", line 1, in <module>
    from unicorn import *
  File "C:\Users\Dario\AppData\Local\Programs\Python\Python310-32\lib\site-packages\unicorn\__init__.py", line 4, in <module>
    from .unicorn import Uc, uc_version, uc_arch_supported, version_bind, debug, UcError, __version__
  File "C:\Users\Dario\AppData\Local\Programs\Python\Python310-32\lib\site-packages\unicorn\unicorn.py", line 114, in <module>
    raise ImportError("ERROR: fail to load the dynamic library.")
ImportError: ERROR: fail to load the dynamic library.

Fail to unwrap ExitProcess

We use unicorn to unwrap the API, but it needs special values (gs:30 (maybe TEB, PEB), maybe the GetExitCodeProcess return value) that are not in the dump file.
So we will update the unwrap emulator (a DIY emulator using capstone or distorm3) instead of unicorn.

"KeyError at PrivChange function in loader.py module"

Hey there,

I've encountered an issue with bobalkkagi; specifically when it is trying to execute the loader.py module.
The error I'm getting is a KeyError: 0, which is thrown at the PrivChange function in the loader.py module.

Here's the output I'm receiving:

C:\Users\Administrator>bobalkkagi "C:\Users\Administrator\Desktop\test.exe" --dllPath="C:\Users\Administrator\Desktop\win10_v1903"
[2023-09-08 02:16:40.443140] Unpacking Start!

Traceback (most recent call last):
  File "c:\python39\lib\runpy.py", line 197, in _run_module_as_main
    return _run_code(code, main_globals, None,
  File "c:\python39\lib\runpy.py", line 87, in _run_code
    exec(code, run_globals)
  File "C:\Python39\Scripts\bobalkkagi.exe\__main__.py", line 7, in <module>
  File "c:\python39\lib\site-packages\bobalkkagi\application.py", line 14, in main
    fire.Fire(run_Bobalkkagi)
  File "c:\python39\lib\site-packages\fire\core.py", line 141, in Fire
    component_trace = _Fire(component, args, parsed_flag_args, context, name)
  File "c:\python39\lib\site-packages\fire\core.py", line 466, in _Fire
    component, remaining_args = _CallAndUpdateTrace(
  File "c:\python39\lib\site-packages\fire\core.py", line 681, in _CallAndUpdateTrace
    component = fn(*varargs, **kwargs)
  File "c:\python39\lib\site-packages\bobalkkagi\application.py", line 50, in run_Bobalkkagi
    dump, OrignalEntryPoint = unpack(protectedFile, verbose, mode, oep)
  File "c:\python39\lib\site-packages\bobalkkagi\unpacking.py", line 214, in unpack
    PE_Loader(uc, program, GLOBAL_VAR.ImageBaseStart, oep)
  File "c:\python39\lib\site-packages\bobalkkagi\loader.py", line 47, in PE_Loader
    sectionSize, sectionInfo = Section(uc, pe, originBase, oep)
  File "c:\python39\lib\site-packages\bobalkkagi\loader.py", line 171, in Section
    GLOBAL_VAR.SectionInfo.append([sectionName, base + section.VirtualAddress, section.Misc_VirtualSize, PrivChange(priv)])
  File "c:\python39\lib\site-packages\bobalkkagi\loader.py", line 151, in PrivChange
    return changeDic[privilege]
KeyError: 0

It looks like the PrivChange function is trying to access a dictionary called 'changeDic' with a key of 0, but this key doesn't exist in the dictionary.

Hoping you have an idea of how to resolve this issue or guide me on how to handle situations where the key might not exist?

Best Regards,
John Wick.
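The report above boils down to a loader looking up a section's protection with an exact dictionary key and finding no entry for characteristics 0. As an added example (not bobalkkagi's loader.py or its PrivChange function), the following derives Unicorn page protections from the IMAGE_SCN_MEM_* bits one at a time, so a section with flags the table never anticipated gets a defined fallback instead of a KeyError. IMAGE_SCN_MEM_* are the PE format's documented flag values and UC_PROT_* are Unicorn's constants; the function names and the sample sections (including the zero-flag ".packed" section) are constructed for this example.

```python
"""Added example, not bobalkkagi's loader.py: derive Unicorn page protection
from PE section Characteristics bit by bit instead of an exact-key lookup.

IMAGE_SCN_MEM_* values are from the PE/COFF specification; UC_PROT_* values
are Unicorn's.  Function names and sample data are constructed."""

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000

UC_PROT_NONE, UC_PROT_READ, UC_PROT_WRITE, UC_PROT_EXEC = 0, 1, 2, 4
UC_PROT_ALL = UC_PROT_READ | UC_PROT_WRITE | UC_PROT_EXEC


def section_protection(characteristics, default=UC_PROT_ALL):
    """Map the three memory bits to UC_PROT_* flags.

    A Characteristics value with none of the bits set (the `0` key in the
    issue) returns `default` rather than raising; for a dynamic unpacker that
    is normally RWX, since the packer is expected to write and then run it."""
    prot = UC_PROT_NONE
    if characteristics & IMAGE_SCN_MEM_READ:
        prot |= UC_PROT_READ
    if characteristics & IMAGE_SCN_MEM_WRITE:
        prot |= UC_PROT_WRITE
    if characteristics & IMAGE_SCN_MEM_EXECUTE:
        prot |= UC_PROT_EXEC
    return prot if prot != UC_PROT_NONE else default


def plan_section_mappings(image_base, sections, page=0x1000):
    """Return (name, start, page-rounded size, prot) tuples, the arguments a
    loader would hand to uc.mem_map(start, size, prot) for each section."""
    plan = []
    for name, vaddr, vsize, chars in sections:
        size = (max(vsize, 1) + page - 1) // page * page  # round up, never map 0 bytes
        plan.append((name, image_base + vaddr, size, section_protection(chars)))
    return plan


# Constructed sample: typical .text / .data flags plus a packer section with no flags at all
SAMPLE_SECTIONS = [
    (".text", 0x1000, 0x2F00, 0x60000020),   # CODE | EXECUTE | READ
    (".data", 0x4000, 0x0800, 0xC0000040),   # INITIALIZED_DATA | READ | WRITE
    (".packed", 0x5000, 0x10000, 0x00000000),  # the case that raised KeyError: 0
]

if __name__ == "__main__":
    for entry in plan_section_mappings(0x140000000, SAMPLE_SECTIONS):
        name, start, size, prot = entry
        print(f"{name:8} {start:#x} size={size:#x} prot={prot}")
```

Rounding the size up to a page boundary matters because Unicorn refuses to map regions that are not page-aligned, and mapping a zero-length section is equally invalid; both conditions are handled before the protection is chosen. If a loader would rather not guess for unknown flags, pass a stricter `default` and log the section name, which turns the silent KeyError into a readable diagnostic.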

KeyError: 'kernel32.dll_GetModuleHandleA'

[2023-12-07 04:13:41.928117] Unpacking Start!
Traceback (most recent call last):
  File "C:\Users\*****\AppData\Local\Programs\Python\Python39\lib\runpy.py", line 197, in _run_module_as_main
    return _run_code(code, main_globals, None,
  File "C:\Users\*****\AppData\Local\Programs\Python\Python39\lib\runpy.py", line 87, in _run_code
    exec(code, run_globals)
  File "C:\Users\*****\AppData\Local\Programs\Python\Python39\Scripts\bobalkkagi.exe\__main__.py", line 7, in <module>
  File "C:\Users\*****\AppData\Local\Programs\Python\Python39\lib\site-packages\bobalkkagi\application.py", line 14, in main
    fire.Fire(run_Bobalkkagi)
  File "C:\Users\*****\AppData\Local\Programs\Python\Python39\lib\site-packages\fire\core.py", line 141, in Fire
    component_trace = _Fire(component, args, parsed_flag_args, context, name)
  File "C:\Users\*****\AppData\Local\Programs\Python\Python39\lib\site-packages\fire\core.py", line 466, in _Fire
    component, remaining_args = _CallAndUpdateTrace(
  File "C:\Users\*****\AppData\Local\Programs\Python\Python39\lib\site-packages\fire\core.py", line 681, in _CallAndUpdateTrace
    component = fn(*varargs, **kwargs)
  File "C:\Users\*****\AppData\Local\Programs\Python\Python39\lib\site-packages\bobalkkagi\application.py", line 50, in run_Bobalkkagi
    dump, OrignalEntryPoint = unpack(protectedFile, verbose, mode, oep)
  File "C:\Users\*****\AppData\Local\Programs\Python\Python39\lib\site-packages\bobalkkagi\unpacking.py", line 226, in unpack
    InsertHookFlag(uc)
  File "C:\Users\*****\AppData\Local\Programs\Python\Python39\lib\site-packages\bobalkkagi\unpacking.py", line 164, in InsertHookFlag
    address =DLL_SETTING.DllFuncs[key]

WinLicense 3x

Could you add support for WinLicense 3x?

Do you have discord?

issue

[2023-03-12 13:00:37.290870] Unpacking done...
Unpacking Runtime: [0:26:14.338330]
[Create] Dumpfile!
[2023-03-12 13:00:37.312853] Unwrapping Start...
Traceback (most recent call last):
  File "C:\Users\XXX\AppData\Local\Programs\Python\Python39\lib\runpy.py", line 197, in _run_module_as_main
    return _run_code(code, main_globals, None,
  File "C:\Users\XXX\AppData\Local\Programs\Python\Python39\lib\runpy.py", line 87, in _run_code
    exec(code, run_globals)
  File "C:\Users\XXX\AppData\Local\Programs\Python\Python39\Scripts\bobalkkagi.exe\__main__.py", line 7, in <module>
  File "C:\Users\XXX\AppData\Local\Programs\Python\Python39\lib\site-packages\bobalkkagi\application.py", line 14, in main
    fire.Fire(run_Bobalkkagi)
  File "C:\Users\XXX\AppData\Local\Programs\Python\Python39\lib\site-packages\fire\core.py", line 141, in Fire
    component_trace = _Fire(component, args, parsed_flag_args, context, name)
  File "C:\Users\XXX\AppData\Local\Programs\Python\Python39\lib\site-packages\fire\core.py", line 466, in _Fire
    component, remaining_args = _CallAndUpdateTrace(
  File "C:\Users\XXX\AppData\Local\Programs\Python\Python39\lib\site-packages\fire\core.py", line 681, in _CallAndUpdateTrace
    component = fn(*varargs, **kwargs)
  File "C:\Users\XXX\AppData\Local\Programs\Python\Python39\lib\site-packages\bobalkkagi\application.py", line 51, in run_Bobalkkagi
    unwrap(dump, OrignalEntryPoint)
  File "C:\Users\XXX\AppData\Local\Programs\Python\Python39\lib\site-packages\bobalkkagi\unwrapping.py", line 8, in unwrap
    unwrapping(dumps, OEP)
  File "C:\Users\XXX\AppData\Local\Programs\Python\Python39\lib\site-packages\bobalkkagi\util_unwrap.py", line 592, in unwrapping
    emulate_start()
  File "C:\Users\XXX\AppData\Local\Programs\Python\Python39\lib\site-packages\bobalkkagi\util_unwrap.py", line 535, in emulate_start
    call_emulate_rip(uc , rip)
  File "C:\Users\XXX\AppData\Local\Programs\Python\Python39\lib\site-packages\bobalkkagi\util_unwrap.py", line 447, in call_emulate_rip
    uc.emu_start(GLOBAL_VAR.ImageBaseStart + rip, GLOBAL_VAR.ImageBaseStart +rip+ 0x20000)
  File "C:\Users\XXX\AppData\Local\Programs\Python\Python39\lib\site-packages\unicorn\unicorn.py", line 550, in emu_start
    raise self._hook_exception
  File "C:\Users\XXX\AppData\Local\Programs\Python\Python39\lib\site-packages\unicorn\unicorn.py", line 392, in wrapper
    return func(self, *args, **kwargs)
  File "C:\Users\XXX\AppData\Local\Programs\Python\Python39\lib\site-packages\unicorn\unicorn.py", line 663, in _hookcode_cb
    cb(self, address, size, data)
  File "C:\Users\XXX\AppData\Local\Programs\Python\Python39\lib\site-packages\bobalkkagi\util_unwrap.py", line 359, in hooking_code
    if not (GLOBAL_VAR.themida[1] <= address and address < (GLOBAL_VAR.themida[1]+GLOBAL_VAR.themida[2])):
IndexError: list index out of range
