February 14, 2008
File not found. Please post again.
WinLicense 1.8.9.0
http://tuts4you.com/download.php?view.1988
Ted.
February 20, 2008
Well, I notice the files are missing but no one has said anything as to why... Also, what features of WinLicense were you going to look at? The only special one imo is the SDK.
Regards - SS
February 22, 2008
Ok, I apologise Ted, but seriously, when I posted that the download system said the file was missing.. apologies.
February 22, 2008
It's been doing a few weird things lately - in the support forum Ted mentioned a scan as being the cause.
February 22, 2008 (Author)
Yes, some files were deleted during a scan on the site, but I think I recovered most if not all of those missing/deleted files. My apologies for the problems everyone...
Ted.
March 18, 2008
Nice one, I really dislike the fixed API emulations/stolen code in this one.. (that's positive.. ) And if I'm not mistaken they're even fully emulated... which makes fixing them a pain..

Winlicense:
    0042723E .- E9 83E48B00      JMP 00CE56C6
    00427243    90               NOP
    00427244    3D               DB 3D ; CHAR '='
    00427245    14               DB 14
    00427246    EE               DB EE
    00427247    C2               DB C2
    00427248    45               DB 45 ; CHAR 'E'
    00427249    96               DB 96
    0042724A    E3               DB E3
    0042724B .  3822             CMP BYTE PTR DS:[EDX],AH
    0042724D .  5D               POP EBP
    0042724E .  A3 10E64500      MOV DWORD PTR DS:[45E610],EAX

Ori:
    0042723E    FF15 84094600    CALL DWORD PTR DS:[460984] ; kernel32.GetCommandLineA
    00427244    A3 D8EB4500      MOV DWORD PTR DS:[45EBD8],EAX
    00427249    E8 32940000      CALL 00430680
    0042724E    A3 10E64500      MOV DWORD PTR DS:[45E610],EAX

Ah well, off to find a method to fix them..
quosego
Edited March 18, 2008 by quosego
March 18, 2008
The APIs themselves are not fully emulated, but the instructions behind them are. Just dump the entire thing with VM and be done with it.
March 18, 2008
Since all data is stored in the first section, including the IAT, you can just put a memory breakpoint on access of that section and decipher it by watching the stack, breaks, and registers. For instance, the first break for the area talked about (0042723E) is

    0133A461    FF32             PUSH DWORD PTR DS:[EDX] ; kernel32.GetCommandLineA

then

    0135825B    F3:A4            REP MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[>    -------------- edi = 0045EBD8, also eax = edi, and only 4 bytes are written

then it lands in this area

    00430680    A1 38EA4500      MOV EAX,DWORD PTR DS:[45EA38]    --------------- so obviously Call this address

I suggest just skipping going through that call, though, by setting the EIP to the return that's in the stack. The next break will be at 0042724E. Anyway, the code is deciphered to

    GetCommandLineA
    mov dword ptr [0045EBD8], eax
    Call 00430680

Longer stolen code could be a pain in the a$$, also code that requires information from earlier code. (If you don't have the right info it most likely will crash.) If you're lazy you might as well just dump the needed areas.
Edited March 18, 2008 by What
March 18, 2008
> Anyway, the code is deciphered to
>     GetCommandLineA
>     mov dword ptr [0045EBD8], eax
>     Call 00430680
> Longer stolen code could be a pain in the a$$, also code that requires information from earlier code. (If you don't have the right info it most likely will crash.) If you're lazy you might as well just dump the needed areas.

That's not very practical... I think this app has some couple of hundred jumps to the VM. You gonna fix em all? Better to just dump it. You can rebuild the code for the reg routine, and that's that ^^
March 18, 2008
> That's not very practical... I think this app has some couple of hundred jumps to the VM. You gonna fix em all? Better to just dump it. You can rebuild the code for the reg routine, and that's that ^^

Very true. I was just pointing out a way of repairing it. I personally just dump, if that; I would usually just inline it because the dumps are gigantic. :dry:
March 19, 2008
That was indeed my point, the dump right now is already 10 MB for an unpackme. Attaching those sections to it will greatly increase its size.
quosego
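A triage check prompted by quosego's two listings for 0042723E, added here as an example and not code from this thread or from WinLicense: a linear scan for E8/E9 rel32 branches whose target falls outside the loaded image, which is how the JMP 00CE56C6 into the run-time VM stands out from the original CALL 00430680. The sample bytes are the ones shown in the two listings; the image bounds 0x00400000..0x00470000 are assumed placeholders that would normally come from the PE headers.

```python
import struct
from typing import List, Tuple

# Constructed from the thread's listings for VA 0042723E:
# protected build (JMP into the VM, then junk bytes) vs. original code
# (CALL [IAT] GetCommandLineA, MOV, CALL 00430680, MOV).
PROTECTED = bytes.fromhex(
    "E983E48B00" "90" "3D" "14" "EE" "C2" "45" "96" "E3" "3822" "5D" "A310E64500"
)
ORIGINAL = bytes.fromhex(
    "FF1584094600" "A3D8EB4500" "E832940000" "A310E64500"
)
BASE_VA = 0x0042723E

# Assumed image range (placeholder; take the real bounds from the PE headers).
IMAGE_LO = 0x00400000
IMAGE_HI = 0x00470000


def scan_branches(code: bytes, base_va: int, image_lo: int = IMAGE_LO,
                  image_hi: int = IMAGE_HI) -> List[Tuple[int, str, int]]:
    """Return (va, mnemonic, target) for every E8/E9 rel32 branch whose
    target lies outside [image_lo, image_hi).  A target outside the image
    points at memory the protector maps at run time (its VM), which is the
    signature of a stolen-code trampoline.  This is a byte scan, not a
    disassembler: an E8/E9 byte inside an operand or in data is decoded
    too, so hits are leads to confirm in the debugger, not proof."""
    hits = []
    for off in range(len(code) - 4):          # need 5 bytes for opcode+rel32
        op = code[off]
        if op not in (0xE8, 0xE9):
            continue
        rel = struct.unpack_from("<i", code, off + 1)[0]   # signed rel32
        va = base_va + off
        target = (va + 5 + rel) & 0xFFFFFFFF  # target = next-instruction VA + rel
        if not (image_lo <= target < image_hi):
            hits.append((va, "call" if op == 0xE8 else "jmp", target))
    return hits


if __name__ == "__main__":
    for name, blob in (("protected", PROTECTED), ("original", ORIGINAL)):
        for va, mnem, target in scan_branches(blob, BASE_VA):
            print(f"{name}: {va:08X} {mnem} -> {target:08X} (outside image)")
```

The protected bytes yield one hit (0042723E jmp -> 00CE56C6); the original bytes yield none, because CALL 00430680 stays inside the image.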