Jump to content
Tuts 4 You

[unpackme] Winlicense 1.8.9.0

Teddy Rogers

By Teddy Rogers
in UnPackMe

 Share

Recommended Posts

  • 2 weeks later...
rendari

rendari

Posted
Posted

0o just saw this. Will check it out :)

  • 3 months later...
SiliconShadow

SiliconShadow

Posted
Posted

Well i notice the files are missing but no one has said anythign to why...

Also what features of win licence where you going to look at the only special one imo is the sdk.

Regards - SS

Teddy Rogers

Teddy Rogers

Posted
  • Author
Posted

The link in the original post is still working and valid...

Ted.

SiliconShadow

SiliconShadow

Posted
Posted

Ok i apolagise ted but seriusly when i posted that the download system said the file was missing.. apologies ;)

Loki

Loki

Posted
Posted

Its been doing a few weird things lately - in the supprt forum Ted mentioned a scan as being the cause :)

Teddy Rogers

Teddy Rogers

Posted
  • Author
Posted

Yes, some files were deleted during a scan on the site but I think I recovered most if not all those missing/deleted files.

My apologies for the problems everyone...

Ted.

  • 4 weeks later...
quosego

quosego

Posted
Posted (edited)

Nice one, I really dislike the fixed api emulations/stolen code in this one.. (that's positive.. ;) ) And if I'm not mistaken they're even fully emulated... which makes fixing them a pain..

Winlicense;

0042723E								 .- E9 83E48B00		JMP 00CE56C6
00427243									90				 NOP
00427244									3D				 DB 3D												  ;  CHAR '='
00427245									14				 DB 14
00427246									EE				 DB EE
00427247									C2				 DB C2
00427248									45				 DB 45												  ;  CHAR 'E'
00427249									96				 DB 96
0042724A									E3				 DB E3
0042724B								 .  3822			   CMP BYTE PTR DS:[EDX],AH
0042724D								 .  5D				 POP EBP
0042724E								 .  A3 10E64500		MOV DWORD PTR DS:[45E610],EAX

Ori;

0042723E								  FF15 84094600		CALL DWORD PTR DS:[460984]							 ; kernel32.GetCommandLineA
00427244								  A3 D8EB4500		  MOV DWORD PTR DS:[45EBD8],EAX
00427249								  E8 32940000		  CALL 00430680
0042724E								  A3 10E64500		  MOV DWORD PTR DS:[45E610],EAX

ah well of to find an method to fix them..

quosego

Edited by quosego
rendari

rendari

Posted
Posted

The API's themselves are not fully emulated, but the instructions behind them are. Just dump the entire thing with VM and be done with it.

What

What

Posted
Posted (edited)

Since all data is stored in the first section, including IAT, you can just put a memory breakpoint on access of that section and just decipher by watching the stack, breaks, and registers.

For instance the first break for the area talked about (0042723E) is 

0133A461    FF32            PUSH DWORD PTR DS:[EDX]                  ; kernel32.GetCommandLineAthen 0135825B    F3:A4           REP MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[>  -------------- edi = 0045EBD8 also eax = edi and only 4 bytes are writtenthen it lands in this area00430680    A1 38EA4500     MOV EAX,DWORD PTR DS:[45EA38] --------------- so obviously Call this addressI suggest just skipping going through that call though by setting the eip to the return thats in the stack. The next break will be at 0042724E,

Anyway code is deciphered to

GetCommandLineA

mov dword ptr [0045EBD8], eax

Call 00430680

Longer stolen code could be a pain in the a$$, also code that requires information from earlier code. (If you dont have the right info it most likely will crash.) If your lazy you might as well just dump the needed areas.

Edited by What
rendari

rendari

Posted
Posted 
Anyway code is deciphered toGetCommandLineA
mov dword ptr [0045EBD8], eax
Call 00430680Longer stolen code could be a pain in the a$$, also code that requires information from earlier code. (If you dont have the right info it most likely will crash.) If your lazy you might as well just dump the needed areas.

That's not very practical... I think this app has some couple of hundred jumps to the VM. You gonna fix em all? Better to just dump it. You can rebuild the code for the reg routine, and that's that ^^

What

What

Posted
Posted
That's not very practical... I think this app has some couple of hundred jumps to the VM. You gonna fix em all? Better to just dump it. You can rebuild the code for the reg routine, and that's that ^^

Very true. I was just pointing a way of repairing it. I personally just dump, if that, I would usually just inline it because the dumps are gigantic. :dry:

rendari

rendari

Posted
Posted

Yep, I agree that inlining is the most "efficient" way to go :)

quosego

quosego

Posted
Posted

That was indeed my point, the dump right now is already 10 mb for an unpackme. Attaching those section to it will greatly increase it's size.

quosego

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
 Share
Go to topic listing
×
×
  • Create New...