Tuts 4 You

[unpackme] Winlicense 1.8.9.0


Teddy Rogers

SiliconShadow

Well, I notice the files are missing but no one has said anything as to why...

Also, what features of WinLicense were you going to look at? The only special one IMO is the SDK.

Regards - SS


Yes, some files were deleted during a scan on the site but I think I recovered most if not all those missing/deleted files.

My apologies for the problems everyone...

Ted.


Nice one, I really dislike the fixed API emulations/stolen code in this one.. (that's positive.. ;) ) And if I'm not mistaken they're even fully emulated... which makes fixing them a pain..

Winlicense;

0042723E   E9 83E48B00      JMP 00CE56C6
00427243   90               NOP
00427244   3D               DB 3D                          ; CHAR '='
00427245   14               DB 14
00427246   EE               DB EE
00427247   C2               DB C2
00427248   45               DB 45                          ; CHAR 'E'
00427249   96               DB 96
0042724A   E3               DB E3
0042724B   3822             CMP BYTE PTR DS:[EDX],AH
0042724D   5D               POP EBP
0042724E   A3 10E64500      MOV DWORD PTR DS:[45E610],EAX

Ori;

0042723E   FF15 84094600    CALL DWORD PTR DS:[460984]     ; kernel32.GetCommandLineA
00427244   A3 D8EB4500      MOV DWORD PTR DS:[45EBD8],EAX
00427249   E8 32940000      CALL 00430680
0042724E   A3 10E64500      MOV DWORD PTR DS:[45E610],EAX

Ah well, off to find a method to fix them..

quosego


The APIs themselves are not fully emulated, but the instructions behind them are. Just dump the entire thing with VM and be done with it.


Since all data is stored in the first section, including IAT, you can just put a memory breakpoint on access of that section and just decipher by watching the stack, breaks, and registers.

For instance, the first break for the area talked about (0042723E) is

0133A461   FF32             PUSH DWORD PTR DS:[EDX]        ; kernel32.GetCommandLineA

then

0135825B   F3:A4            REP MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[>   -------------- edi = 0045EBD8, also eax = edi, and only 4 bytes are written

then it lands in this area

00430680   A1 38EA4500      MOV EAX,DWORD PTR DS:[45EA38]  --------------- so obviously Call this address

I suggest just skipping going through that call though by setting the eip to the return that's in the stack. The next break will be at 0042724E.

Anyway code is deciphered to

GetCommandLineA

mov dword ptr [0045EBD8], eax

Call 00430680

Longer stolen code could be a pain in the a$$, also code that requires information from earlier code. (If you don't have the right info it most likely will crash.) If you're lazy you might as well just dump the needed areas.

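Added example (not code from this thread or from anyone posting in it): a small Python helper that follows the procedure What describes above, resolving where the E9 stub jumps, reassembling the three deciphered instructions, and writing them back over the 16-byte stub in a dumped section buffer. The addresses and bytes are the ones posted in the "Winlicense" and "Ori" listings; the section buffer used to exercise it is constructed.

```python
import struct

# Addresses and bytes come from the two listings in this thread (the "Winlicense"
# stub and the "Ori" code); the section buffer used to exercise this is constructed.
STOLEN_VA = 0x0042723E
STOLEN_BYTES = bytes.fromhex("E983E48B00" "90" "3D14EEC24596E3" "3822" "5D")  # 16 bytes
IAT_SLOT_GETCOMMANDLINEA = 0x00460984  # CALL DWORD PTR DS:[460984] -> kernel32.GetCommandLineA
SAVE_SLOT = 0x0045EBD8                  # MOV DWORD PTR DS:[45EBD8], EAX
CALL_TARGET = 0x00430680                # CALL 00430680

# The original sequence deciphered by breaking on accesses to the first section.
ORIGINAL = [("call_iat", IAT_SLOT_GETCOMMANDLINEA),
            ("mov_mem_eax", SAVE_SLOT),
            ("call_rel", CALL_TARGET)]

def rel32_target(va, insn):
    """Resolve where an E8 (CALL) / E9 (JMP) rel32 located at va actually goes."""
    if len(insn) < 5 or insn[0] not in (0xE8, 0xE9):
        raise ValueError("not a rel32 CALL/JMP")
    (rel,) = struct.unpack("<i", insn[1:5])
    return (va + 5 + rel) & 0xFFFFFFFF

def assemble(va, insns):
    """Encode the three instruction forms used by the stolen sequence, starting at va.
    call_iat: FF 15 slot | mov_mem_eax: A3 moffs32 | call_rel: E8 rel32 (from next insn)."""
    out = bytearray()
    for op, operand in insns:
        cur = va + len(out)  # address of the instruction being emitted
        if op == "call_iat":
            out += b"\xff\x15" + struct.pack("<I", operand)
        elif op == "mov_mem_eax":
            out += b"\xa3" + struct.pack("<I", operand)
        elif op == "call_rel":
            out += b"\xe8" + struct.pack("<i", operand - (cur + 5))
        else:
            raise ValueError(f"unsupported op {op}")
    return bytes(out)

def restore(section, section_va, va, stolen_len, insns):
    """Replace the stub at va inside a dumped section with the rebuilt original code.
    Refuses to patch unless the sizes match, so the instruction after the stub
    (0042724E, MOV [45E610], EAX here) is left untouched."""
    code = assemble(va, insns)
    if len(code) != stolen_len:
        raise ValueError(f"rebuilt {len(code)} bytes but the stub is {stolen_len}")
    off = va - section_va
    if off < 0 or off + stolen_len > len(section):
        raise ValueError("stub lies outside the section")
    return section[:off] + code + section[off + stolen_len:]
```

Each stub has to be deciphered by hand first (this only reassembles what you already worked out), and the size check is what catches a sequence that would spill over the instruction following the stub.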

That's not very practical... I think this app has some couple of hundred jumps to the VM. You gonna fix em all? Better to just dump it. You can rebuild the code for the reg routine, and that's that ^^


Very true. I was just pointing out a way of repairing it. I personally just dump, if that; I would usually just inline it because the dumps are gigantic. :dry:


That was indeed my point, the dump right now is already 10 MB for an unpackme. Attaching those sections to it will greatly increase its size.

quosego
