Tuts 4 You

[unpackme] WinLicense v2.0.1.0



Posted

Thank you so much :)

Posted

heh heh, seems McAfee detects version 2 as a virus ;)

Posted (edited)

Voila, :ninja:

Please note that I dumped the entire program memory so unrarred it's about 46 mb.. So don't be surprised.. If I would code a nice memory dumper or do it manually that could be reduced significantly.. (~10 mb) But well I'm not in the mood. :)

(said in the previous thread it had no VM but it has VMed APIs so that's why the VM had to come along)

Not much new in it.. Standard tricks, low alloc VM parts, VM, esp ebp modification when dumped etc..

Please note I've haywired the import VM handler to retrieve the API location at only one place.. this is not really a valid method but I couldn't find the actual original import dword in VM code.. I'll fix that when I find a more difficult target which uses more APIs.. :)

Also ebp trick has been defeated by inserting the original ebp minus VM mod prior to entering VM.. This is also a quick fix and should not be considered a valid solution, though ah well it works this time. :)

Dump: (6 mb)

(tested on XP SP2 and SP1)

http://www.willhostforfood.com/access.php?fileid=24437

PW: fghfghSND23

So that leaves armadillo :)

Regards,

quosego

Edited by quosego
Posted (edited)
Voila, :ninja:

Please note that I dumped the entire program memory so unrarred it's about 46 mb.. So don't be surprised.. If I would code a nice memory dumper or do it manually that could be reduced significantly.. (~10 mb) But well I'm not in the mood. :)

(said in the previous thread it had no VM but it has VMed APIs so that's why the VM had to come along)

Not much new in it.. Standard tricks, low alloc VM parts, VM, esp ebp modification when dumped etc..

Please note I've haywired the import VM handler to retrieve the API location at only one place.. this is not really a valid method but I couldn't find the actual original import dword in VM code.. I'll fix that when I find a more difficult target which uses more APIs.. :)

Also ebp trick has been defeated by inserting the original ebp minus VM mod prior to entering VM.. This is also a quick fix and should not be considered a valid solution, though ah well it works this time. :)

Dump: (6 mb)

(tested on XP SP2 and SP1)

Your dump crashes on my machine :) Vista x64. Still you are a machine! I'll post up the latest asprot SKE in a bit, I'm "eating" breakfast atm.

See if you can get it running :)

If you wish I can whip up a larger app that uses their VM replacement macros

http://www.willhostforfood.com/access.php?fileid=24437

PW: fghfghSND23

So that leaves armadillo :)

Regards,

quosego

nice work but your unpacked version crashes on my machine. Vista x64. I'm going to toss up an ASProtect SKE 2.41 02.26 in a bit, for fun.

Now if you wish, I can whip up a better app and use VMs / etc. and max out the prot....

you are an unpacking machine!

-acid

Edited by acidflash
Posted

Works fine here on XP SP2 - awesome work once again quosego!

Posted (edited)

Yeah I think one should dump it on Vista x64 too to make it work there.. Doubtful I can fix it to run on Vista.. since I've got no idea what Microsoft did with that OS since I don't use it.. And I'm not planning to install it.. :)

Wouldn't mind a spiced up version.. :)

That would require me to fix my two quick fixes.. And get me off my lazy ***.

@ loki:

Thnx.. Just making sure SnD kicks ***. :)

quosego

Edited by quosego
Posted
Yeah I think one should dump it on Vista x64 too to make it work there.. Doubtful I can fix it to run on Vista.. since I've got no idea what Microsoft did with that OS since I don't use it.. And I'm not planning to install it.. :)

Wouldn't mind a spiced up version.. :)

That would require me to fix my two quick fixes.. And get me off my lazy ***.

@ loki:

Thnx.. Just making sure SnD kicks ***. :)

quosego

Just tried it on an XP SP3 VMWare 6.0.4 and it crashes :(

Posted (edited)

Possibly my second quick fix is invalid.. Fixed: it now uses relative values instead of absolute...

If this doesn't work, the dumped VM/my methods are OS specific.. And my dump can only be used on XP SP2/1..

However if you could post some specific error codes/analysis.. I might be able to make it work for you..

Dump:

http://www.willhostforfood.com/access.php?fileid=24439

PW: fghfghSND23

Regards,

quosego

Edited by quosego
Posted

0x009EA130  FF32  PUSH DWORD PTR DS:[EDX]    ; edx == 12FFC0

dies here. (I'm testing w/ XP now)..

Posted

That's deep in the VM... What's the violation??

(since pushing that edx value doesn't look like a violation..) At least not here...

Since this instruction is used many many times...

quosego

Posted

What protection options did you select, acidflash?

Posted
What protection options did you select, acidflash?

Anti-Debugger = Ultra

API Wrapping = level 2

anti-dumpers = enabled

anti-patching = disabled

ring 0 prot = enabled

OEP obfuscation = enabled

Metamorph Security = enabled

all resources compressed / encrypted

no code replacement enabled

Monitor Blockers (all) = enabled

Mutable RISC - 128 processor

Metamorphic level = 3

Dynamic Opcodes = 80%

Multi-branch = enabled (virtualization level 100)

Hide from PE scanners = type 2 (type 1 pretends to be a different packer)

no xbundler files

Crash when debugger is found = true

Don't run in virtual machines

that's a mouthful :P

-acid

Posted
That's deep in the VM... What's the violation??

(since pushing that edx value doesn't look like a violation..) At least not here...

Since this instruction is used many many times...

quosego

Dump dies there because the stack is at a different address. The VM is checking for a value at 0012FFC0... since the stack is different on the other machine, 0012FFC0 does not exist, thus killing the dump.

Also, no need for dump to be so big. Note that if you dump first 6 VirtualAlloc regions, that is VM in entirety.
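The crash described above comes from an absolute stack address (0012FFC0) baked into the dump. As an added example that is not code from the thread, the scanner below walks a dumped image and reports every dword that falls inside an assumed XP main-thread stack window, so such machine-specific references can be found before the dump is shipped; the sample bytes are constructed here and the stack range is an assumption.

```python
import struct

# Assumed window for the main thread's user-mode stack on 32-bit XP.
# Adjust for the machine the dump was taken on; the thread's value
# 0x0012FFC0 sits inside it.
STACK_LO, STACK_HI = 0x00120000, 0x00130000


def find_stack_refs(data, lo=STACK_LO, hi=STACK_HI):
    """Return (offset, value) for every dword in data whose value lies in [lo, hi).

    The scan is byte-granular, not 4-byte aligned, because an immediate
    operand embedded in an instruction stream can start at any offset.
    """
    hits = []
    for off in range(len(data) - 3):
        val = struct.unpack_from("<I", data, off)[0]
        if lo <= val < hi:
            hits.append((off, val))
    return hits


def report(data):
    """Human-readable lines for each suspicious absolute address."""
    return ["offset 0x%08X: 0x%08X" % (off, val) for off, val in find_stack_refs(data)]


# Constructed sample "dump": a push dword ptr [edx], then an embedded
# absolute stack pointer 0x0012FFC0 (little-endian), two nops, and an
# image-base value 0x00400000 that must not be flagged.
SAMPLE_DUMP = bytes.fromhex(
    "ff32"          # push dword ptr [edx]
    "c0ff1200"      # 0x0012FFC0, absolute stack address -> flagged
    "9090"          # nop; nop
    "00004000"      # 0x00400000, image base -> ignored
)

if __name__ == "__main__":
    for line in report(SAMPLE_DUMP):
        print(line)
```

Run it against a real dump with `find_stack_refs(open(path, "rb").read())`; every hit is a candidate that should be made relative (to ESP/EBP) or recomputed at runtime rather than stored as a fixed address.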

Posted
Also, no need for dump to be so big. Note that if you dump first 6 VirtualAlloc regions, that is VM in entirety.

Does that include Themida's virtual kernel32/user32/advapi32 ?

Posted
Also, no need for dump to be so big. Note that if you dump first 6 VirtualAlloc regions, that is VM in entirety.

Does that include Themida's virtual kernel32/user32/advapi32 ?

Nope

Posted

Yeah, quosego was right, nothing new to study :(

Posted
Yeah, quosego was right, nothing new to study :(

I thought for sure Themida would at least be harder =) So much for 2.0.1.0

Excellent work, I can only do PECompact and ASProt's latest... need to study Armadillo next.

@loki thanks for testing :)

Posted
@loki thanks for testing :)

About the only thing I can do when it comes to Themida.... makes my head hurt ;)

Posted

Well, quosego. If you get bored, move on to VM rebuilding :D:D

Posted
Well, quosego. If you get bored, move on to VM rebuilding :D:D

That will just encourage his boredom :(

Computer_Angel
Posted

to acidflash:

Could you tell me how you removed the watermark of the WL 2010 target?

Posted (edited)

That's not unpacking, that's copying and pasting... :cool:

Unless you can compile Themida VM opcodes you could not have fixed the API VM... (the OEP however is not impossible)

So you used the code in another unpackme posted by acidflash..

However if you did compile the Themida VM into assembly I'll now shut up and be honored with your visit... ;)

Though this is doubtful....

quosego

0040ECA0  |.  FF15 C8314100   CALL DWORD PTR DS:[<&kernel32.GetProcAddress>]
0040ECA6  |.  85C0            TEST EAX,EAX
0040ECA8  |.  75 1B           JNZ SHORT 0040ECC5
0040ECAA  |.  8B4424 14       MOV EAX,DWORD PTR SS:[ESP+14]
0040ECAE  |.  BF C03F0000     MOV EDI,3FC0
0040ECB3  |.  23C7            AND EAX,EDI
0040ECB5  |.  3B4424 14       CMP EAX,DWORD PTR SS:[ESP+14]
0040ECB9  |.  75 27           JNZ SHORT 0040ECE2
0040ECBB  |.  FF15 14304100   CALL DWORD PTR DS:[<&comctl32.InitCommonControls>]
0040ECC1  |.  8BF7            MOV ESI,EDI
0040ECC3  |.  EB 1D           JMP SHORT 0040ECE2

Should be VMed.....

Edited by quosego
Computer_Angel
Posted
That's not unpacking, that's copying and pasting

So you used the code in another unpackme posted by acidflash..

You underestimate me so much. I don't have any posts in the tuts4you forum, but it doesn't mean that I don't know anything. I've studied unpacking Winlic since ver 1.8.5.5. In this unpackme, it is the simplest case, the author does not use any SDK in the code.

By the way, I haven't tried the other target of acidflash ... believe it or not, it's up to you.
