Tuts 4 You

[unpackme] WinLicense v2.0.1.0


acidflash


In that case I'll shut up and be honored as promised.. ;)

My mistake.

(The chances of a copy-paste VM were so much higher than actually finding someone talented, I thought it was negligible)...

Though I and everyone else here would be extremely interested in how you did it..

The API VM that is.. (see above) Since that is the only thing that would only be possible with a greater understanding of the WL VM.

Unless I've been missing something obvious.. ;)

I'm not talking about the unpacking btw, that I trust you can do.. It's only those lines of code (40ECA0-40ECC3) I'm interested in..

As you state you extracted them from the VM.. And that I've not seen before..

quosego


I must agree with quosego in saying it looks suspicious... even if you did decompile the VM, the VM never executes a direct x86 translation of the opcode. Instead, things such as

mov eax, [esp+4] in the VM become something like:

    LDESP
    PUSH [context.ESP]
    POP
    ADD VAR, 4
    PUSH [VAR]
    POP
    PUSH VAR
    POP [context.EAX]
    NOP (shuffle context)

... so even if you restore the VM, opcode by opcode, only with very much luck and insight could you retrieve 100% of the original code.

Now, I am hesitant to insult the honor of someone, and I have been mistaken in the past, but please leave proof of how you restored the code, before I can believe you.

No hard feelings, hopefully

-Loveless.

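To make Loveless's point concrete, here is an added toy stack-machine interpreter that executes exactly the handler sequence quoted above. It is example code written for this page, not WinLicense's VM and not code from any poster: the handler names are Loveless's, but the instruction encoding, the context layout (logical register -> physical slot map), the guest-memory model (VAs are offsets into a 64-byte array) and the "shuffle" permutation (swap the slots of EAX and ECX) are assumptions of this example. Running it shows two things: the nine-handler sequence really does compute `mov eax,[esp+4]`, and after the trailing NOP (shuffle context) the logical EAX no longer lives in slot 0, which is why a dump taken with the entry-time context layout in mind reads the wrong register.

```c
#include <assert.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum { REG_EAX = 0, REG_ECX = 1, REG_ESP = 4, NREGS = 8 };
#define MEM_SIZE    64u
#define STACK_DEPTH 16

/* Toy VM opcodes named after the handlers in the post (encoding is assumed). */
enum op { LDESP, PUSH_CTX, POP_VAR, ADD_VAR, PUSH_MEM_VAR, PUSH_VAR, POP_CTX, NOP_SHUFFLE, HALT };

struct insn { enum op op; uint32_t arg; };

struct vm {
    uint32_t ctx[NREGS];          /* saved x86 register file ("context") */
    uint8_t  slot[NREGS];         /* logical register -> physical slot in ctx */
    uint32_t stack[STACK_DEPTH];  /* VM operand stack */
    int      sp;
    uint32_t var;                 /* VM scratch temporary ("VAR") */
    uint32_t guest_esp;           /* the real ESP at VM entry */
    uint8_t  mem[MEM_SIZE];       /* guest memory; VAs are offsets into it (assumption) */
};

static uint32_t rd32(const struct vm *vm, uint32_t a) {
    assert(a + 4 <= MEM_SIZE);
    return (uint32_t)vm->mem[a] | (uint32_t)vm->mem[a + 1] << 8 |
           (uint32_t)vm->mem[a + 2] << 16 | (uint32_t)vm->mem[a + 3] << 24;
}
static void wr32(struct vm *vm, uint32_t a, uint32_t v) {
    assert(a + 4 <= MEM_SIZE);
    for (int i = 0; i < 4; i++) vm->mem[a + i] = (uint8_t)(v >> (8 * i));
}
static void push(struct vm *vm, uint32_t v) { assert(vm->sp < STACK_DEPTH); vm->stack[vm->sp++] = v; }
static uint32_t pop(struct vm *vm)          { assert(vm->sp > 0); return vm->stack[--vm->sp]; }

/* "NOP (shuffle context)": swap the physical slots of EAX and ECX and update
   the map, so the register file's layout differs after the block. */
static void shuffle(struct vm *vm) {
    uint8_t a = vm->slot[REG_EAX], c = vm->slot[REG_ECX];
    uint32_t t = vm->ctx[a]; vm->ctx[a] = vm->ctx[c]; vm->ctx[c] = t;
    vm->slot[REG_EAX] = c; vm->slot[REG_ECX] = a;
}

static void vm_run(struct vm *vm, const struct insn *prog) {
    for (const struct insn *i = prog; ; i++) {
        switch (i->op) {
        case LDESP:        vm->ctx[vm->slot[REG_ESP]] = vm->guest_esp; break; /* sync real ESP into context */
        case PUSH_CTX:     push(vm, vm->ctx[vm->slot[i->arg]]); break;
        case POP_VAR:      vm->var = pop(vm); break;
        case ADD_VAR:      vm->var += i->arg; break;
        case PUSH_MEM_VAR: push(vm, rd32(vm, vm->var)); break;              /* PUSH [VAR] */
        case PUSH_VAR:     push(vm, vm->var); break;
        case POP_CTX:      vm->ctx[vm->slot[i->arg]] = pop(vm); break;     /* POP [context.reg] */
        case NOP_SHUFFLE:  shuffle(vm); break;
        case HALT:         return;
        }
    }
}

/* The handler sequence from the post, encoded for this toy VM. */
static const struct insn MOV_EAX_ESP4[] = {
    { LDESP, 0 }, { PUSH_CTX, REG_ESP }, { POP_VAR, 0 }, { ADD_VAR, 4 },
    { PUSH_MEM_VAR, 0 }, { POP_VAR, 0 }, { PUSH_VAR, 0 }, { POP_CTX, REG_EAX },
    { NOP_SHUFFLE, 0 }, { HALT, 0 },
};

static void setup(struct vm *vm, uint32_t esp, uint32_t value) {
    memset(vm, 0, sizeof *vm);
    for (int r = 0; r < NREGS; r++) vm->slot[r] = (uint8_t)r;   /* identity layout at entry */
    vm->guest_esp = esp;
    wr32(vm, esp + 4, value);                                   /* the dword [esp+4] should load */
}

/* Runs the virtualized `mov eax,[esp+4]`; returns the logical EAX afterwards. */
uint32_t run_mov_eax_esp4(uint32_t esp, uint32_t value) {
    struct vm vm; setup(&vm, esp, value);
    vm_run(&vm, MOV_EAX_ESP4);
    return vm.ctx[vm.slot[REG_EAX]];
}

/* Physical slot holding EAX after the block (1, ECX's entry slot): a dumper
   that assumes the entry layout would read the wrong register. */
int eax_slot_after_run(uint32_t esp, uint32_t value) {
    struct vm vm; setup(&vm, esp, value);
    vm_run(&vm, MOV_EAX_ESP4);
    return vm.slot[REG_EAX];
}

int main(void) {
    printf("eax = 0x%08X, now stored in ctx slot %d\n",
           run_mov_eax_esp4(16, 0xCAFEBABEu), eax_slot_after_run(16, 0xCAFEBABEu));
    return 0;
}
```

The point of the example is the last handler: the nine-step expansion is recoverable by tracing, but the context shuffle means the mapping from physical slots back to x86 registers has to be tracked across every block, which is the "luck and insight" part Loveless refers to.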

I think that if the level of the VM is not set high and if we have a lot of time to trace, we will restore some of the original code. But... when a man knows how to decode the VM code of Themida/Winlic, why must he share it with you?? That is a secret. :)


  • 3 months later...

Hi quosego

Firstly, apologies for bringing a few months old thread to the front. But I would like to ask a few questions regarding the unpackme target.

> Not much new in it.. Standard tricks, low alloc VM parts, VM, esp ebp modification when dumped etc..

I would like to know what the esp/ebp modification is. Are you modifying some part of memory before dumping? If yes, which part, and how did you come to know about it?

> Please note I've haywired the import VM handler to retrieve api location at only one place..

> this is not really a valid method but I couldn't find the actual original import dword in VM code..

> I'll fix that when I find a more difficult target which uses more api's..

Does it mean you have fixed the original APIs by break-pointing at a particular address and then saving the original API address?

For example, in the unpackme target, at the address below:

0085888E mov ebx,dword ptr ss:[ebp+11F70079] ; <--- break-pointing here & saving API address 4130a0 for Kernel32

OR is it something else you were mentioning?

> Also ebp trick has been defeated by inserting the original ebp minus VM mod prior to entering VM..

What is this ebp trick? Can you please elaborate or point me to a tutorial which explains it?

Awaiting your comments.

Regards

Lorens!


A lot of questions :)

The answers:

1. The esp/ebp mods are the VM modifying those registers when it returns to normal code.. This usually results in crashes later on as the registers hold incorrect values. When I unpacked this one I did not yet know the proper way of fixing this and have, like I said, haywired them to fix them afterwards. Neither did I know why the VM did this. Nowadays it's common knowledge that it is the result of a VM antidump. There are however more antidumps in more protected apps like this that cannot be fixed like this.

2. In this one I used my old method of import fixing using UIF, however the VM retrieves API addresses from the original IAT and not from the new UIFed one. In this case I modified the VM to retrieve it at the correct place.. Nowadays I rebuild the entire original IAT + FF25/15's, which makes this step unnecessary.

I fix the imports by gathering all info in the IAT writing routines of Themida/Winlicense (location/place, FF25/15 etc.) and overwriting the Themida obfujump when it is written. Scripting this is the way to go..

quosego

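As an added illustration of the "rebuild the original IAT + FF25/15's" step quosego describes (this is example code written for this page, not quosego's script and not Themida/WinLicense's own code), the block below shows the x86-32 encodings involved and a patcher that writes them back over a redirected call site in a dumped code section. The record layout (`struct import_site`), the sample VAs (0x401000 code page, 0x4A0000 stub, 0x413000 IAT slot) and the assumed obfuscation shape (the protector replaced the original 6-byte `call dword ptr [iat]` with a 5-byte `call stub` plus one filler byte) are all assumptions of this example; in a real target those values come from tracing the protector's IAT-writing routine, as the post says.

```c
#include <assert.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* x86-32 indirect-through-IAT forms:
     FF 15 disp32  =  call dword ptr [disp32]
     FF 25 disp32  =  jmp  dword ptr [disp32]
   Both are 6 bytes; disp32 is the absolute VA of the IAT slot (32-bit has no
   RIP-relative addressing), so the restored bytes depend only on the slot VA. */
enum { IMP_CALL = 0x15, IMP_JMP = 0x25 };

static void put32(uint8_t *p, uint32_t v) {
    for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i));
}
static uint32_t get32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* One record gathered from the protector's IAT-writing routine (assumed layout). */
struct import_site {
    uint32_t site_va;   /* VA of the original call/jmp instruction in the dump */
    uint8_t  modrm;     /* IMP_CALL or IMP_JMP: which form the original code used */
    uint32_t slot_va;   /* VA of the IAT slot that will hold the API address */
};

/* Overwrite the redirect at site_va with the original FF15/FF25 form.
   code covers [code_va, code_va + code_len). Returns 0 on success, -1 if the
   record is malformed or the 6-byte write would leave the buffer. */
int restore_import(uint8_t *code, size_t code_len, uint32_t code_va, const struct import_site *s) {
    if (s->modrm != IMP_CALL && s->modrm != IMP_JMP) return -1;
    if (s->site_va < code_va || s->site_va - code_va > code_len || code_len - (s->site_va - code_va) < 6)
        return -1;
    uint8_t *p = code + (s->site_va - code_va);
    p[0] = 0xFF; p[1] = s->modrm; put32(p + 2, s->slot_va);
    return 0;
}

/* Decode an FF15/FF25 at p: returns the slot VA, or 0 if it is not an IAT reference. */
uint32_t decode_iat_ref(const uint8_t *p, int *is_call) {
    if (p[0] != 0xFF || (p[1] != IMP_CALL && p[1] != IMP_JMP)) return 0;
    if (is_call) *is_call = (p[1] == IMP_CALL);
    return get32(p + 2);
}

/* Constructed sample: a code page at 0x401000 where the 6-byte `call [iat]` at
   0x401010 was replaced by `call 0x4A0000` (E8 rel32) plus one filler byte. */
#define SAMPLE_VA 0x401000u
static uint8_t sample[0x40];

static void build_sample(void) {
    memset(sample, 0x90, sizeof sample);                /* nop padding */
    uint32_t site = 0x401010u, stub = 0x4A0000u;
    uint8_t *p = sample + (site - SAMPLE_VA);
    p[0] = 0xE8; put32(p + 1, stub - (site + 5));       /* call rel32 to the protector's stub */
    p[5] = 0xCC;                                        /* filler byte covering the 6th byte */
}

/* Repairs the sample site and returns the IAT slot now referenced, or 0 on failure. */
uint32_t demo_fix(void) {
    build_sample();
    struct import_site rec = { 0x401010u, IMP_CALL, 0x413000u };   /* constructed record */
    if (restore_import(sample, sizeof sample, SAMPLE_VA, &rec) != 0) return 0;
    int is_call = 0;
    uint32_t slot = decode_iat_ref(sample + 0x10, &is_call);
    return is_call ? slot : 0;
}

int main(void) {
    printf("repaired site references IAT slot 0x%08X\n", demo_fix());
    return 0;
}
```

Once every site has been written back this way and the IAT slots themselves are filled with the real API addresses, the dump no longer depends on the protector's stubs, which is what makes the VM-side API lookup step in quosego's first method unnecessary.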

Hi quosego

Thanks for all your clarifications. I guess I need to dig/learn more to understand VM dumping + antidump. I am already reversing some script files to understand what the author is trying to do.

Btw, I have also PMed you my script for rebuilding the imports, based on your concept of break-pointing & writing the real API to the required address. Can you just check & let me know if it's the correct method or I am doing it wrong?

ImpRec is able to rebuild the IAT 100%, but since all the targets which I am studying use either VM + antidump tricks, I could not make the dump work for me as yet because my current knowledge of the VM is limited.

Thanks once again for all the clarification & help

Regards

Lorens!


Do you mind PMing me a link to the main winlicense.exe program? Or the unzip password from Oreans will do, I have all the files.

:wub:


> Do you mind PMing me a link to the main winlicense.exe program? Or the unzip password from Oreans will do, I have all the files.

I think WL has already leaked on another forum. Not sure.


That is Nooby from the "other forum"? :dunno:

Ted.

Yes I am, you can PM me on "the other forum" to confirm.

But I doubt there's a leaked WL 2030 in the wild.
