Tuts 4 You

[unpackme] WinLicense 2.0.8.0 + Hardware lock


EvOlUtIoN


Okay I hate to do this (go blatantly off topic), but are we ever going to see a TM/WL 2.1.0.0 full-featured UnpackMe since they started watermarking? Would someone have to sacrifice a license, or do an intermediate inline patch before posting it?

Most people here don't have the time and/or skills to do this level of protector, but it's intriguing to see the more productive and skilled reversers do them and give feedback. There seem to be only two protectors from separate vendors that don't get instantly dumped, and this is one of them. Also the target I've been doing in the wild has stopped at 2.0.8.0 and doesn't use much more than VM macros and the trivial anti-debug with the IAT stuff.

Edited by hiya


Hi All,

I am working on this unpackme's Themida protection & from this posting you'll learn how Themida reads the export directory of a module & gets the function names. You'll also learn where it checks for ntice.sys, plus more. Please note I am not able to bypass the hardware ID checks & anti-dumping routines. As & when I find out, I'll update you all.

Let's follow: set a hardware breakpoint at 5DF2F6 & we'll land here.

005DF2F6  pushad
005DF2F7 clc
005DF2F8 sub eax,eax
005DF2FA xor dword ptr ss:[ebp+A742559],ebx
005DF300 mov dword ptr ss:[ebp+A740E01],eax
005DF306 mov edx,dword ptr ss:[esp+28]
005DF30A jns 005DF319
005DF310 pushad
005DF311 mov esi,0EF8D36C
005DF316 push ebx
005DF317 pop eax
005DF318 popad
005DF319 mov dword ptr ss:[ebp+A74198D],eax
005DF31F pushad
005DF320 jnb 005DF329
005DF326 movzx edx,bx
005DF329 popad
005DF32A mov esi,3C ; ESI = 3C Offset of PE Header to Begin
005DF32F mov dword ptr ss:[ebp+A743001],edx
005DF335 add esi,dword ptr ss:[esp+24] ; First time ESI = Kernel Image Base ESI=7C80003C
005DF339 clc
005DF33A lods word ptr ds:[esi] ; EAX=0100 Read Word to get start PE header
005DF33C mov dword ptr ss:[ebp+A740451],ecx
005DF342 add eax,dword ptr ss:[esp+24] ; EAX=7C8000E8 = PE Header
005DF346 xor dword ptr ss:[ebp+A741011],esi
005DF34C nop
005DF34D jmp 005DF358 ; Keep pressing F7 to reach here
005DF37A mov eax,dword ptr ds:[eax+78] ; EAX=0000262C Get RVA of Export Directory
005DF394 add eax,dword ptr ss:[esp+28] ; EAX=7C80262C Points to kernel32.$$VProc_ImageExportDirectory
005DF3A7 mov eax,dword ptr ds:[eax+18] ; EAX=000003B5 i.e. Number of Functions Exported
005DF3AA mov dword ptr ss:[ebp+A742369],edx
005DF3B0 inc eax ; Incremented by 1
005DF3B1 add dword ptr ss:[ebp+A741185],edx
005DF3B7 mov dword ptr ss:[ebp+A743F0E],eax ; eax=000003B6 saved ss:[005DF2EC]=000003B6
005DF3BD pushad
005DF3BE mov edi,dword ptr ss:[ebp+A741559]
005DF3C4 mov dword ptr ss:[ebp+A74033D],eax ; eax=000003B6 saved ss:[005DB71B]=000003B6
005DF3CA popad
005DF3CB pop eax
005DF3CC or dword ptr ss:[ebp+A741ED9],ecx
005DF3D2 mov esi,dword ptr ds:[eax+78]
005DF3D5 pushad
005DF3D6 mov edx,dword ptr ss:[ebp+A741E3D]
005DF3DC mov edx,dword ptr ss:[ebp+A740855] ; EDX=D9DA1CE9 Get Encrypted DWORD of API to fetch the address
005DF3E2 popad
005DF3E3 add esi,1C
005DF3E6 pushad
005DF3E7 mov dword ptr ss:[ebp+A7407E1],ecx
005DF3ED sub ecx,dword ptr ss:[ebp+A74111D]
005DF3F3 popad
005DF3F4 add esi,dword ptr ss:[esp+24] ; ESI points to First Function
005DF41C lods dword ptr ds:[esi] ;
005DF430 add eax,dword ptr ss:[esp+24] ; EAX=7C802654
005DF435 stos dword ptr es:[edi] ; Store it eax=7C802654 & es:[edi]=[005DD52B]=7C802654

F7 slowly & we'll reach here

005DF531 dec dword ptr ss:[ebp+A743F0E] ; ss:[ebp+A743F0E] = ss:[005DF2EC]=000003B6 Saved @ 5DF3B7 see above
005DF537 cmp dword ptr ss:[ebp+A743F0E],0 ; Have we finished with all functions ? obviously not
005DF53E jnz short 005DF550
005DF540 mov dword ptr ss:[esp+1C],0
005DF548 lea esi,dword ptr ss:[ebp+A744394]
005DF54E jmp esi
005DF550 push esi
005DF551 lods dword ptr ds:[esi]
005DF552 add eax,dword ptr ss:[esp+28] ; EAX=7C804B73 ASCII "ActivateActCtx"
005DF556 xchg eax,edi
005DF557 mov ebx,edi
005DF559 mov al,byte ptr ss:[ebp+A741A25] ; Here Take First Byte of the Function Name we are searching for 'L' i.e. Hex 0x4C
005DF55F test al,al
005DF561 je short 005DF567
005DF563 cmp al,byte ptr ds:[edi] ; Compare byte with function name in EDI which is "ActivateActCtx" byte 'A'
005DF565 jnz short 005DF5B3 ; Not equal and jump is taken which Pop esi & add esi by 4 to loop 005DF531

So basically what it does is Get a Byte of function name & check with the required 'L' in this case.

If byte match successful we'll reach below


005DF567 push edi ; So we'll put a break point here F2 & F9 to reach here Save function name on stack
005DF568 xor al,al ;
005DF56A scas byte ptr es:[edi]
005DF56B jnz short 005DF56A
005DF56D pop esi
005DF56E sub edi,ebx ; Function name length in EDI
005DF570 push edx
005DF571 cld
005DF572 xor ecx,ecx ;
005DF574 dec ecx
005DF575 mov edx,ecx
005DF577 xor eax,eax
005DF579 xor ebx,ebx
005DF57B lods byte ptr ds:[esi] ; load byte in EAX
005DF57C xor al,cl
005DF57E mov cl,ch
005DF580 mov ch,dl
005DF582 mov dl,dh
005DF584 mov dh,8
005DF586 shr bx,1
005DF589 rcr ax,1
005DF58C jnb short 005DF597
005DF58E xor ax,5041
005DF592 xor bx,5449
005DF597 dec dh ; dh=counter
005DF599 jnz short 005DF586
005DF59B xor ecx,eax
005DF59D xor edx,ebx
005DF59F dec edi
005DF5A0 jnz short 005DF577
005DF5A2 not edx
005DF5A4 not ecx
005DF5A6 mov eax,edx
005DF5A8 rol eax,10
005DF5AB mov ax,cx
005DF5AE pop edx
005DF5AF cmp edx,eax ; Encrypted Compare EDX=D9DA1CE9 loaded @ 005DF3DC see up with EAX=D4DA1FC7
005DF5B1 je short 005DF5C2 ; if equal take this JE
005DF5B3 pop esi
005DF5B4 add esi,4 ; Increment ESI by 4 Get next functions
005DF5B7 inc dword ptr ss:[ebp+A74198D]
005DF5BD jmp 005DF531 ; Loop 5DF531
005DF5C2 pop esi ; ESI=LoadLibraryA
005DF661 add eax,dword ptr ss:[esp+24] ; EAX=7C801D77 = LoadLibraryA
005DF69D mov dword ptr ss:[esp+1C],eax ; Save it on stack
005DF772 mov byte ptr ss:[ebp+A741A25],0 ; ss:[005DCE03]=4C ('L') Clear it so that we can put another function byte

VM stuff, I need to dig into it.

00643510 push 0A7A82B2
00643515 jmp 005F5F39
0064351A push 0A7A8357
0064351F jmp 005F5F39
00643524 push 0A7A84D5
00643529 jmp 005F5F39
0064352E push 0A7A8720
00643533 jmp 005F5F39
00643538 push 0A7A87AC
0064353D jmp 005F5F39
00643542 push 0A7A88F1
00643547 jmp 005F5F39
0064354C push 0A7A89A4
00643551 jmp 005F5F39
00643556 push 0A7A8D48
0064355B jmp 005F5F39
00643560 push 0A7A8E5B
00643565 jmp 005F5F39
0064356A push 0A7A8F91
0064356F jmp 005F5F39
00643574 push 0A7A9011
00643579 jmp 005F5F39

Clear all Hardware Breakpoints & reload the program.

Now set a Hardware Breakpoint @ 5DF5C2 & let the program run. We'll see the function names getting checked.

Keep it running & we'll get an error at 6591C1, so we'll put a hardware breakpoint there as well & make it run.

When we land at 6591C1 I just nop it & let the program execute. We break again at 5DF5C2 & see some more functions.

Make it run pressing F9 & the program terminates because we have to bypass the Hardware ID checks, which I need to dig into.

Clear all hardware breakpoints & reload the program. Set a hardware breakpoint @ 66CEE7

0066CEE1  push dword ptr ss:[ebp+A7D07EB]       ; ntice.sys ; Iceext.sys ; Syser.sys ; HanOlly.sys ; extrem.sys
0066CEE7 call dword ptr ss:[ebp+A7D07EF] ; kernel32.lstrcmpiA

What I guess is it checks whether iceext.sys or syser.sys or HanOlly.sys or extrem.sys is found or not.

It checks with almost all drivers of system.

Any way breakpoint on 66CF7F to come out after all checking.

0066D0F1 call dword ptr ss:[ebp+A741F99] ; Kernel32.dll ???? need to dig

005F4A2B jmp dword ptr ds:[edi+eax*4] Don't understand yet

ZwTerminateProcess terminates our process

So now you all know what i know about this target. Will update with when i find more for this target.

Cheers Lorens!

Edited by ZenLoren

Hi All,

One question to all here: does anybody benefit from this type of posting? If yes let us all know. I need to know who all are working on this target. Frankly, reading 3 pages there was nothing an individual can learn from this new unpackme.

Come on guys, throw in your findings & comments, we are here to learn + share :)

Some more findings. This time how we reach EAX=5DF2F6 & where it loads the bytes of function name.

0068364F lea eax,dword ptr ss:[ebp+A7E707C] ; EAX = GDI32.dll Module Name
00683655 nop
00683656 push eax ; Save on stack
00683657 nop
00683658 call dword ptr ss:[ebp+A7429B5] ; kernel32.LoadLibraryA
0068365E mov dword ptr ss:[ebp+A7E7131],eax ; Save Address on stack
00683664 lea esi,dword ptr ss:[ebp+A7E7086] ; Get Function Name
0068366A push eax ;
0068366B mov dword ptr ss:[esp],esi ; Save on stack
0068366E push dword ptr ss:[ebp+A7E7131] ;
00683674 call dword ptr ss:[ebp+A742C95] ; kernel32.GetProcAddress
0068367A mov dword ptr ss:[ebp+A7E7135],eax ; Save Address of Function
00683680 lea esi,dword ptr ss:[ebp+A7E7097] ; Get another function name
00683686 push eax ; WinLicen.00682447
00683687 mov dword ptr ss:[esp],esi ; WinLicen.00688F6E
0068368A push dword ptr ss:[ebp+A7E7131]
00683690 call dword ptr ss:[ebp+A742C95] ; kernel32.GetProcAddress
00683696 mov dword ptr ss:[ebp+A7E7139],eax ; Save it

So we see some routine for GDI32.dll & their function name getting saved.

Now below it will fetch the Encrypted function

006836EE   mov byte ptr ss:[ebp+A741A25],52  ; Byte 'R' i.e. 0x52
006836F5 push 2CAFAC1B
006836FA add dword ptr ss:[esp],6A99B6D8
00683701 push dword ptr ss:[ebp+A7404B1] ; USER32.77D40000
00683707 lea eax,dword ptr ss:[ebp+A743F18]
0068370D call eax ; EAX = 005DF2F6 SEE above post where we have set our Hardware Break point
0068370F mov dword ptr ss:[ebp+A7E70E1],eax ; Save it
00683715 mov byte ptr ss:[ebp+A741A25],43 ; Prepare for next function, this time with byte 'C'
0068371C call 00683725 ; WinLicen.00683725
006839F7 mov dword ptr ss:[ebp+A7E7121],eax ;
006839FD jmp 006840AC ; Finish with User32.dll & jmp

How did I find the above code? I set a Hardware BreakPoint @ 00659D45; I guess it's some type of return from VM to real code.

Return 2-4 times on this breakpoint & you'll land at 68364F

One more finding @ 66BEC7 it get drivers name ntice.sys, iceext.sys .....

Ok one more thing found

:00661E6B  	cmp     edx, eax  ; Encrypted Compare at another location You need to check 005DF5AF in above posting
:00661E6D jz short loc_661E7E
:00661E6F
:00661E6F loc_661E6F: ; CODE XREF: :00661E21j
:00661E6F pop esi
:00661E70 add esi, 4
:00661E73 inc dword ptr [ebp+0A74198Dh] ;
:00661E79 jmp loc_661DD2 ; Loop
:00661E7E
:00661E7E pop esi ; Function Name

More when i find something new :)

Cheers, Lorens

Edited by ZenLoren
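The name-hash loop shown in the listing at 005DF572..005DF5AE (the same compare appears again at 00661E6B, and the target constant for the 'R'-prefixed USER32 lookup above is built as 2CAFAC1B + 6A99B6D8 = 97496CF3) is worth writing out, because it turns out to be an ordinary reflected CRC-32: the 0x5041 / 0x5449 halves XORed into ax / bx are one 32-bit polynomial, 0x54495041, with init 0xFFFFFFFF and a final NOT. The Python below is an added example by the editor, not code from the thread or from the protector. `hash_bitserial()` follows the registers instruction by instruction, `hash_crc()` is the table-driven form, and `resolve_export()` emulates the first-byte filter plus hash compare over a constructed slice of an export name table. `label_constants()` is the analyst's use of it: feed it the constants pulled from the pushes and a list of candidate API names, and it annotates the ones that match (the export list and the lookups below are constructed; the page's D9DA1CE9 and 8E726969 can be passed in unchanged).

```python
# Added example (editor's code, not from the thread): the API name hash used
# by the import resolver, reimplemented two ways, plus the lookup around it.

POLY = 0x54495041      # 0x5449 (bx half) : 0x5041 (ax half)
MASK16 = 0xFFFF
MASK32 = 0xFFFFFFFF


def hash_bitserial(name: bytes) -> int:
    """Register-level re-implementation of 005DF572..005DF5AE.

    The 32-bit state is dh:dl:ch:cl (low word of ecx = low half, low word of
    edx = high half).  The upper words of ecx/edx stay 0xFFFF until the final
    NOT clears them, which is why the result is just (dx << 16) | cx.
    """
    cx = MASK16          # xor ecx,ecx / dec ecx  -> ecx = FFFFFFFF
    dx = MASK16          # mov edx,ecx
    for byte in name:
        cl, ch = cx & 0xFF, cx >> 8
        dl, dh = dx & 0xFF, dx >> 8
        ax = byte ^ cl   # lods / xor al,cl   (eax was zeroed, so ah = 0)
        bx = 0           # xor ebx,ebx
        # mov cl,ch / mov ch,dl / mov dl,dh / mov dh,8 :
        # state >>= 8, and dh doubles as the 8-round bit counter
        cl, ch, dl, dh = ch, dl, dh, 8
        while dh:
            cf = bx & 1                    # shr bx,1 : CF = old bit 0 of bx
            bx >>= 1
            out = ax & 1                   # rcr ax,1 : CF -> bit 15, old bit 0 -> CF
            ax = (ax >> 1) | (cf << 15)
            if out:                        # jnb skips the XORs when CF == 0
                ax ^= 0x5041
                bx ^= 0x5449
            dh -= 1                        # dec dh / jnz
        cx = ((ch << 8) | cl) ^ ax         # xor ecx,eax
        dx = ((dh << 8) | dl) ^ bx         # xor edx,ebx   (dh is 0 here)
    cx = (~cx) & MASK16                    # not ecx  (upper word FFFF -> 0000)
    dx = (~dx) & MASK16                    # not edx
    return (dx << 16) | cx                 # mov eax,edx / rol eax,10 / mov ax,cx


def _make_table():
    table = []
    for i in range(256):
        c = i
        for _ in range(8):
            c = (c >> 1) ^ POLY if c & 1 else c >> 1
        table.append(c)
    return table


TABLE = _make_table()


def hash_crc(name: bytes) -> int:
    """Same function as a table-driven reflected CRC-32 with poly 0x54495041."""
    crc = MASK32
    for b in name:
        crc = (crc >> 8) ^ TABLE[(crc ^ b) & 0xFF]
    return crc ^ MASK32


def resolve_export(export_names, first_byte: bytes, target: int):
    """Emulate the lookup loop at 005DF531..005DF5C2.

    export_names stands in for the name table walked via esi, first_byte for
    the byte kept at ss:[ebp+A741A25] (b"" once it is cleared to 0), target
    for the constant loaded into edx.  Names whose first byte differs are
    skipped before any hashing, as the cmp al,[edi] / jnz pair does.
    """
    for name in export_names:
        if first_byte and name[:1] != first_byte:
            continue
        if hash_crc(name) == target:
            return name
    return None


def label_constants(constants, candidate_names):
    """Map stored constants back to API names from a candidate list, the way an
    analyst annotates the pushes once the hash function is known."""
    by_hash = {hash_crc(n): n for n in candidate_names}
    return {c: by_hash.get(c) for c in constants}


# Constructed demo data: a slice of an export name table in walk order.
DEMO_EXPORTS = [b"ActivateActCtx", b"LCMapStringA", b"LoadLibraryA",
                b"LoadLibraryW", b"VirtualAlloc"]

if __name__ == "__main__":
    want = hash_crc(b"LoadLibraryA")
    print("hash(LoadLibraryA) = %08X" % want)
    print("resolved:", resolve_export(DEMO_EXPORTS, b"L", want))
    print(label_constants([want, 0xD9DA1CE9, 0x8E726969], DEMO_EXPORTS))
```

Running it against a full kernel32 export list (dumped from your own copy of the DLL) is the way to check the page's D9DA1CE9 claim for LoadLibraryA and to put names on the other constants the VM pushes; the two implementations agreeing on every input is the evidence that the loop really is a CRC and nothing more.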

Very interesting ZenLoren. Definitely useful also if you wish to unpack this one; an understanding of the import routines is important since there's a faulty HWID trigger in there..

Which should not be that hard to find and kill now, once you get past the actual checks.

Try to find the actual decisions before the messagebox and check the VM there to bypass the HWID.


Hi quosego,

First accept my compliments: "You are one of the smart RE learners". If any of your close friends is there beside you, tell him/her to pat you on the back on my behalf. Good work!

Thank you for your comments. I am already searching for the routine & I feel I have to manually trace many, many VM calls going in & coming out.

Finding the check is like a needle in a haystack of VM routines :)

> Try to find the actual decisions before the messagebox and check the VM there to bypass the HWID.

I don't get any messagebox when I trace through Olly; the program just exits. At this current moment I am clueless. Lame request from my side: offset hint pls :) because this is not the end. I have to find the anti-dumping routines so it dumps well for all of us (big task), rebuild the IAT & in the end it should execute properly, and finally share it to the world so that others can handle upcoming versions :)

Cheers Lorens!


zenloren, you don't have to trace the VM very much...you only have to do it in a smart way; also comparing this target with an older one can be a good idea.


> One question to all here does anybody benefit from this type of posting ? If yes let us all know. I need to know who all are working on this target. Frankly reading 3 pages there was nothing an individual can learn from this new unpackme.
> - ZenLoren

> Sorry to say guys but my methods will stay private, oreans has proven its resilience once more.
>
> This time enough to keep this out of the public for a while.
> - quosego

Only ~4 people here can do it and they all share that perspective.

It could also be that release teams watch ARTeam, Woodmann, and Tuts4you and the later versions of TM/WL and EXECryptor are the only ones not being inline patched in the wild. Most 'reversers' who do stuff for release teams do so off other peoples efforts.

Also since this will be my last post here, and likely deleted. I'm 1/3 of the Americans just in this thread alone on these forums, the other two are using flags from another country or those are proxy gateways....it is what it is.

Edited by hiya

> One question to all here does anybody benefit from this type of posting ? If yes let us all know. I need to know who all are working on this target. Frankly reading 3 pages there was nothing an individual can learn from this new unpackme.
> - ZenLoren
>
> Sorry to say guys but my methods will stay private, oreans has proven its resilience once more.
>
> This time enough to keep this out of the public for a while.
> - quosego
>
> Only ~4 people here can do it and they all share that perspective.
>
> It could also be that release teams watch ARTeam, Woodmann, and Tuts4you and the later versions of TM/WL and EXECryptor are the only ones not being inline patched in the wild. Most 'reversers' who do stuff for release teams do so off other peoples efforts.
>
> Also since this will be my last post here, and likely deleted. I'm 1/3 of the Americans just in this thread alone on these forums, the other two are using flags from another country or those are proxy gateways....it is what it is.

Why would your post be deleted?? I see no obscene language or any insults. No crack request or anything else..

Also WL/TM is often inlined by SnD and execryptor often inlined by {res}. If other release teams wish to learn from that no problem.. Those patches hold all the info to circumvent WL licensing.

The is_registered dwords have been documented and some antidumps as well.. Patching the TM/WL crc is a piece of cake as well..

It is beyond me why not many people actually put the pieces together.. Especially 0day, they should have the skill.

I'd be glad to help people on the way, but most simply never get beyond the gimme script to do it wtf omg etc. stage..

As for ZenLorens, I've got no problems helping him. He's one of the few who are actually motivated enough to do it old school, how it should be. Seems there are simply not many of those.

@ZenLorens, everything is decided using the cmp ecx,eax VM handler. :)

To find it search in VM for cmp ecx,eax pushfd.

Edited by quosego

Hi All,

From today our real work for this protection starts. Till now we have just scratched the surface & understood how things work inside: how it extracts API names, where it does the .sys file checks etc etc..

If you were a victim of the program getting closed without showing any MessageBox, the small script below will explain why it does it.

Once you execute the script below it will cry with a MessageBox, overwriting your Clipboard content with some numbers :)

EvOlUtIoN:

> you have only to do it in a smart way, also compare this target with an older one can be a good idea.

Thank you for your kind advice, see below script i am learning smart ways. I will try to use smart ways now!

hiya:

> Only ~4 people here can do it and they all share that perspective.

Great to know that at least 4 people can finish it. Sooner or later it will be more. Initiating process has been made.

> Most 'reversers' who do stuff for release teams do so off other peoples efforts.

Leave them aside, don't waste energy thinking of them who cares?

quosego:

> everything is decided using the cmp ecx,eax VM handler

Thanks for your tuts which you have released. i'll be reading it today. Hope i manage easily this target for your above hints :)

The target has just loaded, now i'll dig cmp ecx, eax & post my findings soon.

Cheers, Lorens

/* Script made by while studying Themida Winlicense Targets ver 2.0.8.0 http://forum.tuts4you.com/index.php?showtopic=20020
   What's the use? Nothing for the time being. If you load this target & don't see the MessageBox pop it will help you understand why it did not.
   While learning I wanted to narrow down the target so that we can focus on more important things. My concern was why it was closing before reaching the MessageBox.
   Finally came to know that it was able to find some of the tools of REs & silently routed me to ExitThread. Shameless advt. by Lorens */

var save_edx  // save EDX in this variable
var save_esi  // save ESI in this variable
var sys_names /* sys_names will hold the address which, when the program runs, points to ntice.sys, iceext.sys */

bphws 661E7E, "x" // set hardware breakpoint on execution @ 661E7E
bphws 6591c1, "x" // set hardware breakpoint on execution @ 6591C1
bphws 5DF5C2, "x" //
bphws 66BECB, "x" // EAX=ntice.sys
esto

L1:
cmp edx, 8E726969
jz 1st_time        // ExitThread
cmp eip, 6591c1    // check if eip=6591C1 because we have to nop it for execution
jz nopit
cmp eip, 66BECB
jz change_sys_names
mov save_edx, edx  // Logging EDX
log save_edx
mov save_esi, esi  // Logging ESI
log save_esi
esto
jmp L1

1st_time:
mov save_edx, edx
log save_edx
mov save_esi, esi
log save_esi
esto
jmp L1

nopit:
mov [eip], #9090#  // nop it: write exactly two NOP bytes (a bare 9090 would be written as a DWORD)
esto               // let the program continue
jmp L1

change_sys_names:
mov sys_names, eax /* EAX points to ntice.sys when you reach here the first time; next time you reach it, it will point to iceext.sys. Keep breaking here & see what all it checks. They have not left anything; it will search for ntice.sys | iceext.sys | Syser.sys | HanOlly.sys | extrem.sys | FRDTSC.SYS | Filem | | REGMON | regsys | sysregm | PROCMON | */
mov sys_names, sys_names      // points to EAX
mov [sys_names], 31313131     // Patch it with 1111
esto                          // Let it continue
jmp L1

END:
ret
Edited by ZenLoren

Hi All,

Just wanted to ask: if we have the number, i.e. the HWID of the machine on which it was protected, & if we FEED the program with the same number, will it accept it? Anybody tried or thought of it?

EvOlUtIoN:

Can you provide me with your machine HWID ?

????-????-????-????-????-????-????-????

Cheers, Lorens


> Just wanted to ask if we have the number i.e. HWID of the machine which on which it was protected & if we FEED the program with same Number will it accept it ? Any body tried or thought of it ?

I'm convinced it can be done, but not easily.. Since I've attempted this from the start in older versions. Never succeeded, you can't just copy over the hardware ID where it is stored. There's a secondary calculation in VM I've never found.

q.


Hi quosego,

Thanks for the clarification. I have dug out a routine where it decrypts & stores the Machine ID & then, for display, copies it to another location for the MessageBox, I guess.

See below for this target.

Load the attached script & Put a Break Point on Line no. 47

Let the script run & you'll be at a Break Point at 6D175E. Yes, I have read your tutorial & was trying to find the routines for {Variable_1} & {Variable_2}. I have not managed to find them yet, but it has benefited me to find some interesting routines.

Set a Break Point on 6B1562 ie. below & Let the program run F9 we land here soon

First time we land here

6B1562 Call EAX ; EAX=6B1110 ; this routine checks which type of license it is, SND.dat files etc etc..

Press F9 a few times so that we reach our break-point again

6B1562 Call EAX ; EAX=6AF63D Now we trace with F7

006AF63D push ebp
006AF63E mov ebp,esp
006AF640 pushad
006AF641 mov ecx,8 ; ECX=8 2 dwords at a time
006AF646 mov edi,dword ptr ss:[ebp+C] ; EDI=6EEDF9 will store here generated Machine ID
006AF649 mov ebx,dword ptr ss:[ebp+8] ; EBX=105A6BFF
006AF64C jmp 006AF65F ; Will take the jump
006AF651 rol ebx,4 ; some maths begins
006AF654 mov eax,ebx ;
006AF656 and al,0F
006AF658 call 006AF66F ;
006AF65D stos byte ptr es:[edi] ; first bytes of Machine ID stored
006AF65E dec ecx
006AF65F or ecx,ecx ; is ECX=0
006AF661 jnz 006AF651 ;
006AF667 mov al,0
006AF669 stos byte ptr es:[edi]
006AF66A popad
006AF66B leave
006AF66C retn 8

We'll break 4 times here & we get the Machine ID, & if we see the content at the start of EDI=6EEDF9 we see our Machine ID stored. Later on the program overwrites the above code & copies the ID & makes a presentable format, I mean ????-????-????-????-????-????-????.

Here if we put the original ID what can be the output will it accept or not ?

I have one more question: if the program goes to this stage, does it know I have not been able to find & patch the {Variable_1} & {Variable_2} that you discuss in your tuts?

OR

This is part of the flow & the Variable_1 and Variable_2 compares will come later?

Awaiting for your valuable input.

EvOlUtIoN:

Thank you for your input at well.

Cheers, Lorens

log2-script.txt

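The routine at 006AF63D in the post above is small enough to emulate exactly, which answers the question of what ends up at EDI: each call does rol ebx,4 / and al,0F / call 006AF66F / stosb eight times, so the most significant nibble of EBX is emitted first and the buffer is simply the uppercase hex spelling of the DWORD, four such calls giving the 32 characters that the dashed form displays. This is an added example written by the editor, not code from the thread or from the protector. The body of 006AF66F is not on the page, so the example assumes it turns the nibble in al into an uppercase ASCII hex digit; it also assumes the four 8-character pieces are joined as eight groups of four (the ????-????-... layout quoted earlier in the thread). The EBX value 105A6BFF is the one the post reports; the other DWORDs are constructed.

```python
# Added example (editor's code, not from the thread): emulation of the
# nibble-to-ASCII loop at 006AF63D..006AF66C and the dashed presentation.

MASK32 = 0xFFFFFFFF


def nibbles_to_ascii(ebx: int) -> str:
    """One call of the routine: returns the 8 characters stored at EDI."""
    out = []
    for _ in range(8):                                   # mov ecx,8 ... dec ecx / jnz
        ebx = ((ebx << 4) | (ebx >> 28)) & MASK32         # rol ebx,4 : top nibble -> bottom
        nibble = ebx & 0xF                                # mov eax,ebx / and al,0F
        out.append("%X" % nibble)                         # call 006AF66F (ASSUMED: hex digit in al)
    return "".join(out)                                  # stos byte ptr es:[edi]; mov al,0 / stos terminates


def format_machine_id(dwords) -> str:
    """Four calls back to back, then the ????-????-... presentation (ASSUMED grouping)."""
    raw = "".join(nibbles_to_ascii(d) for d in dwords)
    return "-".join(raw[i:i + 4] for i in range(0, len(raw), 4))


if __name__ == "__main__":
    print(nibbles_to_ascii(0x105A6BFF))                   # first call from the post
    # the remaining three DWORDs are constructed placeholders
    print(format_machine_id([0x105A6BFF, 0x00000000, 0xDEADBEEF, 0x00000001]))
```

The point for anyone comparing IDs across machines is that no mixing happens in this routine at all; whatever secondary calculation decides acceptance (quosego's "secondary calculation in VM") must run on the four DWORDs before they reach this formatter.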

Just because you're American doesn't mean you can't RE. It helps to get a job involving REing, so you're legally covered :)

FBI: Y U DISASM TEH THEMIDAZ!?!?!?

ME: IT WAS FOR WEH WORKS!!!!111

ach, he deleted his post.

Edited by Loveless

Hi All,

I have read & searched tuts by Deathway and Quosego, extremely good, some good postings as well, but still not able to make or find the checks so that I can go ahead with the unpacking. Got stuck. Anybody ready to throw your knowledge here? :)

What's found? There is an interesting posting in this thread by sfs

See below

006B16DF TO PUSH 0A81731A
006C138A TO PUSH 0A828F79
0071FE83 TO PUSH 0A88A991
0074C2AC ??

I'll try to explain what that means but what it does & how its found is still not understood.

But it's interesting.

---> 006B16DF TO PUSH 0A81731A will not terminate the app..

006B16DF push 0A816B60 <--- here assign the value of 6B16F8
006B16E4 jmp 005F5F39
006B16E9 push 0A8171CC
006B16EE jmp 005F5F39
006B16F3 push 0A81731A <--- assigning this push to 06B16DF
006B16F8 jmp 005F5F39

---> 006C138A TO PUSH 0A828F79

006C138A push 0A826E5D <--- here assign the value of 6C13F8
006C138F jmp 005E3B27
006C13F8 push 0A828F79 <--- assigning this push to 6C138A
006C13FD jmp 005E3B27

---> 0071FE83 TO PUSH 0A88A991

0071FE83 push 0A8857E7 <--- here assign the value of 71FF4B
0071FE88 jmp 005F5F39
0071FF4B push 0A88A991 <--- assigning this push to 71FE83
0071FF50 jmp 005F5F39

So what it does is assigning the Last Value of Push Jump at the known locations.

Now how it is found & how it benefits is still NOT known to me. Also after applying the patches the program does not execute.

00746C70      push 0A8AF726		; Shows MessageBox with your HardwareID
00746C75 jmp 005F5F39
00746C7A push 0A8AF877 : Close the Program
00746C7F jmp 005F5F39

Is this the Is_Register DWORDS @ 5D5BA7 B9 A5 86 85 ?

More once I get ahead of this messagebox.

Cheers, Lorens

Edited by ZenLoren

EvOlUtIoN

> To execute it you need more...not much more indeed.

Could not understand what you saying here.

Is this the Is_Register DWORDS @ 5D5BA7 B9 A5 86 85 ?

Cheers, Lorens


006046E0 3BC8 CMP ECX,EAX

EAX 1AE21EEA

ECX 26A001C9

EDX 005DB537 WinLicen.005DB537

EAX 46C571D2

ECX 46C571D2

EDX 005DE3E3 WinLicen.005DE3E3

Hmm 5D5BA7 doesn't seem to be a is_registered location. ;)


Hi quosego,

Please accept a big Thank You from my side :) You made my day showing all the needed things. You guys rock!

Thank you for your thorough research and clear writing.

Now, I can proceed further.

Cheers, Lorens

Edited by ZenLoren

Now you have the solution in your hands...

To be honest the help was too much...you won't learn much by this way.

Edited by EvOlUtIoN

> To be honest the help was too much...you won't learn much by this way.

Well, at least Loren is trying; the help could also teach one to figure out why, if one were to build upon it.


EvOlUtIoN,

> To be honest the help was too much...

ok agree, but at some point we require pointers to go ahead; that's exactly what quosego has done. Also, as we all know, VMs pose a challenge because they severely dilute the value of existing tools: VM parsing / dispatching code over and over again, we see and return to the same code again & again, a very tedious & slow-moving process.

> you won't learn much by this way.

I am already learning & sharing as well :) Also this is just a surface scratch; there will be more things to come: dump properly, find the VM entry, find the anti-dump, CRCs plus many goodies, and what's this, they are copying the whole file elsewhere in the process address space and executing the code there. I'll go back to work for more, stay tuned.

Thanks once again quosego to help me move forward.

Cheers, Lorens
