quosego, May 31, 2009 (edited May 31, 2009 by quosego):

Now the final proof Oreans is still defeated; and some stuff to study. Pay attention to:

```
005DC577 7C80A0A7
```
r00t_H@ck3r, June 1, 2009 (edited June 1, 2009 by Lithium):

@quosego well done :3 No idea where LCF-AT is; I think he/she is another person who can null this. Oh, BTW, you use mIRC o.o but I can't find you.
What, June 1, 2009:

> Quite nice, there's a secondary check which makes sure the antidumps are never written, thus crashing the app.

Thanks for the info. It looked like it was checking the header before it would crash on me.

> Too lazy to research it any further since I never had HWID bypassing experience in the first place.

Kind of in the same boat here; this was actually my first attempt on any target with a Hardware Id.
Apakekdah, June 3, 2009:

This unpackme is very hard. For me, it only shows the splash window and then the app terminates.
sfs, June 3, 2009:

> This unpackme is very hard. For me, it only shows the splash window and then the app terminates.

If it helps, these patches will keep the app from terminating:

```
006B16DF  -> PUSH 0A81731A
006C138A  -> PUSH 0A828F79
0071FE83  -> PUSH 0A88A991
```
Apakekdah, June 4, 2009 (edited June 5, 2009 by Apakekdah):

> If it helps, these patches will keep the app from terminating:
>
> 006B16DF -> PUSH 0A81731A
> 006C138A -> PUSH 0A828F79
> 0071FE83 -> PUSH 0A88A991

Thanks anyway for the hint. The app closes before it reaches those 3 addresses.
delldell, July 3, 2009:

Well, it's so ****ing depressing; look, just 1 person made it. Well, what can I say, good luck next time.
quosego, July 3, 2009 (edited July 3, 2009 by quosego):

Don't worry, there are other people that can do it. Rest assured that it only takes one person to teach the rest of the world. Unpacking WinLicense has been fully automated, and there's not much left of the SDK. And trust me, next time it'll be perfectly doable as well.

q.
EvOlUtIoN (thread author), July 5, 2009:

Ehm... for example, I can unpack something like it manually. Yes, maybe for me the operation takes much more time than for quosego, but I can do it, and I'm sure there are at least a hundred people able to unpack it.
delldell, July 7, 2009:

Well, this unpackme is so hard that people only look and get scared. Take a look: more than 2000 views and just 1 solution. Well, what can I say; I just wish good luck to all the people that got stuck on this unpackme, congratulate quosego, and thank EvOlUtIoN for the unpackme.
xtor, July 8, 2009:

I got another program protected by WL 2.0.8 + hardware lock. I found the registered_dword is compared in the VM:

```
0080FCE7   ^\FFE0           jmp eax                                    ; vm in
0080FCE9   10EC             adc ah, ch                                 ; //rubbish code
0080FCEB   57               push edi
0080FCEC   7E 33            jle short 0080FD21
0080FCEE   5A               pop edx
0080FCEF   4D               dec ebp
0080FCF0   4A               dec edx
0080FCF1   699B D7039347 F> imul ebx, dword ptr [ebx+0x479303D7], 0xA8BA09F1
0080FCFB   CF               iretd
0080FCFC   0A3B             or bh, byte ptr [ebx]
0080FCFE   1C 93            sbb al, 0x93
0080FD00   2D 1F152043      sub eax, 0x4320151F
0080FD05   FB               sti
0080FD06   CD D1            int 0xD1
0080FD08   70 18            jo short 0080FD22
0080FD0A   52               push edx
0080FD0B   07               pop es
0080FD0C   19BE 3F687F09    sbb dword ptr [esi+0x97F683F], edi
0080FD12   BA B0136BDF      mov edx, 0xDF6B13B0
0080FD17   FC               cld
0080FD18   21AA 309F283A    and dword ptr [edx+0x3A289F30], ebp
0080FD1E   CD DF            int 0xDF
0080FD20   039E 39F024CF    add ebx, dword ptr [esi-0x30DB0FC7]
0080FD26   9C               pushfd
0080FD27   A8 28            test al, 0x28                              ; //rubbish code
0080FD29   8D8D BB9D6B0A    lea ecx, dword ptr [ebp+0xA6B9DBB]         ; //vm out
0080FD2F   6A 00            push 0x0
0080FD31   57               push edi
0080FD32   E8 03000000      call 0080FD3A                              ; //decode code
```

It's an anti so that you can't step:

```
0080FDBC   FF95 5529420A    call dword ptr [ebp+0xA422955]             ; (ntdll.ZwSetEvent)
0080FDC2   81F7 2950ED6D    xor edi, 0x6DED5029
0080FDC8   6A 00            push 0x0
0080FDCA   FF95 6103420A    call dword ptr [ebp+0xA420361]
0080FDD0   8BC0             mov eax, eax
0080FDD2   ^ EB F4          jmp short 0080FDC8                         ; if you step, you can't pass.
```

I had no idea how to find the register_dword. VM + obfuscation + anti, that is too, too hard!!!!!!!
quosego, July 8, 2009 (edited July 8, 2009 by quosego):

When at ntdll.ZwSetEvent, bp the jump beneath it (0080FDD2) and press F9; it'll give the decryption thread long enough to overwrite EB F4 and proceed with execution.
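The loop quosego describes, as an added example that is not code from the page or from WinLicense: one thread parks in a `jmp short` back over itself while a second thread, released by an event, rewrites the jump bytes. Everything here is constructed for illustration. The semaphore stands in for the ZwSetEvent call, the helper thread for the decryption thread, and the stub is a two-byte `jmp $` rather than the page's `EB F4` (jmp short -0xC over a push/call), which keeps the spin to one instruction without changing the idea. The non-x86 branch is an assumption added only to keep the file portable; it polls a data word instead of executing the bytes.

```c
/* anti_step_spin.c (added example, Linux). Build: gcc -O2 -pthread anti_step_spin.c
 * Main thread enters a spin loop in RWX memory; a helper thread, released by a
 * semaphore (standing in for ZwSetEvent), overwrites the jump with NOPs.
 * Single-stepping the main thread alone gives the helper no time to run, so
 * the loop never ends; letting the process run (F9) does. */
#define _GNU_SOURCE
#include <pthread.h>
#include <semaphore.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Constructed x86/x86-64 stub (no args, returns int in eax):
 *   EB FE            jmp short $      ; spin until another thread rewrites it
 *   B8 01 00 00 00   mov eax, 1       ; reached only after the patch lands
 *   C3               ret                                                     */
static const uint8_t STUB[] = {0xEB, 0xFE, 0xB8, 0x01, 0x00, 0x00, 0x00, 0xC3};
#define SPIN_BYTES    0xFEEBu  /* "EB FE" as a little-endian 16-bit value   */
#define PATCHED_BYTES 0x9090u  /* two NOPs replace the jmp                   */

struct patcher_args {
    sem_t *event;      /* signalled by the thread that owns the loop        */
    uint16_t *target;  /* the two jump bytes to overwrite                    */
    unsigned delay_us; /* how long the "decryption" takes before it patches  */
};

/* Helper thread: wait for the event, do its work, then patch the jump with one
 * aligned 16-bit store so the spinner never fetches a half-written instruction. */
static void *patcher(void *p) {
    struct patcher_args *a = p;
    sem_wait(a->event);
    usleep(a->delay_us);
    __atomic_store_n(a->target, (uint16_t)PATCHED_BYTES, __ATOMIC_SEQ_CST);
    return NULL;
}

/* Returns 1 when the spin loop was released by the patcher thread,
 * -1 if the RWX mapping or the helper thread could not be created. */
int run_spin_demo(unsigned patch_delay_us) {
    int rc = -1;
    uint16_t *target;
    long page = sysconf(_SC_PAGESIZE);
    uint8_t *code = NULL;
#if defined(__x86_64__) || defined(__i386__)
    code = mmap(NULL, (size_t)page, PROT_READ | PROT_WRITE | PROT_EXEC,
                MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (code == MAP_FAILED) return -1;
    memcpy(code, STUB, sizeof STUB);
    target = (uint16_t *)code;   /* page-aligned, so the 16-bit store is atomic */
#else
    /* Assumed fallback for other CPUs: same dataflow over a plain data word. */
    uint16_t cell = SPIN_BYTES;
    target = &cell;
#endif

    sem_t event;
    sem_init(&event, 0, 0);
    struct patcher_args args = { &event, target, patch_delay_us };
    pthread_t t;
    if (pthread_create(&t, NULL, patcher, &args) == 0) {
        sem_post(&event);        /* the ZwSetEvent call on the page */
#if defined(__x86_64__) || defined(__i386__)
        int (*spin)(void) = (int (*)(void))(void *)code;
        rc = spin();             /* a step-only debugger never gets past here */
#else
        while (__atomic_load_n(target, __ATOMIC_SEQ_CST) != PATCHED_BYTES) { }
        rc = 1;
#endif
        pthread_join(t, NULL);
    }
    sem_destroy(&event);
    if (code) munmap(code, (size_t)page);
    return rc;
}

int main(void) {
    int rc = run_spin_demo(2000);
    printf("spin loop released by the patcher thread: %s\n", rc == 1 ? "yes" : "no");
    return rc == 1 ? 0 : 1;
}
```

Run it normally and it returns at once. To see the anti-step behaviour under gdb, `set scheduler-locking step` and `stepi` into the stub: only the stepped thread runs, the helper never stores its NOPs, and every step lands on the same `jmp`; `continue` (the F9 of the post) lets the helper run and the call returns 1. The same reasoning explains why a hardware breakpoint on the jump plus a run is the right move on the real target, while a breakpoint on the patched bytes would fire only after the decryption thread has already written them.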
r00t_H@ck3r, July 8, 2009:

Unpacking stuff manually shows two things: you understand reversing very well, and your asm is superb. Partly, I am counting the days until VM decrypting is out, and I doubt it is impossible; I believe a lot of people have done it and proven that VM to x86 is possible, defeating one of the world's strongest packers. The only thing is when it is encrypted, and that is the code where you need to reverse... that is what makes people crazy about the VM, because it makes no sense and it stops you from achieving...
xtor, July 9, 2009:

> When at ntdll.ZwSetEvent, bp the jump beneath it (0080FDD2) and press F9; it'll give the decryption thread long enough to overwrite EB F4 and proceed with execution.

I GOT IT, BUT HOW TO FIND THE REGISTER DWORD IN THE VM? DO YOU HAVE SOME IDEAS, QUOSEGO?
digitalmaphia, July 9, 2009:

Are the HWID locks able to be faked using a cracked copy of WinLicense? In other words, can you use the same version of WinLicense to create a new key for someone else's protected files?

DM
EvOlUtIoN (thread author), July 10, 2009:

No, of course not, if you don't have the unique license key generated for that program...
digitalmaphia, July 10, 2009:

> No, of course not, if you don't have the unique license key generated for that program...

How is it generated on the other end? Is it done off a software hash or something? I noticed you can do a little customizing to the key too. Why would anyone seriously use this? It slows down the automation of delivery of your software.

DM
thisistest, July 22, 2009:

Hi. This is text WinLicense 2.0.9.0.

Attachment: WL 2090 Notes.rar
tomatoes, July 27, 2009 (edited July 27, 2009 by tomatoes):

```
005DB537  C9 01 A0 26
```

Is_Register dword, but when I patch it, the app crashes. How to fix?
tomatoes, July 28, 2009:

> Of course you did something wrong...

Yes, of course; I will try again. And it would be great if you or anyone could give me some ideas about that. Thanks!
EvOlUtIoN (thread author), August 5, 2009:

I can only say that it is not that different from the older version.
tomatoes, August 6, 2009 (edited August 6, 2009 by tomatoes):

> I can only say that it is not that different from the older version.

Yes, I understand it, and succeeded. Thanks!