Tuts 4 You

[unpackme]WinLIcense 2.0.8.0 + Hardaware lock



Posted

Perhaps, but if someone can make use of my above notes, he's already passed the stage where he gets spoon-fed. So let's hope Lorens will learn from it and not use it blindly. :)

@Lorens, No problemo..


Posted (edited)

What are the 28656 bytes getting decrypted here, quosego?

005DEEE5 FE0F     DEC BYTE PTR DS:[EDI]
005DEEE7 47       INC EDI
005DEEE8 49       DEC ECX
005DEEE9 ^ 75 FA  JNZ SHORT WinLicen.005DEEE5

Edited by crypto
Posted

Hi All,

I am digging into rebuilding the IAT and would like to ask where it stores the API addresses from Kernel32 and User32, and which offset is patched?

Kernel32:

(1) InterlockedExchange (2) InterlockedCompareExchange (3) GetStartupInfoA (4) TerminateProcess
(5) GetCurrentProcess (6) UnhandledExceptionFilter (7) SetUnhandledExceptionFilter (8) IsDebuggerPresent
(9) QueryPerformanceCounter (10) GetTickCount (11) GetCurrentThreadId (12) GetCurrentProcessId
(13) GetSystemTimeAsFileTime (14) Sleep (15) GetACP (16) GetLocaleInfoA
(17) GetThreadLocale (18) GetVersionExA

User32:

(1) EnableWindow (2) SendMessageA (3) IsIconic (4) DrawIcon
(5) GetClientRect (6) LoadIconA (7) GetSystemMetrics

I have dug out the things below and will provide only the direct offsets and the relevant parts. Posting my full notes would create a big post.

Let's see how it does it. ESI = FirstThunk

EDI = 90 90 90 90 90 90 90 90 90 90 90 90
(1) 00800FE0 mov edi,dword ptr ss:[esp]   ; Load the offset in EDI
(2) 008011D9 stos byte ptr es:[edi]       ; Store 90 (nop)
(3) 00801203 stos byte ptr es:[edi]       ; Store E9 at EDI, the opcode of JMP
(4) 00801359 stos dword ptr es:[edi]      ; Forming a relative jump to the real import

After this EDI = 90 E9 ?? ?? ?? ?? ; ?? is the relative jump address. Is this a WL trick, or has __declspec(dllimport) not been used when compiling the executable? This is also known as a "jump thunk table".

So far so good. We know the offset and the relative jumps taking place. We recover all of MFC80.dll.

Some functions from MSVCR80.dll can be found; 4 or 5 are still missing.

See in the dump window ESI and how it gets cleared. I have noted 3 of them with the direct offset given. There are a few more to find.

(1) 00801385 xor dword ptr ds:[esi-4],eax
(2) 00800D15 mov dword ptr ds:[ecx],0
(3) 007FDBD1 mov dword ptr ds:[esi-4],ebx

If it is any API from Kernel32 or User32, we land at this offset:

007FE736 lea ebx,dword ptr ss:[ebp+A96616F] ; EAX=InterlockedExchange

I dug into many routines and got completely lost inside the code. Does anybody have any hints or a tutorial to refer to?

Cheers, Lorens

Posted (edited)

90 E9 relative is a WL trick making sure it won't run on other computers after dumping (the relative stuff will be different). It must be restored to the original configuration FF25 [dword].

Kernel/advapi/user APIs are usually written by a CISC VM using a similar method as the original; however, they will be redirected to a memory buffer where part of the API will be run obfuscated there and part in the actual DLL.

So they won't go directly to the API in question. Again, these must also be restored to FF25 [dword].

To find out where they get written, just mem bp the text section when arriving at the IAT writing. Any access to the text section will be an API written to the IAT or a direct jmp in code.

There are some scripts that fix WL IATs and also a few tuts. With a few mods they all should be valid.

Edited by quosego
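Lorens's trace above shows WL writing 90 E9 rel32 in place of the 6-byte FF 25 disp32 (jmp dword ptr [IAT slot]) thunk, and quosego's reply says those thunks have to be turned back into FF 25 [dword] before a dump will run elsewhere. The script below, added here as an example and not code from this thread or from any existing WL-fixing script, does that rewrite over a flat dump of a code section: it finds every 90 E9 rel32 candidate, resolves the relative target, and, where the target is in a caller-supplied map of resolved address to IAT slot, rewrites the 6 bytes in place as FF 25 <slot>. Unknown targets (direct jmps in code, or the WL memory buffer quosego describes for kernel32/user32/advapi32 redirections, whose real API the analyst still has to establish by tracing) are reported but left untouched. All addresses, the section base and the API-to-slot map are constructed sample values, not taken from the target.

```python
"""
Restore WinLicense-style "90 E9 rel32" jump thunks to "FF 25 disp32"
(jmp dword ptr [IAT slot]) in a dumped 32-bit code section.

Example code added for this thread; not from the thread or any unpacking
script. Assumes: a bytearray holding the .text section, its virtual
address, and a map {resolved target VA: IAT slot VA} built by the analyst.
Every address below is a constructed sample value.
"""
import struct

NOP_JMP_REL = b"\x90\xE9"   # nop ; jmp rel32       (WL's rewrite, 6 bytes)
JMP_IND = b"\xFF\x25"       # jmp dword ptr [disp32] (original form, 6 bytes)
THUNK_LEN = 6               # same size, which is why WL pads with the 90 nop


def jmp_rel_target(thunk_va, rel32):
    """Target of the E9 at thunk_va+1: VA of the next instruction plus signed rel32."""
    return (thunk_va + THUNK_LEN + rel32) & 0xFFFFFFFF


def find_thunks(text, text_va):
    """Return [(thunk_va, target_va)] for every 90 E9 rel32 pattern in the section."""
    found = []
    for i in range(0, len(text) - THUNK_LEN + 1):
        if text[i:i + 2] == NOP_JMP_REL:
            rel32 = struct.unpack_from("<i", text, i + 2)[0]   # signed displacement
            found.append((text_va + i, jmp_rel_target(text_va + i, rel32)))
    return found


def restore_iat_thunks(text, text_va, target_to_slot):
    """
    Rewrite each thunk whose target is a known import as FF 25 [slot], in place.
    Returns (patched, unresolved): patched = [(thunk_va, target, slot)],
    unresolved = [(thunk_va, target)] left as-is for the analyst to trace.
    """
    patched, unresolved = [], []
    for thunk_va, target in find_thunks(text, text_va):
        slot = target_to_slot.get(target)
        if slot is None:
            unresolved.append((thunk_va, target))   # direct jmp or WL buffer, not an import
            continue
        off = thunk_va - text_va
        text[off:off + 2] = JMP_IND
        struct.pack_into("<I", text, off + 2, slot)  # absolute address of the IAT slot
        patched.append((thunk_va, target, slot))
    return patched, unresolved


# ---- constructed sample data -------------------------------------------------
TEXT_VA = 0x00401000
# resolved API address -> IAT slot that originally held it (constructed values)
API_TO_SLOT = {
    0x7C80A000: 0x0040D000,   # stands in for a kernel32 export
    0x7E3A1000: 0x0040D004,   # stands in for a user32 export
}


def make_wl_thunk(thunk_va, target):
    """Build the 90 E9 rel32 form WL writes, so the sample can be round-tripped."""
    rel32 = (target - (thunk_va + THUNK_LEN)) & 0xFFFFFFFF
    return NOP_JMP_REL + struct.pack("<I", rel32)


def build_sample_text():
    """A 0x40-byte section with two import thunks and one internal relative jump."""
    buf = bytearray(b"\xCC" * 0x40)
    buf[0x10:0x16] = make_wl_thunk(TEXT_VA + 0x10, 0x7C80A000)
    buf[0x20:0x26] = make_wl_thunk(TEXT_VA + 0x20, 0x7E3A1000)
    buf[0x30:0x36] = make_wl_thunk(TEXT_VA + 0x30, TEXT_VA + 0x08)  # jmp inside .text
    return buf


if __name__ == "__main__":
    section = build_sample_text()
    done, todo = restore_iat_thunks(section, TEXT_VA, API_TO_SLOT)
    for va, target, slot in done:
        print(f"{va:08X}: FF25 [{slot:08X}]  (was jmp rel32 -> {target:08X})")
    for va, target in todo:
        print(f"{va:08X}: left alone, target {target:08X} is not a known import")
```

The rewrite is byte-size neutral, so nothing else in the section moves; the only inputs the analyst has to produce are the section bytes and the target-to-slot map. For the kernel32/user32/advapi32 entries that WL routes through its own buffer, the key in that map is the buffer address the thunk actually jumps to, paired with the slot whose real API was identified while tracing, exactly the "mem bp on the text section" step quosego describes.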
Posted (edited)

Can I ask why this unpack does not work for me :sweat:.

I am trying to make some tests :wacko:.

But this unpacked file doesn't want to work on my PC :kick:

@EvOlUtIoN: pls, can u make another one :confused:.. I need to complete my test :(

Thanks


Edited by ahmadmansoor
Posted

006599FC /0F85 0D000000     jnz WinLicen.00659A0F
00659A02 |83BD 2923740A 0>  cmp dword ptr ss:[ebp+A742329],0
00659A09 |0F84 7F000000     je WinLicen.00659A8E
00659A0F \FFB5 D6E27B0A     push dword ptr ss:[ebp+A7BE2D6]
00659A15 FFB5 D2E27B0A      push dword ptr ss:[ebp+A7BE2D2]
00659A1B FFB5 CEE27B0A      push dword ptr ss:[ebp+A7BE2CE]
00659A21 FFB5 CAE27B0A      push dword ptr ss:[ebp+A7BE2CA]
00659A27 FFB5 C6E27B0A      push dword ptr ss:[ebp+A7BE2C6]
00659A2D FFB5 C2E27B0A      push dword ptr ss:[ebp+A7BE2C2]
00659A33 FFB5 B6E27B0A      push dword ptr ss:[ebp+A7BE2B6]
00659A39 FFB5 B2E27B0A      push dword ptr ss:[ebp+A7BE2B2]
00659A3F FFB5 BEE27B0A      push dword ptr ss:[ebp+A7BE2BE]
00659A45 FFB5 BAE27B0A      push dword ptr ss:[ebp+A7BE2BA]
00659A4B FFB5 AEE27B0A      push dword ptr ss:[ebp+A7BE2AE]
00659A51 FFB5 AAE27B0A      push dword ptr ss:[ebp+A7BE2AA]
00659A57 8D85 F0E27B0A      lea eax,dword ptr ss:[ebp+A7BE2F0]
00659A5D 50                 push eax
00659A5E 8D85 B11A740A      lea eax,dword ptr ss:[ebp+A741AB1]
00659A64 50                 push eax
00659A65 FF95 1535740A      call dword ptr ss:[ebp+A743515]
00659A6B 83C4 38            add esp,38
00659A6E 6A 40              push 40
00659A70 8D85 DAE27B0A      lea eax,dword ptr ss:[ebp+A7BE2DA]
00659A76 50                 push eax ; WinLicen.006596B8
00659A77 8D85 B11A740A      lea eax,dword ptr ss:[ebp+A741AB1]
00659A7D 50                 push eax
00659A7E 6A 00              push 0
00659A80 FF95 6523740A      call dword ptr ss:[ebp+A742365]
00659A86 6A 01              push 1
00659A88 FF95 DD0E740A      call dword ptr ss:[ebp+A740EDD]

---------------------------
Exception Information
---------------------------
Please, contact the software developers with the following codes. Thank you.
(press CTRL+C on this window to copy to clipboard)
Version = 2.08
CheckIN = 0
CheckOUT = 0
ProcIN = 0
ProcOUT = 0
ExitIN = 0
ExitOUT = 0
TPin = 0
HWIn = 0
IntV = e462778e, f7780b88, ebac0647, e0677588
---------------------------
