estelle Posted January 31, 2010

WinLicense - Professional Software Protection and Licensing Management [Version 2.1.1.0]

Protection Options for Software: wl (Input File: UnPackMe.exe)
----------------------------------

Macros Information
------------------
VM Macros: 0
CodeReplace Macros: 0
ENCRYPT Macros: 0
CLEAR Macros: 0
RegisteredVM Macros: 0
CHECK_PROTECTION Macros: 0
CHECK_CODE_INTEGRITY Macros: 0
CHECK_REGISTRATION Macros: 0
CHECK_VIRTUAL_PC Macros: 0

Protection Options
------------------
Anti-Debugger: Advanced
Anti-Dumpers: ENABLED
Entry Point Obfuscation: ENABLED
Resource Encryption: ENABLED
VMWare compatible: ENABLED
API-Wrapping Level: Level 2
Anti-Patching: None
Metamorph Security: ENABLED
Memory Guard: ENABLED
When Debugger Found: Display Message
Application compression: ENABLED
Resources compression: ENABLED
SecureEngine compression: ENABLED
Anti-File Monitor: ENABLED
Anti-Registry Monitor: ENABLED
Delphi/BCB form protection: ENABLED
Ring-0 Protection: DISABLED

Virtual Machine Settings
------------------------
Number of Virtual APIs wrapped: 0
API Virtualization Level: 3
Entry Point Virtualization: 15 instructions
Multi Branch Technology: DISABLED
Virtual Machine Processor: Mutable CISC processor
Number of CPUs: 1
Opcode Type: Metamorphic - Level 2
Dynamic Opcode: 20% Dynamic

Registration Settings
---------------------
Signature Level: LV2
With Single file: regkey.dat
Only Hardware locked keys: DISABLED
Only Temporary keys: DISABLED
Only runs when registered: DISABLED
Clear Trial when registered: DISABLED

Advanced Protection Options
---------------------------
Encrypt Application: ENABLED
DLL plugin: DISABLED
Export Generators: ENABLED
Keep Trial Running: DISABLED
Hide from PE scanners: Standard
.NET assemblies: ENABLED
Active Context: DISABLED
Custom Event:
Add Manifest: Don't add manifest
Launch Application:

XBundler files
--------------
No files to bundle

Attachments: VBunpackme.rar, wl2110.rar
quosego Posted January 31, 2010 (edited)

Well, running without a license doesn't work anymore using the old method.. Now uses a few secondary checks; (devirtualized below)

0052C57F 81BD 0B2C390A EFA7DD4C  CMP DWORD PTR SS:[EBP+A392C0B],4CDDA7EF  // Check for Is_reg dword one (in the tut fixed by setting eax, and edx 0)
0052C589 0F85 30000000           JNZ 0052C5BF
0052C58F 81BD 9B1E360A 7206676E  CMP DWORD PTR SS:[EBP+A361E9B],6E670672  // check for Is_reg dword two (in the tut fixed by setting eax, and edx 0)
0052C599 0F85 20000000           JNZ 0052C5BF
0052C59F 8B85 3296390A           MOV EAX,DWORD PTR SS:[EBP+A399632]
0052C5A5 25 FF000000             AND EAX,0FF
0052C5AA 83E8 1A                 SUB EAX,1A
0052C5AD 0BC0                    OR EAX,EAX  // check secondary check (not fixed in the tut, isn't emulated in the vm with cmp edx, eax anyways.)
0052C5AF 0F84 05000000           JE 0052C5BA
0052C5B5 E9 7B080000             JMP 0052CE35  // if sec check is not correct jump to destruction. (calls EBX without defining, resulting in ending up in some ****ey mem section and crashing.)
0052C5BA E9 A9080000             JMP 0052CE68  // Correct jump, which has another two checks for correct is_reg dwords

Then a few other checks which are used, resulting in an exit. Doubt it'll be very fancy..

Edited January 31, 2010 by quosego
Teddy Rogers Posted February 13, 2010

The [unpackme] tag has been added to your topic title. Please remember to follow and adhere to the topic title format - thank you! [This is an automated reply]
EvOlUtIoN Posted February 23, 2010

I'm close to getting it with only one hour of study. Already had the program unpacked in memory, but not running for now. Anyway, the fact remains that the program can be unpacked regardless of the license, and this is sure.

OEP looks like this:

00401580 >/$ 55             PUSH EBP
00401581 |. 8BEC            MOV EBP,ESP
00401583 |. 6A FF           PUSH -1
00401585 |. 68 D0234000     PUSH dumped.004023D0
0040158A |. 68 06174000     PUSH dumped.00401706 ; SE handler installation
0040158F |. 64:A1 0000000>  MOV EAX,DWORD PTR FS:[0]
00401595 |. 50              PUSH EAX
00401596 |. 64:8925 00000>  MOV DWORD PTR FS:[0],ESP
0040159D |. 83EC 68         SUB ESP,68
004015A0 |. 53              PUSH EBX
004015A1 |. 56              PUSH ESI
004015A2 |. 57              PUSH EDI
004015A3 |. 8965 E8         MOV [LOCAL.6],ESP
004015A6 |. 33DB            XOR EBX,EBX
004015A8 |. 895D FC         MOV [LOCAL.1],EBX
004015AB |. 6A 02           PUSH 2
004015AD |. 90              NOP
004015AE |. E8 C93D8077     CALL msvcrt.__set_app_type

And... why protect a safengine licensor unpackme with wl? At least change the strings please...
quosego Posted February 23, 2010

Damn Evo, nice work. Spent at least 2 hours at it before deciding I got bored and needed to drink beer. You didn't have any of the troubles which deathway talked about? He found something encrypted with TEA which was needed for proper decryption. Well, seems not.
EvOlUtIoN Posted February 23, 2010

No friend quosego, I didn't find anything except for the fact that there is one wrong pointer which does not allow the program to run without a crash. I solved the problem by patching the pointer and bypassing one vm handler, and after it the program unpacks into memory... but before fixing all of the IT it closes, and I still don't know the reason. Anyway, I found no OEP protection inside this target, and also the iat is not fully protected since it can be rebuilt in a few minutes with the help of the uif tool. I think that this is protected with the demo wl version. Of course it is possible I missed something; I don't have much time to do it because of a large amount of car travel for work... maybe I will check it better at the weekend.
LCF-AT Posted March 23, 2010

Hi,

I can bypass the checks too.

0059F197 DEC EBX
0059F198 JE 0059F289 ; 1. MJ

But it seems that I get the same trouble as Evo, so I also have some places where there are no API calls [red marked on the pic and some more].

00401645 CALL 004016EA
----
004016EA NOP
004016EB JMP 77C079DB ; MSVCRT._initterm
---
77C079DB _initterm  PUSH ESI ; wl2110_d.00403008
77C079DC MOV ESI,DWORD PTR SS:[ESP+8] ; wl2110_d.00403000
77C079E0 JMP SHORT 77C079ED ; 77C079ED
77C079E2 MOV EAX,DWORD PTR DS:[ESI] ; wl2110_d.00401070
77C079E4 TEST EAX,EAX ; wl2110_d.00401070
77C079E6 JE SHORT 77C079EA ; 77C079EA
77C079E8 CALL EAX ; wl2110_d.00401070
77C079EA ADD ESI,4
77C079ED CMP ESI,DWORD PTR SS:[ESP+C] ; wl2110_d.0040300C
77C079F1 JB SHORT 77C079E2 ; 77C079E2
77C079F3 POP ESI ; GDI32.77C42D7E
77C079F4 RETN

After the 2. break on call EAX it steps into the address 00401070 which is trash code...

00401070 CMP BYTE PTR DS:[EDX+79],BL
00401073 POPAD
00401074 TEST EDI,EBX
00401076 ADC AL,0A1
00401078 INC EBP ; Superfluous prefix
0040107A RETN 294A

Hmm... maybe this target again needs some special system dll versions or something.

greetz
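The _initterm loop traced in this post is the CRT walking a table of initializer pointers between the two addresses it is given; the C model below (added here, not code from the thread, from MSVCRT or from WinLicense) mirrors that loop and adds the range check a dump fixer would run over the table before letting it execute. The table contents, the initializer functions and the .text bounds are constructed sample values.

```c
/* Added model of the MSVCRT _initterm loop traced above, plus a
 * pre-flight check over the initializer table. Not thread or CRT
 * code; all addresses and table contents are constructed samples. */
#include <stddef.h>
#include <stdint.h>

typedef void (*initfn_t)(void);

/* Mirror of _initterm(begin, end): call each non-NULL slot in
 * [begin, end) in order. Returns the number of slots called. */
static int run_initterm(initfn_t *begin, initfn_t *end)
{
    int called = 0;
    for (initfn_t *p = begin; p < end; ++p) { /* CMP ESI,[ESP+C] / JB */
        if (*p != NULL) {                     /* TEST EAX,EAX / JE    */
            (*p)();                           /* CALL EAX             */
            ++called;
        }
    }
    return called;
}

/* Every non-NULL slot must point into the dumped module's .text range.
 * Returns the index of the first offending slot, or -1 if none.
 * A slot can pass this and still point at bytes the protector never
 * restored (the 00401070 case above): necessary, not sufficient. */
static long find_bad_initializer(const uint32_t *slots, size_t count,
                                 uint32_t text_lo, uint32_t text_hi)
{
    for (size_t i = 0; i < count; ++i) {
        uint32_t va = slots[i];
        if (va != 0 && (va < text_lo || va >= text_hi))
            return (long)i;
    }
    return -1;
}

/* Two stand-in initializers and a driver showing the skip of a NULL slot. */
static int g_hits;
static void init_a(void) { g_hits += 1; }
static void init_b(void) { g_hits += 10; }

static int demo_run(void)
{
    initfn_t table[] = { init_a, NULL, init_b };
    g_hits = 0;
    run_initterm(table, table + 3);
    return g_hits;                      /* 11: both live slots ran once */
}

/* Constructed table shaped like the thread's 00403000..0040300C range;
 * the last slot points into a system DLL, outside .text. */
static long demo_check(void)
{
    uint32_t slots[] = { 0x00401070, 0x00000000, 0x77C42D7E };
    return find_bad_initializer(slots, 3, 0x00401000, 0x00402000);
}
```

The range check catches slots that were never rewritten to point back into the dump; a slot that points into .text but at unrestored bytes, as in the post, still needs a manual look at the target.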
quosego Posted March 23, 2010

Perhaps the encrypted part is the part deathway talked about. As for the missing API's, that was the result if you did not fix the dll Imagebase section pointer in the WL data.
estelle Posted March 23, 2010 Author

> Hi, I can bypass the checks too.
>
> 0059F197 DEC EBX
> 0059F198 JE 0059F289 ; 1. MJ
>
> But it seems that I get the same trouble as Evo, so I also have some places where there are no API calls [red marked on the pic and some more].
>
> 00401645 CALL 004016EA
> ----
> 004016EA NOP
> 004016EB JMP 77C079DB ; MSVCRT._initterm
> ---
> 77C079DB _initterm  PUSH ESI ; wl2110_d.00403008
> 77C079DC MOV ESI,DWORD PTR SS:[ESP+8] ; wl2110_d.00403000
> 77C079E0 JMP SHORT 77C079ED ; 77C079ED
> 77C079E2 MOV EAX,DWORD PTR DS:[ESI] ; wl2110_d.00401070
> 77C079E4 TEST EAX,EAX ; wl2110_d.00401070
> 77C079E6 JE SHORT 77C079EA ; 77C079EA
> 77C079E8 CALL EAX ; wl2110_d.00401070
> 77C079EA ADD ESI,4
> 77C079ED CMP ESI,DWORD PTR SS:[ESP+C] ; wl2110_d.0040300C
> 77C079F1 JB SHORT 77C079E2 ; 77C079E2
> 77C079F3 POP ESI ; GDI32.77C42D7E
> 77C079F4 RETN
>
> After the 2. break on call EAX it steps into the address 00401070 which is trash code...
>
> 00401070 CMP BYTE PTR DS:[EDX+79],BL
> 00401073 POPAD
> 00401074 TEST EDI,EBX
> 00401076 ADC AL,0A1
> 00401078 INC EBP ; Superfluous prefix
> 0040107A RETN 294A
>
> Hmm... maybe this target again needs some special system dll versions or something.
>
> greetz

00401683 |. 50             PUSH EAX                     ; /pStartupinfo
00401684 |. FF15 04204000  CALL DWORD PTR DS:[402004]  ; \GetStartupInfoA
0040168A |. F645 D0 01     TEST BYTE PTR SS:[EBP-30],1
0040168E |. 74 11          JE SHORT 004016A1            ; UnPackMe.004016A1
00401690 |. 0FB745 D4      MOVZX EAX,WORD PTR SS:[EBP-2C]
00401694 |. EB 0E          JMP SHORT 004016A4           ; UnPackMe.004016A4
00401696 |> 803E 20        /CMP BYTE PTR DS:[ESI],20
00401699 |.^ 76 D8         |JBE SHORT 00401673          ; UnPackMe.00401673
0040169B |. 46             |INC ESI
0040169C |. 8975 8C        |MOV DWORD PTR SS:[EBP-74],ESI
0040169F |.^ EB F5         \JMP SHORT 00401696          ; UnPackMe.00401696
004016A1 |> 6A 0A          PUSH 0A
004016A3 |. 58             POP EAX
004016A4 |> 50             PUSH EAX
004016A5 |. 56             PUSH ESI
004016A6 |. 53             PUSH EBX
004016A7 |. 53             PUSH EBX                     ; /pModule
004016A8 |. FF15 00204000  CALL DWORD PTR DS:[402000]  ; \GetModuleHandleA
004016AE |. 50             PUSH EAX
estelle Posted March 23, 2010 Author (edited)

There are questions in need of help to see a tut
My link  password t93a72e376

I have an idea patchhwid, do not know if the correct;
My link  password t9fe596ba

Edited March 23, 2010 by estelle
LCF-AT Posted March 23, 2010

This I fixed too before.

02620000 73D30000 MFC42.73D30000
02620004 77BE0000 MSVCRT.77BE0000
02620008 77E40000 kernel32.77E40000
0262000C 77D10000 USER32.77D10000
02620010 00000000

00407D7E 02620004
-------------------------
00407D7E 02620000

[The resolved IAT dump from 00402000 to 004021C4 (kernel32, mfc42 ordinals, MSVCRT and USER32 entries) followed here.]

@ estelle
Do you still have the same project file where you have packed your target? If yes..... can you create a new file, maybe you take this time Notepad or calc.exe, just to see whether we get the same problem too or not, you know. Thank you.

So the User & Kernel calls / jumps will not be written in the codesection, just into the IAT table.

greetz
estelle Posted March 24, 2010 Author

@LCF-AT Thanks for the reply, I will test next whether there are such problems.
EvOlUtIoN Posted March 27, 2010

Yes, there is that problem of not writing all API calls into the code section. But I can assure that it is not a feature of wl 2.1.1.0; I found targets like this also in previous versions, like for example 2.0.5.0, I don't know exactly why... but it can simply be fixed since the only api calls missed are in the starting procedure. Maybe there are also other api calls in a more complex program, but I never tested something like this. I'll write something more when I get enough free time. Anyway, it is very interesting how to bypass the new wl, but I thought that it was more difficult.
estelle Posted March 29, 2010 Author

> Yes, there is that problem of not writing all API calls into the code section. But I can assure that it is not a feature of wl 2.1.1.0; I found targets like this also in previous versions, like for example 2.0.5.0, I don't know exactly why... but it can simply be fixed since the only api calls missed are in the starting procedure. Maybe there are also other api calls in a more complex program, but I never tested something like this. I'll write something more when I get enough free time. Anyway, it is very interesting how to bypass the new wl, but I thought that it was more difficult.

Waiting for the bypass of the new wl, EvOlUtIon
LCF-AT Posted March 29, 2010

Hi,

so can someone check my short patch script below, also just with the wl2110.exe. Create also a new file called regkey.dat and enter something. Now load the target in Olly, let this script run and then let the target run. For me it starts so.

// Just a test script for wl2110.exe!
// Create a regkey.dat file and enter something!
bphwc
bc
bphws 00565A8E,"x"
esto
bphwc
var AA
var BB
mov AA, [00407D7E]
sub AA, 04
mov [00407D7E], AA // DLL ImageBase fix
bp 0041FADC // cmp ecx,eax checker
esto
mov [0046F8FF],6377A141 // Reg DWORD
mov [0049096A],1F34CC39 // Reg2 DWORD
mov [00459628],2D1AC4CA // DWORD check first round
mov [00467154],FB52B365 // VMed API RD Codewriter
mov [004A5148],9DA2B36F // 401070
mov [004A514C],04865630 // 401070
mov [0046AEBC],86810361 // 401070
mov [0045ADB4],762B8D8B // No Zw crash
mov [004080FB],6BAFD781 // 401070 +
mov [00407FA3],9F98C09A // 401070 +
bc
pause
esto
pause

Note: It's just a test! So I am not sure whether the script also works for you or not, you know.

greetz
quosego Posted March 30, 2010

Damn LCF-AT, I find it very interesting to see how good you've become actually.. I can remember a time WL was not as easy.. Nice work.. If only I had more time.. Ah well, as proven before, Oreans is dead for now.

regards, q.
ahmadmansoor Posted March 30, 2010 Posted March 30, 2010 @ quosego : did u remember when I told u ,that u need a false lic key to make it work ... LCF-AT do the same job of my Loader but for certain target . I think my loader still work ,but I need to fix some line inside it . anyway I am busy in try my new tool ( Hasp ). just one thing the new Winlic what it check to detect the debugger . i have pass it by new StrongOD .... but by the old one . when I run olly ( old option ) it detect the debugger directly . so any Idea ?! thanks
quosego Posted March 30, 2010 (edited)

Yes I know ahmad, I thought up that method the first time when I cracked it, only then it was simpler. My original tutorial already required a fake license and fixing of the dll imagebase location. If your method is similar to LCF_AT's method perhaps your loader still works fine, since they only went after my method as described in my tutorial. Never checked how you did it using your loader, but it'll most likely be somewhat similar to my original work. However never had Themida detect my debugger.. I use a rather exotic and custom version though. Possibly it detects the old driver from strongod, just like extrem.sys in phantom.

Edited March 30, 2010 by quosego
ahmadmansoor Posted April 1, 2010 Posted April 1, 2010 (edited) yes ,yes as u say . it check the driver ,but u can pass it by patch 1 byte of code .it is very simple . and no need for custom version of olly ..OllyIce is enough I think Oreans have to rethink more in this . it is shameful form Oreans Edited April 1, 2010 by ahmadmansoor
ahmadmansoor Posted April 2, 2010

anyway just for fun not else ... this is my unpacked file for this file . hurry up LCF-AT ,where is ur unpacked file ?? . I have a question LCF-AT ...I will PM u Later

wl2110 unpacked by Ahmadmansoor-exetools.rar
Syntax Posted April 29, 2010 Posted April 29, 2010 How can i bypass "debugger detected" from latest winlicense ?
Gladiator Posted April 30, 2010

> How can i bypass "debugger detected" from latest winlicense ?

You can use OllyDbg - Armadillo Edition with the StrongOD Plugin.
Admin2 Posted January 13, 2011 (edited)

> Hi, so can someone check my short patch script below, also just with the wl2110.exe. Create also a new file called regkey.dat and enter something. Now load the target in Olly, let this script run and then let the target run. For me it starts so.
>
> // Just a test script for wl2110.exe!
> // Create a regkey.dat file and enter something!
> bphwc
> bc
> bphws 00565A8E,"x"
> esto
> bphwc
> var AA
> var BB
> mov AA, [00407D7E]
> sub AA, 04
> mov [00407D7E], AA // DLL ImageBase fix
> bp 0041FADC // cmp ecx,eax checker
> esto
> mov [0046F8FF],6377A141 // Reg DWORD
> mov [0049096A],1F34CC39 // Reg2 DWORD
> mov [00459628],2D1AC4CA // DWORD check first round
> mov [00467154],FB52B365 // VMed API RD Codewriter
> mov [004A5148],9DA2B36F // 401070
> mov [004A514C],04865630 // 401070
> mov [0046AEBC],86810361 // 401070
> mov [0045ADB4],762B8D8B // No Zw crash
> mov [004080FB],6BAFD781 // 401070 +
> mov [00407FA3],9F98C09A // 401070 +
> bc
> pause
> esto
> pause
>
> Note: It's just a test! So I am not sure whether the script also works for you or not, you know.
>
> greetz

WORKED nice ))) this my used nice ollydebug unpack to c:\ will then: C:\Tools\Olly\SABRE-GOLD and run OLLYDBG.EXE and in phantom plugins me set this: usually run OLLYDBG.EXE, but is some time run SABRE-G.exe

Alexey moderator, have you small space on host-server ?????? then OK luck

Edited January 13, 2011 by Admin2
Deleted OllyDbg attachment... seriously was there any need? :)