Tuts 4 You

[unpackme] WinLicense v2.1.1.0 Unpackme


estelle


WinLicense - Professional Software Protection and Licensing Management [Version 2.1.1.0]

Protection Options for Software: wl (Input File: UnPackMe.exe)

----------------------------------

Macros Information

------------------

VM Macros: 0

CodeReplace Macros: 0

ENCRYPT Macros: 0

CLEAR Macros: 0

RegisteredVM Macros: 0

CHECK_PROTECTION Macros: 0

CHECK_CODE_INTEGRITY Macros: 0

CHECK_REGISTRATION Macros: 0

CHECK_VIRTUAL_PC Macros: 0

Protection Options

------------------

Anti-Debugger: Advanced

Anti-Dumpers: ENABLED

Entry Point Obfuscation: ENABLED

Resource Encryption: ENABLED

VMWare compatible: ENABLED

API-Wrapping Level: Level 2

Anti-Patching: None

Metamorph Security: ENABLED

Memory Guard: ENABLED

When Debugger Found: Display Message

Application compression: ENABLED

Resources compression: ENABLED

SecureEngine compression: ENABLED

Anti-File Monitor: ENABLED

Anti-Registry Monitor: ENABLED

Delphi/BCB form protection: ENABLED

Ring-0 Protection: DISABLED

Virtual Machine Settings

------------------------

Number of Virtual APIs wrapped: 0

API Virtualization Level: 3

Entry Point Virtualization: 15 instructions

Multi Branch Technology: DISABLED

Virtual Machine Processor: Mutable CISC processor

Number of CPUs: 1

Opcode Type: Metamorphic - Level 2

Dynamic Opcode: 20% Dynamic

Registration Settings

---------------------

Signature Level: LV2

With Single file: regkey.dat

Only Hardware locked keys: DISABLED

Only Temporary keys: DISABLED

Only runs when registered: DISABLED

Clear Trial when registered: DISABLED

Advanced Protection Options

---------------------------

Encrypt Application: ENABLED

DLL plugin: DISABLED

Export Generators: ENABLED

Keep Trial Running: DISABLED

Hide from PE scanners: Standard

.NET assemblies: ENABLED

Active Context: DISABLED

Custom Event:

Add Manifest: Don't add manifest

Launch Application:

XBundler files

--------------

No files to bundle

VBunpackme.rar

wl2110.rar


Well, running without a license doesn't work anymore using the old method..

It now uses a few secondary checks:

(devirtualized below)

0052C57F  81BD 0B2C390A EFA7DD4C  CMP DWORD PTR SS:[EBP+A392C0B],4CDDA7EF  // check for Is_reg dword one (in the tut fixed by setting eax and edx to 0)
0052C589  0F85 30000000           JNZ 0052C5BF
0052C58F  81BD 9B1E360A 7206676E  CMP DWORD PTR SS:[EBP+A361E9B],6E670672  // check for Is_reg dword two (in the tut fixed by setting eax and edx to 0)
0052C599  0F85 20000000           JNZ 0052C5BF
0052C59F  8B85 3296390A           MOV EAX,DWORD PTR SS:[EBP+A399632]
0052C5A5  25 FF000000             AND EAX,0FF
0052C5AA  83E8 1A                 SUB EAX,1A
0052C5AD  0BC0                    OR EAX,EAX          // secondary check (not fixed in the tut; isn't emulated in the VM with cmp edx,eax anyway)
0052C5AF  0F84 05000000           JE 0052C5BA
0052C5B5  E9 7B080000             JMP 0052CE35        // if the secondary check is not correct, jump to destruction (calls EBX without defining it, ending up in some ****ey mem section and crashing)
0052C5BA  E9 A9080000             JMP 0052CE68        // correct jump, followed by another two checks for correct is_reg dwords

Then a few other checks are used, resulting in an exit. Doubt it'll be very fancy..

Edited by quosego
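As an added example (not code from quosego's post and not part of WinLicense), the Python script below locates the two check shapes from the devirtualized listing above by byte pattern and decodes their operands, so the same checks can be found again in another dump of the target or after the VM code moves. The sample bytes are constructed from the opcode bytes OllyDbg printed for 0052C57F..0052C5BF; the function names, and the choice to call the JNZ destination the "fail" path and the JE destination the "pass" path, are this example's own. The EBP value the displacements are relative to is not stated in the listing, so required_values() takes it as a parameter.

```python
import re
import struct

# Constructed sample: the instruction bytes OllyDbg printed for
# 0052C57F..0052C5BF in the listing above, concatenated in order.
SAMPLE_BASE_VA = 0x0052C57F
SAMPLE_BYTES = bytes.fromhex(
    "81BD0B2C390AEFA7DD4C"  # CMP DWORD PTR SS:[EBP+A392C0B],4CDDA7EF
    "0F8530000000"          # JNZ 0052C5BF
    "81BD9B1E360A7206676E"  # CMP DWORD PTR SS:[EBP+A361E9B],6E670672
    "0F8520000000"          # JNZ 0052C5BF
    "8B853296390A"          # MOV EAX,DWORD PTR SS:[EBP+A399632]
    "25FF000000"            # AND EAX,0FF
    "83E81A"                # SUB EAX,1A
    "0BC0"                  # OR EAX,EAX
    "0F8405000000"          # JE 0052C5BA
    "E97B080000"            # JMP 0052CE35  (destruction path)
    "E9A9080000"            # JMP 0052CE68  (correct path)
)

# CMP DWORD PTR [EBP+disp32],imm32 immediately followed by JNZ rel32.
CMP_JNZ_RE = re.compile(rb"\x81\xBD(.{4})(.{4})\x0F\x85(.{4})", re.DOTALL)
# MOV EAX,[EBP+disp32]; AND EAX,0FF; SUB EAX,imm8; OR EAX,EAX; JE rel32.
LOWBYTE_JE_RE = re.compile(
    rb"\x8B\x85(.{4})\x25\xFF\x00\x00\x00\x83\xE8(.)\x0B\xC0\x0F\x84(.{4})",
    re.DOTALL)


def _u32(b):
    return struct.unpack("<I", b)[0]


def _s32(b):
    return struct.unpack("<i", b)[0]


def find_dword_checks(code, base_va):
    """Return every 'CMP [EBP+disp],imm / JNZ' pair with decoded operands.

    fail_target is where execution goes when the stored dword differs from
    the constant (JNZ taken), i.e. the not-registered path.
    """
    found = []
    for m in CMP_JNZ_RE.finditer(code):
        jnz_next = base_va + m.end()  # rel32 is relative to the next insn
        found.append({
            "va": base_va + m.start(),
            "disp": _u32(m.group(1)),
            "expected": _u32(m.group(2)),
            "fail_target": jnz_next + _s32(m.group(3)),
        })
    return found


def find_lowbyte_checks(code, base_va):
    """Return every '(dword & 0xFF) - imm8 == 0 ? JE' check.

    pass_target is the JE destination (low byte equals imm8); fail_target is
    decoded from a JMP rel32 that directly follows the JE, when present.
    """
    found = []
    for m in LOWBYTE_JE_RE.finditer(code):
        je_next = base_va + m.end()
        entry = {
            "va": base_va + m.start(),
            "disp": _u32(m.group(1)),
            "expected_low_byte": m.group(2)[0],
            "pass_target": je_next + _s32(m.group(3)),
            "fail_target": None,
        }
        off = m.end()
        if off + 5 <= len(code) and code[off] == 0xE9:
            entry["fail_target"] = je_next + 5 + _s32(code[off + 1:off + 5])
        found.append(entry)
    return found


def required_values(dword_checks, lowbyte_checks, ebp):
    """Map absolute address -> (kind, value) memory must hold to pass.

    ebp is an assumption: the listing does not say which base the
    devirtualized code uses, so the caller supplies it.
    """
    need = {}
    for c in dword_checks:
        need[(ebp + c["disp"]) & 0xFFFFFFFF] = ("dword", c["expected"])
    for c in lowbyte_checks:
        need[(ebp + c["disp"]) & 0xFFFFFFFF] = ("low byte", c["expected_low_byte"])
    return need


if __name__ == "__main__":
    dw = find_dword_checks(SAMPLE_BYTES, SAMPLE_BASE_VA)
    lb = find_lowbyte_checks(SAMPLE_BYTES, SAMPLE_BASE_VA)
    for c in dw:
        print("%08X: [EBP+%08X] must be %08X, else -> %08X"
              % (c["va"], c["disp"], c["expected"], c["fail_target"]))
    for c in lb:
        print("%08X: low byte of [EBP+%08X] must be %02X, pass -> %08X, fail -> %08X"
              % (c["va"], c["disp"], c["expected_low_byte"],
                 c["pass_target"], c["fail_target"] or 0))
```

Run it on a raw dump of the region (for example the bytes of the devirtualized section read out of the process) with that region's start VA as base_va; every hit gives the displacement and constant pair, which is exactly what has to be present in memory when the checks run.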
  • 2 weeks later...

The [unpackme] tag has been added to your topic title.

Please remember to follow and adhere to the topic title format - thankyou!

[This is an automated reply]

  • 2 weeks later...

I'm close to getting it with only one hour of study. I already had the program unpacked in memory, but it's not running for now.

Anyway, the fact remains that the program can be unpacked regardless of the license, and this is certain.

OEP looks like this:

00401580 >/$ 55              PUSH EBP
00401581 |. 8BEC             MOV EBP,ESP
00401583 |. 6A FF            PUSH -1
00401585 |. 68 D0234000      PUSH dumped.004023D0
0040158A |. 68 06174000      PUSH dumped.00401706 ; SE handler installation
0040158F |. 64:A1 00000000   MOV EAX,DWORD PTR FS:[0]
00401595 |. 50               PUSH EAX
00401596 |. 64:8925 00000000 MOV DWORD PTR FS:[0],ESP
0040159D |. 83EC 68          SUB ESP,68
004015A0 |. 53               PUSH EBX
004015A1 |. 56               PUSH ESI
004015A2 |. 57               PUSH EDI
004015A3 |. 8965 E8          MOV [LOCAL.6],ESP
004015A6 |. 33DB             XOR EBX,EBX
004015A8 |. 895D FC          MOV [LOCAL.1],EBX
004015AB |. 6A 02            PUSH 2
004015AD |. 90               NOP
004015AE |. E8 C93D8077      CALL msvcrt.__set_app_type

And... why protect a Safengine Licensor unpackme with WL? At least change the strings, please...


Damn Evo, nice work. I spent at least 2 hours at it before deciding I was bored and needed to drink beer.

You didn't have any of the troubles which deathway talked about? He found something encrypted with TEA which was needed for proper decryption.

Well seems not. :)


No friend quosego, I didn't find anything except for the fact that there is one wrong pointer which does not allow the program to run without crashing. I solved the problem by patching the pointer and bypassing one VM handler, and after that the program unpacks into memory... but before fixing all of the IAT it closes, and I still don't know the reason.

Anyway I found no OEP protection inside this target, and also the IAT is not fully protected since it can be rebuilt in a few minutes with the help of the UIF tool. I think that this is protected with the demo WL version.

Of course it's possible I missed something; I don't have much time to do it because of a large amount of car travel for work... maybe I will check it better at the weekend.

  • 4 weeks later...

Hi,

I can bypass the checks too. :)

307q59u.png

0059F197  DEC EBX
0059F198  JE 0059F289 ; 1. MJ

But it seems that I get the same trouble as Evo, so I also have some places where there are no API calls [red marked on the pic and some more].

00401645  CALL 004016EA
----
004016EA  NOP
004016EB  JMP 77C079DB ; MSVCRT._initterm
---
77C079DB  _initterm PUSH ESI ; wl2110_d.00403008
77C079DC  MOV ESI,DWORD PTR SS:[ESP+8] ; wl2110_d.00403000
77C079E0  JMP SHORT 77C079ED ; 77C079ED
77C079E2  MOV EAX,DWORD PTR DS:[ESI] ; wl2110_d.00401070
77C079E4  TEST EAX,EAX ; wl2110_d.00401070
77C079E6  JE SHORT 77C079EA ; 77C079EA
77C079E8  CALL EAX ; wl2110_d.00401070
77C079EA  ADD ESI,4
77C079ED  CMP ESI,DWORD PTR SS:[ESP+C] ; wl2110_d.0040300C
77C079F1  JB SHORT 77C079E2 ; 77C079E2
77C079F3  POP ESI ; GDI32.77C42D7E
77C079F4  RETN

After the 2nd break on CALL EAX it steps into the address 00401070, which is trash code...

00401070  CMP BYTE PTR DS:[EDX+79],BL
00401073  POPAD
00401074  TEST EDI,EBX
00401076  ADC AL,0A1
00401078  INC EBP ; Superfluous prefix
0040107A  RETN 294A

Hmm... maybe this target again needs some special system DLL versions or something.

greetz


Perhaps the encrypted part is the part deathway talked about. As for missing APIs, that was the result if you did not fix the DLL ImageBase section pointer in the WL data.


00401683 |. 50             PUSH EAX ; /pStartupinfo
00401684 |. FF15 04204000  CALL DWORD PTR DS:[402004] ; \GetStartupInfoA
0040168A |. F645 D0 01     TEST BYTE PTR SS:[EBP-30],1
0040168E |. 74 11          JE SHORT 004016A1 ; UnPackMe.004016A1
00401690 |. 0FB745 D4      MOVZX EAX,WORD PTR SS:[EBP-2C]
00401694 |. EB 0E          JMP SHORT 004016A4 ; UnPackMe.004016A4
00401696 |> 803E 20        /CMP BYTE PTR DS:[ESI],20
00401699 |.^ 76 D8         |JBE SHORT 00401673 ; UnPackMe.00401673
0040169B |. 46             |INC ESI
0040169C |. 8975 8C        |MOV DWORD PTR SS:[EBP-74],ESI
0040169F |.^ EB F5         \JMP SHORT 00401696 ; UnPackMe.00401696
004016A1 |> 6A 0A          PUSH 0A
004016A3 |. 58             POP EAX
004016A4 |> 50             PUSH EAX
004016A5 |. 56             PUSH ESI
004016A6 |. 53             PUSH EBX
004016A7 |. 53             PUSH EBX ; /pModule
004016A8 |. FF15 00204000  CALL DWORD PTR DS:[402000] ; \GetModuleHandleA
004016AE |. 50             PUSH EAX


There are questions in need of help; see the tut.

My link password t93a72e376

I have an idea, patch the HWID; I do not know if it is correct:

My link password t9fe596ba

Edited by estelle

I fixed this too before.

02620000 73D30000 MFC42.73D30000
02620004 77BE0000 MSVCRT.77BE0000
02620008 77E40000 kernel32.77E40000
0262000C 77D10000 USER32.77D10000
02620010 00000000

00407D7E 02620004
-------------------------
00407D7E 02620000
00402000  77E59F93  kernel32.GetModuleHandleA
00402004 77E4177A kernel32.GetStartupInfoA
00402008 00000000
0040200C >73D9A217 mfc42.#4486
00402010 >73D351E8 mfc42.#2554
00402014 >73D39C2B mfc42.#2512
00402018 >73D414F8 mfc42.#5731
0040201C >73D3B5A5 mfc42.#3922
00402020 >73D40CCA mfc42.#1089
00402024 >73D406C6 mfc42.#5199
00402028 >73D40245 mfc42.#2396
0040202C >73D313B3 mfc42.#3346
00402030 >73D348DE mfc42.#5300
00402034 >73D8EBC3 mfc42.#5302
00402038 >73D4747F mfc42.#2725
0040203C >73D311D4 mfc42.#4079
00402040 >73D32583 mfc42.#4698
00402044 >73D31194 mfc42.#5307
00402048 >73D313D0 mfc42.#5289
0040204C >73D39144 mfc42.#5714
00402050 >73D37129 mfc42.#2982
00402054 >73D37129 mfc42.#2982
00402058 >73D37129 mfc42.#2982
0040205C >73D31A47 mfc42.#4077
00402060 >73D8E633 mfc42.#3136
00402064 >73D46A75 mfc42.#3262
00402068 >73D8E66B mfc42.#2985
0040206C >73D8E62D mfc42.#3081
00402070 >73D8E671 mfc42.#2976
00402074 >73D8E610 mfc42.#3830
00402078 >73D317E0 mfc42.#3831
0040207C >73D317E0 mfc42.#3831
00402080 >73D37129 mfc42.#2982
00402084 >73D43F13 mfc42.#4080
00402088 >73D8E639 mfc42.#4622
0040208C >73D3223C mfc42.#4424
00402090 >73DA87C6 mfc42.#3738
00402094 >73D3AFAF mfc42.#561
00402098 >73D33876 mfc42.#825
0040209C >73D475A1 mfc42.#815
004020A0 >73D38D34 mfc42.#641
004020A4 >73D46AB1 mfc42.#2514
004020A8 >73D8EB8C mfc42.#6375
004020AC >73D50999 mfc42.#1134
004020B0 >73D34444 mfc42.#5241
004020B4 >73D8D8DA mfc42.#4376
004020B8 >73D4691A mfc42.#4853
004020BC >73D3466E mfc42.#6168
004020C0 >73D8D6C7 mfc42.#6052
004020C4 >73D317E0 mfc42.#3831
004020C8 >73D39789 mfc42.#1775
004020CC >73D3271D mfc42.#4407
004020D0 >73D34444 mfc42.#5241
004020D4 >73D320CE mfc42.#2385
004020D8 >73D31D0C mfc42.#5163
004020DC >73D31CC8 mfc42.#6374
004020E0 >73D8E06A mfc42.#4353
004020E4 >73D468A4 mfc42.#5280
004020E8 >73D34440 mfc42.#3798
004020EC >73D33290 mfc42.#4837
004020F0 >73D3291C mfc42.#4441
004020F4 >73D46956 mfc42.#2648
004020F8 >73D46913 mfc42.#2055
004020FC >73D8C587 mfc42.#6376
00402100 >73D37129 mfc42.#2982
00402104 >73D8C2AE mfc42.#5065
00402108 >73D3DFA8 mfc42.#1727
0040210C >73D3DDE8 mfc42.#5261
00402110 >73D35BF6 mfc42.#2446
00402114 >73D3C61A mfc42.#2124
00402118 >73D34444 mfc42.#5241
0040211C >73D44481 mfc42.#4627
00402120 >73D38FAA mfc42.#4425
00402124 >73D3967C mfc42.#3597
00402128 >73D39CF3 mfc42.#1146
0040212C >73D31083 mfc42.#1168
00402130 >73D38F3F mfc42.#324
00402134 >73DCFAE8 OFFSET mfc42.#4234
00402138 >73D395B4 mfc42.#4710
0040213C >73D318DD mfc42.#4865
00402140 >73D38C74 mfc42.#755
00402144 >73D38B93 mfc42.#470
00402148 >73DD7FD8 OFFSET mfc42.#4274
0040214C >73D3B5E5 mfc42.#2621
00402150 >73D9A49D mfc42.#4673
00402154 >73D3B4AC mfc42.#1576
00402158 00000000
0040215C >77C01269 MSVCRT._XcptFilter
00402160 >77C07ADC ASCII "Sj"
00402164 >77C2C7A8 OFFSET MSVCRT._acmdln
00402168 >77BEE909 MSVCRT.__getmainargs
0040216C >77C079DB MSVCRT._initterm
00402170 >77C18F60 MSVCRT.__setusermatherr
00402174 >77C2D388 OFFSET MSVCRT._adjust_fdiv
00402178 >77BEEB4A MSVCRT.__p__commode
0040217C >77BEEB68 MSVCRT.__p__fmode
00402180 >77C03632 MSVCRT.__set_app_type
00402184 >77C03EB0 MSVCRT._except_handler3
00402188 >77C1A658 MSVCRT._controlfp
0040218C >77C030F6 MSVCRT._onexit
00402190 >77C03140 MSVCRT.__dllonexit
00402194 >77BF1AD8 MSVCRT.__CxxFrameHandler
00402198 >77BFEFFD MSVCRT._setmbcp
0040219C >77C07AEE MSVCRT._exit
004021A0 00000000
004021A4 77D2E700 USER32.DrawIcon
004021A8 77D15F23 USER32.GetClientRect
004021AC 77D177C0 USER32.GetSystemMetrics
004021B0 77D18106 USER32.IsIconic
004021B4 77D1816D USER32.EnableWindow
004021B8 77D1A102 USER32.LoadIconA
004021BC 77D1702F USER32.SendMessageA
004021C0 00000000
004021C4 00000000

@ estelle

Do you still have the same project file with which you packed your target? If yes... can you create a new file? Maybe this time take Notepad or calc.exe, just to see whether we get the same problem too or not, you know. Thank you.

So the User & Kernel calls / jumps are not written into the code section, just into the IAT table.

greetz

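As an added example (not LCF-AT's code and not a WinLicense tool), the Python script below does two things with the data quoted in the post above. It parses OllyDbg IAT dump lines like the ones listed, splits the table at the null separator slots and checks that every group resolves to a single DLL, reporting the slots Olly could not name (the ASCII "Sj" entry) for manual review before an import rebuild. It also models the DLL ImageBase table at 02620000 and shows what an index lookup returns through the wrong pointer value 02620004 versus the corrected 02620000 shown at 00407D7E above. The attribution rule (a pointer belongs to the module with the highest base at or below it) is this example's assumption, because the dump gives no module sizes; the sample dump is a constructed excerpt of the listing, and all function names are the example's own.

```python
import re

# Constructed from the DLL ImageBase table quoted above (02620000..02620010).
IMAGEBASE_TABLE_VA = 0x02620000
IMAGEBASE_TABLE_MEM = {
    0x02620000: ("MFC42", 0x73D30000),
    0x02620004: ("MSVCRT", 0x77BE0000),
    0x02620008: ("kernel32", 0x77E40000),
    0x0262000C: ("USER32", 0x77D10000),
    0x02620010: (None, 0x00000000),   # terminator slot
}
MODULE_BASES = [(n, b) for n, b in IMAGEBASE_TABLE_MEM.values() if n]

# Constructed excerpt of the IAT dump above; groups are separated by
# null slots exactly as in the full listing.
SAMPLE_DUMP = """\
00402000  77E59F93  kernel32.GetModuleHandleA
00402004 77E4177A kernel32.GetStartupInfoA
00402008 00000000
0040200C >73D9A217 mfc42.#4486
00402134 >73DCFAE8 OFFSET mfc42.#4234
00402158 00000000
0040215C >77C01269 MSVCRT._XcptFilter
00402160 >77C07ADC ASCII "Sj"
00402164 >77C2C7A8 OFFSET MSVCRT._acmdln
004021A0 00000000
004021A4 77D2E700 USER32.DrawIcon
004021B8 77D1A102 USER32.LoadIconA
004021C0 00000000
"""

LINE_RE = re.compile(r"^\s*([0-9A-Fa-f]{8})\s+>?([0-9A-Fa-f]{8})\s*(.*?)\s*$")


def parse_dump(text):
    """Turn OllyDbg 'address value [module.symbol]' lines into slot dicts."""
    slots = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        label = m.group(3)
        if label.startswith("OFFSET "):
            label = label[len("OFFSET "):]
        module = symbol = None
        if "." in label and not label.startswith("ASCII"):
            module, symbol = label.split(".", 1)
        slots.append({"va": int(m.group(1), 16), "value": int(m.group(2), 16),
                      "module": module, "symbol": symbol})
    return slots


def module_for(ptr, bases=MODULE_BASES):
    """Assumed attribution: the module with the highest base at or below ptr."""
    best = None
    for name, base in bases:
        if base <= ptr and (best is None or base > best[1]):
            best = (name, base)
    return best[0] if best else None


def check_groups(slots, bases=MODULE_BASES):
    """Split at null slots and verify each group resolves to one module."""
    groups, cur = [], []
    for s in slots:
        if s["value"] == 0:
            if cur:
                groups.append(cur)
                cur = []
        else:
            cur.append(s)
    if cur:
        groups.append(cur)
    report = []
    for g in groups:
        by_addr = [module_for(s["value"], bases) for s in g]
        # Olly's own module name disagrees with where the pointer lands.
        mismatched = [s["va"] for s, mod in zip(g, by_addr)
                      if s["module"] and mod and s["module"].lower() != mod.lower()]
        # Slots Olly could not name (e.g. ASCII "Sj") need a manual look.
        unresolved = [s["va"] for s in g if s["symbol"] is None]
        modules = sorted({mod or "?" for mod in by_addr})
        report.append({"start": g[0]["va"], "count": len(g), "modules": modules,
                       "unresolved": unresolved, "mismatched": mismatched,
                       "ok": len(modules) == 1 and "?" not in modules and not mismatched})
    return report


def table_pointer_shift(pointer, table_va=IMAGEBASE_TABLE_VA):
    """Entries by which the WL data pointer misses the table start (0 = correct)."""
    delta = pointer - table_va
    return delta // 4 if delta >= 0 and delta % 4 == 0 else None


def imagebase_at(pointer, index, mem=IMAGEBASE_TABLE_MEM):
    """Base the protector would read for DLL #index through the given pointer."""
    return mem.get(pointer + 4 * index, (None, None))[1]


if __name__ == "__main__":
    for g in check_groups(parse_dump(SAMPLE_DUMP)):
        print("%08X: %d slots -> %s, unresolved %s, mismatched %s" % (
            g["start"], g["count"], ",".join(g["modules"]),
            ["%08X" % v for v in g["unresolved"]], ["%08X" % v for v in g["mismatched"]]))
    print("pointer 02620004 is off by %s entry" % table_pointer_shift(0x02620004))
    print("DLL #0 base via 02620004: %08X, via 02620000: %08X"
          % (imagebase_at(0x02620004, 0), imagebase_at(0x02620000, 0)))
```

With the pointer one entry too high, DLL #0 resolves to MSVCRT's base instead of MFC42's and the last index reads the zero terminator, which is the kind of wrong ImageBase that leaves API slots unfilled; subtracting 4 from the pointer restores the mapping.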

Yes, there is that problem of not writing all API calls into the code section.

But I can assure you that it is not a feature of WL 2.1.1.0; I found targets like this also in previous versions, for example 2.0.5.0. I don't know exactly why... but it can simply be fixed, since the only API calls missed are in the starting procedure. Maybe there are also other API calls in a more complex program, but I never tested something like this. I'll write something more when I get enough free time.

Anyway, it is very interesting how to bypass the new WL, but I thought that it would be more difficult.


Waiting for the bypass of the new WL, EvOlUtIon.


Hi,

so can someone check my short patch script below, also just with the wl2110.exe? Also create a new file called regkey.dat and enter something. Now load the target in Olly, run this script, and then let the target run. For me it starts that way.

// Just a test script for wl2110.exe!
// Create a regkey.dat file and enter something!
bphwc
bc
bphws 00565A8E,"x"
esto
bphwc
var AA
var BB
mov AA, [00407D7E]
sub AA, 04
mov [00407D7E], AA // DLL ImageBase fix
bp 0041FADC // cmp ecx,eax checker
esto
mov [0046F8FF],6377A141 // Reg DWORD
mov [0049096A],1F34CC39 // Reg2 DWORD
mov [00459628],2D1AC4CA // DWORD check first round
mov [00467154],FB52B365 // VMed API RD Codewriter
mov [004A5148],9DA2B36F // 401070
mov [004A514C],04865630 // 401070
mov [0046AEBC],86810361 // 401070
mov [0045ADB4],762B8D8B // No Zw crash
mov [004080FB],6BAFD781 // 401070 +
mov [00407FA3],9F98C09A // 401070 +
bc
pause
esto
pause

Note: It's just a test! So I am not sure whether the script also works for you or not, you know.

greetz


Damn LCF-AT,

I find it very interesting to see how good you've become actually.. ;) I can remember a time when WL was not as easy..

Nice work.. If only I had more time..

Ah well as proven before, Oreans is dead for now.

regards,

q.

ahmadmansoor

@ quosego: do you remember when I told you that you need a false lic key to make it work ;) ... LCF-AT does the same job as my loader, but for a certain target.

I think my loader still works, but I need to fix some lines inside it :( .

anyway I am busy trying my new tool (Hasp).

just one thing: what does the new WinLic check to detect the debugger?

I have passed it with the new StrongOD.... but not with the old one.

when I run Olly (old option) it detects the debugger directly.

so any idea?!

thanks


Yes I know, ahmad; I thought up that method the first time I cracked it, only then it was simpler. ;)

My original tutorial already required a fake license and fixing the DLL ImageBase location.

If your method is similar to LCF-AT's method, perhaps your loader still works fine, since they only went after my method as described in my tutorial. I never checked how you did it using your loader, but it'll most likely be somewhat similar to my original work.

However, I never had Themida detect my debugger.. I use a rather exotic and custom version though.

Possibly it detects the old driver from StrongOD, just like extrem.sys in PhantOm.

Edited by quosego
ahmadmansoor

yes, yes, as you say :kick: .

it checks the driver, but you can pass it by patching 1 byte of code. It is very simple :P .

and no need for a custom version of Olly :yes: .. OllyIce is enough :sweat:

I think Oreans has to rethink this more :^ .

it is shameful from Oreans :no:

Edited by ahmadmansoor
  • 4 weeks later...
  • 8 months later...

WORKED nice :))))

this is the nice OllyDbg I use

unpack to c:\

it will then be: C:\Tools\Olly\SABRE-GOLD

and run OLLYDBG.EXE, and in the PhantOm plugin I set this:


usually run OLLYDBG.EXE, but sometimes run SABRE-G.exe

Alexey

moderator, do you have a small space on the host server??????

then OK

luck

Edited by Admin2
Deleted OllyDbg attachment... seriously was there any need? :)
