[unpackme] WinLicense v 2 1 1 0 Unpackme

[estelle]

WinLicense - Professional Software Protection and Licensing Management [Version 2.1.1.0]

Protection Options for Software: wl (Input File: UnPackMe.exe)

----------------------------------

Macros Information

------------------

VM Macros: 0

CodeReplace Macros: 0

ENCRYPT Macros: 0

CLEAR Macros: 0

RegisteredVM Macros: 0

CHECK_PROTECTION Macros: 0

CHECK_CODE_INTEGRITY Macros: 0

CHECK_REGISTRATION Macros: 0

CHECK_VIRTUAL_PC Macros: 0

Protection Options

------------------

Anti-Debugger: Advanced

Anti-Dumpers: ENABLED

Entry Point Obfuscation: ENABLED

Resource Encryption: ENABLED

VMWare compatible: ENABLED

API-Wrapping Level: Level 2

Anti-Patching: None

Metamorph Security: ENABLED

Memory Guard: ENABLED

When Debugger Found: Display Message

Application compression: ENABLED

Resources compression: ENABLED

SecureEngine compression: ENABLED

Anti-File Monitor: ENABLED

Anti-Registry Monitor: ENABLED

Delphi/BCB form protection: ENABLED

Ring-0 Protection: DISABLED

Virtual Machine Settings

------------------------

Number of Virtual APIs wrapped: 0

API Virtualization Level: 3

Entry Point Virtualization: 15 instructions

Multi Branch Technology: DISABLED

Virtual Machine Processor: Mutable CISC processor

Number of CPUs: 1

Opcode Type: Metamorphic - Level 2

Dynamic Opcode: 20% Dynamic

Registration Settings

---------------------

Signature Level: LV2

With Single file: regkey.dat

Only Hardware locked keys: DISABLED

Only Temporary keys: DISABLED

Only runs when registered: DISABLED

Clear Trial when registered: DISABLED

Advanced Protection Options

---------------------------

Encrypt Application: ENABLED

DLL plugin: DISABLED

Export Generators: ENABLED

Keep Trial Running: DISABLED

Hide from PE scanners: Standard

.NET assemblies: ENABLED

Active Context: DISABLED

Custom Event:

Add Manifest: Don't add manifest

Launch Application:

XBundler files

--------------

No files to bundle

VBunpackme.rar

wl2110.rar

[quosego]

Well running without a license doesn't work anymore using the old method..

Now uses a few secondary checks;

(devirtualized below)

0052C57F                              81BD 0B2C390A EFA7DD4C       CMP DWORD PTR SS:[EBP+A392C0B],4CDDA7EF      //Check for Is_reg dword one (in the tut fixed by setting eax, and edx 0 )
0052C589                              0F85 30000000                JNZ 0052C5BF
0052C58F                              81BD 9B1E360A 7206676E       CMP DWORD PTR SS:[EBP+A361E9B],6E670672         //check for Is_reg dword two  (in the tut fixed by setting eax, and edx 0 )
0052C599                              0F85 20000000                JNZ 0052C5BF
0052C59F                              8B85 3296390A                MOV EAX,DWORD PTR SS:[EBP+A399632]
0052C5A5                              25 FF000000                  AND EAX,0FF
0052C5AA                              83E8 1A                      SUB EAX,1A
0052C5AD                              0BC0                         OR EAX,EAX                             //check secondary check (not fixed in the tut, isn't emulated in the vm with cmp edx, eax anyways.)
0052C5AF                              0F84 05000000                JE 0052C5BA
0052C5B5                              E9 7B080000                  JMP 0052CE35                              //if sec check is not correct jump to destruction. (calls EBX without defining resulting in ending up in some ****ey mem section and crashing.)
0052C5BA                              E9 A9080000                  JMP 0052CE68                           // Correct jump, which another two checks for correct is_reg dwords 

Then a few other checks which are used resulting in an exit. Doubt it'll be very fancy..

Edited January 31, 2010 by quosego

[estelle]

thx quosego

[Teddy Rogers]

The [unpackme] tag has been added to your topic title.

Please remember to follow and adhere to the topic title format - thankyou!

[This is an automated reply]

[EvOlUtIoN]

I'm close to get it with only one hour of study. Already had program unpacked in memory, but not running for now.

Anyway remains the fact that program can be unpacked regardless the license, and this is sure.

OEP looks like this:

00401580 >/$ 55 PUSH EBP

00401581 |. 8BEC MOV EBP,ESP

00401583 |. 6A FF PUSH -1

00401585 |. 68 D0234000 PUSH dumped.004023D0

0040158A |. 68 06174000 PUSH dumped.00401706 ; SE handler installation

0040158F |. 64:A1 0000000>MOV EAX,DWORD PTR FS:[0]

00401595 |. 50 PUSH EAX

00401596 |. 64:8925 00000>MOV DWORD PTR FS:[0],ESP

0040159D |. 83EC 68 SUB ESP,68

004015A0 |. 53 PUSH EBX

004015A1 |. 56 PUSH ESI

004015A2 |. 57 PUSH EDI

004015A3 |. 8965 E8 MOV [LOCAL.6],ESP

004015A6 |. 33DB XOR EBX,EBX

004015A8 |. 895D FC MOV [LOCAL.1],EBX

004015AB |. 6A 02 PUSH 2

004015AD |. 90 NOP

004015AE |. E8 C93D8077 CALL msvcrt.__set_app_type

And...why to protect a safengine licensor unpackme with wl? At least change the strings please...

[quosego]

Damn Evo, nice work. Spend at least 2 hours at it before deciding I got bored and needed to drink beer.

You didn't have any of the troubles which deathway talked about? He found something encrypted with TEA which was needed for proper decryption.

Well seems not.

[EvOlUtIoN]

No friend quosego, i didn't find anything except for the fact that there is one wrong pointer which does not allow program to run without crash. I solved the problem patching the pointer and bypassing one vm handler, and after it program unpacks into memory...but before fix all of the IT it closes, and i still don't know the reason.

Anyway i found no OEP protection inside this target, and also iat is not fully protected since it can be rebuilt in few minutes with the help of uif tool. I think that this is protected with demo wl version.

Of course is possible i missed something, i don't have much time to do it because of a large amount of car travels for work...maybe i will check it better in the weekend.

[LCF-AT]

Hi,

I can bypass the checks too.

0059F197    DEC EBX
0059F198    JE 0059F289            ; 1. MJ

But it seems that I get the same trouble like Evo so I have also some places where are no API calls [red marked on the pic and some more].

00401645    CALL 004016EA        
----
004016EA    NOP
004016EB    JMP 77C079DB                       ; MSVCRT._initterm
---
77C079DB _initterm   PUSH ESI                        ; wl2110_d.00403008
77C079DC             MOV ESI,DWORD PTR SS:[ESP+8]    ; wl2110_d.00403000
77C079E0             JMP SHORT 77C079ED              ; 77C079ED
77C079E2             MOV EAX,DWORD PTR DS:[ESI]      ; wl2110_d.00401070
77C079E4             TEST EAX,EAX                    ; wl2110_d.00401070
77C079E6             JE SHORT 77C079EA               ; 77C079EA
77C079E8             CALL EAX                        ; wl2110_d.00401070
77C079EA             ADD ESI,4
77C079ED             CMP ESI,DWORD PTR SS:[ESP+C]    ; wl2110_d.0040300C
77C079F1             JB SHORT 77C079E2               ; 77C079E2
77C079F3             POP ESI                         ; GDI32.77C42D7E
77C079F4             RETNAfter the 2. break on call EAX it step into the address 00401070 which is trash code...00401070  CMP BYTE PTR DS:[EDX+79],BL
00401073  POPAD
00401074  TEST EDI,EBX
00401076  ADC AL,0A1
00401078  INC EBP                         ; Superfluous prefix
0040107A  RETN 294A

Hmm...maybe this target need again some special system dll versions or something.

greetz

[quosego]

Perhaps the encrypted part is the part deathway talked about. As for missing API's that was the result if you did not fix the dll Imagebase section pointer in WL data.

[estelle]

Hi,

I can bypass the checks too.

0059F197    DEC EBX
0059F198    JE 0059F289            ; 1. MJ

But it seems that I get the same trouble like Evo so I have also some places where are no API calls [red marked on the pic and some more].

00401645    CALL 004016EA        
----
004016EA    NOP
004016EB    JMP 77C079DB                       ; MSVCRT._initterm
---
77C079DB _initterm   PUSH ESI                        ; wl2110_d.00403008
77C079DC             MOV ESI,DWORD PTR SS:[ESP+8]    ; wl2110_d.00403000
77C079E0             JMP SHORT 77C079ED              ; 77C079ED
77C079E2             MOV EAX,DWORD PTR DS:[ESI]      ; wl2110_d.00401070
77C079E4             TEST EAX,EAX                    ; wl2110_d.00401070
77C079E6             JE SHORT 77C079EA               ; 77C079EA
77C079E8             CALL EAX                        ; wl2110_d.00401070
77C079EA             ADD ESI,4
77C079ED             CMP ESI,DWORD PTR SS:[ESP+C]    ; wl2110_d.0040300C
77C079F1             JB SHORT 77C079E2               ; 77C079E2
77C079F3             POP ESI                         ; GDI32.77C42D7E
77C079F4             RETNAfter the 2. break on call EAX it step into the address 00401070 which is trash code...00401070  CMP BYTE PTR DS:[EDX+79],BL
00401073  POPAD
00401074  TEST EDI,EBX
00401076  ADC AL,0A1
00401078  INC EBP                         ; Superfluous prefix
0040107A  RETN 294A

Hmm...maybe this target need again some special system dll versions or something.

greetz

00401683 |. 50 PUSH EAX ; /pStartupinfo

00401684 |. FF15 04204000 CALL DWORD PTR DS:[402004] ; \GetStartupInfoA

0040168A |. F645 D0 01 TEST BYTE PTR SS:[EBP-30],1

0040168E |. 74 11 JE SHORT 004016A1 ; UnPackMe.004016A1

00401690 |. 0FB745 D4 MOVZX EAX,WORD PTR SS:[EBP-2C]

00401694 |. EB 0E JMP SHORT 004016A4 ; UnPackMe.004016A4

00401696 |> 803E 20 /CMP BYTE PTR DS:[ESI],20

00401699 |.^ 76 D8 |JBE SHORT 00401673 ; UnPackMe.00401673

0040169B |. 46 |INC ESI

0040169C |. 8975 8C |MOV DWORD PTR SS:[EBP-74],ESI

0040169F |.^ EB F5 \JMP SHORT 00401696 ; UnPackMe.00401696

004016A1 |> 6A 0A PUSH 0A

004016A3 |. 58 POP EAX

004016A4 |> 50 PUSH EAX

004016A5 |. 56 PUSH ESI

004016A6 |. 53 PUSH EBX

004016A7 |. 53 PUSH EBX ; /pModule

004016A8 |. FF15 00204000 CALL DWORD PTR DS:[402000] ; \GetModuleHandleA

004016AE |. 50 PUSH EAX

[estelle]

There are questions in need of help to see a tut

My link password t93a72e376

I have an idea patchhwid,do not know if the correct;

My link password t9fe596ba

Edited March 23, 2010 by estelle

[LCF-AT]

This I fixed too before.

02620000  73D30000  MFC42.73D30000
02620004  77BE0000  MSVCRT.77BE0000
02620008  77E40000  kernel32.77E40000
0262000C  77D10000  USER32.77D10000
02620010  0000000000407D7E  02620004
-------------------------
00407D7E  02620000

00402000  77E59F93  kernel32.GetModuleHandleA
00402004  77E4177A  kernel32.GetStartupInfoA
00402008  00000000
0040200C >73D9A217  mfc42.#4486
00402010 >73D351E8  mfc42.#2554
00402014 >73D39C2B  mfc42.#2512
00402018 >73D414F8  mfc42.#5731
0040201C >73D3B5A5  mfc42.#3922
00402020 >73D40CCA  mfc42.#1089
00402024 >73D406C6  mfc42.#5199
00402028 >73D40245  mfc42.#2396
0040202C >73D313B3  mfc42.#3346
00402030 >73D348DE  mfc42.#5300
00402034 >73D8EBC3  mfc42.#5302
00402038 >73D4747F  mfc42.#2725
0040203C >73D311D4  mfc42.#4079
00402040 >73D32583  mfc42.#4698
00402044 >73D31194  mfc42.#5307
00402048 >73D313D0  mfc42.#5289
0040204C >73D39144  mfc42.#5714
00402050 >73D37129  mfc42.#2982
00402054 >73D37129  mfc42.#2982
00402058 >73D37129  mfc42.#2982
0040205C >73D31A47  mfc42.#4077
00402060 >73D8E633  mfc42.#3136
00402064 >73D46A75  mfc42.#3262
00402068 >73D8E66B  mfc42.#2985
0040206C >73D8E62D  mfc42.#3081
00402070 >73D8E671  mfc42.#2976
00402074 >73D8E610  mfc42.#3830
00402078 >73D317E0  mfc42.#3831
0040207C >73D317E0  mfc42.#3831
00402080 >73D37129  mfc42.#2982
00402084 >73D43F13  mfc42.#4080
00402088 >73D8E639  mfc42.#4622
0040208C >73D3223C  mfc42.#4424
00402090 >73DA87C6  mfc42.#3738
00402094 >73D3AFAF  mfc42.#561
00402098 >73D33876  mfc42.#825
0040209C >73D475A1  mfc42.#815
004020A0 >73D38D34  mfc42.#641
004020A4 >73D46AB1  mfc42.#2514
004020A8 >73D8EB8C  mfc42.#6375
004020AC >73D50999  mfc42.#1134
004020B0 >73D34444  mfc42.#5241
004020B4 >73D8D8DA  mfc42.#4376
004020B8 >73D4691A  mfc42.#4853
004020BC >73D3466E  mfc42.#6168
004020C0 >73D8D6C7  mfc42.#6052
004020C4 >73D317E0  mfc42.#3831
004020C8 >73D39789  mfc42.#1775
004020CC >73D3271D  mfc42.#4407
004020D0 >73D34444  mfc42.#5241
004020D4 >73D320CE  mfc42.#2385
004020D8 >73D31D0C  mfc42.#5163
004020DC >73D31CC8  mfc42.#6374
004020E0 >73D8E06A  mfc42.#4353
004020E4 >73D468A4  mfc42.#5280
004020E8 >73D34440  mfc42.#3798
004020EC >73D33290  mfc42.#4837
004020F0 >73D3291C  mfc42.#4441
004020F4 >73D46956  mfc42.#2648
004020F8 >73D46913  mfc42.#2055
004020FC >73D8C587  mfc42.#6376
00402100 >73D37129  mfc42.#2982
00402104 >73D8C2AE  mfc42.#5065
00402108 >73D3DFA8  mfc42.#1727
0040210C >73D3DDE8  mfc42.#5261
00402110 >73D35BF6  mfc42.#2446
00402114 >73D3C61A  mfc42.#2124
00402118 >73D34444  mfc42.#5241
0040211C >73D44481  mfc42.#4627
00402120 >73D38FAA  mfc42.#4425
00402124 >73D3967C  mfc42.#3597
00402128 >73D39CF3  mfc42.#1146
0040212C >73D31083  mfc42.#1168
00402130 >73D38F3F  mfc42.#324
00402134 >73DCFAE8  OFFSET mfc42.#4234
00402138 >73D395B4  mfc42.#4710
0040213C >73D318DD  mfc42.#4865
00402140 >73D38C74  mfc42.#755
00402144 >73D38B93  mfc42.#470
00402148 >73DD7FD8  OFFSET mfc42.#4274
0040214C >73D3B5E5  mfc42.#2621
00402150 >73D9A49D  mfc42.#4673
00402154 >73D3B4AC  mfc42.#1576
00402158  00000000
0040215C >77C01269  MSVCRT._XcptFilter
00402160 >77C07ADC  ASCII "Sj"
00402164 >77C2C7A8  OFFSET MSVCRT._acmdln
00402168 >77BEE909  MSVCRT.__getmainargs
0040216C >77C079DB  MSVCRT._initterm
00402170 >77C18F60  MSVCRT.__setusermatherr
00402174 >77C2D388  OFFSET MSVCRT._adjust_fdiv
00402178 >77BEEB4A  MSVCRT.__p__commode
0040217C >77BEEB68  MSVCRT.__p__fmode
00402180 >77C03632  MSVCRT.__set_app_type
00402184 >77C03EB0  MSVCRT._except_handler3
00402188 >77C1A658  MSVCRT._controlfp
0040218C >77C030F6  MSVCRT._onexit
00402190 >77C03140  MSVCRT.__dllonexit
00402194 >77BF1AD8  MSVCRT.__CxxFrameHandler
00402198 >77BFEFFD  MSVCRT._setmbcp
0040219C >77C07AEE  MSVCRT._exit
004021A0  00000000
004021A4  77D2E700  USER32.DrawIcon
004021A8  77D15F23  USER32.GetClientRect
004021AC  77D177C0  USER32.GetSystemMetrics
004021B0  77D18106  USER32.IsIconic
004021B4  77D1816D  USER32.EnableWindow
004021B8  77D1A102  USER32.LoadIconA
004021BC  77D1702F  USER32.SendMessageA
004021C0  00000000
004021C4  00000000

@ estelle

Do you still have the same project file where you have packed your target?If yes.....can you create a new file maybe you take this time the Notepad or calc.exe just too see whether we get the same problem too or not you know.Thank you.

So the User & Kernel calls / jumps will not written in the codesection just into the IATtable.

greetz

[estelle]

@LCF-AT

Thanks for reply, I went to test whether there are such problems the next.

[EvOlUtIoN]

Yes there is that problem of not writing all API calls into the code section.

But i can assure that it is not a feature of wl 2.1.1.0, i found targets like this also in previous versions like for example 2.0.5.0, i don't know exactly why...but it can simply be fixed since the only api calls missed are in the starting procedure. Maybe there are alsoi other api calls in a more complex program, but i never tested something like this. I'll write something more when i get enough free time.

Anyway it is very interesting how to bypass the new wl, but i thought that it was more difficult.

[estelle]

Yes there is that problem of not writing all API calls into the code section.

But i can assure that it is not a feature of wl 2.1.1.0, i found targets like this also in previous versions like for example 2.0.5.0, i don't know exactly why...but it can simply be fixed since the only api calls missed are in the starting procedure. Maybe there are alsoi other api calls in a more complex program, but i never tested something like this. I'll write something more when i get enough free time.

Anyway it is very interesting how to bypass the new wl, but i thought that it was more difficult.

Wait for bypass the new wl EvOlUtIon

[LCF-AT]

Hi,

so can someone check my short patch script below and also just with the wl2110.exe.Craete also a new file called regkey.dat and enter something.Now load the target in Olly and let run this script and then let run the target.For me it starts so.

// Just a test script for wl2110.exe!
// Create a regkey.dat file and enter somethig!
bphwc
bc
bphws 00565A8E,"x" 
esto
bphwc
var AA
var BBmov AA, [00407D7E]
sub AA, 04
mov [00407D7E], AA        // DLL ImageBase fixbp 0041FADC               // cmp ecx,eax checker
esto
mov [0046F8FF],6377A141   // Reg  DWORD 
mov [0049096A],1F34CC39   // Reg2 DWORD
mov [00459628],2D1AC4CA   // DWORD check first round 
mov [00467154],FB52B365   // VMed API RD Codewriter
mov [004A5148],9DA2B36F   // 401070
mov [004A514C],04865630   // 401070
mov [0046AEBC],86810361   // 401070
mov [0045ADB4],762B8D8B   // No Zw crash
mov [004080FB],6BAFD781   // 401070 +
mov [00407FA3],9F98C09A   // 401070 +
bc
pause
esto
pause

Note: Its just a test!So I am not sure whether the script also works for you or not you know.

greetz

[tomatoes]

Tested and work (Windows XP SP2)

Thanks LCF-AT

[quosego]

Damn LCF-AT,

I find it very interesting to see how good you've become actually.. I can remember a time WL was not as easy..

Nice work.. If only I had more time..

Ah well as proven before, Oreans is dead for now.

regards,

q.

[ahmadmansoor]

@ quosego : did u remember when I told u ,that u need a false lic key to make it work ... LCF-AT do the same job of my Loader but for certain target .

I think my loader still work ,but I need to fix some line inside it .

anyway I am busy in try my new tool ( Hasp ).

just one thing the new Winlic what it check to detect the debugger .

i have pass it by new StrongOD .... but by the old one .

when I run olly ( old option ) it detect the debugger directly .

so any Idea ?!

thanks

[quosego]

Yes I know ahmad, I thought up that method the first time when I cracked it, only then it was simpler.

My original tutorial already required a fake license and fixing of the dll imagebase location.

If your method is similar to LCF_AT's method perhaps you loader still works fine, since they only went after my method as described in my tutorial. Never checked how you did it using your loader, but it'll most likely be somewhat similar to my original work.

However never had Themida detect my debugger.. I use a rather exotic and custom version though.

Possibly it detects the old driver, from strongod just like extrem.sys in phantom.

Edited March 30, 2010 by quosego

[ahmadmansoor]

yes ,yes as u say .

it check the driver ,but u can pass it by patch 1 byte of code .it is very simple .

and no need for custom version of olly ..OllyIce is enough

I think Oreans have to rethink more in this .

it is shameful form Oreans

Edited April 1, 2010 by ahmadmansoor

[ahmadmansoor]

anyway just for fun not else ...

this is my unpacked file for this file .

harry up LCF-AT ,where is ur unpacked file ?? .

I have a question LCF-AT ...I will PM u Later

wl2110 unpacked by Ahmadmansoor-exetools.rar

[Syntax]

How can i bypass "debugger detected" from latest winlicense ?

[Gladiator]

How can i bypass "debugger detected" from latest winlicense ?

You can use OllyDbg - Armadillo Edition with StrongOD Plugin.

[Admin2]

Hi,

so can someone check my short patch script below and also just with the wl2110.exe.Craete also a new file called regkey.dat and enter something.Now load the target in Olly and let run this script and then let run the target.For me it starts so.

// Just a test script for wl2110.exe!
// Create a regkey.dat file and enter somethig!
bphwc
bc
bphws 00565A8E,"x" 
esto
bphwc
var AA
var BBmov AA, [00407D7E]
sub AA, 04
mov [00407D7E], AA        // DLL ImageBase fixbp 0041FADC               // cmp ecx,eax checker
esto
mov [0046F8FF],6377A141   // Reg  DWORD 
mov [0049096A],1F34CC39   // Reg2 DWORD
mov [00459628],2D1AC4CA   // DWORD check first round 
mov [00467154],FB52B365   // VMed API RD Codewriter
mov [004A5148],9DA2B36F   // 401070
mov [004A514C],04865630   // 401070
mov [0046AEBC],86810361   // 401070
mov [0045ADB4],762B8D8B   // No Zw crash
mov [004080FB],6BAFD781   // 401070 +
mov [00407FA3],9F98C09A   // 401070 +
bc
pause
esto
pause

Note: Its just a test!So I am not sure whether the script also works for you or not you know.

greetz

WORKED nice )))

this my used nice ollydebug

unpack to c:\

will then: C:\Tools\Olly\SABRE-GOLD

and run OLLYDBG.EXE and in phantom plugins me set this:

usually run OLLYDBG.EXE , but is some time run SABRE-G.exe

Alexey

moderator, have you small space on host-server ??????

then OK

luck

Edited January 13, 2011 by Admin2
Deleted OllyDbg attachment... seriously was there any need? :)