Jump to content
View in the app

A better way to browse. Learn more.
Tuts 4 You

A full-screen app on your home screen with push notifications, badges and more.

To install this app on iOS and iPadOS
  1. Tap the Share icon in Safari
  2. Scroll the menu and tap Add to Home Screen.
  3. Tap Add in the top-right corner.
To install this app on Android
  1. Tap the 3-dot menu (⋮) in the top-right corner of the browser.
  2. Tap Add to Home screen or Install app.
  3. Confirm by tapping Install.

Safengine Licensor 2.3.7.0

converse
converse
in UnPackMe

Featured Replies

Posted

Difficulty : 5
Language : Delphi
Platform : Windows X86
OS Version : XP and above
Packer / Protector : Safengine Licensor 2.3.7.0

Description :

We need to do a patch HWID or unpack. Password - unpackme

Screenshot :

2a421eb63c3bd2f1e70303f31508c24e.png

unpackme Safengine Licensor 2.3.7.0.rar

Edited by converse

    • Like 1

    OEP: 44ca99

    Also need to add "push ebp" on 44ca98 and set new origin on it before dumping.

    To fix iat, use script from here by L4Nce.

    But we need to fix it for our target (correct addresses). Note that CreateThread you must handle manually.

    To dump resource (RCDATA), just stop on LoadResource and dump it. SizeOfResource just after it will tell you its size.

    To patch HWID, we need to stop on emulated RegQueryValueExA (string SystemBiosVersion will be in eax). After that before second break you can find hwid in memory (byte representation of base64 hwid). Just search for it. We need to patch it BEFORE second break. Restart target and after first break, place hwbp on write on last byte of where it was located in memory and replace with valid one.

    Unpacked file attached

    project1_se_dump_.zip

    •
    • Like 3
    • Author
    8 hours ago, SHADOW_UA said:

    To fix iat, use script from here by L4Nce.

     

    Details please

    An easy way to obtain all valid iat.

    trace into its vm shell and stop at va:004C2D67, eax holds just got api address. 

    004C2D67                      /EB 45           jmp short 004C2DAE                       ; --< Real

    majic jmp at va:004C1F7B 
    modify the !ZF value to 1 or just patch it to "jmp" 

    004C1F7B                     ^\0F84 7216FBFF   je 004735F3                              ; --<majic jump

    alternative way, api emulation address at va:004C2157 , 
    nop this command if you prefer. 

    004C2157                       03C6            add eax,esi

    So this is your answer about that PM.

    • Like 1

    magic jump  Can be seen to write and to be simulated by the API, a large part of the IAT table ,

    To deal with it, to repair the IAT will become very little. 

    • Like 1
    • 10 months later...
    On 2016/5/16 at 4:54 PM, SHADOW_UA said:

    OEP: 44ca99

    Also need to add "push ebp" on 44ca98 and set new origin on it before dumping.

    To fix iat, use script from here by L4Nce.

    But we need to fix it for our target (correct addresses). Note that CreateThread you must handle manually.

    To dump resource (RCDATA), just stop on LoadResource and dump it. SizeOfResource just after it will tell you its size.

    To patch HWID, we need to stop on emulated RegQueryValueExA (string SystemBiosVersion will be in eax). After that before second break you can find hwid in memory (byte representation of base64 hwid). Just search for it. We need to patch it BEFORE second break. Restart target and after first break, place hwbp on write on last byte of where it was located in memory and replace with valid one.

    Unpacked file attached

    project1_se_dump_.zip

    @SHADOW_UA File link of project1_se_dump_.zip seems broken. Can you resend file again? and can you give me the script for fix iat?

    Thank you.

    Create an account or sign in to comment

    Go to topic listing

    Configure browser push notifications
    Chrome (Android)
    1. Tap the lock icon next to the address bar.
    2. Tap Permissions → Notifications.
    3. Adjust your preference.
    Chrome (Desktop)
    1. Click the padlock icon in the address bar.
    2. Select Site settings.
    3. Find Notifications and adjust your preference.