Tuts 4 You

Safengine Licensor 2.3.7.0


converse

Difficulty : 5
Language : Delphi
Platform : Windows X86
OS Version : XP and above
Packer / Protector : Safengine Licensor 2.3.7.0

Description :

We need to patch the HWID or unpack it. Password - unpackme

Screenshot :


unpackme Safengine Licensor 2.3.7.0.rar

Edited by converse

OEP: 44ca99

You also need to add "push ebp" at 44ca98 and set the new origin on it before dumping.

To fix the IAT, use the script from here by L4Nce.

But we need to fix it for our target (correct addresses). Note that you must handle CreateThread manually.

To dump the resource (RCDATA), just stop on LoadResource and dump it. SizeOfResource, just after it, will tell you its size.

To patch the HWID, we need to stop on the emulated RegQueryValueExA (the string SystemBiosVersion will be in eax). After that, before the second break, you can find the HWID in memory (byte representation of the base64 HWID). Just search for it. We need to patch it BEFORE the second break. Restart the target and, after the first break, place a hardware breakpoint on write on the last byte of where it was located in memory and replace it with a valid one.

Unpacked file attached

project1_se_dump_.zip

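As a static complement to stopping on LoadResource/SizeOfResource, the following added example (my own code, not from this thread or from Safengine) walks the resource directory of an already unpacked image and pulls out every RCDATA item. The pointer LoadResource returns and the size SizeOfResource reports both come from the same IMAGE_RESOURCE_DATA_ENTRY fields this walker reads. The `.rsrc` bytes and their RVA (0x5000) are a constructed sample built inside the block; for a real dump you would pass the contents of the section named by the resource data directory and that section's VirtualAddress. Only ID-keyed trees are handled, which is what a Delphi build produces for its form data.

```python
import struct

RT_RCDATA = 10          # resource type used by Delphi for DFM/form data
SUBDIR = 0x80000000     # high bit of OffsetToData: entry points at a subdirectory


def _directory(entries):
    """IMAGE_RESOURCE_DIRECTORY with only ID entries, followed by its
    IMAGE_RESOURCE_DIRECTORY_ENTRY records (Name/Id, OffsetToData)."""
    header = struct.pack("<IIHHHH", 0, 0, 0, 0, 0, len(entries))
    return header + b"".join(struct.pack("<II", ident, off) for ident, off in entries)


def build_sample_rsrc(rsrc_rva: int, payload: bytes) -> bytes:
    """Constructed sample .rsrc contents: root -> RT_RCDATA -> name 1 -> lang 0x409 -> data.
    Offsets inside the tree are relative to the directory start; the data
    entry's first field is an image RVA, exactly as in a real PE."""
    root = _directory([(RT_RCDATA, SUBDIR | 0x18)])   # 24 bytes, ends at 0x18
    types = _directory([(1, SUBDIR | 0x30)])          # at 0x18, ends at 0x30
    names = _directory([(0x409, 0x48)])               # at 0x30, ends at 0x48
    data_entry = struct.pack("<IIII", rsrc_rva + 0x58, len(payload), 0, 0)  # at 0x48
    return root + types + names + data_entry + payload          # payload at 0x58


def walk_resources(rsrc: bytes, rsrc_rva: int):
    """Yield (type, name, language, data) for every leaf of an ID-keyed tree.
    `data` is what LoadResource returns a pointer to; len(data) is what
    SizeOfResource returns, both read from IMAGE_RESOURCE_DATA_ENTRY."""
    def entries(dir_off):
        n_named, n_id = struct.unpack_from("<HH", rsrc, dir_off + 12)
        for i in range(n_named + n_id):
            yield struct.unpack_from("<II", rsrc, dir_off + 16 + 8 * i)

    for type_id, type_off in entries(0):
        for name_id, name_off in entries(type_off & 0x7FFFFFFF):
            for lang_id, leaf_off in entries(name_off & 0x7FFFFFFF):
                if leaf_off & SUBDIR:           # malformed: deeper than three levels
                    continue
                rva, size, _codepage, _reserved = struct.unpack_from("<IIII", rsrc, leaf_off)
                start = rva - rsrc_rva          # convert image RVA to section offset
                if start < 0 or start + size > len(rsrc):
                    raise ValueError(f"data entry RVA {rva:#x} lies outside .rsrc")
                yield type_id, name_id, lang_id, rsrc[start:start + size]


def extract_rcdata(rsrc: bytes, rsrc_rva: int) -> dict:
    """Map RCDATA resource name/ID -> raw bytes."""
    return {name: data for rtype, name, _lang, data in walk_resources(rsrc, rsrc_rva)
            if rtype == RT_RCDATA}


# Constructed sample: a pretend .rsrc section at RVA 0x5000 whose single RCDATA
# item holds the first bytes of a Delphi form stream ("TPF0" signature).
SAMPLE_RVA = 0x5000
SAMPLE_PAYLOAD = b"TPF0\x06TForm1\x05Form1"
SAMPLE_RSRC = build_sample_rsrc(SAMPLE_RVA, SAMPLE_PAYLOAD)

if __name__ == "__main__":
    for name, data in extract_rcdata(SAMPLE_RSRC, SAMPLE_RVA).items():
        print(f"RCDATA {name}: {len(data)} bytes, starts with {data[:4]!r}")
```

If the walker returns garbage for the dumped target while the runtime dump from LoadResource is clean, the protector is decrypting the resource on access, which is exactly why the thread recommends breaking on LoadResource rather than reading the section statically.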

8 hours ago, SHADOW_UA said:

To fix iat, use script from here by L4Nce.

Details please

An easy way to obtain all valid IAT entries.

Trace into its VM shell and stop at va:004C2D67; eax holds the API address that was just obtained.

004C2D67                      /EB 45           jmp short 004C2DAE                       ; --< Real

Magic jmp at va:004C1F7B:
modify the !ZF value to 1 or just patch it to "jmp".

004C1F7B                     ^\0F84 7216FBFF   je 004735F3                              ; --<majic jump

Alternative way: the API emulation address is at va:004C2157;
nop this instruction if you prefer.

004C2157                       03C6            add eax,esi 

So this is your answer about that PM.

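Two details of the post above are worth checking before touching the dump: that the listed bytes `0F84 7216FBFF` at 004C1F7B really decode to `je 004735F3`, and that turning a 6-byte `je rel32` into a 5-byte `jmp rel32` requires recomputing the displacement, because rel32 is measured from the end of the instruction and the jmp ends one byte earlier. The following added example (my own code, not from this thread or from any script it mentions) does both on an in-memory image and also places the `push ebp` byte at 44ca98 that the first reply says the OEP is missing. The 1 MiB buffer at image base 0x400000 is a constructed stand-in for a process dump; only the six bytes at 0x4C1F7B are taken from the listing.

```python
import struct

# Constructed sample image: a zero-filled buffer standing in for a process dump
# mapped at the default Delphi image base. Only the six bytes at 0x4C1F7B are
# taken from the disassembly listing in the thread; everything else is filler.
IMAGE_BASE = 0x400000
IMAGE = bytearray(0x100000)
IMAGE[0x4C1F7B - IMAGE_BASE : 0x4C1F7B - IMAGE_BASE + 6] = bytes.fromhex("0F847216FBFF")


def to_signed32(x: int) -> int:
    """Interpret a value as a two's-complement 32-bit integer."""
    x &= 0xFFFFFFFF
    return x - (1 << 32) if x & 0x80000000 else x


def read_bytes(image: bytearray, base: int, va: int, n: int) -> bytes:
    """Read n bytes at virtual address va, refusing addresses outside the image."""
    off = va - base
    if off < 0 or off + n > len(image):
        raise ValueError(f"{va:08X} is outside the image")
    return bytes(image[off:off + n])


def patch_bytes(image: bytearray, base: int, va: int, data: bytes) -> None:
    """Overwrite bytes at va after the same bounds check as read_bytes."""
    read_bytes(image, base, va, len(data))
    image[va - base:va - base + len(data)] = data


def je_rel32_target(image: bytearray, base: int, va: int) -> int:
    """Decode `0F 84 disp32` at va; the target is the next instruction's VA plus
    the signed displacement."""
    insn = read_bytes(image, base, va, 6)
    if insn[:2] != b"\x0F\x84":
        raise ValueError(f"no je rel32 at {va:08X}: {insn.hex()}")
    (disp,) = struct.unpack("<i", insn[2:])
    return (va + 6 + disp) & 0xFFFFFFFF


def je_to_jmp(image: bytearray, base: int, va: int) -> bytes:
    """Replace a 6-byte `je rel32` with `jmp rel32` (E9 disp32, 5 bytes) plus a
    NOP, keeping the same target. The jmp is one byte shorter, so its displacement
    is measured from va+5 instead of va+6 and must be recomputed, not copied."""
    target = je_rel32_target(image, base, va)
    disp = struct.pack("<i", to_signed32(target - (va + 5)))
    patch = b"\xE9" + disp + b"\x90"
    patch_bytes(image, base, va, patch)
    return patch


def restore_stolen_push_ebp(image: bytearray, base: int, va: int) -> bytes:
    """Write the one-byte `push ebp` (0x55) that the protector removed from the
    OEP prologue, as the thread describes for 44ca98, and read it back."""
    patch_bytes(image, base, va, b"\x55")
    return read_bytes(image, base, va, 1)


if __name__ == "__main__":
    print(f"je at 004C1F7B targets {je_rel32_target(IMAGE, IMAGE_BASE, 0x4C1F7B):08X}")
    print("replacement bytes:", je_to_jmp(IMAGE, IMAGE_BASE, 0x4C1F7B).hex().upper())
    print("byte at 0044CA98 :", restore_stolen_push_ebp(IMAGE, IMAGE_BASE, 0x44CA98).hex())
```

The decode confirms the listing's target of 004735F3, and the rewrite yields `E9 7316FBFF 90`: the same destination, but with a displacement one larger than the original because the branch now ends one byte earlier. Copying the original four displacement bytes into the jmp would land one byte short of the intended instruction.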

The magic jump can be seen to write a large part of the IAT table and to be emulated by the API.

Once it is dealt with, the IAT repair that remains becomes very small.


10 months later...

On 2016/5/16 at 4:54 PM, SHADOW_UA said:

OEP: 44ca99

You also need to add "push ebp" at 44ca98 and set the new origin on it before dumping.

To fix the IAT, use the script from here by L4Nce.

But we need to fix it for our target (correct addresses). Note that you must handle CreateThread manually.

To dump the resource (RCDATA), just stop on LoadResource and dump it. SizeOfResource, just after it, will tell you its size.

To patch the HWID, we need to stop on the emulated RegQueryValueExA (the string SystemBiosVersion will be in eax). After that, before the second break, you can find the HWID in memory (byte representation of the base64 HWID). Just search for it. We need to patch it BEFORE the second break. Restart the target and, after the first break, place a hardware breakpoint on write on the last byte of where it was located in memory and replace it with a valid one.

Unpacked file attached

project1_se_dump_.zip

@SHADOW_UA The file link for project1_se_dump_.zip seems broken. Can you resend the file? And can you give me the script for fixing the IAT?

Thank you.
