Tuts 4 You

Safengine Licensor 2.3.7.0

Question

converse

Difficulty : 5
Language : Delphi
Platform : Windows X86
OS Version : XP and above
Packer / Protector : Safengine Licensor 2.3.7.0

Description :

We need to patch the HWID or unpack it. Password - unpackme

Screenshot : (image attachment)

unpackme Safengine Licensor 2.3.7.0.rar

7 answers to this question

SHADOW_UA

OEP: 44ca99

Also need to add "push ebp" at 44ca98 and set the new origin on it before dumping.

To fix the IAT, use the script from here by L4Nce.

But we need to fix it for our target (correct addresses). Note that you must handle CreateThread manually.

To dump the resource (RCDATA), just stop on LoadResource and dump it. SizeOfResource just after it will tell you its size.

To patch the HWID, we need to stop on the emulated RegQueryValueExA (the string SystemBiosVersion will be in eax). After that, before the second break, you can find the HWID in memory (byte representation of the base64 HWID). Just search for it. We need to patch it BEFORE the second break. Restart the target and, after the first break, place a hardware breakpoint on write on the last byte of where it was located in memory and replace it with a valid one.

Unpacked file attached

project1_se_dump_.zip

converse
8 hours ago, SHADOW_UA said:

To fix the IAT, use the script from here by L4Nce.

Details, please.

White

An easy way to obtain all valid IAT entries.

Trace into its VM shell and stop at VA 004C2D67; eax holds the API address that was just obtained.

004C2D67                      /EB 45           jmp short 004C2DAE                       ; --< Real

Magic jmp at VA 004C1F7B: modify the !ZF value to 1, or just patch it to "jmp".

004C1F7B                     ^\0F84 7216FBFF   je 004735F3                              ; --<majic jump

Alternative way: the API emulation address is at VA 004C2157; nop this instruction if you prefer.

004C2157                       03C6            add eax,esi

So this is your answer about that PM.

Sound

The magic jump can be seen to write, and to be simulated by the API, a large part of the IAT table.

To deal with it, the IAT that remains to be repaired will become very little.

Danny Zhou
On 2016/5/16 at 4:54 PM, SHADOW_UA said:

OEP: 44ca99

Also need to add "push ebp" at 44ca98 and set the new origin on it before dumping.

To fix the IAT, use the script from here by L4Nce.

But we need to fix it for our target (correct addresses). Note that you must handle CreateThread manually.

To dump the resource (RCDATA), just stop on LoadResource and dump it. SizeOfResource just after it will tell you its size.

To patch the HWID, we need to stop on the emulated RegQueryValueExA (the string SystemBiosVersion will be in eax). After that, before the second break, you can find the HWID in memory (byte representation of the base64 HWID). Just search for it. We need to patch it BEFORE the second break. Restart the target and, after the first break, place a hardware breakpoint on write on the last byte of where it was located in memory and replace it with a valid one.

Unpacked file attached

project1_se_dump_.zip

@SHADOW_UA The file link for project1_se_dump_.zip seems broken. Can you resend the file? And can you give me the script to fix the IAT?

Thank you.
