
WinLicense v3.1.3.0 x64 (Bypass Without Unpacking)


Go to solution Solved by boot,


Posted

WinLicense v3.1.3.0 x64 (Bypass Without Unpacking)


License User Details

User Name=2days Tuts4you
Company=The Terminator
Hardware ID=6FF7-E7EF-5988-20FE-144E-865D-2D30-A73B
Custom Data=<custom_start>Skynet, a global network of artificial intelligence machines.<custom_end>

License Restrictions

Days Expiration=365
Date Expiration=2029/12/12
Executions=999
Runtime execution=999
Global Time=999
Install Before Date=2029/01/01

Miscellaneous

Unicode License=yes

Generated License (FILE KEY)

License Format=Binary

License Data= <license_start>
<license_end>

File Information
Platform:               Windows
Bits:                   64-bit
Type:                   Executable (Standard)
Version:                1.0.0.2
Modified:               8/1/2023 12:09:04 PM

Protection Macros
Virtual Machine:        10
Mutate:                 0
String Encrypt:         6
CheckProtection:        2
CheckCodeIntegrity:     0
CheckVirtualPC:         1
CheckDebugger:          1
Unprotected:            0
CheckRegistration:      0
Registered:             0
Unregistered:           0

WinLicense x64 (version 3.1.3.0)

Unit_bypassme.pas


 

  • Like 2
Posted
1 hour ago, 2days said:

(Bypass Without Unpacking)

T2.jpg.41c5b8aeeb6b48065b49634595e6ee58.jpg

  • Like 4
  • Haha 3
  • Solution
Posted (edited)

EDIT SLN

You need to

Hook MessageBoxW && Hook MessageBoxExW to mask the dialog box twice.

And you also need to patch the register once, the specific method/step can be referred to here.

The steps are similar to those of x86, you need to suspend the program and step over retn, then set breakpoints at all cmp addresses and select the correct one.

I used Inline Assembly x64 for the Loader64, you can use other tools for bypass, such as Baymax x64... It's a friendly tool for users...

 

Loader64_ByPassMe_x_protected.rar

Edited by boot
add...
  • Thanks 1
Posted (edited)

A few questions in my mind regarding the @solutions getting posted and even getting approved.

  • How did you patch it?
  • How did you unpack or crack it?
  • What kind of debugging settings did you use?
  • Have you used already available public tools or coded something private? (If you made something privately, then how does it work?)
  • How did you trace and reach the specific point for patching? (Anti-debug bypass or CRC check for patch)
  • What was the logic behind that?

Do you guys know what a good @solution is?
See this

What is the logic of all these videos posted in threads (mostly related to Themida)?
Are these useful? No, absolutely not.

You all are just acting like attention seekers by showing off that you can unpack or patch by making a 13-15 sec video with no info.
In such videos, there is a loader and you launch it and it works. BOOM!

If all the videos are like this, then better not to post and increase the burden on the site, because in my point of view these kinds of video proofs are pointless and senseless.
We are here to read and increase the knowledge.
If you don't wanna share, simply keep it to yourself. No need to show off, and even if you do, I have no problem with you when you show off,
but it should not be marked as a Solution.

P.S. - I am not asking you to share the source code or a complete private stuff but at least you can share steps in a descriptive manner.

Edited by BlackHat
  • Like 8
  • Thanks 3
  • Haha 1
Posted

search for CMP x,x

What is the correct value?

Sean the hard worker
Posted

Give some info about the loader, please.

sean.

  • Like 1
  • 5 months later...
Sean the hard worker
Posted

How should I configure the anti-debug settings? I have a problem debugging this.

Regards.

sean.

  • Like 1
Sean the hard worker
Posted (edited)
Quote

@boot

The steps are similar to those of x86, you need to suspend the program and step over retn, then set breakpoints at all cmp addresses and select the correct one.

I have some trouble with debugging the x64 target. At first, the anti-debug issue: I can't bypass it with x64dbg using the ScyllaHide and SharpOD x64 plugins. My settings are below.

screenshot_15.png.ea846c7c29ef8609f5cce78e9690c1ff.png

 

screenshot_16.png.e4a69e524f704f2610b3fbbe5f46967e.png

 

And I don't know how to find the cmp commands in the x64 environment, because we can't use OllyDbg for x64 apps, so we can't use the "find sequence of commands" feature. How should I find the cmp commands with x64dbg?

Waiting for help.

Regards.

sean.

Edited by windowbase
editing some words.
  • Like 1
Sean the hard worker
Posted
On 1/19/2024 at 6:08 AM, windowbase said:

And I don't know how to find the cmp commands in the x64 environment, because we can't use OllyDbg for x64 apps, so we can't use the "find sequence of commands" feature. How should I find the cmp commands with x64dbg?

Waiting for help.

Regards.

sean.

@boot specifically in this target, how should I find all matches of "cmp x,x" in the ".winlice" section?

I used "cmp dword ptr ds: [rdi],r13d" but nothing matches.

Regards.

sean.

 

  • Like 1
Sean the hard worker
Posted (edited)
On 8/3/2023 at 10:12 AM, boot said:

EDIT SLN

You need to

Hook MessageBoxW && Hook MessageBoxExW to mask the dialog box twice.

And you also need to patch the register once, the specific method/step can be referred to here.

The steps are similar to those of x86, you need to suspend the program and step over retn, then set breakpoints at all cmp addresses and select the correct one.

I used Inline Assembly x64 for the Loader64, you can use other tools for bypass, such as Baymax x64... It's a friendly tool for users...

 

Loader64_ByPassMe_x_protected.rar 1.99 MB · 130 downloads

 

@boot Not with a loader, not with DLL hijacking. I just want to know how to bypass this specific target using x64dbg, because I can't understand well what you explained in the summary above.

Many thanks in advance.

Regards.

sean.

Edited by windowbase
Editing words.
  • Like 1
Sean the hard worker
Posted (edited)
On 8/4/2023 at 5:32 PM, Barestra said:

search for CMP x,x

What is the correct value?

Search for every CMP instruction. Using the trace feature of a debugger like x64dbg with a condition (streq(dis.mnemonic(cip), "cmp")) will do the job for you. Set breakpoints on all of them and find the correct one.

Regards.

sean.

Edited by windowbase
adding words.
  • Like 1
Sean the hard worker
Posted (edited)
On 1/29/2024 at 1:57 PM, windowbase said:

@boot Not with a loader, not with DLL hijacking. I just want to know how to bypass this specific target using x64dbg, because I can't understand well what you explained in the summary above.

Many thanks in advance.

Regards.

sean.

When I try to bypass this target with x64dbg, the process suspends after all the message boxes, not showing TMainForm. Can anyone let me know why this happens? See the images below.

1116.png.b0f9d1fcf3a259df686f1a0d6d756c33.png

 

then ...

 

1117.png.40d0c23f44941dd086c81cc0934893b8.png

Regards.

sean.

Edited by windowbase
editing some words.
  • Like 1
Sean the hard worker
Posted
On 1/30/2024 at 10:37 PM, windowbase said:

When I try to bypass this target with x64dbg, the process suspends after all the message boxes, not showing TMainForm. Can anyone let me know why this happens? See the images below.

1116.png.b0f9d1fcf3a259df686f1a0d6d756c33.png

 

then ...

 

1117.png.40d0c23f44941dd086c81cc0934893b8.png

Regards.

sean.

This target also needs "dll"/"drv" hooking, hijacking or a loader application. We cannot bypass it with just a debugger like x64dbg. Correct me if I am wrong.

Regards.

sean.

  • Like 2
