WinLicense v3.1.3.0 x64 (Bypass Without Unpacking)

[2days]

View File

WinLicense v3.1.3.0 x64 (Bypass Without Unpacking)

---

License User Details

User Name=2days Tuts4you
Company=The Terminator
Hardware ID=6FF7-E7EF-5988-20FE-144E-865D-2D30-A73B
Custom Data=<custom_start>Skynet, a global network of artificial intelligence machines.<custom_end>

License Restrictions

Days Expiration=365
Date Expiration=2029/12/12
Executions=999
Runtime execution=999
Global Time=999
Install Before Date=2029/01/01

Miscellaneous

Unicode License=yes

Generated License (FILE KEY)

License Format=Binary

License Data= <license_start>
ghO1ud4wf14YNU87wUptZ1JTofTFErVAD+IwWKEjB/fxOtba9Vt0uasw45jdF3Yr9eGcJ/6h6lfad3d/MMYzxXYP7OZVGfHctljzMWS4H13UVl3DWBgWzCeozgy9k1UlULrL3/oKL/VdiS/BOJC98IgsF5+XT80xyGxos+Hcs4YdRarI9t0tj/+asJhpgN2KAXvH6lfp8qp0uvwZQUcnw/u+SpQjssOF5aAP9Bwweuw+6nfGxrZGcy8aNK3Kqo7rI5rLPk9Mzo1U0WkS1/I8lpQS1Mtticm1Am/eZCiCHJDMXDEfgTEuLGhQ9AItQtLQ2Fn8egx786AbJM09OEdiz5aGhz3kZfJZz8djMG3g8222gCmmDty8G4pBttMefKkVjKHoI2UXboNHpoOpxi53F6jldAhh3t+JoaOwa3Ng51uTfoNc2kLlCCP+jrjchZUNN9MY8y3kQ4K0Hd6eNkPAXwqbl2kakLZOlsmkkkVi9Pg620SzOt6YHh9iV1rS+TZ0jzWMvC9IakEgJionxYShgLg1Qkv6o4qIzP2ri9lMpM5eJK9Zo+Yl6K9HLnJ/gOE97Op7iAlywjsol5sunCIROe4pLHZo0PDNFJNZ4yy1VEgHp2+Qy/0nP55Fc8845MkE4hrjpg7SOFphFILgTuGVPG97nhRDTi05+f50WE2rl5PpuXnmeBblgD7S87p2tHUO7o2t8kvI/z7Xd9xNfw4HYJcbztKPxAkamUdIl0jmnhdIRGJMlYZm7rBgLd6dYhEu6Lo8P5vi7tydId4QsuwC7tv6+F8CQ1n6HpXSoPowKuMI/L2Zg1Ry3jlS2KUvH4spGy3URvJ8e2rFaDZpmQ==
<license_end>

File Information
Platform:               Windows
Bits:                   64-bit
Type:                   Executable (Standard)
Version:                1.0.0.2
Modified:               8/1/2023 12:09:04 PM

Protection Macros
Virtual Machine:        10
Mutate:                 0
String Encrypt:         6
CheckProtection:        2
CheckCodeIntegrity:     0
CheckVirtualPC:         1
CheckDebugger:          1
Unprotected:            0
CheckRegistration:      0
Registered:             0
Unregistered:           0

WinLicense x64 (version 3.1.3.0)

Unit_bypassme.pas

---

• Submitter
  2days
• Submitted
  08/02/2023
• Category
  CrackMe

 

[LCF-AT]

1 hour ago, 2days said:

(Bypass Without Unpacking)

[boot]

EDIT SLN

You need to

Hook MessageBoxW && Hook MessageBoxExW to mask the dialog box twice.

And you also need to patch the register once, the specific method/step can be referred to here.

The steps are similar to those of x86, you need to suspend the program and step over retn, then set breakpoints at all cmp addresses and select the correct one.

I used Inline Assembly x64 for the Loader64, you can use other tools for bypass, such as Baymax x64... It's a friendly tool for users...

 

Loader64_ByPassMe_x_protected.rar

Edited August 3, 2023 by boot
add...

[2days]

5 hours ago, boot said:

Loader64_ByPassMe_x_protected.rar 1.99 MB · 2 downloads

 

 

Legends never die. Kind regards

[kuazi GA]

[X0rby]

😏

[BlackHat]

Few Questions in my mind regarding the @solutions getting posted and even getting approved.

•  How did you patch It?
• How did you unpack or crack It?
• What kind of debugging settings used by You?
• Have you used already available public tools or coded something private? (If you made something privately then how does It work?)
• How did you trace and reach to specific point for patching? (Anti debug bypass or CRC check for patch)
• What was the logic behind that?

Do you guys know what a good @solution is?
See this - 

Quote

 

 

 

 

What is the logic of all these videos posted in threads (mostly related to Themida) ?
are these Useful? No absolutely not. 

you all are just acting like an attention seeker by showing off that you can unpack or patch by making a 13-15 sec video with no info. 
in such videos, there is a loader and you launch and it works. BOOM !

If all the videos are like this then better not to post and increase burden on the site because in my point of view these kind of video proofs are pointless and senseless.
We are here to read and increase the knowledge.
If you don't wanna share, simply keep it up to you. No need to show off and even If you do, I have no problem with you when you show-off
but It should not be marked as a Solution.

P.S. - I am not asking you to share the source code or a complete private stuff but at least you can share steps in a descriptive manner.

Edited August 4, 2023 by BlackHat

[Barestra]

search for CMP x,x

What is the correct value?

[Sean Park - Lovejoy]

Give some infos please. about the loader.

sean.

[bon]

easy.

 thank boot

[Barestra]

On 8/5/2023 at 2:58 PM, bon said:

easy.

 thank boot

BOOM..!

 

 

[Sean Park - Lovejoy]

How should I configure anti debug setting? I have a problem to debug this.

Regards.

sean.

[Sean Park - Lovejoy]

Quote

@boot

The steps are similar to those of x86, you need to suspend the program and step over retn, then set breakpoints at all cmp addresses and select the correct one.

I have some trouble with debugging x64 target. at first  antidebug issue. I can't bypass it with x64dbg using the scyllahide and sharpOD x64 plugins. My settings are below.

 

 

And I don't know how to find the cmp commands in x64 envirnment. 'cause we can't use the ollydbg for x64 apps. so we can't use the finding sequence of commands feature. How should I find the cmp commands with x64dbg?

Waiting for help.

Regards.

sean.

Edited January 18 by windowbase
editing some words.

[Sean Park - Lovejoy]

On 1/19/2024 at 6:08 AM, windowbase said:

And I don't know how to find the cmp commands in x64 envirnment. 'cause we can't use the ollydbg for x64 apps. so we can't use the finding sequence of commands feature. How should I find the cmp commands with x64dbg?

Waiting for help.

Regards.

sean.

@boot specifically in this target, how should I find all matches of "cmp x,x" in the ".winlice" section?

I used "cmp dword ptr ds: [rdi],r13d" but nothing matches.

Regards.

sean.

 

[Sean Park - Lovejoy]

On 8/3/2023 at 10:12 AM, boot said:

EDIT SLN

You need to

Hook MessageBoxW && Hook MessageBoxExW to mask the dialog box twice.

And you also need to patch the register once, the specific method/step can be referred to here.

The steps are similar to those of x86, you need to suspend the program and step over retn, then set breakpoints at all cmp addresses and select the correct one.

I used Inline Assembly x64 for the Loader64, you can use other tools for bypass, such as Baymax x64... It's a friendly tool for users...

 

Loader64_ByPassMe_x_protected.rar 1.99 MB · 130 downloads

 

@boot Not with loader, Not with dll hijacking. I just want to know how to bypass this specific target using with x64dbg. because that I can't understand well what you explained in the summary above.

Many thanks in advance.

Regards.

sean.

Edited January 29 by windowbase
Editting words.

[Sean Park - Lovejoy]

On 8/4/2023 at 5:32 PM, Barestra said:

search for CMP x,x

What is the correct value?

Search for the every CMP instructions. using the trace feature with a condition (streq(dis.mnemonic(cip), "cmp") of the debugger like x64dbg will do the job for you. set breakpoints all of them and find a correct one.

Regards.

sean.

Edited January 29 by windowbase
adding words.

[Sean Park - Lovejoy]

On 1/29/2024 at 1:57 PM, windowbase said:

@boot Not with loader, Not with dll hijacking. I just want to know how to bypass this specific target using with x64dbg. because that I can't understand well what you explained in the summary above.

Many thanks in advance.

Regards.

sean.

When I try to bypass this target with x64dbg, The process suspends after all the messageboxes. Not Showing TMainForm. Can anyone let me know why this happens? View these images below.

 

then ...

 

Regards.

sean.

Edited January 30 by windowbase
editing some words.

[Sean Park - Lovejoy]

On 1/30/2024 at 10:37 PM, windowbase said:

When I try to bypass this target with x64dbg, The process suspends after all the messageboxes. Not Showing TMainForm. Can anyone let me know why this happens? View these images below.

 

then ...

 

Regards.

sean.

This target also needs the "dll","drv" hooking, hijacking or a loader application. we cannot bypass it just with the debuggers like x64dbg. Correct me if I am wrong.

Regards.

sean.