Jump to content
Tuts 4 You

TinyCrackMe - WinLicense 3.1.7.0 Edition


Recommended Posts

Posted

TinyCrackMe - WinLicense 3.1.7.0 Edition


=== SPOILER INSIDE SOURCE CODE TAB ===
A WinLicense'd version of TinyCrackMe

Rules:
1. Unpack first
2. Do whatever you want after unpack, as long as ":3" MessageBox appear :3

Just want to see how long ppl will crack the latest version of WinLicense...
WL Protection:
- Anti-Debugger
- Advanced API-Warping
- Compress And Encrypt (all 3 options)
- Full Encrypt Strings
- Detect File/Registry Monitor
- Entry Point Virt
- Anti File Patching
- Perform Protection Check
- VMware/Virtual PC Allowed

WLVM:
- SHARK32 (Black, Red)
- PUMA32 (Black, Red)
- EAGLE32 (Black)

Happy reversing :3


 

  • Like 1
Posted

Unpacked and patched (accepting any input)

ok.exe

  • Like 2
Sean Park - Lovejoy
Posted (edited)

It's hard to me.

Regards.

sean.

Edited by windowbase
editing some words.
  • Like 1
InvizCustos
Posted (edited)
4 hours ago, Bang1338 said:

Just want to see how long ppl will crack the latest version of WinLicense...

It's not enough to have the latest version of the protector. You must also know how to use the protector.

You have not used all of the available settings. Nor have you used the SDK.

Edited by InvizCustos
  • Like 2
TRISTAN Pro
Posted (edited)

No protection apply (code not virtualized),

so it can be unpacked easily,I already post script,so use it for repair iat and dump.

pass is eXcElLEnt at 004018FB.

Mazotoa daholy.😁

 

 

Edited by TRISTAN Pro
Tested on VM boot win 7
  • Like 2
Posted (edited)
4 hours ago, TRISTAN Pro said:

No protection apply (code not virtualized),

 

damn :o
excellent :)

5 hours ago, InvizCustos said:

Nor have you used the SDK.

Will use SDK next time :)

7 hours ago, X0rby said:

Unpacked and patched (accepting any input)

ok.exe 441.5 kB · 8 downloads

excellent :3

Edited by Bang1338
  • Like 1
Posted (edited)

In this sample you asked for unpack, when you add virtualization to the code you need to name it de-virtualize me not unpackme - there's a difference.

and those who are talking I bet any one of them can do it, it's not an easy task - it will take like a week of group work to do it.

unless you have already did a reseach on the vms and made a tool that can automate the process.

Edited by X0rby
  • Like 1
  • 9 months later...
Posted
On 1/15/2024 at 4:42 PM, Sean the hard worker said:

It's hard to me.

Regards.

sean.

Greetings, could you provide me with the winlicense 3.1.70 installer?

  • Like 1
Sean Park - Lovejoy
Posted (edited)
1 hour ago, wilaper said:

Greetings, could you provide me with the winlicense 3.1.70 installer?

@wilaper No, I can not do it.  'cause that I do not have it. but I have the winlicense v3.1.3.0 x86 x64.

Regards.

sean.

Edited by Sean the hard worker
  • Like 1
  • 4 weeks later...
Posted (edited)

winlicense 3.2.2

Edited by Noob boy
  • Like 1
Posted (edited)
39 minutes ago, Noob boy said:

WinLicense 3.2.2 x64.zip 5.87 MB · 1 download WinLicense 3.2.2 x86Dome.rar 5.34 MB · 3 downloads

Winlicense 3.2.2 has updated the verification method. The old method cannot be bypassed. So how can the new method bypass it

thank for updating my crackme :D

i only have Winlicense 3.2.0.0 in my hand

Edited by Bang1338
woops, not my crackme, it's CFF explorer :P
  • Like 1
Posted
1 hour ago, Bang1338 said:

thank for updating my crackme :D

i only have Winlicense 3.2.0.0 in my hand

Then update the English version of the x86 x64 examples.

  • Like 2
Posted (edited)
On 12/13/2024 at 9:42 PM, Noob boy said:

Then update the English version of the x86 x64 examples.

sure 👌

Note: i will only gave x86 ver

Edited by Bang1338
not gonna do x64 because it's pain to recompile and reprotect
  • Like 1
  • Thanks 1
Posted (edited)

Rules:
1. Unpack first (extra, optional: devirtualize will get extra respects)
2. Do whatever you want after unpack, as long as ":3" MessageBox appear :3
3 (extra, optional). Extract the splash screen (no screenshot pls)

Note: Flags is now different.

Just want to see how long ppl will crack the latest 3.2.0.0 version of WinLicense...
WL Protection:
- Anti-Debugger
- Advanced API-Warping
- Compress And Encrypt (all 3 options)
- Full Encrypt Strings
- Detect File/Registry Monitor
- Entry Point Virt
- Anti File Patching
- Perform Protection Check
- VMware/Virtual PC Allowed
- Four Two macros

WLVM:
- DOLPHIN32 (White)
- FISH32 (Red, White)
- TIGER32 (White)

Splash screen by eintim23 (not in tuts4you), thank you.

LargerThanColonThree.zip

Edited by Bang1338
forgot to mention that flags changed to uhhhh i can't tell | forgot to mention that devirtualize is optional
  • Like 1
  • Thanks 1
Posted
3 hours ago, Bang1338 said:

Rules:
1. Unpack first (extra, optional: devirtualize will get extra respects)
2. Do whatever you want after unpack, as long as ":3" MessageBox appear :3

This is a sample that I manually unpacked. :)

Unpacked_InlinePatch.zip

3 hours ago, Bang1338 said:

3 (extra, optional). Extract the splash screen (no screenshot pls)

I haven't thought of a good way to satisfy the third rule yet...

  • Like 1
  • Thanks 1
Posted
4 hours ago, boot said:

I haven't thought of a good way to satisfy the third rule yet...

You can skip rule 3 if you can't, since rule 3 is optional ;) 

 

4 hours ago, boot said:

This is a sample that I manually unpacked.

Bravo 🎉

  • Like 1
Sean Park - Lovejoy
Posted (edited)

How to recover api wrapping?

screenshot-31.png

 

screenshot-32.png

 

And what is the advanced api wrapping?

Regards.

sean.

Edited by Sean Park - Lovejoy
  • Like 1
Posted
2 hours ago, Sean Park - Lovejoy said:

And what is the advanced api wrapping?

image.png.03c0107eb9f3aa5040737548a2c95f5e.png

  • Thanks 1
Sean Park - Lovejoy
Posted

GPT says that

Quote

Themida's Advanced API Wrapping is a feature provided by the Themida software protection tool, which is designed to protect applications from reverse engineering, debugging, and tampering. This feature involves modifying the way your application's API calls interact with the operating system or other external libraries by "wrapping" them, which adds an additional layer of security and obfuscation.

How Advanced API Wrapping Works

Intercepting API Calls: Themida replaces or modifies standard API calls (such as calls to Windows APIs) in your program with protected versions.

Wrapper Code Injection: A wrapper layer is inserted between the application and the API. This wrapper can:

Obfuscate API arguments and return values.

Encrypt or encode the API communication.

Perform additional checks or validations (e.g., anti-debugging or anti-tampering).

Runtime Security: At runtime, the wrapped API calls execute through the Themida protection mechanism. This makes it significantly harder for attackers to understand the functionality of the program, as:

API call logic becomes non-standard.

Debugging tools may fail to track or hook into the API calls.

The program may detect reverse engineering attempts and react accordingly.

Key Benefits of Advanced API Wrapping

Obfuscation: Hides the logic of API calls, making it difficult to analyze or intercept.

Anti-Hooking: Prevents attackers from hooking APIs to monitor or alter program behavior.

Tamper Resistance: Ensures that if the wrapping is modified or bypassed, the application may stop working.

Enhanced Debugging Resistance: Introduces anti-debugging techniques that trigger errors or disrupt analysis tools.

Use Cases

Game Protection: Prevents cheats or hacks by obfuscating how the game communicates with its environment.

DRM (Digital Rights Management): Protects software from piracy by securing sensitive API interactions.

Commercial Software Security: Shields proprietary algorithms or sensitive functionality from reverse engineering.

Potential Drawbacks

Performance Overhead: The additional layer of API wrapping can introduce performance penalties, especially for applications with frequent API calls.

Complex Debugging: Even legitimate debugging of protected applications becomes more challenging.

Compatibility Issues: Some protected APIs might not work correctly on all systems or configurations.

If you are considering using Themida's Advanced API Wrapping, evaluate your application's needs, test extensively to ensure compatibility, and weigh the trade-offs between security and potential impact on performance and usability.

Regards.

sean.

  • Like 1
Posted
48 minutes ago, Sean Park - Lovejoy said:

GPT says that

Regards.

sean.

don't ask GPT for very such a far thing

consider reading documentation

  • Thanks 1
Sean Park - Lovejoy
Posted
31 minutes ago, Bang1338 said:

don't ask GPT for very such a far thing

consider reading documentation

@Bang1338 Wrapping means that using different apis to make an api call be obfuscated?

Regards.

sean.

  • Like 1
Sean Park - Lovejoy
Posted
52 minutes ago, Sean Park - Lovejoy said:

@Bang1338 Wrapping means that using different apis to make an api call be obfuscated?

Regards.

sean.

Themida’s Advanced API Wrapping doesn’t mean using different APIs to make a call but rather involves wrapping and obfuscating existing API calls to make them more difficult to analyze, intercept, or manipulate by attackers. Here's a detailed explanation:

What Happens with Advanced API Wrapping?
Interception and Wrapping:

Themida intercepts standard API calls made by your program (e.g., calls to Windows APIs or libraries) and replaces them with custom “wrapped” versions.
These wrapped versions act as intermediaries between the application and the actual API.
Obfuscation of Parameters and Flow:

Parameters passed to the API can be encoded, encrypted, or altered by the wrapper.
The wrapper logic itself is obfuscated, making it difficult for an attacker to understand how the API call is being processed or what arguments are being passed.
Redirection and Layering:

Calls may be redirected through additional layers of code or custom logic before reaching the actual API.
These layers might perform security checks (e.g., anti-debugging, anti-tamper) or simply add noise to confuse reverse engineers.
Dynamic Behavior:

The wrapper might dynamically adjust how it interacts with the API based on runtime conditions, making static analysis tools ineffective.
For example, some wrapped API calls may only function correctly in a valid execution environment, preventing sandboxed analysis.
What This Means for API Calls
Obfuscation:

While the actual API (e.g., CreateFile or ReadProcessMemory) remains the same, the way it is invoked appears obfuscated due to the added wrapper logic.
Attackers analyzing the program won't see straightforward API calls. Instead, they'll encounter a chain of custom function calls or complex operations obscuring the original API call.
Security Checks:

The wrapper might add security checks (e.g., validating the environment) before deciding whether to allow the API call to proceed.
Anti-Hooking:

By wrapping API calls, Themida makes it harder for attackers to use hooking techniques to monitor or modify API calls, as they can't directly intercept the standard APIs.
What Advanced API Wrapping Does NOT Mean
Using Different APIs: It doesn't replace one API with another (e.g., using OpenFile instead of CreateFile); rather, it modifies how the original API call is invoked and processed.
Changing API Functionality: The underlying functionality of the API remains the same; the changes are in how the application interacts with it.
Example (Simplified)
Consider a program that calls CreateFile. Without Themida, it might look like this in pseudo-code:

c
Copy code
HANDLE fileHandle = CreateFile("example.txt", GENERIC_READ, 0, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
With Themida's API Wrapping, this might become:

c
Copy code
HANDLE fileHandle = Wrapped_API_XYZ_123("encoded_example.txt", obfuscated_flags, security_token);
Obfuscated Call: Instead of calling CreateFile directly, it goes through Wrapped_API_XYZ_123, which contains complex and obfuscated logic.
Encoded/Encrypted Parameters: The string "example.txt" and other arguments might be encoded or encrypted before being passed to the wrapper.
Decryption at Runtime: The wrapper decrypts and processes the parameters, performs additional security checks, and then calls CreateFile internally.
Why Use This Technique?
To protect sensitive functionality from being understood or manipulated.
To make reverse engineering harder by complicating the flow of API calls.
To deter common hacking methods like API hooking, parameter sniffing, or call redirection.
In summary, Advanced API Wrapping modifies and obfuscates how API calls are made without fundamentally changing the APIs themselves.

 

Best Regards.

sean.

  • Like 1

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
×
×
  • Create New...