Jump to content
Tuts 4 You

WinLicense v3.2.2 (Window Function Through an External Plugin)

lengyue

By lengyue
in CrackMe

 Share
Go to solution Solved by karan,

Recommended Posts

lengyue

lengyue

Posted
Posted
WinLicense v3.2.2 (Window Function Through an External Plugin)

View File

WinLicense v3.2.2 (Window Function Through an External Plugin)

This is a WinLicense 3.2.2/sample, set by default, without adding an SDK in the source code, only adding a window function through an external plugin. I don't know if bypass can be cracked, I tested it and it doesn't. Shedding may be more complicated.Please use your own way to crack it. Whether it's molting, bypass, or keygen, they are all the best methods. No need to upload your proposal, posting a picture is the best answer. I will strive to learn towards your achievements. HWID:1031-E184-1D1E-92A8-AA82-151F-E2BC-34EE NAME:Mr.Leng .RegistCode:2FGP7NTY-22AMY4QL-XXEHAOKD-ZJKHKDKR-VY66SHXY-YTEQXVBF-GAXAEFIA-7BQWOTA5-5CE344K4-VBGMG25R-5TGP26WS-AIKQB3S5-5LDUHEHX-S6KSKH3H-OPPHIFAX-N6WPWIAM

 

1.png.6697fe555dc51b56e70ceae6a892be5d.png

3.png.844e6d41df1c4fffee988d508465e15b.png

 

WinLicense3.2.2_sample.rar

 

 

  • Like 2
  • 2 weeks later...
Noob boy

Noob boy

Posted
Posted

This plugin is much more powerful than the original WinLicense. 80-90% of people can’t get around it!

  • Like 1
  • Haha 1
  • 3 weeks later...
Noob boy

Noob boy

Posted
Posted (edited)

This is a sample encrypted by default and without anti-debugging enabled.WinLicense3.22.rar
6FF2-7FBC-317A-E404-40AC-57D7-D049-706D

Edited by Noob boy
  • Like 2
  • 2 weeks later...
  • Solution
karan

karan

Posted
  • Solution
Posted

Among the anti-debug techniques, there's an interesting one worth noting.

A dummy thread is created and then it calls Sleep(0x32).
(The goal is for the created thread to be detected by tools like x64dbg.)

Then, it calls NtQueryObject with the ObjectBasicInformation class using the thread handle.

If the returned HandleCount is greater than 1, it determines that debugging is in progress.

  

void dummy()
{
	Sleep(8000);
}

bool CheckCreateThreadHandleCount()
{
	HANDLE hThread = CreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)dummy, NULL, 0, NULL);
	if (hThread == NULL)
	{
		return false;
	}

	Sleep(0x32);

	PUBLIC_OBJECT_BASIC_INFORMATION objInfo;

	NTSTATUS status = NtQueryObject(hThread, ObjectBasicInformation, &objInfo, sizeof(objInfo), NULL);

	if (!NT_SUCCESS(status))
	{
		CloseHandle(hThread);
		return false;
	}

	std::cout << "Handle Count: " << objInfo.HandleCount << std::endl;

	if (objInfo.HandleCount > 1)
	{
		CloseHandle(hThread);
		return true;
	}

	CloseHandle(hThread);
	return false;
}

 

  • Like 2
  • Thanks 4
lengyue

lengyue

Posted
  • Author
Posted
21 hours ago, karan said:

Among the anti-debug techniques, there's an interesting one worth noting.

A dummy thread is created and then it calls Sleep(0x32).
(The goal is for the created thread to be detected by tools like x64dbg.)

Then, it calls NtQueryObject with the ObjectBasicInformation class using the thread handle.

If the returned HandleCount is greater than 1, it determines that debugging is in progress.

  

void dummy()
{
	Sleep(8000);
}

bool CheckCreateThreadHandleCount()
{
	HANDLE hThread = CreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)dummy, NULL, 0, NULL);
	if (hThread == NULL)
	{
		return false;
	}

	Sleep(0x32);

	PUBLIC_OBJECT_BASIC_INFORMATION objInfo;

	NTSTATUS status = NtQueryObject(hThread, ObjectBasicInformation, &objInfo, sizeof(objInfo), NULL);

	if (!NT_SUCCESS(status))
	{
		CloseHandle(hThread);
		return false;
	}

	std::cout << "Handle Count: " << objInfo.HandleCount << std::endl;

	if (objInfo.HandleCount > 1)
	{
		CloseHandle(hThread);
		return true;
	}

	CloseHandle(hThread);
	return false;
}

 

You are wonderful.

  • Like 1
jackyjask

jackyjask

Posted
Posted

time to add new anti-dbg trick into ScyllaHide plugin :) !?!?

 

  • Like 1
  • Thanks 1
Kanes

Kanes

Posted
Posted
2 hours ago, boot said:

I have also released a simple demo version plugin.

This is a protected example.

Could you upload it to mediafire, mega or google drive? i am not from china and i have not been able to download your examples. If you can upload the plugin and the protected example would be great, thank you.

  • Like 2
  • 1 month later...
Noob boy

Noob boy

Posted
Posted
On 3/12/2025 at 2:41 PM, Noob boy said:

This is a sample encrypted by default and without anti-debugging enabled.WinLicense3.22.rar
6FF2-7FBC-317A-E404-40AC-57D7-D049-706D

@bootHi~ Expert, can Lengyue's WinLicense v3.2.2 be bypassed? If not, can you try my default encryption version?

  • Like 1
jackyjask

jackyjask

Posted
Posted
On 3/21/2025 at 8:15 AM, karan said:

Then, it calls NtQueryObject with the ObjectBasicInformation class using the thread handle.

If the returned HandleCount is greater than 1, it determines that debugging is in progress.

smth is wrong with your code

I tried sample consle app and it prints 2 when  being ran without debugger and  4  when unde4 MS VS...

are you sure this is reliable new anti-debug way?

  • Like 1
karan

karan

Posted
Posted
On 5/7/2025 at 6:20 AM, jackyjask said:

smth is wrong with your code

I tried sample consle app and it prints 2 when  being ran without debugger and  4  when unde4 MS VS...

are you sure this is reliable new anti-debug way? 

bool CheckCreateThreadHandleCount()
{
	PUBLIC_OBJECT_BASIC_INFORMATION objInfo = {};
	HANDLE hThread = CreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)dummy, NULL, 0, NULL);
	if (hThread == NULL)
	{
		return false;
	}

	NTSTATUS status = NtQueryObject(hThread, ObjectBasicInformation, &objInfo, sizeof(objInfo), NULL);

	if (!NT_SUCCESS(status))
	{
		CloseHandle(hThread);
		return false;
	}

	DWORD HandleCount = objInfo.HandleCount;

	Sleep(0x32);

	objInfo = {};

	

	status = NtQueryObject(hThread, ObjectBasicInformation, &objInfo, sizeof(objInfo), NULL);

	if (!NT_SUCCESS(status))
	{
		CloseHandle(hThread);
		return false;
	}

	std::cout << "Handle Count: " << objInfo.HandleCount << std::endl;

	if (objInfo.HandleCount != HandleCount)
	{
		CloseHandle(hThread);
		return true;
	}

	CloseHandle(hThread);
	return false;
}

 

  • Like 1
jackyjask

jackyjask

Posted
Posted

thanks, I see updated algo above, I'll give it a try today

 

  • Like 1
jackyjask

jackyjask

Posted
Posted

OK, 2nd function OK but IMHO it's risky to use it, here is why:

NtQueryObject:

- This function may be changed or removed from Windows without further notice.

- This function has no associated header file or import library. You must use the LoadLibrary or GetProcAddress function to dynamically link to Ntdll.dll.

- not clear what Windows versions supports it (no info in MSDN)

- if you try the ObjectTypeInformation type you'll get error 0xc000004

 

  • Like 1
jackyjask

jackyjask

Posted
Posted

Minimum supported clientWindows 2000.

 

OK! sounds better

  • Like 1

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
 Share
Go to topic listing
×
×
  • Create New...