Posted February 7

WinLicense v3.2.2 (Window Function Through an External Plugin)

This is a WinLicense 3.2.2/sample, set by default, without adding an SDK in the source code, only adding a window function through an external plugin. I don't know if bypass can be cracked, I tested it and it doesn't. Shedding may be more complicated. Please use your own way to crack it. Whether it's molting, bypass, or keygen, they are all the best methods. No need to upload your proposal, posting a picture is the best answer. I will strive to learn towards your achievements.

HWID: 1031-E184-1D1E-92A8-AA82-151F-E2BC-34EE
NAME: Mr.Leng
RegistCode: 2FGP7NTY-22AMY4QL-XXEHAOKD-ZJKHKDKR-VY66SHXY-YTEQXVBF-GAXAEFIA-7BQWOTA5-5CE344K4-VBGMG25R-5TGP26WS-AIKQB3S5-5LDUHEHX-S6KSKH3H-OPPHIFAX-N6WPWIAM

WinLicense3.2.2_sample.rar

File Information
Submitter: lengyue
Submitted: 02/07/2025
Category: CrackMe

February 21

This plugin is much more powerful than the original WinLicense. 80-90% of people can’t get around it!

March 12

This is a sample encrypted by default and without anti-debugging enabled.

WinLicense3.22.rar
6FF2-7FBC-317A-E404-40AC-57D7-D049-706D

Edited March 12 by Noob boy

March 21 (Solution)

Among the anti-debug techniques, there's an interesting one worth noting. A dummy thread is created and then it calls Sleep(0x32). (The goal is for the created thread to be detected by tools like x64dbg.) Then, it calls NtQueryObject with the ObjectBasicInformation class using the thread handle. If the returned HandleCount is greater than 1, it determines that debugging is in progress.

    #include <windows.h>
    #include <winternl.h>   // NtQueryObject, PUBLIC_OBJECT_BASIC_INFORMATION
    #include <iostream>

    // Thread body: stays alive long enough to be queried.
    void dummy()
    {
        Sleep(8000);
    }

    bool CheckCreateThreadHandleCount()
    {
        HANDLE hThread = CreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)dummy, NULL, 0, NULL);
        if (hThread == NULL) {
            return false;
        }

        // Give an attached debugger time to register the new thread.
        Sleep(0x32);

        PUBLIC_OBJECT_BASIC_INFORMATION objInfo;
        NTSTATUS status = NtQueryObject(hThread, ObjectBasicInformation, &objInfo, sizeof(objInfo), NULL);
        if (!NT_SUCCESS(status)) {
            CloseHandle(hThread);
            return false;
        }

        std::cout << "Handle Count: " << objInfo.HandleCount << std::endl;

        // More than one open handle to the thread is treated as a debugger.
        if (objInfo.HandleCount > 1) {
            CloseHandle(hThread);
            return true;
        }

        CloseHandle(hThread);
        return false;
    }

March 22 (Author)

21 hours ago, karan said:
> Among the anti-debug techniques, there's an interesting one worth noting. A dummy thread is created and then it calls Sleep(0x32). (The goal is for the created thread to be detected by tools like x64dbg.) Then, it calls NtQueryObject with the ObjectBasicInformation class using the thread handle. If the returned HandleCount is greater than 1, it determines that debugging is in progress.
>
>     void dummy()
>     {
>         Sleep(8000);
>     }
>
>     bool CheckCreateThreadHandleCount()
>     {
>         HANDLE hThread = CreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)dummy, NULL, 0, NULL);
>         if (hThread == NULL) {
>             return false;
>         }
>         Sleep(0x32);
>         PUBLIC_OBJECT_BASIC_INFORMATION objInfo;
>         NTSTATUS status = NtQueryObject(hThread, ObjectBasicInformation, &objInfo, sizeof(objInfo), NULL);
>         if (!NT_SUCCESS(status)) {
>             CloseHandle(hThread);
>             return false;
>         }
>         std::cout << "Handle Count: " << objInfo.HandleCount << std::endl;
>         if (objInfo.HandleCount > 1) {
>             CloseHandle(hThread);
>             return true;
>         }
>         CloseHandle(hThread);
>         return false;
>     }

You are wonderful.

March 22

I have also released a simple demo WL plugin. This is a protected example.

https://forum.tuts4you.com/topic/45492-detector64-winlicense-plugin/

Edited April 8 by boot

March 22

2 hours ago, boot said:
> I have also released a simple demo version plugin. This is a protected example.

Could you upload it to MediaFire, Mega or Google Drive? I am not from China and I have not been able to download your examples. If you can upload the plugin and the protected example, it would be great, thank you.

May 6

On 3/12/2025 at 2:41 PM, Noob boy said:
> This is a sample encrypted by default and without anti-debugging enabled.
> WinLicense3.22.rar
> 6FF2-7FBC-317A-E404-40AC-57D7-D049-706D

@boot Hi~ Expert, can Lengyue's WinLicense v3.2.2 be bypassed? If not, can you try my default encryption version?

May 6

On 3/21/2025 at 8:15 AM, karan said:
> Then, it calls NtQueryObject with the ObjectBasicInformation class using the thread handle. If the returned HandleCount is greater than 1, it determines that debugging is in progress.

Something is wrong with your code. I tried a sample console app and it prints 2 when run without a debugger and 4 when under MS VS... Are you sure this is a reliable new anti-debug way?

May 11

On 5/7/2025 at 6:20 AM, jackyjask said:
> Something is wrong with your code. I tried a sample console app and it prints 2 when run without a debugger and 4 when under MS VS... Are you sure this is a reliable new anti-debug way?

    // dummy() is the thread body from the earlier post.
    bool CheckCreateThreadHandleCount()
    {
        PUBLIC_OBJECT_BASIC_INFORMATION objInfo = {};

        HANDLE hThread = CreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)dummy, NULL, 0, NULL);
        if (hThread == NULL) {
            return false;
        }

        // First sample: handle count right after the thread is created.
        NTSTATUS status = NtQueryObject(hThread, ObjectBasicInformation, &objInfo, sizeof(objInfo), NULL);
        if (!NT_SUCCESS(status)) {
            CloseHandle(hThread);
            return false;
        }
        DWORD HandleCount = objInfo.HandleCount;

        Sleep(0x32);

        // Second sample: handle count after the delay.
        objInfo = {};
        status = NtQueryObject(hThread, ObjectBasicInformation, &objInfo, sizeof(objInfo), NULL);
        if (!NT_SUCCESS(status)) {
            CloseHandle(hThread);
            return false;
        }

        std::cout << "Handle Count: " << objInfo.HandleCount << std::endl;

        // A count that changed between the two samples is treated as a debugger.
        if (objInfo.HandleCount != HandleCount) {
            CloseHandle(hThread);
            return true;
        }

        CloseHandle(hThread);
        return false;
    }

May 12

OK, 2nd function OK but IMHO it's risky to use it, here is why:

NtQueryObject:
- This function may be changed or removed from Windows without further notice.
- This function has no associated header file or import library. You must use the LoadLibrary or GetProcAddress function to dynamically link to Ntdll.dll.
- not clear what Windows versions support it (no info in MSDN)
- if you try the ObjectTypeInformation type you'll get error 0xc000004

May 13

21 hours ago, jackyjask said:
> - not clear what Windows versions support it (no info in MSDN)

https://learn.microsoft.com/en-us/windows-hardware/drivers/ddi/ntifs/nf-ntifs-ntqueryobject

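The dynamic-linking note and the baseline question raised in the posts above, as an added example that is not code from any poster in this thread: it resolves NtQueryObject from ntdll.dll with GetProcAddress, samples a new thread's HandleCount before and after the delay, and reports what the greater-than-1 check and the changed-count check would each conclude. The names Verdict, classify, query_handle_count and idle_thread are made up for this example, and the measuring part builds only with a Windows toolchain.

```cpp
// Added example: sample a new thread's HandleCount twice and compare both rules.
#include <cstdio>
struct Verdict { bool threshold_rule; bool delta_rule; };

// threshold_rule: first version, flags when the later count exceeds 1.
// delta_rule: revised version, flags only when the count changed during the delay.
Verdict classify(unsigned long before, unsigned long after) {
    return Verdict{ after > 1, after != before };
}

#ifdef _WIN32
#include <windows.h>
#include <winternl.h>
typedef NTSTATUS (NTAPI *NtQueryObject_t)(HANDLE, OBJECT_INFORMATION_CLASS,
                                          PVOID, ULONG, PULONG);
static DWORD WINAPI idle_thread(LPVOID) { Sleep(8000); return 0; }

// Resolves NtQueryObject from ntdll.dll at run time and reads HandleCount.
// Returns false if the export is missing or the call fails.
static bool query_handle_count(HANDLE h, unsigned long *out) {
    HMODULE ntdll = GetModuleHandleW(L"ntdll.dll");
    if (!ntdll) return false;
    NtQueryObject_t fn = reinterpret_cast<NtQueryObject_t>(
        GetProcAddress(ntdll, "NtQueryObject"));
    if (!fn) return false;
    PUBLIC_OBJECT_BASIC_INFORMATION info = {};
    if (fn(h, ObjectBasicInformation, &info, sizeof(info), NULL) < 0) return false;
    *out = info.HandleCount;
    return true;
}
#endif

int main() {
#ifdef _WIN32
    HANDLE t = CreateThread(NULL, 0, idle_thread, NULL, 0, NULL);
    if (!t) return 1;
    unsigned long before = 0, after = 0;
    bool ok = query_handle_count(t, &before);
    Sleep(0x32);  // same delay as in the posts above
    ok = ok && query_handle_count(t, &after);
    CloseHandle(t);
    if (!ok) return 1;
    Verdict v = classify(before, after);
    std::printf("before=%lu after=%lu threshold=%d delta=%d\n",
                before, after, v.threshold_rule, v.delta_rule);
#else
    std::puts("Windows only: nothing is measured on this platform.");
#endif
    return 0;
}
```

With a count that stays at 2 across both samples, the value jackyjask reported without a debugger, the threshold rule flags the process while the changed-count rule does not.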