OpenRCE

📚 OpenRCE is preserved as a read-only archive. Launched at RECon Montreal in 2005. Registration and posting are disabled.

About Articles Book Store Distributed RCE Downloads Event Calendar Forums Live Discussion Reference Library RSS Feeds Search Users What's New

Customize Theme

Flag: Tornado! Hurricane!

Topic created on: September 3, 2007 15:05 CDT by mcwanks .

Are there any unpackers or tutorials for unpacking WinLicense?

I heard WinLicense and TheMida are based off the same stuff and I tried UnTheMide but it doesn't work.

jms		September 3, 2007 15:21.29 CDT
Post a link to its installer, I will take a quick look at it. No guarantees, but I need the practice anyways :)

mcwanks		September 3, 2007 15:50.04 CDT
http://rapidshare.com/files/53219511/WinLicense_v1.8.5.5.rar.html

jms		September 3, 2007 16:37.02 CDT
So do you have any experience with unpackers or anti-debugging? While you're waiting try some of this: 1) Do a check for IsDebuggerPresent, and bypass it. 2) Check for other anti-debugger techniques, like GetTickCount, etc. 3) Search in memory for any strings related to WinLicense, and see if there are any suspect commands near it. 4) Do a search for jmp eax, at the beginning of a run, and set breakpoints on any found, you might get lucky and find the OEP :) Let me know how you make out.

nico		September 3, 2007 22:14.56 CDT
heh You are pretty naive if you think those are gonna be enough with any commercial protection system Themida/Winlicense has one anti olly that uses a FPU bug in olly. so u need to patch ur olly or use ImmunityDbg 1.1 that fixes it. other than this, you must be pretty confident with unpacking, assembly, and coding your own tools.. You are gona have some troubles otherwise ;)

jms		September 3, 2007 22:30.09 CDT
I hardly said that it was going to be enough :)

Sellmi		September 4, 2007 01:52.27 CDT
@nico true. Themida emulates also API functions+ it is possible to convert x86 code into p-code which is then executed in the VM of themida. To unpacking this means you have to patch fully the VM after dumping the host file(the VM of course uses anti dumping tricks)

MohammadHosein		September 4, 2007 06:49.32 CDT
look for "Themida & Winlicense.v1.1.x 1.0.X.Dy.a__p.oSc" and use it with the patched version of olly named "theODBG"

nico		September 4, 2007 07:41.07 CDT
Sellmi yeah, it has many features. I have coded my own dumper for reversing malwares, i didn't bother with imports nor the VM, i just dump files with everything decrypted, resources included, so i can extract embedded files (dlls, rootkits etc), and most of the time, you can see what the malware is, without the imports anyway. In old versions, it was easy to patch it, to have clean imports, i don't know about recent ones, they probably have fixed a few weaknesses

vuadapass		October 10, 2007 02:44.42 CDT
I using the 0DBG to debug the Winlicense, but when i press F9 to run target on the 0Dbg. A Messagebox show "Ocurred : 0x....." and unload target.

clanturkish2		November 9, 2008 21:40.12 CST
dsdsd

Note: Registration is required to post to the forums.

There are 31,328 total registered users.

Recently Created Topics
[help] Unpacking VMP...	Mar/12
Reverse Engineering ...	Jul/06
let 'IDAPython' impo...	Sep/24
set 'IDAPython' as t...	Sep/24
GuessType return une...	Sep/20
About retrieving the...	Sep/07
How to find specific...	Aug/15
How to get data depe...	Jul/07
Identify RVA data in...	May/06
Question about memor...	Dec/12

Recent Forum Posts
Finding the procedur...	rolEYder
Question about debbu...	rolEYder
Identify RVA data in...	sohlow
let 'IDAPython' impo...	sohlow
How to find specific...	hackgreti
Problem with ollydbg	sh3dow
How can I write olly...	sh3dow
New LoadMAP plugin v...	mefisto...
Intel pin in loaded ...	djnemo
OOP_RE tool available?	Bl4ckm4n

Recent Blog Entries
	halsten	Mar/14
Breaking IonCUBE VM
	oleavr	Oct/24
Anatomy of a code tracer
	hasherezade	Sep/24
IAT Patcher - new tool for ...
	oleavr	Aug/27
CryptoShark: code tracer ba...
	oleavr	Jun/25
Build a debugger in 5 minutes
More ...

Recent Blog Comments
	nieo on:	Mar/22
IAT Patcher - new tool for ...
	djnemo on:	Nov/17
Kernel debugger vs user mod...
	acel on:	Nov/14
Kernel debugger vs user mod...
	pedram on:	Dec/21
frida.github.io: scriptable...
	capadleman on:	Jun/19
Using NtCreateThreadEx for ...
More ...

Imagery

SoySauce Blueprint
Jun 6, 2008

[+] expand

View Gallery (11) / Submit