
Thread: More eLicense 4 issues

  1. #1

    More eLicense 4 issues

    Hello all,

    I must admit that I never actually unpacked eLicense 4, since the program I was working on a while back released an update every week or so... I just built a little program (using ZapHidden by someone else, don't remember whom...) that reset the trial each time.

    Anyways, I now got something else on my hands and this one promises to be more interesting. Point is: there is NO trial. The only way to run the program is to reg it.
    Since the actual program never really runs, I guess it's more or less impossible to dump it from the eLicense nag screen, so I figured I should first get the program to RUN... I also guess that the existence of this 'Trial' button is a param somewhere, but there's prolly more params, like how long the trial should take, etc. I don't think it's possible to 'force' a trial button to appear.

    So, I'm stuck. I have no idea what to do next or if this is even possible at all. I could actually BUY the program (not too expensive) and then attempt to dump it once it really runs... but then I might as well just use the regkey I got to further reg it.

    So, does anybody know if this is possible and if so, where to start?

    Thanks,
    - Fahr

  2. #2
    Registered User hobferret's Avatar
    Join Date
    Jul 2002
    Location
    Alien Area near Albuquerque
    Posts
    203
    Fahr

    Interesting......

    Maybe you could PM the target - I'm not going to install it on my PC but on an old one I found in a dumpster

    Regards

    /hobferret

  3. #3
    Hobferret,

    as always #1 to come to the rescue, most appreciated.

    I sent you a PM with the target details. Thanks a lot!

    - Fahr

  4. #4
    Registered User hobferret
    Fahr

    Check your PM, it's all too easy

    Regards

    /hobferret

  5. #5
    Administrator dELTA's Avatar
    Join Date
    Oct 2000
    Location
    Ring -1
    Posts
    4,206
    Blog Entries
    5
    hobferret, if you found out something interesting about this protection wrapper you are of course welcome to share it with the rest of us, instead of just saying how easy it was...

  6. #6
    Registered User hobferret
    Quote Originally Posted by dELTA
    hobferret, if you found out something interesting about this protection wrapper you are of course welcome to share it with the rest of us, instead of just saying how easy it was...
    dELTA

    I did not post anything here coz it is really no different to what has been posted in the past - especially the bit about elicense ebooks

    Regards

    /hobferret

  7. #7
    Related to this issue; I just CAN'T get SoftICE to break on elicen40.dll and I assume that breaking when the dialog is already visible is too late...
    Also, OllyDBG (which I use normally) just runs this app without breaking at the EP.
    What tool(s) did you use, Hobferret? Cuz I have the feeling I am missing something here...

    Thanks,
    - Fahr

  8. #8
    Registered User hobferret
    Hi all

    This is from the PM to/from Fahr

    Re: Elicense crap

    --------------------------------------------------------------------------------

    Quote:
    Originally Posted by hobferret
    Hi M8

    Just follow this and you will be done!

    It's written in VB6 so IAT is a piece of cake!

    Elicense40.dll 09/17/2002 70KB & spawned temp file

    02614BDE 8985E0F0FFFF EAX==1 HERE
    02614BE4 8B8594DAFFFF M==1 HERE
    02614BEA 898510F3FFFF
    02614BF7 0F85DA020000 JNZ - YOU SHOULD AUTO JUMP HERE
    0261588E JUMP HERE
    026162A3 JUMP HERE
    0261889F JUMP HERE
    02619128 JUMP HERE - WILL TAKE YOU THRU UNPACKING TO EIP

    EIP 0040BE7C

    Regards

    /hobferret

    Looks simple indeed. I assume you did that with SoftICE? Cuz if I try to load it in OllyDBG, it immediately runs :S

    I do have SoftICE, but I guess I'll need some pointers on how to load this. Also note that elicen40.dll is packed with some ASPR, also not good for OllyDBG :P

    - Fahr

    It is quite easy to find this code in Olly - when at NAG screen set BP on DestroyWindow hit Quit - Olly will break on DestroyWindow, then just follow the code thru, I think it appears after 2, maybe 3 Ret's - Don't forget the values of the registers/memory need to be changed

    In SICE just load it into the loader and do the same - Don't forget if you are using DS you need to use the ADDR command else it wont break

    Regards

    /hobferret

  9. #9
    I can't believe it! I actually get a trial reg screen. I guess the EAX and mem changes have something to do with the command that was pressed? As in; 1 = trial, even though the button isn't there? Very cool!

    One thing though, in my mem, the mentioned routines are at addresses B0000 below yours, no probs there, I can find all the right code and jumps, EXCEPT this one:

    0261588E JUMP HERE

    For me it should be at 0256588E, but there's nothing there. Only at 88D:

    0256588D 8B95 849EFFFF MOV EDX,DWORD PTR SS:[EBP+FFFF9E84]

    The rest of the jumps are all there, as well as the little snippet at the start...

    - Fahr

  10. #10
    Registered User hobferret
    Fahr

    Typo

    Shud be 02615B8E - SORRY!!!

    Yep if EAX==1 you gotta trial kinda like Vbox idea.

    BTW you should not get a trial reg screen, it's probably coz you aint jumped at the one above wot I typed wrong

    Regards

    /hobferret
    Last edited by hobferret; May 26th, 2004 at 05:36.

  11. #11
    Cool it should be working now, thanks

    One more q, after the last jump (to the unpack routine, so to say), I put in a

    TC EIP < 2500000

    seemed like a good idea at the time, since that whole temp module is loaded at 25xxxxx and the OEP is at 0040BE7C. But I guess I missed something again, cuz it seems like tracing takes forever :S

    - Fahr

  12. #12
    Registered User hobferret
    Quote Originally Posted by Fahr
    Cool it should be working now, thanks

    One more q, after the last jump (to the unpack routine, so to say), I put in a

    TC EIP < 2500000

    seemed like a good idea at the time, since that whole temp module is loaded at 25xxxxx and the OEP is at 0040BE7C. But I guess I missed something again, cuz it seems like tracing takes forever :S

    - Fahr
    Just set a hardware breakpoint on EIP

    Remember all elic EP==EP!

    /hobferret

  13. #13
    Ah! Of course! That kind of slipped my mind

    I DID try a software breakpoint, but that never ends well with self-modifying code.

    One more odd issue; I have a dump now, I did a full dump using LordPE when OllyDBG broke on the EP. I then ran the demo of this app (which does run normally) and used ImpRec to capture the import table, which I then applied to my dump. So far, so good.

    The IAT fixed dump won't run, gives me an AV error and quits. The raw dump, without IAT fixed, just gives me an error message saying "Invalid data!!!" and then quits :hmm:

    I think that maybe I should fix the IAT using the original exe, but I can't get that one to actually run up till the point where I get a main screen. When I press F9 at the EP in Olly, it generates some unhandled exceptions and exits. End of story.

    Or maybe that dumped exe without IAT fix is good and just requires some more cracking?

    Thanks,
    - Fahr

  14. #14
    Registered User hobferret
    Hi again

    I don't think you will fix anything by running the demo

    When you have unpacked the God darn thing and dumped it - run it from there and you have the RIGHT program running

    EDIT - Sometimes you can resolve the IAT with the prog locked at EIP - EDIT

    Another tip:-
    When in temp file you will RET to elicense40.dll @ 02483C3E

    Then:-
    02483CCF FF255CF84902 JMP NEAR [0249F85C] == 0040BE7C

    0040BE7C 68ECE34000 PUSH DWORD 0040E3EC
    0040BE81 E8F0FFFFFFFF CALL MSVBM60!ThunRTMain

    All addresses except prog are relative to my PC, if you don't have this code at the EP then it has not unpacked

    Good nite for now, like I said before this elicense crap pi**es me off, personally I ain't found anything useful wrapped with this pile :!:

    Regards

    /hobferret
    Last edited by hobferret; May 26th, 2004 at 07:19.

  15. #15
    Ow, then mine is NOT unpacked :S It starts with something completely different!

    What went wrong? I followed all the steps and DID land on the EP after the unpack routine... only the code was different.

    - Fahr
