EXETOOLS FORUM  

#1
02-05-2014, 20:14
ahmadmansoor (Exetools Team Manager)
WinLicense v2.2 x64 unpack tut

Not a big deal, but I hope u like it. Thanks to Carbon for the unpack file.


https://docs.google.com/file/d/0B402...SzA/edit?pli=1
__________________
Ur Best Friend Ahmadmansoor
Always My Best Friend: Aaron & JMI & ZeNiX
#2
02-08-2014, 22:30
ZeNiX (Administrator)
The tut is so direct.
I love it.

I watched it twice and spent some time adjusting my IDA to work with WinDbg.
My system is Windows 8.1 x64, so it is a little tricky.

Then one question pops up.
WinLicense x64 does not have any anti-debug protection?

I thought it would detect my debugger.
#3
02-08-2014, 23:01
ahmadmansoor (Exetools Team Manager)
Hi ZeNiX, and thanks that u like it.
The unpacked file uses the lowest options in packing; that's why it does not detect ur debugger.
That's all.
#4
02-08-2014, 23:46
mr.exodia (Super Moderator)
WinLicense x64 has anti-debug stuff, but it's not really strong. I believe only some minor PEB changes (easy), a ProcessDebugPort and a ProcessDebugFlags check. Also some anti guard page, but I'm not 100% on that.
__________________
x64dbg: http://x64dbg.com
My Blog: http://mrexodia.cf
#5
02-10-2014, 09:48
ZeNiX (Administrator)
Oh, I forgot to ask one more thing.
Are there anti-dump tricks on WinLicense x64?
Such as CPUID, Heap Stack, ...?
#6
06-09-2014, 19:01
[ID]ZE (Friend)
Hi, Ahmadmansoor
I tested ur tuts, but I cannot set up the IDA Process options correctly. I do not know how to fill in the Parameters option. It pops up the warning message: "The file can't be loaded by the debugger plugin. Please verify that the parameters are valid." I installed the WinDDK, which contains the Debuggers directory. Please tell me how to configure IDA 64 + WinDDK dbgsrv.exe, thank you!
#7
06-10-2014, 23:30
nikkapedd (VIP)
[ID]ZE, if you are using IDA v6.1, go to the folder "cfg" and open the file ida.cfg.
Search for this string:
Code:
//
// Location of Microsoft Debugging Engine Library (dbgeng.dll)
// This value is used by both the windmp (dump file loader) and the windbg
// debugger module. Please also refer to dbg_windbg.cfg
// (note: make sure there is a semicolon at the end)

//DBGTOOLS = "put here the full path of your windbg install folder";
and change the DBGTOOLS path according to your windbg install folder...
#8
06-11-2014, 00:16
ahmadmansoor (Exetools Team Manager)
@[ID]ZE: what did u do that did not work? The steps are very clear.
Run the IDA x64 version (if u have it), then choose ur debugger from the list (WinDbg debugger), then load ur target (it must be x64); IDA will then ask u for dbgsrv.exe.
U will find it in:
Quote:
C:\WinDDK\7600.16385.1\Debuggers
Choose that folder, then confirm the command & port information.
Done.
#9
06-17-2014, 21:57
Storm Shadow (Family)
Very interesting. Do you know if the segment areas that should be analyzed would be the same each time in the low security settings, or have specific signatures?
Thinking of doing a plugin script to automate the process if so.
#10
07-13-2014, 02:35
Storm Shadow (Family)
Here you go @ahmadmansoor

Code:
import idc
import idaapi
from idc import *

# Start of the target's first section (the TIGER64 test file); the script
# expects WinLicense to have resolved the IAT here once execution stops.
sEA = 0x0000000140001000
eEA = sEA + 0x1
ea = GetEntryPoint(1)   # entry point of the loaded file
ea2 = MaxEA()           # highest address in the database

# Use the WinDbg backend over dbgsrv.exe (remote = 1), as in the tutorial.
idc.LoadDebugger("windbg", 1)
# Breakpoint at the expected IAT address; report breakpoint hits in the log.
AddBptEx(0x0000000140001000, 0x1, BPT_BRK)
SetDebuggerOptions(DOPT_BPT_MSGS)
path = GetInputFilePath()
args = ''
sdir = ''
StartDebugger(path, args, sdir)
idaapi.enable_extlang_python(True)
MakeCode(0x0000000140001000)
PauseProcess()
StopDebugger()

print("##################################################\n"
      "        What just happened, you asked?            \n"
      "        While you blinked,                        \n"
      "       IDA Python did the work for you            \n"
      "                                                  \n"
      "         WinLicense Easy settings checker         \n"
      "##################################################\n"
      " Storm Shadow                                     \n"
      "##################################################\n")
print("IAT = 0000000140001000")
print("WinLicense IAT is FOUND\n"
      "IMPORT Breakpoint Address into X64 By Mr Exodia")
Jump(0x0000000140001000)
The code probably doesn't show correctly in the forum;
if you get an error, get it here (RAW):
http://pastie.org/9381756

Check if it produces the code correctly; if correct, proceed to ScyllaHide.
WinLicense test file, Easy settings, TIGER64 (Red)

UnpackmeWLx64.zip

Last edited by Storm Shadow; 07-13-2014 at 02:43.
#11
07-13-2014, 04:49
mr.exodia (Super Moderator)
@Storm Shadow: Just wondering, why is my name in the script?

Greetings
#12
07-13-2014, 05:00
Storm Shadow (Family)
Quote:
Originally Posted by mr.exodia
@Storm Shadow: Just wondering, why is my name in the script?

Greetings
I was only adapting the script to ahmadmansoor's tut. He uses ScyllaHide to dump after he finds the right IAT; you can mod it out if you like.
I thought you didn't mind.

NB!! If it doesn't jump to the right code after the script, it didn't find the right IAT.
#13
07-13-2014, 17:57
ahmadmansoor (Exetools Team Manager)
@Storm Shadow: thanks for your concern about this topic. Now I am out trying to do some work; I'll be back and try it, and a movie flash will always be welcome.