WinLicense v2.2 x64 unpack tut
Not a big deal, but I hope u like it. Thanks to Carbon for the unpack file.
https://docs.google.com/file/d/0B402...SzA/edit?pli=1 |
The tut is so direct.
I love it. I saw it twice and spent some time adjusting my IDA to work with WinDbg. My system is Windows 8.1 x64, so it is a little tricky. Then, one question pops up. WinLicense x64 does not have any anti-debug protection? I thought it would detect my debugger. |
Hi ZeNIX, and thanks that u like it.
The unpacked file uses the lost options in packing, that's why it does not detect ur debugger. That's all. |
WinLicense x64 has anti-debug stuff, but it's not really strong. I believe only some minor PEB changes (easy), ProcessDebugPort and ProcessDebugFlags checks. Also some anti guard page, but I'm not 100% on that.
|
Oh, I forgot to ask one more thing.
Are there anti-dump tricks on WinLicense x64? Such as CPUID, Heap Stack,....? |
Hi, Ahmadmansoor
I tested ur tuts, but I cannot set up the IDA Process option correctly. I do not know how to fill in the Parameters option. It pops up the warning message: The file can't be loaded by the debugger plugin. Please verify that the parameters are valid. I installed WinDDK, which contains the Debuggers directory. Please tell me how to configure IDA 64 + WinDDK dbgsvr.exe, thank you! |
[ID]ZE, if you are using IDA v6.1, go to the folder "cfg" and open the file ida.cfg
Search for this string: Code:
// |
@[ID]ZE: what did u do that did not work? The steps are very clear.
Run the IDA x64 version (if u have it :) ), then choose ur debugger from the list (Windbg debugger), then load ur target (it must be x64), then IDA will ask u for (dbgsrv.exe). U will find it in: Quote:
Done. |
Very interesting. Do you know if the segment areas that shall be analyzed would be the same each time in the low security settings? Or do they have specific signatures?
Thinking of doing a plugin script to automate the process if so. |
Here you go @ahmadmansoor
PHP Code:
If error, get it here (RAW): http://pastie.org/9381756
Check if it produces the code correctly; if correct, proceed to ScyllaHide.
Winlicense testfile Easy settings TIGER64 (Red) Attachment 7859 |
@Storm Shadow: Just wondering, why is my name in the script?
Greetings |
Quote:
I thought you didn't mind. :o NB!! If it doesn't jump to the right code after the script, it didn't find the right IAT. |
@Storm Shadow: thanks for your concern for this topic. Now I am out trying to do some work; I'll be back and try it, and a flash movie will always be welcome ;)
|