Exetools

Exetools (https://forum.exetools.com/index.php)
-   x64 OS (https://forum.exetools.com/forumdisplay.php?f=44)
-   -   WinLicense v2.2 x64 unpack tut (https://forum.exetools.com/showthread.php?t=15593)

ahmadmansoor 02-05-2014 20:14

WinLicense v2.2 x64 unpack tut
 
Not a big deal, but I hope u like it. Thanks to Carbon for the unpacked file.


https://docs.google.com/file/d/0B402...SzA/edit?pli=1

ZeNiX 02-08-2014 22:30

The tut is so direct.
I love it.

I saw it twice and spent some time adjusting my IDA to work with WinDbg.
My system is Windows 8.1 x64, so it is a little tricky.

Then one question pops up.
Does WinLicense x64 not have any anti-debug protection?

I thought it would detect my debugger.

ahmadmansoor 02-08-2014 23:01

Hi ZeNiX, and thanks, glad u like it.
The unpacked file uses the lost options in packing, that's why it doesn't detect ur debugger.
That's all.

mr.exodia 02-08-2014 23:46

WinLicense x64 has anti-debug stuff, but it's not really strong. I believe only some minor PEB changes (easy), a ProcessDebugPort check and a ProcessDebugFlags check. Also some anti guard page, but I'm not 100% on that.

ZeNiX 02-10-2014 09:48

Oh, I forgot to ask one more thing.
Are there anti-dump tricks in WinLicense x64?
Such as CPUID, Heap Stack, ...?

[ID]ZE 06-09-2014 19:01

Hi, Ahmadmansoor
I tested ur tuts, but I cannot set up the IDA Process option correctly. I do not know how to fill in the Parameters option. It pops up the warning message: "The file can't be loaded by the debugger plugin. Please verify that the parameters are valid." I installed the WinDDK, which contains the Debuggers directory. Please tell me how to configure IDA 64 + WinDDK dbgsrv.exe, thank you!

nikkapedd 06-10-2014 23:30

[ID]ZE, if you are using IDA v6.1, go to the folder "cfg", open the file ida.cfg
and search for this string:
Code:

//
// Location of Microsoft Debugging Engine Library (dbgeng.dll)
// This value is used by both the windmp (dump file loader) and the windbg
// debugger module. Please also refer to dbg_windbg.cfg
// (note: make sure there is a semicolon at the end)

//DBGTOOLS = "put here the full path of your windbg install folder";

and change the DBGTOOLS path according to your WinDbg install folder...

ahmadmansoor 06-11-2014 00:16

@[ID]ZE : what did u do that did not work? The steps are very clear.
Run the IDA x64 version (if u have it :) ), then choose ur debugger from the list (WinDbg debugger), then load ur target (it must be x64), then IDA will ask u for (dbgsrv.exe).
u will find it in:
Quote:

C:\WinDDK\7600.16385.1\Debuggers
Choose that folder, confirm the command & port information.
Done.

Storm Shadow 06-17-2014 21:57

Very interesting. Do you know if the segments area that shall be analyzed would be the same each time in the low security settings, or have specific signatures?
Thinking of doing a plugin script to automate the process if so.

Storm Shadow 07-13-2014 02:35

Here you go @ahmadmansoor

Code:

# IDAPython for IDA 6.x (Python 2): load the WinDbg backend, put a breakpoint
# on the expected WinLicense IAT address, run the target, then stop and jump
# there so the IAT can be checked before moving on to ScyllaHide.
import idc
import idaapi

sEA = 0x0000000140001000              # expected IAT address for the test file
eEA = sEA + 0x1
ea  = GetEntryPoint(1)                # entry point of the loaded module
ea2 = MaxEA()                         # highest address in the database

idc.LoadDebugger("windbg", 1)         # select the WinDbg debugger backend
AddBptEx(sEA, 0x1, BPT_BRK)           # 1-byte breakpoint at the IAT address
SetDebuggerOptions(DOPT_BPT_MSGS)     # log breakpoint hits to the output window

path = GetInputFilePath()             # debug the file the IDB was created from
args = ''
sdir = ''
StartDebugger(path, args, sdir)
enable_extlang_python(True)
MakeCode(sEA)                         # force disassembly at the IAT address
PauseProcess()
enable_extlang_python(True)
StopDebugger()

print("##################################################\n"
      "        What just Happened, you asked?            \n"
      "        While you blinked.                        \n"
      "       IDA Python did the work for you            \n"
      "                                                  \n"
      "         WinLicense Easy settings checker         \n"
      "##################################################\n"
      " Storm Shadow                                     \n"
      "##################################################\n")
print("IAT = 0000000140001000")
print("WinLicense IAT is FOUND\n"
      "IMPORT Breakpoint Address into X64 By Mr Exodia")
Jump(sEA)                             # land the view on the IAT address

The code probably doesn't show correctly in the forum;
if there's an error, get it here (RAW):
http://pastie.org/9381756

Check if it produces correct code; if it does, proceed to ScyllaHide.
WinLicense test file, Easy settings, TIGER64 (Red)

Attachment 7859

mr.exodia 07-13-2014 04:49

@Storm Shadow: Just wondering, why is my name in the script?

Greetings

Storm Shadow 07-13-2014 05:00

Quote:

Originally Posted by mr.exodia (Post 92808)
@Storm Shadow: Just wondering, why is my name in the script?

Greetings

i was only adapting the script to ahmadmansoor's tut. He uses ScyllaHide to dump after he finds the right IAT; you can mod it out if you like. :)
I thought you didn't mind. :o

NB!! If it doesn't jump to the right code after the script, it didn't find the right IAT.

ahmadmansoor 07-13-2014 17:57

@Storm Shadow : thanks for ur concern for this topic. Now I am out trying to do some work; I'll come back and try, and a movie flash will always be welcome ;)

