WinLicense v2.2 x64 unpack tut

[ahmadmansoor]

not a big deal but I hope u like it ,Thanks to Carbon For unpack file.


https://docs.google.com/file/d/0B402...SzA/edit?pli=1

[ZeNiX]

The tut is so direct.
I love it.

I saw it twice and spent a few time to adjust my IDA to work with WinDbg.
My system is Windows 8.1 x64, so it is a little tricky.

Then, one question pops up.
WinLicense x64 does not have any anti-debug protection?

I thought it will detect my debugger.

[ahmadmansoor]

Hi ZeNIX and thanks that u like it .
the unpacked file use the lost options in packing ,that why not detect ur debugger.
That all .

[mr.exodia]

Winlicense x64 has anti-debug stuff, but it's not really strong. I believe only some minor PEB changes (easy), ProcessDebugPort and ProcessDebugFlags check. Also some anti guard page, but im not 100% on that

[ZeNiX]

Oh, I forgot to ask one more thing.
Is there anti-dump tricks on WinLicense x64?
Such as CPIUD, Heap Stack,....?

[[ID]ZE]

Hi,Ahmadmansoor
I test u tuts,but I can not setup the IDA Process option correctly.I do not know how fill the Parameters option.It pop up the warning message:The file can't be loaded by the debugger plugin.Please verify that the parameters are valid.I install WinDDK contains the Debuggers directory.Please tell that How config the IDA 64 + WinDDK dbgsvr.exe,thank you!

[nikkapedd]

[ID]ZE, if you are using ida v6.1 go to the folder "cfg" and open the file ida.cfg
search this string

Code:

//
// Location of Microsoft Debugging Engine Library (dbgeng.dll)
// This value is used by both the windmp (dump file loader) and the windbg
// debugger module. Please also refer to dbg_windbg.cfg
// (note: make sure there is a semicolon at the end)

//DBGTOOLS = "put here the full path of your windbg install folder";

, and change the DBGTOOLS path according with the windbg install folder...

[ahmadmansoor]

@[ID]ZE : what u did and not work the steps is very clear .
run IDA x64 version ( if u have it ) then chose ur debugger from the list (Windbg debugger) then load ur target ( x64 must be ) then IDA will ask u for (dbgsrv.exe).
u will find it in :

Quote:

C:\WinDDK\7600.16385.1\Debuggers

folder chose it ,confirm the command & port information .
Done .

[Storm Shadow]

Very interesting, do you know if the segments area that shall be analyzed would be the same each time in the low security settings.Or have spesific signaturs
Thinking off doing a plugin script to automate the process if so.

[Storm Shadow]

Here you go @ahmadmansoor

PHP Code:

import idc
import idaapi

sEA = 0x0000000140001000
eEA = sEA + 0x1
ea = GetEntryPoint(1)
ea2 = MaxEA
idc.LoadDebugger("windbg", 1)
LoadDebugger("windbg", 1)
AddBptEx(0x0000000140001000, 0x1, BPT_BRK)
SetDebuggerOptions(DOPT_BPT_MSGS)
path = GetInputFilePath()
args = ''
sdir = ''
StartDebugger(path, args, sdir)
enable_extlang_python(True)
MakeCode(0x0000000140001000)
PauseProcess()
enable_extlang_python(True)
StopDebugger()



print "##################################################\n" \
      "        What just HAppend your asked ?            \n" \
      "        While you blinked.                        \n" \
      "       IDA Python did the work for you            \n" \
      "                                                  \n" \
      "         WinLicense Easy settings checker       \n" \
      "#############################################\n" \
      " Storm Shadow      \n" \
      "#############################################\n"
print ("IAT = 0000000140001000")
print ("WinLicense IAT is FOUND\n" \
      "IMPORT Breakpoint Adress into X64 By Mr Exodia")
Jump(0x0000000140001000) 


Code proberly dosent show correct in the forum
if error get it here.(RAW)
http://pastie.org/9381756

check if it produces code correct, if correct. procced to ScullaHide
Winlicense testfile Easy settings TIGER64 (Red)

UnpackmeWLx64.zip

[mr.exodia]

@Storm Shadow: Just wondering, why is my name in the script?

Greetings

[Storm Shadow]

Quote:

Originally Posted by mr.exodia

@Storm Shadow: Just wondering, why is my name in the script?

Greetings

i was only apdapting the script to ahmadmansoor tut , He use scullahide to dump after he finds the right IAT, you can mod it out if you like.
I thought you didnt mind.

NB!! if it dosent jump to right code after script, it didnt find the right IAT.

[ahmadmansoor]

@Storm Shadow : thanks for concern of this topic ,Now I am out trying to do some work ,back and try ,and movie flash will always be Welcome