Exetools  

#1  02-05-2014, 20:14
ahmadmansoor (Coder)
 
WinLicense v2.2 x64 unpack tut

Not a big deal, but I hope you like it. Thanks to Carbon for the unpack file.


https://docs.google.com/file/d/0B402...SzA/edit?pli=1
__________________
Ur Best Friend Ahmadmansoor
Always My Best Friend: Aaron & JMI & ZeNiX
#2  02-08-2014, 22:30
ZeNiX (Administrator)
 
The tut is so direct.
I love it.

I watched it twice and spent some time adjusting my IDA to work with WinDbg.
My system is Windows 8.1 x64, so it is a little tricky.

Then one question pops up.
Does WinLicense x64 not have any anti-debug protection?

I thought it would detect my debugger.
#3  02-08-2014, 23:01
ahmadmansoor (Coder)
 
Hi ZeNiX, and thanks, glad you like it.
The unpacked file uses the lowest options when packing; that is why it does not detect your debugger.
That's all.
#4  02-08-2014, 23:46
mr.exodia (Retired Moderator)
 
WinLicense x64 has anti-debug stuff, but it's not really strong. I believe only some minor PEB changes (easy), a ProcessDebugPort check and a ProcessDebugFlags check. Also some anti guard page, but I'm not 100% on that.
#5  02-10-2014, 09:48
ZeNiX (Administrator)
 
Oh, I forgot to ask one more thing.
Are there anti-dump tricks in WinLicense x64?
Such as CPUID, heap/stack, ...?
#6  06-09-2014, 19:01
[ID]ZE (Friend)
 
Hi Ahmadmansoor,
I tested your tuts, but I cannot set up the IDA Process options correctly. I do not know how to fill in the Parameters option. It pops up the warning message: "The file can't be loaded by the debugger plugin. Please verify that the parameters are valid." I installed the WinDDK, which contains the Debuggers directory. Please tell me how to configure IDA 64 + WinDDK dbgsrv.exe, thank you!
#7  06-10-2014, 23:30
nikkapedd (VIP)
 
[ID]ZE, if you are using IDA v6.1, go to the folder "cfg", open the file ida.cfg
and search for this string:
Code:
//
// Location of Microsoft Debugging Engine Library (dbgeng.dll)
// This value is used by both the windmp (dump file loader) and the windbg
// debugger module. Please also refer to dbg_windbg.cfg
// (note: make sure there is a semicolon at the end)

//DBGTOOLS = "put here the full path of your windbg install folder";
and change the DBGTOOLS path according to your WinDbg install folder...
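A small helper for the ida.cfg edit nikkapedd describes, added here as an example (it is not code from the thread or from IDA): it uncomments the DBGTOOLS line, writes the WinDbg folder with backslashes doubled as ida.cfg's C-style strings expect (an assumption about the file format), and always keeps the trailing semicolon the comment warns about. SAMPLE_CFG is a constructed copy of the fragment quoted above; the WinDDK path is the one ahmadmansoor gives later in the thread.

```python
import re

# Constructed sample of the ida.cfg fragment quoted in the post above (not a real file).
SAMPLE_CFG = """\
//
// Location of Microsoft Debugging Engine Library (dbgeng.dll)
// This value is used by both the windmp (dump file loader) and the windbg
// debugger module. Please also refer to dbg_windbg.cfg
// (note: make sure there is a semicolon at the end)

//DBGTOOLS = "put here the full path of your windbg install folder";
"""

# A DBGTOOLS assignment, commented out (//) or active, with or without the
# trailing semicolon. Group 1 keeps the line's indentation.
_DBGTOOLS_RE = re.compile(
    r'^([ \t]*)(?://[ \t]*)?DBGTOOLS[ \t]*=[ \t]*"[^"\n]*"[ \t]*;?[ \t]*$',
    re.MULTILINE)

# Active (uncommented) assignment only, capturing the quoted value.
_ACTIVE_RE = re.compile(r'^[ \t]*DBGTOOLS[ \t]*=[ \t]*"([^"\n]*)"[ \t]*;', re.MULTILINE)


def set_dbgtools(cfg_text, windbg_dir):
    """Return cfg_text with DBGTOOLS pointing at windbg_dir (semicolon included).

    The placeholder line is uncommented in place; if no DBGTOOLS line exists at
    all, one is appended so the setting is still present.
    """
    # Assumption: ida.cfg strings use C-style escapes, so every backslash is doubled.
    escaped = windbg_dir.rstrip("\\/").replace("\\", "\\\\")
    # A function replacement avoids re.sub reinterpreting the doubled backslashes.
    text, count = _DBGTOOLS_RE.subn(
        lambda m: m.group(1) + 'DBGTOOLS = "%s";' % escaped, cfg_text, count=1)
    if count == 0:
        if not text.endswith("\n"):
            text += "\n"
        text += 'DBGTOOLS = "%s";\n' % escaped
    return text


def get_dbgtools(cfg_text):
    """Return the active DBGTOOLS path (unescaped), or None if unset or commented out."""
    m = _ACTIVE_RE.search(cfg_text)
    return m.group(1).replace("\\\\", "\\") if m else None
```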
#8  06-11-2014, 00:16
ahmadmansoor (Coder)
 
@[ID]ZE: what did you do that did not work? The steps are very clear.
Run the IDA x64 version (if you have it), then choose your debugger from the list (Windbg debugger), then load your target (it must be x64); IDA will then ask you for dbgsrv.exe.
You will find it in:
Quote:
C:\WinDDK\7600.16385.1\Debuggers
Choose that folder and confirm the command & port information.
Done.
#9  06-17-2014, 21:57
Storm Shadow (Family)
 
Very interesting. Do you know if the segment areas that need to be analyzed would be the same each time with the low security settings, or whether they have specific signatures?
Thinking of doing a plugin script to automate the process if so.
#10  07-13-2014, 02:35
Storm Shadow (Family)
 
Here you go @ahmadmansoor

Code:
import idc
import idaapi

# Address where the script expects the WinLicense IAT to be (image base 0x140000000 + 0x1000)
sEA = 0x0000000140001000
eEA = sEA + 0x1
ea = GetEntryPoint(1)
ea2 = MaxEA()

# Use the WinDbg backend as a remote debugger (via dbgsrv) and break
# as soon as the expected IAT address is reached
idc.LoadDebugger("windbg", 1)
AddBptEx(sEA, 0x1, BPT_BRK)
SetDebuggerOptions(DOPT_BPT_MSGS)

# Start the loaded input file with no arguments from its own directory
path = GetInputFilePath()
args = ''
sdir = ''
StartDebugger(path, args, sdir)
enable_extlang_python(True)

# Make sure the bytes at the IAT address are shown as code, then suspend and detach
MakeCode(sEA)
PauseProcess()
StopDebugger()

print ("##################################################\n"
       "        What just happened, you asked?            \n"
       "        While you blinked,                        \n"
       "       IDA Python did the work for you            \n"
       "                                                  \n"
       "         WinLicense Easy settings checker         \n"
       "##################################################\n"
       " Storm Shadow                                     \n"
       "##################################################\n")
print ("IAT = 0000000140001000")
print ("WinLicense IAT is FOUND\n"
       "IMPORT Breakpoint Address into X64 By Mr Exodia")
Jump(sEA)
The code probably doesn't show correctly in the forum;
if you get an error, get it here (RAW):
http://pastie.org/9381756

Check if it produces the correct code; if it does, proceed to ScyllaHide.
WinLicense test file, Easy settings, TIGER64 (Red):

UnpackmeWLx64.zip

Last edited by Storm Shadow; 07-13-2014 at 02:43.
#11  07-13-2014, 04:49
mr.exodia (Retired Moderator)
 
@Storm Shadow: Just wondering, why is my name in the script?

Greetings
#12  07-13-2014, 05:00
Storm Shadow (Family)
 
Quote:
Originally Posted by mr.exodia
@Storm Shadow: Just wondering, why is my name in the script?

Greetings
I was only adapting the script to ahmadmansoor's tut. He uses ScyllaHide to dump after he finds the right IAT; you can mod it out if you like.
I thought you didn't mind.

NB!! If it doesn't jump to the right code after the script, it didn't find the right IAT.
#13  07-13-2014, 17:57
ahmadmansoor (Coder)
 
@Storm Shadow: thanks for your concern for this topic. Right now I am out doing some work; I'll be back to try it, and a movie flash will always be welcome.