Vermithrax
August 4th, 2002, 05:24
Hey people. 
I've been working on unpacking/unwrapping Z-mud v6.32 Beta. Available at: h t t p : / / w w w.z u g g s o f t.c o m / r e d i r e c t . a s p ? t a r g e t = z m u d b e t a
I'm pretty new (in fact, this is my first "real" try at unwrapping/crackin' anything!). It's using Elicense protection with vtcpack33.dll, and I'm having probs getting a dump that works. It appears to be doing an xor after unpacking, and I'm not sure where the actual unpacked (and un-xored?) jump is that I can step into. I'm using TRW2000 1.23 and I tried to pedump where I *thought* the jump was... F8'd into it, it looked reasonable, and it didn't work afterwards. I couldn't use makepe, which is only in the regged ver of TRW2k, which says that it fixes headers or something... And when I tried to run the resulting executable (I renamed it to Zmud.exe just in case, saving the old one as a backup), it just gives some kind of protection fault and zaps out, so it's obviously not a good dump... Maybe these headers that are being talked about are being corrupted there?
So anyhoo, I loaded zmud.exe in trw2k, and F5'd until I was at the Elicense try/buy/license (I tried the damn proxy, but it didn't work, even though I told it to use the proxy. *mumble*) I then CTRL-N'd and set a breakpoint at freelibrary, which is where I've seen most elicense posts talk about. So I F5'd back out after setting the breakpoint and clicked on the TRY button (I've only got 5 days left haw), and immediately trw2k popped up with the breakpoint. Anyhoo, I continued tracing with F10 (which doesn't step into function calls), and looked for the first JMP after that, which I presumed (like I say, this is my first time, but I've done a lot of research!!, and I don't REALLY know yet!) would lead me to the unwrapped executable. After I followed the jump (not sure whether I should follow a CALL or a JMP after??) I saw what appeared to be a little bit of a loop with an xor after it. I figured it was just unpacking the file then un-xoring it, so I set a breakpoint at the xor. I'm not sure where the file was being unpacked to, what address or whatever (the OEP?? What does that mean? I know entry point, but... ?). After setting a breakpoint at the xor, I again hit f5, which after the loop was finished, stopped at the xor... So I let it do that, and it returned from the (jump?/call?)... I figured I'd see if the next JMP was the correct one, but it went through the same loop with the xor... Anyhoo, I didn't know where to go from here, so I used pedump and of course it didn't work.
I got revirgin 1.3. I'm using Windows ME, which prevents me from running softice or revirgin 1.4 (tried it on another machine, worked fine, but it was registered there... Mayhaps I can dump that one somehow? I tried Procdump, but it crashed.) Anyhoo, I can't figure out how to use revirgin if the executable just crashes; what process can I attach to?? So I said, "Can't do that..."
Anyhoo, I've tried like a sonofabitch to get this to dump correctly, and just can't figure it out.
Anyone care to give me a hand with my first crackorama ever? 
WoOooOOO!