Unpacking Elicense
peterg70
November 9th, 2002, 08:05
I have a target that uses the vtcpak33.dll as part of its protection.
I was looking at unpacking/unwrapping the elicense part of the software but found that the program had already expired.
Thought: no probs, just delete the mmf.sys file. So I shut down the service LicCtrl and deleted the mmf.sys file.
Then ran the software, which restarted the service LicCtrl, and the product was still expired. Anyone have any other thoughts on resetting the trial period? It seems all the previous tutes explain how to unpack the proggie, but they require the program NOT to be expired or else there is no way to get to the OEP.
Used Filemon but apart from some *.nls files that are accessed during the service startup not much there.
In the registry I found a weird thing: HKLM\software\licctrl\licctrl\licctrl\licctrl is the path, but when trying to access the last one I get a key error and am not able to delete it.
Just a thought: is it that it uses the registry to hide the data? But how can I delete or see what's there?
peter
Kayaker
November 9th, 2002, 11:59
Hi
Will it Export that registry key to a .reg file OK so you can see that final value? Sounds like a really weird error. Regedit won't allow you to delete the whole key?
Kayaker
peterg70
November 10th, 2002, 00:00
The export starts to export, but when it gets to that specific key it just doesn't write anything.
Could be a corrupt registry entry on my side but don't know how I created it. Was thinking this might be part of the version 3 of elicense.
Still unable to reset the trial period.
peter
Artifex
November 10th, 2002, 08:17
A few months ago we had a thread on an e-license protected prog.
Here are some notes:
Prog. protected with vtcpak33d.dll
With Softice :
bpx bff6430d if (ax==9001)
F5
bff6430d jmp eax
f10
xxxx9001 (02319001 or 021f9001)
g 0222ffad or g 0210ffad (xxxx - 000f)
if your 30-day trial period is not over :
at xxxxffad nag screen (TRY, BYE, QUIT)
f10
xxxxffad
xxxxffb2
g 02483bff (or xxxx + 0022)
02483bff jmp [024a2024] = jump to 52ac00 (OEP)
a
jmp eip
/dump 400000 3e7000 dpdump1.exe
------------------------------------------
IF YOUR 30-DAY TRIAL PERIOD IS OVER :
r eip xxxxffb2
g 0223145c : don't jump to 022388e
g 0223388e : jump to 022333dc
g 0223464b : wrapper does unpacking
g 0223465d : wrapper works upon the PE header (changes it, moves it (?) and zeroes part of it (4000xx to 4002xx))
g 02483bff jmp [024a2024] = jump to 52ac00 (OEP)
a
jmp eip
dump
-------------------------------------------
Dump crashes (it has a zeroed PE header).
That thread closed when we got our aim.
Good luck.
Artifex
peterg70
November 10th, 2002, 10:35
Artifex
Thanks for that, but having done a search I had already found that.
The vtcpak33d.dll is different from the vtcpak33.dll that I have.
Nothing corresponds, and there seems to be IAT encryption in there, but I still can't get the trial period reset.
Hmmm.
Need a drink and a new way to look at this.
peter
squidge
November 10th, 2002, 14:42
You may find this program helpful; it describes a way of hiding data in the registry without regedit being able to delete, display or modify the data. It seems a few programs are already using this method as part of their protection. It only seems to work on 2k/XP, but I assume that's what most people are using anyway.
It includes full source code.
Kayaker
November 10th, 2002, 18:15
Interesting trick, it sounds exactly like what's happening. Wish I could check it out but it's not for Win9x apparently.
Just wanted to mention another little app that clears some system restrictions including access to the registry with Regedit (as one version of Merak Mail did if it caught you fiddling with it). It's called Key2000 and is available at
http://www.bookcase.com/library/software/win9x.security.undef.html
or directly
ftp://ftp.simtel.net/pub/simtelnet/win95/security/key2k_13.zip
Kayaker