Hi !

I'm trying unpack zmud 6.62, which is protected by e-license 4.0, but i failed.
I read som tutorials about unpacking, but i'm unable to recreate IAT.
In encrypted zmud.exe (.idata section) is only one export cyb to elicen40.dll, which resolve exports and encrypt its in memory (?).
Anyone has some experience with e-license 4.0 and how to recreate sections ?
Please help me. Thanx.

DeCryptoniTe.

e-license is silly, just start the program till u get the e-license nag screen, bpx on freelibrary, hit free trial, and execute the api till the user code, look for.

JMP DWORD PTR DS:[249F85C] <--This Jumps to OEP

Of Course 249F85C will be differnt in most programs thats what i got for Zmud
just look for a "JMP DWORD PTR [XXXXXXX]

The OEP has a funny startup code i think some of the instructions like

PUSH EBP
MOV EBP, ESP

are emulated b4 the JMP DWORD PTR [XXXXXXX]

Should be simple enough to fix

Api's are also Simple from what i saw they are like:



So 1DAED479 XOR 6A4973A6 = 77E7A7DF
77E7A7DF = Kernel32.GetCurrentThreadId

On my Pc at least, its easy enough to fix all imports by hand, just takes a while
maybe somebody with experience can write a simple plugin for imprec ? :P

Have fun

-Billy

Nevermind about the plugn its not even needed, i was playing and i found this.

Find the First Invalid IAT Entry.

Mine was:

RVA: 0038C230 (0078C230 <-- in Memory)

Start the Program till u are at the Nag Screen, goto that rva in the dump window.

Set a Hardware Breakpoint on the 4 Bytes (Write)

Click FreeTrial

You will break here.
02537CD3 MOV DWORD PTR DS:[ECX],EAX ;Eax Contains Fake Api
02537CD5 MOV EDX,DWORD PTR SS:[EBP-2AC]

Scrolling up u will see this code.



02537C13 8B85 2CFDFFFF MOV EAX,DWORD PTR SS:[EBP-2D4]
02537C19 8930 MOV DWORD PTR DS:[EAX],ESI
02537C1B 8B8D 2CFDFFFF MOV ECX,DWORD PTR SS:[EBP-2D4]
02537C21 8B95 4CFDFFFF MOV EDX,DWORD PTR SS:[EBP-2B4] ; Contains Real API
02537C27 3311 XOR EDX,DWORD PTR DS:[ECX]
02537C29 8B85 30FDFFFF MOV EAX,DWORD PTR SS:[EBP-2D0]
02537C2F 8910 MOV DWORD PTR DS:[EAX],EDX
02537C31 8B8D 34FDFFFF MOV ECX,DWORD PTR SS:[EBP-2CC]
02537C37 8B95 38FDFFFF MOV EDX,DWORD PTR SS:[EBP-2C8]
02537C3D 8D440A 02 LEA EAX,DWORD PTR DS:[EDX+ECX+2]
02537C41 8985 3CFDFFFF MOV DWORD PTR SS:[EBP-2C4],EAX
02537C47 8B8D 3CFDFFFF MOV ECX,DWORD PTR SS:[EBP-2C4]
02537C4D 8B95 30FDFFFF MOV EDX,DWORD PTR SS:[EBP-2D0]
02537C53 8911 MOV DWORD PTR DS:[ECX],EDX
02537C55 8B85 34FDFFFF MOV EAX,DWORD PTR SS:[EBP-2CC]
02537C5B 8B8D 38FDFFFF MOV ECX,DWORD PTR SS:[EBP-2C8]
02537C61 8D5401 08 LEA EDX,DWORD PTR DS:[ECX+EAX+8]
02537C65 8995 3CFDFFFF MOV DWORD PTR SS:[EBP-2C4],EDX
02537C6B 8B85 3CFDFFFF MOV EAX,DWORD PTR SS:[EBP-2C4]
02537C71 8B8D 2CFDFFFF MOV ECX,DWORD PTR SS:[EBP-2D4]
02537C77 8908 MOV DWORD PTR DS:[EAX],ECX
02537C79 8B95 34FDFFFF MOV EDX,DWORD PTR SS:[EBP-2CC]
02537C7F 8B85 38FDFFFF MOV EAX,DWORD PTR SS:[EBP-2C8]
02537C85 8D4C10 0D LEA ECX,DWORD PTR DS:[EAX+EDX+D]
02537C89 898D 3CFDFFFF MOV DWORD PTR SS:[EBP-2C4],ECX
02537C8F 8B95 3CFDFFFF MOV EDX,DWORD PTR SS:[EBP-2C4]
02537C95 8B85 ACFDFFFF MOV EAX,DWORD PTR SS:[EBP-254]
02537C9B 8902 MOV DWORD PTR DS:[EDX],EAX
02537C9D 8B8D 34FDFFFF MOV ECX,DWORD PTR SS:[EBP-2CC]
02537CA3 8B95 38FDFFFF MOV EDX,DWORD PTR SS:[EBP-2C8]
02537CA9 8D440A 14 LEA EAX,DWORD PTR DS:[EDX+ECX+14]
02537CAD 8985 3CFDFFFF MOV DWORD PTR SS:[EBP-2C4],EAX
02537CB3 8B8D 3CFDFFFF MOV ECX,DWORD PTR SS:[EBP-2C4]
02537CB9 8B95 ACFDFFFF MOV EDX,DWORD PTR SS:[EBP-254]
02537CBF 8911 MOV DWORD PTR DS:[ECX],EDX
02537CC1 8B85 38FDFFFF MOV EAX,DWORD PTR SS:[EBP-2C8] ; Start Faking Api
02537CC7 0385 34FDFFFF ADD EAX,DWORD PTR SS:[EBP-2CC] ; Finish Faking Api
02537CCD 8B8D 54FDFFFF MOV ECX,DWORD PTR SS:[EBP-2AC]
02537CD3 8901 MOV DWORD PTR DS:[ECX],EAX ; Mov Fake Api into IAT
02537CD5 8B95 54FDFFFF MOV EDX,DWORD PTR SS:[EBP-2AC]


Simply Change



02537CC1 8B85 38FDFFFF MOV EAX,DWORD PTR SS:[EBP-2C8] ; Start Faking Api
02537CC7 0385 34FDFFFF ADD EAX,DWORD PTR SS:[EBP-2CC] ; Finish Faking Api
02537CCD 8B8D 54FDFFFF MOV ECX,DWORD PTR SS:[EBP-2AC]
02537CD3 8901 MOV DWORD PTR DS:[ECX],EAX ; Mov Fake Api into IAT

to

02537CC1 8B85 4CFDFFFF MOV EAX,DWORD PTR SS:[EBP-2B4]
02537CC7 90 NOP
02537CC8 90 NOP
02537CC9 90 NOP
02537CCA 90 NOP
02537CCB 90 NOP
02537CCC 90 NOP
02537CCD 8B8D 54FDFFFF MOV ECX,DWORD PTR SS:[EBP-2AC]
02537CD3 8901 MOV DWORD PTR DS:[ECX],EAX


That will replace all fake entires with Real ones, just let it will stop on a exception, then just fire up imprec and imports are 100% correct.

Sorry for the Previous Post i just discovered this

Hmm After Fixing the Dump and running Dumped_.exe , lots of crashes
No idea how to fix this, anybody want to have a look and shed some light ? iam way too busy to be getting into this but would like to see how to resolve it.

-Billy

First ! Thanks for your Reply, but I already unpack my target.

Yes, E-license is silly. OEP is EP of packed exe.
My first problem was, that E-license (EL) used anti-dump tricks, so you can't
dump program with ProcDump or IceDump (If you don't believe me, try dump .idata section from elicen40.dll. It creates 2,2 GB file.).
So better is used LordPE for dumping exe.
Second, this is was my first attempt to manually unpack (without unpacker) packed file, so i never heard about tools like revirgin or Import Reconstructor.
Never mind.

You don't need decrypt IAT with NOPing xor and add instruction.
Use Trace Level 3 (trap flag) and ImpRec resolve unresolved imports.
Than fix dump and dumped_.exe works fine on my Computer.
But I heard, that on other system (Win2k oftenly), it crash sometimes with message
"Access violation on adrex 0x0....., Read of Address FFFFFFFF".
So, there is still some unresolved pointers or maybe .reloc table is invalid for
dumped file ? I don't know.

i am trying to do it with ollydbg. is it possible? when i hit free trial the program goes out and turns off my computer. any help?
(thx for all your information)

well i have unpacked zmud follow the post that is more down, and i have the executable that runs well, but when i connect to server the program products a segment fault or something. any help? plis....

How do I dump the EXE with Import Reconstructor? I'm trying to unpack Total Pro Football URL Removed) and have never manually unpacked before.


Thanks,

Kevin

SlantNGo:

It certainly appears that you ignored the BIG RED LETTERS at the top of the Forums. Time to go back there, read the message and then review the FAQ. Then use the "search" button and do some of your own research on how one may "dump with import Reconstructor." Then do a search of "manual unpacking" and read a whole bunch of threads on that subject, then make an attempt on your own to do these things and report back when you have a "specific" question about how far you got and where you are stuck.

No one here has the time or the energy to attempt to take you by the hand and lead to through the entire process of learning how to dump or manually unpack exes of your current favorite target. The short answer to your question is that you have to learn how to crawl before you can walk and you have given no indication you yet know how to crawl. There is already plenty of information here for you to review on "learning how to crawl."

Regards,

I apologize JMI. I have been reading and following tutorials and other forum posts, from Muad'dib's eLicense 2.4 tutorial to the posts in this thread. I am using OllyDbg, setting a breakpoint on FreeLibrary as in Billy's post and on GetModuleHandleA as in Muad's tutorial, but it never makes it to either of the two breakpoints. I am supposed to be setting a hardware breakpoint, right?

I suspect it's because I'm having to set back my clock in order to get the Trial button on the splash screen (my 3-day trial has expired). I think it performs the system clock check before it gets to my breakpoints. I was looking for a possible "quick fix" using ImpRec to fix up the invalid imports. Is anyone familiar with eLicense 4.0 as in what traces it leaves on the hard drive that I could get rid of? If not, I'll probably have to save my system to a ghost, then pull back an old one w/o Total Pro Football, reinstall it and do my debugging from there.

i think that the bpx is bpx Kernel32.FreeLibrary in the nag window With zmud is.

well, i think the elicense has a removal tool in order to do this, see the main page of elicnse to download it. another way is to search into the elicense to do this by hand, there are some tutorials tehre to do this. i don t try them but i think there should work. the elicense has two files lmmc and other i dont remember that are blocked by the system control. if yo remove this files you remove elicense.

Yea, I removed Elicense using the removal tool, uninstalled the game, and checked to make sure lmmcfu.cpl and mmfs.dll were gone, reinstall the game... still can detect my trial has expired. I'm sure there's something else hidden that's gotta be removed. How were you able to get around this? Or is your trial still active?

Hiya

Look for what I posted on this site about a month back

Elicense40 - It is really easy if you have expired "not literally" just read it - if you had done a search you would have found it - try not to be lazy!

/hobferret

Hi hobferret,

I saw that post, couldn't follow your instructions, couldn't find the byte sequence 83BDE0F0FFFF02 you referred to. Is that program specific? Or is it common to the elicen40.dll? Also mine is different size/date than yours, 69 KB and July 2002 I believe, I'll double-check that when I get home.

Hiya SlantNGo

That sequence is specific to elicense40.dll or at least every one I have seen

If you can't find it try running the prog again, when you arrive at the nag search again and you will most likely find it - had the same prob here a couple of times - it's there you just need to persevere

If all else fails, get the window handle then try a BMSG Wm_Destroy and you will eventually end up in the right code area

One other thing someone posted something about finding the correct IAT reference, in this version you need to subtract 4 from the address you are looking for because the prog then adds +4 to the byte. i.e if you are looking for 0078C230 the break on 0078C22C - OK!

/hobferret

SlantNGo, I am also trying to do the same programme and have run into a few problems myself. I am just starting out though and admit perhaps I am trying to run before I can walk. My main problem is when I try to start up my SoftIce loader nothing happens the sequence goes like this:

(1) Load up SoftIce lite

(2) Load up TPF.exe

(3) Get the Trial Expired screen with no option but to exit.

Thats it I get nothing after that the only thing I can do is just exit, no breakpoints no SoftIce pop up nothing.

Whats interesting for me is the mmfs file. Now I uninstalled the e-license control but mmfs.dll was still in my windows folder after destorying nearly all processes in task manager I finally was allowed to delete it (before that I got the stupid "read-write protection bla bla" message). For me that leads me to believe that mmfs is connected to the connection protocal for registering. More on that in a few seconds. You may also notice that mmfs.dll and elicense.dll are wrapped. This is obvious by examining a hex editor which has tons of information and the .dll in a diassmbler like WDASM. Now my question to hobferret is in the programme that you used were the mmfs and e-license files both wrapped? If not then this is the difference between TPF and what ever programme you were reversing and maybe why the byte routine can't be found in TPF.

Back to the mmfs.dll file now I've partially examined the file in HEdit. In between all the "gunk" bytes you discover certian calls such as GetModuleHandleA and a call made to a connection process. This makes me think that mmfs is the major connection file along with lmmcfu.cpl. For TPF there is also another file but I have uninstalled it so can't look at the minute (may look later on) that may also have some bearing. All of these seem to interlink with the elicense file to form the overall wrapper. Note I could be way off target here but this is the gut feeling I am getting.

Really e-license is a very tricky programme for newbies like myself and maybe something I come back to once I've done some more reading on the subject. Some people seem to be focusing on the whole unpacking of the actual programme but I think three other areas would be of more interest:

(1) Finding the actual full routine that makes the call to e-license.com and port 80. Kill this routine so no call is made and the user can just type in anything and continue (difficult perhaps impossible). Redirect the routine so that it goes to another site e.g. a virtual machine, IIS or L2L Proxy. This site would then hold a simple file that is called and feed back. Again this would require finding out what type of file is stored by the e-license servers and then building your own. However something as simple as a .asp file might be able to do the trick. To better cement that idea:

current web-site address: http://www.elicense.com
new address: http://www.whatever.com

Current: Programme makes call to elicense.com with input data. elicense.com comes back and feeds a response back (most likely no).

Edited: Programme makes call to newsite.com with input data. newsite.com feedsback data from already uploaded fake file data is then valid.

Problem: Still need to find out the way in which elicense holds the files on there server.

Possible solution: Create a simple .asp with something like:

ProductId = $WhatEver|True
VendorId = $WhatEver2|True
OrderNumber = 123456789|True

Difficulty rating: Very.

(2) Find ProductId and VendorID. This one may not be to tricky for someone with good reversing skills. Basically as we all know the ProductID and VendorID are both stored within the .exe file. However as of yet I am not able to find either within the code. Some may ask whats the point because I still don't have a valid order number but there is already some software out there for that process. This may well be good as a tutorial especially for newbies who may find it easier to search for two processes which is a similar device to serial sniffing (one of the first things you learn). However I must say I've tried replecating a serial sniffing type procedure and it turns up nothing.

Difficulty rating: Intermediate.

(3) Creation of an unpacking tool for e-license. I think hobferret was going to think about doing this one personally I'd prefer a ProductID/Vendor finder but hopefully your still going to continue with this as I believe e-license is one of the biggest firms now without a pre-made unpacker which is kind of weird.

Overall e-license is quite a tricky tool for newbies but is becoming a massive tool used by commercial companies. I hope someone who has better skills may think about any of the above ideas I've suggested either for interests sakes or just to design a tutorial on (again another area that is severly lacking on e-license).

To SlantNGo let me know how you get on with TPF.exe and I'll do the same if I can work it out. Like I said I've got a bit more reading to do on unpacking and rebuilding and trying to work out why the hell SoftIce does nothing when TPF.exe is staryed (Maybe someone here can shed some light on that??).

Cheers

T2000

P.S. SlantNGo if you want to do some reading I recommend Krobars page it has shed loads of tutorials on unpacking. Some of the other stuff is a little outdated though as its mainly from the late 90's and some from around two years ago. The link is somewhere on the front page of the forum I think.

Have you tried Damn's eLicense proxy? I downloaded it and read through the documentation but didn't really fiddle with it. I think that was designed for eLicense 3.3 but you can give that a shot too.

I'm going at the EXE with Ollydbg, and it's not reaching my breakpoints either. I think the process was written for programs where the trial is still active, hence you can click Trial and it will get to your breakpoint. If the trial has expired, you have to do what hobferret did... however I haven't had any success.

Hiya all

Elicen40.dll and its temp file. 69Kb 06/25/2002 .

Just had a look at your proggie take note!

TPF
@ 02224B54 CALL 0227CBED
@ 02224B5E MOV[EBP+XXXXXXXX],EAX
@ 02224B64 MOV EAX,[XXXXXXXX]
@ 02224B6A MOV[EBP+XXXXXXXX],EAX
@ 02224B70 CMP DWORD PTR[EBP+XXXXXXXX],02 (83BDE0F0FFFF02) SO IT'S THERE
@ 02224B77 JNZ 02224E57

You can work the rest out for yourself including the "must register" piece - SIMPLE OR WHAT

Obviously addresses will be different on your machine
/hobferret

Thanks for that hobferret I may have a look at it some more once I've done some more reading around packing/unpacking and rebuilding the import tables. Its good to know that the byte sequence in the file is there but as I said in my last message I don't want to jump the gun on this as I am just starting out. I'll have a look into it again in the next few days and report back how I went/if I ran into trouble etc. One question though is what debugger are you using? I have assumed from your message it is OllyDbg(???).

SlantNGo the DAMN proxy is what I was talking about earlier when I referred to "other software". It will allow you to do all e-license programmes and works for 4.0 the trick is to find the actual Vendor ID/Product ID which I believe are encrypted using the RC5 protocal and CBC. Once again this is another area I am going to explore once I've done more reading.

To Mods: Any moderator/admin reading this you may want to think about making this topic sticky. It seems to be the main topic of discussion in regards to e-license and would also prevent other users from coming back in a few months time and asking the same questions when we could just direct them to a few pages back. Also perhaps moving the older topics on e-license into here would be helpful.

Wow I'm an idiot... found the byte sequence in the temp file and put a bpx 3 lines above it like you said. What are you doing to trigger the bpx? Right now, I'm exiting the program, it breaks there, I change EAX to 1, it takes the jump, and if I resume the program, I get password expired error 24.

So, adding 14AB like you said, I put another bpx there. Never makes it to that line... still exits with password expired. I'll give it another shot later. What were you using to unpack?

Test2000:

The FAQ and the BIG RED LETTERS tell posters that they are supposed to SEARCH before posting. Assuming they DO that, there would be no need to create a series of "sticky" threads or to attempt to merge all threads on e-license (or any other subject) into one big, incoherent mass. For example, a merge would probably re-order all the posts by date and then one wouldn't be able to tell which posts went with which topic or sub-topic. Not a very good plan.

Regards,

SlantNGo

I'm exiting the program, it breaks there, I change EAX to 1, it takes the jump, and if I resume the program, I get password expired error 24.


Like I said b4 if you get any errors just keep a record of where you have jumped from and then make sure you don't repeat that jump

Trace thru the whole bloody lot
Be patient you will get there in the end

BTW Don't ask for any more info coz I have deleted the thing, not my cup of tea
The IAT is simple coz it's in VB

/hobferret

True but the thing is most people don't do that. Maybe its just me but I'd like to have an active topic where by people can talk about the latest developments with that type of protection or have people go into that thread who maybe having problems. It also means you don't have the same question come up again as theres always a thread on hand for someone to post that question or check the previous pages. Having a search function is fine but most of the topics end up dead anyway and result in a new post ala this one because other people have other questions. Anyway I won't get into board semantics I have some more very easy crackmes to play with.

Hobferret,

I nearly forgot to ask you something. Did you find what you were looking for last time you were playing with e-license? I remember you asked for the VTCyber unwrapper which was used before it became the e-license.dll. Just wondering did you find it because I've got a link for you? Will PM you if you haven't if you have no point.

Hiya

No I have found nothing, if it is an active link then please PM with details

Thanx

/hobferret

I've PM'd you the link to the file now hobferret hope it helps with what you are trying to do. If the link goes down between now and the time you read the PM give me a PM back with an e-mail (just set up a casual hotmail one if you don't want to give me a permanent address) and I'll attach it and send as I have downloaded it already for my own reference.

Thanx

I found that prog for the VTCyber unwrapper too, but it's not what I am after. What I need is the vtcpak.exe to create a vtcpacked prog. Or better still the elicense SDK

Regarding the temp file I think if I remember correctly its something like XXXXXXXX.2xcp and is located in the WINDOWS\TEMP directory, almost sure it ends with 2xcp. And the byte sequence is in this temp file, remember what I said B4 if you get message boxes showing errors keep a log of where you are coming from & going to. Might sound a pain in the butt but you will get there in the end M8

Thanx

/hobferret

Cheers for that hobferret I'll have a look once I feel I've got myself up to a good level of understanding cracking concepts I felt I was weak on I feel thats going to take a good week maybe two.

Sorry that wasn't what you were looking for in terms of the vtcpak.exe I can say it no longer exists in any shape or format. I feel whatever was vtcpak has either been deleted or turned into what became the e-license SDK. Now in terms of that you might want to check out a company called HeyNow.com they specialised in porting the e-license SDK to Macintosh compatibility so they should have good understanding. You might be able to feel them out and see if they will give you any help in understanding how the processes work better or even give you a working version. Remember be savy about this if you go that route something like "I am a developer looking into making a programme with similar or identical protocal/API calls to the e-license mechniasm, I believed you worked on this and was wondering if you could me either some guidelines or a working SDK if you have time. The reason I am contacting you is because I feel that I may need such procedures porting over to Macintosh comptability which is what you have dealt with for the ViaTech company according to your resume". Could work might not but worth a shot.

I've also attempted to get the SDK for you on another route but I'll see how that goes.

[Edit: The SDK is definitely not online either it seems the route for obtaining this is similar to what Numega use e.g. ring up ask for copy to evaluate etc. As a side note some more interesting information is that ViaTech are looking into going into movies using the e-license protection.

Edit 2: Hobferret just realised you may want to check the DAMN proxy source code if you haven't already that may or may not contain some useful information suppose you have the link for the DAMN site?]

Thanx for the info Test2000

But perhaps you should have sent that via a PM, no doubt VIATECH keep an eye on these sites

Let me know how you get on with your proggie

/hobferret

This is just a very slight update on ViaTech in terms of two areas. The first is that they've now upgrade there systems (again) in terms of cryptography they are now using there own custom cryptography mixed in with some basic RSA stuff. I think they may also have a third encrypter as well but I believe there custom one and the old RC5 key is what they are using at the minute.

The other update comes in the form of perhaps the trial system. Some people have said they can't seem to get the trial back. This is because just deleting the mmfs file now does jack shit. On some exes and I use the term very loosely when I say sum you need to delete the following files:

lcmmfu.cpl
mmfs.dll/sys
mmfs.dss
ViaTech Keys in Registry
[AppName] Key in Registry
LicCtrl (this is impossible to delete it does not remove itself from the registry the last two files refuse to be removed even when the runservice.exe in task manager is killed).

Even then its no guarantee as the main exe now usually runs a GetLocalTime to GetSystemTime to GetFileTime to Kernel32 which is just a pain in the backside to kill (and even if you NOP or dump it the exe goes crazy with errors). In terms of LicCtrl I am in the process of e-mailing ViaTech and may actually sue them as its a violation of and corruption of my computer system as I cannot remove the file. You may also notice that in nearly all protections protected by E-License there is no license agreement or pre-warning that such systems will be installed upon your computer. In terms of computer law this may fall under the same classification as trojan horses and viruses. As these people can be prosecuted for not asking the user permission to run programmes and also for harmful acts (but with some wording it counts as invasion of privacy or possessions) the same action maybe able to be taken against ViaTech. Don't know depends how they reply to there e-mail if they are snobbish and rather "Not our problem" attitude I might sue them. Now thats irony .

i think itz eazy but tricky + boring
the proggy packed with neolite 2.0
http://members.lycos.co.uk/sssevennn/z.gif

Hiya Test2000

Sent email on TPF, understand your point on answers and will oblige if necessary

BTW The prog you mentioned is more or less exactly the same as what is explained in the link you provided. If you are stuck the actual image size is 26C800h, I'm sure you can work the rest out, I got it working in about 10 mins when I realized what was going on and it's another written in VB

Regards

/hobferret

Also to seven

Interesting stuff you have on lycos

/hobferret

well i think i have unpacked zmud and run it whithout elicense, but when the trial cames out the program has gone with the trial. i think i have unpacked it because he runned without the nag screen of elicense. but now the prgrams trys to run but fails somewhere any help plis?

and another thing i have been tryin to unpcak it now, without trial mode, and only i have catch is a passs has failed 24 or something like this

<quote>
When at TRY BUY EXIT LICENSE screen open debugger and search for this byte sequence:-
83BDE0F0FFFF02
When found use the second string occurance, i.e. the one after the call.
But set BPX 3 instructions above the CMP.
EAX must equal 1 and the following memory compare must also equal 1.
It will then JMP at the CMP DWORD PTR [EBP+FFFFF0E0] to the unpacker.
If any errors like INVALID PASSWORD occur check these:-
After the JMP above note code location i.e. 02563B75 add 14AB and you should be at a TEST EAX,EAX following </quote>
the things i meet are the cmp and comparitions if take eax to 1 the jnz brings to something and in this something there isnt cmp and 14ab more there arent test eax. so so how can i take out a license from now to never?

jolopez

I am not flaming you but READ STUDY AND INWARDLY DIGEST, I said before if you are having problems trace thru the whole thing from the CMP,02 and keep a note of where you are jumping to and jumping from. If you hit an error you know not to jump or converesly to jump depending upon what has happened.

It really is easy but it's down to you to sort it out else how will you learn if I or someone else does it for you.

/hobferret

sorry, my message is not in intention o tell me how to do. In this forum i have learn to unpack the zmud. my zmud is unpacked i did it in trial mode, it is easy, but now when the trial is out my executable goes out to. :< so i am trying to do it whithout trial (i can try to in trial in another windows ;-> buti don´t think it would be elicense, i think zmud has another thing in the program that checks something (in where???¿?¿ elicense ? registry?) and makes it to not to run when no is in trial mode. For example i take my system in 2020 the trial is out, so the zmud original doesn run. my unpacked zmud (tracing until the oep dump with lordpe and fixing imports with imprec) dows run to :/, but if i put it on trial (when the elicense thinks it is in trial both programs runs well. how can my unpacked program check elicense? what must i nop? this is why i ask help.

A prior message I had written had gone missing. I don't believe I had any clickable links or code refs, so I don't know why.

Anyway, to zap LicCtrl files, the LicCtrl service must be stopped, then the DLLs, etc., can be deleted. One of the EXEs that wasn't mentioned was c:\WinNT\RunService.exe (please verify first, but the one on mine was from eLicense).

There are some VERY strange registery entries, though. They used the SysInternals trick of placing a NUL character in the midle of the keyname to prevent things like RegEdit from being able to see the contents of it or search it.

They begin at HKLM\Software\LicCtrl\LicCtrl\LicCtrl. That's as far as you get with standard RegOpenKey and the like.

However, with NtOpenKey, NtEnumerateKey, and NtEnumerateValueKey, some VERY interesting things happen... There seems to be quite a bit of interesting stuff stored in there.

For me, I have a new found hatered of UNICODE.
8 bits should be enough for any character...

jolopez

I am finding it difficult to understand what you are trying to say.

By your use of "¿?¿" I am assuming you native language is Spanish, if that is so send me a PM in Spanish and I will try and help you. I am not Spanish but was raised in New Mexico and spent some years in Panamá. So Spanish is not a "foreign" language to me

/hobferret

Yes, that is a problem. Are there any ways to remove that keys from the Registry? .. I played a little bit with permissions but I couldnt delete the key. It seems to be another trick like the one you mentioned above.
Is there a registry editing tool that can handle that kind of RegKeys?

There must be a workaround that one can remove elicence and reinstall ist without formatting the harddisk. Well, I haven't found it yet.

sgdt what type of registration/OS are you using? I think you maybe using either NT or ME from what you've said as I don't seem to have those options (NtOpenKey) in my regedit. If your using an external programme to access the registry would you mind PMing the URL to me?

Pinkomat I don't think there is a way to get rid of the LicCtrl. I am looking into this to see if it is an invasion upon ones private property. Electronic law is very tricky though especially when your talking about something which doesn't really harm your computer. However it is essentially the owners property and in many ways it can be likend to me letting a sales man into my house to give me a demonstration and then leaving a giant slab of glass in my room. It may not be doing me any harm but it is still annoying and I want to throw it away but the sales man has bolted it to the floor.

I have e-mailed ViaTech but there fantastic response was:

Dear XXXX,

You just delete the file.

Thanks

XXXX

Really helpful huh? Anyway I am now looking on the net to find anything about electronic law and permissions given to software. If I can find anything the next e-mail I send ViaTech will be informing them of court proceedings. If anybody wants to then join those proceedings dependent on whether I can find the legal interpretation of these actions then feel free.

I included a zip file that includes source code and executable. It will find these keys, and ask on each one if you want to delete.

The RegEdit program can't do it, as RegEdit uses regular registry calls. What eLicense did was use a trick discovered by SysInternals (I *think* they discovered it, they were the first to publish) where you have a NUL (0x00) character inside your keyname, and then regular programs can't snoop.

Although you could (and SHOULD) follow in the code, what we do to find them is call "NtOpenKey", and use "NtEnumerateKey" to enumerate thru subkeys. We are looking for keys that look "weird" (i.e. they have a 0x00 in them which would freek out regular ring 0 programs). When we find one, we print out the name and values and ask if we should delete the key.

I would run this at least once saying NO to each delete, preferably in a debugger. There are a lot of REALLY interesting values placed there, some of which might be worth looking into.

If you have any questions, feel free to ask.

I should probably explain a bit.



This allows us to use the undocumented registry calls. I emphasize the word undocumented, because they are documented quite well by everyone but Microsoft...

Coding using these functions is a little bit harder than the regular registry functions. There's the obvious mater of UNICODE, but additionally the way names and values is handled may seem a little alien if you've never written any driver code. One might say Life is too easy for the Win32 coders...

Please look into hxxp://undocumented.ntinternals.net for more information.

Anyway, here's a little more code from it...





Ran from a command prompt, it will display the 0x00 characters as a solid block for easy identification.

You can modify main() to call from a different root key if you like.

\Registry\Machine\SOFTWARE\LibCtrl

is the equiv of Win32's

HKEY_LOCAL_MACHINE\Software\LibCtrl

Hope this helps...

Jeez what do I have to do to get eLicense off my system? Ran the eLicense uninstaller, deleted all the files Test mentioned if any were left over, deleted ViaTech and TPF registry entries, zapped hidden LicCtrl entries, then deleted the remaining LicCtrl entries, reboot, start TPF, and still says Trial Expired?!?

Yes!

As Pinkomat said it will most likely still be trial expired. I believe this is due to the system clock check that it runs and dumps in memory before you can kill it. If you try changing this check or the values of it the entire programme freaks and crashes out.

Good afternoon all

I have just been trying to get rid of all this elicense crap from my PC

After purging the registry and the known files, I found these 4 remaining in the \Windows folder:-
ELMENV.EXE - ALSO REFERRED TO IN STARTUP
ELMGUI.DLL
ELMHX.DLL
ELMLCMM.DLL

There may be more elsewhere but I have not found any

Just wanna get rid of the rubbish and I made a decision that I ain't gonna install any more elecense rubbish on my PC!!!!!!

/hobferret

RegShot not only allows you to take s snapshot of the registry before and after installing and running a target application, it also allows you to take a snapshot of a directory so you can see which files were added.

I wouldn't say "I ain't gonna install any more elicense rubbish on my PC!!!!!!". The reason is simple, if by using mass qty of nasty tricks and inconviences is all they have to do to keep their software protected, they will do even more of it. The "average" computer user doesn't know what those files are, and probably assume they are there because some thoughtful company put them there. (The "average" computer user seems to think everything is written by Microsoft).

Using tools like RegShot take quite a bit of the mystery out of what a target is doing to your poor computer. Using these tools will force the protectors to come up with different (and maybe more entertaining) methods to annoy us, hopefully methods that won't fill up our hard disks...

Hi sgdt

Good point, however, I expect most people using this forum are not "average computer users".

As for Regshot most people have the utility as it's been around for 2 years or more

Before you reply I ain't getting at you just stating facts

/hobferret

wop!
i dunoow how but i have reset my trial on zmud.
i were trying to patch the zmapi instead of do this in the zmud because the read of addres 14 error or something like this and i have reset the trial how? i dont know :<

Look on the positive side!

I mean, if it takes TOO long to crack, eventually the times got to wrap, right?

I'm patient... (/me whips out calculator to determine exact year of wrap).

OK, I'm back. Waiting isn't a good idea.

Did I ever mention there is this company that stores there registration info as numbers in the registry, and by resetting them to strings EVERY one of their games suddenly became REGISTERED? Yup, they have a silly bug where if they can open the key, it sets goodguy, and then they reset it after they read it and determine it is bogus. Only thing is, they hurl on strings leaving goodguy set to true...

My point is bugs are usually exploitable. It would be very interesting to know HOW to exploit THIS bug.

OK, no more booze for me...

hmmm....

Hobferret,

I think those files must have come from the ZMud programme or possibly the TTT one. I can't find them within my system though and the only one I have not installed which you have is ZMud so those must have something to do with the way that is protected.

I also believe there is already a ZMud dumped exe of 7.01 on some newsgroups. It could be a useful thing to look at to see how they've patched the .exe and what are the key differences between this and the original .exe.

Furthermore as e-license users server checking tricks I am not to sure whether or the standard way around server calls would be a way to kill the programme. I believe there is some problem with this due to the RC5 encryption key being used which they may now have scrapped to start using there own version. Either that or they are using a modified eliptical curve cryptography.

the crack is only the undump of the program (i think) this the same i have made with my hands and the help of the forum
this dasent run it ahs some tricks inside. this crack only works when you are in trial mode when it gets out the dumpprogram too.
zmud has anotehr module that ne frien has say it is vtprotect :/
i think that with patch this and making it t make always the same will do, but no, it does some tricks inside because the program reads from another memory and crashes out.
thx people ;->

Hi again Test2000

Quite possibly they have come from Zmud but I was also playing around with one of their ebooks, same idea of protection, so you can easily open an ebook and print the thing

But like I said B4 I ain't gonna bother anymore with their bulls**t, just cleared the whole bloody mess out

Also to Jolopez, I will reply to your recent email but I dunno where you live I guess in Spain by your email address but your Spanish is as bad as your English - quote from yr email "fue un amigo kien ablo con el i komo dice ke" I assume that should read "fue un amigo quien hablo con el y como dice que" - ¿si o no?

/hobferret

i agree with you.
Es mi asquerosa forma de hablar considerada vaga y fea. hablo mal, me explico peor. pero bueno espero que esto no influya en mis conocimientos. siento haber heridos algunos sentimientos linguistas, pero es que suelo pasar de esas cosas y saltarmelas a la torera(a lo bruto a lo bestia).
Asi que perdon e intentare hablar mejor.
Ah y por cierto..
I live in Basque Country in Spain yes. ;->

Hi jolopez

For those who do not understand what he says it is:-

My disgusting form of speaking is considered vague and ugly. I speak badly, I explain myself worse. but I hope this doesn't influence my knowledge.

So pardon me and I will try to speak better.
Ah and by the way..
I live in Basque Country in Spain

Your knowledge is obviously good else you would not have gotten as far as you have

I have removed all elicense softs from my PC but when I was messing with your Version 7.03 it was not necessary to patch any of the dll's, however, when it connected with a site it crashed and I really don't have the time to play around with it any more. You are right when you say it works fine while it's still in the TRIAL period, even the patched version

Regards

/hobferret

Well after having a nice long rest and trying a few other things I decided to have a look at e-license again. I am still kind of surprised that no-one from the reversing scene has really done anything on the unpacking side or the tutorial side of this programme. Its fast gaining on the top spot of being the packer that is hard to defeat especially with these new problems I am hearing people are having with the new Zmud. That could be down to not much interest in it though so end of rant here.

Anyway I'd tried a few trial programmes fairly easy most of them were using the old system that allowed the trial dump.exe to work fine (this is a problem in the new Zmud as mentioned earlier). After that I went back to the expired programme I had. Was having multiple problems either with the byte sequence or strange jumps. Having not being able to go down the reverser route I went down a more avaliable programme and after much trial and error it worked fine. I kind of hit the Hobferret attitude then and no longer wanted any e-license crap on my system so deleted it all.

Today though I found some old files stored namely the temp files and the e-license.dll all of which I had stored in a folder called Elicreverse. I'd unfortunately forgotten about that folder when deleting. Cutting the story short I basically unpacked the .dll and the .temp file. If anyone is still interested in playing with e-license I'd go this route first as more experienced reversers might find a few of the calls that are made by these unpacked files interesting (especially the temp file) and maybe able to patch the .dll without even having to go down the whole route of dumping and fixing the dumped IAT etc which I believe is causing trouble for a lot of people with trying to dump the new Zmud.

To summarise this thread in its current state and the state of the e-license protection scheme:

Unpackers: None

Tutorials: None as such

General Guide: This Thread

Tools Guide: For trial version you can most likely do it with any debugger and simple IAT rebuilder. For Hobferrets expired version guide it is recommended to use TRW2000 or SoftIce, using OllyDbg can be rather tedious especially when tracing. You may also be able to use another programme out there but you may need either a VMWare or a friend within the reversing circle.

Reading Guide: BEFORE you even attempt looking at e-license I would recommend reading up on manual unpacking, IAT rebuilding, dumping in Ollydbg and general newbie reading altogether. Most people when getting stuck with e-license seem to be newbies and reading this material will aid those who are more experienced to be able to give you better advice that you understand.

Well thats me out if anyone wants the .dll or the .temp versions unpacked feel free to PM me I've kept them on my computer for reference only, though please note I will ask you to explain to me why exactly you couldn't unpack it yourself as it is not very hard. Oh and "I couldn't be bothered" doesn't qualify.

T2000

Hi Test2000

Just as a point you can quite easily get into the temp file using Olydebug if you set a breakpoint on USER32.dll (view names) DestroyWindow

After a few RET's you are right in there and if I remember correctly just another 1 or 2 and you hit that byte sequence following the call

From then on it's much the same as TRW & SICE, although I must admit I found it easier with the latter. Quite likely coz I am a relative newcomer to Olly

However, Test2000 suggested in the past that we get together and write a tut based on all debuggers mentioned above. Maybe we should go ahead even if I have to reinstall their CRAP once more!

BTW you could always set a restore point prior to install, then go back and reinstall again. If I am right you dont lose all your data when you do that - only the executables

/hobferret

I think that's a great idea, to have a tutorial for eLicense 4.0 since it seems to be such a mess... I've been really busy lately, and with exams coming up, I put attempting to unpack TPF on hold until probably mid-April or so.

Test, you said you unpacked the elicen40.dll and the temp file, and got the program working w/o touching the EXE? Isn't the temp file generated and named randomly each time?

SlantNGo

Don't bother putting TPF off, if you have not expired you can do the whole lot including rebuilding the IAT in <10mins - the IAT is a piece of cake coz it's written in VB

You must have already read that the EIP remains constant

/hobferret

Unfortunately, it's expired. The trial period for that was 3 days, and I didn't even try to unpack it until it was on the last day already. I followed your steps for the expired trial, found the byte sequence, at the end I get a "Password expired" error. Didn't quite understand what you meant by tracing the jumps... did you mean step into the jump and going line by line? That I don't have time for at this point unfortunately. If you can show me any shortcuts that I can get it done in <10 mins with, I'd greatly appreciate it!

Hobferret,

Don't know how much use I would be in terms of tutorials you seem to be more experienced than me anyway . I'll put here what I know in terms of how to destroy the protection using OllyDbg when the trial is active. I'll set it out like a tutorial so if you want you can use it and if not you don't have to (note I am going off the top of my head from what I remember here so apologies if it is a little hazy in parts, segments of code is obviously not included):


E-License Tutorial

By

Test2000

-------------------------------------------------------------------------

Tools Required

OllyDbg 1.09+
ImpRec, ReVirgin or knowledge of manual IAT rebuilding
OllyDump or LordPE

--------------------------------------------------------------------------

What This Tutorial Does

Not much really I am still learning myself but as someone once said to me "We are all really learning in this world". This will only show you the basic steps to unpack E-License 4.0 protection trial versions using OllyDbg. It will not show you how to rebuild the IAT step by step nor will it show you how to use OllyDbg step by step. There are other better guides out there for this purpose and it is suggested you read these materials before you try to unpack this protection. This guide should only be used for research purposes it is the users own choice what he/she use the purposes for and I can't be held responsible in anyway.
-------------------------------------------------------------------------

(1) Open up your .exe file with OllyDbg.

(2) Select the main executable file of your programme and place a hardware breakpoint on it (right click > Breakpoint > Hardware on execution)

(3) Click Trial on the pop up window.

(4) You should now have jumped back to OllyDbg dump the data using either OllyDump or LordPE

(5) Now rebuild the IAT either using ReVirigin, ImpRec or by hand (quite a few of the E-Licenses I played with required by hand rebuilding). As stated earlier I can't teach you IAT rebuilding each .exe that I have played with which has been protected requires having the IAT rebuilt differently. It is Your job to read about IAT rebuilding it is not a hard subject but does require time effort and patience if you don't have any of these your best bet is to hope that ImpRec or ReVirgin can rebuild for you correctly. E-License can be a real pain As a slight tip if you do run into trouble look at where the cyb import is before trial and then see what happens after you hit trial to see which addresses have imports. Furthermore I believe there is a plugin designed for either ImpRec or ReVirgin of an older version of the e-license protection that solves some of the tracing problems.

On another note some more recently released versions (as of March 2004) are using some new features of the e-license SDK. This has resulted in a remarkably high increase in terms of files that are having problems with the IAT rebuilding. Even when the IAT seems to be correct the programme still seems to drop out and no-one can work out why at this moment.

--------------------------------------------------------------------------

As for the trial expired version with OllyDbg I constantly had a problem with this. Its interesting what you said earlier Hobferret about going into the User32 module and setting a breakpoint on WinDestroy. I think I chatted with a friend on MSN about this and did do something similar. I believe I copied out the problem I was having in that convo it was something to do with finding the actual point of reference to the .temp I'll check later to see if I saved it as I think I did because the convo was largely to do with a work related project.

SlantNGo I may be able to help you with TPF. I've tried out a programme that was mentioned earlier in this thread on an expired programme and it seemed to work out okay. I deleted TPF as it was around this point I got hacked off with e-license plus I'd tried it on a friends computer already and although I liked it I wasn't going to load it up again to discover it may not work with this programme. I digress if you live in a similar time zone to me I might be able to help. So post which country you live in and if its a not to distant one from mine then I'll PM you with the details.

Finally in terms of e-license tutorials I was actually mistaken. There is one from two years ago that does appear on this very board. It was done in SICE I believe and written by +Spl/\j who I think may still be on this board but am not sure. Hobferret I think +Spl/\j might be a good source of reference for the unpacker if you ever wanted to go down that route again. He seems to have some exprience in writing that type of stuff but to be honest from what you've said you seem to be of the same mind set as me when it comes to e-license (never want to touch it again unless I have to).

Hey Test,

I'm in Canada, Eastern Standard Time. Good job on the tut! Even if I can get this working now, I'll probably give the trial another shot whenever I decide to re-ghost my machine... seems much easier to do when the trial is still active. As for e-License tutorials, the only one I found was for eLicense 2.4, and that one required using PEDump, which doesn't work with 4.0.

Hi again

Like Test2000 I ain't gonna reinstall this pile of junk again, thanks for reminding me mate!

Using Test's quote "This guide should only be used for research purposes it is the users own choice what he/she use the purposes for and I can't be held responsible in anyway".

Somewhere on this board I posted the stuff about the byte sequence, and what to do if it's expired. You need to find that in TRW and SICE purely because it makes it easier. Like I said before if you use Oly break on DestroyWindow and a few RET's later you will be there, the instruction following the call!

You must JUMP at the instruction CMP DWORD PTR [EBP+FFFFF0E0] so you get to the unpacker. Again it is most important to trace thru this temp file because you will get error messages. If you get a MSGBOX saying whatever you must keep notes of how you got there in the first place. i.e.if you arrived from a jump then don't jump the next time, conversely if you got it by not taking a jump then next time make the jump. I can't say any more than that coz like Test it's a bit fuzzy now, you just have to have patience or else you will fail.

If I remember correctly sometimes you get a registration screen pop up, if you get that just click on Start Over assuming that box appears in all versions, I really don't know!

To be perfectly honest I have not found a program yet protected by this mess that has been of any use, anyways most times I usually delete the progs I have cracked coz if it's any good then buy the bloody thing!

BTW Test I don't agree with you when you say I am more experienced than you, remember I had to ask you about Ollyscripts coz Olly is NEW to me! Pls send me what you mentioned about them I would appreciate it coz I really ain't got my head properly round it yet!

Sorry I gotta edit this - it wasn't Test and Olly but R@dier

/hobferret

Hi guys,
I'm newba in Reserve Engineering. Yesterday i download <deleted> I obtain the license for trial.
So, after this, i find your forum. What i do for "crack" the TPB ? please, help me point-to-point and with the download links (if necessary).

thanks guys

Hi don't wanna flame you but read this thread and serach the site for more clues, there is enough here to get you sorted out

/hobferret

And while you're at it, read the FAQ... *sigh*

Thanks guys.. I will see the thread.. but ONLY one question: do i the same thing for the trial version than for expired trial version ?

Hmmmm.....

One question CAN YOU READ

/hobferret

a solution from dakkor from damn.to to reset the trial in elicenses
this a .bat i have made
@echo off
zaphidden.exe
net stop "licctrl service"
attrib -s -r -h c:\windows\system32\mmf.sys
del c:\windows\system32\mmf.sys
pause

have a nice day

Genius!!! I totally forgot about mmf.sys
I guess we found everything except that file... Great work man! I just reset my trial, and now looking to unpack the EXE.

Apparently ViaTechs e-license isn't as secure as they actually think it is lol. I just got done talking to someone on the net about this (we were discussing various things) apparently the main holes within the license are:

(1) You can reset your trial over and over and over and over (I was about to post a message about mmf.sys but jolopez beat me to it).

(2) The proxy has numerous holes and if someone updates a couple of things then such programmes as the DAMN server could be customised to work forever.

(3) The way that the programme is munged means you can dump the file easily with some little reversing knowledge (both expired and trial versions).

(4) Apparently there is some interesting information in lcmmfu.cpl this file apparently controls the main part of the e-license control. Manipulation of this could allow you a registered version even when you don't essentially have one (note don't ask me about this as I don't know though I do have an unpacked .cpl file this is something I missed off my list).

Also to jolopez would you mind uploading the .bat file. The reason for this is that I believe it would really be the only actual tool out there for e-license even though it isn't necessarily a definite tool as such. There is nothing else plus it would save me some time of going over notes etc if I ever come back to this protection (doubtful but you never know) .

Just click "Manage Attachments" in additional options before you post. If you don't want to upload it to the board for fear of ViaTech or someone watching or whatever PM me and I'll give you my e-mail so you can send it there and I'll upload it.

Good work by the way with your detective skills (Oh and thanks to DAMN's Ivanapulo I think Ivan is Dakkor but might be wrong?).

o i didn t mind anithing about elicense and thx for all in the forum specially to hobferret and dakkor in damn.to
in the file there are the .bat and zaphidden.exe
not tested in 98 but yes on 2000 and xp

Hi jolopez

Glad to hear you got there in the end!!

Like I said before you are obviously good else you would not have gotten as far as you have!

/hobferret

recuerde el laza de luto en España

Guys,
i have one problem with this .bat :
when i execute this appear this messages:
Could not get handle ntdll.dll

Error 2185 (the message is in portugue but i try to put this in english): The service name is invalid. Verify if is specify a service name valid and, try again.

File doesn't exist - c:\windows\system32\mmf.sys
File doesn't exist
Press any key to continue

well, if it is in portuguese, the name of the service can change so you must go to control panel and in services search for the licctrl service or something like this, you must stop this. you can see the services started with
net start
the services will be show.
after you stop the service you can change mmf.sys.
and i dont try this in 98 or NT 4, so be sure that you are in 2000 or XP. i will try the bat in windows some day ;->

to hobferret, it is Lazo negro

JOLopez,
try to help me
but my win is win98 and unhappy, i don't have mmf.sys

I think you need to help yourself at this point, have you even tried filemon to see what alternate file it may be using?

You've gotten plenty of help already and your first post in this thread was a crack request, which clearly shows you never even *read* the earlier posts warning against exactly this, or even worse chose to ignore them.

You seem more interested in getting this cracked than in studying how the protection works, which has already been discussed in great detail in this thread, so forget it, that's not what we're here for nor what we encourage at all.

C'mon, let's raise the bar a little bit? (maybe a lottle bit?)

Kayaker

Sorry, i say it again. I don't want to do fights. Some guys think that brazilian people is kiddie hackers... Maybe, you think that about me, ya ? I already buy a game in eLicense system. I'm newba in Reverse Engineeering. I only post many posts because i don't find a objective tutorial. I download many programs like SoftIce, ASpack, RegEditX and some more programs in a attempt to learn some thing or do something.

After the read the FAQ and the topic, i know that isn't a crack forum or any things like this.

I will continue to try to know how eLicense system works.

I apologize.

Bye,
Filipe Melo

I don't think the problem is with mmf.sys, although that is also a problem. If you're on Win98, the NTEnumerateKey, NTOpenKey, etc. API functions that the ZapHidden.exe file are calling more then likely won't work because they exist only in an NT operating system.

Filipe, You don't need to apologize or defend yourself, nor is anyone trying to be newbie-question unfriendly. I'm just trying to set the tone for the types of questions allowed on this forum, and encourage people to think for themselves. This is an ongoing job of the moderators and others that unfortunately seems to require reenforcing every few days or few weeks.

If your interest is learning, then great, best of luck, learn, ask questions when you are truely stuck and contribute your knowledge when you can.

K.

SlantNGo (if you know) do you know any functions/system files/keys like NTEnumerateKey, NTOpenKey or mmf.sys ?

well i am in a fucked 98 (all things doesn run, i have to format this) and i cant run regedit.exe so i can see the entrades in the registry, in my windows 98 only i have do is
attrib -s -h c:\windows\system\mmf.sys
del c:\windows\system\mmf.sys
without stopping any thing or run zaphidden.
Before to delete mmf.sys i have delete mmfs.dll booting in dos mode only. i think it isnt necesary.
i have use to view the process in windows the process explorer from sysinternals and when i run zmud it runs the licctrl service with runservice. after i kill zmud the runservice goes to another site. so be sure to kill the runservice before deleting mmf.sys. it is in the system not system32
i am not sure that the reset in win2k needs zaphidden i am going to try now. i need anotehr reboot :<

from dakkor:
Test2000 wrote: "Oh and thanks to DAMN's Ivanapulo I think Ivan is Dakkor but might be wrong?"

I don't really want to go through all the hassle of signing up there, but could you just mention that I accept the compliment, but I'm not actually Ivan .

1 problem now:
i haven't mmf.sys. I don't know why (i have some eLicense games installed) but i haven't it.

I search in Search File and Folders and i don't find.
In MS-DOS in folder system, i find with *.sys : ndiswmi.sys - poet95.sys - compbatt.sys - acpi.sys - battc.sys - sisnic.sys - dxapi.sys



So, thanks for try to help us and congratulations for your work!

You have it.
But it is hidden and with system attributes
from console
cd windows\system
attrib -s -h mmf.sys
and delete it

It's me again JOLopez:

When i digit "attrib -s -h mmf.sys" in MS-DOS appear it:

"Compartment Rap reading C:\"
Annul, Repeat or Fail

Again i say: it's in portuguese, i'm trying to translate it for english

A hug for you,
Filipe!

Hello people,

I am trying to unpack a similar program - TEW - of the same producers. I followed the tutorial on page 4 of this thread and I indeed break into Olly at some point, but it doesn't look like an entrypoint at all...
I dumped the exe nontheless, it had no icon, but who cares. I fixed the IAT using ImpRec, which said the process was all ok and all that. Then, when I run my dumped exe, it opens a DOS box, does nothing and just terminates.

I don't know WHERE I am going wrong, but any help is appreciated. I tried continuing the run in Olly, but after the hardware break, it gives some exceptions. When I pass them to the program, it says 'program was unable to process exception' and eventually it exits with code 0x80.

What am I missing here?

Thanks,
- Fahr

Disregard that last comment - using LordPE to dump it DOES produce a somewhat valid result. At least it now 'runs'.

When I run dumped_.exe, I get the following:
"The application failed to initialize properly (0xc00000ba). Click on OK to terminate the application."

I dumped it on Windows 2000, someone mentioned there's glitches on Win2K... will I have more luck attempting the dump in Win9xME? Or is it something else?

Thanks,
- Fahr

Fahr, I'm trying to get in to TEW too, but when I try running dumped_.exe I get

"This application has failed to start because .dll was not found. Re-installing the application may fix this problem."

I admit this is the first thing I've ever tried to "crack", so I'm a compelte noob, but if anyone has any hints I'd greatly appreciate it.

I'm on XP Pro, used OllyDbg, LordPE, and ImpRec

Hi thetakerfan

Have you tried renaming the dumped_.exe to the name of the original file

Worth a shot

/hobferret

Well, then you're having more luck than me - my dumped_.exe just crashes, no normal errors, not 'missing DLLs', no nothing :S
What exactly did you do? You DID use the same tools...

Thanks,
- Fahr

yes hobferrett, I did try that, but it had teh same error

HOWEVER, I just opened the main exe, and it still says I have 24 hours on my trial, which is what it said late last night, so I clicked Trial and and went straight to the game, no having to reregister.

I have no idea what happened to it, but the folder int he start menu is gone, freaky

This is mainly to the two new users asking in this thread. For starters I think you might have just read the guide I posted and are following that. This is not the way to defeat the e-license programme. You need to start reading about it first. It took me nearly three weeks to understand most of the basics and I say basics because thats what they are and I've still not got to grips with everything. The main issue you seem to be having and I know this from experience is that you are either not hitting the OEP (you might be hitting the fake API), your dumping it but have not bothered to rebuild the IAT by hand or even looked at the IAT's in general, your rebuilding it with ImpRec but are forgetting that e-license uses anti-tracing. You may also not have read any documentation on OllyDbg because if your using the latest version your going to hit a snag when trying to set a Hardware breakpoint.

The listed problems above are what I expect is causing the .exe to not work. You can also use the SoftIce method in OllyDbg if you know what your doing so this system can be defeated IF you read up before you attempt it. What your doing is diving into the swimming pool before you've even got the arm bands off.

There are also more ways to get around the protection system than just reversing it but you need to use your heads, work out what your doing and then try again and again and again and again. This protection has been covered in as much detail as it really needs to be in this topic already. The rest is up to you to LEARN and if you can't do that then buy the thing.

I already figured the other ways to bypass the protection and built 2 working bypass programs - 1 for NT/2K/XP and 1 for 9x/ME... Unlimited licenses are nice, but I'd still like to get rid of that nag screen and the registration procedure...

On top of that; you made a guide which should at least allow us to DUMP it correctly. I am ready to learn all about manual IAT rebuilding to do the IAT, but what good is it if you basically say the dump made by following your guide is faulty to begin with? No offence intended at all, but could you at least tell us if you YOURSELF were able to unpack this eLicense?

Thanks,
- Fahr

Did you even bother to read this entire thread or just skip to the last god damn page? If you would have read it you would have known that it wasn't a proper tutorial and it also states that it won't teach you IAT building at the start which is a major part of dumping exe's. This isn't the place for someone to hold your hand and go right this is how you do this, this, this and this. Sorry but this forum does not work like that and if you thought that it did your in the wrong place. Read most rough guides like the one I posted by people and they will not tell you how to rebuild IATs because you need to read it and understand it yourself, simple protections allow you to have a working dump straight away most require you to rebuild it so stating that I gave you a guide which doesn't teach you how to rebuild the dump is kind of stupid as most rough guides do this. It didn't used to be like that and there was a lot smarter people than I who would create useful plugins to do most of the work for you. These days its a lot of building by hand if there has not been a nice plugin created for ImpRec or ReVirgin. E-License can sometimes be even tricker because of the way it sometimes disguises the API's, I think its this protection that uses the hidden API routine but quite a few wrappers I've played with do that. Like I said I am going off memory here so please excuse me if I everything I say isn't correct.

In answer to your question of whether I got e-license to unwrap. Yes I did and I did it through a variety of ways. There are multiple options either you can reset the trial and reverse from there, forward the trial to an expired point and reverse from there, patch certain points of the .cpl (I only tried this once as by this point e-license was annoying me), learn some cryptography and delphi and work on something something that I won't mention or direct link to because thats not how things work.

Someone also sent me a PM asking if I would "crack" there e-license programme. If anyone PM's me like that again the only thing I will be sending is the message forwarded to a mod who can ban you for asking for stupid things. This is a place for reversing not for cracking.

Fahr I apologise if I can't be of anymore help than the above but I have no interest in the e-license protection anymore. None of the products they protect really interest me and if I like something that much and its not overtly priced I usually buy it anyway. E-License was just something fun for me to expand my knowledge on a little and I enjoyed learning about the reversing scene again. As it is I've found something new to amuse my time now, its called fatherhood and I recommend it to anyone with a stable job and who doesn't hate kids, though to be fair I once hated kids still do but I can't take my eyes off my son, so reversing is kind of low on my priorities as I am sure you can see.

Just say the word

I DID read the entire thread, don't take me for a noob here. I'm also not concerned about the IAT, I think ImpRec provides valid results (TEW is written in VB, ImpRec generates a complete import table for the VB 6 runtime). I would just like to know if my DUMP is correct before I spend hours trying to rebuild something faulty... that's all.



I am mainly interested in unpacking it, as it is an area quite new to me. I am not looking to 'crack' this particular program for any reason other than the learning experience.
I do know Delphi, in fact, I am employed as a programmer for Delphi and some other programming languages, so I think I'll manage in that area. I also know a fair share about applied cryptography. If you refer to building a generic unpacker of sorts, I think that's a bit above me, I never managed to reverse a crypto alogrithm, leave alone reversing, dumping and IAT rebuilding in one program...



As I said before; I don't want to reverse it because I can't buy it, or because it interests me; I simply want to reverse it because it is possible and I can learn from it.
As for fatherhood; I am married, but I don't think there will be any kids for the coming few years
I'd say; enjoy your son and have fun

And finally - can anyone please tell me if my dump is correct? Because I don't think it is...

Hi

I have no idea or interest in the details of this thread, but from your earlier quote:

"I dumped the exe nontheless, it had no icon, but who cares?"

I think you should care, this likely indicates your resource section is corrupt/misaligned/incomplete/still packed. A way to avoid this would be to do a RAW dump instead of an "optimized" LordPE or whatever dump that does section realigning.

I have always preferred dumps where raw size=virtual size and raw offset=virtual offset. It makes reconstruction SO much simpler, to the point where you can do much of it semi-manually rather than relying on automagic tools.

Generally, once you fixed up the sizes/offsets and OEP the icon should show if you've got a good workable dump. THEN you can start rebuilding the IAT.

Kayaker

In the message after that, I stated that a full dump with LordPE DID produce an icon. The dump that did not produce an icon was done with OllyDump.

My main concern is not the icon, my main concern is dumping the right way on the right spot... I THINK I am on the right spot, but I'm not quite sure... and seeing how I am rather new to this dumping stuff, it would help a lot to know if my dump is in fact valid. I produced more dumps which had a nice icon, but that doesn't seem to be the factor on which to decide its correctness at all...

- Fahr

after dump you must fix the dump with imports. i did it with imprec, and it work fine, to do this well, you muts run the original program and get imports and auto trace. i do it normally in 98 because in xp they make somethings extranges.

to test2000 have you register the elicense patching the libraryes?
thx

That sounds interesting, I'm working on 2000 - also an NT... it could be the cause of some problems...
I'll try it on Win98 then and see if I have better results with ImpRec.

What did you use to create the initial dump?

Thanks,
- Fahr

Hi

Not to split hairs, but sticking with the facts, what you stated was that you were able to produce a 'somewhat valid result', there was no specific mention of the icon, as insignificant as that might sound. All I was trying to get across was that the *non-presence* of an icon after dumping is a detail that shouldn't be ignored, yet still might 'run' to a certain degree.

K.

Ok, my bad then. Facts are: I have an exe with an icon, it does not run.
I guess that's it then

>I have an exe with an icon, it does not run.

Heheh, well at least it looks good now

For reference, the "Trial Expired" method posted by hobferret is in an older thread, and involves searching for a certain byte sequence (can't remember at the top of my head) in the temp file that is created each time you launch the program. From there, follow hobferret's instructions and slowly trace through jumps and eventually you should be able to unlock the program, although I haven't quite gotten here myself.

I had problems dumping the EXE myself, could never hit the OEP. Haven't touched this for a couple weeks now so my memory is shaky too.

Same problem here - hitting the OEP appears to be troublesome using that hardware breakpoint. But according to the other thread you refer to, Hobferret was able to unpack Elicense 4 using that byte sequence (and apparently SoftICE).

I'll check it out,
- Fahr

I tried it with a very recent software, the elicen40.dll is still 6/25/2002 though and I found that byte sequence in the temp file. By changing that first EAX, I get a password expired error... see if you can get that far, then if you can, it's just about following that jump and seeing which jump(s) to avoid.

But I am not looking to REGISTER it - I am looking to UNPACK it... I'm not sure we're after the same thing here...

- Fahr

It can be unpacked using this method. From hobferret's other post:

"When at TRY BUY EXIT LICENSE screen open debugger and search for this byte sequence:-
83BDE0F0FFFF02
When found use the second string occurance, i.e. the one after the call.
But set BPX 3 instructions above the CMP.
EAX must equal 1 and the following memory compare must also equal 1.
It will then JMP at the CMP DWORD PTR [EBP+FFFFF0E0] to the unpacker.
If any errors like INVALID PASSWORD occur check these:-
After the JMP above note code location i.e. 02563B75 add 14AB and you should be at a TEST EAX,EAX following a CALL to 026501B - EAX should equal 1 here and JUMP.
Again at 02563B75+1DDD there is another TEST EAX,EAX this also should be EAX=1.
Eventually 4 RET instructions you should arrive back in the elicen40.dll, the EP is just a little way down at 02483CCF FF255CF84902 JMP NEAR[0249F85C].

Actual address may be different but the method will be the same"

Ok, I must have missed that part (or overlooked it), thanks a lot

Can I also do this kind of things with OllyDBG? Or do I really need SoftICE? It looks rather SoftICE specific, but I have some bad experiences with installing SoftICE on my system... :S

- Fahr

Should be able to do it with Olly but I probably know less than you about this. Search for binary string to find that byte sequence, just toggle breakpoint 3 instructions above the second occurence like he says. When it stops there, change EAX to 1, it will then take the jump... from there I haven't had any success.

I THINK I may have gotten this thing working, but I tried so many things I'm not exactly sure what I did, so if I can figure it out again I'll let you guys know

ok, I've done it a few times successfully, but this wouldn't work for any other programs I don't think, just the one that Fahr and I were trying to crack.

I don't exactly remember HOW I got to where I did, but the end result works, or atleast it seems like it does. I havne't tested to see if it crashes after awhile, but here's what I did, and it's in Olly.

1) Open the CPU window for the elicen40.dll, and right click, search for binary string, and enter:
FF25 5CF84902
You should be at: JMP DWORD PTR DS:[XXXXX]; TEW.<ModuleEntryPoint>
Set a breakpoint here, and click the trial button.

2) Once the program pauses, go to LordPE, right click on tew.exe, and do a full dump

3) Open the normal TEW.exe, Go to ImpRec, and click "get imports", then fix dump, and select dumped.exe

4) Back in LordPE, click Rebuild PE, and select dumped_.exe

5) Open dumped_.exe, it should go straight to the game now.

So you didn't have to manually rebuilt the IAT? I just tried this for TPF (same company product) and the program crashes when I run the dumped EXE so I think it needs to be rebuilt by hand. Keep testing yours and let me know if you get any crashes... I'd be very surprised if your EXE ends up fully stable, I'd think that if it works on TEW it should work on TPF/TPB/etc. as well...

I just DLed the latest patch for TEW, and tried to do it following the same steps, but it doesn't work anymore, so it's back to the drawing board

Well, first of all, I don't think you're hitting the OEP, and after you do, then you'll need to re-build the import table by hand I believe. Not back to the drawing board, just keep at it... I'll give it a try this weekend, in the middle of final exams right now.

I still have an unpatched version of TEW, tried exactly this and it doesn't run - NULL pointer exception...
Which OS were you on when you tried this? Some people said it's kind of impossible to dump it on NT/2K/XP. I'm on 2K.

- Fahr

I'm confused about jolopez' post. I've never unpacked anything in my entire life, but I'm just tryin to figure out how to bypass the ELicense password requirement thingy for zMUD . Post a reply if you know how to do this.


P.S. I'm just using this so I can use zMUD for playing Dragonstone (http://www.dragonstone.org).

Fahr, I had the first patch installed when I got it to work, and I'm on XP

Odd... but either way; with this 4th patch it doesn't seem to work anymore... or without it, for that matter.

I'll install Win98 some day and try it there, some people suggested that it's easier, since some NT-specific 'tricks' don't apply there.

Keep posting your progress! For now, you're the only one with valid results

- Fahr

well school is wniding down for me, last couple weeks, so I probably won't have much time to mess around with it for now.

Better off anyway since there's a new "patch" for this stupid game every couple days anyway.

Once we figured out a way to unpack eLicense 4, we can do it every few days, why not

- Fahr

Hey kiesel_lunaris

Have you read the FAQS, you will get no help here unless you make some sort of effort yourself and DONT ASK FOR SOMEONE TO DO THE WORK FOR YOU

/hobferret

hi im new here but i just found out that if you just turn back the system clock before playing TEW you can use the trail version forever so to speak sorry if its a little off topic but its just a loop hole in this particular e-liecense or maybe the program itself I hope it works on everyone elses copy too

Doesn't work always, but methods to completely reset the trial have been posted here. PM me if you want the prog for Win9x/ME (ZapHidden doesn't work on 9x/ME)

- Fahr

Thanks very much to Jolopez, his file was a great help to me, and I'm sure a lot of others. I have no idea how he did it, cause I'm sort of an idiot when it comes to this stuff, but I recognize a good job when it works for me.

-Cariv Ermack.

Огромное спасибо jolopez за триал рестартер для zmud7.05a !!!
Всем привет из России!!!

EDIT Kayaker:
Or as worldlingo.com would say,

Enormous thanks jolopez for trial of restarter for zmud7.05a!!!
To all regards from Russia!!!