hobferret
January 27th, 2004, 09:56
Quote (originally posted by [NtSC]):
Thx!
Well, what I recall from ages back is:
- Start your eLicense protected application
(there should be a vtcpak24.dll in that dir)
- Wait till the nag screen appears.
- BPX on FreeLibrary, then x to get out.
- Press the 'Try' button in that dialog.
- When SoftICE pops up, press F12 to get the caller.
- About 25 lines below you should find a jump.
- Set a breakpoint on that jmp.
- When SoftICE pops up, trace into the jump instruction with F8.
- Now you are at the OEP!
Days back I used IceDump's PEDump to rebuild the IAT, until I met, I guess,
newer protected apps... Those had some reads in the original file (if I recall it right those were Appz). I never investigated more on them, but it could also have been a new method to check if it's still the original, unmodified file.
[NtSC]: Note they now use Elicen40.dll and a temp file, same idea as 24.dll.
If the app has expired, do the following:
Elicen40.dll and its temp file: 70 KB, 09/17/2002.
When at the TRY BUY EXIT LICENSE screen, open the debugger and search for this byte sequence:
83BDE0F0FFFF02
When found, use the second occurrence of the string, i.e. the one after the call.
But set the BPX 3 instructions above the CMP.
EAX must equal 1 and the following memory compare must also equal 1.
It will then JMP at the CMP DWORD PTR [EBP+FFFFF0E0] to the unpacker.
If any errors like INVALID PASSWORD occur, check these:
After the JMP above, note the code location, i.e. 02563B75; add 14AB and you should be at a TEST EAX,EAX following a CALL to 026501B. EAX should equal 1 here and JUMP.
Again, at 02563B75+1DDD there is another TEST EAX,EAX; this also should be EAX=1.
Eventually, after 4 RET instructions, you should arrive back in elicen40.dll; the EP is just a little way down at 02483CCF FF255CF84902 JMP NEAR [0249F85C].
The actual address may be different, but the method will be the same.
/hobferret