More eLicense 4 issues

Fahr
May 23rd, 2004, 06:17
Hello all,

I must admit that I never actually unpacked eLicense 4, since the program I was working on a while back released an update every week or so... I just built a little program (using ZapHidden by someone else, don't remember whom...) that reset the trial each time.

Anyways, I now got something else on my hands and this one promises to be more interesting. Point is; there is NO trial. The only way to run the program is to reg it.
Since the actual program never really runs, I guess it's more or less impossible to dump it from the eLicense nag screen, so I figured I should first get the program to RUN... I also guess that the existence of this 'Trial' button is a param somewhere, but there's prolly more params, like how long the trial should take, etc. I don't think it's possible to 'force' a trial button to appear.

So, I'm stuck. I have no idea what to do next or if this is even possible at all. I could actually BUY the program (not too expensive) and then attempt to dump it once it really runs... but then I might as well just use the regkey I got to further reg it.

So, does anybody know if this is possible and if so, where to start?

Thanks,
- Fahr

hobferret
May 24th, 2004, 09:13
Fahr

Interesting......

Maybe you could PM the target - I'm not going to install it on my PC but on an old one I found in a dumpster

Regards

/hobferret

Fahr
May 24th, 2004, 11:05
Hobferret,

as always #1 to come to the rescue most appreciated.

I sent you a PM with the target details. Thanks a lot!

- Fahr

hobferret
May 25th, 2004, 09:14
Fahr

Check your PM, it's all too easy

Regards

/hobferret

dELTA
May 25th, 2004, 19:18
hobferret, if you found out something interesting about this protection wrapper you are of course welcome to share it with the rest of us, instead of just saying how easy it was...

hobferret
May 26th, 2004, 04:17
Quote (Originally Posted by dELTA):
hobferret, if you found out something interesting about this protection wrapper you are of course welcome to share it with the rest of us, instead of just saying how easy it was...


dELTA

I did not post anything here coz it is really no different to what has been posted in the past - especially the bit about elicense ebooks

Regards

/hobferret

Fahr
May 26th, 2004, 04:21
Related to this issue; I just CAN'T get SoftICE to break on elicen40.dll and I assume that breaking when the dialog is already visible is too late...
Also, OllyDBG (which I use normally) just runs this app without breaking at the EP.
What tool(s) did you use, Hobferret? Cuz I have the feeling I am missing something here...

Thanks,
- Fahr

hobferret
May 26th, 2004, 04:33
Hi all

This is from the PM to/from Fahr

Re: Elicense crap

Quote:
Originally Posted by hobferret
Hi M8

Just follow this and you will be done!

It's written in VB6 so IAT is a piece of cake!

Elicense40.dll 09/17/2002 70KB & spawned temp file

02614BDE 8985E0F0FFFF EAX==1 HERE
02614BE4 8B8594DAFFFF M==1 HERE
02614BEA 898510F3FFFF
02614BF7 0F85DA020000 JNZ - YOU SHOULD AUTO JUMP HERE
0261588E JUMP HERE
026162A3 JUMP HERE
0261889F JUMP HERE
02619128 JUMP HERE - WILL TAKE YOU THRU UNPACKING TO EIP

EIP 0040BE7C

Regards

/hobferret

Looks simple indeed. I assume you did that with SoftICE? Cuz if I try to load it in OllyDBG, it immediately runs :S

I do have SoftICE, but I guess I'll need some pointers on how to load this. Also note that elicen40.dll is packed with some ASPR, also not good for OllyDBG :P

- Fahr

It is quite easy to find this code in Olly - when at NAG screen set BP on DestroyWindow hit Quit - Olly will break on DestroyWindow, then just follow the code thru, I think it appears after 2, maybe 3 Ret's - Don't forget the values of the registers/memory need to be changed

In SICE just load it into the loader and do the same - Don't forget if you are using DS you need to use the ADDR command else it won't break

Regards

/hobferret

Fahr
May 26th, 2004, 04:57
I can't believe it! I actually get a trial reg screen. I guess the EAX and mem changes have something to do with the command that was pressed? As in; 1 = trial, even though the button isn't there? Very cool!

One thing though, in my mem, the mentioned routines are on addresses B0000 below yours, no probs there, I can find all the right code and jumps, EXCEPT this one:

0261588E JUMP HERE

For me it should be at 0256588E, but there's nothing there. Only at 88D:

0256588D 8B95 849EFFFF MOV EDX,DWORD PTR SS:[EBP+FFFF9E84]

The rest of the jumps are all there, as well as the little snippet at the start...

- Fahr

hobferret
May 26th, 2004, 05:32
Fahr

Typo

Shud be 02615B8E - SORRY!!!

Yep if EAX==1 you gotta trial kinda like Vbox idea.

BTW you should not get a trial reg screen, it's probably coz you aint jumped at the one above wot I typed wrronng

Regards

/hobferret

Fahr
May 26th, 2004, 06:22
Cool, it should be working now, thanks

One more q, after the last jump (to the unpack routine, so to say), I put in a

TC EIP < 2500000

seemed like a good idea at the time, since that whole temp module is loaded at 25xxxxx and the OEP is at 0040BE7C. But I guess I missed something again, cuz it seems like tracing takes forever :S

- Fahr

hobferret
May 26th, 2004, 06:25
Quote (Originally Posted by Fahr):
Cool, it should be working now, thanks

One more q, after the last jump (to the unpack routine, so to say), I put in a

TC EIP < 2500000

seemed like a good idea at the time, since that whole temp module is loaded at 25xxxxx and the OEP is at 0040BE7C. But I guess I missed something again, cuz it seems like tracing takes forever :S

- Fahr


Just set a hardware breakpoint on EIP

Remember all elic EP==EP!

/hobferret

Fahr
May 26th, 2004, 06:42
Ah! Of course! That kind of slipped my mind

I DID try a software breakpoint, but that never ends well with self-modifying code.

One more odd issue; I have a dump now, I did a full dump using LordPE when OllyDBG broke on the EP. I then ran the demo of this app (which does run normally) and used ImpRec to capture the import table, which I then applied to my dump. So far, so good.

The IAT fixed dump won't run, gives me an AV error and quits. The raw dump, without IAT fixed, just gives me an error message saying "Invalid data!!!" and then quits :hmm:

I think that maybe I should fix the IAT using the original exe, but I can't get that one to actually run up till the point where I get a main screen. When I press F9 at the EP in Olly, it generates some unhandled exceptions and exits. End of story.

Or maybe that dumped exe without IAT fix is good and just requires some more cracking?

Thanks,
- Fahr

hobferret
May 26th, 2004, 07:15
Hi again

I don't think you will fix anything by running the demo

When you have unpacked the God darn thing and dumped it - run it from there and you have the RIGHT program running

EDIT - Sometimes you can resolve the IAT with the prog locked at EIP - EDIT

Another tip:-
When in temp file you will RET to elicense40.dll @ 02483C3E

Then:-
02483CCF FF255CF84902 JMP NEAR [0249F85C] == 0040BE7C

0040BE7C 68ECE34000 PUSH DWORD 0040E3EC
0040BE81 E8F0FFFFFFFF CALL MSVBM60!ThunRTMain

All addresses except prog are relative to my PC, if you don't have this code at the EP then it has not unpacked

Good nite for now, like I said before this elicense crap pi**es me off, personally I ain't found anything useful wrapped with this pile :!:

Regards

/hobferret

Fahr
May 26th, 2004, 10:04
Ow, then mine is NOT unpacked :S It starts with something completely different!

What went wrong? I followed all the steps and DID land on the EP after the unpack routine... only the code was different.

- Fahr

hobferret
May 26th, 2004, 10:22
Quote (Originally Posted by Fahr):
Ow, then mine is NOT unpacked :S It starts with something completely different!

What went wrong? I followed all the steps and DID land on the EP after the unpack routine... only the code was different.

- Fahr


Fahr

The only thing I can say is this. When you get to:-
02614BDE 8985E0F0FFFF EAX==1 HERE
02614BE4 8B8594DAFFFF M==1 HERE
02614BEA 898510F3FFFF
02614BF7 0F85DA020000 JNZ - YOU SHOULD AUTO JUMP HERE

Trace thru the whole thing manually til you get back into the elicdll and the near jump to the EIP

Or gimme your web space data and I will upload it for you, but this has been done with ME coz that's wot was on the old base unit I found

Regards

/hobferret

Fahr
May 26th, 2004, 16:06
I don't get it

I found the retn to elicen40.dll, I also found the jump to the OEP (it's actually at the same address as in your case), but after I jump to the OEP it is NOT unpacked!

What did I do wrong? :hmm: I changed the EAX to 1 and the memory to 1 one line below it, the JNZ DOES jump, then I fixed the other 4 conditional jumps into JMPs, it DOES enter the unpack routine after the last jump (or so it seems), but the target just doesn't unpack

Am I going nuts here? Or am I still missing something?

Thanks,
- Fahr

hobferret
May 26th, 2004, 16:25
Fahr

The only thing you appear to be doing different is changing the code at the JMP - I only changed the EAX register and the memory below it - When I came to the area where you need to JMP I just changed the register AND I also stepped thru the whole piece till I reached the EIP

So I dunno what you are doing M8 - keep on trying I'm sure you will get there in the end

Regards

/hobferret

Quote (Originally Posted by Fahr):
I don't get it

I found the retn to elicen40.dll, I also found the jump to the OEP (it's actually at the same address as in your case), but after I jump to the OEP it is NOT unpacked!

What did I do wrong? :hmm: I changed the EAX to 1 and the memory to 1 one line below it, the JNZ DOES jump, then I fixed the other 4 conditional jumps into JMPs, it DOES enter the unpack routine after the last jump (or so it seems), but the target just doesn't unpack

Am I going nuts here? Or am I still missing something?

Thanks,
- Fahr

Fahr
May 27th, 2004, 11:34
I just can't get it done :hmm:

Here's step by step what I do;

1) I load the exe into OllyDBG, it immediately runs
2) When the screen appears I type BP DestroyWindow and press the Exit button
3) I land here:

77E14885 > B8 59110000 MOV EAX,1159
77E1488A 8D5424 04 LEA EDX,DWORD PTR SS:[ESP+4]
77E1488E CD 2E INT 2E
77E14890 C2 0400 RETN 4

I put a breakpoint on the RETN and hit F9
4) At the RETN I press F8 and trace through a total of 3 RETNs (including this one)
5) I land here:

02564BDE 8985 E0F0FFFF MOV DWORD PTR SS:[EBP-F20],EAX
02564BE4 8B85 94DAFFFF MOV EAX,DWORD PTR SS:[EBP-256C]
02564BEA 8985 10F3FFFF MOV DWORD PTR SS:[EBP-CF0],EAX
02564BF0 83BD E0F0FFFF 02 CMP DWORD PTR SS:[EBP-F20],2
02564BF7 0F85 DA020000 JNZ s154.02564ED7

I change the value of EAX to 1
6) I press F8 and change the value of the memory to 1, then press F8 twice more and jump (the jump is taken).
7) I put a breakpoint on 0256889D, 0256629C, 02565B87 and 02569121, those are all lines before the conditional jumps.
8) I press F9 and land here:

02565B87 83BD 10F3FFFF 01 CMP DWORD PTR SS:[EBP-CF0],1

There I change the value of EBP-CF0 into 0, the jump is taken.
9) I press F9 and land here:

0256629C 83BD 10F3FFFF 01 CMP DWORD PTR SS:[EBP-CF0],1

The jump is also taken, it checks the same value
10) I press F9 and land here:

0256889D 85C0 TEST EAX,EAX

There I change the value of EAX to 1, the jump is taken.
11) I press F9 and land here:

02569121 83BD 10F3FFFF 01 CMP DWORD PTR SS:[EBP-CF0],1

The jump is taken, once again the same value.
12) I press F8 at the last jump and land here:

02569669 8D8D BCA2FFFF LEA ECX,DWORD PTR SS:[EBP+FFFFA2BC]
0256966F E8 FC9BF9FF CALL s154.02503270
02569674 C645 FC D1 MOV BYTE PTR SS:[EBP-4],0D1
02569678 8D8D BCA2FFFF LEA ECX,DWORD PTR SS:[EBP+FFFFA2BC]
0256967E 51 PUSH ECX

Supposedly the unpack routine.
13) I trace through pressing F8, passing several jumps and RETNs until a RETN to eLicen40.dll, after which I land here:

02483C3E 8985 08E4FFFF MOV DWORD PTR SS:[EBP-1BF8],EAX
02483C44 8B85 B0F3FFFF MOV EAX,DWORD PTR SS:[EBP-C50]
02483C4A 50 PUSH EAX
02483C4B FF15 84914902 CALL DWORD PTR DS:[2499184] ; kernel32.FreeLibrary

14) I trace that one through manually by pressing F8, passing a FreeLibrary and a DeleteFileA until here:

02483CCF -FF25 5CF84902 JMP DWORD PTR DS:[249F85C] ; XXX.<ModuleEntryPoint>

15) After I press F8 I land on the OEP, the code looks like this:

0040BE7C > 56 PUSH ESI
0040BE7D C4FA LES EDI,EDX ; Illegal use of register
0040BE7F 9F LAHF
0040BE80 00E8 ADD AL,CH
0040BE82 F0:FF65 FF LOCK JMP DWORD PTR SS:[EBP-1] ; LOCK prefix is not allowed


What did I do wrong!

Hobferret, thanks for being willing to upload it, but that's only a last resort option... I really want to unpack this one by myself

Thanks,
- Fahr

hobferret
May 28th, 2004, 15:08
Fahr

NOTE:- This guide should only be used for research purposes, it is the user's own choice what he/she uses it for and I can't be held responsible in any way

If you like the program then buy it

Elicense40.dll 09/17/2002 70KB & spawned temp file

02614BDE 8985E0F0FFFF EAX==1 HERE
02614BE4 8B8594DAFFFF M==1 HERE
02614BEA 898510F3FFFF
02614BF7 0F85DA020000 JNZ - YOU SHOULD AUTO JUMP HERE
0261588E JUMP HERE ***CHANGE EIP TO 02616067***
026162A3 JUMP HERE ***CHANGE EIP TO 02618858***
0261889F JUMP HERE ***CHANGE EIP TO 02619121***
02619128 JUMP HERE ***CHANGE EIP TO 02619669***
THEN TIL RETURN @ 02619AE8 RET TO 0264FBF8

0264FBFA JUMP BECAUSE EAX==1
0264FC17 MOV 01h INTO EAX
0264FC76 RET 0C TO 02653163 NOTE ESI==1 & EAX==1
02653169 JMP IS NOT TAKEN
0265316D JMP IS TAKEN
026531A6 MOV EAX 01h
026531AD RET 0C TO 0260C3BD
0260C3BE RET 0C TO Elic.dll @ 02483C3E
02483C58 JMP IS TAKEN
02483C95 CMP DWORD BYTE 00 -- M==025B0000
02483C9C JMP IS TAKEN
02483CAA JMP IS TAKEN
02483CCF JMP PROGRAM EP 0040BE7C

Maybe it's because you are changing the bytes in memory to make the jumps is what is causing the problem. I don't really know why you are having these problems but that is the only thing which comes to mind. All I can say is that it worked the way I have done it. As I have said before I have yet to find any program wrapped with this muck that is of any use to me personally, I am not a "game" fan!

Regards

/hobferret

Fahr
May 28th, 2004, 16:22
Ok, that's it :\

I did EVERYTHING to the LETTER, placing hardware breakpoints to avoid code modification and still no unpack...

I am beginning to think it's an NT specific thing, since there's also calls to the ntdll etc.
I'll try this on 9x/ME and check if that works out. If that also doesn't, I guess I'm going to tear out my hair...

Thanks,
- Fahr

hobferret
May 29th, 2004, 03:33
Fahr

Ok, that's it :\

I ain't gonna try this on XP coz it took forever to get rid of all the crap this stuff leaves behind

I guess that if you can't get it to work on 98/ME you better order a wig

Regards

/hobferret

Fahr
May 29th, 2004, 16:11
Quote (Originally Posted by hobferret):
Ok, that's it :\


As in; OK, that does it, I don't know anymore


Anyways, I installed ME inside VMWare (cool stuff), but OllyDBG says "CAN'T PLACE BREAKPOINT" when I do a BP DestroyWindow.
I searched for a bit online and found on the Olly users forum that Win 9x/ME can't place breakpoints inside system DLLs!

I know this can be done, cuz I remember SoftICE tells you something about it when you install it (to enable setting breakpoints there), but I'd like to know how to do it without installing SoftICE...

I guess you know, since you also managed; so please share

Thanks,
- Fahr

hobferret
May 29th, 2004, 17:06
Fahr

I don't know, never tried to run Olly on 98/ME for the reasons you state, however, have you tried TRW2000?

I would put money on the fact that you can do it with that program, if you are not aware you can load and unload it at will - give it a try

Other than that and SICE I would suggest something like looking in the memory window of Olly for the bytes you need to stop it at, then set a breakpoint on execution

Regards

/hobferret

Fahr
May 30th, 2004, 03:18
The problem is that I can't install a low-level debugger inside a Virtual Machine without severe consequences...

Also; BPX DID work in Olly, I traced it all thru (in WinME), again with the same results

I'm beginning to think it's something with Olly that prevents doing this properly. Which tool(s) did you use to get this done? SoftICE? I have it installed, but I can't step over anything in it (according to the NuMega guides, this is because there is some other driver controlling INT 1 and INT 3 breakpoints and it has some fix involving Vectors, but that's all WAY above my field of knowledge...)

Thanks,
- Fahr

hobferret
May 30th, 2004, 13:56
Quote (Originally Posted by Fahr):
The problem is that I can't install a low-level debugger inside a Virtual Machine without severe consequences...

Also; BPX DID work in Olly, I traced it all thru (in WinME), again with the same results

I'm beginning to think it's something with Olly that prevents doing this properly. Which tool(s) did you use to get this done? SoftICE? I have it installed, but I can't step over anything in it (according to the NuMega guides, this is because there is some other driver controlling INT 1 and INT 3 breakpoints and it has some fix involving Vectors, but that's all WAY above my field of knowledge...)

Thanks,
- Fahr


Fahr

Can you be more explicit about what you are doing - I did it with SICE, however, I tried it with Olly on ME and got the same results as you posted

Regards

/hobferret

Fahr
May 30th, 2004, 15:45
So it IS Olly! I am not going crazy after all and I won't need a wig!

I tried it with SICE on Win2K, but I already plan to install a WinME partition simply for RE purposes.

One thing though; when I BP on DestroyWindow and I step, somehow everything goes wonky on the 3rd line (INT 2E). I had this in both Olly AND SICE. I used to place BPs on the last line (the RET) and then just run, but I guess it should be steppable?

Oh, and another thing, since I am not an expert on SICE; how to change the value of a register/memory? I will need to change EAX, memory and the EIP. I could prolly find this elsewhere in a tutorial if I searched for 5 seconds, but since I'm annoying the hell out of you anyways...

I will let you know how things went with WinME

Thanks,
- Fahr

Jblaze
June 4th, 2004, 11:47
I have an eLicense protected program that doesn't have a try me or trial button on the nag screen, will I still be able to unwrap this?

thanks

Fahr
June 4th, 2004, 11:53
Just read this thread - it's all about it!

But you'll need SoftICE and possibly an installed WinME.

I still have to install WinME, will prolly do so this weekend, so I'll let you know how it worked out.

- Fahr

Jblaze
June 4th, 2004, 15:48
Can't I just use Windows compatibility to make the program think that I'm using Windows ME? When I installed SoftICE it was asking for Windows 95 or 98 and I just switched the compatibility and it worked

Fahr
June 4th, 2004, 15:54
Ugh. I HOPE you're kidding :S

You just can't install a low-level debugger for Win9x/ME on Windows NT without severe consequences.
And I also have SoftICE for NT, but it has some glitches, so I plan to install ME anyways.

And if you don't understand WHY you can't install a low-level debugger like SoftICE on the wrong OS, I think you should read some more tutorials and documents on it before attempting this one - no offence, just an idea

- Fahr

SlantNGo
June 7th, 2004, 17:06
So you got it working with SoftICE but not Olly? I struggled at it with Olly for a few weeks, had some help from hobferret and some others but never did manage to hit the OEP. Specifically, what problem were you having with Olly? I'm trying to figure out if it's an issue with Olly or if I'm just stupid.

Fahr
June 8th, 2004, 01:02
Well, I didn't unpack it at all yet, but hobferret managed to do it with SoftICE and, using the same procedure, not in Olly.

I followed his steps exactly with Olly, I DID hit the OEP, but it was not unpacked at all, all the code was still encrypted, which soon resulted in some errors and a program shutdown.

- Fahr