View Full Version : eLicense -> esneciLe


muaddib
12-11-2002, 08:28 PM
This is the thread for discussing the complete reversal of the eLicense software protection system. The first target will be zMUD, available at http://www.zuggsoft.com. Surprisingly, this is one of the few programs I would actually pay for, but the author gave me a free license for helping him with his protection. Sadly, he stuck with eLicense instead of writing his own. I'm sure he will appreciate a whole team of reversers working on eLicense, but as for the company that produces it, I'm not so sure :) I'll see if I can dig out my old copy of the eLicense protector somewhere... if not, it just makes our job more fun =)

muaddib
12-12-2002, 01:33 AM
I forgot to mention that we will be using v6.16 NOT v6.39a BETA. That's all, now I'm about to get started on it.

crUsAdEr
12-12-2002, 02:32 AM
Hi rmlobvx,

I downloaded the program... the protection itself is really weak like you said... It makes no attempt to hide any information from us crackers... the PE header is intact... (gosh, I was scratching my head and thinking LordPE was buggy when I selected BreaknEnter with bpint3 and the program ran on without breaking :)...

After a while I concluded that the DLL does the job of decrypting the exe... unpacking the exe is simple... I put a bpm on the OEP then let it run; the second time the program breaks, the exe is fully decrypted, only the IAT is redirected with a simple xor scheme...

I looked for the IAT redirection routine and found that it uses a DLL created at run time, stored in the temp directory... so I dumped and rebuilt this DLL, disassembled it and found where to patch the IAT redirection; once done our IAT will not be redirected and ImpRec rebuilds it for me fine...

Now the easy part is over. I attempted to look for the license checking routine but alas I found none??? Filemon and Regmon both don't give anything... I found where the nag is called but the routine is REALLY long... the variable list itself is already about 3 pages in IDA :/... and the DLL that I dumped from the temp directory is more than 1 MB :/... I must admit that I am not accustomed to playing with overly bloated code... simple routines look like an MD5 hash now :/... and here I am kinda stumped and unable to locate the license checking routine...

:/... how should I find the license checking routine?

Thanks
crUs...

PS: I am going on a holiday so I'll be back in a short while... keep it up and I'll catch up with ya hopefully :)...

PhotoPaul
12-16-2002, 09:30 AM
crUsAdEr:

If the code is really big, then try to use OllyDebugger to help you analyze it. It happens to have a very good analyzer.

evilTeach
12-20-2002, 12:29 PM
Looks like some of you old ID guys got something new rolling...

Sounds like a worthwhile effort. I also purchased zMUD (YEARS AGO!!!), but don't play MUDs much anymore, so I haven't upgraded my software in a while...

I'm gonna grab the new version this weekend and see if I can contribute to the group's efforts. I've been away from reversing for a little while, but have a 2 week vacation coming up! Only issue is that I'm getting married in 8 days... but I promise I'll try to post anything interesting I find.

-eT

evilTeach
12-20-2002, 08:00 PM
Hey...Looks like Zugg has released version 6.40 as of Dec 18th. I can't seem to find a way to download the old version from his site. Could someone post the v6.16 so others could join in the research?

Thanks!

mala
12-21-2002, 07:01 AM
Hey...Looks like Zugg has released version 6.40 as of Dec 18th. I can't seem to find a way to download the old version from his site. Could someone post the v6.16 so others could join in the research?

Thanks!

Hi! :)
I'll give you more than one way:

1) http://www.google.it/search?q=zmud616&ie=UTF-8&oe=UTF-8&hl=it&lr=
2) http://www.zuggsoft.com/redirect.asp?target=zmud , see the URL and try to connect manually to the ftp you've found, that is ftp://download.elicense.com/pub/zuggsoft/

Why all of this?
- now you have different copies of the same package (why do we have two different files, one exe and one zip, at http://glorglas.dyndns.dk/stuff/ ?)
- now you know an address where some more zmud files are available
- now you know where many elicense programs are stored, to test your findings about the program with other apps.

:D

evilTeach
12-23-2002, 12:57 PM
I actually got it from tucows but didn't post that I got it... figured others might have the same question so I left it...

The info about all the eLicense archives might be useful :)

Crudd
12-23-2002, 03:10 PM
- now you have different copies of the same package (why do we have two different files, one exe and one zip, at http://glorglas.dyndns.dk/stuff/ ?)

The zip file is a 'keymaker' for zMUD. You guys might find the .nfo in the zip to be quite useful for your project.
Crudd

muaddib
12-30-2002, 05:25 PM
OK guys... sorry about this, but we'll be working on zMUD 6.40 now that I'm back and ready to work on this. I have just unpacked everything related to eLicense running in memory. There are a few things you need to unpack. First, unpack elicen40.dll, then that S3VXXXX random one... unpack it as a DLL. Finally, unpack lcmmfu.cpl in c:\windows\system. This is the control panel extension and we'll be using this for making some tools (we're gonna make some fun LM tools! :) Well, I must be off to start reversing these unpacked files some more, I hope to hear from you guys soon! =)

AndreaGeddon
01-06-2003, 06:18 PM
Hey, I've just begun to reverse zMUD. I unpacked the zmud.exe, I found the random DLL (which for me is s1xxxx), nothing strange till now, I only have to rebuild the IAT. However, what's your final goal? To FULLY reverse the eLicense system so you can make unwrappers etc? Hope I'll be useful :) I'm gonna continue my reversing so c u later!
Bye!
AndreaGeddon
ps, hey don't tell me you already finished it off! :-P

X-Factor
01-07-2003, 04:32 AM
I dumped the zMUD 6.40 exe file, which was 6,723kb, and the dump is 6,784kb. This was done by breakpointing on the OEP, changing the jump to eb fb, then LordPE to dump the file. When executed it displays the eLicense menu (free trial, buy etc) but when I click free trial it crashes. Is this a bad dump? Do I need to dump more stuff? What's with the random DLL, do I need to dump it for some reason? Or is it a good dump, but I need to fix the IAT now? Also, if you get a good dump does the trial message at the start disappear or do I have to reverse it? One more thing, if possible does anyone know of a target with earlier versions of eLicense?
Thnx
X-Factor

AndreaGeddon
01-07-2003, 06:09 AM
Well, the dump itself is useless because the IAT is redirected. The random DLL is responsible for IAT building and creating the redirection microroutines. The IAT build routine is from address 2538F52 to 25392F4; it loads a block with all original first thunks encrypted in memory (dynamically allocated), then it decrypts the API name in 253908D (the decryption key appears to be always "rp1041899125", but I didn't study the decrypt algo yet), then gets the address, clears the decrypted API name and creates a microroutine for redirection (microroutine addresses change at every execution). Each API has its own microroutine (but the routines are always the same in their structure). So you simply need to find an easy way to rebuild a working IT.
All this work (IAT building, OEP decryption and program running) happens AFTER you press FREE TRIAL, so I think once you have the exe decrypted and the IT rebuilt you are free from eLicense.
Bye
AndreaGeddon

X-Factor
01-07-2003, 08:43 AM
I could build the IT by using RevirGin; however my main question is how do I get a good dump? And by getting a good dump should the free trial screen show up?

X-Factor
01-11-2003, 09:16 AM
Just ignore my previous statement, I realised everything now. However, I would still be interested to know if anyone has successfully dumped zMUD and got it working, and if so could they please reply how they achieved this (preferably for the new version but 6.16 welcome also).

Thnx

X-Factor

MeaCulpa
01-13-2003, 06:31 AM
Hi All,
I was practising on AutoZip v4.2 and AutoZip 4.3 (which was using an old eLicense)... just to catch up and come up to speed.

The newer eLicense (v4.0) from zMUD v6.16 and zMUD 6.40 does not dump that way. I'm also practising with a smaller image size: the eLicensed tic tac toe from their site.

My problem is this:
I bpx on GetModuleHandleA (looks like FreeLibrary also works reliably) and trace through the kernel32 and s3vxxx temp files up to the elicen40.dll module, which is where we get the OEP.

016F:02483C38 FF9574E2FFFF CALL [EBP+FFFFE274] -----> we land here
016F:02483C3E 898508E4FFFF MOV [EBP+FFFFE408],EAX
016F:02483C44 8B85B0F3FFFF MOV EAX,[EBP+FFFFF3B0]
016F:02483C4A 50 PUSH EAX
016F:02483C4B FF1584914902 CALL [KERNEL32!FreeLibrary]
016F:02483C51 83BD08E4FFFF00 CMP DWORD PTR [EBP+FFFFE408],00
016F:02483C58 750A JNZ 02483C64

Trace on, and we notice the OEP shown below:

016F:02483CC9 5E POP ESI
016F:02483CCA 5D POP EBP
016F:02483CCB 5B POP EBX
016F:02483CCC 8BE5 MOV ESP,EBP
016F:02483CCE 5D POP EBP
016F:02483CCF FF255CF84902 JMP [0249F85C] -----> OEP
016F:02483CD5 5E POP ESI
016F:02483CD6 5D POP EBP
016F:02483CD7 5B POP EBX


I take the jump, and then try to dump. But nothing works?
I've tried 2 methods:
A) straightforward dumping with IceDump, using both /dump and /pedump. /dump produces a file which does not run; it complains about aligning or something like that...
/Pedump reports :

/pedump 400000 4185f4 c:/mud.exe
ICEDUMP: Phoenix : DLL List allocated
ICEDUMP: Phoenix : Failed to rebuild Import table

B) stopping the process with the 'a eip, jmp eip' method and dumping the thread with ProcDump. Both a partial and a full dump crash ProcDump. Killing the runservice and other lic related processes does not make a difference.

I noticed all the exe, dll and cpl files are packed with ASPack (1.08c if I remember correctly) and unpacked everything in the meanwhile... for later interesting work as Muad'Dib stated...

Can someone help me please? How do I correctly unpack these? Or am I a little hasty, and is unpacking not really necessary in the big picture?


Regards,
MeaCulpa

muaddib
01-13-2003, 02:04 PM
This project is going to be more than we bargained for. Here is an email I got from the author:

>> Have you actually tried running zMUD, connected to a MUD, for an extended period with the eLicense unwrapped? If you do, you will discover that zMUD checks to make sure it is still wrapped and checks your system for a valid license even while it is running at random intervals when connected to a MUD. Even my development code, which is never wrapped with eLicense, crashes if my own license expires.
>>
>> It might be possible to track down all of the places that zMUD checks for stuff like this, but the checks are pretty obscure and do not cause any special error messages. It just corrupts memory which eventually leads to an access violation (and probably a corrupt settings file).
>>
>> There isn't any way to completely remove all trace of a license short of reformatting the computer and reinstalling Windows. At least eLicense has never provided me with any method. They have an uninstall program that is linked at http://www.zuggsoft.com/zmud/elicense.htm but it just removes the eLicense control panel. The actual license is still buried somewhere.
>>
>> I have a decent background in encryption myself and so I know quite a bit about how this stuff works. Having looked at lots of alternatives, I still feel that eLicense is one of the best available. There is no way at all to make a program hard to crack unless you have the program periodically check with a remote server to verify reg codes. Anything self-contained to the user's computer is eventually hacked, and once hacked, a program can usually be created to make the process easy to run.
>>
>> The 30-day trial is important to me. I don't want to disable features. In the past I used my own public/private key encryption and then had my own server keep track of the 30-day trial based upon a "system id" algorithm, but it also had problems. Mainly, I just don't want to spend time on this stuff. I have very little time to program as it is and would much rather spend time on adding features. That's why I outsourced this to eLicense, so that it's their problem to fix.
>>
>> The method you mention basically can't be stopped. It will always be possible to grab the image of a program once it is running no matter how it is wrapped. That's why zMUD has the additional checks in it. The combination of the wrapper and the internal checking should eliminate this method. But I'd be happy to hear your additional thoughts on this.
>>
>> Zugg
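An added illustration (written for this thread, not zMUD's or eLicense's code) of the in-process check Zugg describes: hash the program's own code section once at start-up, re-check it at randomised intervals, and stay silent on a mismatch so the reaction is the application's choice. It assumes a GNU/Linux toolchain whose linker provides the __executable_start and etext symbols; the FNV-1a hash and xorshift scheduler are my choices, not anything the page names.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Linker-provided symbols (assumption: GNU/Linux toolchain, GNU ld or lld). */
extern char __executable_start[];   /* first byte of the mapped image   */
extern char etext[];                /* first byte past the code section */

/* FNV-1a: tiny, table-free, and any single changed byte changes the result. */
uint32_t code_hash(const unsigned char *p, size_t n) {
    uint32_t h = 2166136261u;
    for (size_t i = 0; i < n; i++) { h ^= p[i]; h *= 16777619u; }
    return h;
}

typedef struct {
    const unsigned char *base;  /* start of the guarded region                */
    size_t len;                 /* bytes from image start to end of code      */
    uint32_t expected;          /* baseline taken before any patch could land */
    uint32_t rng;               /* xorshift state for check scheduling        */
} guard_t;

/* Take the baseline once, as early as possible after start-up. */
guard_t guard_init(uint32_t seed) {
    guard_t g;
    g.base = (const unsigned char *)__executable_start;
    g.len = (size_t)(etext - __executable_start);
    g.expected = code_hash(g.base, g.len);
    g.rng = seed ? seed : 1u;   /* xorshift must not be seeded with 0 */
    return g;
}

/* 1 if the code section still matches the baseline, 0 if it was modified.
   Deliberately silent: no message box, the caller decides how to react. */
int guard_verify(const guard_t *g) {
    return code_hash(g->base, g->len) == g->expected;
}

/* Ticks until the next check, drawn from [lo, hi] with xorshift32, so the
   checks do not land at a fixed interval that is easy to spot from outside. */
uint32_t guard_next_interval(guard_t *g, uint32_t lo, uint32_t hi) {
    uint32_t x = g->rng;
    x ^= x << 13; x ^= x >> 17; x ^= x << 5;
    g->rng = x;
    return lo + x % (hi - lo + 1u);
}
```

Call guard_init() before the main loop and guard_verify() whenever guard_next_interval() ticks down to zero; a patched byte anywhere in the code section flips the result to 0 without any visible error.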

X-Factor
01-28-2003, 01:40 AM
Well, I haven't really looked at it for a while, been busy reversing other progs and other eLicense versions. I was wondering, before I started again, how exactly you came across finding the IAT redirection and figuring out how to patch the exe. I will look at it as soon as I get the chance, but will be busy atm as school starts again...

X-Factor