Elicense/Vprotect unpacking

[Soul12]

ive been working on : hxxp:// www.ootpbaseball2006.com/
ive unpacked it..found OEP...restored IAT...but yet it fails to run correct.. and im clueless...ive been figthing with it for hours...so if anybody wanna look.. plz do so ive added my "unpacked" files


--Soul12

my unpacked files: http://www.yousendit.com/transfer.php?action=download&ufid=9DE3435548217629

thnx in advance

[haggar]

Hi

I was thinking to try it, but game is too big for dial-up. Do you know some smaller target ~2-3 MB?


Load your unpacked files in Olly, uncheck exceptions and find where it crushing. After it stops on exception, check stack - maybe address in stack is some call that tries to read empty address.
Search for all intermodular calls and check does it have empty ones, wrong , etc...


Posible CRC checks too?

[bengunn]

I'm not sure what he means by vprotect unpacking, the only elicen40 target I ever saw was some virtual destop app called Winspace, but that was in nov 2004 so I don't know if it still has the same protection. Don't remember any particular problems with it, maybe thats where the vprotect? comes in :shrugs:. I'm pretty sure its the same app as this 4.3mb d/l.

http://www.majorgeeks.com/WinSpace_d232.html

[Soul12]

thnx 2 hagger for finding my error... when Program is loaded in a debugger its never Decrypts the .exe Completely..and leaves not only OEP but Large parts of the Program broken... and ive never seen this before... thnx 2 hagger!

[SKiLLa]

PS: any idea yet how the debugger is detected ? rdtsc, GetTickCount ?

Did you try unpacking with the Olly Advanced Plugin activated ?

[Soul12]

nope, but its something to investiage , but i doubt its something olly advanced wont handle if used

[haggar]

Hi guys.

I have no idea why OEP bytes are changed, I didn't go too much into it.

Soul, did you done it with changing that OEP jump to EB FE? Is code section OK now?


Also , be sure that you dump with reeading PE header from disk in both ImpREc and LordPE. eLicense screw PE header. You could fix it manually, but why bother. Check does all imports are ok. Then find where file is crushing.


PS

It installs tree files into rooth folder

lcmmfu.cpl
mmfs.dll
Runservice.exe

and one in temp folder which is registration dialog program.

It also writes key in registry with embedded nulls. Use RegDellNul from sysinternals to remove it. After deinstalling target, all files stay on hard drive and they are set to run at windows start. They could at least remove those files.

[SKiLLa]

thanx for the info haggar; I hate it when programs leave that kind of trash behind Stupid @!#$%^&
It eats up HDD & Mem-space, slows down your system and could even corrupt your Windows in the end

[Soul12]

yes EBFE fixed it all... no more referenced to Bad 0015xxxx sections hehe... i just skipped past it all like you did you can reach OEP by Break on access easy aswell..but its hammered..but i just restored the bytes.. from a Running .exe i dumped... but its alot more then OEP it forgets to fix hehe

[haggar]

Ok than


Btw , I forgot to thanks bengunn for apropriate target - thanks.

[Soul12]

ya im wondering, in begguns case.. the target he talks about my trial is experied... and button is gone... looking for a way to renable... if you know of a easy way let me know trying my luck atm thou , also its should be VTprotect... just names i find in the files.... seems apropriate to mention

[haggar]

[Soul12]

that will moste likely reset trial ...but theres also targets where the button is never there.... ive been looking for a way to activate it....but no luck..its a very long routine

[SKiLLa]

[haggar]