From Shub, ArTeam Admin.
Hi all,
this is time I am publishing something interesting from our friend quosego. He’s a talented reverser from SND and he felt that’s time to write something document to share with others.. thanks him, there are not much WinLicense tutorials!
The result is under your eyes, I just edited the template and graphics, no special kudos to me.
The title tells all you need to know: Defeating the Winlicense Main Executable version 2.0.5.0
I hope quosego fill find time and will to write more.
you can download the distribution from here (temporarily from our mirror tutorials server):
Or :
//Themida/Winlicense CryptoCode fixing script by quosego/snd
var repl
var reset
var base
var oep
var first
var addr
var addr2
var addr3
LCLR
log “SnD CryptoCode Fixer.”
log “————-”
GMEMI eip, MEMORYBASE
mov base, $RESULT
mov repl,0
mov reset,base
mov oep,eip
LABELcodec_01:
find base, #68453826786A??6A0?68????????68????????6845382678#
cmp $RESULT,0
je ENDcode_02
mov base, $RESULT
mov addr, $RESULT
mov addr3,addr
mov addr2,addr
add addr3,8
mov temp, [addr3]
and temp, ff
cmp temp, 1
je LABELcodec_03
mov eip, addr2
inc repl
log eip, “CryptoCode function fixed at: ”
add addr, 20
bphws addr, “x”
//sub addr, 8
//asm addr, “call 1613290″ // If you’ve fixed direct API’s you can fix the call here to not execute wsprintfA.
esto
bphwc eip
LABELcodec_03:
mov [addr2], 00eb
inc addr2
mov [addr2], 9090901e
add base,2
jmp LABELcodec_01
ENDcode_02:
cmp repl, 0
je ENDcode_03
log “————-”
log repl, “Total CryptoCode functions: ”
msg “Script has finished, all CryptoCode functions have been fixed.”
mov eip, oep
ret
ENDcode_03:
log “No CryptoCode functions found.”
msg “No CryptoCode functions found, so none were fixed.”
mov eip, oep
ret