Richie86’s Life!!

It’s all about me!!

  • Categories

  • Archives

Unpacking Themida/WinLicense 1.8.x

Posted by Richie86 on January 24, 2008

Title: Unpacking Themida/WinLicense 1.8.x
Author: Richie86
Tool Preparation: OD + Phantom + okdodo script + PEiD + ImportRec
Packer Used: WinLicense 1.8.9.0
Software Name: Cpp1.exe
Software Size: 152Kb(Original), 1.37Mb(Packed)
Operating System: Windows XP SP2

Cpp1.exe (Packed) Download
Cpp1_src.exe (Non Packed) Download
———————————————————————————————————-

Software Introduction:
1. OD
Also known as OllyDbg. It’s a 32-bit assembler level analysis debugger. Powerful tool to analyze 32-bit assembler. More info see http://en.wikipedia.org/wiki/OllyDbg

2. Phantom
It’s a plugin for OllyDbg. Used to prevent the OllyDbg from being detected by anti-debugger engine for Themida/WInLicense.

3. okdodo script
This is the unpack script we will use in this tutorial.

4. PEiD
PEiD detects most common packers, cryptors and compilers for PE files. It can currently detect more than 600 different signatures in PE files.

5. ImpportRec
Import Reconstructor is a tool that used to fix the IAT of dump image and reconstruct them.

You can get these tool easily from http://www.unpack.cn

———————————————————————————————————-

Okay let’s get started.

First we have to determine what is the packer first. Drag Cpp1.exe into PEiD. You will need the latest signature database. Here we found it’s pack with Themida/WinLicense 1.8.2.0 above.
PeID
Start your ollydbg, make sure your phantom setting is like below. Configure it by pressing Plugin>Phantom>Option . You will need to restart ollydbg for setting to take effect.
Phantom Setting

After that drag Cpp1.exe into ollydbg. See the yellow line in main thread. B8 00 00 00 60, common entry point used by Themida/WinLicense.
load.jpg
Pressing ALT+M to switch into Memory Map tab. Drag down a little bit the list and you will found msvcrt on PE Header. Shows that this EXE is using C++ Runtime.
C++

Let’s continue. Run okdodo script by pressing Plugin>ODbgScript>RunScript>then select okdodo.osc

The script will automatic run. After you being prompt that the script has completed. The debugger will stop at the OEP (Original Entry Point) of your EXE.
oep.jpg

Take note of the OEP address above. We will using it later on. 00401151
Next we will try to dump the image out. Do NOT close OllyDbg yet.
Open your importRec. Attach the process to the Cpp1.Exe in the list.

Then you will see in the status box. Image Base: 00400000. So calculate the OEP by 00401151-00400000 = 1151
Fill in into the OEP box and press IAT Auto Search. It will inform you that the OEP is found.

Press Get Import to get all import function. From the Imports status, shows that valid:YES. Which means all imports function pointer are match.

So dump the image by RightClick>Advanced Commands>Select Code Section(s)
imprec.jpg

Press Full Dump. then save it at somewhere as cpp1_dump.exe
dumped.jpg

Then continue to reconstruct the dump base on new OEP. At main menu. Press Fix Dump, then select the dump image cpp1_dump.exe we create just now.
fixdump.jpg

After reconstruct. New image cpp1_dump_.exe is created. And now try to open the cpp1_dump_.exe and you will see you are sucessfully unpacked it.
done.jpg

Credit: okdodo for the script. unpack.cn for the resources.

Posted in Reverse Engineering | 108 Comments »

Richie86 Boxes Game

Posted by Richie86 on December 24, 2007

This is the game that created by me, you need some logic thinking and patient only able to solve it. It’s kind of puzzle game.. If you having problem for running it, install .net Framework 2.0 that can be downloaded from Microsoft.

After few update, it’s quite hard to hack this game anymore. In Version 3.0 you can just simply load it in olly and find the boolean value refer by the function called each time you press a box. But now you have more thing to do to exploit it, and the most difficult is.. you have to bypass the validation of simulation, you can cheat by change all box to black which is very simple, but during simulation it will replay whatever step you had made and that time it will know whether you cheat or not.

Score evaluate by recording your startup time and the time where you solve the game. May be you will think of freezing the time or change it though system clock, try it and see what happened.

Offline Database (score.dll) is just using MS Access without password protect but you can’t just modify your score there.

Download Link:

Game program:
http://hoangyuh.googlepages.com/Richie86BoxesGame3.5.rar

Replay Script Collection:
http://hoangyuh.googlepages.com/RBGSCollection.rar

Main Interface

Online Ranking

Simulation Playback

Change log:
Version 3.5
– Tweaked simulation speed
– Fixed threading problem in simulation

Version 3.4
– Introducing Simulating Engine
a) Anti-Hack Mode
b) Replay Mode
– Minor bug fixed

Version 3.3
– Quick fix on ranking system

Version 3.2
– Added a mini Anti-Hack Mechanism
– Exe packed!
– Improved Synchronizing System

Version 3.1
– Fixed some bugs
– Added mini Anti SQL Injection Engine
– Added restart button

Version 3.0
– Introducing Ranking System
– Introducing Anti-Cheat System (Try to cheat and see :P)
– Introducing Online Database Synchronizing Support
– Improving GUI, Help menu added with tutorial and hint
– Added Automated MSN Adding Feature

Version 2.0
– Remodify Score Evaluating System
– Improving game difficulty to 5×5 boxes game

Version 1.0
– Original 3×3 boxes game
– Introducing Score Evaluating System

Posted in Programming | Tagged: , | 2 Comments »