Richie86’s Life!!


Unpacking Themida/WinLicense 1.8.x

Posted by Richie86 on January 24, 2008

Title: Unpacking Themida/WinLicense 1.8.x
Author: Richie86
Tool Preparation: OD + Phantom + okdodo script + PEiD + ImportRec
Packer Used: WinLicense 1.8.9.0
Software Name: Cpp1.exe
Software Size: 152 KB (original), 1.37 MB (packed)
Operating System: Windows XP SP2

Cpp1.exe (Packed) Download
Cpp1_src.exe (Non Packed) Download
———————————————————————————————————-

Software Introduction:
1. OD
Also known as OllyDbg. It is a 32-bit assembler-level analysis debugger and a powerful tool for analysing 32-bit code. More info: http://en.wikipedia.org/wiki/OllyDbg

2. Phantom
It is a plugin for OllyDbg, used to prevent OllyDbg from being detected by the anti-debugger engine of Themida/WinLicense.

3. okdodo script
This is the unpack script we will use in this tutorial.

4. PEiD
PEiD detects most common packers, cryptors and compilers for PE files. It can currently detect more than 600 different signatures in PE files.

5. ImportRec
Import Reconstructor is a tool used to fix the IAT of a dumped image and rebuild it.

You can get these tools easily from http://www.unpack.cn

———————————————————————————————————-

Okay let’s get started.

First we have to determine which packer was used. Drag Cpp1.exe into PEiD (you will need the latest signature database). Here we find it is packed with Themida/WinLicense 1.8.2.0 or above.
[Screenshot: PEiD detection result]
Start OllyDbg and make sure your Phantom settings match the screenshot below. Configure it via Plugin>Phantom>Option. You will need to restart OllyDbg for the settings to take effect.
[Screenshot: Phantom settings]

After that, drag Cpp1.exe into OllyDbg. Look at the yellow line in the main thread: B8 00 00 00 60, a common entry point used by Themida/WinLicense.
[Screenshot: load.jpg, the entry point in OllyDbg]
Press ALT+M to switch to the Memory Map tab. Scroll down the list a little and you will find msvcrt on a PE header, which shows that this EXE uses the C++ runtime.
[Screenshot: msvcrt in the memory map]

Let's continue. Run the okdodo script via Plugin>ODbgScript>RunScript, then select okdodo.osc.

The script runs automatically. Once you are prompted that the script has completed, the debugger will be stopped at the OEP (Original Entry Point) of your EXE.
[Screenshot: oep.jpg, the debugger stopped at the OEP]

Take note of the OEP address above, 00401151. We will use it later on.
Next we will dump the image. Do NOT close OllyDbg yet.
Open ImportRec and attach to the Cpp1.exe process in the list.

In the status box you will see Image Base: 00400000, so calculate the OEP (as an RVA) by 00401151 - 00400000 = 1151.
Fill that into the OEP box and press IAT Auto Search. It will inform you that the OEP was found.

Press Get Imports to retrieve all imported functions. The Imports status shows valid:YES, which means all import function pointers match.

Then dump the image via RightClick>Advanced Commands>Select Code Section(s).
[Screenshot: imprec.jpg, ImportRec with the imports resolved]

Press Full Dump, then save it somewhere as cpp1_dump.exe.
[Screenshot: dumped.jpg, the full dump saved]

Then reconstruct the dump based on the new OEP: in the main menu press Fix Dump, then select the dump image cpp1_dump.exe we just created.
[Screenshot: fixdump.jpg, Fix Dump in ImportRec]

After the reconstruction, a new image cpp1_dump_.exe is created. Now run cpp1_dump_.exe and you will see that it has been unpacked successfully.
[Screenshot: done.jpg, the unpacked program running]
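To make the header-level part of this procedure concrete (the B8 00 00 00 60 entry stub, the image base, and the OEP-minus-image-base subtraction that ImportRec's OEP box needs), here is an added Python triage script; it is not part of the original post and not an okdodo or ImportRec tool. It parses a PE32 header, locates the entry point through the section table and flags the Themida/WinLicense-style stub as a triage hint; since Cpp1.exe is no longer available, it builds a constructed minimal PE32 in memory, and all function and field names are my own.

```python
import struct

# Entry-point stub the post identifies as common for Themida/WinLicense-packed
# executables: B8 00 00 00 60 (mov eax, 60000000h).
THEMIDA_ENTRY_STUB = bytes.fromhex("B800000060")


def build_sample_pe(image_base, entry_rva, entry_bytes):
    """Construct a minimal PE32 image in memory (constructed test input, not a
    real binary): DOS header, PE signature, COFF header, optional header and one
    section whose raw data holds entry_bytes at the entry point."""
    sec_rva, sec_raw_ptr, sec_size = 0x1000, 0x200, 0x200
    dos = bytearray(b"MZ" + b"\x00" * 62)
    struct.pack_into("<I", dos, 0x3C, 0x40)                 # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                   # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)              # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, image_base)             # ImageBase
    sect = struct.pack("<8sIIIIIIHHI", b".text", sec_size, sec_rva, sec_size,
                       sec_raw_ptr, 0, 0, 0, 0, 0x60000020)
    header = bytes(dos) + b"PE\x00\x00" + coff + bytes(opt) + sect
    header += b"\x00" * (sec_raw_ptr - len(header))
    raw = bytearray(sec_size)
    off = entry_rva - sec_rva
    raw[off:off + len(entry_bytes)] = entry_bytes
    return header + bytes(raw)


def parse_pe(data):
    """Read image base, entry-point RVA and the section table of a PE32 file."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ/PE file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("PE signature missing")
    num_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    opt = e_lfanew + 24
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 is handled here")
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    image_base = struct.unpack_from("<I", data, opt + 28)[0]
    sections = []
    for i in range(num_sections):
        name, vsize, va, rawsize, rawptr = struct.unpack_from(
            "<8sIIII", data, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\x00").decode("ascii", "replace"),
                         "va": va, "vsize": vsize, "rawsize": rawsize,
                         "rawptr": rawptr})
    return {"image_base": image_base, "entry_rva": entry_rva,
            "sections": sections}


def rva_to_offset(rva, sections):
    """Map an RVA to a file offset through the section table; None if unmapped."""
    for s in sections:
        if s["va"] <= rva < s["va"] + max(s["vsize"], s["rawsize"]):
            return rva - s["va"] + s["rawptr"]
    return None


def oep_rva(oep_va, image_base):
    """The subtraction ImportRec's OEP box needs: 00401151 - 00400000 = 1151."""
    if oep_va < image_base:
        raise ValueError("OEP lies below the image base")
    return oep_va - image_base


def triage(data):
    """Report where the entry point is and whether it starts with the
    Themida/WinLicense-style stub (a triage hint, not proof of the packer)."""
    pe = parse_pe(data)
    off = rva_to_offset(pe["entry_rva"], pe["sections"])
    stub = data[off:off + len(THEMIDA_ENTRY_STUB)] if off is not None else b""
    return {
        "image_base": pe["image_base"],
        "entry_va": pe["image_base"] + pe["entry_rva"],
        "entry_rva": pe["entry_rva"],
        "entry_bytes": stub.hex(),
        "themida_style_entry": stub == THEMIDA_ENTRY_STUB,
    }


if __name__ == "__main__":
    # Constructed samples: one with the packer-style stub, one with a plain
    # "push ebp / mov ebp, esp" prologue, both at the post's OEP 00401151.
    for label, entry in (("packed-style", THEMIDA_ENTRY_STUB),
                         ("plain", bytes.fromhex("558BEC6AFF"))):
        r = triage(build_sample_pe(0x400000, 0x1151, entry))
        print(f"{label}: entry VA {r['entry_va']:08X}, bytes {r['entry_bytes']}, "
              f"Themida-style {r['themida_style_entry']}")
    print(f"OEP RVA for ImportRec: {oep_rva(0x401151, 0x400000):X}")
```

Feed `triage()` the bytes of any real PE32 file to get the same report; a match on the stub only says the entry looks like the packer's, so confirm with PEiD signatures as the post does.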

Credit: okdodo for the script, unpack.cn for the resources.


107 Responses to “Unpacking Themida/WinLicense 1.8.x”

  1. MrFlame said

The unpack.cn doesn't work, so try to upload it for us..

  2. Richie86 said

you mean the link doesn't work for you? If you are looking for the script, here it is.
http://www.sendspace.com/file/991eal
Try it; different versions might require different scripts. If only I knew how to unpack manually like those experts.

  3. aRkAiNe said

hi there, can you please upload the okdodo.osc script again?
the link is dead :(
and can I have a copy of your PEiD ;D
thanks

  4. Richie86 said

    Here is the script.. Save it

    /*
    Script written by okdodo 2007/03
    Tested for themida IAT restore and OEP find~

    Ollyice: Ignore all exceptions (add 0EEDFADE,C0000005,C000001E)
    HideOD : Check HideNtDebugBit and ZwQueryInformationProcess(method2)

    Test Environment : Ollyice 1.1 + HideOD
    ODBGScript 1.52 under WINXP
    Thanks :
    kanxue - author of HideOD
    hnhuqiong - author of ODbgScript 1.52
    */

    data:
    var cbase
    var csize
    var dllimg
    var pmbase
    var apibase
    var mem

    // code section base/size and the base of the memory block containing eip
    gmi eip,CODEBASE
    mov cbase,$RESULT
    gmi eip,CODESIZE
    mov csize,$RESULT
    gmemi eip,MEMORYBASE
    mov dllimg,$RESULT
    log dllimg

    findapibase:
    // run to GetLocalTime, VirtualAlloc and LoadLibraryA in turn; the value
    // VirtualAlloc returns in eax is the block the packer uses for its API data
    gpa "GetLocalTime", "kernel32.dll"
    mov tmpbp,$RESULT
    cmp tmpbp,0
    je stop
    bphws tmpbp ,"x"
    esto
    bphwc tmpbp
    rtu
    gpa "VirtualAlloc", "kernel32.dll"
    mov tmpbp,$RESULT
    cmp tmpbp,0
    je stop
    bphws tmpbp ,"x"
    esto
    bphwc tmpbp
    rtu
    mov apibase,eax
    log apibase
    gpa "LoadLibraryA", "kernel32.dll"
    mov tmpbp,$RESULT
    cmp tmpbp,0
    je stop
    bphws tmpbp ,"x"
    esto
    bphwc tmpbp
    rtu

    findVirtualAlloc:
    // break on the routine inside apibase that matches this byte pattern
    find apibase,#558BECFF7514FF7510FF750CFF75086AFFE8090000005DC21000#
    mov tmpbp,$RESULT
    cmp tmpbp,0
    je stop
    bphws tmpbp ,"x"

    iatloop:
    // each hit: keep the return address, loop until the IAT-processing code
    // (pattern 50516033C0) is present in the packer's memory block
    esto
    mov tmp,[esp]
    find dllimg,#50516033C0#
    cmp $RESULT,0
    jne iatpatch
    jmp iatloop

    iatpatch:
    // patch the conditional jumps of the IAT-processing routine
    bphwc tmpbp
    find eip,#C21000#
    bphws $RESULT,"x"
    esto
    bphwc $RESULT
    sti
    mov tmpbp,tmp
    find tmpbp,#0F850A000000C785#
    mov tmpbp,$RESULT
    mov [tmpbp],0A0EEB
    find tmpbp,#0F84390000003B8D#
    mov tmpbp,$RESULT
    mov [tmpbp],3928EB

    // allocate a stub that stores the resolved API address and rewrites the
    // call/jmp to FF15/FF25, then hook the routine into it
    alloc 1000
    mov mem, $RESULT
    log mem
    mov tmp,mem
    mov [tmp],#A3000000008908ADC746FC00000000E90000000050A1000000008907807FFFE8750866C747FEFF15EB0666C747FEFF2558E90000000050A100000000894701807FFFE8750866C747FFFF15EB0666C747FFFF25580F8500000000E90000000083C704E900000000#
    mov memtmp,tmp
    add memtmp,100
    add tmp,1
    mov [tmp],memtmp
    add tmp,15
    mov [tmp],memtmp
    add tmp,22
    mov [tmp],memtmp
    mov tmp,mem

    find tmpbp,#8908AD#
    mov tmpbp,$RESULT
    mov addr1,tmpbp
    add addr1,0A
    eval "jmp {tmp}"
    asm tmpbp, $RESULT

    find tmpbp,#E92400000058#
    mov tmpbp,$RESULT
    add tmp,14
    eval "jmp {tmp}"
    asm tmpbp, $RESULT

    find tmpbp,#0F851800000083BD#
    mov tmpbp,$RESULT
    mov addr3,tmpbp
    add addr3,06
    add tmp,22
    eval "jmp {tmp}"
    asm tmpbp, $RESULT

    find tmpbp,#884704#
    mov tmpbp,$RESULT
    mov addr2,tmpbp
    add addr2,03
    mov [tmpbp],#909090#

    find tmpbp,#ABAD#
    mov tmpbp,$RESULT
    mov [tmpbp],#90#

    add tmpbp,9
    add tmp,29
    eval "jmp {tmp}"
    asm tmpbp, $RESULT

    // fill in the stub's jumps back into the original routine
    mov memtmp,mem
    add memtmp,0F
    eval "jmp {addr1}"
    asm memtmp, $RESULT
    add memtmp,22
    eval "jmp {addr2}"
    asm memtmp, $RESULT
    add memtmp,23
    eval "jne {addr2}"
    asm memtmp, $RESULT
    add memtmp,06
    eval "jmp {addr3}"
    asm memtmp, $RESULT
    add memtmp,08
    eval "jmp {addr1}"
    asm memtmp, $RESULT

    find eip,#C7010000000083C104#
    mov tmpbp,$RESULT
    add tmpbp,14
    bphws tmpbp,"x"
    esto
    bphwc tmpbp

    mov tmp,cbase
    add tmp,csize

    findoep:
    // memory breakpoint on the code section: run until eip lands inside it
    bprm cbase,csize
    esto
    bpmc
    cmp eip,tmp
    ja findoep
    msg "script finished,check the oep place by yourself~"
    ret

    stop:
    pause

    apierror:
    pause

  5. Dhiru said

    Hi Richie! When i run the okdodo script it gives me an error “Error on line 16 Text: “getlocaltime”, “kernel32.dll”

  6. Richie86 said

    what Windows are you running?
    GetLocalTime is a function in the Windows API,
    supported by Windows Vista, Windows XP, or Windows 2000 Professional.
    see http://msdn.microsoft.com/en-us/library/ms724338(VS.85).aspx

  7. Dhiru said

    I am using Windows XP Service Pack 2. I have tried to use other versions of the script but I don't get any script-completed message after the script is run.

  8. Richie86 said

    do you use Phantom? or another type of stealth approach?

  9. Dhiru said

    I am using OllyDbg 1.10 downloaded from the official site. With it, I am using the PhantOm plugin v1.20.

  10. akumaduma said

    @ Dhiru:

    there’s a character syntax error with the double-quotes in the script you’re using because you copy/pasted it from the example above.

    open it in notepad and replace all instances of left and right double quotation marks with neutral (vertical) ones.

    then save and it should work.

  11. Richie86 said

    my bad =.=”

  12. alimz said

    hmm, I still have a problem… I can't get the OEP because the program asks for a key before running..
    can you help me, Richie?

  13. Richie86 said

    maybe you are trying to unpack a newer version?

  14. Lalipa said

    Hi Richie86 & thanks 4 share
    ah |!| problem with Error on line 16 Text: “getlocaltime”, “kernel32.dll”
    plz solution for this problem

    —————————————————————————–
    there’s a character syntax error with the double-quotes in the script you’re using because you copy/pasted it from the example above.

    open it in notepad and replace all instances of left and right double quotation marks with neutral (vertical) ones.

    then save and it should work.
    ——————————————————————————

    Not working?

  15. Richie86 said

    http://www.sendspace.com/file/b7vb55
    here it is. host it somewhere else.

  16. aLimz said

    hmm, can you try checking it?
    http://download.twinr.net/twinr/TwinRSEA159.rar

  17. Richie86 said

    Cabal hack =.="
    Probably a newer version, because the PEiD signature only detects 1.8.x onward, which means it could be 1.9.x too,
    and the script only works for the old version

  18. albert said

    i don't know why, but I can't run the okdodo script by pressing Plugin>ODbgScript>RunScript> then select okdodo.osc as you said. did I do something wrong?

    i have downloaded all the things that are needed but it's not showing me the plugin, pls help……..

  19. ncvnmarket said

    Hi Richie86,
    I'm trying to crack twinrNA1.59. Maybe it was packed by Themida/WinLicense 1.8.2 or 1.9. I know the offset to modify, but the big problem is I can't unpack it. Can you give me a hint?

    Here is the link
    http://download.twinr.net/twinr/TwinRNA159.rar

  20. Tom said

    scripts made by “Computer Angel” will work on 1.9.x versions, and are available on tuts4you.com.
    http://www.tuts4you.com/download.php?view.1855
    http://www.tuts4you.com/download.php?view.2114

    on that twinR file posted above, it still doesn’t go past the nag screen asking for the license, so don’t know what to say for you. maybe richie can shed some more light on it.

    albert, do you have the ODbgScript plugin? that wasn’t listed at the top of the page, but it is also a required plugin.

  21. Richie86 said

    Try a different script; the script posted here was used long, long ago and probably doesn't work anymore. And try to get a few stealth plugins as well. unpack.cn has a few threads discussing Themida, so maybe you guys can have a look over there.

  22. ncvnmarket said

    Hi Tom and Richie,
    I tried several scripts but none passes the nag screen asking for the license (like Tom said), so that's why I can't find the OEP.

    Do you have any hint to bypass the nag screen popping up?

    Thanks guys!

  23. Richie86 said

    I remember that someone on unpack.cn mentioned that the script won't work if there is any pop-up window for WinLicense. The way to fix it is to use some script and then manually unpack it in Olly. I'm not sure about the details; you have to check it out at unpack.cn

  24. ncvnmarket said

    I got the OEP after running the Themida script + IAT repair (of course with a license to solve the pop-up window). umm, but now I have a problem with dumping the file.
    Run UIF to fix
    Run ImportRec
    put OEP-imagebase in the OEP box
    click IAT search->good
    click import->yep I got everything->Valid
    Dump file, fix dump
    However, when I run the dumped file nothing happens

    I don’t know how to fix it!
    Can you give me a hint?
    Thanks Richie

  25. albert said

    hi Richie, thx for the help, I have found the plugin for ODbgScript but now I have a new problem: after I run the script it shows me the OEP which is 009D8E63, how do I deduct this num from 4000000? teach me pls……………

    below is the link for the pics I created for you to see, pls help me……….

    thx in advance……….

    http://rapidshare.com/files/131572965/Pictures.rar.html

  26. Tom said

    I wish i could help. I can see this same file was posted by “tarc” on unpack.cn, but I can’t read Chinese and google translator isn’t working so great for me. I would recommend pming him, but judging by his other posts, he doesn’t like helping people, only getting help for himself.

  27. Tom said

    on second thought, if you have a working license, you should be able to use “themida unpacker” by okdodo. it’s kind of like unthemida 2.0, but better. it does everything for you and should output a working file. if you figure out a way to get it without a license, let me know. I’m curious. :)

  28. Richie86 said

    Sorry Tom, I don't mean I don't like helping people.. I was using a previous version of WinLicense + no pop-up menu + a script that works for the old version in this example, that's why it works.. However, the problems posted in the comments refer to higher versions of WinLicense. I stopped researching unpacking temporarily after posting this thread, for quite a long moment. Here are a few points that I knew previously.

    1. A pop-up menu makes it harder to unpack
    2. If the VM technology is used, it's even harder to unpack
    3. If the file packed is a DLL, the method to unpack would be different (I failed last time when I posted in unpack.cn)
    4. The latest PEiD signature that you can get from unpack.cn cannot show exactly which version of Themida/WinLicense it is, because the signatures of a few versions look more or less the same. (Reason that certain scripts might not work because of the wrong version)
    5. If you are able to load your exe in Olly without getting "thread terminated" halfway, that means you have passed the part where you need a certain plugin to bypass or stealth Olly from being detected when it tries to debug the running program.
    6. If I know more I will post here..

  29. Richie86 said

    To albert.. what script are you using?

  30. Tom said

    no, no. I didn’t mean you Richie. I’m sure you’ve helped many people. :) and nice blog you have here.

    I meant this person named “tarc.” I can see him posting on unpack.cn asking for and receiving help with this file. but on other forums, he tells people to not pm him because he will help nobody. lol. That kind of irony just makes me laugh.

    according to the PEiD signatures that I have, it’s packed with themida version 1.8.0.2

  31. albert said

    thx for the fast reply…

    i use Themida OEP Finder + IAT Repair v0.2

  32. Richie86 said

    Sorry TOM, I was mistaken.. Can you post the link for me?? because tarc <– seems like my college name, I wonder who that is..

    To Albert: I can't give an exact answer for your case because I didn't work on the latest WinLicense..
    I will pay a visit to unpack.cn when TOM passes me the link.. and see if I find any idea, and I will post it here too.

  33. Tom said

    well, it’s difficult because i came across his posts in various threads while browsing. Here’s a link to a thread he started, and it discusses a bit about this file and the license issue.

    http://www.unpack.cn/viewthread.php?tid=26868

    I know he’s made other posts about it, just can’t be bothered to browse through so many again. I dont think it’s you though. :P

  34. ncvnmarket said

    “themida unpacker” ?
    can u give the link to download Tom?

    thx

  35. Richie86 said

    Interesting… from the thread you posted to me, he seems to get rid of the timer protection by using Regshot.. take a snapshot on a clean computer that hasn't run the software, then run it and note the registry changes, and just remove that one.

  36. Tom said

    ncvnmarket…. http://rapidshare.com/files/98014446/TheMida_WinLicense_Unpacker_v2.0.rar

    not uploaded by me, so that extra stuff in there, just ignore.

    Richie, that is interesting. I wouldn’t think that would work so easily, but I guess it’s worth a shot. If ncvnmarket has a working license, he should be able to do that pretty easily.

  37. Richie86 said

    yeah, from the post he has the working license but it just expired. I think it's something like.. Time execution expiration, maybe.

  38. ncvnmarket said

    Wow, perfect!
    Thanks Richie a lots
    Now I have to probe the file and find right offset to crack!

    :)

  39. Richie86 said

    Good Luck and all the best to you :D

  40. Tom said

    ncvmarket, which key was it? I see 22 keys added, but deleting them all still says license expired.

  41. Richie86 said

    erm, no idea, I never tried.. Are you trying on a clean computer, which hasn't run it before?

  42. Tom said

    yeah, i was asking ncv, since he seems to have found it. And yes, it was a clean comp. It showed the changes, but it was a ton of stuff. I just deleted the new reg keys that were added, but still says that the license expired.

  43. Richie86 said

    erm, do you think it's possible they check like… when you run it.. it saves a log somewhere that it has written to the registry, and when you run it next time it will check: if the registry content is clean but somehow the log shows you should have some entry in the registry, therefore it expires it?

  44. Tom said

    yes, that’s exactly what i think. and that what it seems to imply as well on the winlicense website. but if ncv and tarc found it or did something else, i’d like to know. :)

  45. Richie86 said

    There is a tool from Sysinternals which allows you to monitor file activity.. I forgot the name..

  46. reversengineering said

    hi
    this link Cpp1_src.exe (Non Packed) Download is not there anymore
    thanx

  47. Richie86 said

    Sorry, it's just a proof-of-concept program.. I don't have a backup of it on my computer either :(

  48. Me said

    Would you mind sharing iceodbg?

  49. Kabos said

    Hello, every one.
    What a nice topic! I have been trying to unpack this kind of protection for three months but, alas, no way. It has driven me mad.
    It works fine in my Olly, I have lodered my debuggy software, but some features were not activated.
    If you allow me to put a link for that program, I'll be so happy. I guess you don't mind if I do.

    Link:

    http://fs06n4.sendspace.com/download/lite/84e1a85468dadbdb6ee6e356c5983f96/487fd073/e9xrlw/3c12d003b33cf0350fee1e54003523cc/fxp7Nnp4dlVPBmR1fWpHdF0HZm5tJURmMH5taGsqbXJrTil1Kg==/ELWAVE90cRetailOnlineSetup.exe

    Plz! Any one help me unpacking that tagged file, or tell me what to do,

    God bless you all.

    Regards

  50. Richie86 said

    Reply to #48
    I will upload it when I'm free.

    Reply to Kabos
    what features were not activated?

    Reply to Colin
    Your comment is missing. Do you know how to load a DLL in Olly?
    When targeting with ImpRec.. target Olly and select Pick DLL, then choose the loaded DLL there.

  51. Richie86 said

    erm, I lost the Olly file.. IceOlly is actually a plugin to hide Olly.. try the file I uploaded.. add it to your Olly plugins.

    http://www.sendspace.com/file/hyecvg

  52. Kabos said

    Thanks Richie86 for your reply.

    Well, the features not active are analysing, expert advisor…etc.

    You can check them in the About window. I've bypassed no license, but still can't analyse. I always get this message "Automatic module is required". Older versions work fine. "Cracked by unknown".
    The problem is in tracing that msg.

    So, plz! tell me how I can unpack it. I've managed to get it working by lodering, not by unpacking.

    ThanX Richie again, and may God bless all good people like you.

    Regards

  53. Richie86 said

    can't analyze? Is the "Automatic module is required". Older versions work fine. "Cracked by unknown" message from the Olly script? Maybe it works for a previous version of WinLicense?

  54. Me said

    Thanks Richie86, I just found okdodo’s plugin on unpack.cn and was trying it out when I realized that was what I saw in your SS.

  55. Kabos said

    can’t analyze? The “Automatic module is required “. Older versions works fine. ” Cracked by unknown” message is from olly script? Maybe it work for previous version of winlicense?

    Richie86, I meant that the program being debugged can’t analyse. It’s a stock program. This program is encrypted with winlicense. Olly works fine.

    Regards

  56. albert said

    hi richie n tom, pls take a look at this thread……..

    it's giving a tutorial on how to unpack WinLicense but I could not understand it, maybe you could make a tutorial for it……….

    thx in advance………

    http://www.unpack.cn/viewthread.php?tid=21921&extra=&page=1

  57. Richie86 said

    I think that is a bypass for when you are trying to open a program that is fixed to a certain hardware ID.

  58. Kabos said

    Yeah albert, I think Richie can do that.

    Unpack.cn uses credits or points in order to download a file or an attachment. I don't have enough points to do that. So, plz! Richie or anyone, do us a favour and show us the road.

    Regards

  59. albert said

    hi kabos!!!!!!!

    below is the attachment for the thread I provided, I hope someone can give me a better tutorial on how to unpack it……

    http://rapidshare.com/files/133807570/tut.rar.html?killcode=3756218707822386330

  60. albert said

    hi richie!!!

    i just unpacked the WinLicense by purchasing it for a week's time, then I used the WINLICENSE UNPACKER to unpack twinrsea2.0 but got some kind of error msg, can you help me out……

    below is the link

    thx in advance…………

    http://rapidshare.com/files/133855940/twinrsea2.0.rar.html

  61. Richie86 said

    I don't think you can unpack it in a legitimate way by purchasing it. Sorry, I haven't had time to look into the tutorial yet, recently I was busy with work.

  62. oren_studio said

    Albert, it seems that you and I are working on the same target. wanna join forces? lol

  63. reversengineering said

    thanx man for ur answering
    ok not problem
    good luck
    http://reversengineering.wordpress.com
    best regards

  64. HelloWorld said

    I can’t run the script on ollydbg. anyone can help?

  65. Tom said

    i haven't looked at the file yet, but I'm guessing it's a new version of Themida. I posted links above to scripts that work on newer versions.

    Bypassing WinLicense can be a pain if you don't have a legit license for your computer. I wish I could tell you how to do it, but I don't know.

  66. SoccerMan said

    Hello guys,
    I'm back…We all have the same target, twinr2.x. It was packed by the newest version of Themida, so even though I have a legit license I can't find the right OEP…

    Any guys here have ideas?

    LinkInfo 9.0
    Themida/WinLicense
    Compiler Windows Visual C/C++

    Thx

  67. medic said

    nice tut, but are there any tuts on how to find the OEP manually, m8?

  68. Tom said

    @SoccerMan, I’ve already posted a script for it on here. If it doesn’t work, there are other scripts on that site that may work:
    http://www.tuts4you.com/download.php?view.1855

  69. matrix2000 said

    Can anyone help me to get a file from unpackcn?
    http://www.unpack.cn/viewthread.php?tid=21921&extra=&page=1

    I can't seem to register for the forum. Can anyone help me get the file and post it elsewhere? Thanx.

  70. kanni said

    sorry, I want to have ICEODBG, who can send me a download link?
    I wanted it but there is no download link

  71. Ian said

    Will this work for TheMida 2.X.X?

  72. Richie86 said

    never, for sure..

  73. lococrazy said

    Anyone attempt to crack twinrSea? Please leave method of contact. Thanks.

  74. LadyEv said

    i need help with unpack themida and winlicense 2.0.4.0

    thanks

  75. Max said

    Can any body help me to unpack some program packed with themida|winlicense?

  76. rONi said

    I need to unpack oxycube. Packed with themida/winlicence 1.8.0.2.

    Anybody help me please.

    You can find the Software

    http://www.oxygensoftware.com/en/products/oxycube/

  77. juki said

    hi,
    I'm trying to use this algorithm to get an unpacked version of some app. But when I run the app with Olly 1.10, the application crashes. (phant0m is on) PEiD finds: Themida 1.0.x.x - 1.8.x.x (no compression) -> Oreans Technologies [Overlay]
    I heard that new Themida versions use some code that crashes Olly (exploiting Olly bugs), but this is fixed in the new Olly version 2.0. But I don't have plugins for Olly 2.0.
    Any suggestions, every hint will be appreciated.

  78. v01d said

    @rONi oxycube is packed with version 2.0.3.0, which is a relatively new version, and this solution won't work for you. Try this

  79. v01d said

    http://www.tuts4you.com/download.php?view.2495

  80. Seabird said

    anybody here know how to unpack this
    http://www.RequestCracks.com/files/pe.rar

  81. hi richi said

    hi richi, I am getting a problem opening okdodo.osc
    it shows an error like
    error line 12
    gmemi eip,MEMORYBASE

  82. Abdul said

    Hey richie. I was wondering if you could unpack Maplestory clients :) Get back to me if you can.

    ~abdul

  83. Crypto said

    Here is what the first 65 lines of okdodo.osc do. It's not hard to see what these scripts do if you follow the readme for whatever scripting plugin he used.

    Sets a hardware bp on 7C80A874 for GetLocalTime.kernel32.dll

    Executes Shift-F9

    Then clears the hardware bp

    Then returns to User Code with alt-F9

    Sets hardware bp on 7C809AF1 for VirtualAlloc.kernel32.dll

    Executes Shift-F9

    Then clears the hardware bp

    Then returns to User Code with alt-F9

    saves apibase as 00CD0000

    Sets a hardware bp on 7C801D7B for LoadLibraryA.kernel32.dll

    Executes Shift-F9

    Then clears the hardware bp

    Then returns to User Code with alt-F9

    Find these bytes #558BECFF7514FF7510FF750CFF75086AFFE8090000005DC21000#
    at the image base 00CD0000 the $result is CD8EF3

    Sets hardware bp on 00CD8EF3 for VirtualAlloc.kernel32.dll

    Executes Shift-F9

    save esp, when you find this byte #50516033C0# locations address
    Script Execution, item 59
    Line=59
    Command= mov tmp,[esp]
    Result= j
    EIP= i
    Values <---=6D80F0?12FF20,6CB9BA?12FF20,65A057?12FF14,6A2276?12FEFC,6A2245?12FEFC,69D6DC?12FF24

    Found in 6D80F0?12Ff20 on the stack then jump to patch

    clear hardware bp

    I will post 65 thru 162. Later. I’m using version 2 of his script.

  84. Crypto said

    Here is what the patch looks like when the script is finished.

    028E0000 A3 00018E02 MOV DWORD PTR DS:[28E0100],EAX
    028E0005 8908 MOV DWORD PTR DS:[EAX],ECX
    028E0007 AD LODS DWORD PTR DS:[ESI]
    028E0008 C746 FC 0000000>MOV DWORD PTR DS:[ESI-4],0
    028E000F – E9 4D8BDFFD JMP Cpp1.006D8B61
    028E0014 50 PUSH EAX
    028E0015 A1 00018E02 MOV EAX,DWORD PTR DS:[28E0100]
    028E001A 8907 MOV DWORD PTR DS:[EDI],EAX
    028E001C 807F FF E8 CMP BYTE PTR DS:[EDI-1],0E8
    028E0020 75 08 JNZ SHORT 028E002A
    028E0022 66:C747 FE FF15 MOV WORD PTR DS:[EDI-2],15FF
    028E0028 EB 06 JMP SHORT 028E0030
    028E002A 66:C747 FE FF25 MOV WORD PTR DS:[EDI-2],25FF
    028E0030 58 POP EAX
    028E0031 – E9 018CDFFD JMP Cpp1.006D8C37
    028E0036 50 PUSH EAX
    028E0037 A1 00018E02 MOV EAX,DWORD PTR DS:[28E0100]
    028E003C 8947 01 MOV DWORD PTR DS:[EDI+1],EAX
    028E003F 807F FF E8 CMP BYTE PTR DS:[EDI-1],0E8
    028E0043 75 08 JNZ SHORT 028E004D
    028E0045 66:C747 FF FF15 MOV WORD PTR DS:[EDI-1],15FF
    028E004B EB 06 JMP SHORT 028E0053
    028E004D 66:C747 FF FF25 MOV WORD PTR DS:[EDI-1],25FF
    028E0053 58 POP EAX
    028E0054 – 0F85 DD8BDFFD JNZ Cpp1.006D8C37
    028E005A – E9 C08BDFFD JMP Cpp1.006D8C1F
    028E005F 83C7 04 ADD EDI,4
    028E0062 – E9 FA8ADFFD JMP Cpp1.006D8B61

  85. Anonymous said

    http://www.sendspace.com/file/qsid8s (Cpp1_src.exe (Non Packed)) doesn’t work

  86. Dimitris said

    My friend i have a program locked with the win license 1.8 could somebody crack this program for me is a gambling game a slot machine program..I offer 300 dollars to anyone who is interested i need to open this program and have full access to all the password protection it has as well settings for the gambling program etc..

  87. […] most of the available ODBGScript ones have problems too. For example this script: https://richie86.wordpress.com/2008/0…inlicense-18x/ either throws errors or does not run to the end (of course I still have to go look for […])


  89. Brian said

    Can someone unprotect this program for me ?

    I tried the instructions above but I don't know what I am doing.

    It is protected by HWID with WinLicense. I do not know which version. I took out the HDD, the program doesn't run anymore, and the author won't help me.

    http://rapidshare.com/files/377472841/Program.rar

    Great article, I just don't know what to do… really.

  90. Mujo said

    Hi
    I'm trying to run this tutorial with the same file and the same okdodo script. But when I ran the script, I ended up at address 77B44CD7.
    I checked the script and it looks like (I'm not an expert in scripting) it never finds apibase on line 60

    find apibase,#558BECFF7514FF7510FF750CFF75086AFFE8090000005DC21000#

    Looks like the result is 0, then the je command sends it to stop.

    Any clue why this is happening?

    I’m using Phantom from here and I set it as described here.

    Thanks in advance


  93. Omnia said

    Plzzzzzz i neeeeed your help urgently

  94. abcdata said

    hi, I have been trying to unpack this one for a few months…
    http://www.megaupload.com/?d=13KC5G7H
    rar-pass is: abcd
    has anyone an idea …
    thx

  95. I ask for copies of the software patch for the software link was:
    http://www.hoanggia.org/Products/SA.aspx


  99. Tom said

    check out this software please:

    ceaudio.com
    /download/
    breakaway_setup_1.30.02.exe

    or

    http://www.ceaudio.com
    /beta/
    breakaway_setup_1.30.02_rc.exe


  103. Aman said

    Can somebody unpack that file please http://it.khanakia.com/baw.zip

  104. WonYG said

    is it an old ver?


  106. tcddy said

    I am asking for help with nacsport elite, protected by Themida/WinLicense 2.x and Obsidium
