Unpacking Themida/WinLicense 1.8.x
Posted by Richie86 on January 24, 2008
Title: Unpacking Themida/WinLicense 1.8.x
Author: Richie86
Tool Preparation: OD + Phantom + okdodo script + PEiD + ImportRec
Packer Used: WinLicense 1.8.9.0
Software Name: Cpp1.exe
Software Size: 152Kb(Original), 1.37Mb(Packed)
Operating System: Windows XP SP2
Cpp1.exe (Packed) Download
Cpp1_src.exe (Non Packed) Download
———————————————————————————————————-
Software Introduction:
1. OD
Also known as OllyDbg. It’s a 32-bit assembler-level analysis debugger, a powerful tool for analyzing 32-bit assembler. For more info see http://en.wikipedia.org/wiki/OllyDbg
2. Phantom
It’s a plugin for OllyDbg, used to prevent OllyDbg from being detected by the anti-debugger engine of Themida/WinLicense.
3. okdodo script
This is the unpack script we will use in this tutorial.
4. PEiD
PEiD detects most common packers, cryptors and compilers for PE files. It can currently detect more than 600 different signatures in PE files.
5. ImportRec
Import Reconstructor is a tool used to fix the IAT of a dumped image and reconstruct its imports.
You can get these tools easily from http://www.unpack.cn
———————————————————————————————————-
Okay let’s get started.
First we have to determine which packer was used. Drag Cpp1.exe into PEiD. You will need the latest signature database. Here PEiD reports that the file is packed with Themida/WinLicense 1.8.2.0 or above.
Start OllyDbg and make sure your Phantom settings are like below. Configure them via Plugin>Phantom>Option. You will need to restart OllyDbg for the settings to take effect.
After that, drag Cpp1.exe into OllyDbg. See the yellow line in the main thread: B8 00 00 00 60, a common entry point used by Themida/WinLicense.
Press ALT+M to switch to the Memory Map tab. Scroll down the list a little and you will find msvcrt listed with a PE header, which shows that this EXE uses the C++ runtime.
Let’s continue. Run the okdodo script via Plugin>ODbgScript>RunScript, then select okdodo.osc
The script runs automatically. After you are prompted that the script has completed, the debugger will be stopped at the OEP (Original Entry Point) of your EXE.
Take note of the OEP address above; we will use it later on: 00401151
Next we will try to dump the image out. Do NOT close OllyDbg yet.
Open ImportRec and attach it to the Cpp1.exe process in the list.
In the status box you will then see Image Base: 00400000. So calculate the OEP as 00401151-00400000 = 1151
Fill this into the OEP box and press IAT Auto Search. It will inform you that the OEP is found.
Press Get Import to get all imported functions. The imports status shows valid:YES, which means all import function pointers match.
Then dump the image via RightClick>Advanced Commands>Select Code Section(s)
Press Full Dump, then save it somewhere as cpp1_dump.exe
Then reconstruct the dump based on the new OEP. In the main menu, press Fix Dump, then select the dump image cpp1_dump.exe we created just now.
After reconstruction, a new image cpp1_dump_.exe is created. Now try to open cpp1_dump_.exe and you will see that you have successfully unpacked it.
Credit: okdodo for the script. unpack.cn for the resources.
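The OEP arithmetic (00401151-00400000 = 1151) and the result of the Fix Dump step can be checked offline by reading the PE header directly. The Python below is an added example, not part of the original post or of any tool it names; the function names, the section names and sizes in build_sample and the packed entry RVA 0x8014 are constructed for illustration.

```python
import struct

def parse_pe32(data):
    """Return (image_base, entry_rva, sections) read from a PE32 header."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    (nsec,) = struct.unpack_from("<H", data, e_lfanew + 6)       # NumberOfSections
    (opt_size,) = struct.unpack_from("<H", data, e_lfanew + 20)  # SizeOfOptionalHeader
    opt = e_lfanew + 24
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("not a 32-bit (PE32) optional header")
    (entry_rva,) = struct.unpack_from("<I", data, opt + 16)      # AddressOfEntryPoint
    (image_base,) = struct.unpack_from("<I", data, opt + 28)     # ImageBase
    sections = []
    for i in range(nsec):
        name, vsize, vaddr = struct.unpack_from("<8sII", data, opt + opt_size + 40 * i)
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"), vaddr, vsize))
    return image_base, entry_rva, sections


def section_of(sections, rva):
    """Name of the section whose virtual range contains rva, or None."""
    for name, vaddr, vsize in sections:
        if vaddr <= rva < vaddr + vsize:
            return name
    return None


def check_entry(data, oep_va):
    """Compare an image's header entry point with the OEP seen in the debugger."""
    image_base, entry_rva, sections = parse_pe32(data)
    if oep_va < image_base:
        raise ValueError("OEP %08X lies below image base %08X" % (oep_va, image_base))
    oep_rva = oep_va - image_base      # the value typed into the OEP box
    return {
        "oep_rva": oep_rva,
        "oep_section": section_of(sections, oep_rva),
        "header_entry_rva": entry_rva,
        "header_entry_section": section_of(sections, entry_rva),
        "entry_matches_oep": entry_rva == oep_rva,
    }


def build_sample(entry_rva, image_base=0x00400000):
    """Constructed PE32 headers (no code or data) used as offline sample input."""
    layout = [(b".text", 0x1000, 0x5000), (b".data", 0x6000, 0x2000),
              (b".pack", 0x8000, 0x150000)]   # constructed names and sizes
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(layout), 0, 0, 0, 0xE0, 0x102)
    opt = struct.pack("<HBB7I", 0x10B, 0, 0, 0, 0, 0, entry_rva, 0x1000, 0, image_base)
    table = b"".join(struct.pack("<8sIIIIIIHHI", n, vs, va, vs, 0, 0, 0, 0, 0, 0)
                     for n, va, vs in layout)
    return dos + coff + opt.ljust(0xE0, b"\0") + table


PACKED = build_sample(entry_rva=0x8014)       # entry inside the packer section (constructed)
FIXED_DUMP = build_sample(entry_rva=0x1151)   # entry rewritten to the tutorial's OEP RVA

if __name__ == "__main__":
    for label, image in (("packed", PACKED), ("fixed dump", FIXED_DUMP)):
        r = check_entry(image, 0x00401151)    # OEP address noted in the tutorial
        print("%-10s OEP RVA %X in %s, header entry %X in %s, match=%s" % (
            label, r["oep_rva"], r["oep_section"], r["header_entry_rva"],
            r["header_entry_section"], r["entry_matches_oep"]))
```

On a real file, pass the bytes of cpp1_dump_.exe to check_entry; a header entry point that still falls outside the code section means the dump was not fixed against the OEP.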
MrFlame said
The unpack.cn doesn’t work, so try to upload for us..
Richie86 said
You mean the link doesn’t work for you? If you are looking for the script, here it is.
http://www.sendspace.com/file/991eal
Try it; a different version might require a different script. If only I knew how to unpack manually like those experts.
aRkAiNe said
hi there can you please upload the okdodo.osc script again.
link is dead :(
and can i have a copy of your peid ;D
thanks
Richie86 said
Here is the script.. Save it
/*
Script written by okdodo 2007/03
Tested for themida IAT restore and OEP find~
Ollyice: Ignore all exceptions (add 0EEDFADE,C0000005,C000001E)
HideOD : Check HideNtDebugBit and ZwQueryInformationProcess(method2)
Test Environment : Ollyice 1.1 + HideOD
ODBGScript 1.52 under WINXP
Thanks :
kanxue – author of HideOD
hnhuqiong – author of ODbgScript 1.52
*/
data:
var cbase
var csize
var dllimg
var pmbase
var apibase
var mem
gmi eip,CODEBASE
mov cbase,$RESULT
gmi eip,CODESIZE
mov csize,$RESULT
gmemi eip,MEMORYBASE
mov dllimg,$RESULT
log dllimg
findapibase:
gpa “GetLocalTime”, “kernel32.dll”
mov tmpbp,$RESULT
cmp tmpbp,0
je stop
bphws tmpbp ,”x”
esto
bphwc tmpbp
rtu
gpa “VirtualAlloc”, “kernel32.dll”
mov tmpbp,$RESULT
cmp tmpbp,0
je stop
bphws tmpbp ,”x”
esto
bphwc tmpbp
rtu
mov apibase,eax
log apibase
gpa “LoadLibraryA”, “kernel32.dll”
mov tmpbp,$RESULT
cmp tmpbp,0
je stop
bphws tmpbp ,”x”
esto
bphwc tmpbp
rtu
findVirtualAlloc:
find apibase,#558BECFF7514FF7510FF750CFF75086AFFE8090000005DC21000#
mov tmpbp,$RESULT
cmp tmpbp,0
je stop
bphws tmpbp ,”x”
iatloop:
esto
mov tmp,[esp]
find dllimg,#50516033C0#
cmp $RESULT,0
jne iatpatch
jmp iatloop
iatpatch:
bphwc tmpbp
find eip,#C21000#
bphws $RESULT,”x”
esto
bphwc $RESULT
sti
mov tmpbp,tmp
find tmpbp,#0F850A000000C785#
mov tmpbp,$RESULT
mov [tmpbp],0A0EEB
find tmpbp,#0F84390000003B8D#
mov tmpbp,$RESULT
mov [tmpbp],3928EB
alloc 1000
mov mem, $RESULT
log mem
mov tmp,mem
mov [tmp],#A3000000008908ADC746FC00000000E90000000050A1000000008907807FFFE8750866C747FEFF15EB0666C747FEFF2558E90000000050A100000000894701807FFFE8750866C747FFFF15EB0666C747FFFF25580F8500000000E90000000083C704E900000000#
mov memtmp,tmp
add memtmp,100
add tmp,1
mov [tmp],memtmp
add tmp,15
mov [tmp],memtmp
add tmp,22
mov [tmp],memtmp
mov tmp,mem
find tmpbp,#8908AD#
mov tmpbp,$RESULT
mov addr1,tmpbp
add addr1,0A
eval “jmp {tmp}”
asm tmpbp, $RESULT
find tmpbp,#E92400000058#
mov tmpbp,$RESULT
add tmp,14
eval “jmp {tmp}”
asm tmpbp, $RESULT
find tmpbp,#0F851800000083BD#
mov tmpbp,$RESULT
mov addr3,tmpbp
add addr3,06
add tmp,22
eval “jmp {tmp}”
asm tmpbp, $RESULT
find tmpbp,#884704#
mov tmpbp,$RESULT
mov addr2,tmpbp
add addr2,03
mov [tmpbp],#909090#
find tmpbp,#ABAD#
mov tmpbp,$RESULT
mov [tmpbp],#90#
add tmpbp,9
add tmp,29
eval “jmp {tmp}”
asm tmpbp, $RESULT
mov memtmp,mem
add memtmp,0F
eval “jmp {addr1}”
asm memtmp, $RESULT
add memtmp,22
eval “jmp {addr2}”
asm memtmp, $RESULT
add memtmp,23
eval “jne {addr2}”
asm memtmp, $RESULT
add memtmp,06
eval “jmp {addr3}”
asm memtmp, $RESULT
add memtmp,08
eval “jmp {addr1}”
asm memtmp, $RESULT
find eip,#C7010000000083C104#
mov tmpbp,$RESULT
add tmpbp,14
bphws tmpbp,”x”
esto
bphwc tmpbp
mov tmp,cbase
add tmp,csize
findoep:
bprm cbase,csize
esto
bpmc
cmp eip,tmp
ja findoep
msg “script finished,check the oep place by yourself~”
ret
stop:
pause
apierror:
pause
Dhiru said
Hi Richie! When i run the okdodo script it gives me an error “Error on line 16 Text: “getlocaltime”, “kernel32.dll”
Richie86 said
What Windows are you running?
GetLocalTime is a function of the Windows API,
supported by Windows Vista, Windows XP, or Windows 2000 Professional.
see http://msdn.microsoft.com/en-us/library/ms724338(VS.85).aspx
Dhiru said
I am using Windows XP Service Pack 2. I have tried to use other versions of the script but I don’t get any script completed message after the script is run.
Richie86 said
do you use Phantom? or other type of stealth approach?
Dhiru said
I am using OllyDBG 1.10 Downloaded from the official site. With it, i am using PhantomOM Plugin V 1.20.
akumaduma said
@ Dhiru:
there’s a character syntax error with the double-quotes in the script you’re using because you copy/pasted it from the example above.
open it in notepad and replace all instances of left and right double quotation marks with neutral (vertical) ones.
then save and it should work.
Richie86 said
my bad =.=”
alimz said
Hmm, I still have a problem… I can’t get the OEP because that program asks for a key before running..
Can you help me, Richie?
Richie86 said
Maybe you are trying to unpack a newer version?
Lalipa said
Hi Richie86 & thanks 4 share
ah |!| problem with Error on line 16 Text: “getlocaltime”, “kernel32.dll”
plz solution for this problem
—————————————————————————–
there’s a character syntax error with the double-quotes in the script you’re using because you copy/pasted it from the example above.
open it in notepad and replace all instances of left and right double quotation marks with neutral (vertical) ones.
then save and it should work.
——————————————————————————
Not work ?
Richie86 said
http://www.sendspace.com/file/b7vb55
here is it. host it somewhere else.
aLimz said
hmm can u try check it?
http://download.twinr.net/twinr/TwinRSEA159.rar
Richie86 said
Cabal hack =.=”
Probably a newer version, because the PEiD signature only detects 1.8.x onward, which means it could be 1.9.x too,
and the script only works for old versions.
albert said
I don’t know why, but I can’t run the okdodo script by pressing Plugin>ODbgScript>RunScript>then select okdodo.osc as you said. Did I do something wrong?
I have downloaded all the things that are needed, but it’s not showing me the plugin. Please help…
ncvnmarket said
Hi Richie86,
I’m trying to crack twinrNA1.59. Maybe it was packed by Themida/Winlic 1.8.2 or 1.9. I know the offset to modify, but the big problem is I can’t unpack it. Can you give me a hint?
Here is the link
http://download.twinr.net/twinr/TwinRNA159.rar
Tom said
scripts made by “Computer Angel” will work on 1.9.x versions, and are available on tuts4you.com.
http://www.tuts4you.com/download.php?view.1855
http://www.tuts4you.com/download.php?view.2114
on that twinR file posted above, it still doesn’t go past the nag screen asking for the license, so don’t know what to say for you. maybe richie can shed some more light on it.
albert, do you have the ODbgScript plugin? that wasn’t listed at the top of the page, but it is also a required plugin.
Richie86 said
Try a different script; the script posted here was used long, long ago and probably doesn’t work anymore. Try to get a few stealth plugins as well. unpack.cn has a few threads discussing Themida, so maybe you guys can have a look over there.
ncvnmarket said
Hi Tom and Richie,
I tried several scripts but it does not pass the nag screen asking for the license (like Tom said), so that’s why I can’t find OEP.
Do you have any hint to bypass the nag screen popping up?
Thanks guys!
Richie86 said
I remember that someone on unpack.cn mentioned that the script won’t work if there is any pop-up window for WinLicense. The way to fix it is to use some script and then manually unpack it in Olly. I’m not sure about the details; you have to check it out at unpack.cn
ncvnmarket said
I got the OEP after running the Themida script+IAT repair (of course with a license to solve the pop-up window). Umm, but now I have a problem with dumping the file.
Run UIF to fix
Run ImportRec
put OEP-imagebase to OEP box
click IAT search->good
click import->yep I got everything->Valid
Dump file fix dump
However, when I run the dump file nothing happened
I don’t know how to fix it!
Can you give me a hint?
Thanks Richie
albert said
Hi
Richie, thanks for the help. I have found the plugins for ODbgScript, but now I have a new problem: after I run the script it shows me the OEP, which is 009D8E63. How do I deduct 4000000 from this number? Teach me please…
Below is the link for the pictures I created for you to see. Please help me…
Thanks in advance…
http://rapidshare.com/files/131572965/Pictures.rar.html
Tom said
I wish i could help. I can see this same file was posted by “tarc” on unpack.cn, but I can’t read Chinese and google translator isn’t working so great for me. I would recommend pming him, but judging by his other posts, he doesn’t like helping people, only getting help for himself.
Tom said
on second thought, if you have a working license, you should be able to use “themida unpacker” by okdodo. it’s kind of like unthemida 2.0, but better. it does everything for you and should output a working file. if you figure out a way to get it without a license, let me know. I’m curious. :)
Richie86 said
Sorry Tom, I don’t mean that I don’t like helping people.. I was using a previous version of WinLicense + no pop-up menu + a script that works for the old version in this example; that’s why it worked.. However, the problems posted in the comments refer to higher versions of WinLicense. I stopped researching unpacking temporarily for quite a long while after posting this thread. Here are a few points that I knew previously.
1. A pop-up menu makes it harder to unpack
2. If the VM technology is used, it’s even harder to unpack
3. If the file is packed as a DLL, the method to unpack would be different (I failed last time when I posted on unpack.cn)
4. The PEiD signature, the latest of which you can get from unpack.cn, cannot show exactly what version of Themida/WinLicense it is, because the signatures of a few versions look more or less the same. (A reason that a certain script might not work: wrong version)
5. If you are able to load your exe in Olly without getting “thread terminated” halfway, that means you have passed the part where you need a certain plugin to bypass or stealth Olly from being detected when it tries to debug the running program.
6. If I know more I will post here..
Richie86 said
To albert.. what script you using?
Tom said
no, no. I didn’t mean you Richie. I’m sure you’ve helped many people. :) and nice blog you have here.
I meant this person named “tarc.” I can see him posting on unpack.cn asking for and receiving help with this file. but on other forums, he tells people to not pm him because he will help nobody. lol. That kind of irony just makes me laugh.
according to the PEiD signatures that I have, it’s packed with themida version 1.8.0.2
albert said
thx for the fast reply…
i use Themida OEP Finder + IAT Repair v0.2
Richie86 said
Sorry TOM I was mistaken.. Can you post the link for me?? because tarc <– seems like my college name, I wonder who is that..
To Albert: I can’t give an exact answer for your case because I didn’t work on latest WinLicense..
I will pay a visit to unpack.cn when TOM pass me the link.. and see if I found anything idea and I will post it here too.
Tom said
well, it’s difficult because i came across his posts in various threads while browsing. Here’s a link to a thread he started, and it discusses a bit about this file and the license issue.
http://www.unpack.cn/viewthread.php?tid=26868
I know he’s made other posts about it, just can’t be bothered to browse through so many again. I dont think it’s you though. :P
ncvnmarket said
“themida unpacker” ?
can u give the link to download Tom?
thx
Richie86 said
Interesting… from the thread you posted, he seems to have gotten rid of the timer protection by using regshot.. track on a clean comp that hasn’t run the software, then run it and notice the registry changes, and just remove that one.
Tom said
ncvnmarket…. http://rapidshare.com/files/98014446/TheMida_WinLicense_Unpacker_v2.0.rar
not uploaded by me, so that extra stuff in there, just ignore.
Richie, that is interesting. I wouldn’t think that would work so easily, but I guess it’s worth a shot. If ncvnmarket has a working license, he should be able to do that pretty easily.
Richie86 said
Yeah, from the post he has a working license but it just expired. I think it’s something like.. time execution expiration, maybe.
ncvnmarket said
Wow, perfect!
Thanks Richie a lots
Now I have to probe the file and find right offset to crack!
:)
Richie86 said
Good Luck and all the best to you :D
Tom said
ncvmarket, which key was it? I see 22 keys added, but deleting them all still says license expired.
Richie86 said
Erm, no idea, I never tried.. Did you try on a clean comp which hasn’t run it before?
Tom said
yeah, i was asking ncv, since he seems to have found it. And yes, it was a clean comp. It showed the changes, but it was a ton of stuff. I just deleted the new reg keys that were added, but still says that the license expired.
Richie86 said
erm do you think it’s possible they check like… when you run it.. it save a log to somewhere that it had wrote to the registry, and when you run next time it will check, if the registry content is clean but somehow the log shows you should have some entry in registry therefore expired it?
Tom said
yes, that’s exactly what i think. and that what it seems to imply as well on the winlicense website. but if ncv and tarc found it or did something else, i’d like to know. :)
Richie86 said
There is a tool from Sysinternals which allows you to monitor file activity.. I forgot the name..
reversengineering said
hi
this link Cpp1_src.exe (Non Packed) Download is no longer there
thanx
Richie86 said
Sorry, it’s just a proof-of-concept program.. I don’t have a backup of it on my comp either :(
Me said
Would you mind sharing iceodbg?
Kabos said
Hello, every one.
What a nice topic! I have been trying to unpack this kind of protection for three months But, alas, no way. It has driven me mad.
It works fine my Olly, I have lodered my debuggy software, but some features were not activated.
If you allow me putting a link for that program, I’ll be so happy. I guess you don’t mind if I did.
Link:
http://fs06n4.sendspace.com/download/lite/84e1a85468dadbdb6ee6e356c5983f96/487fd073/e9xrlw/3c12d003b33cf0350fee1e54003523cc/fxp7Nnp4dlVPBmR1fWpHdF0HZm5tJURmMH5taGsqbXJrTil1Kg==/ELWAVE90cRetailOnlineSetup.exe
Plz! Any one help me unpacking that tagged file, or tell me what to do,
God bless you all.
Regards
Richie86 said
Reply to 48#
I will upload it when i’m free.
Reply to Kabos
what features were not activated?
Reply to Colin
Your comment is missing. Do you know how to load a DLL in Olly?
When targeting with ImpRec.. target Olly and select pick DLL, then choose the loaded DLL there.
Richie86 said
Erm, I lost the Olly file.. Ice Olly is actually a plugin to hide Olly.. try the file I uploaded.. add it to your Olly plugins.
http://www.sendspace.com/file/hyecvg
Kabos said
Thanks Richei 86 for your reply.
Well, features not active are analysing, expert advisor…etc.
You can check them in about window. I’ve bypassed no license, but still can’t analyse. I always get this message ” Automatic module is required “. Older versions works fine. ” Cracked by unknown”.
The problem is in tracing that msg.
So, plz! tell me how can I unpack it. I’ve managed getting it working by lodering not by unpacking.
ThanX Richei again, and my God bless all Good people like you.
Regards
Richie86 said
can’t analyze? The “Automatic module is required “. Older versions works fine. ” Cracked by unknown” message is from olly script? Maybe it work for previous version of winlicense?
Me said
Thanks Richie86, I just found okdodo’s plugin on unpack.cn and was trying it out when I realized that was what I saw in your SS.
Kabos said
can’t analyze? The “Automatic module is required “. Older versions works fine. ” Cracked by unknown” message is from olly script? Maybe it work for previous version of winlicense?
Richie86, I meant that the program being debugged can’t analyse. It’s a stock program. This program is encrypted with winlicense. Olly works fine.
Regards
albert said
Hi Richie and Tom, please take a look at this thread…
It’s giving a tutorial on how to unpack WinLicense but I could not understand it; maybe you could make a tutorial for it…
Thanks in advance…
http://www.unpack.cn/viewthread.php?tid=21921&extra=&page=1
Richie86 said
I think that is a bypass for when you are trying to open a program that is fixed to a certain hardware ID.
Kabos said
Yeah albert, I think Richie can do that.
Unpack.cn uses credits or points in order to download a file or an attachment. I don’t have enough points to do that. So, plz! Richie or any one do us a favour and show us the road.
Regards
albert said
Hi Kabos!
Below is the attachment for the thread I provided. I hope someone can give me a better tutorial on how to unpack it…
http://rapidshare.com/files/133807570/tut.rar.html?killcode=3756218707822386330
albert said
Hi Richie!
I just unpacked the WinLicense by purchasing it for a week’s time, then I used the WINLICENCE UNPACKER to unpack twinrsea2.0 but got some kind of error message. Can you help me out…
Below is the link.
Thanks in advance…
http://rapidshare.com/files/133855940/twinrsea2.0.rar.html
Richie86 said
I don’t think you can unpack it in a legitimate way by purchasing it. Sorry, I haven’t had time to look into the tutorial yet; recently I was busy with work.
oren_studio said
Albert. it seems that u and me are working on the same target. wanna join forces? lol
reversengineering said
thanx man for ur answering
ok not problem
good luck
http://reversengineering.wordpress.com
best regards
HelloWorld said
I can’t run the script on ollydbg. anyone can help?
Tom said
i haven’t looked at the file yet, but i’m guessing it’s a new version of themida. I posted links above that are scripts that work on newer versions.
Bypassing winlicense can be a pain if you dont have a legit license for your computer. I wish I could tell you how to do it, but I dont know.
SoccerMan said
Hello guys,
I’m back… We all have the same target, twinr2.x. It was packed by the newest version of Themida, so even though I have a legit license I can’t find the right OEP…
Do any guys here have an idea?
LinkInfo 9.0
Themida/WinLicense
Compiler Windows Visual C/C++
Thx
medic said
nice tut but is there any tuts on how to find the oep manually m8 ?
Tom said
@SoccerMan, I’ve already posted a script for it on here. If it doesn’t work, there are other scripts on that site that may work:
http://www.tuts4you.com/download.php?view.1855
matrix2000 said
Can anyone help me to get a file from unpackcn?
http://www.unpack.cn/viewthread.php?tid=21921&extra=&page=1
I can’t seem to register for the forum. Can anyone help me get the file and post it elsewhere? Thanx.
kanni said
sorry i want to have ICEODBG who can send link Download for me ?
I Wantted but not link Download
Ian said
Will this work for TheMida 2.X.X?
Richie86 said
never for sure..
lococrazy said
Anyone attempt to crack twinrSea? Please leave method of contact. Thanks.
LadyEv said
i need help with unpack themida and winlicense 2.0.4.0
thanks
Max said
Can any body help me to unpack some program packed with themida|winlicense?
rONi said
I need to unpack oxycube. Packed with themida/winlicence 1.8.0.2.
Anybody help me please.
You can find the Software
http://www.oxygensoftware.com/en/products/oxycube/
juki said
hi,
I’m trying to use this algorithm to get an unpacked version of some app. But when I run the app with Olly 1.10, the application crashes. (phant0m is on) PEiD finds: Themida 1.0.x.x – 1.8.x.x (no compression) -> Oreans Technologies [Overlay]
I heard that new Themida versions use some code that crashes Olly (exploiting Olly bugs), but this is fixed in the new Olly version 2.0. But I don’t have plugins for Olly 2.0.
Any suggestions? Every hint will be appreciated.
v01d said
@RONi oxycube is packed with version 2.0.3.0 which is relatively new version and this solution won’t work for you. Try this
v01d said
http://www.tuts4you.com/download.php?view.2495
Seabird said
Anybody here know how to unpack this?
http://www.RequestCracks.com/files/pe.rar
hi richi said
hi richi i am getting prob to open okdodo.osc
its shows error like
error line 12
gmemi eip,MEMORYBASE
Abdul said
Hey richie. I was wondering if you could unpack Maplestory clients :) Get back to me if you can.
~abdul
Crypto said
Here is what the first 65 lines of okdodo.osc do. It’s not hard to see what these scripts do if you follow the readme for whatever scripting plugin he used.
Sets a hardware bp on 7C80A874 for GetLocalTime.kernel32.dll
Executes Shift-F9
Then clears the hardware bp
Then returns to User Code with alt-F9
Sets hardware bp on 7C809AF1 for VirtualAlloc.kernel32.dll
Executes Shift-F9
Then clears the hardware bp
Then returns to User Code with alt-F9
saves apibase as 00CD0000
Sets a hardware bp on 7C801D7B for LoadLibraryA.kernel32.dll
Executes Shift-F9
Then clears the hardware bp
Then returns to User Code with alt-F9
Find these bytes #558BECFF7514FF7510FF750CFF75086AFFE8090000005DC21000#
at the image base 00CD0000 the $result is CD8EF3
Sets hardware bp on 00CD8EF3 for VirtualAlloc.kernel32.dll
Executes Shift-F9
save esp, when you find this byte #50516033C0# locations address
Script Execution, item 59
Line=59
Command= mov tmp,[esp]
Result= j
EIP= i
Values <---=6D80F0?12FF20,6CB9BA?12FF20,65A057?12FF14,6A2276?12FEFC,6A2245?12FEFC,69D6DC?12FF24
Found in 6D80F0?12Ff20 on the stack then jump to patch
clear hardware bp
I will post 65 thru 162. Later. I’m using version 2 of his script.
Crypto said
Here is what the patch looks like when the script is finished.
028E0000 A3 00018E02 MOV DWORD PTR DS:[28E0100],EAX
028E0005 8908 MOV DWORD PTR DS:[EAX],ECX
028E0007 AD LODS DWORD PTR DS:[ESI]
028E0008 C746 FC 0000000>MOV DWORD PTR DS:[ESI-4],0
028E000F – E9 4D8BDFFD JMP Cpp1.006D8B61
028E0014 50 PUSH EAX
028E0015 A1 00018E02 MOV EAX,DWORD PTR DS:[28E0100]
028E001A 8907 MOV DWORD PTR DS:[EDI],EAX
028E001C 807F FF E8 CMP BYTE PTR DS:[EDI-1],0E8
028E0020 75 08 JNZ SHORT 028E002A
028E0022 66:C747 FE FF15 MOV WORD PTR DS:[EDI-2],15FF
028E0028 EB 06 JMP SHORT 028E0030
028E002A 66:C747 FE FF25 MOV WORD PTR DS:[EDI-2],25FF
028E0030 58 POP EAX
028E0031 – E9 018CDFFD JMP Cpp1.006D8C37
028E0036 50 PUSH EAX
028E0037 A1 00018E02 MOV EAX,DWORD PTR DS:[28E0100]
028E003C 8947 01 MOV DWORD PTR DS:[EDI+1],EAX
028E003F 807F FF E8 CMP BYTE PTR DS:[EDI-1],0E8
028E0043 75 08 JNZ SHORT 028E004D
028E0045 66:C747 FF FF15 MOV WORD PTR DS:[EDI-1],15FF
028E004B EB 06 JMP SHORT 028E0053
028E004D 66:C747 FF FF25 MOV WORD PTR DS:[EDI-1],25FF
028E0053 58 POP EAX
028E0054 – 0F85 DD8BDFFD JNZ Cpp1.006D8C37
028E005A – E9 C08BDFFD JMP Cpp1.006D8C1F
028E005F 83C7 04 ADD EDI,4
028E0062 – E9 FA8ADFFD JMP Cpp1.006D8B61
Anonymous said
http://www.sendspace.com/file/qsid8s (Cpp1_src.exe (Non Packed)) doesn’t work
Dimitris said
My friend i have a program locked with the win license 1.8 could somebody crack this program for me is a gambling game a slot machine program..I offer 300 dollars to anyone who is interested i need to open this program and have full access to all the password protection it has as well settings for the gambling program etc..
Question: A debugger for Themida | PC Parsi Smart Directory | A selection from the Internet said
[…] the available ODBGScript scripts mostly have problems too. For example, this script: https://richie86.wordpress.com/2008/0…inlicense-18x/ They either give errors or don’t run to the end (of course, I have to go look for […]
Brian said
Can someone unprotect this program for me ?
I tried the instructions above but I dont know what i am doing.
It is protected by HWID with Winlicense. I do not know which version. Took out HDD, Program not run anymore, and Author wont help me.
http://rapidshare.com/files/377472841/Program.rar
Great article, I just dont know what to do… really.
Mujo said
Hi
I’m trying to run this tutorial with the same file and the same okdodo script. But, when I ran the script, I ended up on 77B44CD7 address.
I checked the script and looks like (I’m not an expert in scripting) that it never finds apibase on line 60
find apibase,#558BECFF7514FF7510FF750CFF75086AFFE8090000005DC21000#
Looks like result is 0 then je command sends it to stop.
Any clue what this is happening?
I’m using Phantom from here and I set it as described here.
Thanks in advance
etichetat said
sweet site, I hadn’t noticed richie86.wordpress.com before in my searches
Omnia said
Plzzzzzz i neeeeed your help urgently
abcdata said
hi i m trying to unpack this one for a few months…
http://www.megaupload.com/?d=13KC5G7H
rar-pass is: abcd
has anyone an idea …
thx
tienngoc1982 said
I ask for copies of the software patch for the software link was:
http://www.hoanggia.org/Products/SA.aspx
Tom said
check out this software please:
ceaudio.com
/download/
breakaway_setup_1.30.02.exe
or
http://www.ceaudio.com
/beta/
breakaway_setup_1.30.02_rc.exe
Aman said
Can somebody unpack that file please http://it.khanakia.com/baw.zip
WonYG said
is it old ver?
Richie86 said
yeah very old version
tcddy said
am asking for help with nacsport elite protected by themida/winlicense 2.x and obsidium