  #1  
Old 12-11-2002, 08:28 PM
muaddib muaddib is offline
Administrator
 
Join Date: Dec 2002
Location: Western USA
Posts: 29
Default eLicense -> esneciLe

This is the thread for discussing the complete reversal of the eLicense software protection system. The first target will be zMUD, available at http://www.zuggsoft.com. Surprisingly, this is one of the few pieces of software I would actually pay for, but the author gave me a free license for helping him with his protection. Sadly, he stuck with eLicense instead of writing his own. I'm sure he will appreciate a whole team of reversers working on eLicense, but as for the company that produces it, I'm not so sure :) I'll see if I can dig out my old copy of the eLicense protector somewhere... if not, it just makes our job more fun =)
__________________
-mjuad
muaddib at reteam dot org
  #2  
Old 12-12-2002, 01:33 AM
muaddib muaddib is offline
Administrator
 
Join Date: Dec 2002
Location: Western USA
Posts: 29
Default

I forgot to mention that we will be using v6.16 NOT v6.39a BETA. That's all, now I'm about to get started on it.
__________________
-mjuad
muaddib at reteam dot org
  #3  
Old 12-12-2002, 02:32 AM
crUsAdEr crUsAdEr is offline
Member
 
Join Date: Dec 2002
Posts: 7
Default

Hi rmlobvx,

I downloaded the program... the protection itself is really weak like you said... It makes no attempt to hide any information from us crackers... PE header is intact... (gosh, I was scratching my head and thinking LordPE was buggy, when I select BreaknEnter with bpint3 and the program runs on without breaking...)

After a while I concluded that the DLL does the job of decrypting the exe... to unpack the exe is simple... I put a bpm on OEP then let it run; the second time the program breaks, the exe is fully decrypted, only the IAT is redirected with a simple xor scheme...

I looked for the IAT redirection routine and found that it uses a DLL created at run time, stored in the temp directory... so I dump and rebuild this DLL, disassemble it and find where to patch the IAT redirection; once done, our IAT will not be redirected and ImpREC rebuilds for me fine...

Now the easy part is over. I attempted to look for the license checking routine but alas I found none??? Filemon and Regmon both don't give anything... I found where the nag is called but the routine is REALLY long... the variables list itself is already about 3 pages in IDA :/... and the DLL that I dumped from the temp directory is more than 1Mb :/... I must admit that I am not accustomed to playing with overly bloated code... simple routines look like MD5 hash now :/... and here I am kinda stumped and unable to locate the license checking routine...

:/... how should I find the license checking routine?

Thanks
crUs...

PS: I am going on a holiday so I'll be back in a short while... keep it up and I'll catch up with ya hopefully...
  #4  
Old 12-16-2002, 09:30 AM
PhotoPaul PhotoPaul is offline
Junior Member
 
Join Date: Dec 2002
Location: USA
Posts: 1
Default

crUsAdEr:

If the code is really big, then try to use OllyDebugger to help you analyze it. It happens to have a very good analyzer.
__________________
PhotoPaulŪ
  #5  
Old 12-20-2002, 12:29 PM
evilTeach evilTeach is offline
Junior Member
 
Join Date: Dec 2002
Location: MA, USA
Posts: 4
Default Cool!

Looks like some of you old ID guys got something new rolling...

Sounds like a worthwhile effort. I also purchased zMUD (YEARS AGO!!!), but don't play MUDs much anymore, so I haven't upgraded my software in a while...

I'm gonna grab the new version this weekend and see if I can contribute to the group's efforts. I've been away from Reversing for a little while, but have a 2 week vacation coming up! Only issue is that I'm getting married in 8 days....but I promise I'll try to post anything interesting I find.

-eT
__________________
Make people think you're strange. If you can't, at least make them think there's two of you!
  #6  
Old 12-20-2002, 08:00 PM
evilTeach evilTeach is offline
Junior Member
 
Join Date: Dec 2002
Location: MA, USA
Posts: 4
Default

Hey...Looks like Zugg has released version 6.40 as of Dec 18th. I can't seem to find a way to download the old version from his site. Could someone post the v6.16 so others could join in the research?

Thanks!
__________________
Make people think you're strange. If you can't, at least make them think there's two of you!
  #7  
Old 12-21-2002, 07:01 AM
mala mala is offline
Administrator
 
Join Date: Dec 2002
Posts: 41
Default

Quote:
Hey...Looks like Zugg has released version 6.40 as of Dec 18th. I can't seem to find a way to download the old version from his site. Could someone post the v6.16 so others could join in the research?

Thanks!

Hi!
I'll give you more than one way:

1) http://www.google.it/search?q=zmud616&ie=U...UTF-8&hl=it&lr=
2) http://www.zuggsoft.com/redirect.asp?target=zmud , see the URL and try to connect manually to the ftp you've found, that is ftp://download.elicense.com/pub/zuggsoft/

Why all of this?
- now you have different copies of the same package (why do we have two different files, one exe and one zip, at http://glorglas.dyndns.dk/stuff/ ?)
- now you know an address where some more zmud files are available
- now you know where many elicense programs are stored, to test your findings about the program with other apps.

__________________
byez,

+mala
  #8  
Old 12-23-2002, 12:57 PM
evilTeach evilTeach is offline
Junior Member
 
Join Date: Dec 2002
Location: MA, USA
Posts: 4
Default yah..thanks!

I actually got it from tucows but didn't post that I got it...figure others might have the same question so I left it...

The info about all the eLicense archives might be useful
__________________
Make people think you're strange. If you can't, at least make them think there's two of you!
  #9  
Old 12-23-2002, 03:10 PM
Crudd Crudd is offline
Administrator
 
Join Date: Dec 2002
Posts: 22
Default

Quote:
- now you have different copies of the same package (why do we have two different files, one exe and one zip, at http://glorglas.dyndns.dk/stuff/ ?)

The zip file is a 'keymaker' for zMUD. You guys might find the .nfo in the zip to be quite useful for your project.
Crudd
__________________
Just another freak, in the freak kingdom.
  #10  
Old 12-30-2002, 05:25 PM
muaddib muaddib is offline
Administrator
 
Join Date: Dec 2002
Location: Western USA
Posts: 29
Default

OK guys... sorry about this, but we'll be working on zMUD 6.40 now that I'm back and ready to work on this. I have just unpacked everything related to eLicense running in memory. There are a few things you need to unpack. First, unpack elicen40.dll, then that S3VXXXX random one... unpack it as a DLL. Finally, unpack lcmmfu.cpl in c:\windows\system. This is the control panel extension and we'll be using this for making some tools (we're gonna make some fun LM tools! :) Well, I must be off to start reversing these unpacked files some more, I hope to hear from you guys soon! =)
__________________
-mjuad
muaddib at reteam dot org