#1
This is the thread for discussing the complete reversal of the eLicense software protection system. The first target will be zMUD available at http://www.zuggsoft.com. Surprisingly, this is one of the few pieces of software I would actually pay for, but the author gave me a free license for helping him with his protection. Sadly, he stuck with eLicense instead of writing his own. I'm sure he will appreciate a whole team of reversers working on eLicense, but as for the company that produces it, I'm not so sure :) I'll see if I can dig out my old copy of the eLicense protector somewhere...if not, it just makes our job more fun =)
__________________
-mjuad muaddib at reteam dot org
#2
I forgot to mention that we will be using v6.16 NOT v6.39a BETA. That's all, now I'm about to get started on it.
__________________
-mjuad muaddib at reteam dot org
#3
Hi rmlobvx,
I downloaded the program... the protection itself is really weak like you said... It makes no attempt to hide any information from us crackers... PE-header is intact... (gosh, I was scratching my head and thinking LordPE was buggy, when I select BreaknEnter with bpint3 and the program runs on without breaking) After a while I concluded that the DLL does the job of decrypting the exe... to unpack the exe is simple.. I put a bpm on OEP then let it run, the second time the program breaks, the exe is fully decrypted, only IAT redirected with a simple xor scheme... I look for the IAT redirection routine and found that it uses a DLL created at run time, stored in temp directory... so I dump and rebuild this dll, disassemble it and find where to patch the IAT redirection, once done our IAT will not be redirected and Imprec rebuilds for me fine...
Now the easy part is over, I attempt to look for license checking routine but alas I found none??? Filemon and regmons both don't give anything... I found where the Nag is called but the routine is REALLY long... the variables list itself is already about 3 pages on IDA :/... and the dll that I dump from temp directory is more than 1Mb :/... I must admit that I am not accustomed to playing with overly bloated code... simple routines look like MD5 hash now :/... and here I am kinda stumped and unable to locate the license checking routine... :/... how should I find the license checking routine?
Thanks crUs...
PS : I am going on a holiday so I'll be back in a short while... keep it up and I'll catch up with ya hopefully
#4
crUsAdEr:
If the code is really big, then try to use OllyDebugger to help you analyze it. It happens to have a very good analyzer.
__________________
PhotoPaulŪ
#5
Looks like some of you old ID guys got something new rolling...
Sounds like a worthwhile effort. I also purchased zMUD (YEARS AGO!!!), but don't play MUDs much anymore, so I haven't upgraded my software in a while... I'm gonna grab the new version this weekend and see if I can contribute to the group's efforts. I've been away from Reversing for a little while, but have a 2 week vacation coming up! Only issue is that I'm getting married in 8 days....but I promise I'll try to post anything interesting I find. -eT
__________________
Make people think you're strange. If you can't, at least make them think there's two of you!
#6
Hey...Looks like Zugg has released version 6.40 as of Dec 18th. I can't seem to find a way to download the old version from his site. Could someone post the v6.16 so others could join in the research?
Thanks!
__________________
Make people think you're strange. If you can't, at least make them think there's two of you!
#7
Quote:
I'll give you more than one way:
1) http://www.google.it/search?q=zmud616&ie=U...UTF-8&hl=it&lr=
2) http://www.zuggsoft.com/redirect.asp?target=zmud , see the URL and try to connect manually to the ftp you've found, that is ftp://download.elicense.com/pub/zuggsoft/
Why all of this?
- now you have different copies of the same package (why do we have two different files, one exe and one zip, at http://glorglas.dyndns.dk/stuff/ ?)
- now you know an address where some more zmud files are available
- now you know where many elicense programs are stored, to test your findings about the program with other apps.
__________________
byez, +mala
#8
I actually got it from tucows but didn't post that I got it...figure others might have the same question so I left it...
The info about all the eLicense archives might be useful
__________________
Make people think you're strange. If you can't, at least make them think there's two of you!
#9
Quote:
Crudd
__________________
Just another freak, in the freak kingdom.
#10
OK guys...sorry about this but we'll be working on zMUD 6.40 now that I'm back and ready to work on this. I have just unpacked everything related to eLicense running in memory. There are a few things you need to unpack. First, unpack elicen40.dll, then that S3VXXXX random one...unpack it as a DLL. Finally, unpack lcmmfu.cpl in c:\windows\system. This is the control panel extension and we'll be using this for making some tools (we're gonna make some fun LM tools! :) Well, I must be off to start reversing these unpacked files some more, I hope to hear from you guys soon! =)
__________________
-mjuad muaddib at reteam dot org