#11
01-06-2003, 06:18 PM
AndreaGeddon
Administrator
Join Date: Dec 2002
Location: Italy
Posts: 42
hi

Hey, I've just begun to reverse zMUD. I unpacked the zmud.exe, I found the random DLL (which for me is s1xxxx), nothing strange till now, I only have to rebuild the IAT. However, what's your final goal? To FULLY reverse the eLicense system so you can make unwrappers etc.? Hope I'll be useful. I'm gonna continue my reversing, so c u later!
Bye!
AndreaGeddon
PS: hey, don't tell me you already finished it off! :-P
#12
01-07-2003, 04:32 AM
X-Factor
Member
Join Date: Jan 2003
Posts: 7
Zmud Dumpin

I dumped the zMUD 6.40 exe file, which was 6,723 KB, and the dump is 6,784 KB. This was done by breakpointing on the OEP, changing the jump to EB FB, and using LordPE to dump the file. When executed it displays the eLicense menu (free trial, buy etc.), but when I click free trial it crashes. Is this a bad dump? Do I need to dump more stuff? What's with the random DLL, do I need to dump it for some reason? Or is it a good dump, but I need to fix the IAT now? Also, if you get a good dump, does the trial message at the start disappear, or do I have to reverse it? One more thing, if possible, does anyone know of a target with earlier versions of eLicense?
Thnx
X-Factor
#13
01-07-2003, 06:09 AM
AndreaGeddon
Administrator
Join Date: Dec 2002
Location: Italy
Posts: 42

Well, the dump itself is useless because the IAT is redirected. The random DLL is responsible for IAT building and for creating the redirection microroutines. The IAT build routine is from address 2538F52 to 25392F4: it loads a block with all the original first thunks encrypted in memory (dynamically allocated), then it decrypts the API name in 253908D (the decryption key appears to be always "rp1041899125", but I didn't study the decrypt algo yet), then gets the address and clears the decrypted API name; a microroutine is created for redirection (microroutine addresses change at every execution). Each API has its own microroutine (but the routines are always the same in their structure). So you simply need to find an easy way to rebuild a working IT.
All this work (IAT building, OEP decryption and program running) happens AFTER you press FREE TRIAL, so I think once you have the exe decrypted and the IT rebuilt you are free from eLicense.
Bye
AndreaGeddon
#14
01-07-2003, 08:43 AM
X-Factor
Member
Join Date: Jan 2003
Posts: 7
Zmud

I could build the IT by using ReVirgin; however, my main question is how do I get a good dump? And by getting a good dump, should the free trial screen show up?
#15
01-11-2003, 09:16 AM
X-Factor
Member
Join Date: Jan 2003
Posts: 7
Zmud

Just ignore my previous statement, I realised everything now. However, I would still be interested to know if anyone has successfully dumped zMUD and got it working, and if so, could they please reply how they achieved this (preferably for the new version, but 6.16 welcome also).

Thnx

X-Factor
#16
01-13-2003, 06:31 AM
MeaCulpa
Junior Member
Join Date: Dec 2002
Posts: 1
Dumping problems

Hi All,
I was practising on AutoZip v4.2 and AutoZip 4.3 (which was using an old eLicense) .... just to catch up and come up to speed.

The newer eLicense (v4.0) from zMUD v6.16 and zMUD 6.40 does not dump that way. I am also practising with a smaller image size: the eLicensed tic-tac-toe from their site.

My problem is this:
I bpx on GetModuleHandleA (looks like FreeLibrary also works reliably) and trace through kernel32 and the s3vxxx temp files up to the elicen40.dll module, which is where we get the OEP.

016F:02483C38 FF9574E2FFFF CALL [EBP+FFFFE274] -----> we land here
016F:02483C3E 898508E4FFFF MOV [EBP+FFFFE408],EAX
016F:02483C44 8B85B0F3FFFF MOV EAX,[EBP+FFFFF3B0]
016F:02483C4A 50 PUSH EAX
016F:02483C4B FF1584914902 CALL [KERNEL32!FreeLibrary]
016F:02483C51 83BD08E4FFFF00 CMP DWORD PTR [EBP+FFFFE408],00
016F:02483C58 750A JNZ 02483C64

Trace on, and we notice the OEP shown below:

016F:02483CC9 5E POP ESI
016F:02483CCA 5D POP EBP
016F:02483CCB 5B POP EBX
016F:02483CCC 8BE5 MOV ESP,EBP
016F:02483CCE 5D POP EBP
016F:02483CCF FF255CF84902 JMP [0249F85C] -----> OEP
016F:02483CD5 5E POP ESI
016F:02483CD6 5D POP EBP
016F:02483CD7 5B POP EBX


I take the jump, and then try to dump. But nothing works?
I've tried 2 methods:
A) straightforward dumping with IceDump, using both /dump and /pedump. /dump produces a file which does not run; it complains about aligning or something like that..
/pedump reports:

/pedump 400000 4185f4 c:/mud.exe
ICEDUMP: Phoenix : DLL List allocated
ICEDUMP: Phoenix : Failed to rebuild Import table

B) stopping the process with the "a eip, jmp eip" method and dumping the thread with ProcDump. Both a partial and a full dump crash ProcDump. Killing the runservice and other lic-related processes does not make a difference.

I noticed all the exe, dll and cpl files are packed with ASPack (1.08c if I remember correctly) and unpacked everything in the meanwhile... for later interesting work, as Muad'Dib stated...

Can someone help me please? How do I correctly unpack these? Or am I a little hasty, and is unpacking not really necessary in the big picture?


Regards,
MeaCulpa
#17
01-13-2003, 02:04 PM
muaddib
Administrator
Join Date: Dec 2002
Location: Western USA
Posts: 29

This project is going to be more than we bargained for. Here is an email I got from the author:

>> Have you actually tried running zMUD, connected to a MUD, for an extended period with the eLicense unwrapped? If you do, you will discover that zMUD checks to make sure it is still wrapped and checks your system for a valid license even while it is running at random intervals when connected to a MUD. Even my development code, which is never wrapped with eLicense, crashes if my own license expires.
>>
>> It might be possible to track down all of the places that zMUD checks for stuff like this, but the checks are pretty obscure and do not cause any special error messages. It just corrupts memory which eventually leads to an access violation (and probably a corrupt settings file).
>>
>> There isn't any way to completely remove all trace of a license short of reformatting the computer and reinstalling Windows. At least eLicense has never provided me with any method. They have an uninstall program that is linked at http://www.zuggsoft.com/zmud/elicense.htm but it just removes the eLicense control panel. The actual license is still buried somewhere.
>>
>> I have a decent background in encryption myself and so I know quite a bit about how this stuff works. Having looked at lots of alternatives, I still feel that eLicense is one of the best available. There is no way at all to make a program hard to crack unless you have the program periodically check with a remote server to verify reg codes. Anything self-contained to the user's computer is eventually hacked, and once hacked, a program can usually be created to make the process easy to run.
>>
>> The 30-day trial is important to me. I don't want to disable features. In the past I used my own public/private key encryption and then had my own server keep track of the 30-day trial based upon a "system id" algorithm, but it also had problems. Mainly, I just don't want to spend time on this stuff. I have very little time to program as it is and would much rather spend time on adding features. That's why I outsourced this to eLicense, so that it's their problem to fix.
>>
>> The method you mention basically can't be stopped. It will always be possible to grab the image of a program once it is running no matter how it is wrapped. That's why zMUD has the additional checks in it. The combination of the wrapper and the internal checking should eliminate this method. But I'd be happy to hear your additional thoughts on this.
>>
>> Zugg
__________________
-mjuad
muaddib at reteam dot org
#18
01-28-2003, 01:40 AM
X-Factor
Member
Join Date: Jan 2003
Posts: 7
Zmud

Well, I haven't really looked at it for a while, been busy reversing other progs and other eLicense versions. I was wondering, before I started again, how exactly you came across finding the IAT redirection and figuring out how to patch the exe. I will look at it as soon as I get the chance, but will be busy atm as school starts again...

X-Factor