Patching Themida / WinLicense Banned License

ZeNiX · #1 03-11-2009, 16:56

I saw Nooby's tut on patching the blacklist two days ago.
So, I tried it on some custom built versions of Themida.
Up to now, I have no luck on it.

Yes, I used the banned license from admin@free8xxxxxx.
Then I get lost in the VM of jmp ESI's.

Had anyone tried it?

Maybe it is because that I am not familiar with its VM.

Also, I see people saying that Shoooo uses another method which patches the BannedID check and corrects the CRC. However, I cannot find his tut.

Can you offer any help?

I did not try it on the WinLicense, as I do not have a banned key.
But I assume that the check of the banned key is same or similar.
Right?

quosego · #2 03-11-2009, 16:59

Haven't tried it, should be interesting.. Will take a look.

However as far as I know Themida and Winlicense are both protected with the same custom winlicense.

Ember · #3 03-25-2009, 02:34

I have never seen this tutorial before? Is it a private one?

leosmi05 · #4 03-27-2009, 04:46

Could you give some examples of applications protected with Themida/WinLicense? (Small size applications are preffered) :-)

I can't run WinLicense itself, as it crashes immediatelly after starting it.

ZeNiX · #5 03-27-2009, 13:02

Quote:

I can't run WinLicense itself, as it crashes immediatelly after starting it.

Which version of WinLicense did you use?
Maybe you used a cracked version?

All custom build versin of Themida and Winlicense are protected with Winlicense.

ZeNiX · #6 03-27-2009, 15:48

I have tried [quosego/snd] method to bypass the banned License on.
However, the protected file will result on Application Error.
Maybe there are more checks inside Themida itself?

Jupiter · #7 03-27-2009, 22:45

ZeNiX
to fix Themida CRC, you can use my Hiew plugin:

PE CheckSum Adjuster v1.33

[ENG]
PE CheckSum Adjuster can modify PE file to conform PE checksum. New and original checksums are the same! This means that checksum will be intact! Useful when you need to keep original checksum, for ex. for Themida patching.

[RUS]
PE CheckSum Adjuster изменяет PE файл для соответствия контрольной сумме (поле OptionalHeader.CheckSum).
Модуль не изменяет контрольную сумму: контрольная сумма нового файла равна контрольной сумме оригинального.
Полезно, когда нужно сохранить исходную контрольную сумму файла, например для патча Themida.

Compiled HEM: CheckSumAdjust133.zip (~3Kb)

Hiew version minimal: 7.45
HEM SDK version: 0.35

Hiew External Modules

leosmi05 · #8 03-28-2009, 04:22

Quote:

Originally Posted by ZeNiX

Which version of WinLicense did you use?
Maybe you used a cracked version?

All custom build versin of Themida and Winlicense are protected with Winlicense.

I wanted to analyze one file protected with Themida, so I downloaded the latest demo version of Themida and WinLicense (2.0.4.0) from Oreans.
But WinLincense crashes when you start it. How can people then try your code protector? :-)
BTW, no debugger was runnning.

Cheers!

gunterg · #9 03-28-2009, 17:20

What OS you had? Anyway it's very strange because since a few versions TMD/WL not use more ring0 protection.

leosmi05 · #10 03-29-2009, 04:41

Yep, very strange. I tried it on XP SP2.
Anyway, can anyone suggest some apps protected with TheMida v2.0.4+?

Thread Tools
Show Printable Version Email this Page
Display Modes
Linear Mode Switch to Hybrid Mode Switch to Threaded Mode

Similar Threads
Thread	Thread Starter	Forum	Replies	Last Post
Themida/Winlicense	hobferret	General Discussion	1	05-10-2013 18:44

The Following 2 Users Gave Reputation+1 to Jupiter For This Useful Post:
ahmadmansoor (03-28-2009), Ember (03-28-2009)