How to crack eLicense protected software
(Another Poor Commercial Protection Defeated)

Published March 2001 by +Tsehp



Target:

AutoZip v4.2 - http://www.soft-trade.com



Tools:

SoftICE
IceDump - http://icedump.tsx.org



Method:

Load the program in some SoftICE loader. Wait for the trial
screen to come up and then put a bpx on GetModuleHandleA.
Push the "Try It" button and press F12 until you enter the
KERNEL32 module. Press F12 three more times (it has always been
three for every eLicense program I've cracked) until you get
to this line:

0167:BFF86A5B C20400 RET 0004

Press F10 and you will enter the VTCPAK24 module. Here is the
code you will see:

0167:024833F7 8985D4F2FFFF MOV [EBP+FFFFF2D4],EAX
0167:024833FD 8B85D4F2FFFF MOV EAX,[EBP+FFFFF2D4]
0167:02483403 50 PUSH EAX
0167:02483404 FF1560F04802 CALL [KERNEL32!FreeLibrary]
0167:0248340A 8D8D18F4FFFF LEA ECX,[EBP+FFFFF418]
0167:02483410 51 PUSH ECX
0167:02483411 E8800E0000 CALL 02484296
0167:02483416 83C404 ADD ESP,04
0167:02483419 83BDD4F2FFFF00 CMP DWORD PTR [EBP+FFFFF2D4],00
0167:02483420 7505 JNZ 02483427
0167:02483422 E927010000 JMP 0248354E
0167:02483427 833D3417490201 CMP DWORD PTR [02491734],01
0167:0248342E 751D JNZ 0248344D
0167:02483430 A128174902 MOV EAX,[02491728]
0167:02483435 50 PUSH EAX
0167:02483436 A110174902 MOV EAX,[02491710]
0167:0248343B 50 PUSH EAX
0167:0248343C A158174902 MOV EAX,[02491758]
0167:02483441 50 PUSH EAX
0167:02483442 A160174902 MOV EAX,[02491760]
0167:02483447 FFD0 CALL EAX
0167:02483449 85C0 TEST EAX,EAX
0167:0248344B 740C JZ 02483459
0167:0248344D 5E POP ESI
0167:0248344E 5D POP EBP
0167:0248344F 5B POP EBX
0167:02483450 8BE5 MOV ESP,EBP
0167:02483452 5D POP EBP
0167:02483453 FF2544174902 JMP [02491744]

Keep tracing until you reach the line at 02483453. Press F10 once
to trace into it and then dump the file. When you trace into
the jump you will see code like this:

0167:00491580 55 PUSH EBP
0167:00491581 8BEC MOV EBP,ESP
0167:00491583 83C4F4 ADD ESP,-0C


To dump the file, type /pedump 400000 91580 c:\azd.exe. If you
don't know how to use /pedump, the syntax is
"/pedump <image base address> <eip> <filename>". The EIP argument
should actually be "EIP - image base" (91580 here, since EIP is
491580 and the image base is 400000). Also, the image base for
most EXE files is 400000. Test your file and you will find that
it runs without the nag screen or time trial.
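The /pedump note above rests on the difference between a virtual address seen in the debugger and the relative virtual address (RVA) the PE header stores. As an added example, not from the original tutorial or any of its tools, the Python below constructs a minimal PE header, reads back the ImageBase and AddressOfEntryPoint fields, and carries out the VA/RVA arithmetic the text describes; it also handles PE32+ (64-bit) headers, which the text does not cover.

```python
import struct

PE32, PE32PLUS = 0x10B, 0x20B  # optional header magic values

def build_pe_header(image_base: int, entry_rva: int, magic: int = PE32) -> bytes:
    """Constructed sample: the smallest header the parser below needs (not a real
    binary). Only the fields read back are meaningful; everything else is zero."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)  # 64 bytes
    opt_size = 0xE0 if magic == PE32 else 0xF0
    machine = 0x014C if magic == PE32 else 0x8664
    coff = struct.pack("<HHIIIHH", machine, 1, 0, 0, 0, opt_size, 0x0102)
    if magic == PE32:
        # Magic, linker ver, 3 sizes, AddressOfEntryPoint (@16), BaseOfCode,
        # BaseOfData, ImageBase (@28)
        opt = struct.pack("<HBBIIIIIII", magic, 0, 0, 0, 0, 0, entry_rva, 0x1000, 0x2000, image_base)
    else:
        # PE32+ has no BaseOfData; ImageBase is 8 bytes at offset 24
        opt = struct.pack("<HBBIIIIIQ", magic, 0, 0, 0, 0, 0, entry_rva, 0x1000, image_base)
    return dos + b"PE\x00\x00" + coff + opt.ljust(opt_size, b"\x00")

def read_pe_header(data: bytes) -> dict:
    """Return the image base and entry point exactly as the header declares them."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("no PE signature at e_lfanew")
    opt = e_lfanew + 4 + 20  # skip the PE signature and the 20-byte COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    if magic == PE32:
        image_base = struct.unpack_from("<I", data, opt + 28)[0]
    elif magic == PE32PLUS:
        image_base = struct.unpack_from("<Q", data, opt + 24)[0]
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    return {"magic": magic, "image_base": image_base,
            "entry_rva": entry_rva, "entry_va": image_base + entry_rva}

def va_to_rva(va: int, image_base: int) -> int:
    """The conversion the text describes: an address seen in the debugger minus
    the image base is the RVA the header stores (491580 - 400000 = 91580)."""
    if va < image_base:
        raise ValueError("address lies below the image base")
    return va - image_base
```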



Conclusion:

Well, I hope you learned something from this tutorial. All software
protected by eLicense is pretty much the same. The web site
http://www.soft-trade.com is a great resource if you want to practice
unpacking eLicense, as all of the software on that site is protected
by it. This example goes to show software authors that commercial
protections can't be trusted. Once the protection has been broken, it
can be done over and over using the same method.

-Muad'Dib
Wed. March 21, 2001
muaddib(at)immortaldescendants(dot)org