How to crack eLicense protected software
(Another Poor Commercial Protection Defeated)

Published March 2001 by +Tsehp

Target: AutoZip v4.2 - http://www.soft-trade.com
Tools:  SoftICE
        IceDump - http://icedump.tsx.org

Method:

Load the program in some SoftICE loader. Wait for the trial screen to come up and then put a bpx on GetModuleHandleA. Push the "Try It" button and press F12 until you enter the KERNEL32 module. Press F12 three more times (it's always been three for every eLicense program I've cracked) until you get to this line:

    0167:BFF86A5B  C20400            RET 0004

Press F10 and you will enter the VTCPAK24 module (the eLicense protection code). Here is the code you will see:

    0167:024833F7  8985D4F2FFFF      MOV [EBP+FFFFF2D4],EAX
    0167:024833FD  8B85D4F2FFFF      MOV EAX,[EBP+FFFFF2D4]
    0167:02483403  50                PUSH EAX
    0167:02483404  FF1560F04802      CALL [KERNEL32!FreeLibrary]
    0167:0248340A  8D8D18F4FFFF      LEA ECX,[EBP+FFFFF418]
    0167:02483410  51                PUSH ECX
    0167:02483411  E8800E0000        CALL 02484296
    0167:02483416  83C404            ADD ESP,04
    0167:02483419  83BDD4F2FFFF00    CMP DWORD PTR [EBP+FFFFF2D4],00
    0167:02483420  7505              JNZ 02483427
    0167:02483422  E927010000        JMP 0248354E
    0167:02483427  833D3417490201    CMP DWORD PTR [02491734],01
    0167:0248342E  751D              JNZ 0248344D
    0167:02483430  A128174902        MOV EAX,[02491728]
    0167:02483435  50                PUSH EAX
    0167:02483436  A110174902        MOV EAX,[02491710]
    0167:0248343B  50                PUSH EAX
    0167:0248343C  A158174902        MOV EAX,[02491758]
    0167:02483441  50                PUSH EAX
    0167:02483442  A160174902        MOV EAX,[02491760]
    0167:02483447  FFD0              CALL EAX
    0167:02483449  85C0              TEST EAX,EAX
    0167:0248344B  740C              JZ 02483459
    0167:0248344D  5E                POP ESI
    0167:0248344E  5D                POP EBP
    0167:0248344F  5B                POP EBX
    0167:02483450  8BE5              MOV ESP,EBP
    0167:02483452  5D                POP EBP
    0167:02483453  FF2544174902      JMP [02491744]

Keep tracing until you reach 0167:02483453, the JMP [02491744]. This indirect jump is where the wrapper, its checks done and its stack frame torn down, hands control to the original program's entry point (OEP); at that moment the original code is sitting unpacked in memory, which is why this is the place to dump. Press F10 once to trace into the jump and then dump the file.
When you trace into the jump you will see code like this:

    0167:00491580  55                PUSH EBP
    0167:00491581  8BEC              MOV EBP,ESP
    0167:00491583  83C4F4            ADD ESP,-0C

That is the first instruction of the unprotected program. To dump the file, type:

    /pedump 400000 91580 c:\azd.exe

If you don't know how to use /pedump, it takes the image base, the EIP and the output filename, in that order. The EIP argument should actually be "EIP - image base", i.e. the entry point as an offset into the image: here 00491580 - 00400000 = 91580. The image base for most EXE files is 400000 (if in doubt, check it with SoftICE's MOD command). Test your file and you will find that it runs without the nag screen or time trial. If a dump made this way refuses to start, the usual reason is that the protector also tampered with the import table; that was not the case with this target, since the dump runs as is.

Conclusion:

Well, I hope you learned something from this tutorial. All software protected by eLicense is pretty much the same. The web site http://www.soft-trade.com is a great resource if you want to practice unpacking eLicense, as all of the software on that site is protected by it. This example goes to show software authors that commercial protections can't be trusted: once the protection has been broken once, every program wrapped with it can be broken over and over using the same method.

-Muad'Dib
Wed. March 21, 2001
muaddib(at)immortaldescendants(dot)org
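The /pedump step above does two things to the memory image before it can be written back as an EXE: it computes the entry point as an offset from the image base (EIP - image base) and patches it into the PE header in place of the wrapper's entry point, and it rewrites the section table so that file offsets match the mapped layout, because what we dumped is the image as the loader laid it out in memory, not the file it came from. The script below is an added illustration of that logic, written here for this page; it is not IceDump's code and not part of the original tutorial. It works on a constructed, tiny PE32 image (not AutoZip), so its OEP sits at 401580 rather than 491580; the arithmetic is the same, and the tutorial's own numbers are checked in rva_of. It does not repair import tables, which some other protectors require.

```python
import struct

IMAGE_BASE = 0x400000                        # image base of most Win32 EXEs, as the tutorial notes
OEP_CODE = bytes.fromhex("558bec83c4f4")     # PUSH EBP / MOV EBP,ESP / ADD ESP,-0C seen at the OEP


def rva_of(eip, image_base):
    """The EIP argument /pedump wants: the entry point as an offset from the image base."""
    if eip < image_base:
        raise ValueError("EIP %#x lies below image base %#x" % (eip, image_base))
    return eip - image_base


def _locate_headers(image):
    """Return (offset of optional header, offset of first section header, section count)."""
    if image[:2] != b"MZ":
        raise ValueError("no MZ header")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    coff = e_lfanew + 4
    nsections = struct.unpack_from("<H", image, coff + 2)[0]
    opt_size = struct.unpack_from("<H", image, coff + 16)[0]
    opt = coff + 20
    if struct.unpack_from("<H", image, opt)[0] != 0x10B:
        raise ValueError("only PE32 images handled")
    return opt, opt + opt_size, nsections


def describe(image):
    """Pull out the header fields the dump procedure cares about."""
    opt, sect, nsections = _locate_headers(image)
    info = {
        "entry_point": struct.unpack_from("<I", image, opt + 16)[0],
        "image_base": struct.unpack_from("<I", image, opt + 28)[0],
        "size_of_image": struct.unpack_from("<I", image, opt + 56)[0],
        "sections": [],
    }
    for i in range(nsections):
        h = sect + 40 * i
        name = image[h:h + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, vaddr, raw_size, raw_ptr = struct.unpack_from("<IIII", image, h + 8)
        info["sections"].append({"name": name, "vaddr": vaddr, "vsize": vsize,
                                 "raw_ptr": raw_ptr, "raw_size": raw_size})
    return info


def fix_dump(image, image_base, eip):
    """Turn a raw memory image into a loadable EXE, the way /pedump does:
    point AddressOfEntryPoint at the traced OEP and make the section table
    describe the mapped layout (raw offset = RVA) instead of the old file layout."""
    buf = bytearray(image)
    opt, sect, nsections = _locate_headers(buf)
    rva = rva_of(eip, image_base)
    size_of_image = struct.unpack_from("<I", buf, opt + 56)[0]
    if rva >= size_of_image:
        raise ValueError("entry RVA %#x is outside the image (%#x bytes)" % (rva, size_of_image))
    struct.pack_into("<I", buf, opt + 16, rva)            # AddressOfEntryPoint
    struct.pack_into("<I", buf, opt + 28, image_base)     # ImageBase
    section_align = struct.unpack_from("<I", buf, opt + 32)[0]
    struct.pack_into("<I", buf, opt + 36, section_align)  # FileAlignment := SectionAlignment
    for i in range(nsections):
        h = sect + 40 * i
        vsize, vaddr = struct.unpack_from("<II", buf, h + 8)
        raw_size = (vsize + section_align - 1) & ~(section_align - 1)
        struct.pack_into("<II", buf, h + 16, raw_size, vaddr)  # SizeOfRawData, PointerToRawData
    return bytes(buf)


def build_sample_image():
    """Constructed memory image of a tiny PE32 (not a real program). Headers at 0, one
    section mapped at RVA 0x1000, the tutorial's OEP prologue at RVA 0x1580. The section
    header still carries on-disk values (raw data at 0x200): the mismatch that makes a
    naive memory dump unloadable."""
    section_align, file_align = 0x1000, 0x200
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x0102)  # i386, 1 section, 32-bit EXE
    opt = struct.pack("<HBB" + "I" * 9 + "H" * 6 + "I" * 4 + "HH" + "I" * 6,
                      0x10B, 6, 0,
                      0x1000, 0, 0,            # SizeOfCode, SizeOfInitializedData, SizeOfUninitializedData
                      0,                       # AddressOfEntryPoint: the wrapper's, to be replaced
                      0x1000, 0x2000,          # BaseOfCode, BaseOfData
                      IMAGE_BASE, section_align, file_align,
                      4, 0, 0, 0, 4, 0,        # OS / image / subsystem versions
                      0, 0x2000, 0x200, 0,     # Win32VersionValue, SizeOfImage, SizeOfHeaders, CheckSum
                      2, 0,                    # Subsystem (GUI), DllCharacteristics
                      0x100000, 0x1000, 0x100000, 0x1000, 0, 16)  # stack/heap sizes, LoaderFlags, NumberOfRvaAndSizes
    opt += b"\0" * (16 * 8)                    # 16 empty data directories
    text = struct.pack("<8sIIIIIIHHI", b".text", 0x1000, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    headers = (dos + b"PE\0\0" + coff + opt + text).ljust(0x1000, b"\0")
    return headers + (b"\0" * 0x580 + OEP_CODE).ljust(0x1000, b"\0")


if __name__ == "__main__":
    img = build_sample_image()
    fixed = fix_dump(img, IMAGE_BASE, 0x401580)
    print("before:", describe(img))
    print("after: ", describe(fixed))
    print("tutorial RVA:", hex(rva_of(0x491580, 0x400000)))
```

Run stand-alone it prints the header fields before and after the fix; the interesting change is AddressOfEntryPoint going from the wrapper's value to 1580 and PointerToRawData going from the on-disk 200 to the mapped 1000. Setting FileAlignment equal to SectionAlignment is what lets the loader accept a file whose raw offsets are RVAs.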