05-21-2013, 03:27
|
 |
IBMSecuritySystemsXForce
|
|
Join Date: Feb 2009
Location: Punta Entinas-Sabinar, ALMERIMAR
Posts: 292
Rept. Given: 51
Rept. Rcvd 317 Times in 104 Posts
Thanks Given: 44
Thanks Rcvd at 186 Times in 61 Posts
|
|
Why do you all still spend so much time trying to patch this silly Elliptic Curve ?!?!? The best alternate, fastest and working method is to patch the return compare of pubkey verify, isn't it? Here is the solution applied on some well-known flexlm library.
ORIGINAL CODE
.textidx:1015779B loc_1015779B: ; CODE XREF: sub_10157010+73Aj
.textidx:1015779B ; sub_10157010+76Aj
.textidx:1015779B lea ecx, [ebp+var_4]
.textidx:1015779E push ecx
.textidx:1015779F lea edx, [ebp+var_D8]
.textidx:101577A5 push edx
.textidx:101577A6 lea eax, [ebp+Dst]
.textidx:101577A9 push eax
.textidx:101577AA mov ecx, [ebp+Memory]
.textidx:101577B0 add ecx, 44h
.textidx:101577B3 push ecx
.textidx:101577B4 mov edx, [ebp+Memory]
.textidx:101577BA mov eax, [edx+4]
.textidx:101577BD push eax
.textidx:101577BE call sub_100B28B0
.textidx:101577C3 add esp, 14h
.textidx:101577C6 mov [ebp+var_20], eax
.textidx:101577C9 cmp [ebp+var_20], 0
.textidx:101577CD jz short loc_101577EB
.textidx:101577CF ; ---------------------------------------------------------------------------
.textidx:101577CF mov ecx, [ebp+var_20]
.textidx:101577D2 push ecx
.textidx:101577D3 push 2930h
.textidx:101577D8 mov edx, [ebp+arg_0]
.textidx:101577DB push edx
.textidx:101577DC call sub_10129060
.textidx:101577E1 add esp, 0Ch
.textidx:101577E4 mov eax, 0FFFFFF8Dh
.textidx:101577E9 jmp short loc_10157853
.textidx:101577EB ; ---------------------------------------------------------------------------
.textidx:101577EB
.textidx:101577EB loc_101577EB: ; CODE XREF: sub_10157010+7BDj
.textidx:101577EB cmp [ebp+var_4], 0
.textidx:101577EF jnz short loc_10157850
PATCHED CODE
.textidx:1015779B loc_1015779B: ; CODE XREF: sub_10157010+73Aj
.textidx:1015779B ; sub_10157010+76Aj
.textidx:1015779B lea ecx, [ebp+var_4]
.textidx:1015779E push ecx
.textidx:1015779F lea edx, [ebp+var_D8]
.textidx:101577A5 push edx
.textidx:101577A6 lea eax, [ebp+Dst]
.textidx:101577A9 push eax
.textidx:101577AA mov ecx, [ebp+Memory]
.textidx:101577B0 add ecx, 44h
.textidx:101577B3 push ecx
.textidx:101577B4 mov edx, [ebp+Memory]
.textidx:101577BA mov eax, [edx+4]
.textidx:101577BD push eax
.textidx:101577BE call sub_100B28B0
.textidx:101577C3 add esp, 14h
.textidx:101577C6 mov [ebp+var_20], eax
.textidx:101577C9 cmp [ebp+var_20], 0
.textidx:101577CD jmp short loc_101577EB
.textidx:101577CF ; ---------------------------------------------------------------------------
.textidx:101577CF mov ecx, [ebp+var_20]
.textidx:101577D2 push ecx
.textidx:101577D3 push 2930h
.textidx:101577D8 mov edx, [ebp+arg_0]
.textidx:101577DB push edx
.textidx:101577DC call sub_10129060
.textidx:101577E1 add esp, 0Ch
.textidx:101577E4 mov eax, 0FFFFFF8Dh
.textidx:101577E9 jmp short loc_10157853
.textidx:101577EB ; ---------------------------------------------------------------------------
.textidx:101577EB
.textidx:101577EB loc_101577EB: ; CODE XREF: sub_10157010+7BDj
.textidx:101577EB cmp [ebp+var_4], 0
.textidx:101577EF jmp short loc_10157850
After all, you can't achieve the impossible without attempting the absurd 
__________________
<<< The L10n won't give up >>>
Last edited by arlequim; 05-21-2013 at 03:37.
|