Exetools  

Old 01-17-2008, 16:52
roli_bark
FLEXlm new versions: _time obfuscation area

From playing around with a FLEXlm v10.8 target lately, I just want to let you old FLEXlm hackers know that a NEW memory area is used as the _time obfuscation area in newer FLEXlm versions.

To get the clear SEEDS revealed, as opposed to the OLD Job Structure area [where you'd clear the 4 random dwords generated by multiple _time calls in "l_n36_buff"], the new area is noted in "_l_sg" like so:

-----------------------------

.text:00417F35 _l_sg proc near
.text:00417F35 push ebp
.text:00417F36 mov ebp, esp
.text:00417F38 sub esp, 24h
.text:00417F3B mov [ebp+var_14], 0
.text:00417F3F xor eax, eax
.text:00417F41 mov [ebp+var_13], ax
.text:00417F45 mov [ebp+var_11], al
.text:00417F48 mov [ebp+var_C], 6F7330B8h
.text:00417F4F mov [ebp+var_4], 0
.text:00417F56 mov [ebp+var_8], 0
.text:00417F5D mov [ebp+var_10], 3
.text:00417F64 push 1000h
.text:00417F69 mov ecx, [ebp+arg_0]
.text:00417F6C push ecx
.text:00417F6D call sub_42CF2D
.text:00417F72 add esp, 8
.text:00417F75 test eax, eax
.text:00417F77 jz short loc_417FCB
.text:00417F79 mov edx, [ebp+arg_0]
.text:00417F7C mov eax, [edx+198h]
.text:00417F82 mov ecx, [eax+1CDCh]
.text:00417F88 cmp dword ptr [ecx+524h], 0
.text:00417F8F jz short loc_417FCB
.text:00417F91 mov edx, [ebp+arg_8] <--- arg_2 - PTR to vendor structure
.text:00417F94 push edx
.text:00417F95 mov eax, [ebp+arg_4] <--- arg_1 - PTR to vendor name (Id.)
.text:00417F98 push eax
.text:00417F99 mov ecx, [ebp+arg_0] <--- PTR to legacy job structure
.text:00417F9C mov edx, [ecx+198h]
.text:00417FA2 mov eax, [edx+1CDCh]
.text:00417FA8 add eax, 528h
.text:00417FAD push eax <--- arg_0 - PTR to NEW _time obfuscation area
.text:00417FAE mov ecx, [ebp+arg_0]
.text:00417FB1 mov edx, [ecx+198h]
.text:00417FB7 mov eax, [edx+1CDCh]
.text:00417FBD call dword ptr [eax+524h] <- call _user_l_sg (l_n36_buff)
.text:00417FC3 add esp, 0Ch
.text:00417FC6 jmp loc_4180DE

-----------------------------------

In order to get the clear, de-obfuscated SEEDs: in _user_l_sg, just before the Order/Unique XORs, clear the 3 _time rand dwords at offsets .+0x8, .+0xC, .+0x10 @ the arg_0 PTR (the new obfuscation area). Then, just as before, break on RETN to get the clear seeds.

Of course, all the above is ONLY relevant for non-ECC targets...
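As an added example (not part of roli_bark's post, and not FLEXlm or vendor code), the script below turns the procedure above into a debugger-agnostic helper: it walks the pointer chain visible in the _l_sg listing ([job+0x198] -> [x+0x1CDC], then +0x524 for the _user_l_sg pointer and +0x528 for the new _time area) and zeroes the three rand dwords at +0x8/+0xC/+0x10. The read/write callbacks are meant to be wired to a real debugger's memory API; here they are backed by a constructed dict-based memory model so it runs offline. The `model_user_l_sg` function is a hypothetical, simplified stand-in (one XOR per seed) used only to show why zeroed rand dwords leave the seeds readable at RETN; the real vendor routine does more than that, and all seed and "random" values in `demo()` are constructed.

```python
"""Walk FLEXlm 10.x's pointer chain to the newer _time obfuscation area and
zero the three _time-derived dwords before _user_l_sg combines them with
the seeds.  Offsets come from the _l_sg listing and the post above:

    job -> [job+0x198] -> [x+0x1CDC] = inner
    inner+0x524        : pointer to _user_l_sg (the vendor's l_n36_buff routine)
    inner+0x528        : new _time obfuscation area (passed as arg_0)
    area+0x8/0xC/0x10  : the three rand dwords to clear

The read/write callbacks let the same code run from a real debugger
(IDAPython, x64dbg, WinDbg); here they are backed by a small dict-based
32-bit little-endian memory model so the script runs offline.
"""
import struct

JOB_PTR_OFF = 0x198      # mov edx, [ecx+198h]
INNER_PTR_OFF = 0x1CDC   # mov eax, [edx+1CDCh]
USER_L_SG_OFF = 0x524    # call dword ptr [eax+524h]
TIME_AREA_OFF = 0x528    # add eax, 528h  -> pushed as arg_0
RAND_DWORD_OFFS = (0x8, 0xC, 0x10)   # the three _time dwords named in the post


class FakeMemory:
    """Constructed stand-in for process memory: 32-bit little-endian dwords."""

    def __init__(self):
        self.cells = {}

    def write_dword(self, addr, value):
        for i, byte in enumerate(struct.pack("<I", value & 0xFFFFFFFF)):
            self.cells[addr + i] = byte

    def read_dword(self, addr):
        raw = bytes(self.cells.get(addr + i, 0) for i in range(4))
        return struct.unpack("<I", raw)[0]


def inner_struct(job, read_dword):
    """[job+0x198] -> [x+0x1CDC]: the structure that owns the new area."""
    return read_dword(read_dword(job + JOB_PTR_OFF) + INNER_PTR_OFF)


def time_area_addr(job, read_dword):
    """Address _l_sg pushes as arg_0 for _user_l_sg."""
    return inner_struct(job, read_dword) + TIME_AREA_OFF


def user_l_sg_addr(job, read_dword):
    """Target of 'call dword ptr [eax+524h]'; break here, then on its RETN."""
    return read_dword(inner_struct(job, read_dword) + USER_L_SG_OFF)


def clear_time_randoms(area, read_dword, write_dword):
    """Zero the three _time dwords; return the values that were there."""
    saved = [read_dword(area + off) for off in RAND_DWORD_OFFS]
    for off in RAND_DWORD_OFFS:
        write_dword(area + off, 0)
    return saved


def model_user_l_sg(area, read_dword, clear_seeds):
    """Hypothetical, simplified model of the obfuscation step only: each
    seed is XORed with one rand dword.  The real vendor routine does more
    (the Order/Unique XORs the post mentions); this only shows why zeroed
    rand dwords leave the seeds readable at RETN."""
    return [s ^ read_dword(area + off) for s, off in zip(clear_seeds, RAND_DWORD_OFFS)]


def demo():
    """Build a constructed job structure, then compare the model's output
    with and without clearing the _time dwords.  Returns (obfuscated, clear)."""
    mem = FakeMemory()
    job, hdr, inner = 0x00400000, 0x00500000, 0x00600000   # constructed addresses
    mem.write_dword(job + JOB_PTR_OFF, hdr)
    mem.write_dword(hdr + INNER_PTR_OFF, inner)
    mem.write_dword(inner + USER_L_SG_OFF, 0x00417000)     # fake _user_l_sg address
    area = time_area_addr(job, mem.read_dword)
    # Constructed per-run "random" _time values at +8/+C/+10.
    for off, rnd in zip(RAND_DWORD_OFFS, (0x47A1B2C3, 0x0BADF00D, 0x13572468)):
        mem.write_dword(area + off, rnd)
    seeds = [0x11223344, 0x55667788, 0x99AABBCC]           # constructed vendor seeds
    obfuscated = model_user_l_sg(area, mem.read_dword, seeds)
    clear_time_randoms(area, mem.read_dword, mem.write_dword)
    clear = model_user_l_sg(area, mem.read_dword, seeds)
    return obfuscated, clear


if __name__ == "__main__":
    obf, clr = demo()
    print("with _time dwords :", [hex(v) for v in obf])
    print("after clearing    :", [hex(v) for v in clr])
```

In a live session you would replace `FakeMemory` with the debugger's own read/write primitives, set a breakpoint on `user_l_sg_addr(job, ...)`, call `clear_time_randoms(time_area_addr(job, ...), ...)` when it hits, and then break on that routine's RETN as the post describes.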