Exetools - General Discussion

#1 - 01-17-2008, 16:52
roli_bark
FLEXlm new versions: _time obfuscation area

From playing around with a FLEXlm v10.8 target lately, I just want to let you old FLEXlm hackers know that a NEW memory area is used for the _time obfuscation area in newer FLEXlm versions.

To get clear SEEDs revealed, as opposed to the OLD Job Structure area [where you'd clear 4 random dwords generated by multiple _time calls in "l_n36_buff"], the new area is noted in "_l_sg" like so:

-----------------------------

.text:00417F35 _l_sg proc near
.text:00417F35 push ebp
.text:00417F36 mov ebp, esp
.text:00417F38 sub esp, 24h
.text:00417F3B mov [ebp+var_14], 0
.text:00417F3F xor eax, eax
.text:00417F41 mov [ebp+var_13], ax
.text:00417F45 mov [ebp+var_11], al
.text:00417F48 mov [ebp+var_C], 6F7330B8h
.text:00417F4F mov [ebp+var_4], 0
.text:00417F56 mov [ebp+var_8], 0
.text:00417F5D mov [ebp+var_10], 3
.text:00417F64 push 1000h
.text:00417F69 mov ecx, [ebp+arg_0]
.text:00417F6C push ecx
.text:00417F6D call sub_42CF2D
.text:00417F72 add esp, 8
.text:00417F75 test eax, eax
.text:00417F77 jz short loc_417FCB
.text:00417F79 mov edx, [ebp+arg_0]
.text:00417F7C mov eax, [edx+198h]
.text:00417F82 mov ecx, [eax+1CDCh]
.text:00417F88 cmp dword ptr [ecx+524h], 0
.text:00417F8F jz short loc_417FCB
.text:00417F91 mov edx, [ebp+arg_8] <--- arg_2 - PTR to vendor structure
.text:00417F94 push edx
.text:00417F95 mov eax, [ebp+arg_4] <--- arg_1 - PTR to vendor name (Id.)
.text:00417F98 push eax
.text:00417F99 mov ecx, [ebp+arg_0] <--- PTR to legacy job structure
.text:00417F9C mov edx, [ecx+198h]
.text:00417FA2 mov eax, [edx+1CDCh]
.text:00417FA8 add eax, 528h
.text:00417FAD push eax <--- arg_0 - PTR to NEW _time obfuscation area
.text:00417FAE mov ecx, [ebp+arg_0]
.text:00417FB1 mov edx, [ecx+198h]
.text:00417FB7 mov eax, [edx+1CDCh]
.text:00417FBD call dword ptr [eax+524h] <- call _user_l_sg (l_n36_buff)
.text:00417FC3 add esp, 0Ch
.text:00417FC6 jmp loc_4180DE

-----------------------------------

In order to get clear de-obfuscated SEEDs, in _user_l_sg, just before the Order/Unique XORs, clear the 3 _time rand dwords at offsets .+0x8, .+0xC, .+0x10 @ the arg_0 PTR (new obfuscation area). Then, just as before, break on RETN to get clear seeds.

Of course, all the above is ONLY relevant with non-ECC targets...
#2 - 02-06-2008, 19:06
ChupaChu
Thanks for the info, what target is it you "quoted"?
#3 - 06-03-2009, 00:10
SlashZero
Probably he does not want to share that information for obvious reasons.