EXETOOLS FORUM  

  #1  
Old 07-17-2009, 18:05
nathan
Flexlm ECC alternate patching methods

After the v8.01 release, I know only 2 ways to bypass ECC protection in Flexlm license manager:
1) a binary patch to force "the good guy" at the end of _lm_pubverify
2) a binary patch that forces the license manager to use the no ECC option for checking out licenses

I want to state that it has been quite a while since I worked on that, however, I was wondering if anyone has ever considered building patches based on the obfuscated signature that you can find inside the binary.

For instance I analyze the vendor_struc and I can fish out the obfuscated signature used for the handshaking between the client and daemon. The interesting part of it is that the signature is unique for any product and it could be easily found by hex searching.

I was wondering if it would be possible to write a personalized daemon with the correct seed1-2 and our own ECC and inject the personalized ECC sig inside the binary and generate licenses accordingly.

Any thoughts? Am I missing something fundamental here?

Thnx,

nathan
  #2  
Old 07-17-2009, 20:37
Git
Does (2) still work after V10.5? I was told it had been defeated.

Git
  #3  
Old 07-18-2009, 01:10
nathan
It may be the case ... I haven't tested it ... however, what do you think about the injection idea?
  #4  
Old 07-18-2009, 01:57
Git
I don't know enough about ECC to comment, sorry.

Git
  #5  
Old 07-18-2009, 14:24
chenm001
I think the inject idea can work fine.
I tried this in Synplicity's software.

You need to find the init section and patch it to your ECC init code.
  #6  
Old 07-24-2009, 16:37
zhide1983
In this way, only the static data section would be changed...
  #7  
Old 09-11-2009, 10:12
MrGneissGuy's
I beat the feature check on 11.4. It loads any features with any number of licenses and expiration date regardless of checksum.
  #8  
Old 09-13-2009, 18:56
rcer

MrGneissGuy's

Can you elaborate a little on which method you used?

(Patch 1 or 2, or the suggested injection of the personalized ECC code?)

Regards,

RCER
  #9  
Old 01-06-2010, 00:08
arlequim
Try this little toy by Mammoth/ZWT

  #10  
Old 01-10-2010, 16:17
toro
@nathan
The idea you mentioned is possible. Actually I did it in another way but I got the same result. I made a daemon which works OK. By finding the correct info and setting it in lm_code.h you can compile a daemon with different ECC seeds which works the same as the original daemon. It was a long time ago, but as I remember a special kind of license was needed too. In this way, even if the program itself checks the ECC signature rather than the daemon, verification will still return true.
  #11  
Old 11-22-2011, 19:41
nathan
@toro: yes the idea can work indeed ... plus it's quite useful to build a database of ECC signatures which help the patch right away. I've been out for quite a long time but I'm back to exercise now XD
  #12  
Old 11-25-2011, 16:12
swlepus
Patching the pubkey data is another method.
And as far as I know, patching the ECDSA data is the most powerful method. This can defeat any platform and any version of FlexLM in seconds.
  #13  
Old 12-08-2011, 14:31
oracle009
@swlepus: how to patch ECDSA?
  #14  
Old 12-12-2011, 00:52
nikkapedd
Quote:
Originally Posted by oracle009
@swlepus: how to patch ECDSA?

Search in the forum, "arlequim" has made a good patcher for vendors v10.5--11.9...
But in some cases it doesn't work... You need to manually find the flexlm ECC routine inside the vendor/exe/dll...
  #15  
Old 03-17-2013, 22:47
flexlm
Quote:
Originally Posted by Git
Does (2) still work after V10.5? I was told it had been defeated.

Git

Still OK.
All times are GMT +8.