Exetools  

Go Back   Exetools > General > General Discussion

Notices

Reply
 
Thread Tools Display Modes
  #1  
Old 08-27-2018, 23:21
rcer rcer is offline
Friend
 
Join Date: Dec 2008
Posts: 163
Rept. Given: 5
Rept. Rcvd 9 Times in 8 Posts
Thanks Given: 4
Thanks Rcvd at 24 Times in 20 Posts
rcer Reputation: 9
Flexlm ECC

I am trying to reverse a flexlm protected program which uses ECC.
I Managed to find the seeds and features, build lmcrypt, and patched l_pubkey_verifyl
However the program refuses to run, and crashes every time, so I assume that it uses some form of CRC check, and crashes because this value has changed due to patching.
What is the general approach to defeat the CRC check?
Reply With Quote
  #2  
Old 08-28-2018, 02:40
user1 user1 is offline
Family
 
Join Date: Sep 2012
Location: OUT
Posts: 1,041
Rept. Given: 547
Rept. Rcvd 120 Times in 67 Posts
Thanks Given: 695
Thanks Rcvd at 566 Times in 337 Posts
user1 Reputation: 41
how about you show us how to in a tutorial?

someone will help if you serious.
Reply With Quote
  #3  
Old 08-28-2018, 19:55
rcer rcer is offline
Friend
 
Join Date: Dec 2008
Posts: 163
Rept. Given: 5
Rept. Rcvd 9 Times in 8 Posts
Thanks Given: 4
Thanks Rcvd at 24 Times in 20 Posts
rcer Reputation: 9
Not sure what you mean with show us how to in a tutorial?
Do you want me to write a tutorial on how to extract the encryption seeds & patching of l_pubkey_verify??
Reply With Quote
The Following User Says Thank You to rcer For This Useful Post:
niculaita (08-29-2018)
  #4  
Old 08-29-2018, 01:58
user1 user1 is offline
Family
 
Join Date: Sep 2012
Location: OUT
Posts: 1,041
Rept. Given: 547
Rept. Rcvd 120 Times in 67 Posts
Thanks Given: 695
Thanks Rcvd at 566 Times in 337 Posts
user1 Reputation: 41
yes please do. not worry 90% are just persons of scripts and automated tool olly plugins.

if very private ask one VIP to move your complete tutorial to VIP area.

long time I not seen such one.
Reply With Quote
The Following User Says Thank You to user1 For This Useful Post:
chants (09-02-2018)
  #5  
Old 08-29-2018, 13:24
ahmadmansoor's Avatar
ahmadmansoor ahmadmansoor is offline
Coder
 
Join Date: Feb 2006
Location: Syria
Posts: 1,044
Rept. Given: 505
Rept. Rcvd 373 Times in 142 Posts
Thanks Given: 326
Thanks Rcvd at 406 Times in 119 Posts
ahmadmansoor Reputation: 300-399 ahmadmansoor Reputation: 300-399 ahmadmansoor Reputation: 300-399 ahmadmansoor Reputation: 300-399
is your target x64?
__________________
Ur Best Friend Ahmadmansoor
Always My Best Friend: Aaron & JMI & ZeNiX
Reply With Quote
  #6  
Old 08-30-2018, 02:46
rcer rcer is offline
Friend
 
Join Date: Dec 2008
Posts: 163
Rept. Given: 5
Rept. Rcvd 9 Times in 8 Posts
Thanks Given: 4
Thanks Rcvd at 24 Times in 20 Posts
rcer Reputation: 9
Yes the target is x64
Reply With Quote
  #7  
Old 08-30-2018, 22:24
rcer rcer is offline
Friend
 
Join Date: Dec 2008
Posts: 163
Rept. Given: 5
Rept. Rcvd 9 Times in 8 Posts
Thanks Given: 4
Thanks Rcvd at 24 Times in 20 Posts
rcer Reputation: 9
fishing of encryption seeds, and patching of l_pubkey_verify is common knowledge, so no need to write a tutorial
Reply With Quote
  #8  
Old 08-31-2018, 22:30
rcer rcer is offline
Friend
 
Join Date: Dec 2008
Posts: 163
Rept. Given: 5
Rept. Rcvd 9 Times in 8 Posts
Thanks Given: 4
Thanks Rcvd at 24 Times in 20 Posts
rcer Reputation: 9
ahmadmansoor ,

why did you ask if my target is x64?
Reply With Quote
  #9  
Old 09-01-2018, 03:44
user1 user1 is offline
Family
 
Join Date: Sep 2012
Location: OUT
Posts: 1,041
Rept. Given: 547
Rept. Rcvd 120 Times in 67 Posts
Thanks Given: 695
Thanks Rcvd at 566 Times in 337 Posts
user1 Reputation: 41
if that common show us !

I want see basic instinct again, reloaded !

Last edited by user1; 09-01-2018 at 03:58.
Reply With Quote
  #10  
Old 09-01-2018, 04:31
eAGLe_eYe eAGLe_eYe is offline
Family
 
Join Date: Aug 2012
Posts: 113
Rept. Given: 8
Rept. Rcvd 54 Times in 12 Posts
Thanks Given: 6
Thanks Rcvd at 20 Times in 11 Posts
eAGLe_eYe Reputation: 54
Simple,In common way catch CRC checking routine and modify asm code for jmp.
Reply With Quote
  #11  
Old 09-01-2018, 16:18
rcer rcer is offline
Friend
 
Join Date: Dec 2008
Posts: 163
Rept. Given: 5
Rept. Rcvd 9 Times in 8 Posts
Thanks Given: 4
Thanks Rcvd at 24 Times in 20 Posts
rcer Reputation: 9
Understood, but I have never dealt with CRC checking routines, so can you give me a hint as how do I find the dll or executable which checks the CRC?
Reply With Quote
  #12  
Old 09-02-2018, 03:59
eAGLe_eYe eAGLe_eYe is offline
Family
 
Join Date: Aug 2012
Posts: 113
Rept. Given: 8
Rept. Rcvd 54 Times in 12 Posts
Thanks Given: 6
Thanks Rcvd at 20 Times in 11 Posts
eAGLe_eYe Reputation: 54
Quote:
Originally Posted by rcer View Post
Understood, but I have never dealt with CRC checking routines, so can you give me a hint as how do I find the dll or executable which checks the CRC?
search all Exitprocess call in exe with olly,bookmarks all call,run exe its stop on exitprocess call.its most likely your crc check routine.
Reply With Quote
The Following 2 Users Say Thank You to eAGLe_eYe For This Useful Post:
niculaita (09-02-2018), tonyweb (09-02-2018)
  #13  
Old 09-02-2018, 13:01
ahmadmansoor's Avatar
ahmadmansoor ahmadmansoor is offline
Coder
 
Join Date: Feb 2006
Location: Syria
Posts: 1,044
Rept. Given: 505
Rept. Rcvd 373 Times in 142 Posts
Thanks Given: 326
Thanks Rcvd at 406 Times in 119 Posts
ahmadmansoor Reputation: 300-399 ahmadmansoor Reputation: 300-399 ahmadmansoor Reputation: 300-399 ahmadmansoor Reputation: 300-399
Quote:
Originally Posted by eAGLe_eYe View Post
search all Exitprocess call in exe with olly,bookmarks all call,run exe its stop on exitprocess call.its most likely your crc check routine.
First, it is an x64 target so ollyDbg will not work , you need x64dbg.
did you check if it is packed -if yes you will see that the target has many calls out of the .text section with many anti-debug checks -
what you need ( as I remember) is dll inject and huck some API before you use HW-BP to bypass anti-debug, then you apply ur patches.
__________________
Ur Best Friend Ahmadmansoor
Always My Best Friend: Aaron & JMI & ZeNiX
Reply With Quote
The Following 5 Users Say Thank You to ahmadmansoor For This Useful Post:
eAGLe_eYe (09-02-2018), gsaralji (09-02-2018), niculaita (09-02-2018), TechLord (09-02-2018), tonyweb (09-02-2018)
  #14  
Old 09-02-2018, 17:29
rcer rcer is offline
Friend
 
Join Date: Dec 2008
Posts: 163
Rept. Given: 5
Rept. Rcvd 9 Times in 8 Posts
Thanks Given: 4
Thanks Rcvd at 24 Times in 20 Posts
rcer Reputation: 9
Well it looks that I have a lot of studying to do, and learn about anti-debug checks, API hooking and dll injecting, because i don't have a clue
Reply With Quote
  #15  
Old 09-02-2018, 17:52
ahmadmansoor's Avatar
ahmadmansoor ahmadmansoor is offline
Coder
 
Join Date: Feb 2006
Location: Syria
Posts: 1,044
Rept. Given: 505
Rept. Rcvd 373 Times in 142 Posts
Thanks Given: 326
Thanks Rcvd at 406 Times in 119 Posts
ahmadmansoor Reputation: 300-399 ahmadmansoor Reputation: 300-399 ahmadmansoor Reputation: 300-399 ahmadmansoor Reputation: 300-399
Can you mention your target name?
Because I already have a target with same protection, I hope it not same yours
__________________
Ur Best Friend Ahmadmansoor
Always My Best Friend: Aaron & JMI & ZeNiX
Reply With Quote
Reply

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
Flexlm 7.2 LIC file use on Flexlm 9.2 display error -73 ? hanzi General Discussion 9 07-05-2006 18:51


All times are GMT +8. The time now is 16:25.


Always Your Best Friend: Aaron, JMI, ahmadmansoor, ZeNiX, chessgod101
( 1998 - 2024 )