#1
|
|||
|
|||
Flexlm ECC alternate patching methods
After the v8.01 release, I know only 2 ways to bypass ECC protection in Flexlm license manager:
1) a binary patch to force "the good guy" at the end of of _lm_pubverify 2) a binary patch that forces the license manager to use the no ECC option for checking out licenses I want to state that has been quite a while since I worked on that, however, I was wondering if anyone has ever considered to build patches based on the obsucated signature that you can find inside the binary. For instance I analize the vendor_struc and I can fish out the obfuscated signature used for the handshaking between the client and daemon. The interesting part of it is that the signature is unique for any product and it could be easily found by hex searching. I was wondering if it would be possible to write a personalized daemon with the correct seed1-2 and our own ECC and inject the personalized ECC sig inside the binary and generate licenses accordingly. Any thoughs ? Am I missing somting fundamental here ? Thnx, nathan |
The Following User Says Thank You to nathan For This Useful Post: | ||
Indigo (07-19-2019) |
#2
|
||||
|
||||
Does (2) still work after V10.5?. I was told it had been defeated.
Git |
The Following User Says Thank You to Git For This Useful Post: | ||
Indigo (07-19-2019) |
#3
|
|||
|
|||
It may be the case ... I haven't tested it ... however, what do you think about the injection idea ?
|
The Following User Says Thank You to nathan For This Useful Post: | ||
Indigo (07-19-2019) |
#4
|
||||
|
||||
I don't know enough about ECC to comment, sorry.
Git |
The Following User Says Thank You to Git For This Useful Post: | ||
Indigo (07-19-2019) |
#5
|
|||
|
|||
I think the inject idea can work fine.
I try this in Synplicity's software. You need found the init section and patch it to your ECC init code. |
#6
|
|||
|
|||
in this way, only the static data session would be changed...
|
#7
|
|||
|
|||
I beat the feature check on 11.4. It loads the any features with any number of licenses and and expiration date regardless of checksum.
|
#8
|
|||
|
|||
MrGneissGuy's
Can you elaborate a little on which method you used? (Patch 1 or 2, or the suggested injection of the personalized ECC code?) Regards, RCER |
The Following User Says Thank You to rcer For This Useful Post: | ||
Indigo (07-19-2019) |
#9
|
Try this little toy by Mammoth/ZWT
MIME-Version: 1.0 Content-Type: application/octet-stream; name="patch.exe" Content-Transfer-Encoding: base64 Content-Disposition: attachment; filename="patch.exe" TVqAAAEAAAAEABAA//8AAEABAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAgAAAAA4fug4AtAnNIbgBTM0hdGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1v ZGUuDQokAAAAAAAAAABQRQAATAECAGrUIEAAAAAAAAAAAOAAj4ELAQEyAAAAAAAAAAAAAAAAgCAA AAAAAAAAAAAAAABAAAAQAAAAAgAAAQAAAAAAAAAEAAAAAAAAAABQAAAAAgAAVR4AAAIAAAAAEAAA ABAAAAAAAQAAAAAAAAAAABAAAAAAAAAAAAAAAAAgAABkFQAAABAAAJwDAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAC5yc3JjAAAAnAMAAAAQAAAABAAAAAIA AAAAAAAAAAAAAAAAAEAAAEAuZmxhdAAAAAAwAAAAIAAAAAwAAAAGAAAAAAAAAAAAAAAAAABgAADg AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAIAAwAAACAAAIAOAAAAUAAAgAAAAAAAAAAAAAAAAAAAAQABAAAAOAAAgAAA AAAAAAAAAAAAAAAAAQAAAAAAgAAAAAAAAAAAAAAAAAAAAAAAAQAAAQAAaAAAgAAAAAAAAAAAAAAA AAAAAQAAAAAAeAMAAJAQAADoAgAAAAAAAAAAAAAoAAAAIAAAAEAAAAABAAQAAAAAAIACAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAgAAAgAAAAICAAIAAAACAAIAAgIAAAICAgADAwMAAAAD/AAD/AAAA //8A/wAAAP8A/wD//wAA////AAAAAAAAAAAAAAAAAAAAAAAAAAAAMAAAAAAAAAMAAAAAAAAAA7MA AAAAAAA7MAAAAAAAADs7MAAAAAADs7MAAAAAAAOzs7MAAAAAOzs7MAAAAAA7Ozs7MAAAA7Ozs7MA AAADs7Ozs7MAADs7Ozs7MAAAOzs7Ozs7MAOzs7Ozs7MAA/Ozs7Ozs7MzOzs7Ozs7MAA/Ozs7Ozsz szOzs7OzswAAA/Ozs7OzOzszOzs7OzAAAAA/Ozs7M7OzszOzs7MAAAAAA/Ozszs7OzszOzswAAAA AAA/OzOzs7OzszOzAAAAAAAAA/M7Ozs7OzszMAAAAAAAAAAzs7Ozs7OzswAAAAAAAAAAPzs7Ozs7 OzMAAAAAAAAAA7Pzs7Ozs7M7MAAAAAAAADs7Pzs7Ozszs7MAAAAAAAOzs7Pzs7OzOzs7MAAAAAA7 Ozs7Pzs7M7Ozs7MAAAADs7Ozs7Pzszs7Ozs7MAAAOzs7Ozs7PzOzs7Ozs7MAA/Ozs7Ozs7M/Ozs7 Ozs7MAA/Ozs7OzswA/Ozs7OzswAAA/Ozs7OzAAA/Ozs7OzAAAAA/Ozs7MAAAA/Ozs7MAAAAAA/Oz swAAAAA/OzswAAAAAAA/OzAAAAAAA/OzAAAAAAAAA/MAAAAAAAA/MAAAAAAAAAAwAAAAAAAAAwAA AAAAAAAAAAAAAAAAAAAAAAAA/3/+//4//H/8H/g/+A/wH/AH4A/gA8AHwAGAA4AAAAEAAAAAgAAA AcAAAAPgAAAH8AAAD/gAAB/8AAA//gAAf/4AAH/8AAA/+AAAH/AAAA/gAAAHwAAAA4AAAAEAAAAA gAAAAcABgAPgA8AH8AfgD/gP8B/8H/g//j/8f/9//v+IEwAAFAAAAAAAAAAAAAAAAAABAAEAICAQ AAAAAADoAgAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAKCAAADUgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGtlcm5lbDMyLmRsbABFIAAAVCAA AGUgAAAAAAAAAABMb2FkTGlicmFyeUEAAABHZXRQcm9jQWRkcmVzcwAAAEV4aXRQcm9jZXNzAAAA AAAAAAAAAAAAAABSMcDo/////8deg+4PBaAAAABZ6QEAAADA/CnRjTwGAchoDyFAAKmph84oD4TW AAAAPSwcjD93GDVYadEID4RiAQAAMwdHuwAgAACD6QV01k+hpyBAAIsVsiBAAKOyIEAAAdADBbkg QACJFbkgQADoEgAAAPfxiRWnIEAA6QEAAABpMRcZz1334+n/////5ei8////6Lf///9RVFp+v7r/ 7qdKlSelSYqdCBDx9NiFl7dvAKtjmtOa+dsFsBC56l6UaeRZAsfkPh8apTXx1/CrmN5T+QBDwvhX FBgFwJCRGORhGOrjue/e+WqgnwYJo5KceP99mhQQp39w0naCZx6YstFNtTlX7D3Y/ml++HCpVO/G 2fKCU8oAtBNwkxUdFI3YvJ2BvMiuhyuF0EFVEm9Gre9bbaruSQu2ctDVIM2Zo7FrPaowbx72KtyO mw6p40mjIBR8Q7eTGrqhquaYGI61G2Le/StHXtWmy78NHvGdTyGk3FnXZV21VvJ8URbgpCxmEwLm LCyNaKv8TLZ/DdiTKk15AhUZ6z59Sh7zYxp9ssomedAhejCMimAfzelpfqaCKbgOf1Qnun183W1C 0ZCDozT4bVYQdWyLjVqD4bO4dqgZqo5nHUrA31MBV0G7hwAT15CG2tEap8q0waVVHg3UfvPaOi7x lqnvMrqyCpt+ydXEAL8rzgFXjuaWSV0aYFfoZDx9NKVeOo3ZE2UZZAsIrrSm/0w8sfDUgA80tbLA 3EGCfHLPDYlQw3AZZXi8UesNOHSmuyMOM42auD4HVH8ODucJwifq2AKLNfDO8KHgo23eObGaWxeO QH70tRvV7Ojeg5YIwTodWajPxhKETaosBlfQ3g2WijkipGkzvh3KmfZ1wdJjb80GFVb2Q91n1EeG rixdem39gtJxSgiv2rQYdELqs/9fQOr3Trb9FmQK7KusJ7stIvup+rgHQmPMouWL+PeSl1rynyZ8 NbyoCrIrwJjrn+927Jy7hCE4IgtDrkuD3jbDI9MFDHHgDdUTzJQOqFzqrL86D3n3agtpJQObThLd da3fNFWjWKo50PvuSRDR9WfjcRNWhjE/pQiSZWAF5HFffu77Be2Gpn8i7nx24QkrgIiwT6rMulsz bIlxaEuI7tAU6gbHdzs1lWfo3b3VRgk5emh5wmGQCVLDgZlq0t2HLznmgPpijS5fVgabD6EI6t0a ovvesG1rPx7+sVpeXqqV1CTkFOo0PyJaDbADl3FXr93zGbzsszgsJpGbN3Vucn9QoWB3udFThOSs kjAxHUxcgM4Ua5gvefZsRb5vUrBl4mRvhO1lajiF1sdIlgZcPjxe1E3heJplcc8iXeG8or/QXDjE rcXN6wWDkFyymKci+JL8ZSHszLZFbpq5UN4MwbDHkaw5GyiElMU2x47T9zhARSWEFTCHTUPypCzx t6J2sxT36iGUta5BKACGr+ZckfLmYtsoMkiiOv2wxmdBFRsRhxSlRShdgZLcNAIVEZ/+h464Hbn/ QwvssiRizMuzjMEwTTa6sXHcVt6BwzpP9omp0JTXM3EZZJoyThJlxfedrxENvwAB18qf+f4wjRcW Hf+1YpeCIV16LkSDG8dy6W9MSOuOs07+MOEIPHpyyTTpKHoIQDc2iinx1xHlxXQrA1wcFlFa56ub vpaftrkHDHIeFzYsTfnpER0Ao1MOAYfeCd2ePxhuDM0sS/jzCvuWBYfeOBxaLaiIK2jn+8NavkIV S36VJawSrPIK7umEf5K+rDQimC7LAhoBdmuCyO3R2nBgVGh1S47GJs6iGnccNUShqr6Nd1T3DR9D NHCo3pVCB+qyDHrskZBKJUeGl56oYBX0j+L8YcfmXiCY8yfsttNdk7M7EbkOUpEgcOoYA/BvB4cT JBQRLC5ZxzZGAfL6l1ymdDwl1LctAzgUJyj4YPus8wgOPIbgkVclwpD5xzOOoGfK3GXVEtQAgCMt NoeZ3iEgTRGc4SZIO7j7mYmOZ9gkrvPIAhdOiQMbljJMAopUURB9vdxL0+m1IoR6KV/OyVgBBBas J1S4Uz4gGUsmV/BJW86IIKkl+5EaVMdpBRnhXS44l2LLPKpdk6H+qjTwjL04GU+2ee6xQH8+MujP 2tiAx38358LDVzO0SWz5H93JAmQ68vetWyIbhcOPxQFb58CQnsi6k+iZeATfl/17vHurv5NQ93g7 0NfXJ+xuhaeImIrL5MoksXzOex9NA8/e+Lc/ph2NOLN+TkAXdR8LDwsx17WYhgaCj+ZsvR/f/BXV 0yMp9raKcPyRo78sYfRm/bR0YgK/TDFtz/bpQgHHuykpFRdgeM8in8kQBok3d97BrjgDAF2D8olq sT14xh68lGi6DBQxStDoRg31OH0Ob+Y2yfv1UHyh4DPbKMtK3YxUGfWuC6jP8L6pXoo9+w3tossx sP67/1+xDNKNdf9JjGNfkWi2cm2CYgd+uNDXiiU3KGB6SSK863+JJTn/f4x6zYCKdn4k9vhtwpiQ oAdAhP3GIlHKcBe2svb+WJyzYhE6rLogvjPmohWSJz0CeWHxXTEEyrPIvc1U5Kt1VksodOXhN/jc 7O1hk1Em7I3QYbXHeQqeeujivkdERy3D/0rRbFauw3kPVD7td0rG0oEBNZfcNrmYqgWOdfh/MXn1 TgMXEIn0cYIDSQ+HnwttW4l49iiznqgS7VG2NYPzFjrTZEnX1ZLWkUS0aHbMCHwicyZ7moDJePEW cY+JLBGPhgY7XsLECyrZ9MJ+BfZ6Js7itIIplP35aVgDQpZ8sKnE+4AJgjNIc2MJlb9GoOaeUInx WOqdJL1uDUrzMrfc/ay8bF9IvFW6L+kNZQvO+3zEiVZmUFMG1ywn3xQD9/v19p+tlJKahMEjv1Up nb7gK3CbK67zSNRUGhxj+CHIV7zJr0auc4VGxEAFT+graCFNFCMFIbnZDkauVQh55L5RvUJVTDcA YuYEXs1dLnYBL0z+PzXvBi3I7HsH7Zm8gG6FTa7+l5fSg3WF43Ea9N5JKKD6Au2+LchmAB/cN97o aclWwvsAH3FOELRAD5+pNtylAOLnsd5VlLLUuIoynINrhDkcnkKKzj+of/bWA8p1xqaMNtMJbN+Y C9tiJ12ojQSKz1R/dhdoOydQrTGMXRuAAVloGvXjmzvMeAJldLtlvY10k512jloALuVVHDF9hRtH CupY5NwAI/dZdqLoRyJSU7EZ2y4e8kytB9D2vpZyIHHyFCspKjZx4SA1yXNLFnYUMsZc61RIoUFi qtruRTqGlt/Ywf0YmFJpPN/xwUw9vWv0ngi6aD3ehH3rUEkl7XsuEPPY1UCVEsPVqa8VZ+rfjlsH zoxbixkLIKAD1jM9Wm6YkbPmpSih0VlHPZoucZZ0h9BDW/PdiRnb69f2BqFiHBfgumKKO2+VajR9 mlizOgEELHmv0fVDpMG53hRwsHij1pHrieagEAQkzDcPjvq3uxAX7PVzS28h9l5xtBtwYUzRcs5l 3T29wh7Yd598KN8VFruUdTSgf+fQ44XfYQYQXLVV0Co6pSk1LotIC0cPJ1ZX2UrsTWg5bLTLPuWR uVFSfgP6V+Tdx+4ZPWaD0fbBap1ZqykLvbjmlSLkGUlrYWnOUsdKKugPh1dX84BNECvu5pfh/N7A dpTUpK9n2cLYX6Iv1AbZIMAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA |
The Following User Gave Reputation+1 to arlequim For This Useful Post: | ||
rcer (01-21-2010) |
The Following User Says Thank You to arlequim For This Useful Post: | ||
Indigo (07-19-2019) |
#10
|
|||
|
|||
@nathan
the idea you mentioned is possible to work. actually i did it in another way but i got same result. i made a daemon which work ok. by finding correct infos and set in lm_code.h you can compile a daemon with different ecc seeds which work same as original daemon. it was for long time ago, but as i remember a special kind of license needed too. in this way even if program itself check ecc signature rather than daemon, verification still will return true. |
The Following User Says Thank You to toro For This Useful Post: | ||
Indigo (07-19-2019) |
#11
|
|||
|
|||
@toro: yes the idea can work indeed ... plus it's quite useful to build a database of ECC signatures which help the patch right away. I've been out for quite a long time but I'm back to exercise now XD
|
The Following User Says Thank You to nathan For This Useful Post: | ||
Indigo (07-19-2019) |
#12
|
|||
|
|||
patch the pubkey data is another method.
and as far as i know, patch ECDSA data is the most powerful method. this can defeat any platform and any version FlexLM in second. |
The Following User Says Thank You to swlepus For This Useful Post: | ||
Indigo (07-19-2019) |
#14
|
|||
|
|||
Search in the forum, "arlequim" has made a good patcher for vendors v10.5--11.9...
But in some cases doesn't work.. You need to find manually the flexlm ECC routine inside the vendor/exe/dll..... |
The Following User Says Thank You to nikkapedd For This Useful Post: | ||
Indigo (07-19-2019) |
#15
|
|||
|
|||
still ok£¬£¬
|
Thread Tools | |
Display Modes | |
|
|
Similar Threads | ||||
Thread | Thread Starter | Forum | Replies | Last Post |
Alternate Approach to FlexLM Brute-Force | Windoze | General Discussion | 9 | 10-21-2020 19:23 |
Anti tamper methods - .Net | msaly | General Discussion | 1 | 07-27-2020 05:27 |
Where are the Class methods? | 5Alive | General Discussion | 0 | 07-28-2005 03:22 |
Different Detection Methods | OHPen | General Discussion | 0 | 10-21-2003 10:11 |