#11
Arlequim,
I agree the patching way is the easiest path as long as you can identify the pubkey_verify function. However, as far as I know in the very latest SDK (v11.10) the .map file for the libraries is not included anymore and the obfuscated names are not easily reversible (*). In fact I haven't seen any working "automated" patcher for version 11.10. On the other hand the pubkey substitution is practically SDK independent. The obfuscated pubkey is easily fetched and de-obfuscated by debugging the binary. The hard task is to re-build the pubkey from the binary as it is saved together with a lot of random garbage.

(*) The name randomization function is as follows:

    #include <stdlib.h>   /* malloc, rand */
    #include <string.h>   /* strlen */

    static void randomize(L_STRIP_OPTIONS * options,NAMELIST *np)
    {
        int i;
        int len;
        static char *letters = "abcdefghijklmnopqrstuvwxyz";
        static char *letters_num = "0123456789abcdefghijklmnopqrstuvwxyz_ABCDEFGHIJKLMNOPQRSTUVWXYZ";
        static char *emptyString = "";

        if ( np == NULL )
            return ;

        if (options->zeros)
        {
            /* "zeros" option: every name without a replacement gets an empty string */
            for (i=0 ; np[i].name != NULL ; i++)
                if ( np[i].randname == NULL )
                    np[i].randname = emptyString;
        }
        else
        {
            for (i=0 ; np[i].name != NULL ; i++)
            {
                if ( np[i].randname == NULL && strlen(np[i].name) > 0)
                {
                    int x;
                    len = strlen(np[i].name);
                    /* replacement has the same length as the original name */
                    np[i].randname = (char *)malloc(len + 1);
                    /* first character is always a lowercase letter */
                    np[i].randname[0] = letters[rand()%26];
                    /* remaining characters come from the 63-character set */
                    for (x = 1; x < len; x++)
                        np[i].randname[x] = letters_num[rand()%63];
                    np[i].randname[len] = '\0'; /* null terminate */
                }
            }
        }
    }