Exetools  

Go Back   Exetools > General > General Discussion

Notices

Reply
 
Thread Tools Display Modes
  #16  
Old 03-19-2013, 02:59
nathan nathan is offline
Friend
 
Join Date: Jul 2009
Posts: 37
Rept. Given: 4
Rept. Rcvd 5 Times in 4 Posts
Thanks Given: 17
Thanks Rcvd at 26 Times in 17 Posts
nathan Reputation: 5
Quote:
Originally Posted by toro View Post
@nathan
the idea you mentioned is possible to work. actually i did it in another way but i got same result. i made a daemon which work ok. by finding correct infos and set in lm_code.h you can compile a daemon with different ecc seeds which work same as original daemon. it was for long time ago, but as i remember a special kind of license needed too. in this way even if program itself check ecc signature rather than daemon, verification still will return true.
Toro any update on this one ?
Reply With Quote
The Following User Says Thank You to nathan For This Useful Post:
Indigo (07-19-2019)
  #17  
Old 03-19-2013, 14:41
roli_bark
 
Posts: n/a
Hi Nathan,
This is what I bumped into, some recent (Jan 2013) comments on the specific method of creating your own daemon with your own ECC seed:

===

Hiya,

This is the approach I've been using for the last 5 years or so. I had planned to write a quick tutorial showing the method I'm using, but essentially it goes something like this.

1. Build a lmcrypt.exe for target vendor using your own LM_SEEDS.
2. Dig out the 3 public keys from generated lmcrypt. They are 0x10/0x16 & 0X1F bytes in length as I recall.
3. Replace public keys in target with those from your lmcrypt.
4. Licenses can now be generated.

This is an over-simplification of the process, the public keys are rebuilt byte by byte at run-time so digging out all of the bytes to patch is kind of boring, (I wrote a program to do it). There are some other pitfalls I've seen, some targets have multiple public keys, you can also patch only the public key length your actually interested in, so if the program uses short ECC keys then only the shortest key needs patching.

Best regards,

CrackZ.

===

Cheers,
roli
Reply With Quote
  #18  
Old 03-22-2013, 17:47
flexlm
 
Posts: n/a
Quote:
Originally Posted by roli_bark View Post
Hi Nathan,
This is what I bumped into, some recent (Jan 2013) comments on the specific method of creating your own daemon with your own ECC seed:

===

Hiya,

This is the approach I've been using for the last 5 years or so. I had planned to write a quick tutorial showing the method I'm using, but essentially it goes something like this.

1. Build a lmcrypt.exe for target vendor using your own LM_SEEDS.
2. Dig out the 3 public keys from generated lmcrypt. They are 0x10/0x16 & 0X1F bytes in length as I recall.
3. Replace public keys in target with those from your lmcrypt.
4. Licenses can now be generated.

This is an over-simplification of the process, the public keys are rebuilt byte by byte at run-time so digging out all of the bytes to patch is kind of boring, (I wrote a program to do it). There are some other pitfalls I've seen, some targets have multiple public keys, you can also patch only the public key length your actually interested in, so if the program uses short ECC keys then only the shortest key needs patching.

Best regards,

CrackZ.

===

Cheers,
roli
how to patch pubkey£¿
Reply With Quote
  #19  
Old 03-26-2013, 00:09
nathan nathan is offline
Friend
 
Join Date: Jul 2009
Posts: 37
Rept. Given: 4
Rept. Rcvd 5 Times in 4 Posts
Thanks Given: 17
Thanks Rcvd at 26 Times in 17 Posts
nathan Reputation: 5
Quote:
Originally Posted by roli_bark View Post
Hi Nathan,
This is what I bumped into, some recent (Jan 2013) comments on the specific method of creating your own daemon with your own ECC seed:

===

Hiya,

This is the approach I've been using for the last 5 years or so. I had planned to write a quick tutorial showing the method I'm using, but essentially it goes something like this.

1. Build a lmcrypt.exe for target vendor using your own LM_SEEDS.
2. Dig out the 3 public keys from generated lmcrypt. They are 0x10/0x16 & 0X1F bytes in length as I recall.
3. Replace public keys in target with those from your lmcrypt.
4. Licenses can now be generated.

This is an over-simplification of the process, the public keys are rebuilt byte by byte at run-time so digging out all of the bytes to patch is kind of boring, (I wrote a program to do it). There are some other pitfalls I've seen, some targets have multiple public keys, you can also patch only the public key length your actually interested in, so if the program uses short ECC keys then only the shortest key needs patching.

Best regards,

CrackZ.

===

Cheers,
roli
Hi roli,

a long time since we talked on old edaboard !!! Yes that is exactly the method I was mentioning.
It has a significant advatange on the ECC pacth since the pubkey is unique for each daemon and can be easily found in the binary.

Any chance you can send me the link to the discussion or involve me into that one ?

Thnx,

nathan
Reply With Quote
The Following User Says Thank You to nathan For This Useful Post:
Indigo (07-19-2019)
  #20  
Old 03-26-2013, 00:40
nathan nathan is offline
Friend
 
Join Date: Jul 2009
Posts: 37
Rept. Given: 4
Rept. Rcvd 5 Times in 4 Posts
Thanks Given: 17
Thanks Rcvd at 26 Times in 17 Posts
nathan Reputation: 5
Nevermind ... found it ...
Reply With Quote
The Following User Says Thank You to nathan For This Useful Post:
Indigo (07-19-2019)
  #21  
Old 03-26-2013, 21:49
FoxB FoxB is offline
VIP
 
Join Date: Jan 2002
Location: Earth...
Posts: 975
Rept. Given: 15
Rept. Rcvd 125 Times in 83 Posts
Thanks Given: 23
Thanks Rcvd at 714 Times in 298 Posts
FoxB Reputation: 100-199 FoxB Reputation: 100-199
but gulson kill superprivate forum
Reply With Quote
The Following User Says Thank You to FoxB For This Useful Post:
Indigo (07-19-2019)
  #22  
Old 03-28-2013, 01:23
nathan nathan is offline
Friend
 
Join Date: Jul 2009
Posts: 37
Rept. Given: 4
Rept. Rcvd 5 Times in 4 Posts
Thanks Given: 17
Thanks Rcvd at 26 Times in 17 Posts
nathan Reputation: 5
Yep ... unfortunaltely people not able to keep privacy ;-)
Reply With Quote
The Following User Says Thank You to nathan For This Useful Post:
Indigo (07-19-2019)
  #23  
Old 03-30-2013, 16:51
rcer rcer is offline
Friend
 
Join Date: Dec 2008
Posts: 163
Rept. Given: 5
Rept. Rcvd 9 Times in 8 Posts
Thanks Given: 4
Thanks Rcvd at 24 Times in 20 Posts
rcer Reputation: 9
Hi nathan,

could you please send me the link to the discussion as well.

rgds

rcer
Reply With Quote
The Following User Says Thank You to rcer For This Useful Post:
Indigo (07-19-2019)
  #24  
Old 04-11-2013, 13:46
iconstart iconstart is offline
Friend
 
Join Date: Mar 2013
Posts: 21
Rept. Given: 0
Rept. Rcvd 1 Time in 1 Post
Thanks Given: 10
Thanks Rcvd at 10 Times in 9 Posts
iconstart Reputation: 1
Quote:
Originally Posted by arlequim View Post
Try this little toy by Mammoth/ZWT

MIME-Version: 1.0
Content-Type: application/octet-stream; name="patch.exe"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="patch.exe"

TVqAAAEAAAAEABAA//8AAEABAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAgAAAAA4fug4AtAnNIbgBTM0hdGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1v
ZGUuDQokAAAAAAAAAABQRQAATAECAGrUIEAAAAAAAAAAAOAAj4ELAQEyAAAAAAAAAAAAAAAAgCAA
AAAAAAAAAAAAAABAAAAQAAAAAgAAAQAAAAAAAAAEAAAAAAAAAABQAAAAAgAAVR4AAAIAAAAAEAAA
ABAAAAAAAQAAAAAAAAAAABAAAAAAAAAAAAAAAAAgAABkFQAAABAAAJwDAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAC5yc3JjAAAAnAMAAAAQAAAABAAAAAIA
AAAAAAAAAAAAAAAAAEAAAEAuZmxhdAAAAAAwAAAAIAAAAAwAAAAGAAAAAAAAAAAAAAAAAABgAADg
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAIAAwAAACAAAIAOAAAAUAAAgAAAAAAAAAAAAAAAAAAAAQABAAAAOAAAgAAA
AAAAAAAAAAAAAAAAAQAAAAAAgAAAAAAAAAAAAAAAAAAAAAAAAQAAAQAAaAAAgAAAAAAAAAAAAAAA
AAAAAQAAAAAAeAMAAJAQAADoAgAAAAAAAAAAAAAoAAAAIAAAAEAAAAABAAQAAAAAAIACAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAgAAAgAAAAICAAIAAAACAAIAAgIAAAICAgADAwMAAAAD/AAD/AAAA
//8A/wAAAP8A/wD//wAA////AAAAAAAAAAAAAAAAAAAAAAAAAAAAMAAAAAAAAAMAAAAAAAAAA7MA
AAAAAAA7MAAAAAAAADs7MAAAAAADs7MAAAAAAAOzs7MAAAAAOzs7MAAAAAA7Ozs7MAAAA7Ozs7MA
AAADs7Ozs7MAADs7Ozs7MAAAOzs7Ozs7MAOzs7Ozs7MAA/Ozs7Ozs7MzOzs7Ozs7MAA/Ozs7Ozsz
szOzs7OzswAAA/Ozs7OzOzszOzs7OzAAAAA/Ozs7M7OzszOzs7MAAAAAA/Ozszs7OzszOzswAAAA
AAA/OzOzs7OzszOzAAAAAAAAA/M7Ozs7OzszMAAAAAAAAAAzs7Ozs7OzswAAAAAAAAAAPzs7Ozs7
OzMAAAAAAAAAA7Pzs7Ozs7M7MAAAAAAAADs7Pzs7Ozszs7MAAAAAAAOzs7Pzs7OzOzs7MAAAAAA7
Ozs7Pzs7M7Ozs7MAAAADs7Ozs7Pzszs7Ozs7MAAAOzs7Ozs7PzOzs7Ozs7MAA/Ozs7Ozs7M/Ozs7
Ozs7MAA/Ozs7OzswA/Ozs7OzswAAA/Ozs7OzAAA/Ozs7OzAAAAA/Ozs7MAAAA/Ozs7MAAAAAA/Oz
swAAAAA/OzswAAAAAAA/OzAAAAAAA/OzAAAAAAAAA/MAAAAAAAA/MAAAAAAAAAAwAAAAAAAAAwAA
AAAAAAAAAAAAAAAAAAAAAAAA/3/+//4//H/8H/g/+A/wH/AH4A/gA8AHwAGAA4AAAAEAAAAAgAAA
AcAAAAPgAAAH8AAAD/gAAB/8AAA//gAAf/4AAH/8AAA/+AAAH/AAAA/gAAAHwAAAA4AAAAEAAAAA
gAAAAcABgAPgA8AH8AfgD/gP8B/8H/g//j/8f/9//v+IEwAAFAAAAAAAAAAAAAAAAAABAAEAICAQ
AAAAAADoAgAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAKCAAADUgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGtlcm5lbDMyLmRsbABFIAAAVCAA
AGUgAAAAAAAAAABMb2FkTGlicmFyeUEAAABHZXRQcm9jQWRkcmVzcwAAAEV4aXRQcm9jZXNzAAAA
AAAAAAAAAAAAAABSMcDo/////8deg+4PBaAAAABZ6QEAAADA/CnRjTwGAchoDyFAAKmph84oD4TW
AAAAPSwcjD93GDVYadEID4RiAQAAMwdHuwAgAACD6QV01k+hpyBAAIsVsiBAAKOyIEAAAdADBbkg
QACJFbkgQADoEgAAAPfxiRWnIEAA6QEAAABpMRcZz1334+n/////5ei8////6Lf///9RVFp+v7r/
7qdKlSelSYqdCBDx9NiFl7dvAKtjmtOa+dsFsBC56l6UaeRZAsfkPh8apTXx1/CrmN5T+QBDwvhX
FBgFwJCRGORhGOrjue/e+WqgnwYJo5KceP99mhQQp39w0naCZx6YstFNtTlX7D3Y/ml++HCpVO/G
2fKCU8oAtBNwkxUdFI3YvJ2BvMiuhyuF0EFVEm9Gre9bbaruSQu2ctDVIM2Zo7FrPaowbx72KtyO
mw6p40mjIBR8Q7eTGrqhquaYGI61G2Le/StHXtWmy78NHvGdTyGk3FnXZV21VvJ8URbgpCxmEwLm
LCyNaKv8TLZ/DdiTKk15AhUZ6z59Sh7zYxp9ssomedAhejCMimAfzelpfqaCKbgOf1Qnun183W1C
0ZCDozT4bVYQdWyLjVqD4bO4dqgZqo5nHUrA31MBV0G7hwAT15CG2tEap8q0waVVHg3UfvPaOi7x
lqnvMrqyCpt+ydXEAL8rzgFXjuaWSV0aYFfoZDx9NKVeOo3ZE2UZZAsIrrSm/0w8sfDUgA80tbLA
3EGCfHLPDYlQw3AZZXi8UesNOHSmuyMOM42auD4HVH8ODucJwifq2AKLNfDO8KHgo23eObGaWxeO
QH70tRvV7Ojeg5YIwTodWajPxhKETaosBlfQ3g2WijkipGkzvh3KmfZ1wdJjb80GFVb2Q91n1EeG
rixdem39gtJxSgiv2rQYdELqs/9fQOr3Trb9FmQK7KusJ7stIvup+rgHQmPMouWL+PeSl1rynyZ8
NbyoCrIrwJjrn+927Jy7hCE4IgtDrkuD3jbDI9MFDHHgDdUTzJQOqFzqrL86D3n3agtpJQObThLd
da3fNFWjWKo50PvuSRDR9WfjcRNWhjE/pQiSZWAF5HFffu77Be2Gpn8i7nx24QkrgIiwT6rMulsz
bIlxaEuI7tAU6gbHdzs1lWfo3b3VRgk5emh5wmGQCVLDgZlq0t2HLznmgPpijS5fVgabD6EI6t0a
ovvesG1rPx7+sVpeXqqV1CTkFOo0PyJaDbADl3FXr93zGbzsszgsJpGbN3Vucn9QoWB3udFThOSs
kjAxHUxcgM4Ua5gvefZsRb5vUrBl4mRvhO1lajiF1sdIlgZcPjxe1E3heJplcc8iXeG8or/QXDjE
rcXN6wWDkFyymKci+JL8ZSHszLZFbpq5UN4MwbDHkaw5GyiElMU2x47T9zhARSWEFTCHTUPypCzx
t6J2sxT36iGUta5BKACGr+ZckfLmYtsoMkiiOv2wxmdBFRsRhxSlRShdgZLcNAIVEZ/+h464Hbn/
QwvssiRizMuzjMEwTTa6sXHcVt6BwzpP9omp0JTXM3EZZJoyThJlxfedrxENvwAB18qf+f4wjRcW
Hf+1YpeCIV16LkSDG8dy6W9MSOuOs07+MOEIPHpyyTTpKHoIQDc2iinx1xHlxXQrA1wcFlFa56ub
vpaftrkHDHIeFzYsTfnpER0Ao1MOAYfeCd2ePxhuDM0sS/jzCvuWBYfeOBxaLaiIK2jn+8NavkIV
S36VJawSrPIK7umEf5K+rDQimC7LAhoBdmuCyO3R2nBgVGh1S47GJs6iGnccNUShqr6Nd1T3DR9D
NHCo3pVCB+qyDHrskZBKJUeGl56oYBX0j+L8YcfmXiCY8yfsttNdk7M7EbkOUpEgcOoYA/BvB4cT
JBQRLC5ZxzZGAfL6l1ymdDwl1LctAzgUJyj4YPus8wgOPIbgkVclwpD5xzOOoGfK3GXVEtQAgCMt
NoeZ3iEgTRGc4SZIO7j7mYmOZ9gkrvPIAhdOiQMbljJMAopUURB9vdxL0+m1IoR6KV/OyVgBBBas
J1S4Uz4gGUsmV/BJW86IIKkl+5EaVMdpBRnhXS44l2LLPKpdk6H+qjTwjL04GU+2ee6xQH8+MujP
2tiAx38358LDVzO0SWz5H93JAmQ68vetWyIbhcOPxQFb58CQnsi6k+iZeATfl/17vHurv5NQ93g7
0NfXJ+xuhaeImIrL5MoksXzOex9NA8/e+Lc/ph2NOLN+TkAXdR8LDwsx17WYhgaCj+ZsvR/f/BXV
0yMp9raKcPyRo78sYfRm/bR0YgK/TDFtz/bpQgHHuykpFRdgeM8in8kQBok3d97BrjgDAF2D8olq
sT14xh68lGi6DBQxStDoRg31OH0Ob+Y2yfv1UHyh4DPbKMtK3YxUGfWuC6jP8L6pXoo9+w3tossx
sP67/1+xDNKNdf9JjGNfkWi2cm2CYgd+uNDXiiU3KGB6SSK863+JJTn/f4x6zYCKdn4k9vhtwpiQ
oAdAhP3GIlHKcBe2svb+WJyzYhE6rLogvjPmohWSJz0CeWHxXTEEyrPIvc1U5Kt1VksodOXhN/jc
7O1hk1Em7I3QYbXHeQqeeujivkdERy3D/0rRbFauw3kPVD7td0rG0oEBNZfcNrmYqgWOdfh/MXn1
TgMXEIn0cYIDSQ+HnwttW4l49iiznqgS7VG2NYPzFjrTZEnX1ZLWkUS0aHbMCHwicyZ7moDJePEW
cY+JLBGPhgY7XsLECyrZ9MJ+BfZ6Js7itIIplP35aVgDQpZ8sKnE+4AJgjNIc2MJlb9GoOaeUInx
WOqdJL1uDUrzMrfc/ay8bF9IvFW6L+kNZQvO+3zEiVZmUFMG1ywn3xQD9/v19p+tlJKahMEjv1Up
nb7gK3CbK67zSNRUGhxj+CHIV7zJr0auc4VGxEAFT+graCFNFCMFIbnZDkauVQh55L5RvUJVTDcA
YuYEXs1dLnYBL0z+PzXvBi3I7HsH7Zm8gG6FTa7+l5fSg3WF43Ea9N5JKKD6Au2+LchmAB/cN97o
aclWwvsAH3FOELRAD5+pNtylAOLnsd5VlLLUuIoynINrhDkcnkKKzj+of/bWA8p1xqaMNtMJbN+Y
C9tiJ12ojQSKz1R/dhdoOydQrTGMXRuAAVloGvXjmzvMeAJldLtlvY10k512jloALuVVHDF9hRtH
CupY5NwAI/dZdqLoRyJSU7EZ2y4e8kytB9D2vpZyIHHyFCspKjZx4SA1yXNLFnYUMsZc61RIoUFi
qtruRTqGlt/Ywf0YmFJpPN/xwUw9vWv0ngi6aD3ehH3rUEkl7XsuEPPY1UCVEsPVqa8VZ+rfjlsH
zoxbixkLIKAD1jM9Wm6YkbPmpSih0VlHPZoucZZ0h9BDW/PdiRnb69f2BqFiHBfgumKKO2+VajR9
mlizOgEELHmv0fVDpMG53hRwsHij1pHrieagEAQkzDcPjvq3uxAX7PVzS28h9l5xtBtwYUzRcs5l
3T29wh7Yd598KN8VFruUdTSgf+fQ44XfYQYQXLVV0Co6pSk1LotIC0cPJ1ZX2UrsTWg5bLTLPuWR
uVFSfgP6V+Tdx+4ZPWaD0fbBap1ZqykLvbjmlSLkGUlrYWnOUsdKKugPh1dX84BNECvu5pfh/N7A
dpTUpK9n2cLYX6Iv1AbZIMAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Hi where is the toy
Reply With Quote
The Following User Says Thank You to iconstart For This Useful Post:
Indigo (07-19-2019)
  #25  
Old 05-06-2013, 18:39
glucose
 
Posts: n/a
Quote:
Originally Posted by iconstart View Post
Hi where is the toy
Hello, I can only see base64 code.
Reply With Quote
  #26  
Old 05-09-2013, 14:31
WRP WRP is offline
Family
 
Join Date: Nov 2010
Posts: 186
Rept. Given: 34
Rept. Rcvd 52 Times in 33 Posts
Thanks Given: 220
Thanks Rcvd at 231 Times in 105 Posts
WRP Reputation: 52
2 glucose :

Simply convert base64 code to binary )
h**p://www.motobit.com/util/base64-decoder-encoder.asp
Reply With Quote
The Following User Says Thank You to WRP For This Useful Post:
Indigo (07-19-2019)
  #27  
Old 05-10-2013, 20:40
nathan nathan is offline
Friend
 
Join Date: Jul 2009
Posts: 37
Rept. Given: 4
Rept. Rcvd 5 Times in 4 Posts
Thanks Given: 17
Thanks Rcvd at 26 Times in 17 Posts
nathan Reputation: 5
Smile

In the perspective of digging deeper into the pubkey patch approach I would like to share few very useful information for those that intend to spend time on it.

Find attached the Generic pubkey replacer made by Tanker (win + linux). I tested the Win version on a couple of targets (v11.10 and v11.9.1) and it identifies the pubkey correctly (I double checked in the vendorcode struct in memory), however, I didn't manage to produce a working license, yet (work in progress as I may be missing something crucial in the generation).

Also I would like to recommend the follwing discussion which is quite informative IMHO:
http://bbs.pediy.com/showthread.php?t=152615

What am missing: reverse the obsucation algorithm used to store the pubkey in the client binary (any help is appreciated: CrackZ may be have something to say about ) (note: not the one the scramble it in memory).

Anyone who would like to join the challenge is more than welcome of course. Feel free to test the Pubkey Replacer and feed back with success/unsuccess stories.

Enjoy !

nathan
Attached Files
File Type: rar PubKeyReplacer_latest.rar (1.43 MB, 293 views)
File Type: rar PUBKeyReplacerLinux.rar (191.2 KB, 140 views)
Reply With Quote
The Following 2 Users Gave Reputation+1 to nathan For This Useful Post:
WRP (05-16-2013), zeuscane (05-11-2013)
The Following 2 Users Say Thank You to nathan For This Useful Post:
Indigo (07-19-2019), synkro (06-29-2016)
  #28  
Old 05-11-2013, 01:49
nikkapedd nikkapedd is offline
VIP
 
Join Date: Mar 2011
Location: ::Bratva::
Posts: 276
Rept. Given: 275
Rept. Rcvd 151 Times in 65 Posts
Thanks Given: 205
Thanks Rcvd at 276 Times in 112 Posts
nikkapedd Reputation: 100-199 nikkapedd Reputation: 100-199
nathan i tried the tool, but you need also to change the pub key in the crypter, otherwise the new license will be always useless...
Unfortunately the tool does not recognize the pubkey in the crypter.....
Now i see the version is v1.70...
Have you tried to patch the ecc inside the crypter...????
anyway thanks for the new version....
Reply With Quote
The Following User Says Thank You to nikkapedd For This Useful Post:
Indigo (07-19-2019)
  #29  
Old 05-11-2013, 03:13
nathan nathan is offline
Friend
 
Join Date: Jul 2009
Posts: 37
Rept. Given: 4
Rept. Rcvd 5 Times in 4 Posts
Thanks Given: 17
Thanks Rcvd at 26 Times in 17 Posts
nathan Reputation: 5
Quote:
Originally Posted by nikkapedd View Post
nathan i tried the tool, but you need also to change the pub key in the crypter, otherwise the new license will be always useless...
Unfortunately the tool does not recognize the pubkey in the crypter.....
Now i see the version is v1.70...
Have you tried to patch the ecc inside the crypter...????
anyway thanks for the new version....
Well, I'm not that junior in Flexlm ;-). I changed the pubkey in the crypter of course and to be honest I haven't tried to patch the crypter (with a different originating pubkey) but I'll try to do that next ... BTW: lmseeds1=0x1111111 lmseed2=22222222 lmseed3=33333333

Last edited by nathan; 05-11-2013 at 03:22.
Reply With Quote
The Following User Gave Reputation+1 to nathan For This Useful Post:
nikkapedd (05-12-2013)
The Following User Says Thank You to nathan For This Useful Post:
Indigo (07-19-2019)
  #30  
Old 05-21-2013, 03:27
arlequim's Avatar
arlequim arlequim is offline
IBMSecuritySystemsXForce
 
Join Date: Feb 2009
Location: Punta Entinas-Sabinar, ALMERIMAR
Posts: 293
Rept. Given: 51
Rept. Rcvd 317 Times in 104 Posts
Thanks Given: 45
Thanks Rcvd at 190 Times in 62 Posts
arlequim Reputation: 300-399 arlequim Reputation: 300-399 arlequim Reputation: 300-399 arlequim Reputation: 300-399
Why do you all still spend so much time trying to patch this silly Elliptic Curve ?!?!? The best alternate, fastest and working method is to patch the return compare of pubkey verify, isn't it? Here is the solution applied on some well-known flexlm library.

ORIGINAL CODE

.textidx:1015779B loc_1015779B: ; CODE XREF: sub_10157010+73Aj
.textidx:1015779B ; sub_10157010+76Aj
.textidx:1015779B lea ecx, [ebp+var_4]
.textidx:1015779E push ecx
.textidx:1015779F lea edx, [ebp+var_D8]
.textidx:101577A5 push edx
.textidx:101577A6 lea eax, [ebp+Dst]
.textidx:101577A9 push eax
.textidx:101577AA mov ecx, [ebp+Memory]
.textidx:101577B0 add ecx, 44h
.textidx:101577B3 push ecx
.textidx:101577B4 mov edx, [ebp+Memory]
.textidx:101577BA mov eax, [edx+4]
.textidx:101577BD push eax
.textidx:101577BE call sub_100B28B0
.textidx:101577C3 add esp, 14h
.textidx:101577C6 mov [ebp+var_20], eax
.textidx:101577C9 cmp [ebp+var_20], 0
.textidx:101577CD jz short loc_101577EB
.textidx:101577CF ; ---------------------------------------------------------------------------
.textidx:101577CF mov ecx, [ebp+var_20]
.textidx:101577D2 push ecx
.textidx:101577D3 push 2930h
.textidx:101577D8 mov edx, [ebp+arg_0]
.textidx:101577DB push edx
.textidx:101577DC call sub_10129060
.textidx:101577E1 add esp, 0Ch
.textidx:101577E4 mov eax, 0FFFFFF8Dh
.textidx:101577E9 jmp short loc_10157853
.textidx:101577EB ; ---------------------------------------------------------------------------
.textidx:101577EB
.textidx:101577EB loc_101577EB: ; CODE XREF: sub_10157010+7BDj
.textidx:101577EB cmp [ebp+var_4], 0
.textidx:101577EF jnz short loc_10157850

PATCHED CODE

.textidx:1015779B loc_1015779B: ; CODE XREF: sub_10157010+73Aj
.textidx:1015779B ; sub_10157010+76Aj
.textidx:1015779B lea ecx, [ebp+var_4]
.textidx:1015779E push ecx
.textidx:1015779F lea edx, [ebp+var_D8]
.textidx:101577A5 push edx
.textidx:101577A6 lea eax, [ebp+Dst]
.textidx:101577A9 push eax
.textidx:101577AA mov ecx, [ebp+Memory]
.textidx:101577B0 add ecx, 44h
.textidx:101577B3 push ecx
.textidx:101577B4 mov edx, [ebp+Memory]
.textidx:101577BA mov eax, [edx+4]
.textidx:101577BD push eax
.textidx:101577BE call sub_100B28B0
.textidx:101577C3 add esp, 14h
.textidx:101577C6 mov [ebp+var_20], eax
.textidx:101577C9 cmp [ebp+var_20], 0
.textidx:101577CD jmp short loc_101577EB
.textidx:101577CF ; ---------------------------------------------------------------------------
.textidx:101577CF mov ecx, [ebp+var_20]
.textidx:101577D2 push ecx
.textidx:101577D3 push 2930h
.textidx:101577D8 mov edx, [ebp+arg_0]
.textidx:101577DB push edx
.textidx:101577DC call sub_10129060
.textidx:101577E1 add esp, 0Ch
.textidx:101577E4 mov eax, 0FFFFFF8Dh
.textidx:101577E9 jmp short loc_10157853
.textidx:101577EB ; ---------------------------------------------------------------------------
.textidx:101577EB
.textidx:101577EB loc_101577EB: ; CODE XREF: sub_10157010+7BDj
.textidx:101577EB cmp [ebp+var_4], 0
.textidx:101577EF jmp short loc_10157850


After all, you can't achieve the impossible without attempting the absurd
__________________
<<< The L10n won't give up >>>

Last edited by arlequim; 05-21-2013 at 03:37.
Reply With Quote
The Following 3 Users Say Thank You to arlequim For This Useful Post:
Indigo (07-19-2019), synkro (05-07-2015), tonyweb (04-17-2017)
Reply

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
Alternate Approach to FlexLM Brute-Force Windoze General Discussion 9 10-21-2020 19:23
Anti tamper methods - .Net msaly General Discussion 1 07-27-2020 05:27
Where are the Class methods? 5Alive General Discussion 0 07-28-2005 03:22
Different Detection Methods OHPen General Discussion 0 10-21-2003 10:11


All times are GMT +8. The time now is 06:25.


Always Your Best Friend: Aaron, JMI, ahmadmansoor, ZeNiX, chessgod101
( 1998 - 2024 )