#17
Hi Nathan,
This is what I bumped into, some recent (Jan 2013) comments on the specific method of creating your own daemon with your own ECC seed:
===
Hiya,
This is the approach I've been using for the last 5 years or so. I had planned to write a quick tutorial showing the method I'm using, but essentially it goes something like this.
1. Build a lmcrypt.exe for target vendor using your own LM_SEEDS.
2. Dig out the 3 public keys from generated lmcrypt. They are 0x10/0x16 & 0x1F bytes in length as I recall.
3. Replace public keys in target with those from your lmcrypt.
4. Licenses can now be generated.
This is an over-simplification of the process; the public keys are rebuilt byte by byte at run-time, so digging out all of the bytes to patch is kind of boring (I wrote a program to do it). There are some other pitfalls I've seen: some targets have multiple public keys. You can also patch only the public key length you're actually interested in, so if the program uses short ECC keys then only the shortest key needs patching.
Best regards,
CrackZ.
===
Cheers,
roli
#19
A long time since we talked on old edaboard!!! Yes, that is exactly the method I was mentioning. It has a significant advantage over the ECC patch since the pubkey is unique for each daemon and can be easily found in the binary. Any chance you can send me the link to the discussion or involve me in that one?
Thnx,
nathan
#23
Hi nathan,
Could you please send me the link to the discussion as well.
rgds
rcer
#26
2 glucose:
Simply convert base64 code to binary ) h**p://www.motobit.com/util/base64-decoder-encoder.asp
#27
With a view to digging deeper into the pubkey patch approach, I would like to share a few very useful pieces of information for those that intend to spend time on it.
Find attached the Generic pubkey replacer made by Tanker (win + linux). I tested the Win version on a couple of targets (v11.10 and v11.9.1) and it identifies the pubkey correctly (I double checked in the vendorcode struct in memory); however, I didn't manage to produce a working license yet (work in progress, as I may be missing something crucial in the generation).
Also I would like to recommend the following discussion, which is quite informative IMHO: http://bbs.pediy.com/showthread.php?t=152615
What I am missing: reversing the obfuscation algorithm used to store the pubkey in the client binary (any help is appreciated: CrackZ may have something to say about it) (note: not the one that scrambles it in memory).
Anyone who would like to join the challenge is more than welcome of course. Feel free to test the Pubkey Replacer and feed back with success/unsuccess stories.
Enjoy!
nathan
#28
nathan, I tried the tool, but you also need to change the pub key in the crypter, otherwise the new license will always be useless...
Unfortunately the tool does not recognize the pubkey in the crypter... Now I see the version is v1.70... Have you tried to patch the ECC inside the crypter? Anyway, thanks for the new version.
#30
Why do you all still spend so much time trying to patch this silly Elliptic Curve?!?!? The best alternative, fastest and working method is to patch the return compare of pubkey verify, isn't it? Here is the solution applied on some well-known flexlm library.
ORIGINAL CODE

.textidx:1015779B loc_1015779B: ; CODE XREF: sub_10157010+73Aj
.textidx:1015779B ; sub_10157010+76Aj
.textidx:1015779B lea ecx, [ebp+var_4]
.textidx:1015779E push ecx
.textidx:1015779F lea edx, [ebp+var_D8]
.textidx:101577A5 push edx
.textidx:101577A6 lea eax, [ebp+Dst]
.textidx:101577A9 push eax
.textidx:101577AA mov ecx, [ebp+Memory]
.textidx:101577B0 add ecx, 44h
.textidx:101577B3 push ecx
.textidx:101577B4 mov edx, [ebp+Memory]
.textidx:101577BA mov eax, [edx+4]
.textidx:101577BD push eax
.textidx:101577BE call sub_100B28B0
.textidx:101577C3 add esp, 14h
.textidx:101577C6 mov [ebp+var_20], eax
.textidx:101577C9 cmp [ebp+var_20], 0
.textidx:101577CD jz short loc_101577EB
.textidx:101577CF ; ---------------------------------------------------------------------------
.textidx:101577CF mov ecx, [ebp+var_20]
.textidx:101577D2 push ecx
.textidx:101577D3 push 2930h
.textidx:101577D8 mov edx, [ebp+arg_0]
.textidx:101577DB push edx
.textidx:101577DC call sub_10129060
.textidx:101577E1 add esp, 0Ch
.textidx:101577E4 mov eax, 0FFFFFF8Dh
.textidx:101577E9 jmp short loc_10157853
.textidx:101577EB ; ---------------------------------------------------------------------------
.textidx:101577EB
.textidx:101577EB loc_101577EB: ; CODE XREF: sub_10157010+7BDj
.textidx:101577EB cmp [ebp+var_4], 0
.textidx:101577EF jnz short loc_10157850

PATCHED CODE

.textidx:1015779B loc_1015779B: ; CODE XREF: sub_10157010+73Aj
.textidx:1015779B ; sub_10157010+76Aj
.textidx:1015779B lea ecx, [ebp+var_4]
.textidx:1015779E push ecx
.textidx:1015779F lea edx, [ebp+var_D8]
.textidx:101577A5 push edx
.textidx:101577A6 lea eax, [ebp+Dst]
.textidx:101577A9 push eax
.textidx:101577AA mov ecx, [ebp+Memory]
.textidx:101577B0 add ecx, 44h
.textidx:101577B3 push ecx
.textidx:101577B4 mov edx, [ebp+Memory]
.textidx:101577BA mov eax, [edx+4]
.textidx:101577BD push eax
.textidx:101577BE call sub_100B28B0
.textidx:101577C3 add esp, 14h
.textidx:101577C6 mov [ebp+var_20], eax
.textidx:101577C9 cmp [ebp+var_20], 0
.textidx:101577CD jmp short loc_101577EB
.textidx:101577CF ; ---------------------------------------------------------------------------
.textidx:101577CF mov ecx, [ebp+var_20]
.textidx:101577D2 push ecx
.textidx:101577D3 push 2930h
.textidx:101577D8 mov edx, [ebp+arg_0]
.textidx:101577DB push edx
.textidx:101577DC call sub_10129060
.textidx:101577E1 add esp, 0Ch
.textidx:101577E4 mov eax, 0FFFFFF8Dh
.textidx:101577E9 jmp short loc_10157853
.textidx:101577EB ; ---------------------------------------------------------------------------
.textidx:101577EB
.textidx:101577EB loc_101577EB: ; CODE XREF: sub_10157010+7BDj
.textidx:101577EB cmp [ebp+var_4], 0
.textidx:101577EF jmp short loc_10157850

After all, you can't achieve the impossible without attempting the absurd.