Exetools  

#31  05-21-2013, 04:12  nathan (Friend, Join Date: Jul 2009, Posts: 37)
Arlequim,

I agree the patching way is the easiest path as long as you can identify the pubkey_verify function. However, as far as I know, in the very latest SDK (v11.10) the .map file for the libraries is not included anymore and the obfuscated names are not easily reversible (*). In fact I haven't seen any working "automated" patcher for version 11.10. On the other hand, the pubkey substitution is practically SDK-independent. The obfuscated pubkey is easily fetched and de-obfuscated by debugging the binary. The hard task is to re-build the pubkey from the binary, as it is saved together with a lot of random garbage.

(*) The name randomization function is as follows:

/* Name-randomization routine from lstrip, as posted. The two struct
   definitions and the #includes are minimal additions so the snippet
   compiles stand-alone; the real lstrip headers are not on this page
   and may define more fields than the ones used here. */
#include <stdlib.h>
#include <string.h>

typedef struct {
    int zeros;          /* -zeros mode: blank the names instead of renaming them */
} L_STRIP_OPTIONS;

typedef struct {
    char *name;         /* original symbol name; a NULL name terminates the list */
    char *randname;     /* replacement name, filled in by randomize() */
} NAMELIST;

static void randomize(L_STRIP_OPTIONS *options, NAMELIST *np)
{
    int i;
    int len;
    static char *letters     = "abcdefghijklmnopqrstuvwxyz";                 /* 26 chars */
    static char *letters_num = "0123456789abcdefghijklmnopqrstuvwxyz_"
                               "ABCDEFGHIJKLMNOPQRSTUVWXYZ";                 /* 63 chars */
    static char *emptyString = "";

    if (np == NULL)
        return;

    if (options->zeros) {
        /* every entry that has no replacement yet gets the empty string */
        for (i = 0; np[i].name != NULL; i++)
            if (np[i].randname == NULL)
                np[i].randname = emptyString;
    } else {
        for (i = 0; np[i].name != NULL; i++) {
            if (np[i].randname == NULL && strlen(np[i].name) > 0) {
                int x;

                /* the replacement keeps the original length: the first
                   character is a lowercase letter (a valid identifier start),
                   the rest are drawn from the 63-character [0-9a-z_A-Z] set;
                   rand() is never seeded here */
                len = strlen(np[i].name);
                np[i].randname = (char *)malloc(len + 1);
                np[i].randname[0] = letters[rand() % 26];
                for (x = 1; x < len; x++)
                    np[i].randname[x] = letters_num[rand() % 63];
                np[i].randname[len] = '\0'; /* null terminate */
            }
        }
    }
}
#32  05-21-2013, 15:15  arlequim (IBMSecuritySystemsXForce, Join Date: Feb 2009, Location: Punta Entinas-Sabinar, ALMERIMAR, Posts: 292)
Hi. If you are familiar with FLEXlm, you don't need to know the names via the .map file; you should be able to "explore" the binary by recognizing several flow charts, at least this is my personal approach. Mangled names (= exported functions) are nothing serious. I didn't update my generic patcher, as today ECC is apparently checked out, but the real challenge is TS and activation, although I have figured out there are several weaknesses inside the binary code, but they are not so easy to find. Anyway, my previous example was taken from @(#) FLEXnet Licensing v11.10.1.0 build 99220 i86_n3 (lmgr.lib), Copyright (c) 1988-2012 Flexera Software LLC. All Rights Reserved. So nothing has changed, and everything is possible.
__________________
<<< The L10n won't give up >>>

Last edited by arlequim; 05-21-2013 at 15:24.
#33  05-22-2013, 00:13  nathan (Friend, Join Date: Jul 2009, Posts: 37)
I haven't worked on FLEXlm reversing for a while indeed; however, if I recall properly (correct me if I'm mistaken), activation is an option which is rarely used and uses streams to store the information.
I'm not sure I fully understand TS. I'll be more than willing to collaborate if you think I could be of any help.
#34  05-22-2013, 02:01  toro (VIP, Join Date: Aug 2004, Posts: 189)
To find the verification function, simply search for push21b.
TS and activation are very weak: just 2 patches and you can add any license you want to the license manager.
For changing the pubkey, the best way is API hooking. Every target compiled with VS 2005 or higher with a shared library can be hooked to change the pubkey.
#35  05-22-2013, 03:18  arlequim (IBMSecuritySystemsXForce, Join Date: Feb 2009, Posts: 292)
Sometimes TS is badly implemented through the hook that talks to the main app; I mean some developers left the front door open. S0lidw0rks by DSS is already a relevant example.
Last time I mentioned some weak points. Well, the weakest point of libFNP ASR-based activation is the Trusted Storage itself. There is an assumption that if something is put into TS, it becomes trusted. So, if you inject a tampered ASR into TS via the cracked libFNP library, the original library will treat it as legal.
It is also possible to inject a tampered ASR without any memory or static patches; all that you need is to kill some exceptions with VEH during the ASR processing call.
Then you have to write your own routine to obtain the context of the trusted storage and make a call to _flxActAddSpecifiedASR with a VEH handler set to your custom handler.
Obviously this hack works for client TS-based activation; the server TS activation apparently checks SIGN, so it is useless to do the hack there, and anyway you have to patch the ECC check.
Good luck
#36  05-22-2013, 08:40  zzfeed (Friend, Join Date: Apr 2012, Posts: 73)
Quote: Originally Posted by toro
    To find the verification function, simply search for push21b.
    TS and activation are very weak: just 2 patches and you can add any license you want to the license manager.
    For changing the pubkey, the best way is API hooking. Every target compiled with VS 2005 or higher with a shared library can be hooked to change the pubkey.
Does it mean two files need to be patched, or other things? Please explain in detail, thanks.
#37  06-25-2013, 18:55  rcer (Friend, Join Date: Dec 2008, Posts: 163)
Hi Nathan,

I also tried tanker's little pubkey tool on a couple of different binaries, but had the same result and was unable to check out any licenses.
Could it be that somehow the pub/priv key pair is rejected because it was generated using the default LMSEED values (0x1111111/0x22222222/0x33333333)?
Is there a way to input different LMSEED values into tanker's tool?

I also noticed that if you build lmcrypt using the above seed values and you try to generate a license with SIGN= & SIGN2=, the length of the SIGN key is 113/163/239 bits (depending on LM_STRENGTH), but the SIGN2 key length = 12 characters (i.e. the default).

rgds

RCER
#38  06-25-2013, 19:25  nathan (Friend, Join Date: Jul 2009, Posts: 37)
Hi RCER,

To be honest, I didn't spend so much time on it (good old days when I could spend as much time as I wanted on RCE) and I didn't dig deeper into the issue. I will try on a couple of apps as soon as I can and let you know.

- nathan
#39  06-25-2013, 21:17  rcer (Friend, Join Date: Dec 2008, Posts: 163)
Hi Nathan,

thanks

and regards

rcer
#40  07-07-2013, 23:10  ballad88 (Posts: n/a)
The first study of FLEXlm ECC

Hi, friends.
I am just a student, and I study FLEXlm ECC; I hope for study updates.
#41  07-10-2013, 13:27  iconstart (Friend, Join Date: Mar 2013, Posts: 21)
The Tiger won't give up
#42  08-08-2013, 23:00  arlequim (IBMSecuritySystemsXForce, Join Date: Feb 2009, Posts: 292)
Exactly, that's why here is another interesting tool in the attachment; most of the time it still works on traditional victims.
Attached file: XF-Flexlm_Patcher.rar (61.4 KB, 249 views)
#43  08-09-2013, 08:42  alekine322 (VIP, Join Date: Apr 2011, Location: North America, Posts: 238)
Hi @arlequim

Your previous tools only patch Win32 files.
Your new tools patch Win64 files, very good :)
Test the tools, friend. Thanks.

Regards
#44  11-08-2013, 15:51  nano (Posts: n/a)
Good discussion, and I learned a lot from here
#45  11-18-2013, 02:08  alekine322 (VIP, Join Date: Apr 2011, Posts: 238)
Hi

As background information:

- All my licenses, both FLEXlm and FlexNet, I made with version 9.2.
- I patch ECC-protected files.
- My licenses worked.

New software licenses are more complicated, and my licenses no longer work.

A friend told me that:
- FLEXlm and FlexNet are not the same.
- The tools for FLEXlm do not work for FlexNet.
- New tools are required.

If this is correct, can you give me feedback (any subject matter expert on FLEXlm and FlexNet):

What are the differences between the previous version (FLEXlm) and the current version (FlexNet):

1. In the encrypted vendor daemon seeds?
2. In patching ECC-protected files?
3. In the preparation of licenses?

Thanks in advance

Regards