About the 2 Flexlm ECC flag....


flexlm
04-05-2009, 12:32 AM
In CrackZ's paper, he said:

Flag 1

6AF454 - Set to 1 using a static ADD ECX, 1 instruction at 6AF426, this could be patched to ADD ECX, 0 for a 1 byte change however Imaris has the same reference so there must be a variation in code path. By comparing the flow between Imaris and *censored*, we discover the following 'switching' code :

:006AF354 mov edx, [ebp+var_5DC]
:006AF35A cmp dword ptr [edx], 0
:006AF35D jz loc_6AF434 ; 0x0 Imaris, 0x10 *censored*

This is the real switch we have to backtrace and it's set deep inside the _l_buf_36() routine (described below); the only way I reliably found to locate where the static value is stored is as follows.

i). Breakpoint the _l_buf_36() routine, do d *(esp+8) to display in the data window the pointer to the vendor code structure, in some instances you may need to pagein this address via SoftICE.

ii). Set a bpm w on [vendor code structure + 3Ch] and monitor writes, anything other than zero should yield the static location of the data being written there (note that you'll probably get 3 or so breaks on access before finding the right one), once we've located the correct place we can make a small patch of the static data.

:00405FB6 mov eax, [edx+3Ch]
:00405FB9 add eax, dword_81C7F8 ; 0x10 static data
:00405FBF mov ecx, [ebp+0Ch]
:00405FC2 mov [ecx+3Ch], eax ; Write flag

What is the meaning of the two questions:

1) Breakpoint the _l_buf_36() routine, do d *(esp+8) :
2) Set a bpm w on [vendor code structure + 3Ch] and monitor writes...


How can I locate the ECC Flag 1?

RCER
04-06-2009, 11:42 PM
What is the meaning of the two questions:

1) Breakpoint the _l_buf_36() routine, do d *(esp+8): This means that you have to set a BPX at _l_n36_buf(), then look at the stack pointer+8 and follow this address in the dump (this will be your pointer to the vendor code structure). De-reference the pointer (jump to the address the pointer points to).
2) Set a bpm w on [vendor code structure + 3Ch] and monitor writes...: Then set a BPM (memory-on-write breakpoint) at VC + 3Ch, now continue debugging and watch the breakpoints on memory write access.

I tried this on one of my ECC targets but was never able to pinpoint the exact location of the ECC flag.

Let me know your progress.

Regards

CrackZ
04-10-2009, 02:17 PM
flexlm,

Post me a priv message with the target name and I'll endeavour to assist.

From recollection, check that when you do the d *(esp+8) the pointer is actually somewhere valid in memory, I recall there sometimes being a few breaks at _l_36_buf() and the pointer not being valid.

Regards,

CrackZ.

tr1stan
04-11-2009, 04:00 AM
Hi,

Is there any other flag which is checked? Because even if I patch the two flag checks I get the ECC signature check instead of the old one.

Regards
tr1stan

flexlm
05-30-2009, 05:33 AM
I have understood CrackZ's approach used to find the 2 ECC flags!

RCER
05-30-2009, 10:05 AM
flexlm

Can you PM me your target and give me some clues as to how you found the correct flags?

Regards
RCER