PDA

View Full Version : Masking a DLL from FleXnet? Or just making a modified DLL look like a normal one.


cookiemaster
January 16th, 2014, 01:15
I'm working on a little something. I've gotten past the activation window and activation checks, BUT these people have some sort of Flexnet(?) implementation that checks for modified files. If it detects the file has been modified it allows "limited" use of the program.

My solution would be to mask this dll as its non modified counterpart so that when it gets checked it appears correct, but executes as if it where modified.

To summarize:
1. I already got past activation screens and checks
2. A system(flexnet probably)checks to see if the file has been modified
3. It detects the modification so it causes mayhem in the program
4. My solution would be to "trick" the system into thinking it has not been modified.

The DLL was modified with a hex editor and has only a few edits (like 5 bytes have been changed)

Or I could just use OllyDBG to remove the call or something (but I dont know how to use olly)
Or I could just tell flexnet to look for the modified file instead of the un-modified one

If someone could give me some tip,hints or point me in the right direction (or the solution :P) that would be fantastic.

Thanks!

OHPen
January 16th, 2014, 03:11
Hey,

first of all: "Well done!, you made your homework!" ;D
Good to see that there is still people who first try and then ask, hehe.

After reading your post it appears to me that you have almost done everything needed. Obviously you detected the validation routine already so can either do:

1. nop the call ( don't forget to nop/fix stack accordingly if parameters are used ) - can be done easily within olly
2. take a deeper look at the verification routine and understand the way the validation of the original dll is done. if it for example is a simple checksum over the bytes of the dll, patch either the checksum value or inject the bytes of the original dll at runtime ( not to much work if you use a loader... ). there are plenty of different ways how someone could implement a validation check, so at the end you will have to understand the functionality and find a way to trick it.

Your are so close to a working solution, so keep on bashing your head! feeling of success will be worth it, trust me ;D!!!!

regards,
OHPen

cookiemaster
January 16th, 2014, 12:59
Well I had a wireshark dump of a legitimate activation but I dont know if I have it anymore, I'll have to look for it. The thing with the loader is that since this is a module I dont know if it is loaded at start up, I'm going to have to check that. If I could use a loader that modifies the activation portion the second it begins to load that would be better. But what if flex is also checking memory to see if it has been modified?

I think I'm better off removing the call with olly or tricking it into thinking that the modified one is the real one.

Do you have any recommendations on finding this call? Maybe I could try to compare load procedures with another product of theirs (That one was cracked with just those 5 edits in a DLL :P)

Thanks for the tips.

cookiemaster
January 16th, 2014, 13:48
Well from a traffic dump from the activation port I have found that this is flexnet 11. There was some info on this site about something, I'll check it out.