Tricking FleXnet into thinking it's been activated?


cookiemaster
January 28th, 2014, 15:26
Alright so I've been digging some more regarding my current "endeavor" ("http://www.woodmann.com/forum/showthread.php?15437-Masking-a-DLL-from-FleXnet-Or-just-making-a-modified-DLL-look-like-a-normal-one") and I've found what I'm sure may be the key to cracking this thing.

I have bypassed the activation windows, which means that the program loads but still remains un-activated. Here is what I found:

There is a menu that is called "product license". In this menu there are two things,
1. A button that says "activation codes". This one does a few things and returns a window saying that the product is not registered
2. A button that says "Unregister product". This one does nothing in the program, but Olly tells me it does the same as the one above, but does not return the window

I loaded up OllyDBG to see what these things do and they both appear to do the same; maybe they both check for activation files but none are found, so the second one does nothing more.

The activation codes button does this:
1. A non-continuable exception with data:
74a2c41f - C9 - LEAVE
2. Another non-continuable exception
Same stuff as above but a shift in the stack (jumps to a different address).
3. Then this:
2909
4. Then it just continues as normal

What I also found is that there are a few things that refer to what may be another DLL (there are 3 main DLLs), so there may be something that I'm missing in there.

I have a traffic dump of activation, if this is any use. The FleXnet version is 11.

My question is, how can I create a valid FleXnet license that will get recognized by these routines, or how do I maybe crack the activation process to generate a valid license with any key (activation is online)?

I'm not far from success, I just need some assistance. Thanks.

condzero
January 29th, 2014, 10:02
A while back, in October 2007, I wrote a tutorial on Flexnet / Safecast protection and how to deal with it.
Not sure how relevant it is today, but perhaps it might be worth a read.

Link is here: http://www.accessroot.com/arteam/site/download.php?view.213

Good Luck.

CZ

cookiemaster
January 29th, 2014, 13:18
I will read this, maybe it will give me a few ideas. Thanks.

istigatore
January 29th, 2014, 13:38
cookiemaster, if your program doesn't use the ECC protection, you can easily make a license with the standard sign. If the ECC is present, you can patch the pub_key or force the program to accept the standard sign by patching the 2 flags.
If you have a vendor and expired license, please send me links in PM.
Reading your post, the program uses the flexnet TS -> "Trusted storage".
But I don't know if only the fnp libraries are present, or if the flexnet routine is maybe present inside some files (dll/exe).
I have the same problem as you with a program, but my main problem is that the flexlm routine is obfuscated inside the files by "virtual protect"...

cookiemaster
January 29th, 2014, 16:20
Quote:
[Originally Posted by istigatore;96083]cookiemaster, if your program doesn't use the ECC protection, you can easily make a license with the standard sign. If the ECC is present, you can patch the pub_key or force the program to accept the standard sign by patching the 2 flags.
If you have a vendor and expired license, please send me links in PM.
Reading your post, the program uses the flexnet TS -> "Trusted storage".
But I don't know if only the fnp libraries are present, or if the flexnet routine is maybe present inside some files (dll/exe).
I have the same problem as you with a program, but my main problem is that the flexlm routine is obfuscated inside the files by "virtual protect"...


I don't have an expired licence, but I do have a traffic dump from the activation port; could that help me?

I don't know if the program is protected by ECC. How can I identify it?

cookiemaster
January 29th, 2014, 17:35
I've found something very interesting. When I load the program, I get "Debug Strings" in OllyDBG. They say "(company name) trace: 04". Still analyzing what they do.

Also, when stepping through the debug messages, once it loads another DLL I get an error, the classic "Microsoft Visual C++ runtime library: The application has requested a runtime to terminate in an unusual way".

Could it be because this program has some sort of protection against debuggers?

istigatore
January 30th, 2014, 10:24
cookiemaster, if the program has the ECC protection, the license shows the long SIGN... Try to search for any file with the extension .asr. It contains the trial license...

Quote:
Could it be because this program has some sort of protection against debuggers?
Maybe a packer/obfuscator is present... Send me the name of the program in PM...