FLEXNet


nikolatesla20
October 5th, 2005, 09:01
I've only got small experience playing with this protection (Of course, it IS a "new" thing out now). It's from Macrovision, so I'm thinking it's based off of FlexLM and the like. Anyway, the new Install***** 11 is based on it.

Version 11 of the mentioned product has a 15 day demo out. One interesting thing about it is that after it expires on your machine, even re-imaging the hard disk doesn't restore the demo. In other words, I have an XP image of my hard disk from before I installed the product, which I reapply to the drive. I tested this as well without any internet connection. So it appears to be physically writing something off somewhere else on the disk.

I've read a tut by Tseph about SafeCast doing such a thing, writing to sector 0x32 on the hard drive, and that tut's target (I mean the protection on the target) was also from Macrovision, so no doubt a similar technique is being used here.

Although I didn't notice any *.sys files being used by the app, one would think that would be necessary to write to the drive at the low level. Under Win2K and XP you can open the physical drive just as a file handle (CreateFile("\\\\.\\PhysicalDrive0")), but as far as I knew you could really only read from it, not write to it. I've done that myself to parse MBR and partition tables. Hm, yes, I guess you can write too....

Anyway, I'm pretty sure they are either doing it this way or writing something to BIOS (pretty inconceivable). Anyone else have some ideas?

Guess I'll have to try BPX on WriteFile.

I'm also going to play with it in VirtualPC and see how it behaves.

-nt20

dELTA
October 5th, 2005, 09:20
It should be possible to both read and write to raw disks when mounting them with CreateFile, yes.

And, to state the obvious, I assume that your computer was not in any way connected to the internet during the period of having the software installed? It is after all called FLEXNet...

nikolatesla20
October 5th, 2005, 10:34
Nope, it's not connected at all. I only connected it once during install to let it download the .net framework.

Then I disconnected it and ran the program after the install finished and it ran fine.

Then I forced it to expire.

Then I re-imaged the system and re-installed the program. This time I installed the .net framework off of a CD-ROM.

Then I ran the program again and it said it was expired.

I've managed to run it under SI and it definitely does lots of stuff with PHYSICALDRIVE0 and I saw it read in the partition table.

I then tracked whenever it opened a handle to Drive0 and watched when WriteFile wrote to that handle... it writes a 0x200 byte block out. Right now I'm scanning the drive for the beginning of that block. It might end up being at the end of the drive.

Anyway, I know they are doing it this way because they read the partition table (I know because after a Drive0 open I watched ReadFile and I saw the buffer containing the string "invalid partition table" - which IS in the partition table).

So now just a bunch of hunting in the drive woods...

-nt20

dELTA
October 5th, 2005, 10:40
Ok, sounds good, I was just about to suggest hooking the file IO functions myself too. Please let us know about any interesting results as you proceed.

nathan
October 5th, 2005, 12:42
At first sight (not deep at all) it looks like Flexnet has added an activation procedure which validates the app even before checking out the actual license. Depending on the publisher's choice, this can be performed locally (that could be nikolatesla20's case) or through a remote server.

nathan

nikolatesla20
October 5th, 2005, 13:23
Yes, from what I've read so far as well, the "activation" is a one-time-only event, which from that point forward the app does not talk to the activation server again.

The part I'm interested in is mainly where they are keeping the expiration data which is clearly on some part of the hard drive that isn't affected by normal partitions. For example re-imaging or re-installing the OS does not affect it. This is similar to SecureROM though, which had a hidden value in sector 0x32 or something like that.

-nt20

nathan
October 5th, 2005, 14:22
Well, well, it looks like the guys didn't do the entire job themselves ... while disassembling FNP_Act_Installer.dll

...

This service performs licensing functions on behalf of FLEXnet enabled products.

...

Copyright (c) 1992-2001 by P.J. Plauger, licensed by Dinkumware, Ltd. ALL RIGHTS RESERVED

... any comment ?

nathan

JMI
October 5th, 2005, 14:52
May not mean much. P.J. Plauger is the author of the standard C++ library shipped with Microsoft Visual C++. He is also the president of Dinkumware.

More info here:

http://www.google.com/search?hl=en&q=P.J.+Plauger%2C+licensed+by+Dinkumware

http://www.embeddedstar.com/press/content/2002/9/embedded5005.html

9/3/2002 - Dinkumware is now shipping the Dinkum CoreX Library, a source library that augments any Standard C++ library in several important ways. It provides a variety of caching strategies for STL containers, dozens of code conversions between Unicode and popular multibyte encodings, and a multithreading library that can be called from either C or C++.
...

The code-conversions library lets you read and write files in over 70 different formats, but treat them uniformly within the program as sequences of Unicode characters. It even offers support for UTF-16 as a wide-character encoding. The library includes a template class for use with older C++ libraries, so you can use the code conversions even with conventional byte-oriented stream buffers. Another template class lets you convert between wide-character and byte strings, so you don't have to write to a file to convert between encodings.

Regards,

LLXX
October 5th, 2005, 19:13
Perhaps your "image" of the drive wasn't a complete image, i.e. one that contains every single sector from linear sector number 0 to the very end of the disk. I believe most imaging utilities won't image the "free space" of the drive. As well, on two of the HDDs I possess (a 4GB one and a 30GB one), there seems to be extra sectors present past the number that the drive reports. These are valid sectors, as they can be read and written. They aren't a wraparound to the first few sectors either. I tested how many there actually were with a small program that simply looped, reading all the sectors on the drive until it hit the very end. The 4GB drive claims to have 7821547 sectors (0-7821546), but there were actually 7822012, leaving a ~200K "empty" area at the very end. The 30GB drive had nearly 2M of extra sectors at the end. (An excellent place to hide something, isn't it? 2M is more than enough for some simple license data.)

Try testing for those extra sectors, and do a complete image of your drive. Then fill the entire drive with nulls, reimage, and try again. My guess is that it's storing the expiration data at the end of the drive, past the end of the partition. (It might've even decremented the partition size in the partition table since you mentioned it writing to it...)

As for writing to the CMOS RAM (which is what I assume when you said BIOS), that's highly unlikely as CMOS RAM locations are proprietary, and I think only 128 bytes long. Most of that 128 bytes is already taken by configuration data.

For some more interesting info, take a look at my post in the thread here:
http://www.woodmann.com/forum/showthread.php?t=7461

Woodmann
October 5th, 2005, 20:56
Howdy,

It is not a BIOS/CMOS write.

My thoughts are not "fact", they are my thoughts.
It is writing to a sector on the disk that you cannot see/access.
It could be a high "open" sector or MBR. The only way to determine this is to start with a "fresh" drive, partitioned and formatted with a floppy or CD.

Or you might find some utilities to reveal this "hidden" information.

I'm with LLXX on this one .

Woodmann

nikolatesla20
October 5th, 2005, 21:21
Thanks guys.

Yeah, I know most imaging utilities don't do every sector. It's just a matter of finding where on the drive it's writing. I can step thru the code which could get very boring....or I can find some sort of utility to compare a drive before/after...which I may have to write myself.

*Sigh* just when I thought I was done reversing for a while (never leaves your blood though does it?)

On the other hand, I have written some basic partition reading programs, and to be honest I could strengthen my knowledge up a bit in this topic, so maybe it's good discipline to write some more tools.

-nt20

Woodmann
October 5th, 2005, 22:00
Howdy,

We are blessed to have a person like you. You always have excellent questions/answers.

As for utilities to do what you desire, good luck. I am always looking for those unique little progs to do such things. I have yet to find what I am looking for.

Woodmann

disavowed
October 5th, 2005, 23:52
Quote:
[Originally Posted by nikolatesla20]or I can find some sort of utility to compare a drive before/after...which I may have to write myself.

Hex Workshop allows you to look at specific sectors... why not just use it to dump a bunch of sectors before and after, and then use its hex-compare feature to see what has changed?

naides
October 6th, 2005, 07:43
Protection like this was what I had in mind when I thought about this:

http://www.woodmann.com/forum/showthread.php?t=7025

nikolatesla20
October 6th, 2005, 10:05
Quote:
[Originally Posted by disavowed]Hex Workshop allows you to look at specific sectors... why not just use it to dump a bunch of sectors before and after, and then use its hex-compare feature to see what has changed?


disavowed:
I tried this, but the problem with Hex Workshop (at least the version I have) is it opens the drive by its letter. Which means the sectors start not at zero on the drive, but at the partition where the letter is. For example, when I was investigating partition tables to get more familiar with them, I tried to use Hex Workshop, but it didn't start at sector 0 on the drive. It started at the NTFS tables (which are at partition <sector 0> but not physical sector 0).

Maybe I'm confused on that though, but I couldn't read partition tables or MBR with Hex Workshop. I wrote my own program which opened the disk with PHYSICALDRIVE0 and I could.

EDIT: I just downloaded a new version of Hex workshop and it does open physical disk now so I'll play with it

naides:

Interesting. I remember reading this post actually. I agree I don't think any tool is out there for low level drive comparison - it probably would be slow, but it should be effective. Also, I was using VirtualPC for some testing as well, so I had the same idea of trying to compare VirtualPC images. I guess of course that would require reversing of the format, unless they just had a flat structure. I haven't investigated at all. If someone made a tool for VirtualPC or VMWare disk image compares it would be just as effective as a real hard disk compare tool, and probably would be faster too, and would have to deal less with errors (for example, files in use like pagefiles).


-nt20

disavowed
October 6th, 2005, 10:47
Quote:
[Originally Posted by nikolatesla20]EDIT: I just downloaded a new version of Hex workshop and it does open physical disk now so I'll play with it

w00t

dELTA
October 6th, 2005, 14:08
For a cleaner way than "run and compare", wouldn't it be possible to hook CreateFile and pals, then once the program opens something suspicious (like a drive or partition), breakpoint all file writing functions from that point on, and as soon as it writes something to the handle in question (conditional breakpoint, anyone?) check what offset the file pointer is located at (if nothing else, inject a SetFilePointerEx() call with the correct arguments, and check the return value).

And to once again ask the obvious, did you monitor it with FileMon or the likes? FileMon normally reports offsets for all I/O operations it logs.

nikolatesla20
October 6th, 2005, 14:18


I watched the thing with filemon too but no success.

I found it now guys, no new trix here at all. Still writing to sector 32 on the hard disk, just like SecureROM did in +Tseph's tutorial. I just used Hex Workshop (the newest version) to open the physical drive and I cleared to zero all sectors from 1 thru 62 (NTFS boot sector is sector 63, and MBR is sector 0). Re-imaged and then re-installed the program, and it's all back to normal again.

Basically the only place to write on a drive safely is in that sector buffer area between the MBR and the first partition. In this case there were 61 sectors available that anything could be put in...

Thanks for the support and the new ideas. Unfortunately nothing new here (well, that may be a good thing since it didn't drive me insane !)

-nt20
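An added example (not code from this thread or from any of the posters) showing the check described above in Python: parse the MBR, work out the unallocated gap between sector 0 and the first partition, and report which sectors in that gap differ between two raw snapshots of the start of the drive. The two disk images below are constructed in memory; `read_drive_head()` shows how the same bytes would be pulled from `\\.\PhysicalDrive0` on Windows (administrator rights required, and that device path is an assumption about the machine being examined).

```python
import struct
from typing import Dict, List

SECTOR = 512
MBR_SIGNATURE = b"\x55\xaa"


def parse_mbr(mbr: bytes) -> List[Dict[str, int]]:
    """Parse the four primary partition entries of a classic MBR.

    Raises ValueError when the 0x55AA boot signature is missing, so a caller
    never trusts partition offsets taken from a sector that is not an MBR.
    """
    if len(mbr) != SECTOR:
        raise ValueError("MBR must be exactly one 512-byte sector")
    if mbr[510:512] != MBR_SIGNATURE:
        raise ValueError("invalid partition table signature")
    entries = []
    for i in range(4):
        off = 446 + 16 * i
        # status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) sector-count(4)
        status, ptype, lba_start, count = struct.unpack_from("<B3xB3xII", mbr, off)
        if ptype == 0:  # empty slot
            continue
        entries.append({"index": i, "status": status, "type": ptype,
                        "lba_start": lba_start, "sectors": count})
    return entries


def mbr_gap(entries: List[Dict[str, int]]) -> range:
    """Sectors between the MBR (sector 0) and the lowest partition start.

    No filesystem owns this range, so a sector that changes here between two
    snapshots is exactly the kind of out-of-band anchor the thread is after.
    """
    if not entries:
        raise ValueError("no partitions defined")
    first = min(e["lba_start"] for e in entries)
    return range(1, first)


def changed_sectors(before: bytes, after: bytes, sectors: range) -> List[int]:
    """Return the LBA numbers in `sectors` whose 512-byte content differs."""
    if len(before) != len(after):
        raise ValueError("snapshots must cover the same number of sectors")
    changed = []
    for lba in sectors:
        a = before[lba * SECTOR:(lba + 1) * SECTOR]
        b = after[lba * SECTOR:(lba + 1) * SECTOR]
        if a != b:
            changed.append(lba)
    return changed


def compare_drive_head(before: bytes, after: bytes) -> List[int]:
    """Parse the MBR from the 'before' snapshot and diff only the MBR gap."""
    gap = mbr_gap(parse_mbr(before[:SECTOR]))
    return changed_sectors(before, after, gap)


def read_drive_head(path: str = r"\\.\PhysicalDrive0", count: int = 63) -> bytes:
    """Read the first `count` sectors of a raw disk (Windows path; needs admin)."""
    with open(path, "rb", buffering=0) as f:
        return f.read(count * SECTOR)


# --- constructed sample data, not captured from a real drive -----------------
def _build_mbr(lba_start: int = 63, sectors: int = 1_000_000) -> bytes:
    mbr = bytearray(SECTOR)
    # one bootable NTFS (0x07) partition starting at LBA 63, the usual XP layout
    struct.pack_into("<B3xB3xII", mbr, 446, 0x80, 0x07, lba_start, sectors)
    mbr[510:512] = MBR_SIGNATURE
    return bytes(mbr)


SNAPSHOT_BEFORE = _build_mbr() + bytes(SECTOR * 62)          # sectors 0..62, gap all zero
_after = bytearray(SNAPSHOT_BEFORE)
_after[32 * SECTOR:32 * SECTOR + 16] = b"CONSTRUCTED-MARK"   # something landed in sector 32
SNAPSHOT_AFTER = bytes(_after)

if __name__ == "__main__":
    print("changed sectors in MBR gap:", compare_drive_head(SNAPSHOT_BEFORE, SNAPSHOT_AFTER))
```

On a real machine the two snapshots are the first 63 sectors read before installing and after the first run; a partition-level imaging tool never copies this range, which is why re-imaging from such an image left the marker in place.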

LLXX
October 6th, 2005, 21:11
So it still writes to sector 32. I'm surprised they're still doing that. If your first partition's boot sector began at sector 1 (it's completely possible, and it does work), would the software blindly write over sector 32, destroying what used to be there (FAT or other filesystem data)? This is indeed a highly dangerous software protection system.

nikolatesla20
October 6th, 2005, 23:08
No, I think it would work OK because it clearly looks up the MBR and partition table; I saw it read it into memory, so no doubt they are calculating it. But MBRs are always sector 0. And on every computer I've seen so far the first partition is way above sector 32 (every one I've seen with Win2K or XP starts at sector 63).

-nt20

nikolatesla20
October 7th, 2005, 15:07
Learned some more:

Each time program is run, it creates a "random" GUID and inserts it into the CLSID registry table. This is normal for most protections, however this one puts in valid data into that HKLM\Software\CLSID key so it's impossible to tell that it's fake. Only by watching it with a registry logger (a snapshot of before-after) can you see the new key it inserts.

When program starts up it deletes the old CLSID key from last time and creates a new one. It also adds a GUID registry key under HKLM\Software\Microsoft\ActiveSetup as well, each time deleting the old one and creating a new one.

Program has one license file and one license registry entry, both encrypted. Each time program starts, the file gets updated.

On first run of the program it also inserts data into sector 32 of the hard disk - to prevent an OS wipe and re-install of the product.

If you delete the license file the program fails to start. If you delete the license file and the license reg key and temp files, AND clear sector 32, the program still fails to start.

BUT: if you delete the license file, and the license key reg, and the temp files, and clear sector 32, AND delete the 2 registry entries mentioned above (CLSID and "ActiveSetup" Key), program will again start over fresh.

THEORY:

One would say, clearly the program must know, if it's using the registry entry under the CLSID, and it changes it every time it starts, it must keep track somewhere what the key was to check for it next time. This is not true however since I deleted every license file and license reg, and sector as mentioned above, but the program still failed to start (still said expired). BUT when I did all of that AND deleted the CLSID and ActiveSetup keys it made, it DID start.

What that means is the program must just contain an internal list of CLSID's ahead of time that it can use. A nice big list. A list of GUIDS and keys that look real. It then could just enumerate thru the list upon startup. If it finds a CLSID key in its list , but no license files and no license reg key, it can assume expired. If it finds a CLSID key and a license file both, it assumes continue trial (only if encrypted data in license file is ok). If it finds no CLSID key or ActiveSetup key AND no license file AND no license reg key, it assumes brand new and starts over. (Confused yet? ) A pointer to this theory possibly being true is running RegMon during program's startup and watching it enumerate every key under the known universe. No wonder it starts up so slow.

The hard part of course is knowing which CLSID & ActiveSetup key it's looking for. Before the expiration you can track that..but after I don't think it's possible.

I've verified the deletion works by moving the calendar back up to 4 days with success. Perhaps a loader which disallows the program to write to CLSID and then of course take care of the other deletions.

Of course you can always re-image and clear sector 32 and you will also be ok again.

Just some observations...

-nt20

nathan
October 7th, 2005, 15:22
Is it possible that ActiveSetup keeps track of the previous CLSID state? I assume you compared the ActiveSetup key every time you started the app. I find it quite strange that the app actually incorporates a list of valid CLSIDs because I presume the CLSID needs to have the time information in it.

Nevertheless, great work (as usual)

nathan

nikolatesla20
October 7th, 2005, 15:35
I don't think it tracks it that way since the key in ActiveSetup contains only normal text values. No GUID strings (except for the key name itself) and no encrypted strings. I think the protection enumerates the registry and compares each key to its internal list. That way it never reveals the list.

I thought of a way to possibly eliminate the CLSID - make a program which scans CLSIDs, and if InprocServer has an entry then open up the file mentioned and verify the key's GUID is indeed in the file. Of course you have to parse the Type Library, but there have been tools for that. Basically it would detect invalid GUIDs in the CLSID tree instead of the other way around like most tools do (most tools detect invalid InprocServer paths, or missing info, etc.). If the GUID is not in the file, or the file has no type library, it's pretty safe to delete the GUID... of course testing on a virtual system would be prudent.

Don't know of a good way to detect an "invalid" ActiveSetup key as of this moment tho.

If this is really what the protection does, which is what it appears to be doing to me right now, then it's actually pretty well thought up as far as leaving a trail behind which no one can really detect easily.

-nt20

nathan
October 7th, 2005, 15:59
I quickly went through the ProgRef and I think you are right; in fact, the licensing rights are contained in the so-called "Trusted Storage" (fancy, isn't it?).
Trusted Storage implements the machine binding:

"Binding is used to lock license rights to a machine and prevent them being transferred illegally to another machine. This is implemented by storing identities obtained from the machine in trusted storage. Each time trusted storage is accessed these binding identities are checked and compared with the values held in trusted storage."

Binding identities are described in the first attached table and a note states the following:
"Note: Machine serial number, HID_MSN, is only available if anchoring is in use. If there are no anchors in use, then there is no machine serial number. The security of the machine serial number is dependent on the level of security provided by the anchors in use."

Finally, you can see in the second table that evil Win has more than one anchor! In particular File, Registry and HW based (i.e., track 0) are supported!

I guess you are right then !

Good job!

nathan

nikolatesla20
October 10th, 2005, 10:13
Just an example of log files from RegShot.

Running the software after moving 1 day forward:
(the files are larger than this but here I am showing the example of the "rotational registry entry")

This reg file is also created by : Snapshot the system, run the software, exit the software, snapshot the second shot, compare.

Pay attention to the "Keys Deleted" and "Keys added" sections.

Code:

----------------------------------
Keys deleted:5
----------------------------------
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2084A42F-F56F-A557-3D48-40C4A91E8802}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2084A42F-F56F-A557-3D48-40C4A91E8802}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ComPlusMetaDataServices.ActorBvr.2
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ComPlusMetaDataServices.ActorBvr.2\CLSID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{985439F5-7D1B-A579-B006-63B56A5243A6}

----------------------------------
Keys added:6
----------------------------------
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{BCA1D4E1-2737-3808-B570-CFCEA624E3EE}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{BCA1D4E1-2737-3808-B570-CFCEA624E3EE}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CDO.Recordset.3
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CDO.Recordset.3\CLSID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{B9912A09-9F8C-3CF0-F471-D3C73433AF15}
HKEY_USERS\S-1-5-21-1177238915-789336058-1060284298-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012005100820051009




Now, after exiting the software, setting the day back again (back one day) and running the program again letting the program expire when it warned me it was about to expire because the date was wrong:

Code:


----------------------------------
Keys deleted:5
----------------------------------
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CDO.Recordset.3
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CDO.Recordset.3\CLSID
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{BCA1D4E1-2737-3808-B570-CFCEA624E3EE}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{BCA1D4E1-2737-3808-B570-CFCEA624E3EE}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{B9912A09-9F8C-3CF0-F471-D3C73433AF15}

----------------------------------
Keys added:5
----------------------------------
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{200DE769-9342-C3B3-E88B-A960D23604B0}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{200DE769-9342-C3B3-E88B-A960D23604B0}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CCWU.DHTMLSafe.2
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CCWU.DHTMLSafe.2\CLSID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{614DB443-757A-CBDE-C691-B4082CCB9E91}




As you can see under "keys deleted", it deletes the keys upon startup that it had created last time upon startup. So each time it starts it deletes the old key it used to start last time, and creates a new key. Unfortunately this key is valid in structure. Also, I found no location where this key name was stored so it knew where to look next time. I thought perhaps it was encrypted in the license file, but I deleted the license file and everything else I could find, and yet upon startup it still found the correct key to delete! So 2 options: either it's storing the key name somewhere else that I have yet to find, or it has an internal list of GUIDs that it uses over and over and just fills with valid data. It then enums the registry looking for these GUIDs and if found it knows it's been here before - then it checks the license file.

However, I would beg to argue no doubt the GUID is completely fake (the module it indicates no doubt does not contain that GUID) but I haven't looked at that detail yet. But since the key is complete and looks valid it's impossible to track down without knowing, before the program expires, what it put in the registry. Unless of course: I can find the "hidden" area that it's keeping track of the last registry entry it used - OR - find that internal list.

These are the only things I can think of right now..

Very well done I shall say.

-nt20
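Added example (mine, not from the thread or from RegShot): a small Python parser for RegShot-style text reports that pulls out the "Keys deleted" and "Keys added" sections and flags the rotation pattern described above, i.e. one CLSID, ProgID or Active Setup identifier deleted and a different one created in the same run, while plain additions (a normal install) are left alone. The report text is constructed, modelled on the format shown in the post, with made-up GUIDs and ProgIDs.

```python
import re
from typing import Dict, List, Optional, Tuple

GUID = r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}"
HEADER = re.compile(r"^([A-Za-z ]+):\s*\d+$")   # e.g. "Keys deleted:5"

# Key families the thread observed being rotated on every start.
PATTERNS = {
    "CLSID": re.compile(r"\\Classes\\CLSID\\(" + GUID + r")$", re.I),
    "ActiveSetup": re.compile(r"\\Active Setup\\Installed Components\\(" + GUID + r")$", re.I),
    # ProgID keys look like ...\Classes\<Name>\CLSID; the <Name> is the identifier.
    "ProgID": re.compile(r"\\Classes\\([^\\{][^\\]*)\\CLSID$", re.I),
}


def parse_regshot(text: str) -> Dict[str, List[str]]:
    """Split a RegShot text report into its 'Keys deleted' / 'Keys added' lists."""
    sections: Dict[str, List[str]] = {"deleted": [], "added": []}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("----"):
            continue
        m = HEADER.match(line)
        if m:  # section header; only the two key sections are collected
            current = {"keys deleted": "deleted", "keys added": "added"}.get(m.group(1).strip().lower())
            continue
        if current is not None:
            sections[current].append(line)
    return sections


def classify(key: str) -> Optional[Tuple[str, str]]:
    """Return (family, identifier) for a key in one of the watched families."""
    for family, rx in PATTERNS.items():
        m = rx.search(key)
        if m:
            ident = m.group(1)
            return family, (ident.upper() if family != "ProgID" else ident)
    return None


def find_rotations(sections: Dict[str, List[str]]) -> Dict[str, Dict[str, List[str]]]:
    """Families where one identifier was deleted and a different one added in the same run."""
    seen: Dict[str, Dict[str, set]] = {}
    for action in ("deleted", "added"):
        for key in sections[action]:
            hit = classify(key)
            if hit:
                family, ident = hit
                seen.setdefault(family, {"deleted": set(), "added": set()})[action].add(ident)
    rotations = {}
    for family, d in seen.items():
        if d["deleted"] and d["added"] and d["deleted"].isdisjoint(d["added"]):
            rotations[family] = {"deleted": sorted(d["deleted"]), "added": sorted(d["added"])}
    return rotations


# --- constructed RegShot-style report (made-up GUIDs and ProgIDs) -------------
SAMPLE_LOG = r"""
----------------------------------
Keys deleted:5
----------------------------------
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{11111111-2222-3333-4444-555555555555}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{11111111-2222-3333-4444-555555555555}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Constructed.ProgIdOne.1
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Constructed.ProgIdOne.1\CLSID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE}

----------------------------------
Keys added:6
----------------------------------
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{66666666-7777-8888-9999-AAAAAAAAAAAA}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{66666666-7777-8888-9999-AAAAAAAAAAAA}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Constructed.ProgIdTwo.1
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Constructed.ProgIdTwo.1\CLSID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{FFFFFFFF-0000-1111-2222-333333333333}
HKEY_USERS\S-1-5-21-0-0-0-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012005100820051009

----------------------------------
Values added:1
----------------------------------
HKEY_LOCAL_MACHINE\SOFTWARE\Constructed\Noise: "ignored"
"""

# A plain install adds a CLSID without deleting one: not a rotation.
FRESH_INSTALL_LOG = r"""
----------------------------------
Keys added:2
----------------------------------
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{12345678-1234-1234-1234-123456789ABC}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{12345678-1234-1234-1234-123456789ABC}\InprocServer32
"""

if __name__ == "__main__":
    for family, change in find_rotations(parse_regshot(SAMPLE_LOG)).items():
        print(family, "deleted", change["deleted"], "added", change["added"])
```

The disjointness test is what separates the rotation from an ordinary registration refresh: an installer that rewrites the same CLSID shows the GUID in both lists and is not reported.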

cyberheg
October 21st, 2005, 11:50
Very interesting discussion.

Can you tell me what exactly is stored in those reg entries? I assume they must contain some information about the expire date.
If no "non normal" information is stored I would guess that it keeps information about the application as a part of the GUID string.

One important question... When you posted a string like "{2084A42 F-F56F-A557-3D48-40C4A91E8802}" are there spaces in it or is it a typo? I am asking because a normal GUID would not have spaces as far as I know. This is also interesting for another matter. What would happen in case of collision?
Let's say (theoretically) that you have a generated GUID which already exists. Then either the program must bail out or it would find another way to solve the problem. Overwriting the GUID would mean doing some destruction on the system.

Would it be possible to post a sample of how this algorithm might look?

Btw. FLEXNet is a new name for a combined FLEXlm and SafeCast. So from what it sounds like here, it's a discussion of what was known as SafeCast before.
http://www.macrovision.com/products/flexnet_publisher/promotional/index.shtml
This is (most likely) the promotional licensing module. The reason is that it only works under Win32 as described on the website.

Thanks in advance.

nathan
October 21st, 2005, 15:13
cyberheg,

for sure flexnet works under Linux as well (since I have the beta version).

nathan

cyberheg
October 21st, 2005, 15:49
Quote:
[Originally Posted by nathan]cyberheg,

for sure flexnet works under Linux as well (since I have the beta version).

nathan


FLEXnet is split up into different modules. So yes you're right and yes I am right. You have the license manager (formerly known as flexlm), right?

http://www.macrovision.com/products/flexnet_publisher/licensing/overview/index.shtml

These are different products. Or are you saying you have the same functionality as what is discussed here in linux? (I doubt that).
Once you'll tell which module you're referring to, it'll be clear we're talking about two different products.

nathan
October 21st, 2005, 16:38
The Linux version definitely has the publisher (not only the license manager AKA flexlm).
I haven't tested it, yet (since I'm focusing (in my little spare time) on the Win version).
However, what is not going to be the same is the so-called "Trusted Storage" (which also uses the registry info under Win). If I'm not wrong the Linux version will be file based instead of registry based.

nathan

LLXX
October 21st, 2005, 19:16
Quote:
[Originally Posted by cyberheg]One important question... When you posted a string like "{2084A42 F-F56F-A557-3D48-40C4A91E8802}" are there spaces in it or is it a typo? I am asking because a normal GUID would not have spaces as far as I know.

Theforumsoftwareputsspacesintoreallyreallyreallyreallyreallylongwords.

cyberheg
October 22nd, 2005, 17:09
Could anyone explain to me how they found the sector 32 thingy? I took a copy of sector 32 (512 bytes) before installing and it was identical after installation and first run.

It seems it has some anti debugging (among other things). It just terminates when starting up.

I did a little test and recorded some regkeys which are stored and deleted. They contain basically no information:

[HKEY_CLASSES_ROOT\CLSID\{73B84E3F-8E5C-E303-C26D-F8B6D7261DA3}]
@="objref"

[HKEY_CLASSES_ROOT\CLSID\{73B84E3F-8E5C-E303-C26D-F8B6D7261DA3}\InprocServer32]
@="C:\\WINDOWS\\System32\\alrsvc.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{C2A0E8F2-90C2-47BC-DAC0-7E2E4B005E2C}]
@="Microsoft Word Basic"

[HKEY_CLASSES_ROOT\CLSID\{C2A0E8F2-90C2-47BC-DAC0-7E2E4B005E2C}\InprocServer32]
@="C:\\WINDOWS\\System32\\cMPG1V.dll"
"ThreadingModel"="Both"

It seems the only importance here are the GUID values.

Here is a trace of what happens:

685C0000 Module C:\Program Files\InstallShield 11 Express Edition\System\ProtectionProcessor.dll
76C90000 Module C:\WINDOWS\system32\IMAGEHLP.DLL
00BB0000 Module C:\DOCUME~1\hg\LOCALS~1\Temp\ProtectionProcessorCleanup.0001.dir.0000\~df394b.tmp
75F40000 Module C:\WINDOWS\system32\Apphelp.dll
66AF0000 Module C:\Program Files\InstallShield 11 Express Edition\System\IsUiServices.dll
00FA0000 Module C:\DOCUME~1\hg\LOCALS~1\Temp\InstallShieldClean.0001.dir.0000\~df394b.tmp
763B0000 Module C:\WINDOWS\system32\COMDLG32.DLL
01320000 Module C:\DOCUME~1\hg\LOCALS~1\Temp\InstallShieldClean.0001.dir.0000\~deede4.tmp
66AF0000 Unload C:\Program Files\InstallShield 11 Express Edition\System\IsUiServices.dll
763B0000 Unload C:\WINDOWS\system32\COMDLG32.DLL
00BB0000 Unload C:\DOCUME~1\hg\LOCALS~1\Temp\ProtectionProcessorCleanup.0001.dir.0000\~df394b.tmp
64720000 Unload C:\Program Files\InstallShield 11 Express Edition\System\ClientPliApi.dll
65160000 Unload C:\Program Files\InstallShield 11 Express Edition\System\IsAppServices.dll

It seems ProtectionProcessor.dll is the main driving power. Some files are even put in System32 (I saw shell005.dll among others) but they seem to be deleted again.
It's just over 1 MB though, which could contain a lot of crap.
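An added example (not from the thread) of the checker nikolatesla20 proposed earlier in this thread, applied to a .reg export like the one above: parse the export, take each CLSID's InprocServer32 module, and test whether that module contains its own CLSID in any of the usual encodings (binary little-endian as in a type library, ANSI string, UTF-16 string). A real type-library parser is not attempted; the byte search is the approximation. The .reg text and the two module images are constructed, and the C:\CONSTRUCTED paths are placeholders.

```python
import re
import uuid
from typing import Callable, Dict, List, Optional

KEY_LINE = re.compile(r"^\[(?P<path>[^\]]+)\]\s*$")
VALUE_LINE = re.compile(r'^(?P<name>@|"(?:[^"\\]|\\.)*")=(?P<val>.*)$')
INPROC_KEY = re.compile(r"\\CLSID\\(\{[0-9A-Fa-f-]{36}\})\\InprocServer32$", re.I)


def _unescape(s: str) -> str:
    # .reg exports double backslashes and escape quotes inside string values
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Parse a Regedit .reg export into {key path: {value name: value}}; '@' is the default value."""
    keys: Dict[str, Dict[str, str]] = {}
    current: Optional[Dict[str, str]] = None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_LINE.match(line)
        if m:
            current = keys.setdefault(m.group("path"), {})
            continue
        m = VALUE_LINE.match(line)
        if m and current is not None:
            name = m.group("name")
            name = "@" if name == "@" else _unescape(name[1:-1])
            val = m.group("val")
            if len(val) >= 2 and val[0] == val[-1] == '"':
                val = _unescape(val[1:-1])  # quoted REG_SZ; dword:/hex: values stay raw
            current[name] = val
    return keys


def inproc_servers(keys: Dict[str, Dict[str, str]]) -> Dict[str, str]:
    """Map each CLSID GUID to the module path in its InprocServer32 default value."""
    out = {}
    for path, values in keys.items():
        m = INPROC_KEY.search(path)
        if m and "@" in values:
            out[m.group(1).upper()] = values["@"]
    return out


def guid_encodings(guid: str) -> List[bytes]:
    """Forms in which a CLSID usually appears inside the module that implements it."""
    u = uuid.UUID(guid)
    braced = "{%s}" % str(u).upper()
    return [
        u.bytes_le,                        # binary, as stored in type libraries / CLSID tables
        braced.encode("ascii"),            # ANSI string
        braced.lower().encode("ascii"),
        braced.encode("utf-16-le"),        # wide string, as in resources
        braced.lower().encode("utf-16-le"),
    ]


def guid_in_module(blob: bytes, guid: str) -> bool:
    return any(enc in blob for enc in guid_encodings(guid))


def suspicious_clsids(reg_text: str, load_module: Callable[[str], Optional[bytes]]) -> List[str]:
    """GUIDs whose registered module is unreadable or never mentions the GUID."""
    bad = []
    for guid, path in inproc_servers(parse_reg_export(reg_text)).items():
        blob = load_module(path)
        if blob is None or not guid_in_module(blob, guid):
            bad.append(guid)
    return sorted(bad)


def read_module(path: str) -> Optional[bytes]:
    """Loader for a live system: read the DLL from disk, None if it is missing."""
    try:
        with open(path, "rb") as f:
            return f.read()
    except OSError:
        return None


# --- constructed sample: a .reg export plus two fake module images -------------
LEGIT_GUID = "{00000000-0000-0000-0000-00000000C0DE}"
BOGUS_GUID = "{FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFF}"

SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{00000000-0000-0000-0000-00000000C0DE}]
@="Constructed Legit Object"

[HKEY_CLASSES_ROOT\CLSID\{00000000-0000-0000-0000-00000000C0DE}\InprocServer32]
@="C:\\CONSTRUCTED\\legit.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFF}]
@="objref"

[HKEY_CLASSES_ROOT\CLSID\{FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFF}\InprocServer32]
@="C:\\CONSTRUCTED\\unrelated.dll"
"ThreadingModel"="Both"
'''

FAKE_MODULES = {
    # a module that really implements the class carries its CLSID in binary form
    r"C:\CONSTRUCTED\legit.dll": b"MZ" + bytes(62) + uuid.UUID(LEGIT_GUID).bytes_le + bytes(64),
    # a module merely named by a fabricated key does not
    r"C:\CONSTRUCTED\unrelated.dll": b"MZ" + bytes(126),
}

if __name__ == "__main__":
    print("suspicious CLSIDs:", suspicious_clsids(SAMPLE_REG, FAKE_MODULES.get))
```

On a live system pass `read_module` as the loader instead of `FAKE_MODULES.get`. A GUID on the resulting list is only a candidate for the kind of fabricated key discussed here; legitimate components occasionally register without embedding their CLSID, so each hit wants a manual look before anything is changed.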

Kayaker
October 22nd, 2005, 23:36
Quote:
Theforumsoftwareputsspacesintoreallyreallyreallyreallyreallylongwords.

Not any more, I changed the limit for the VBulletin word length from 50 to 100 so we don't get this adding of spaces to CLSID registry strings and such. Some reallyreallyreally.. long strings will still get spaces entered every 100 characters, but if we increase it any more than that then the string will scroll off the right side of the page and be lost entirely.
Besides which, we've got to keep the buffer overflow script kiddies at bay...
[/end forum management mode]


Re the sector 32 thingy, this was the first time I had played with this myself, make sure you're looking at the physical drive not the logical one...


Interesting side note, while I was playing with the original SafeCast target and scrolling through the sectors in Hexworks looking for #32, I also found an old reference to a very nasty app I had looked at a long time ago which had written into sector 25, (unbeknownst to me).

In case anyone wants to play with it, it's called
D.I.R.T. - Data Interception by Remote Transmission
Codex Data Systems, Inc.

D.I.R.T.TM is a specialized program designed to allow remote monitoring of a target PC by military, government and law enforcement agencies...

Base functionality includes a specialized application with surreptitious keystroke logging capabilities and stealth transmission of captured data to a pre-determined internet address monitored and decoded by the Codex D.I.R.T.TM Command Center Software.


I HIGHLY recommend using a VM image which you can just delete when done with it. I only mention it here because it's small and could probably be reversed to some degree and there may be parallels to how Macrovision writes to sector 32. There is a lot of information about DIRT but I don't know if the sector 25 writing has been explained, I haven't looked in any great detail. If anyone does try to reverse DIRT, it might make an interesting discussion in another thread.

Cheers,
Kayaker

SiGiNT
June 30th, 2008, 16:35
GAWD my memory is still good!! - I can't believe I found this thread.

Just a heads up: brand "A", the guys that make dongles that sound a lot like door parts, have a new very Flexnet-looking trial licensing scheme - the only difference is that the lic. is XML rather than ASCII, and it uses all the same tricks described here - a real pain in the ass, not quite sure if it qualifies as a rootkit.

SiGiNT

adamas
March 26th, 2012, 14:19
Quote:
[Originally Posted by nikolatesla20;47812]

I watched the thing with filemon too but no success.

I found it now guys, no new trix here at all. Still writing to sector 32 on the hard disk, just like SecureROM did in +Tseph's tutorial. I just used Hex Workshop (the newest version) to open the physical drive and I cleared to zero all sectors from 1 thru 62 (NTFS boot sector is sector 63, and MBR is sector 0). Re-imaged and then re-installed the program, and it's all back to normal again.

Basically the only place to write on a drive safely is in that sector buffer area between the MBR and the first partition. In this case there were 61 sectors available that anything could be put in...

Thanks for the support and the new ideas. Unfortunately nothing new here (well, that may be a good thing since it didn't drive me insane !)

-nt20

Hey there, guys! I was wondering if anyone could help me out with a few points:
- Is it safe to clear that sector 32 on a production (read: working) machine? I mean without breaking anything or need for reformatting.
- What's the proper way to do it?

I got a Hex Workshop and here are the steps so far: Disk > Open Drive > Physical Disk 0; Disk > Goto Sector > Offset 32 (Dec). Is it correct (eg. how to get to that sector, etc.) so far? If so, how to actually clear it?

On a related subject, in the case of FlexLM a host id is a combination of MAC Address (Physical Address) and a VolumeID (e.g. vol c: in command prompt). I tried changing both of those and still a trial version of a program says it's ended (won't run, won't allow a new trial). Is that supposed to be like this?


I would appreciate any help! Thanks so much in advance!

istigatore
March 29th, 2012, 15:44
adamas
If your program uses the standard license file, try to recover the seeds and make a new permanent license.....
But if the program uses the ECC protection, patch plus license file is the only way....
Upload the vendor....

adamas
April 5th, 2012, 02:46
Quote:
[Originally Posted by istigatore;92177]adamas
If your program uses the standard license file, try to recover the seeds and make a new permanent license.....
But if the program uses the ECC protection, patch plus license file is the only way....
Upload the vendor....

Any good pointers (e.g. articles) that you might recommend to start in this direction?
The reason I asked the original question is that the program in question wrote something in that 32nd sector, the trial is over and no matter what I do I can't renew it (which is necessary to keep experimenting with the target, so to say). So I figured it might be a good idea to start with resetting a trial, because until I do that I can't really do anything at all. Well, unless you might recommend something else.

Thanks so much in advance!

istigatore
April 6th, 2012, 10:08
Quote:
[Originally Posted by SiGiNT;75525]GAWD my memory is still good!! - I can't believe I found this thread.

Just a heads up: brand "A", the guys that make dongles that sound a lot like door parts, have a new very Flexnet-looking trial licensing scheme - the only difference is that the lic. is XML rather than ASCII, and it uses all the same tricks described here - a real pain in the ass, not quite sure if it qualifies as a rootkit.

SiGiNT


SiGiNT, your program maybe uses the new Trusted Storage... It is an implementation of the FLEXnet technology, and for the standalone license it uses a customized XML file with extension ".respc"... Now ArcGIS 10 also uses this protection, but you can use the floating mode with an ASCII license, if the program accepts this other way....