
Thread: NEW '_time' obfuscation area in FLEXlm v10

  1. #16
    zhide1983
    Guest
    Hi, RCER

    I compared the asm code with the lm_new.c code, and got:

    1. a structure pointer t is actually a JOB pointer, and t->a[12] is the real job+8, job+b, and job+c data;
    2. I found the position calling the function 'time(0)' in the C code, which corresponds to the '_time' function you mention above
    3. my FLEXlm version is 10.8; do you mean that when this function returns, the job structure is a wrong one obfuscated by the _time function? Is it different from pre-v10 versions?
    4. If yes, then how does it record the random information introduced by _time, and how could it recover it?
    5. Could you please tell me how to get the correct JOB+8/b/c data?

    Thank you very much...
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  2. #17
    zhide1983


    Locate the first jmp at the end of multiple calls to _time.
    ( EB 09 JMP SHORT callmd.0040C227)

    Break at this jump and check the memory address inside ecx or edx.(follow in dump).One of them will contain the location of the new obfuscation area.

    zero out the random data and break on RET

    regards

  3. #18
    RCER:
    according to your instructions above, I found the edx address and dumped the content:

    debug027:014826A0 66 00 00 00 32 00 91 00 2A 24 76 EC 20 07 1E 00
    debug027:014826B0 00 00 EC 00 00 00 00 00 00 00 00 00 00 00 00 00
    debug027:014826C0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    debug027:014826D0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    debug027:014826E0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    debug027:014826F0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    debug027:01482700 00 00 00 00 00 00 00 00 60 11 48 01 50 2C 48 01
    debug027:01482710 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

    My question is:
    - where do I have to zero out the random data?
    Do I have to zero out this? 2A 24 76 EC 20 07 1E 00 00 00 EC 00

    thank you

  4. #19
    kiki,

    If this was a pre-v10 target you would have to zero job+4 --> job+13

    32 00 91 00 2A 24 76 EC 20 07 1E 00 00 00 EC 00

    However for v10 & up, the obfuscation is different from the job structure, and starts with 00 00 00 00 instead of 66 00 00 00

    I think you set your break point in the wrong spot

    (The principle remains the same however meaning that you have to zero
    obf+4 --> obf+13)

    pm me a link to the vendor daemon and license file

    regards
    RCER

  5. #20
    zhide1983
    Guest
    Hello,

    Yes, the job structure is just as you said, starting with 0000 rather than 66. I thought I had got the wrong spot just because the 0x00000066 was missing. (My FLEXlm version is 10.x)

    In the previous version, we break after calling _l_sg(), find the JOB structure from the ESP pointer, and use CALCSEED.exe to calculate the encrypted seeds 1 & 2. Is there any difference in v10.x if I still use CALCSEED.exe?

    I have tried two different FEATUREs and got the same seeds 1 & 2, but the vendor daemon cannot accept the license I generated, reporting INVALID LICENSE FILE. I checked the guide and found that maybe the seeds were wrong.

    thank you

  6. #21
    I'm sorry, the edx dump in my post #18 is from a different vendor.
    Here is the dump from the same vendor:

    break on jmp instruction,
    dump content of edx:
    debug021:00F82BC0 01 00 00 00 40 11 41 00 00 00 00 00 60 00 79 00
    debug021:00F82BD0 43 97 EA 57 BA 07 3A E8 25 FD B8 3D 00 00 00 00
    debug021:00F82BE0 00 00 00 00 F8 77 F8 00 00 00 00 00 C0 16 40 00

    I zeroed it out, but never got the clear seed.

    check your pm.

    thanks
    Last edited by kiki; February 17th, 2009 at 00:00.

  7. #22

    Kiki,

    I have zeroed the values below and, after breaking on return, got the clear seeds in VC+4 and VC+8.

    003D4530 00 00 00 00 60 00 79 00 74 A0 DD 6C 8D 30 0D DF
    003D4540 12 CA 8F 0A 00 00 00 00 00 00 00 00 E0 8F 3D 00
    003D4550 00 00 00 00 C0 16 40 00 40 FE 3D 00 00 00 00 00
    003D4560 00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00

    I have PM'd you the seeds

    Regards
    RCER

  8. #23
    RCER:
    Thank you very much!
    I have a clear view of the clear seed now.

    I played with another vendor on v8-v9 and found that using the Nolan Blender technique the result is correct.
    Next I'll play with a vendor that implements CRO/TRO, and I hope you will guide me too.

  9. #24
    Hi zhide1983

    see my comments below, interleaved with your quoted post

    Quote Originally Posted by zhide1983:
    > Hello,
    >
    > Yes, the job structure is just as you said, starting with 0000 rather than 66. I thought I had got the wrong spot just because the 0x00000066 was missing. (My FLEXlm version is 10.x)
    >
    > In the previous version, we break after calling _l_sg(), find the JOB structure from the ESP pointer, and use CALCSEED.exe to calculate the encrypted seeds 1 & 2. Is there any difference in v10.x if I still use CALCSEED.exe?

    The obfuscation algorithm has not changed in the newer FLEXlm versions, which means that calcseed will still produce the correct encryption seeds, as long as you input the job values from the new obfuscation area (starting with 00 00 00 00)

    > I have tried two different FEATUREs and got the same seeds 1 & 2, but the vendor daemon cannot accept the license I generated, reporting INVALID LICENSE FILE. I checked the guide and found that maybe the seeds were wrong.

    send me a PM with a link to the VD and lic file, and I will see if I can help

    > thank you
    Regards

    RCER

  10. #25
    zhide1983
    Guest
    Hi, RCER

    I've already PM'd you, thanks.

  11. #26

    want to confirm from you

    Hi RCER, I've played with a target using FLEXlm v10 and I think I've got the correct seed 1 and seed 2, but the license I generated is invalid.

    If you don't mind, I'll PM you the target so you can see if the seed I've found is correct.

    thank you

    Please check your PM
    Last edited by kiki; March 27th, 2009 at 02:02.

  12. #27
    O.K. no problem

    go ahead

    regards
    RCER

  13. #28
    Hi, RCER
    please check your PM, I've already sent you the vendor daemon and a sample lic

    thank you

  14. #29
    TaTa
    Guest
    Thanx for information.

    Regards

    TaTa
