
Thread: what is the correct path

  1. #1

    Question what is the correct path

    Hi everyone,

    I have a piece of software embedded in a BSD distribution for remote IP camera control. It is currently limited to x cams and n streams.

    A menu is called from the shell with a command (bash script) that invokes the program causing my troubles.
    I don't believe it is protected with anything; I'm just rusty at finding the correct path, especially with ELF and UNIX.

    So once everything is installed, it relies on a key file containing the licence information:

    9999|C|Software DEMO|00000|FreeBSD||8|4|GSi8CIHRhX12X2Pj
    FORMAT: unknown|unknown|licensee name|postal code|operating system|soft version|number of streams|number of cams|licence

    There are a few functions of interest:
    check_key: parses the keyfile and the hardware signature, calls keysigcheck
    keysigcheck: parses the key and does MD5 operations on it (Init, Update, Final), so I guess it's a kind of integrity check; there are a few xrefs to this one but I can easily nop the calls...
    check_license: reads the key, calls keysigcheck and then enters DEMO or LIMITED mode and tells me I am limited to x cams and n streams

    install_license: opens the keyfile, reads the key and processes the serialization, writes/saves the key (I guess it's to edit the licence information)

    view_license: prints the licence information and calls keysigcheck several times...

    My problem is that I'm not sure it uses all the functions above because of the DEMO state. It may look pretty obvious so far, but several patching attempts always resulted in a data serialization failure.

    I want the software to accept more cams and streams (and therefore bypass the key signature verification and demo limitations). I would be grateful if someone could point out my mistakes or the right path.

    I'm using IDA for deadlisting, CFF Explorer for patching.

    As the code for each function is vast, it would be pointless to paste it (I put the addresses instead).

    ELF file
    MD5: 19a843bab9119e86cb1cfab10456fe49


    Please consider donating to help staying online (here is why).
    Any amount greatly appreciated. Thank you.

  2. #2
    One more detail.

    The 4 cams and 8 clients limitation is hardcoded, as we can see here:

    .text:080707F0 ; =============== S U B R O U T I N E =======================================
    .text:0807083E loc_807083E:                            ; CODE XREF: scamd_check_license+132j
    .text:0807083E                 mov     eax, ebx
    .text:08070840                 call    keyfree
    .text:08070845                 cmp     edi, 0
    .text:08070848                 jl      loc_80708E7
    .text:0807084E                 mov     esi, esi
    .text:08070850                 jnz     short loc_80708C0
    .text:08070852                 mov     edx, [ebp+arg_0]
    .text:08070855                 mov     eax, offset aDemo ; "DEMO"
    .text:0807085A                 mov     dword ptr [edx+2Ch], 2
    .text:08070861 loc_8070861:                            ; CODE XREF: scamd_check_license+EDj
    .text:08070861                                         ; scamd_check_license+1A6j
    .text:08070861                 mov     dword ptr [esp+10h], 5
    .text:08070869                 mov     [esp+0Ch], eax  ; arg
    .text:0807086D                 mov     dword ptr [esp+8], offset aWarningEnterin ; "WARNING: Entering %s mode (recording li"...
    .text:08070875                 mov     dword ptr [esp+4], offset aScamd_check_li ; "scamd_check_license"
    .text:0807087D                 mov     dword ptr [esp], 0 ; int
    .text:08070884                 call    mydebug
    .text:08070889                 cmp     [ebp+var_24], 4
    .text:0807088D                 jg      loc_8070957
    .text:08070893 loc_8070893:                            ; CODE XREF: scamd_check_license+192j
    .text:08070893                 cmp     [ebp+var_28], 8
    .text:08070897                 jg      loc_8070927

    signed int __cdecl scamd_check_license(int a1)
    {
      bool v1; // edi@1
      int v2; // eax@5
      signed int result; // eax@8
      char v4; // ST0C_1@15
      char v5; // [sp+28h] [bp-40h]@1
      char v6; // [sp+2Ch] [bp-3Ch]@10
      int v7; // [sp+40h] [bp-28h]@7
      int v8; // [sp+44h] [bp-24h]@6
      char v9; // [sp+4Ch] [bp-1Ch]@1

      memset(&v5, 0, 0x24u);
      v9 = 124;                                // 124 == '|', the key file field separator
      v1 = hw_sig();
      if ( v1 < 0 )
      {
        v1 = keysigcheck((int)&v5, (int)&v9);
        if ( !v1 )
        {
          v9 = 0;
          v1 = -((unsigned int)keysigcheck((int)&v5, (int)&v9) < 1);
        }
        if ( v1 >= 0 )
        {
          if ( v1 )
          {
            if ( v6 == 67 )                    // 67 == 'C', cf. the 2nd field of the key
            {
              *(_DWORD *)(a1 + 292) = v8;
              *(_DWORD *)(a1 + 284) = v7;
              return 1;
            }
            if ( v1 <= 0 )
            {
              *(_DWORD *)(a1 + 44) = 2;
              v2 = (int)"DEMO";
            }
            else
            {
              *(_DWORD *)(a1 + 44) = 1;
              v2 = (int)"LIMITED";
            }
          }
          else
          {
            v2 = (int)"DEMO";
            *(_DWORD *)(a1 + 44) = 2;
          }
          mydebug(0, (int)"scamd_check_license", "WARNING: Entering %s mode (recording limited to %d%% of disk space)", v2);
          if ( v8 > 4 )                        // cams capped at 4 (cmp [ebp+var_24], 4)
          {
            v8 = 4;
            mydebug(0, (int)"scamd_check_license", "WARNING: limiting to %d cameras due to DEMO mode ", 4);
          }
          if ( v7 > 8 )                        // clients capped at 8 (cmp [ebp+var_28], 8)
          {
            v7 = 8;
            mydebug(0, (int)"scamd_check_license", "WARNING: limiting to %d clients due to DEMO mode ", 8);
          }
          goto LABEL_8;                        // LABEL_8 lies outside the pasted excerpt
        }
      }
      result = 0;
      if ( v1 == -1 )
      {
        mydebug(0, (int)"scamd_check_license", "WARNING: invalid license key !", v4);
        result = 0;
      }
      return result;
    }
    Changing those values may be risky, considering they may be hardcoded somewhere else...

    Also, there are two modes, "demo" and "limited", depending on the result of keysigcheck.
    The only difference seems to be the disk space usage...

    In your opinion, is there a way to fix this (see my question in the first post) without patching everywhere like a chainsaw? It looks like it's only made for demo, but I'm rather pessimistic anyway...

