
Thread: how to generate "1" instead of "uncounted" license

  1. #31
    Quote Originally Posted by FoxB View Post
    Next I'm trying to debug the Check.exe from Synopsys

    initial string for MD5 hash inside sub_4173DE:
    ripped from ISSUER="" and NOTICE="" context and 2 dword.

    [PLEASE DO NOT DELETE THIS SSS KEY]Synopsys Inc.0x000000000x5f1f6a80

    .text:00417566 lea eax, [ebp+hash]
    .text:00417569 push eax
    .text:0041756A call sub_4173DE

    I don't know about the last 2 dwords.
    hash it and got:

    8D EA AC 0F 68 8C 2F 86 55 CF 22 2F 32 74 F6 76

    next used in BlowFish Init:
    .text:00417576 lea ecx, [ebp+hash]
    .text:00417579 push ecx
    .text:0041757A push eax ; BF init table
    .text:0041757E call Blowfish_init

    and use VENDOR_STRING for the blow_fish cipher:
    .text:00417595 push eax ; vendor_string length 0x18
    .text:00417596 push edi ; vendor_string
    ; DB 9C 49 72 1A 44 79 9F 0E 5A 5C 65 18 DF 89 C6 EF D7 C5 28 B9 FD 0D C5
    .text:00417597 push [ebp+var_24] ; after BlowFish init table
    .text:0041759A call BlowFish_Cipher
    I guess the MD5 hash is part of the 'Plain Text String' for Blowfish; if we can find out the 'Plain Text String' and the 'Key' for Blowfish, then the 'VENDOR_STRING' can be generated.

  2. #32
    Posted by FoxB
    first:
    8D EA AC 0F 68 8C 2F 86 55 CF 22 2F 32 74 F6 76 = MD5( [PLEASE DO NOT DELETE THIS SSS KEY]Synopsys Inc.0x000000000x5f1f6a80 )

    second:
    BlowFish_Init( 8D EA AC 0F 68 8C 2F 86 55 CF 22 2F 32 74 F6 76 )

    final:
    deciphered = BlowFish_Cipher( DB 9C 49 72 1A 44 79 9F 0E 5A 5C 65 18 DF 89 C6 EF D7 C5 28 B9 FD 0D C5 )

    and

    first:
    8D EA AC 0F 68 8C 2F 86 55 CF 22 2F 32 74 F6 76 = MD5( [PLEASE DO NOT DELETE THIS SSS KEY]Synopsys Inc.0x000000000x5f1f6a80 )

    second:
    BlowFish_Init( 8D EA AC 0F 68 8C 2F 86 55 CF 22 2F 32 74 F6 76 )

    final:
    VENDOR_STRING like DB 9C 49 72 1A 44 79 9F 0E 5A 5C 65 18 DF 89 C6 EF D7 C5 28 B9 FD 0D C5 = BlowFish_Cipher( deciphered )
    Last edited by FoxB; March 26th, 2012 at 04:47.

  3. #33
    Quote Originally Posted by FoxB View Post
    first:
    8D EA AC 0F 68 8C 2F 86 55 CF 22 2F 32 74 F6 76 = MD5( [PLEASE DO NOT DELETE THIS SSS KEY]Synopsys Inc.0x000000000x5f1f6a80 )

    second:
    BlowFish_Init( 8D EA AC 0F 68 8C 2F 86 55 CF 22 2F 32 74 F6 76 )

    final:
    deciphered = BlowFish_Cipher( DB 9C 49 72 1A 44 79 9F 0E 5A 5C 65 18 DF 89 C6 EF D7 C5 28 B9 FD 0D C5 )

    and

    first:
    8D EA AC 0F 68 8C 2F 86 55 CF 22 2F 32 74 F6 76 = MD5( [PLEASE DO NOT DELETE THIS SSS KEY]Synopsys Inc.0x000000000x5f1f6a80 )

    second:
    BlowFish_Init( 8D EA AC 0F 68 8C 2F 86 55 CF 22 2F 32 74 F6 76 )

    final:
    VENDOR_STRING like DB 9C 49 72 1A 44 79 9F 0E 5A 5C 65 18 DF 89 C6 EF D7 C5 28 B9 FD 0D C5 = BlowFish_Cipher( deciphered )
    Hi FoxB,

    Seems you have worked it out, but sorry, I still haven't understood. You say VENDOR_STRING is obtained from:
    VENDOR_STRING like DB 9C 49 72 1A 44 79 9F 0E 5A 5C 65 18 DF 89 C6 EF D7 C5 28 B9 FD 0D C5 = BlowFish_Cipher( deciphered )

    But,
    deciphered = BlowFish_Cipher( DB 9C 49 72 1A 44 79 9F 0E 5A 5C 65 18 DF 89 C6 EF D7 C5 28 B9 FD 0D C5 )

    Then is it a loop call between deciphered and VENDOR_STRING?
    If there is no valid license, how do you get this value of 'DB 9C 49 72 1A 44 79 9F 0E 5A 5C 65 18 DF 89 C6 EF D7 C5 28 B9 FD 0D C5' that you see at 00417569? Would you give more explanation? Thanks!
    Last edited by joyung; March 26th, 2012 at 05:25.

  4. #34
    Posted by FoxB
    RTFM

  5. #35
    Quote Originally Posted by FoxB View Post
    RTFM

  6. #36
    Quote Originally Posted by FoxB View Post
    Next I'm trying to debug the Check.exe from Synopsys

    initial string for MD5 hash inside sub_4173DE:
    ripped from ISSUER="" and NOTICE="" context and 2 dword.

    [PLEASE DO NOT DELETE THIS SSS KEY]Synopsys Inc.0x000000000x5f1f6a80

    .text:00417566 lea eax, [ebp+hash]
    .text:00417569 push eax
    .text:0041756A call sub_4173DE

    I don't know about the last 2 dwords.
    The former one is the encryption of the 'START' date, and the latter one is the encryption of the 'EXPIRE' date.

  7. #37
    Hi FoxB,

    I almost understand your inputs now, but I still want to get your help on the last step. Would you check the PM?

    Thanks for your time and trouble!

  8. #38

    Question

    Thanks for FoxB's help. Can anyone go on to help with what message is encrypted into the 'VENDOR_STRING' and how to debug it? I only understand part of the numbers.

    Seems not easy... I can PM to provide some more information if needed. Thanks in advance.
    Last edited by joyung; April 3rd, 2012 at 09:51.

  9. #39
    Sorry, I just found that the latter part of 'VENDOR_STRING' only exists in the lic; it is still not checked in the lic checker, the daemon file, or the application file. So only the former part is ok, and the latter part only contributes to the SIGN check. FoxB's check results are almost all that can be gotten at present.
    Last edited by joyung; April 11th, 2012 at 08:23.
