Thread: Masking a DLL from FleXnet? Or just making a modified DLL look like a normal one.

  1. #1

    I'm working on a little something. I've gotten past the activation window and activation checks, BUT these people have some sort of Flexnet(?) implementation that checks for modified files. If it detects the file has been modified it allows "limited" use of the program.

    My solution would be to mask this DLL as its non-modified counterpart so that when it gets checked it appears correct, but executes as if it were modified.

    To summarize:
    1. I already got past activation screens and checks
    2. A system (flexnet probably) checks to see if the file has been modified
    3. It detects the modification so it causes mayhem in the program
    4. My solution would be to "trick" the system into thinking it has not been modified.

    The DLL was modified with a hex editor and has only a few edits (like 5 bytes have been changed)

    Or I could just use OllyDBG to remove the call or something (but I don't know how to use Olly)
    Or I could just tell flexnet to look for the modified file instead of the un-modified one

    If someone could give me some tips, hints or point me in the right direction (or the solution :P) that would be fantastic.

    Thanks!

  2. #2
    OHPen
    Hey,

    first of all: "Well done! You did your homework!" ;D
    Good to see that there are still people who first try and then ask, hehe.

    After reading your post it appears to me that you have almost done everything needed. Obviously you detected the validation routine already, so you can either:

    1. nop the call ( don't forget to nop/fix stack accordingly if parameters are used ) - can be done easily within olly
    2. take a deeper look at the verification routine and understand the way the validation of the original dll is done. if it for example is a simple checksum over the bytes of the dll, patch either the checksum value or inject the bytes of the original dll at runtime ( not too much work if you use a loader... ). there are plenty of different ways how someone could implement a validation check, so at the end you will have to understand the functionality and find a way to trick it.

    You are so close to a working solution, so keep on bashing your head! feeling of success will be worth it, trust me ;D!!!!

    regards,
    OHPen
    - Reverse Engineering can be everything, but sometimes it's more than nothing. Really rare moments but then they appear to last ages... -

  3. #3
    Well I had a Wireshark dump of a legitimate activation but I don't know if I have it anymore, I'll have to look for it. The thing with the loader is that since this is a module I don't know if it is loaded at start up, I'm going to have to check that. If I could use a loader that modifies the activation portion the second it begins to load that would be better. But what if flex is also checking memory to see if it has been modified?

    I think I'm better off removing the call with olly or tricking it into thinking that the modified one is the real one.

    Do you have any recommendations on finding this call? Maybe I could try to compare load procedures with another product of theirs (That one was cracked with just those 5 edits in a DLL :P)

    Thanks for the tips.

  4. #4
    Well from a traffic dump from the activation port I have found that this is flexnet 11. There was some info on this site about something, I'll check it out.
