Results 1 to 3 of 3

Thread: Dll protection with Digital Signature

  1. #1
    Lost in Lala Land peterg70's Avatar
    Join Date
    Oct 2001
    Location
    Down Under
    Posts
    195

    Dll protection with Digital Signature

    I have a DLL that is used as part of webpage (ASP code). This DLL now shows a Expired Now please purchase information. So I thought bring out trusty debugger and have a look see.

    The following Information I have found out.
    1) the DLL is called when required by the webpage via Inetinfo (Personal Webserver). No significant registry checks are conducted.
    2) Filemon shows no weird activity License file etc
    3) DLL is digitally signed by Verisign. Sign Algo md5RSA RSA (512bits)
    It has a 'Valid from' and 'Valid to' date
    Also a 'Signing Time'
    4) DLL is written In Visual Basic 6.0 (PEid)
    5) Found expiration Date after installing today is 1 March So more than 30 Days. (moving Date forward Produces 'Please Register Me Option'. Moving Date back clears the Please Register Me.)

    So question is what method of attack is going to work.
    Can the Dll use the Digital Signature Date Information to check for expiration.
    Can the Digital Signature be removed.
    What information is entered into the registry when you regsvr32 the DLL.
    Is an installation date stored anywhere in the system???
    How do you patch a digitally signed DLL?? (no loaders to path memory)

    Actually debugging is also interesting. What method of investigation will lead me down the path

    Peterg70

    Edit: Does anyone have a listing of the Functions contained inside the MSVBVM60.DLL file. Something Like an API reference file. Name,ShortDescr,Arguements,Return
    Last edited by peterg70; January 13th, 2004 at 22:23.

  2. #2
    <script>alert(0)</script> disavowed's Avatar
    Join Date
    Apr 2002
    Posts
    1,281
    why not just disassemble and trace back from the string reference to "Expired Now..." to see what caused the app to reach that point in code?

    Quote Originally Posted by peterg70
    Edit: Does anyone have a listing of the Functions contained inside the MSVBVM60.DLL file. Something Like an API reference file. Name,ShortDescr,Arguements,Return
    use google

  3. #3
    g'day peterg70

    >> Can the Dll use the Digital Signature Date Information to check for expiration.
    Yes.. you can programmatically check for and retrieve information from a digital signature/certificate.

    >> Can the Digital Signature be removed.
    Yes.. but it depends on the implementation.

    >> What information is entered into the registry when you regsvr32 the DLL.
    The dll is implemented as a COM object. regsvr32 registers (makes available) the COM object to windows. Basically a class id (clisd) is entered into the registry with the location of the object, its name, threading mode, program id etc. Other data can be found here, but it depends on the object..

    >>Is an installation date stored anywhere in the system???
    Not sure what you mean, but the dll probably implements its own date check scheme.

    >>How do you patch a digitally signed DLL?? (no loaders to path memory)
    Depends on the implementation..

    >>So question is what method of attack is going to work.
    >>Actually debugging is also interesting. What method of investigation will lead me down the path

    As it is a COM object, you use the dll in any development environment that allows access to COM objects.. for example VB.. This will allow you to load the object and access/call its properties and methods.. You can also make an executable that calls the dll to debug it.. However not all methods may be accessible/triggered because it wants a webpage.

    Zac

Similar Threads

  1. Adobe Digital Editions DRM
    By SHaG in forum RCE Cryptographics
    Replies: 13
    Last Post: September 8th, 2010, 17:24
  2. PE "Digital Signature" format?
    By Maximus in forum Advanced Reversing and Programming
    Replies: 2
    Last Post: August 23rd, 2010, 10:28
  3. Adobe DRM (Digital Right Management)
    By kepeto in forum RCE Cryptographics
    Replies: 13
    Last Post: August 7th, 2007, 05:48

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •