
Thread: FLEXNet

  1. #1
    : Code Injector : nikolatesla20's Avatar
    Join Date
    Apr 2002
    Location
    :ether:
    Posts
    815

    FLEXNet

    I've only got small experience playing with this protection (Of course, it IS a "new" thing out now). It's from Macrovision, so I'm thinking it's based off of FlexLM and the like. Anyway, the new Install***** 11 is based on it.

    Version 11 of the mentioned product has a 15 day demo out. One interesting thing about it is that after it expires on your machine, even re-imaging the hard disk doesn't restore the demo. In other words, I have an XP image of my hard disk from before I install the product, that I reapply to the drive. I tested this as well without any internet connection. So it appears to be physically writing something off somewhere else on the disk.

    I've read a tut by Tseph about SafeCast doing such a thing, writing to sector 0x32 on the hard drive, and that tut's target (I mean the protection on the target) was also from Macrovision, so no doubt a similar technique is being used here.

    Although I didn't notice any *.sys files being used by the app, one would think that would be necessary to write to the drive at the low level. Under Win2K and XP you can open the physical drive just as a file handle (CreateFile("\\\\.\\PhysicalDrive0")) but as far as I knew you could really only read from it, not write to it. I've done that myself to parse MBR and partition tables. Hm yes I guess you can write too....

    Anyway, pretty sure they are either doing it this way or writing something to BIOS (pretty inconceivable). Anyone else have some ideas?

    Guess I'll have to try BPX on WriteFile.

    I'm also going to play with it in VirtualPC and see how it behaves.

    -nt20
    Last edited by nikolatesla20; October 5th, 2005 at 09:17.

  2. #2
    Administrator dELTA's Avatar
    Join Date
    Oct 2000
    Location
    Ring -1
    Posts
    4,206
    Blog Entries
    5
    It should be possible to both read and write to raw disks when mounting them with CreateFile, yes.

    And, to state the obvious, I assume that your computer was not in any way connected to the internet during the period of having the software installed? It is after all called FLEXNet...

  3. #3
    : Code Injector : nikolatesla20's Avatar
    Join Date
    Apr 2002
    Location
    :ether:
    Posts
    815
    Nope, it's not connected at all. I only connected it once during install to let it download the .net framework.

    Then I disconnected it and ran the program after the install finished and it ran fine.

    Then I forced it to expire.

    Then I re-imaged the system and re-installed the program. This time I installed the .net framework off of a CD-ROM.

    Then I ran the program again and it said it was expired.

    I've managed to run it under SI and it definitely does lots of stuff with PHYSICALDRIVE0 and I saw it read in the partition table.

    I then tracked whenever it opened a handle to Drive0 and watched when WriteFile wrote to that handle... it writes a 0x200 byte block out. Right now I'm scanning the drive for the beginning of that block. It might end up being at the end of the drive.

    Anyway, I know they are doing it this way because they read the partition table (I know because after a Drive0 open I watched ReadFile and I saw the buffer containing the string "invalid partition table" - which IS in the partition table)

    So now just a bunch of hunting in the drive woods...

    -nt20

  4. #4
    Administrator dELTA's Avatar
    Join Date
    Oct 2000
    Location
    Ring -1
    Posts
    4,206
    Blog Entries
    5
    Ok, sounds good, I was just about to suggest hooking the file IO functions myself too. Please let us know about any interesting results as you proceed.

  5. #5
    At first sight (not deep at all) it looks like Flexnet has added an activation procedure which validates the app even before checking out the actual license. Depending on the publisher choice, this can be performed locally (that could be nikolatesla20's case) or through a remote server.

    nathan
    Last edited by nathan; October 5th, 2005 at 13:02.

  6. #6
    : Code Injector : nikolatesla20's Avatar
    Join Date
    Apr 2002
    Location
    :ether:
    Posts
    815
    Yes, from what I've read so far as well, the "activation" is a one-time-only event, which from that point forward the app does not talk to the activation server again.

    The part I'm interested in is mainly where they are keeping the expiration data which is clearly on some part of the hard drive that isn't affected by normal partitions. For example re-imaging or re-installing the OS does not affect it. This is similar to SecureROM though, which had a hidden value in sector 0x32 or something like that.

    -nt20

  7. #7
    Well, well, it looks like the guys didn't do the entire job themselves ... while disassembling FNP_Act_Installer.ddl

    ...

    This service performs licensing functions on behalf of FLEXnet enabled products.

    ...

    Copyright (c) 1992-2001 by P.J. Plauger, licensed by Dinkumware, Ltd. ALL RIGHTS RESERVED

    ... any comment ?

    nathan

  8. #8
    May not mean much. P.J. Plauger is the author of the standard C++ library shipped with Microsoft Visual C++. He is also the president of Dinkumware.

    More info here:

    http://www.google.com/search?hl=en&q=P.J.+Plauger%2C+licensed+by+Dinkumware

    http://www.embeddedstar.com/press/content/2002/9/embedded5005.html

    9/3/2002 - Dinkumware is now shipping the Dinkum CoreX Library, a source library that augments any Standard C++ library in several important ways. It provides a variety of cacheing strategies for STL containers, dozens of code conversions between Unicode and popular multibyte encodings, and a multithreading library that can be called from either C or C++.
    ...

    The code-conversions library lets you read and write files in over 70 different formats, but treat them uniformly within the program as sequences of Unicode characters. It even offers support for UTF-16 as a wide-character encoding. The library includes a template class for use with older C++ libraries, so you can use the code conversions even with conventional byte-oriented stream buffers. Another template class lets you convert between wide-character and byte strings, so you don't have to write to a file to convert between encodings.

    Regards,
    JMI

  9. #9
    Perhaps your "image" of the drive wasn't a complete image, i.e. one that contains every single sector from linear sector number 0 to the very end of the disk. I believe most imaging utilities won't image the "free space" of the drive. As well, on two of the HDDs I possess (a 4GB one and a 30GB one), there seem to be extra sectors present past the number that the drive reports. These are valid sectors, as they can be read and written. They aren't a wraparound to the first few sectors either. I tested how many there actually were with a small program that simply looped, reading all the sectors on the drive until it hit the very end. The 4GB drive claims to have 7821547 sectors (0-7821546), but there were actually 7822012, leaving a ~200K "empty" area at the very end. The 30GB drive had nearly 2M of extra sectors at the end. (An excellent place to hide something, isn't it? 2M is more than enough for some simple license data.)

    Try testing for those extra sectors, and do a complete image of your drive. Then fill the entire drive with nulls, reimage, and try again. My guess is that it's storing the expiration data at the end of the drive, past the end of the partition. (It might've even decremented the partition size in the partition table since you mentioned it writing to it...)

    As for writing to the CMOS RAM (which is what I assume when you said BIOS), that's highly unlikely as CMOS RAM locations are proprietary, and I think only 128 bytes long. Most of that 128 bytes is already taken by configuration data.

    For some more interesting info, take a look at my post in the thread here:
    http://www.woodmann.com/forum/showthread.php?t=7461
    Last edited by LLXX; October 5th, 2005 at 19:17.

  10. #10
    Howdy,

    It is not a BIOS/CMOS write.

    My thoughts are not "fact", they are my thoughts.
    It is writing to a sector on the disk that you cannot see/access.
    It could be a high "open" sector or MBR. The only way to determine this is to start with a "fresh" drive. Partitioned and formatted with a floppy or CD.

    Or you might find some utilities to reveal this "hidden" information.

    I'm with LLXX on this one.

    Woodmann

  11. #11
    : Code Injector : nikolatesla20's Avatar
    Join Date
    Apr 2002
    Location
    :ether:
    Posts
    815
    Thanks guys.

    Yeah, I know most imaging utilities don't do every sector. It's just a matter of finding where on the drive it's writing. I can step thru the code which could get very boring....or I can find some sort of utility to compare a drive before/after...which I may have to write myself.

    *Sigh* just when I thought I was done reversing for a while (never leaves your blood though does it?)

    On the other hand, I have written some basic partition reading programs, and to be honest I could strengthen my knowledge up a bit in this topic, so maybe it's good discipline to write some more tools.

    -nt20
    Last edited by nikolatesla20; October 5th, 2005 at 21:24.

  12. #12
    Howdy,

    We are blessed to have a person like you. You always have excellent questions/answers.

    As for utilities to do what you desire, good luck. I am always looking for those unique little progs to do such things. I have yet to find what I am looking for.

    Woodmann

  13. #13
    <script>alert(0)</script> disavowed's Avatar
    Join Date
    Apr 2002
    Posts
    1,281
    Quote Originally Posted by nikolatesla20
    or I can find some sort of utility to compare a drive before/after...which I may have to write myself.
    Hex Workshop allows you to look at specific sectors... why not just use it to dump a bunch of sectors before and after, and then use its hex-compare feature to see what has changed?

  14. #14
    Naides is Nobody
    Join Date
    Jan 2002
    Location
    Planet Earth
    Posts
    1,647
    Protection like this was what I had in mind when I thought about this:

    http://www.woodmann.com/forum/showthread.php?t=7025

  15. #15
    : Code Injector : nikolatesla20's Avatar
    Join Date
    Apr 2002
    Location
    :ether:
    Posts
    815
    Quote Originally Posted by disavowed
    Hex Workshop allows you to look at specific sectors... why not just use it to dump a bunch of sectors before and after, and then use its hex-compare feature to see what has changed?
    disavowed:
    I tried this, but the problem with Hex Workshop (at least the version I have) is it opens the drive by its letter. Which means the sectors start not at zero on the drive, but at the partition where the letter is. For example, when I was investigating partition tables to get more familiar with them, I tried to use hex workshop, but it didn't start at sector 0 on the drive. It started at the NTFS tables. (which are at partition <sector 0> but not physical sector 0).

    Maybe I'm confused on that tho. But I couldn't read partition tables or MBR with Hex Workshop. I wrote my own program which opened the disk with PHYSICALDRIVE0 and I could.

    EDIT: I just downloaded a new version of Hex workshop and it does open physical disk now so I'll play with it

    naides:

    Interesting. I remember reading this post actually. I agree I don't think any tool is out there for low level drive comparison - it probably would be slow, but it should be effective. Also, I was using VirtualPC for some testing as well, so I had the same idea of trying to compare VirtualPC images. I guess of course that would require reversing of the format, unless they just had a flat structure. I haven't investigated at all. If someone made a tool for VirtualPC or VMWare disk image compares it would be just as effective as a real hard disk compare tool, and probably would be faster too, and would have to deal less with errors (for example, files in use like pagefiles).


    -nt20
    Last edited by nikolatesla20; October 6th, 2005 at 10:15.
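
Added example (not part of the thread and not any poster's code): the before/after comparison discussed in posts #9 to #15, written as a forensic sector diff of two raw disk images. It parses the MBR partition table and reports whether each changed 0x200-byte sector lies in the MBR, inside a partition, or in unpartitioned space. The function names and the 128-sector sample image are constructed for illustration; it assumes flat raw images with a classic MBR.

```python
import io
import struct

SECTOR = 0x200  # 512-byte sector, the block size mentioned in the thread

def parse_mbr(sector0):
    """Return (first_lba, sector_count) for each used primary MBR entry."""
    if len(sector0) < SECTOR or sector0[510:512] != b"\x55\xaa":
        raise ValueError("sector 0 has no 0x55AA boot signature")
    parts = []
    for i in range(4):
        entry = sector0[446 + 16 * i:462 + 16 * i]
        first, count = struct.unpack_from("<II", entry, 8)
        if entry[4] != 0 and count:  # type byte 0 marks an unused slot
            parts.append((first, count))
    return parts

def classify(lba, parts):
    """Name the region a sector falls in, given the partition list."""
    if lba == 0:
        return "MBR"
    for n, (first, count) in enumerate(parts):
        if first <= lba < first + count:
            return f"partition {n}"
    return "unpartitioned"

def diff_images(before, after):
    """Compare two raw images (binary file objects) sector by sector."""
    parts = parse_mbr(before.read(SECTOR))
    before.seek(0)
    changed, lba = [], 0
    while True:
        a, b = before.read(SECTOR), after.read(SECTOR)
        if not a and not b:
            return changed
        if a != b:  # also fires when one image has extra trailing sectors
            changed.append((lba, classify(lba, parts)))
        lba += 1

def demo():
    """Constructed 128-sector image with one partition at LBA 63..99."""
    img = bytearray(128 * SECTOR)
    img[450] = 0x07  # partition type byte of the first entry
    struct.pack_into("<II", img, 454, 63, 37)  # first LBA, sector count
    img[510:512] = b"\x55\xaa"
    mod = bytearray(img)
    for lba in (0x32, 70, 120):  # gap before partition, inside, past its end
        mod[lba * SECTOR] ^= 0xFF
    return diff_images(io.BytesIO(img), io.BytesIO(mod))
```

For real images, pass two files opened in `rb` mode to `diff_images`; sectors reported as "unpartitioned" are the ones a partition-level imaging tool would not have captured or restored.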
