
Thread: FLEXNet

  1. #31
    Could anyone explain to me how they found the sector 32 thingy? I took a copy of sector 32 (512 bytes) before installing, and it was identical after installation and first run.

    It seems it has some anti debugging (among other things). It just terminates when starting up.

    I did a little test and recorded some regkeys which are stored and deleted. They contain basically no information:

    [HKEY_CLASSES_ROOT\CLSID\{73B84E3F-8E5C-E303-C26D-F8B6D7261DA3}]
    @="objref"

    [HKEY_CLASSES_ROOT\CLSID\{73B84E3F-8E5C-E303-C26D-F8B6D7261DA3}\InprocServer32]
    @="C:\\WINDOWS\\System32\\alrsvc.dll"
    "ThreadingModel"="Apartment"

    [HKEY_CLASSES_ROOT\CLSID\{C2A0E8F2-90C2-47BC-DAC0-7E2E4B005E2C}]
    @="Microsoft Word Basic"

    [HKEY_CLASSES_ROOT\CLSID\{C2A0E8F2-90C2-47BC-DAC0-7E2E4B005E2C}\InprocServer32]
    @="C:\\WINDOWS\\System32\\cMPG1V.dll"
    "ThreadingModel"="Both"

    It seems the only things of importance here are the GUID values.

    Here is a trace of what happens:

    685C0000 Module C:\Program Files\InstallShield 11 Express Edition\System\ProtectionProcessor.dll
    76C90000 Module C:\WINDOWS\system32\IMAGEHLP.DLL
    00BB0000 Module C:\DOCUME~1\hg\LOCALS~1\Temp\ProtectionProcessorCleanup.0001.dir.0000\~df394b.tmp
    75F40000 Module C:\WINDOWS\system32\Apphelp.dll
    66AF0000 Module C:\Program Files\InstallShield 11 Express Edition\System\IsUiServices.dll
    00FA0000 Module C:\DOCUME~1\hg\LOCALS~1\Temp\InstallShieldClean.0001.dir.0000\~df394b.tmp
    763B0000 Module C:\WINDOWS\system32\COMDLG32.DLL
    01320000 Module C:\DOCUME~1\hg\LOCALS~1\Temp\InstallShieldClean.0001.dir.0000\~deede4.tmp
    66AF0000 Unload C:\Program Files\InstallShield 11 Express Edition\System\IsUiServices.dll
    763B0000 Unload C:\WINDOWS\system32\COMDLG32.DLL
    00BB0000 Unload C:\DOCUME~1\hg\LOCALS~1\Temp\ProtectionProcessorCleanup.0001.dir.0000\~df394b.tmp
    64720000 Unload C:\Program Files\InstallShield 11 Express Edition\System\ClientPliApi.dll
    65160000 Unload C:\Program Files\InstallShield 11 Express Edition\System\IsAppServices.dll

    It seems ProtectionProcessor.dll is the main driving power. Some files are even put in System32 (I saw shell005.dll among others), but they seem to be deleted again.
    It's just over 1 MB though, which could contain a lot of crap.

  2. #32
    Kayaker
    Theforumsoftwareputsspacesintoreallyreallyreallyreallyreallylongwords.
    Not any more, I changed the limit for the VBulletin word length from 50 to 100 so we don't get this adding of spaces to CLSID registry strings and such. Some reallyreallyreally.. long strings will still get spaces entered every 100 characters, but if we increase it any more than that then the string will scroll off the right side of the page and be lost entirely.
    Besides which, we've got to keep the buffer overflow script kiddies at bay...
    [/end forum management mode]


    Re the sector 32 thingy, this was the first time I had played with this myself, make sure you're looking at the physical drive not the logical one...


    Interesting side note: while I was playing with the original SafeCast target and scrolling through the sectors in Hexworks looking for #32, I also found an old reference to a very nasty app I had looked at a long time ago which had written into sector 25 (unbeknownst to me).

    In case anyone wants to play with it, it's called
    D.I.R.T. - Data Interception by Remote Transmission
    Codex Data Systems, Inc.

    D.I.R.T.™ is a specialized program designed to allow remote monitoring of a target PC by military, government and law enforcement agencies...

    Base functionality includes a specialized application with surreptitious keystroke logging capabilities and stealth transmission of captured data to a pre-determined internet address monitored and decoded by the Codex D.I.R.T.™ Command Center Software.


    I HIGHLY recommend using a VM image which you can just delete when done with it. I only mention it here because it's small and could probably be reversed to some degree and there may be parallels to how Macrovision writes to sector 32. There is a lot of information about DIRT but I don't know if the sector 25 writing has been explained, I haven't looked in any great detail. If anyone does try to reverse DIRT, it might make an interesting discussion in another thread.

    Cheers,
    Kayaker

  3. #33
    SiGiNT
    GAWD my memory is still good!! - I can't believe I found this thread.

    Just a heads up, brand "A" the guys that make dongles that sound a lot like door parts, have a new very Flexnet looking trial licensing scheme - the only difference is that the lic. is XML rather than ascii, and it uses all the same tricks described here - a real pain in the ass, not quite sure if it qualifies as a rootkit.

    SiGiNT

  4. #34

    Question

    Quote Originally Posted by nikolatesla20


    I watched the thing with filemon too but no success.

    I found it now guys, no new trix here at all. Still writing to sector 32 on the hard disk, just like SecureROM did in +Tseph's tutorial. I just used Hex Workshop (the newest version) to open the physical drive and I cleared to zero all sectors from 1 thru 62 (NTFS boot sector is sector 63, and MBR is sector 0). Re-imaged and then re-installed the program, and it's all back to normal again.

    Basically, the only place to write on a drive safely is in that sector buffer area between the MBR and the first partition. In this case there were 61 sectors available that anything could be put in...

    Thanks for the support and the new ideas. Unfortunately nothing new here (well, that may be a good thing since it didn't drive me insane !)

    -nt20
    Hey there, guys! I was wondering if anyone could help me out with a few points:
    - Is it safe to clear that sector 32 on a production (read: working) machine? I mean without breaking anything or need for reformatting.
    - What's the proper way to do it?

    I got Hex Workshop and here are the steps so far: Disk > Open Drive > Physical Disk 0; Disk > Goto Sector > Offset 32 (Dec). Is it correct so far (e.g. how to get to that sector, etc.)? If so, how to actually clear it?

    On a related subject, in the case of FlexLM a host id is a combination of a MAC Address (Physical Address) and a VolumeID (e.g. vol c: in the command prompt). I tried changing both of those and still a trial version of a program says it's ended (won't run, won't allow a new trial). Is that supposed to be like this?


    I would appreciate any help! Thanks so much in advance!
    I promise that I have read the FAQ and tried to use the Search to answer my question.
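    A read-only check for the buffer area nikolatesla20 describes, as an added example that is not code from anyone in this thread: it parses the MBR partition table to find where the first partition starts and reports which sectors in the gap before it hold non-zero data, so a hidden write like the one to sector 32 shows up as a forensic finding instead of going unnoticed. It runs on a constructed 64-sector image rather than a live drive; the marker planted in sector 32 is constructed.

```python
import struct

SECTOR = 512

def first_partition_lba(image: bytes) -> int:
    """Smallest starting LBA among the four primary MBR partition entries.

    The table sits at offset 446 of sector 0; each 16-byte entry holds its
    type at byte 4 and its starting LBA as a little-endian uint32 at byte 8.
    """
    mbr = image[:SECTOR]
    if len(mbr) < SECTOR or mbr[510:512] != b"\x55\xaa":
        raise ValueError("sector 0 carries no 0x55AA MBR boot signature")
    starts = []
    for i in range(4):
        entry = mbr[446 + 16 * i:446 + 16 * (i + 1)]
        ptype, lba = entry[4], struct.unpack_from("<I", entry, 8)[0]
        if ptype != 0 and lba != 0:          # skip unused entries
            starts.append(lba)
    if not starts:
        raise ValueError("MBR has no used partition entries")
    return min(starts)

def nonzero_gap_sectors(image: bytes) -> dict:
    """Map LBA -> first 16 bytes for every non-zero sector between the MBR
    (sector 0) and the first partition; a clean gap returns an empty dict."""
    end = first_partition_lba(image)
    found = {}
    for lba in range(1, end):
        data = image[lba * SECTOR:(lba + 1) * SECTOR]
        if any(data):
            found[lba] = bytes(data[:16])
    return found

def build_sample_image() -> bytes:
    """Constructed 64-sector image: one NTFS (0x07) partition starting at
    LBA 63, as in the thread, plus a constructed marker planted in sector 32."""
    img = bytearray(64 * SECTOR)
    # status, CHS start (3), type, CHS end (3), start LBA, sector count
    img[446:462] = struct.pack("<BBBBBBBBII", 0x80, 0, 0, 0, 0x07, 0, 0, 0, 63, 1)
    img[510:512] = b"\x55\xaa"
    marker = b"CONSTRUCTED-MARKER"
    img[32 * SECTOR:32 * SECTOR + len(marker)] = marker
    return bytes(img)

if __name__ == "__main__":
    sample = build_sample_image()
    print("first partition starts at LBA", first_partition_lba(sample))
    for lba, head in nonzero_gap_sectors(sample).items():
        print(f"non-zero gap sector {lba}: {head.hex()}")
```

    On a real system the same functions can be fed the first few hundred sectors read from the physical drive (not the logical volume, as Kayaker notes) with any raw-disk reader; nothing here writes to the disk.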

  5. #35
    istigatore
    adamas
    If your program uses the standard license file, try to recover the seeds and make a new permanent license...
    But if the program uses the ECC protection, patch plus license file is the only way...
    Upload the vendor...

  6. #36
    Quote Originally Posted by istigatore
    adamas
    If your program uses the standard license file, try to recover the seeds and make a new permanent license...
    But if the program uses the ECC protection, patch plus license file is the only way...
    Upload the vendor...
    Any good pointers (e.g. articles) that you might recommend to start in this direction?
    The reason I asked the original question is that the program in question wrote something in that 32nd sector, the trial is over, and no matter what I do I can't renew it (which is necessary to keep experimenting with the target, so to say). So I figured it might be a good idea to start with resetting a trial, because until I do that I can't really do anything at all. Well, unless you might recommend something else.

    Thanks so much in advance!
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  7. #37

    customized xml

    Quote Originally Posted by SiGiNT
    GAWD my memory is still good!! - I can't believe I found this thread.

    Just a heads up, brand "A" the guys that make dongles that sound a lot like door parts, have a new very Flexnet looking trial licensing scheme - the only difference is that the lic. is XML rather than ascii, and it uses all the same tricks described here - a real pain in the ass, not quite sure if it qualifies as a rootkit.

    SiGiNT
    SiGiNT, your program maybe uses the new Trusted Storage... It is an implementation of the FlexNet technology, and for the standalone license it uses a customized XML file with the extension ".respc"... Now ArcGIS 10 also uses this protection, but you can use the floating mode with an ASCII license, if the program accepts this other way...
