Exetools


rcer 08-27-2018 23:21

Flexlm ECC
 
I am trying to reverse a flexlm protected program which uses ECC.
I managed to find the seeds and features, built lmcrypt, and patched l_pubkey_verify.
However the program refuses to run, and crashes every time, so I assume that it uses some form of CRC check, and crashes because this value has changed due to patching.
What is the general approach to defeat the CRC check?

user1 08-28-2018 02:40

how about you show us how to in a tutorial?

someone will help if you serious.

rcer 08-28-2018 19:55

Not sure what you mean with show us how to in a tutorial?
Do you want me to write a tutorial on how to extract the encryption seeds & patching of l_pubkey_verify??

user1 08-29-2018 01:58

yes please do. not worry 90% are just persons of scripts and automated tool olly plugins.

if very private ask one VIP to move your complete tutorial to VIP area.

long time I not seen such one.

ahmadmansoor 08-29-2018 13:24

is your target x64?

rcer 08-30-2018 02:46

Yes the target is x64

rcer 08-30-2018 22:24

fishing of encryption seeds, and patching of l_pubkey_verify is common knowledge, so no need to write a tutorial:)

rcer 08-31-2018 22:30

ahmadmansoor ,

why did you ask if my target is x64?

user1 09-01-2018 03:44

if that common show us !

I want see basic instinct again, reloaded !

eAGLe_eYe 09-01-2018 04:31

Simple, in the common way: catch the CRC checking routine and modify the asm code for jmp.

rcer 09-01-2018 16:18

Understood, but I have never dealt with CRC checking routines, so can you give me a hint as how do I find the dll or executable which checks the CRC?

eAGLe_eYe 09-02-2018 03:59

Quote:

Originally Posted by rcer (Post 114625)
Understood, but I have never dealt with CRC checking routines, so can you give me a hint as how do I find the dll or executable which checks the CRC?

Search all ExitProcess calls in the exe with olly, bookmark all the calls, run the exe, and it stops on an ExitProcess call. It's most likely your CRC check routine.

ahmadmansoor 09-02-2018 13:01

Quote:

Originally Posted by eAGLe_eYe (Post 114629)
Search all ExitProcess calls in the exe with olly, bookmark all the calls, run the exe, and it stops on an ExitProcess call. It's most likely your CRC check routine.

First, it is an x64 target so OllyDbg will not work ;) , you need x64dbg.
Did you check if it is packed? If yes, you will see that the target has many calls out of the .text section with many anti-debug checks.
What you need (as I remember) is DLL inject and hook some API before you use HW-BP to bypass anti-debug, then you apply ur patches.

rcer 09-02-2018 17:29

Well it looks that I have a lot of studying to do, and learn about anti-debug checks, API hooking and dll injecting, because I don't have a clue :D

ahmadmansoor 09-02-2018 17:52

Can you mention your target name?
Because I already have a target with same protection, I hope it not same yours :)

rcer 09-04-2018 04:41

Agilent N8900 Infiniium SW

souz 09-04-2018 14:00

For similar products in ARM code Agilent use stripped version of FlexLM and CRC in firmware is custom.

rcer 09-05-2018 03:11

O.K. & I have some homework to do

kangalooj 11-09-2018 22:24

Quote:

Originally Posted by souz (Post 114695)
For similar products in ARM code Agilent use stripped version of FlexLM and CRC in firmware is custom.

Do you have any info about agilent ARM customized flexLM ?

Daemon 11-10-2018 17:13

Can anyone provide the latest SDKs if possible?

gemuz 03-12-2019 05:16

Who can share the most recent sdk?

rcer 08-08-2019 00:36

Quote:

Originally Posted by ahmadmansoor (Post 114635)
First, it is an x64 target so OllyDbg will not work ;) , you need x64dbg.
Did you check if it is packed? If yes, you will see that the target has many calls out of the .text section with many anti-debug checks.
What you need (as I remember) is DLL inject and hook some API before you use HW-BP to bypass anti-debug, then you apply ur patches.

Unfortunately I have been too busy with other things to do my homework about dll inject and API hooking:o

rcer 09-14-2019 17:08

Hi kangalooj, a while back you sent me a PM asking me if I needed help with reversing Agilent. When I noticed your PM, I was already degraded to friend, so I lost the right to PM you. Is there another way I can contact you?

rcer 09-15-2019 17:23

Hi kangalooj

maybe you can contact me on [email protected]

kangalooj 12-05-2019 14:56

Quote:

Originally Posted by souz (Post 114695)
For similar products in ARM code Agilent use stripped version of FlexLM and CRC in firmware is custom.

Can anyone help me with this?
I want to generate license for AGILENT products with ARM embedded os.

yijun 12-09-2019 10:50

Quote:

Originally Posted by kangalooj (Post 118849)
Can anyone help me with this?
I want to generate license for AGILENT products with ARM embedded os.

Have you solved it?:D

souz 12-11-2019 07:57

What Device model you working on?

kangalooj 03-01-2020 18:45

Quote:

Originally Posted by souz (Post 118881)
What Device model you working on?

N5181A Signal generator


All times are GMT +8.
