Exetools forum, General Discussion: FLEXlm new versions: _time obfuscation area (https://forum.exetools.com/showthread.php?t=11396)

roli_bark 01-17-2008 16:52

FLEXlm new versions: _time obfuscation area
 
From playing around with FLEXlm v10.8 target lately, I just want to let you old FLEXlm hackers know, that a NEW memory area is used for _time obfuscation area in newer FLEXlm versions.

To get clear SEEDS revealed, as opposed to the OLD Job Structure area [ where you'd clear 4 random dwords generated by multiple _time calls in "l_n36_buff" ], the new area is noted in "_l_sg" like so:

-----------------------------

.text:00417F35 _l_sg proc near
.text:00417F35 push ebp
.text:00417F36 mov ebp, esp
.text:00417F38 sub esp, 24h
.text:00417F3B mov [ebp+var_14], 0
.text:00417F3F xor eax, eax
.text:00417F41 mov [ebp+var_13], ax
.text:00417F45 mov [ebp+var_11], al
.text:00417F48 mov [ebp+var_C], 6F7330B8h
.text:00417F4F mov [ebp+var_4], 0
.text:00417F56 mov [ebp+var_8], 0
.text:00417F5D mov [ebp+var_10], 3
.text:00417F64 push 1000h
.text:00417F69 mov ecx, [ebp+arg_0]
.text:00417F6C push ecx
.text:00417F6D call sub_42CF2D
.text:00417F72 add esp, 8
.text:00417F75 test eax, eax
.text:00417F77 jz short loc_417FCB
.text:00417F79 mov edx, [ebp+arg_0]
.text:00417F7C mov eax, [edx+198h]
.text:00417F82 mov ecx, [eax+1CDCh]
.text:00417F88 cmp dword ptr [ecx+524h], 0
.text:00417F8F jz short loc_417FCB
.text:00417F91 mov edx, [ebp+arg_8] <--- arg_2 - PTR to vendor structure
.text:00417F94 push edx
.text:00417F95 mov eax, [ebp+arg_4] <--- arg_1 - PTR to vendor name (Id.)
.text:00417F98 push eax
.text:00417F99 mov ecx, [ebp+arg_0] <--- PTR to legacy job structure
.text:00417F9C mov edx, [ecx+198h]
.text:00417FA2 mov eax, [edx+1CDCh]
.text:00417FA8 add eax, 528h
.text:00417FAD push eax <--- arg_0 - PTR to NEW _time obfuscation area
.text:00417FAE mov ecx, [ebp+arg_0]
.text:00417FB1 mov edx, [ecx+198h]
.text:00417FB7 mov eax, [edx+1CDCh]
.text:00417FBD call dword ptr [eax+524h] <- call _user_l_sg (l_n36_buff)
.text:00417FC3 add esp, 0Ch
.text:00417FC6 jmp loc_4180DE

-----------------------------------

In order to get clear de-obfuscated SEEDs, in _user_l_sg, just before the Order/Unique XORs, clear the 3 _time rand dwords at offsets .+0x8, .+0xC, .+0x10 @ the arg_0 PTR (new obfuscation area). Then, just as before, break on RETN to get clear seeds.

Of course, all the above is ONLY relevant with non-ECC targets ...

ChupaChu 02-06-2008 19:06

Thanx for info, what target is it you "quoted"?

SlashZero 06-03-2009 00:10

Probably he does not want to share that information for obvious reasons.
