Go Back   Exetools > General > General Discussion

#1
05-21-2013, 04:12
nathan (Friend)
 
Join Date: Jul 2009
Posts: 37
Rept. Given: 4
Rept. Rcvd 5 Times in 4 Posts
Thanks Given: 17
Thanks Rcvd at 27 Times in 17 Posts
nathan Reputation: 5
Arlequim,

I agree the patching way is the easiest path as long as you can identify the pubkey_verify function. However, as far as I know, in the very latest SDK (v11.10) the .map file for the libraries is not included anymore and the obfuscated names are not easily reversible (*). In fact I haven't seen any working "automated" patcher for version 11.10. On the other hand, the pubkey substitution is practically SDK-independent. The obfuscated pubkey is easily fetched and de-obfuscated by debugging the binary. The hard task is to rebuild the pubkey from the binary, as it is saved together with a lot of random garbage.

(*) The name randomization function is as follows:

/* Minimal type definitions assumed for this snippet (not part of the
 * original post): the SDK's real L_STRIP_OPTIONS and NAMELIST carry more
 * fields, but only the ones used below are declared here. */
#include <stdlib.h>
#include <string.h>

typedef struct {
    int zeros;          /* nonzero: blank out names instead of randomizing them */
} L_STRIP_OPTIONS;

typedef struct {
    char *name;         /* original symbol name; NULL name terminates the list */
    char *randname;     /* replacement name, filled in by randomize() */
} NAMELIST;

static void randomize(L_STRIP_OPTIONS *options, NAMELIST *np)
{
    int i;
    int len;
    static char *letters = "abcdefghijklmnopqrstuvwxyz";
    /* 63 characters: digits, lowercase, underscore, uppercase */
    static char *letters_num = "0123456789abcdefghijklmnopqrstuvwxyz_ABCDEFGHIJKLMNOPQRSTUVWXYZ";
    static char *emptyString = "";

    if (np == NULL)
        return;

    if (options->zeros)
    {
        /* "zeros" mode: every entry without a replacement gets the empty string */
        for (i = 0; np[i].name != NULL; i++)
            if (np[i].randname == NULL)
                np[i].randname = emptyString;
    }
    else
    {
        for (i = 0; np[i].name != NULL; i++)
        {
            if (np[i].randname == NULL && strlen(np[i].name) > 0)
            {
                int x;

                /* the replacement keeps the original length; the first
                 * character is always a letter so the result is a valid
                 * identifier, the rest is drawn from the 63-char set */
                len = strlen(np[i].name);
                np[i].randname = (char *)malloc(len + 1);
                if (np[i].randname == NULL)
                    continue;               /* out of memory: leave entry untouched */
                np[i].randname[0] = letters[rand() % 26];
                for (x = 1; x < len; x++)
                    np[i].randname[x] = letters_num[rand() % 63];
                np[i].randname[len] = '\0'; /* null terminate */
            }
        }
    }
}
#2
05-21-2013, 15:15
arlequim (IBMSecuritySystemsXForce)
 
Join Date: Feb 2009
Location: Punta Entinas-Sabinar, ALMERIMAR
Posts: 295
Rept. Given: 52
Rept. Rcvd 317 Times in 104 Posts
Thanks Given: 46
Thanks Rcvd at 193 Times in 63 Posts
arlequim Reputation: 300-399 arlequim Reputation: 300-399 arlequim Reputation: 300-399 arlequim Reputation: 300-399
Hi, if you are familiar with FLEXlm, you don't need to know the names via the .map file; you should be able to "explore" the binary file by recognition of several flow-charts, at least this is my personal approach. Mangled names (= exported functions) are nothing serious. I didn't update my generic patcher as today ECC is apparently checked out, but the real challenge is TS and activation, although I have figured out there are several weaknesses inside the binary code, but they are not so easy to find out. Anyway, my previous example has been taken from @(#) FLEXnet Licensing v11.10.1.0 build 99220 i86_n3 (lmgr.lib), Copyright (c) 1988-2012 Flexera Software LLC. All Rights Reserved. So nothing has changed, and everything is possible.
Last edited by arlequim; 05-21-2013 at 15:24.