#1
I haven't worked on FlexLM reversing for a while indeed; however, if I recall properly (correct me if I'm mistaken), activation is an option which is rarely used and uses streams to store the information.
I'm not sure I fully understand TS. I'll be more than willing to collaborate if you think I could be of any help.
The following user says thank you to nathan for this useful post: Indigo (07-19-2019)
#2
To find the verification function, simply search for push21b.
TS and activation are very weak: just 2 patches and you can add any license you want to the license manager. For changing the pubkey, the best way is API hooking. Every target compiled with VS 2005 and higher with the shared library can be hooked to change the pubkey.
The following user says thank you to toro for this useful post: Indigo (07-19-2019)
#3
Sometimes TS is badly implemented through the hook that talks to the main app; I mean some developers left the front door open.
S0lidw0rks by DSS is already a relevant example. Last time I mentioned some weak point. Well, the weakest point of libFNP ASR-based activation is the Trusted Storage itself. There is an assumption that if something is put into TS, it becomes trusted. So, if you inject a tampered ASR into TS via the cracked libFNP library, the original library will treat it as legal. It is also possible to inject a tampered ASR without any memory or static patches; all that you need is to kill some exceptions with VEH during the ASR processing call. Then you have to write your own routine to obtain the context of trusted storage and make a call to _flxActAddSpecifiedASR with a VEH handler set on the custom handler. Obviously this hack works for client TS-based activation; the server TS activation checks SIGN apparently, so it is useless to do the hack; anyway you have to patch the ECC check. Good luck
__________________
<<< The L10n won't give up >>>
#4
The following user says thank you to zzfeed for this useful post: Indigo (07-19-2019)
#5
Hi Nathan,
I also tried tanker's little pubkey tool on a couple of different binaries, but had the same result and was unable to check out any licences. Could it be that somehow the pub/priv key pair is rejected because it was generated using default LMSEED values (0x1111111/0x22222222/0x33333333)? Is there a way to input different LMSEED values into tanker's tool? I also noticed that if you build lmcrypt using the above seed values and try to generate a license with SIGN= & SIGN2=, the length of the SIGN key is 113/163/239 bit (depending on LM_STRENGTH), but the SIGN2 key length = 12 characters (i.e. default). rgds RCER
The following user says thank you to rcer for this useful post: Indigo (07-19-2019)
#6
This works only for 32-bit binaries.
A more common way is to find the constant 2930h. It is contained only in l_pubkey_verify and l_prikey_sign. l_prikey_sign does not contain the constant 0FFFFFFF8h, which occurs in l_pubkey_verify at least once.
The following user gave Reputation+1 to u_f_o for this useful post: synkro (06-29-2016)