
Thread: ECC+RSA patching example (video tutorial)

  #1 | Member (Reputation: 96) | Join Date: 2015-03-07 | Location: EU | Posts: 57



    ECC+RSA patching example (video tutorial)

    Many beginners, like me, initially understand neither sentences like "patch it to return eax=0" nor the output text from IDA. For most it is even difficult to work with IDA. I decided to make this tut because for me the sentence "just replace the first 3 hex digits with 33C0C3", which is actually the eax=0, is much more understandable. @darsy mentioned in another topic that the ECC (l_pubkey_verify) can be patched manually with any hex editor, and this is true; it is simple, and in this way you can even patch the RSA defence.

    OK, let's start. You need just a hex editor and IDA. I prefer HWorks64 and IDA 6.6, which can both be found easily here, or I can give the links later.

    1) You need some demo (patched previously, etc.) license. After the patching you can change what you want and also add new features, which is very helpful!

    2) The first step is to find and patch the so-called l_pubkey_verify function (ECC defense). In most cases you can do it by:
    a) The generic patcher available here and in many other places.
    b) Using the patterns that @darsy regularly provides here, very useful!
    c) Finding on your own what and where to patch in IDA. It is simple!

    The first two methods work in most cases, but personally I think it is a good idea to know how to do it alone, because you will not be dependent on any other knowledge or flexlm version and don't need to worry... oh, whether the patcher will work. Thus, my first tut is how to patch l_pubkey_verify (ECC). A few minutes ago I patched the ECC of a Linux target and didn't know any patterns beforehand. My target was not trivial and uses flexlm 11.10.

    Just open IDA, go to View - Open Subviews - Signatures (or just Shift+F5), then right click and select "Apply new signature..." and select the flexlm 11.9 signatures (FNP 119x64 or 32 .sig, which you should copy to the IDA sig folder) available here in the forum; just Google. Then move to the Signatures window, right click and select Quick filter. Then type l_pubkey_verify or just pubkey into the box and you will find l_pubkey_verify. Double click on the name (function) and you will see the structure. Next, on the right screen click on l_pubkey_verify, right click and select Text view. You will see some strange text, which is a good place to start learning what it actually is. Just put the mouse on l_pubkey_verify and then open the Hex View-1 window. The first 3 hex digits which you will see are those that should be replaced in HWorks64 with 33C0C3.

    That's it, this is the patch! Just copy the raw hex from IDA, paste it in Notepad, remove the separators between the values and search in HWorks64. Replace them with 33C0C3, which actually will make "the function return eax=0". In my case these 3 hex digits were 4C894C, which means that this is version 11.10 x64, as @darsy showed here. But you don't care what you see, just replace (as in my case 4C894C) with 33C0C3. Flexnetv11.10x64# 4C894C24204489442418488954241048894C24084881EC78010000488B05 ( pattern6_addr: pattern6_addr+3 ==> 4C894C>33C0C3). In the video tut they are 4C894C>33C0C3 but it is 11.12.0.1.
    @darsy can explain much better here, but you can also make your own sig file from the .map file in IDA. But for me 11.9 works even for 11.12.1.
    Here is the video, and the target is exactly 11.12.0.1:

    Next is the RSA...

    P.S. Use Notepad above; I have a specific reason to do that in Google ))))))
    Attached Files
    Last edited by kometata; 2015-04-29 at 01:22 PM


  #2 | Member (Reputation: 159) | Join Date: 2010-05-04 | Location: EU | Posts: 79



    Re: ECC+RSA patching example (video tutorial)

    Hi friend,

    thanks for your nice tutorial. Please upload your tut with a rar password.

    In the pictures below you can see how it is possible to upload your manual.

    I'm not sure, but the attachment cannot be larger than 4 MB.

    regards,

    Darsy
    Attached Images
    • 1.jpg (43.3 KB)
    • 2.jpg (57.2 KB)

  #3 | Member (Reputation: 96) | Join Date: 2015-03-07 | Location: EU | Posts: 57



    Re: ECC+RSA patching example (video tutorial)

    Hi Darsy,
    Yes, I am doing this exactly your way and used the same software for screen recording as you did, but as you can see... The file is 2.12 MB, which is much smaller than allowed here, but it does not allow me to upload it.

    Can some of the forum administrators help please?

  #4 | Member (Reputation: 159) | Join Date: 2010-05-04 | Location: EU | Posts: 79



    Re: ECC+RSA patching example (video tutorial)

    Reputations, Permissions, Promotions...
    1. We have the following Member Groups:
    ★ Junior Member
    ★ Member
    ★ Senior Member
    ★ Limited User
    ★ Banned User
    ★ VIP Member

    2. Privileges that each group has:
    Junior Member: PM capacity is 200, attachment size is 2M, cannot download attachments;
    Member: PM capacity is 400, attachment size is 4M
    Senior Member: PM capacity is 600, attachment size is 8M
    Limited User: posts/replies need validation.

    Hi kometata, this is from the thread reputation system.
    You can see that junior members can only upload attachments up to 2MB.
    Please contact administrator GEZA.
    Last edited by darsy; 2015-04-29 at 07:55 AM

  #5 | Member (Reputation: 96) | Join Date: 2015-03-07 | Location: EU | Posts: 57



    Re: ECC+RSA patching example (video tutorial)

    Thanks @darsy! OK, I wrote a PM to GEZA and hope the problem will be solved.

    I also wanted to ask you, to avoid any confusion here: in cases when l_pubkey_verify is not found, does this directly mean that there is no ECC defence, or are other options also possible? I mean that it might be hidden and then we have to use/check your approach here:
    http://www.finetopix.com/showthread....l=1#post233024

    I answer this question myself, but @Darsy can explain why. So, if it is not present in IDA, just start to search manually for the ECC defence with IDA and/or any hex editor. We need to update the patterns here. For instance, if I am not wrong, for V11.13x86 we have:
    v11.13 x86 # DCC745E4000000008B45088B88A8 (pattern5_addr-18 , pattern5_addr-18+3 ==> 558BEC>33C0C3). This is strange because it is the same as 11.10x86, but anyway look for a 558BEC81ECFC0000 sequence and replace 558BEC with 33C0C3 in any hex editor. @carlitos this should work for you!
    Last edited by kometata; 2015-04-29 at 01:37 PM

  #6 | Administrator GEZA (Reputation: 1348) | Join Date: 2007-03-12 | Location: CN | Posts: 1,426



    Re: ECC+RSA patching example (video tutorial)

    Quote Originally Posted by kometata:
    Thanks @darsy! OK, I wrote a PM to GEZA and hope the problem will be solved.

    I also wanted to ask you, to avoid any confusion here: in cases when l_pubkey_verify is not found, does this directly mean that there is no ECC defence, or are other options also possible? I mean that it might be hidden and then we have to use/check your approach here:
    http://www.finetopix.com/showthread....l=1#post233024

    I answer this question myself, but @Darsy can explain why. So, if it is not present in IDA, just start to search manually for the ECC defence with IDA and/or any hex editor. We need to update the patterns here. For instance, if I am not wrong, for V11.13x86 we have:
    v11.13 x86 # DCC745E4000000008B45088B88A8 (pattern5_addr-18 , pattern5_addr-18+3 ==> 558BEC>33C0C3). This is strange because it is the same as 11.10x86, but anyway look for a 558BEC81ECFC0000 sequence and replace 558BEC with 33C0C3 in any hex editor. @carlitos this should work for you!

    There is a database limit on uploading attachments; please upload your stuff with a password to other sharing sites before I figure out how to increase the limit.
    Thanks.

  #7 | Member (Reputation: 96) | Join Date: 2015-03-07 | Location: EU | Posts: 57



    Re: ECC+RSA patching example (video tutorial)

    OK, Thanks GEZA!! I will make it asap!

  #8 | Administrator GEZA (Reputation: 1348) | Join Date: 2007-03-12 | Location: CN | Posts: 1,426



    Re: ECC+RSA patching example (video tutorial)

    Quote Originally Posted by kometata:
    OK, Thanks GEZA!! I will make it asap!

    Changes have been made:
    Max Post Size: 11.00 MB
    Maximum Upload Size: 10.00 MB

    For different types of attachments there is another limitation:
    Extension   Maximum Filesize (Bytes)
    7z          5000000
    bmp         200000
    doc         20000
    gif         200000
    jpe         200000
    jpeg        200000
    jpg         100000
    pdf         20000
    png         200000
    psd         20000
    rar         10000000
    txt         20000
    zip         5000000
    Attached Files

  #9 | Member (Reputation: 96) | Join Date: 2015-03-07 | Location: EU | Posts: 57



    Re: ECC+RSA patching example (video tutorial)

    Here is something really useful, which I didn't see in other forums!! For the Linux versions 11.10, 11.11 and maybe even 11.12 the l_pubkey_verify function in hex is: 41574989FF415641554154554889CD53
    Thus, to patch the ECC just search for this sequence and replace 415749 with 33C0C3 (415749>33C0C3).

    Probably @darsy has already added that to his patcher?

  #10 | Member (Reputation: 96) | Join Date: 2015-03-07 | Location: EU | Posts: 57



    Re: ECC+RSA patching example (video tutorial)

    I made another FlexLm ECC l_pubkey_verify patcher for the newer versions v.11.10-11.13 (tested on 11.10, 11.11 and 32-bit 11.13). It should work in most cases for both Win64/32 and Linux64/32, but more patterns might also need to be added. It can also be used, in some cases, for other defences as described in the topic.
    Attached Files
