
Thread: FlexLM.ECC.Generic.Patcher-Flexlm targets (x86/x64 up to version 11.9.x)

  1. #81
    Re: FlexLM.ECC.Generic.Patcher-Flexlm targets (x86/x64 up to version 11.9.x)

    Oops, it is my mistake. Sorry about that.
    Last edited by anr27835; 2015-04-27 at 11:46 PM

  2. #82
    Re: FlexLM.ECC.Generic.Patcher-Flexlm targets (x86/x64 up to version 11.9.x)

    Hi Darcy and all,
    I am interested in a software that became very popular in the last months here - SCH...D. After your helpful discussion with @pharmacist and @Aleksej, some "temporary" solution for the win7x64 2014.4 version has been made. Meanwhile a new version became available - 2015.1. I am interested in the Linux version 2015.1 because many features are available only under Linux. For the Linux version I saw, in a Chinese forum, that the user @wtscrystal just replaced the public keys with those obtained by @boot32, available here, and used his license for Linux 2014.4, but for me "just" is a bit more difficult because I don't have access to the necessary tools (reputation problem...) and honestly lack deep knowledge of how to replace the pubkeys... I tried some old pubkey replacers without success. I don't know how to do that in IDA... The Boot32 license is valid up to December, but I think it will never actually expire, correct me if I am wrong?
    Can you help please with this software? I really need it and will be very thankful!! I sent you a PM with the necessary files.

  3. #83
    Re: FlexLM.ECC.Generic.Patcher-Flexlm targets (x86/x64 up to version 11.9.x)

    They did not change the FlexLM version and target files for 2015.1:
    Linux-x86_64\..... FLEXnet Licensing v11.10.0.0 build 95001 x64_lsb (liblmgr.a), Copyright (c) 1988-2011
    Thus the patch way should be the same..

  4. #84
    Re: FlexLM.ECC.Generic.Patcher-Flexlm targets (x86/x64 up to version 11.9.x)

    Quote Originally Posted by kometata View Post
    I intersect in the Linux versions 2015.1 because many features are available only under Linux.
    ...
    The Boot32 license is up to December, but I think it will never actually expired, correct me if I am wrong?
    Hi!

    Could you tell me which features are available only under Linux?

    Boot32 license will expire after 31-dec-2015, I guess

  6. #85
    Re: FlexLM.ECC.Generic.Patcher-Flexlm targets (x86/x64 up to version 11.9.x)

    Thanks for joining the discussion Aleksej! I know that you are one of the most experienced in this area. Respect.
    Probably these features are also present in the Windows daemon and I didn't explain that correctly, but because they are part of Desmond they can indeed be used only under Linux. For instance one such feature is:
    FEP_GPGPU
    I receive the following message: "Could not obtain license for feature "FEP_GPGPU" of FEP+". For me it is strange because I wanted to try the "regular" FEP module, not the FEP+ (FEP/RESP and OPLS 2.1), which is distributed only to some companies. I suppose that some new features will also be present inside this FEP+ module and btw I am very interested in this direction...

    Boot32 license will expire after 31-dec-2015, I guess
    Yes, I know and think in this direction too, but at the moment the FEP module is mainly in my thoughts.
    You helped @pharmacist to find a solution and I hope that will help a bit in that direction again.
    The only point which is problematic for me, and which I asked about in the next topic too, is this:
    2-firing lictest in ida and look for function that calls pubkey and patch it to return eax=0
    At first look in IDA the 2015.1 and 2014.4 versions look a bit different, and when I tried to find this function in IDA I realised that I am doing something wrong:
    http://www.finetopix.com/showthread....l=1#post236863
    The Pubkey was linked with an instance and I tried to change this jz but without effect:
    --------------------------------------------------------------------------------
    .text:000000014001BF9F jz short $+2 (here changed to 00, probably had to be jmp)
    .text:000000014001BFA1
    .text:000000014001BFA1 loc_14001BFA1: ; CODE XREF: sub_14001BEE0+BFj
    .text:000000014001BFA1 db 66h, 66h, 66h, 66h, 66h, 66h
    .text:000000014001BFA1 nop word ptr [rax+rax+00000000h]
    .......
    .text:000000014001C002 loc_14001C002: ; CODE XREF: sub_14001BEE0+68j
    .text:000000014001C002 lea rcx, [rsp+1138h+var_1018] ; Dst
    .text:000000014001C00A lea rdx, Src ; "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgk"...(pubkey was linked to 1BF9F)
    .text:000000014001C011 mov r8d, 1C3h ; Size
    .text:000000014001C017 call memcpy

    Can you help me a bit in this direction please? Indeed it would be great if you just PM me only this one file, nothing more.
    Thank you in advance!

    But in this case, following the @pharmacist procedure, do you think that the new features can be added just by including them in the existing license (randomly filled license entries for them in a correct format) or should one start from scratch/the beginning?

  7. #86
    Re: FlexLM.ECC.Generic.Patcher-Flexlm targets (x86/x64 up to version 11.9.x)

    Quote Originally Posted by pharmacist View Post
    Regarding the analysis of the target:
    1-U can open lictest.exe and you will see the following functions in IDA
    There is subroutine called check_signature which calls another subroutine that read pubkey.
    The check_signature subroutine is called by validate_license and mmlic3_verify_signature subroutines.
    validate_license is called by mmlic3_feature_exists and mmlic3_set_tokens
    check_signature is called by mmlic3_verify_signature
    2-what is needed is to get the right response from the subroutine that reads pubkey.
    Come on friends, help me a bit. I can't find the above functions. I use 11.9 signatures for IDA, any problem? Anyway, I think that the function that is linked to the public key is visible both in IDA and Olly, but I am not sure which one to patch and what the exact patch should be. Please give some advice.
    This is from IDA:

    Routine 14001BEE0 looks like this:
    .text:000000014001BEE0 ; =============== S U B R O U T I N E =======================================
    .text:000000014001BEE0
    .text:000000014001BEE0
    .text:000000014001BEE0 sub_14001BEE0 proc near ; CODE XREF: sub_14001C960+173p
    .text:000000014001BEE0 ; DATA XREF: .pdata:000000014017D504o ...
    .text:000000014001BEE0
    .text:000000014001BEE0 Buf = byte ptr -1118h
    .text:000000014001BEE0 var_1018 = byte ptr -1018h
    .text:000000014001BEE0 Dst = byte ptr -1017h
    .text:000000014001BEE0 var_18 = qword ptr -18h
    .text:000000014001BEE0 arg_8 = qword ptr 10h
    .text:000000014001BEE0
    .text:000000014001BEE0 push rdi
    .text:000000014001BEE2 mov eax, 1130h
    .text:000000014001BEE7 call __alloca_probe
    .text:000000014001BEEC sub rsp, rax
    .text:000000014001BEEF mov rax, cs:qword_140156458
    .text:000000014001BEF6 xor rax, rsp
    .text:000000014001BEF9 mov [rsp+1138h+var_18], rax
    .text:000000014001BF01 mov rdi, rcx
    .text:000000014001BF04 lea rcx, [rsp+1138h+Dst] ; Dst
    .text:000000014001BF0C xor edx, edx ; Val
    .text:000000014001BF0E mov r8d, 0FFFh ; Size
    .text:000000014001BF14 mov [rsp+1138h+var_1018], 0
    .text:000000014001BF1C call memset
    .text:000000014001BF21 mov rcx, cs:qword_140158D48
    .text:000000014001BF28 test rcx, rcx
    .text:000000014001BF2B jz short loc_14001BF3D
    .text:000000014001BF2D call RSA_free
    .text:000000014001BF32 mov cs:qword_140158D48, 0
    .text:000000014001BF3D
    .text:000000014001BF3D loc_14001BF3D: ; CODE XREF: sub_14001BEE0+4Bj
    .text:000000014001BF3D mov [rsp+1138h+arg_8], rbx
    .text:000000014001BF45 test rdi, rdi
    .text:000000014001BF48 jz loc_14001C002
    .text:000000014001BF4E lea rdx, aR ; "r"
    .text:000000014001BF55 mov rcx, rdi
    .text:000000014001BF58 call mmwin32_fopen
    .text:000000014001BF5D mov rbx, rax
    .text:000000014001BF60 test rax, rax
    .text:000000014001BF63 jnz short loc_14001BF89
    .text:000000014001BF65 lea rcx, ErrMsg ; "fopen"
    .text:000000014001BF6C call cs:__imp_perror
    .text:000000014001BF72 lea rcx, aErrorUnableToO ; "Error: Unable to open '%s' for reading."...
    .text:000000014001BF79 mov rdx, rdi
    .text:000000014001BF7C call csrintf
    .text:000000014001BF82 xor eax, eax
    .text:000000014001BF84 jmp loc_14001C055
    .text:000000014001BF89 ; ---------------------------------------------------------------------------
    .text:000000014001BF89
    .text:000000014001BF89 loc_14001BF89: ; CODE XREF: sub_14001BEE0+83j
    .text:000000014001BF89 lea rcx, [rsp+1138h+Buf] ; Buf
    .text:000000014001BF8E mov r8, rax ; File
    .text:000000014001BF91 mov edx, 100h ; MaxCount
    .text:000000014001BF96 call cs:__imp_fgets
    .text:000000014001BF9C test rax, rax
    .text:000000014001BF9F jz short $+2
    .text:000000014001BFA1
    .text:000000014001BFA1 loc_14001BFA1: ; CODE XREF: sub_14001BEE0+BFj
    .text:000000014001BFA1 db 66h, 66h, 66h, 66h, 66h, 66h
    .text:000000014001BFA1 nop word ptr [rax+rax+00000000h]
    .text:000000014001BFB0
    .text:000000014001BFB0 loc_14001BFB0: ; CODE XREF: sub_14001BEE0+115j
    .text:000000014001BFB0 xor eax, eax
    .text:000000014001BFB2 or rcx, 0FFFFFFFFFFFFFFFFh
    .text:000000014001BFB6 lea rdi, [rsp+1138h+var_1018]
    .text:000000014001BFBE repne scasb
    .text:000000014001BFC0 xor ecx, ecx
    .text:000000014001BFC2 lea rdx, [rsp+1138h+Buf]
    .text:000000014001BFC7 nop word ptr [rax+rax+00000000h]
    .text:000000014001BFD0
    .text:000000014001BFD0 loc_14001BFD0: ; CODE XREF: sub_14001BEE0+FDj
    .text:000000014001BFD0 movzx eax, byte ptr [rdx+rcx]
    .text:000000014001BFD4 inc rcx
    .text:000000014001BFD7 mov [rdi+rcx-2], al
    .text:000000014001BFDB test al, al
    .text:000000014001BFDD jnz short loc_14001BFD0
    .text:000000014001BFDF lea rcx, [rsp+1138h+Buf] ; Buf
    .text:000000014001BFE4 mov r8, rbx ; File
    .text:000000014001BFE7 mov edx, 100h ; MaxCount
    .text:000000014001BFEC call cs:__imp_fgets
    .text:000000014001BFF2 test rax, rax
    .text:000000014001BFF5 jnz short loc_14001BFB0
    .text:000000014001BFF7 mov rcx, rbx ; File
    .text:000000014001BFFA call cs:__imp_fclose
    .text:000000014001C000 jmp short loc_14001C01C
    .text:000000014001C002 ; ---------------------------------------------------------------------------
    .text:000000014001C002
    .text:000000014001C002 loc_14001C002: ; CODE XREF: sub_14001BEE0+68j
    .text:000000014001C002 lea rcx, [rsp+1138h+var_1018] ; Dst
    .text:000000014001C00A lea rdx, Src ; "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgk"...
    .text:000000014001C011 mov r8d, 1C3h ; Size
    .text:000000014001C017 call memcpy
    .text:000000014001C01C
    .text:000000014001C01C loc_14001C01C: ; CODE XREF: sub_14001BEE0+120j
    .text:000000014001C01C lea rcx, [rsp+1138h+var_1018]
    .text:000000014001C024 or edx, 0FFFFFFFFh
    .text:000000014001C027 call BIO_new_mem_buf
    .text:000000014001C02C xor r9d, r9d
    .text:000000014001C02F xor r8d, r8d
    .text:000000014001C032 mov rcx, rax
    .text:000000014001C035 xor edx, edx
    .text:000000014001C037 mov rdi, rax
    .text:000000014001C03A call PEM_read_bio_RSA_PUBKEY
    .text:000000014001C03F mov rcx, rdi
    .text:000000014001C042 mov cs:qword_140158D48, rax
    .text:000000014001C049 call l_pubkey_verify
    .text:000000014001C04E mov rax, cs:qword_140158D48
    .text:000000014001C055
    .text:000000014001C055 loc_14001C055: ; CODE XREF: sub_14001BEE0+A4j
    .text:000000014001C055 mov rbx, [rsp+1138h+arg_8]
    .text:000000014001C05D mov rcx, [rsp+1138h+var_18]
    .text:000000014001C065 xor rcx, rsp ; StackCookie
    .text:000000014001C068 call __security_check_cookie
    .text:000000014001C06D add rsp, 1130h
    .text:000000014001C074 pop rdi
    .text:000000014001C075 retn
    .text:000000014001C075 sub_14001BEE0 endp
    .text:000000014001C075
    .text:000000014001C075 ; ---------------------------------------------------------------------------
    .text:000000014001C076 algn_14001C076: ; DATA XREF: .pdata:000000014017D510o
    .text:000000014001C076 align 20h
    .text:000000014001C080
    .text:000000014001C080 ; =============== S U B R O U T I N E =======================================

    Sorry for the long text...
    The second function is 1B730, which is the second time where the public key is visible and probably both should be patched here, am I correct? :

    .text:000000014001B730 ; =============== S U B R O U T I N E =======================================
    .text:000000014001B730
    .text:000000014001B730
    .text:000000014001B730 sub_14001B730 proc near ; CODE XREF: main+ADp
    .text:000000014001B730 ; DATA XREF: .pdata:000000014017D468o
    .text:000000014001B730 push rbx
    .text:000000014001B732 sub rsp, 20h
    .text:000000014001B736 lea rdx, Src ; "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgk"...
    .text:000000014001B73D mov rbx, rcx
    .text:000000014001B740 call cs:__imp_fprintf
    .text:000000014001B746 lea rdx, asc_140124ABC ; "\n"
    .text:000000014001B74D mov rcx, rbx
    .text:000000014001B750 add rsp, 20h
    .text:000000014001B754 pop rbx
    .text:000000014001B755 jmp cs:__imp_fprintf
    .text:000000014001B755 sub_14001B730 endp
    .text:000000014001B755
    .text:000000014001B755 ; ---------------------------------------------------------------------------
    .text:000000014001B75C algn_14001B75C: ; DATA XREF: .pdata:000000014017D468o
    .text:000000014001B75C align 20h
    .text:000000014001B760
    ----

    But here there is a more general picture that confused me, actually, about what should be my target..:

    And finally for the 32-bit version from Olly I obtained this:

    Any help is valuable for me. Thanks in advance! I think also that these pictures would be helpful for other forum members...
    Last edited by kometata; 2015-04-26 at 03:14 PM

  8. #87
    Re: FlexLM.ECC.Generic.Patcher-Flexlm targets (x86/x64 up to version 11.9.x)

    Hi,
    I think that I found, or hope so, the function that calls the PUBLIC key.
    This function is present in all files containing the MIIB..PUBLIC key and in hex format is 55 8B EC 83 E4 F8 B8 0C 11 00 00. It starts with 558BEC (FlexLM 11.10 x86)..
    Then I applied a regular patch like those for l_pubkey_verify, i.e. at the beginning of the function I replaced the 3 hex values with 33C0C3 (558BEC > 33C0C3), and after that in IDA I see that the result is the same as for l_pubkey_verify, which means that I am forcing the function to return eax=0. Am I correct? This is the patched function:

    .text:00416FB0 ; =============== S U B R O U T I N E =======================================
    .text:00416FB0
    .text:00416FB0
    .text:00416FB0 sub_416FB0 proc near ; CODE XREF: sub_417A60+12Fp
    .text:00416FB0 xor eax, eax
    .text:00416FB2 retn
    .text:00416FB2 sub_416FB0 endp
    .text:00416FB2
    .text:00416FB3 ; ---------------------------------------------------------------------------
    .text:00416FB3 and esp, 0FFFFFFF8h
    .text:00416FB6 mov eax, 110Ch
    .text:00416FBB call __alloca_probe
    .text:00416FC0 mov eax, ___security_cookie
    .text:00416FC5 xor eax, esp
    .text:00416FC7 mov [esp+1108h], eax
    .text:00416FCE push ebx
    .text:00416FCF push esi
    .text:00416FD0 push edi
    .text:00416FD1 push 0FFFh
    .text:00416FD6 lea eax, [esp+115h]
    .text:00416FDD push 0
    .text:00416FDF push eax
    .text:00416FE0 mov esi, ecx
    .text:00416FE2 mov byte ptr [esp+11Ch], 0

    However, the program is not working... indeed I patched the ECC too.
    What can be the problem?
    Last edited by kometata; 2015-04-27 at 01:12 PM

  9. #88
    Re: FlexLM.ECC.Generic.Patcher-Flexlm targets (x86/x64 up to version 11.9.x)

    Original function was:
    .text:004170F0 ; =============== S U B R O U T I N E =======================================
    .text:004170F0
    .text:004170F0 ; Attributes: bp-based frame
    .text:004170F0
    .text:004170F0 sub_4170F0 proc near ; CODE XREF: sub_417270+12Fp
    .text:004170F0
    .text:004170F0 Buf = byte ptr -1108h
    .text:004170F0 var_1008 = byte ptr -1008h
    .text:004170F0 Dst = byte ptr -1007h
    .text:004170F0 var_4 = dword ptr -4
    .text:004170F0
    .text:004170F0 push ebp
    .text:004170F1 mov ebp, esp
    .text:004170F3 and esp, 0FFFFFFF8h
    .text:004170F6 mov eax, 110Ch
    .text:004170FB call __alloca_probe
    .text:00417100 mov eax, ___security_cookie
    .text:00417105 xor eax, esp
    .text:00417107 mov [esp+110Ch+var_4], eax
    .text:0041710E push ebx
    .text:0041710F push esi
    .text:00417110 push edi
    .text:00417111 push 0FFFh ; Size
    .text:00417116 lea eax, [esp+111Ch+Dst]
    .text:0041711D push 0 ; Val
    .text:0041711F push eax ; Dst
    .text:00417120 mov esi, ecx
    .text:00417122 mov [esp+1124h+var_1008], 0
    .text:0041712A call memset
    .text:0041712F mov eax, dword_53B928
    .text:00417134 add esp, 0Ch
    .text:00417137 test eax, eax
    .text:00417139 jz short loc_41714E
    .text:0041713B push eax
    .text:0041713C call RSA_free
    .text:00417141 add esp, 4
    .text:00417144 mov dword_53B928, 0
    .text:0041714E
    .text:0041714E loc_41714E: ; CODE XREF: sub_4170F0+49j
    .text:0041714E test esi, esi
    .text:00417150 jz loc_41720D (HERE IS A JUMP TO PUBLIC KEY)
    .text:00417156 push offset Mode ; "r"
    .text:0041715B push esi
    .....
    If I patch the whole function as shown in the previous post (eax=0) it crashes... both maestro.exe and lictest.exe. The problem is only in libmmlibs.dll. I mean only the lictest and files are ok but...
    Any suggestions?
    Here are the lictest and this dll

    P.S. In fact the function suggested for patching, check_signature, and all the others are located exactly in this .dll, at least for 2013-1, not in lictest.exe. I used 2013-1 x64 as an initial test.
    https://mega.co.nz/#!79Mj2ISb!1c5sFUyn7abiJTC9eum1LjeXEozW00od_eChn1E02CQ


    Last edited by kometata; 2015-04-27 at 02:08 PM

  10. #89
    Re: FlexLM.ECC.Generic.Patcher-Flexlm targets (x86/x64 up to version 11.9.x)

    I made it. Thanks to all who gave me suggestions in the previous posts and topics. Special thanks to @darsy and @istigatore. I will post a tut.
    Now the Linux version is my target..

  12. #90
    Re: FlexLM.ECC.Generic.Patcher-Flexlm targets (x86/x64 up to version 11.9.x)

    Congratulations kometata,
    we wait for your tut.
