Hi Carlitos
Share your daemon vendor and install of target (upload MEGA)
I'll help you
Regards
Hi bilbobaggins,
Yes, it's l_prikey_sign. I fully understand that it's caused by an IDA limitation, and this proc is not directly called, so IDA can't convert it to a proc directly. After manually creating the function, I can trace it now. Thanks for the great help, I need to look at more IDA docs for such tips.
I just set up the macosx environment and matlab in a virtual machine. What file do you analyze in IDA? I find that MLM (daemon program) seems to be obfuscated. There is ecc in 2014alibmwservices.dylib/2014alibmwservices_p.dylib/2014blibmwservices.dylib/2014blibmwservices_p.dylib, but l_prikey_sign/l_pubkey_verify is not found directly; l_sg/l_checkout and some other functions are non-obfuscated. My IDA is the 6.6 windoze version, matlab is the 2014b mac version. Please help share your steps and tool version/platform, thanks a lot.
Last edited by dionysosww; 2015-05-09 at 11:36 AM
Hi dionysosww,
There is only one file you need to be concerned with .. libmwservices.dylib. (In the windoze version there are 4 files, PST.exe, compiler.dll etc., but in Macosx, normally only the one file.) If I recall, MLM just uses libmwservices.dylib. As Matlab will run standalone or server, will just work with it in standalone mode.
Some functions will not be found directly because .. well, IDA hasn't traversed the code, so it hasn't identified them as functions yet. However, it does know their "names" as that hasn't been obfuscated. View NAMES and you'll see pretty much all Flexlm "functions". Some will have a "D" symbol if they haven't been identified yet. In the NAMES window, find _l_pubkey_verify. Double click on it and it'll take you to the start of the routine. IDA hasn't even defined the bytes as CODE, so left click the first bytes, right click and select CODE, right click CREATE FUNCTION. Poof .. _l_pubkey_verify appears in the functions list. Very simple. IDA is an incredibly powerful tool but sometimes needs a little help. (Analyze obfuscated malware and you'll be "helping" IDA a lot.)
It's not always necessary though .. Load MATLAB2015a MACOSX in IDA and it finds most functions correctly at the start, with no help. The linux versions (MATLAB for example) are similar. IDA is basically telling you it needs help .. you just have to look at the NAMES and go from there. Just take a few minutes to scan the names and you'll see references to the Flexlm src that you have. Like _l_n36_buff, lmpubkey.h etc.
I should also mention that there will be occasions when IDA "gets it wrong" and makes mistakes. You'll have to UNDEFINE the bytes, then CODE, then CREATE FUNCTION etc... How do you know when you need to do that? That will come with experience.
EDIT: One thing I forgot to mention: Chris Eagle's IDA Pro Book (2011, 2nd edition) is still a fantastic resource for using IDA (just in case you weren't already aware of that). Chapter 21 provides a great overview of the challenges that disassemblers face when performing static analysis.
Hope this helps
Last edited by bilbobaggins; 2015-05-10 at 12:58 AM
thanks alekine322, check your pm box
Hi bilbobaggins,
I would say this is a great guide to identify functions when IDA fails. I followed it and can identify most famous functions in flex now; this also solved my question of why some programs look confusing in IDA. Really appreciate your help!
I didn't find the Matlab2015a osx version; 2014b osx is also non-obfuscated, and following names to create functions is very convenient. The 2014b linux version shows much fewer names, however the important functions are included there. My plan is to traverse the flexlm sign proc in IDA. For matlab, libmwservices.dylib contains the main ecc, and is dynamically loaded by MLM or Matlab. I have experience dealing with a daemon or main program with ecc, but have no idea on such dylib/so/dll. Could you please point me to some tutorial/webpage on this? I just need the right direction. Sorry for so many questions, I really learned a lot from your answers.
Thanks
dionysosww & bilbobaggins, I checked the last matlab version, the R2015a x64 and x86, and the ecc is not obfuscated at all.. Even the python extensions that contain the flexnet routine.. And the patch made of TBE is the usual ECC.. So maybe the linux and the mac versions have the same building.. And patching the ECC is easy.. I also found my holes to work without licenses, and those holes are present also in the tecnosoft target...
istigatore,
Thanks. Yes, Matlab2015a was just a _l_pubkey_verify patch as it has been in prior years. (I do recall having to patch _l_prikey_sign as well in 2014a?) It's been a while since I looked at it.
I have fixed both 2015a Linux and Macosx as they were the same Flexlm as windoze. I only suggested using the Macosx version as a guide as the function names are not obfuscated as they appear to be in windoze. It has made it easier, for me, to navigate in IDA/FLEXLM without using signature files. (Although I do see what you mean about the python functions, I'm ashamed to say that I never noticed that ... Doh!)
I'm extremely interested in how to get FLEXLM targets to work without a license, as I've always assumed that it wasn't practical, too many patches etc. Is there any way I could convince you to point us in the right direction? Truth be told I'm far more interested in FLEXLM and its inner workings than using any of the targets I've worked on. You obviously know your way around in flexlm, while I'm just scratching the surface.
Any hints you wouldn't mind sharing? I've been concentrating on the lm_checkout routine with little success. I find myself patching this to get to that, patching that to get this and so on and so on... a very simplistic "serial" approach that lacks any real "3D" or system level approach.
I did successfully patch Vivado 2014.4 (11.11.x.x.) to run without a license, but then the author implemented only very basic flexlm options/protections. It did provide a little deeper insight into flexlm, but I'm still stumbling on "multi option" flexlm targets.
regards,
SB7
Last edited by bilbobaggins; 2015-05-11 at 10:59 AM
bilbobaggins, watching your posts I see you are good with IDA.. Patching the program to work without a license is not hard.. It works with all flex targets and with some trusted storage targets.. Even if some programs do not accept it if you patch the checkout and you still need a fake license file.. Good hunt
Patching lm_checkout used to be easy in the past, and you could run programs without a license file. But that was changed in higher flexlm versions, and it doesn't work anymore.