NEW '_time' obfuscation area in FLEXlm v10


roli_bark
January 17th, 2008, 08:46
From playing around with a FLEXlm v10.8 target lately, I just want to let you old FLEXlm hackers know that a NEW memory area is used as the _time obfuscation area in newer FLEXlm versions.

To get clear SEEDS revealed, as opposed to the OLD Job Structure area [ where you'd clear 4 random dwords generated by multiple _time calls in "l_n36_buff" ], the new area is noted in "_l_sg" like so:

-----------------------------

.text:00417F35 _l_sg proc near
.text:00417F35 push ebp
.text:00417F36 mov ebp, esp
.text:00417F38 sub esp, 24h
.text:00417F3B mov [ebp+var_14], 0
.text:00417F3F xor eax, eax
.text:00417F41 mov [ebp+var_13], ax
.text:00417F45 mov [ebp+var_11], al
.text:00417F48 mov [ebp+var_C], 6F7330B8h
.text:00417F4F mov [ebp+var_4], 0
.text:00417F56 mov [ebp+var_8], 0
.text:00417F5D mov [ebp+var_10], 3
.text:00417F64 push 1000h
.text:00417F69 mov ecx, [ebp+arg_0]
.text:00417F6C push ecx
.text:00417F6D call sub_42CF2D
.text:00417F72 add esp, 8
.text:00417F75 test eax, eax
.text:00417F77 jz short loc_417FCB
.text:00417F79 mov edx, [ebp+arg_0]
.text:00417F7C mov eax, [edx+198h]
.text:00417F82 mov ecx, [eax+1CDCh]
.text:00417F88 cmp dword ptr [ecx+524h], 0
.text:00417F8F jz short loc_417FCB
.text:00417F91 mov edx, [ebp+arg_8] <--- arg_2 - PTR to vendor structure
.text:00417F94 push edx
.text:00417F95 mov eax, [ebp+arg_4] <--- arg_1 - PTR to vendor name (Id.)
.text:00417F98 push eax
.text:00417F99 mov ecx, [ebp+arg_0] <--- PTR to legacy job structure
.text:00417F9C mov edx, [ecx+198h]
.text:00417FA2 mov eax, [edx+1CDCh]
.text:00417FA8 add eax, 528h
.text:00417FAD push eax <--- arg_0 - PTR to NEW _time obfuscation area
.text:00417FAE mov ecx, [ebp+arg_0]
.text:00417FB1 mov edx, [ecx+198h]
.text:00417FB7 mov eax, [edx+1CDCh]
.text:00417FBD call dword ptr [eax+524h] <- call _user_l_sg (l_n36_buff)
.text:00417FC3 add esp, 0Ch
.text:00417FC6 jmp loc_4180DE

-----------------------------------

In order to get clear de-obfuscated SEEDs, in _user_l_sg, just before the Order/Unique XORs, clear the _time 3 rand dwords at offsets .+0x8, .+0xC, .+0x10 @ arg_0 PTR (new obfuscation area). Then, just as before, break on RETN to get clear seeds [from vendorcode struct .+0x4 & .+0x8] ...

Of course, all the above is ONLY relevant with non-ECC targets ...

dELTA
January 17th, 2008, 12:42
Thanks for the info.

JMI
January 17th, 2008, 13:12
There is a large audience out there always searching for new information on FLEXlm subjects.

Regards,

roli_bark
January 17th, 2008, 13:17
You're welcome. However, since the introduction of ECC, FLEXlm reversal has become a less and less popular subject.

JMI
January 17th, 2008, 13:34
That would most likely be because "many" of those who were "reversing" FLEXlm were most frequently just using "cookie-cutter" tools which others had designed and implemented, without much real understanding of what was occurring behind the scenes, how it worked, or what they were actually doing.

Now that it might take some actual "work" or be more difficult, those folks tend to move on to "easier" subjects and targets with other ready-made "tools."

Real Reversers are always interested in "new" information, even if they only collect and read it and might not actually attempt to implement the information in an actual reversing project. Learning new things and/or expanding one's knowledge base is very useful to keep the brain functioning on an effective level for the rest of life.

Regards,

CrackZ
January 22nd, 2008, 19:07
Ran into this quite a while back; however kudos to roli_bark for posting this method.

I found the seeds slightly differently using memory breakpoints (since the method of license construction obviously remains the same). As an aside, even though Macrovision have now obfuscated all non-essential link names, you can still get a lot of recognition from the last unobfuscated lmgr.lib (FLEXlm v9.5).

Regards

CrackZ.

dELTA
January 23rd, 2008, 13:38
Quote:
As an aside, even though Macrovision have now obfuscated all non-essential link names you can still get a lot of recognition from the last unobfuscated lmgr.lib (FLEXlm v9.5).
And if you have some good ready-made IDA signatures for that, you are of course very welcome to upload them to the already quite nice collection of dongle signatures in the CRCETL, at:

http://www.woodmann.com/collaborative/tools/Category:Dongle_IDA_Signatures


JMI
January 23rd, 2008, 13:40
I added a space to the link so that it wouldn't have a smilie face in the middle because of the ":" next to the "D" which produced a !

Regards,

dELTA
January 23rd, 2008, 13:48
Actually, I fixed the link (simply by activating the "Disable smilies in text" post option, which would rather be the more appropriate way of doing it, since it keeps the link going to the right place) apparently right before you did that, so I've now restored it to working order again. Thanks for your concern as ever though.

JMI
January 23rd, 2008, 14:34
True! That's probably the "more correct way."

But even with the added space in the link, it still defaulted to the "correct" listing, if one wanted to have both a link with an ":" followed immediately by a "D" and still have other smilies in the post.

But I realize the CRCETL is "your baby" and you want everything about it to be "perfect."
Which is, of course, not a "bad" thing to want.

Regards,

kiki
February 2nd, 2009, 04:45
I have a problem finding the seed in a FLEXlm 11.0 target; it's very similar to the code above. Here is my code in IDA:

=============inside _l_sg=============
.textidx:00492BF9 jz short loc_492C4D
.textidx:00492BFB mov edx, [ebp+arg_0]
.textidx:00492BFE mov eax, [edx+19Ch]
.textidx:00492C04 mov ecx, [eax+1CDCh]
.textidx:00492C0A cmp dword ptr [ecx+524h], 0
.textidx:00492C11 jz short loc_492C4D
.textidx:00492C13 mov edx, [ebp+arg_8] ; ptr to vendor code structure
.textidx:00492C16 push edx
.textidx:00492C17 mov eax, [ebp+arg_4] ; ptr to vendor code name
.textidx:00492C1A push eax
.textidx:00492C1B mov ecx, [ebp+arg_0] ; ptr to job structure
.textidx:00492C1E mov edx, [ecx+19Ch]
.textidx:00492C24 mov eax, [edx+1CDCh]
.textidx:00492C2A add eax, 528h
.textidx:00492C2F push eax ; PTR to New Time Obfuscation
.textidx:00492C30 mov ecx, [ebp+arg_0]
.textidx:00492C33 mov edx, [ecx+19Ch]
.textidx:00492C39 mov eax, [edx+1CDCh]
.textidx:00492C3F call dword ptr [eax+524h] ; <- call _user_l_sg (l_n36_buff)
.textidx:00492C45 add esp, 0Ch
.textidx:00492C48 jmp loc_492D60
============

According to roli_bark's description, I have to clear the _time 3 rand dwords at offsets .+0x8, .+0xC, .+0x10 @ arg_0 PTR (new obfuscation area).

I stepped inside the call and there I found many _time function calls.
============== cut=========
.text:0041118E
.text:0041118E loc_41118E: ; CODE XREF: sub_411140+44j
.text:0041118E lea edx, [ebp+var_1C]
.text:00411191 mov [ebp+var_2C], edx
.text:00411194
.text:00411194 loc_411194: ; CODE XREF: sub_411140+4Cj
.text:00411194 cmp [ebp+arg_0], 0
.text:00411198 jz loc_41140E
.text:0041119E push 0 ; Time
.text:004111A0 call _time
.text:004111A5 add esp, 4
.text:004111A8 xor eax, 65001Ch
.text:004111AD mov ecx, [ebp+var_2C]
.text:004111B0 xor eax, [ecx+4]
.text:004111B3 mov edx, [ebp+var_2C]
.text:004111B6 mov [edx+4], eax
.text:004111B9 push 0 ; Time
.text:004111BB call _time
.text:004111C0 add esp, 4
.text:004111C3 and eax, 0FFh
.text:004111C8 xor eax, 7Eh
.text:004111CB mov ecx, [ebp+var_2C]
.text:004111CE mov [ecx+0Fh], al
.text:004111D1 push 0 ; Time
.text:004111D3 call _time
.text:004111D8 add esp, 4
.text:004111DB xor eax, 0A0050h
.text:004111E0 mov edx, [ebp+var_2C]
.text:004111E3 xor eax, [edx+4]
.text:004111E6 mov ecx, [ebp+var_2C]
.text:004111E9 mov [ecx+4], eax
.text:004111EC push 0 ; Time
.text:004111EE call _time
.text:004111F3 add esp, 4
.text:004111F6 and eax, 0FFh
.text:004111FB xor eax, 0B3h
.text:00411200 mov edx, [ebp+var_2C]
.text:00411203 mov [edx+10h], al
.text:00411206 push 0 ; Time
.text:00411208 call _time
.text:0041120D add esp, 4
.text:00411210 xor eax, 50h
.text:00411213 mov ecx, [ebp+var_2C]
.text:00411216 xor eax, [ecx+4]
.text:00411219 mov edx, [ebp+var_2C]
.text:0041121C mov [edx+4], eax
.text:0041121F push 0 ; Time
.text:00411221 call _time
===============cut===========

And my question is:
Where do I have to clear the 3 rand dwords, as roli describes, so I can get the clear seed?


Any guidance is welcome.

regards,
kiki

PS:
I have no problem finding the correct seed with FLEXlm 7-9.

RCER
February 6th, 2009, 05:13
kiki,

Quoting roli bark:

where you'd clear 4 random dwords generated by multiple _time calls in "l_n36_buff" ], the new area is noted in "_l_sg" like so:
Unquote.
What this means is that the multiple calls to time are responsible for the randomness in the vendor code after returning from the _l_n36_buff call.
So you will find your point of interest after the last call to _time.

Clue: look for a JMP instruction


Regards

RCER

kiki
February 6th, 2009, 05:24
RCER, thanks, for your guide..
will try it, and inform my progress

JMI
February 6th, 2009, 16:40
Hey guys:

Try not to use the "Quote" button, unless "quoting" is necessary to make your Reply clear. It just adds to the size of the database and the length of the Thread, without adding new information.

The "Button" on right, that looks like a page of text with a down arrow on it is the "Quick Reply" button, which does not quote the previous message. Or simply use the "Post Reply" button on the bottom left.



Regards,

RCER
February 7th, 2009, 00:49
JMI,

O.K. and point well taken.


Regards
RCER

zhide1983
February 12th, 2009, 21:53
Hi, RCER

I compared the asm code with the lm_new.c code, and got:

1. A structure pointer t is a JOB pointer actually, and t->a[12] is the real job+8, job+b, and job+c data;
2. I found the position calling function 'time(0)' in the C code, which corresponds to the '_time' function you mention above.
3. My FLEXlm version is 10.8. Do you mean that when this function returns, the job structure is a wrong one, obfuscated by the _time function? Is it different from pre-v10 versions?
4. If yes, then how does it record the random information introduced by _time, and how could it recover it?
5. Could you plz tell me how to get the correct JOB+8/b/c data?

Thank you very much...

RCER
February 15th, 2009, 23:54
zhide1983


Locate the first jmp at the end of multiple calls to _time.
( EB 09 JMP SHORT callmd.0040C227)

Break at this jump and check the memory address inside ecx or edx (follow in dump). One of them will contain the location of the new obfuscation area.

Zero out the random data and break on RET.

regards

kiki
February 16th, 2009, 01:20
RCER:
According to your instruction above, I found the edx address and dumped the content:

debug027:014826A0 66 00 00 00 32 00 91 00 2A 24 76 EC 20 07 1E 00 f...2..*$v .
debug027:014826B0 00 00 EC 00 00 00 00 00 00 00 00 00 00 00 00 00 ...............
debug027:014826C0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
debug027:014826D0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
debug027:014826E0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
debug027:014826F0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
debug027:01482700 00 00 00 00 00 00 00 00 60 11 48 01 50 2C 48 01 ........`HP,H
debug027:01482710 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

My question is:
- Where do I have to zero out the random data?
Do I have to zero out this: 2A 24 76 EC 20 07 1E 00 00 00 EC 00 ?

thank you

RCER
February 16th, 2009, 11:51
kiki,

If this was a pre-v10 target you would have to zero job+4 --> job+13

32 00 91 00 2A 24 76 EC 20 07 1E 00 00 00 EC 00

However for v10 & up, the obfuscation is different from the job structure, and starts with 00 00 00 00 instead of 66 00 00 00

I think you set your break point in the wrong spot

(The principle remains the same however meaning that you have to zero
obf+4 --> obf+13)

pm me a link to the vendor daemon and license file

regards
RCER

zhide1983
February 16th, 2009, 19:51
Hello,

Yes, the job structure is just as you said, starting with 0000 while not 66. I thought I got the wrong spot just because of the missing 0x00000066. (My FLEXlm version is 10.x)

In the previous version, we break after calling the _l_sg() and find the JOB structure from the ESP pointer, and use CALCSEED.exe to calculate the encrypted seeds 1 & 2. Any difference in v10.x if I still use CALCSEED.exe?

I have tried two different FEATUREs and got the same seeds 1 & 2, but the vendor daemon cannot accept the license I generated, reporting INVALID LICENSE FILE. I checked the guide and found that maybe the seeds were wrong.

thank you

kiki
February 16th, 2009, 23:09
I'm sorry, the dump content of edx in my post #18 is from a different vendor.
Here is the dump content from the same vendor:

Break on the jmp instruction,
dump content of edx:
debug021:00F82BC0 01 00 00 00 40 11 41 00 00 00 00 00 60 00 79 00 ...@A.....`.y.
debug021:00F82BD0 43 97 EA 57 BA 07 3A E8 25 FD B8 3D 00 00 00 00 CW:%=....
debug021:00F82BE0 00 00 00 00 F8 77 F8 00 00 00 00 00 C0 16 40 00

I zeroed it out, but never got the clear seed.

check your pm.

thanks

RCER
February 17th, 2009, 05:12
Kiki,

I have zeroed the values below and, after breaking on return, got the clear seeds in VC+4 and VC+8.

003D4530 00 00 00 00 60 00 79 00 74 A0 DD 6C 8D 30 0D DF ....`.y.t*l0.
003D4540 12 CA 8F 0A 00 00 00 00 00 00 00 00 E0 8F 3D 00 ʏ.........=.
003D4550 00 00 00 00 C0 16 40 00 40 FE 3D 00 00 00 00 00 ....@.@=.....
003D4560 00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 ...............

I have PM'd you the seeds

Regards
RCER

kiki
February 17th, 2009, 08:33
RCER:
thank you very much!
I got a clear view of the clear seed now.

I played with another vendor on v8-v9 and found that using the Nolan Blender technique the result is correct.
Next I'll play with a vendor that implements CRO/TRO, and hope you will guide me too.

RCER
February 18th, 2009, 07:07
Hi zhide1983

see my comments in Blue

Quote:
Originally Posted by zhide1983:
Hello,

Yes, the job structure is just as you said, starting with 0000 while not 66. I thought I got the wrong spot just because of the missing 0x00000066. (My FLEXlm version is 10.x)

In the previous version, we break after calling the _l_sg() and find the JOB structure from the ESP pointer, and use CALCSEED.exe to calculate the encrypted seeds 1 & 2. Any difference in v10.x if I still use CALCSEED.exe?

The obfuscation algorithm has not changed in the newer FLEXlm versions, which means that calcseed will still produce the correct encryption seeds, as long as you input the job values from the new obfuscation area (starting with 00 00 00 00).

I have tried two different FEATUREs and got the same seeds 1 & 2, but the vendor daemon cannot accept the license I generated, reporting INVALID LICENSE FILE. I checked the guide and found that maybe the seeds were wrong.

send me a PM with a link to the VD and lic file, and I will see if I can help

thank you


Regards

RCER

zhide1983
February 25th, 2009, 22:03
Hi, RCER

I've already PM you, thanks.

kiki
March 27th, 2009, 01:37
Hi RCER, I've played with a target using FLEXlm v.10 and I think I've got the correct seed 1 and seed 2, but the license I generated is invalid.

If you don't mind, I'll PM you the target and see if the seed I've found is correct.

thank you

Please check your PM

RCER
March 27th, 2009, 01:41
O.K. no problem

go ahead

regards
RCER

kiki
March 28th, 2009, 02:16
Hi, RCER
Please check your PM, I've already sent you the vendor daemon and sample lic.

thank you

TaTa
May 11th, 2009, 03:39
Thanx for information.

Regards

TaTa