
About the 2 Flexlm ECC flag....


flexlm
April 4th, 2009, 23:32
In CrackZ's paper, he said:

Flag 1

6AF454 - Set to 1 using a static ADD ECX, 1 instruction at 6AF426; this could be patched to ADD ECX, 0 for a 1-byte change, however Imaris has the same reference, so there must be a variation in code path. By comparing the flow between Imaris and *censored*, we discover the following 'switching' code:

:006AF354 mov edx, [ebp+var_5DC]
:006AF35A cmp dword ptr [edx], 0
:006AF35D jz loc_6AF434 ; 0x0 Imaris, 0x10 *censored*

This is the real switch we have to backtrace, and it's set deep inside the _l_buf_36() routine (described below); the only way I reliably found to locate where the static value is stored is as follows.

i). Breakpoint the _l_buf_36() routine, do d *(esp+8) to display in the data window the pointer to the vendor code structure; in some instances you may need to page in this address via SoftICE.

ii). Set a bpm w on [vendor code structure + 3Ch] and monitor writes; anything other than zero should yield the static location of the data being written there (note that you'll probably get 3 or so breaks on access before finding the right one). Once we've located the correct place we can make a small patch of the static data.

:00405FB6 mov eax, [edx+3Ch]
:00405FB9 add eax, dword_81C7F8 ; 0x10 static data
:00405FBF mov ecx, [ebp+0Ch]
:00405FC2 mov [ecx+3Ch], eax ; Write flag

What's the meaning of the two questions:

1) Breakpoint the _l_buf_36() routine, do d *(esp+8) :
2) Set a bpm w on [vendor code structure + 3Ch] and monitor writes...


How can I locate the ECC Flag 1?

RCER
April 6th, 2009, 22:42
What's the meaning of the two questions:

1) Breakpoint the _l_buf_36() routine, do d *(esp+8): This means that you have to set a BPX at _l_n36_buf(), then look at the stack pointer+8 and follow this address in the dump (this will be your pointer to the vendor code structure). De-reference the pointer (jump to the address the pointer points to).
2) Set a bpm w on [vendor code structure + 3Ch] and monitor writes...: Then set a BPM (memory-on-write breakpoint) at VC + 3CH, now continue debugging and watch the breakpoints on memory write access.

I tried this on one of my ECC targets but was never able to pinpoint the exact location of the ECC flag.

Let me know your progress.

regards

CrackZ
April 10th, 2009, 13:17
flexlm,

Post me a priv message with the target name and I'll endeavour to assist.

From recollection, check that when you do the d *(esp+8) the pointer is actually somewhere valid in memory, I recall there sometimes being a few breaks at _l_36_buf() and the pointer not being valid.

Regards,

CrackZ.

tr1stan
April 11th, 2009, 03:00
Hi,

Is there any other flag which is checked? Because even if I patch the two flag checks, I get the ECC signature check instead of the old one.

Regards
tr1stan

flexlm
May 30th, 2009, 04:33
I have understood CrackZ's approach used to find the 2 ECC flags!

RCER
May 30th, 2009, 09:05
flexlm

Can you PM me your target and give me some clues as to how you found the correct flags?

regards
RCER

kiki
November 24th, 2009, 03:15
My target is protected with Flexlm v11.4.100.0 build 50818 using ECC.

Step 1. Extracting seed1 and seed2... done.
Patching _l_pubkey_verify to return 0 does not work; the target still checks ECC.

Step 2. Patching the target to accept old-style SIGN.
Following CrackZ's paper I only get one flag, Flag 1.

Flag 1.
.text:0040ABC3 mov ecx, [ebp+arg_4]
.text:0040ABC6 mov edx, [ecx+3Ch]
.text:0040ABC9 add edx, dword_56FBEC ; 0x10 static data
.text:0040ABCF mov eax, [ebp+arg_4]
.text:0040ABD2 mov [eax+3Ch], edx ; Write Flag

I can't find Flag 2. According to CrackZ's paper: "6B219C - Set via function call at the start of _lc_new_job()."
I tried to find the function _lc_new_job() but had no luck.
Following the *Tips* by CrackZ, it seems different.

My questions are:
1. Is my Flag 1 correct? What do I have to do with my Flag 1? Do I have to change the static data to 0x0?
2. Is there any other way to find _lc_new_job()?

Thanks, and sorry for my bad English.

*Update:*
I defeated my target.

alex_132
January 24th, 2010, 16:35
kiki
Could you post the answers to your questions?
Also any new details on how you became the winner!

VMatas
February 8th, 2010, 06:51
Are signatures for 11.6 available somewhere? I'm trying to analyze my target, but do not have the SDK to make them myself.