
what is the correct path


Silkut
December 20th, 2010, 06:05
Hi everyone,


I have a piece of software embedded in a BSD distribution for remote IP camera control. It is currently limited to x cams and n streams.


A menu is called from the shell with a command (bash script) that invokes the program causing my troubles.
I don't believe it to be protected with anything, I'm just rusty at finding the correct path, especially with ELF and UNIX.


So when everything is installed it relies on a key file containing the licence information:

Quote:
9999|C|Software DEMO|00000|FreeBSD|5.9.4.5|8|4|GSi8CIHRhX12X2Pj

FORMAT: unknown|unknown|licensee name|postal code|operating system|soft version|number of streams|number of cams|licence



There are a few functions of interest:
check_key: parse the keyfile, hardware signature, call keysigcheck
Code:
.text:08070C50


keysigcheck: parses the key and does MD5 operations on it (Init, Update, Final), so I guess it's a kind of integrity check; there are a few xrefs to this one but I can easily nop the calls...
Code:
.text:080705D0


check_license: reads the key, calls keysigcheck and then enters DEMO or LIMITED mode and tells me I am limited to x cams and n streams
Code:
.text:080707F0



install_license: opens the keyfile, reads the key, processes the serialization, and writes/saves the key (I guess it's to edit the licence information)
Code:
.text:08070CF0



view_license: prints the licence information and calls keysigcheck several times...
Code:
.text:080709A0



My problem is that I'm not sure it uses all the functions above due to the DEMO state. It may look pretty obvious so far, but several patching attempts always resulted in a data serialization fail.

I want the software to accept more cams and streams (and therefore bypass the key signature verification and demo limitations). If someone would be kind enough to point out my mistakes or the right path.

I'm using IDA for deadlisting, CFF Explorer for patching.

As the code for each function is vast, it'd be vain to paste it (I put the address instead).

ELF file http://www.mediafire.com/?7q3b60t3i8i8n80
MD5: 19a843bab9119e86cb1cfab10456fe49

Thanks.

Regards,
S~

Silkut
December 20th, 2010, 10:23
One more detail.

The 4 cams and 8 clients limitation is hardcoded, as we can see here:

Code:
.text:080707F0 ; =============== S U B R O U T I N E =======================================
...
.text:0807083E loc_807083E: ; CODE XREF: scamd_check_license+132j
.text:0807083E mov eax, ebx
.text:08070840 call keyfree
.text:08070845 cmp edi, 0
.text:08070848 jl loc_80708E7
.text:0807084E mov esi, esi
.text:08070850 jnz short loc_80708C0
.text:08070852 mov edx, [ebp+arg_0]
.text:08070855 mov eax, offset aDemo ; "DEMO"
.text:0807085A mov dword ptr [edx+2Ch], 2
.text:08070861
.text:08070861 loc_8070861: ; CODE XREF: scamd_check_license+EDj
.text:08070861 ; scamd_check_license+1A6j
.text:08070861 mov dword ptr [esp+10h], 5
.text:08070869 mov [esp+0Ch], eax ; arg
.text:0807086D mov dword ptr [esp+8], offset aWarningEnterin ; "WARNING: Entering %s mode (recording li"...
.text:08070875 mov dword ptr [esp+4], offset aScamd_check_li ; "scamd_check_license"
.text:0807087D mov dword ptr [esp], 0 ; int
.text:08070884 call mydebug
.text:08070889 cmp [ebp+var_24], 4
.text:0807088D jg loc_8070957
.text:08070893
.text:08070893 loc_8070893: ; CODE XREF: scamd_check_license+192j
.text:08070893 cmp [ebp+var_28], 8
.text:08070897 jg loc_8070927


Pseudocode:
Code:
signed int __cdecl scamd_check_license(int a1)
{
  bool v1; // edi@1
  int v2; // eax@5
  signed int result; // eax@8
  char v4; // ST0C_1@15
  char v5; // [sp+28h] [bp-40h]@1
  char v6; // [sp+2Ch] [bp-3Ch]@10
  int v7; // [sp+40h] [bp-28h]@7
  int v8; // [sp+44h] [bp-24h]@6
  char v9; // [sp+4Ch] [bp-1Ch]@1

  memset(&v5, 0, 0x24u);
  keyread();
  v9 = 124;                       // 124 == '|', the field separator of the key file
  v1 = hw_sig();
  if ( v1 < 0 )
  {
    keyfree();
  }
  else
  {
    v1 = keysigcheck((int)&v5, (int)&v9);
    if ( !v1 )
    {
      v9 = 0;                     // second attempt with a NUL separator
      v1 = -((unsigned int)keysigcheck((int)&v5, (int)&v9) < 1);
    }
    keyfree();
    if ( v1 >= 0 )
    {
      if ( v1 )
      {
        if ( v6 == 67 )           // 67 == 'C', the second field of the key ("C")
        {
LABEL_8:
          *(_DWORD *)(a1 + 292) = v8;   // number of cams
          *(_DWORD *)(a1 + 284) = v7;   // number of clients/streams
          return 1;
        }
        if ( v1 <= 0 )
        {
          *(_DWORD *)(a1 + 44) = 2;     // mode = DEMO
          v2 = (int)"DEMO";
        }
        else
        {
          *(_DWORD *)(a1 + 44) = 1;     // mode = LIMITED
          v2 = (int)"LIMITED";
        }
      }
      else
      {
        v2 = (int)"DEMO";
        *(_DWORD *)(a1 + 44) = 2;
      }
      mydebug(0, (int)"scamd_check_license", "WARNING: Entering %s mode (recording limited to %d%% of disk space)", v2);
      if ( v8 > 4 )
      {
        v8 = 4;                   // hardcoded cam limit
        mydebug(0, (int)"scamd_check_license", "WARNING: limiting to %d cameras due to DEMO mode ", 4);
      }
      if ( v7 > 8 )
      {
        v7 = 8;                   // hardcoded client limit
        mydebug(0, (int)"scamd_check_license", "WARNING: limiting to %d clients due to DEMO mode ", 8);
      }
      goto LABEL_8;
    }
  }
  result = 0;
  if ( v1 == -1 )
  {
    mydebug(0, (int)"scamd_check_license", "WARNING: invalid license key !", v4);
    result = 0;
  }
  return result;
}


Changing those values may be hazardous, considering they may be hardcoded somewhere else...

Also, there are two modes, "demo" and "limited", depending on the result of keysigcheck.
The only difference seems to be the disk space usage...

In your opinion, is there a way to fix this (see my question in the first post) without patching everywhere like a chainsaw? It looks like it's only made for demo, but I'm rather pessimistic anyway...

YO!