I have a DLL that is used as part of webpage (ASP code). This DLL now shows a Expired Now please purchase information. So I thought bring out trusty debugger and have a look see.

The following Information I have found out.
1) the DLL is called when required by the webpage via Inetinfo (Personal Webserver). No significant registry checks are conducted.
2) Filemon shows no weird activity License file etc
3) DLL is digitally signed by Verisign. Sign Algo md5RSA RSA (512bits)
It has a 'Valid from' and 'Valid to' date
Also a 'Signing Time'
4) DLL is written In Visual Basic 6.0 (PEid)
5) Found expiration Date after installing today is 1 March So more than 30 Days. (moving Date forward Produces 'Please Register Me Option'. Moving Date back clears the Please Register Me.)

So question is what method of attack is going to work.
Can the Dll use the Digital Signature Date Information to check for expiration.
Can the Digital Signature be removed.
What information is entered into the registry when you regsvr32 the DLL.
Is an installation date stored anywhere in the system???
How do you patch a digitally signed DLL?? (no loaders to path memory)

Actually debugging is also interesting. What method of investigation will lead me down the path

Peterg70

Edit: Does anyone have a listing of the Functions contained inside the MSVBVM60.DLL file. Something Like an API reference file. Name,ShortDescr,Arguements,Return

why not just disassemble and trace back from the string reference to "Expired Now..." to see what caused the app to reach that point in code?


use google

g'day peterg70

>> Can the Dll use the Digital Signature Date Information to check for expiration.
Yes.. you can programmatically check for and retrieve information from a digital signature/certificate.

>> Can the Digital Signature be removed.
Yes.. but it depends on the implementation.

>> What information is entered into the registry when you regsvr32 the DLL.
The dll is implemented as a COM object. regsvr32 registers (makes available) the COM object to windows. Basically a class id (clisd) is entered into the registry with the location of the object, its name, threading mode, program id etc. Other data can be found here, but it depends on the object..

>>Is an installation date stored anywhere in the system???
Not sure what you mean, but the dll probably implements its own date check scheme.

>>How do you patch a digitally signed DLL?? (no loaders to path memory)
Depends on the implementation..

>>So question is what method of attack is going to work.
>>Actually debugging is also interesting. What method of investigation will lead me down the path

As it is a COM object, you use the dll in any development environment that allows access to COM objects.. for example VB.. This will allow you to load the object and access/call its properties and methods.. You can also make an executable that calls the dll to debug it.. However not all methods may be accessible/triggered because it wants a webpage.

Zac