Seedcode FlexLM 10.8


nnrayan
05-02-2011, 08:19 AM
Dear Masters.

I am trying to generate a license file for a FlexLM 10.8 protected daemon. After reading "Seed Extraction 7.X - 11.4.pdf" I placed
BP#1 on 00418E76
BP#2 on 00418E7C
BP#3 on 00407CE2

00418DFE |. 8845 EF MOV BYTE PTR SS:[EBP-11],AL
00418E01 |. C745 F4 B830736F MOV DWORD PTR SS:[EBP-C],6F7330B8
00418E08 |. C745 FC 00000000 MOV DWORD PTR SS:[EBP-4],0
00418E0F |. C745 F8 00000000 MOV DWORD PTR SS:[EBP-8],0
00418E16 |. C745 F0 03000000 MOV DWORD PTR SS:[EBP-10],3
00418E1D |. 68 00100000 PUSH 1000 ; /Arg2 = 00001000
00418E22 |. 8B4D 08 MOV ECX,DWORD PTR SS:[EBP+8] ; |
00418E25 |. 51 PUSH ECX ; |Arg1
00418E26 |. E8 62500100 CALL 0042DE8D ; \XXX.0042DE8D
00418E2B |. 83C4 08 ADD ESP,8
00418E2E |. 85C0 TEST EAX,EAX
00418E30 |. 74 52 JE SHORT 00418E84
00418E32 |. 8B55 08 MOV EDX,DWORD PTR SS:[EBP+8]
00418E35 |. 8B82 98010000 MOV EAX,DWORD PTR DS:[EDX+198]
00418E3B |. 8B88 DC1C0000 MOV ECX,DWORD PTR DS:[EAX+1CDC]
00418E41 |. 83B9 24050000 00 CMP DWORD PTR DS:[ECX+524],0
00418E48 |. 74 3A JE SHORT 00418E84
00418E4A |. 8B55 10 MOV EDX,DWORD PTR SS:[EBP+10]
00418E4D |. 52 PUSH EDX
00418E4E |. 8B45 0C MOV EAX,DWORD PTR SS:[EBP+C]
00418E51 |. 50 PUSH EAX
00418E52 |. 8B4D 08 MOV ECX,DWORD PTR SS:[EBP+8]
00418E55 |. 8B91 98010000 MOV EDX,DWORD PTR DS:[ECX+198]
00418E5B |. 8B82 DC1C0000 MOV EAX,DWORD PTR DS:[EDX+1CDC]
00418E61 |. 05 28050000 ADD EAX,528
00418E66 |. 50 PUSH EAX
00418E67 |. 8B4D 08 MOV ECX,DWORD PTR SS:[EBP+8]
00418E6A |. 8B91 98010000 MOV EDX,DWORD PTR DS:[ECX+198]
00418E70 |. 8B82 DC1C0000 MOV EAX,DWORD PTR DS:[EDX+1CDC]
00418E76 |. FF90 24050000 CALL DWORD PTR DS:[EAX+524] ===================> BP#1
00418E7C |. 83C4 0C ADD ESP,0C ===================> BP#2
00418E7F |. E9 13010000 JMP 00418F97
00418E84 |> 6A 04 PUSH 4 ; /Arg4 = 00000004
00418E86 |. 8D4D DC LEA ECX,DWORD PTR SS:[EBP-24] ; |
00418E89 |. 51 PUSH ECX ; |Arg3
00418E8A |. 8B55 10 MOV EDX,DWORD PTR SS:[EBP+10] ; |
00418E8D |. 83C2 0C ADD EDX,0C ; |
00418E90 |. 52 PUSH EDX ; |Arg2
00418E91 |. 8B45 0C MOV EAX,DWORD PTR SS:[EBP+C] ; |
00418E94 |. 50 PUSH EAX ; |Arg1
00418E95 |. E8 C9700300 CALL 0044FF63 ; \XXX.0044FF63
00418E9A |. 83C4 10 ADD ESP,10
00418E9D |. C645 EF 00 MOV BYTE PTR SS:[EBP-11],0
00418EA1 |. 8A4D EF MOV CL,BYTE PTR SS:[EBP-11]
00418EA4 |. 884D EE MOV BYTE PTR SS:[EBP-12],CL
00418EA7 |. 8A55 EE MOV DL,BYTE PTR SS:[EBP-12]

.........
..........
.........
00407CB5 |. 8B4D D4 MOV ECX,DWORD PTR SS:[EBP-2C]
00407CB8 |. 8941 04 MOV DWORD PTR DS:[ECX+4],EAX
00407CBB |. 6A 00 PUSH 0 ; /timer = NULL
00407CBD |. FF15 40224D00 CALL DWORD PTR DS:[<&MSVCR71.time>] ; \time
00407CC3 |. 83C4 04 ADD ESP,4
00407CC6 |. 25 FF000000 AND EAX,0FF
00407CCB |. 83F0 6A XOR EAX,6A
00407CCE |. 8B55 D4 MOV EDX,DWORD PTR SS:[EBP-2C]
00407CD1 |. 8842 0A MOV BYTE PTR DS:[EDX+A],AL
00407CD4 |. EB 05 JMP SHORT 00407CDB
00407CD6 |> E9 55010000 JMP 00407E30
00407CDB |> C745 F8 00000000 MOV DWORD PTR SS:[EBP-8],0
00407CE2 |. EB 09 JMP SHORT 00407CED ========================> Bp#3
00407CE4 |> 8B45 F8 /MOV EAX,DWORD PTR SS:[EBP-8]
00407CE7 |. 83C0 01 |ADD EAX,1
00407CEA |. 8945 F8 |MOV DWORD PTR SS:[EBP-8],EAX
00407CED |> 837D F8 0A CMP DWORD PTR SS:[EBP-8],0A
00407CF1 |. 7D 62 |JGE SHORT 00407D55
00407CF3 |. 8B4D F8 |MOV ECX,DWORD PTR SS:[EBP-8]
00407CF6 |. 81E1 03000080 |AND ECX,80000003
00407CFC |. 79 05 |JNS SHORT 00407D03
00407CFE |. 49 |DEC ECX
00407CFF |. 83C9 FC |OR ECX,FFFFFFFC
00407D02 |. 41 |INC ECX
00407D03 |> 0FBE4C0D D8 |MOVSX ECX,BYTE PTR SS:[EBP+ECX-28]
00407D08 |. 8B45 F8 |MOV EAX,DWORD PTR SS:[EBP-8]



After reaching 00407CE2, EDX points to 00354518
00354518 00 00 00 00 CA 00 EA 00 ....Ê.ê.
00354520 78 AB 25 D0 07 94 1A 00 x«%Д.

I changed the bytes to 00, and after that it breaks at BP#2.
ESP points to 0012CBAC

0012CBAC 18 45 35 00 EC 44 35 00 E5.ìD5.
0012CBB4 28 CF 12 00 60 E2 12 00 (Ï.`â.
0012CBBC 60 E2 12 00 B6 B1 42 00 `â.¶±B.
0012CBC4 D4 CB 12 00 00 00 00 00 ÔË.....
0012CBCC 03 00 00 00 B8 30 73 6F ...¸0so
0012CBD4 00 00 00 00 00 00 00 00 ........
0012CBDC A8 D1 12 00 3B 6C 41 00 ¨Ñ.;lA.
0012CBE4 F8 4D 35 00 EC 44 35 00 øM5.ìD5.
0012CBEC 28 CF 12 00 60 E2 12 00 (Ï.`â.
0012CBF4 1C 00 00 00 E4 CC 12 00 ...äÌ.
0012CBFC 50 05 35 00 80 93 94 7C P5.€“”|
0012CC04 F0 CF A4 00 10 00 00 00 ðϤ....
0012CC0C EE FE EE FE 00 00 35 00 îþîþ..5.
0012CC14 B8 CF A4 00 00 00 00 00 ¸Ï¤.....
0012CC1C 08 CD 12 00 40 06 35 00 Í.@5.
0012CC24 0F 00 00 00 EA 76 92 7C ...êv’|
0012CC2C 00 00 35 00 64 77 92 7C ..5.dw’|
0012CC34 B8 CF A4 00 00 00 35 00 ¸Ï¤...5.
0012CC3C 01 00 00 00 00 00 00 00 .......

Here I could not figure out Seed 1 and Seed 2.

Guide me on how to find seed1 and seed2. I am new to reversing and I am not able to follow this point:
"Now Look at the following stack locations: (follow in dump)
o ESP+04: Pointer to vendor name (name of vendor daemon)
o ESP+08: Pointer to vendor code (which now will contain the clean seed 1 and 2)
o VC+04 = Seed1
o VC+08 = Seed2"

Thanks,
nnrayan

Mod: Please close this thread. Reason: wrong section.
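The quoted PDF passage describes a pointer walk: take the dword at ESP+04 as a pointer to the vendor name, the dword at ESP+08 as a pointer to the vendor code structure, then read the two dwords at offsets +04 and +08 of that structure. At BP#2 the three arguments pushed before the CALL are still on the stack because ADD ESP,0C has not yet executed, which is why the layout is given relative to ESP. Below is an added example (not from the poster, the PDF, or FlexLM itself) that performs exactly that walk over an OllyDbg-style hex dump so the little-endian decoding and the offsets are explicit. The dump text is constructed for this example; the addresses, the vendor name "demo" and the seed values 0x12345678 / 0x9ABCDEF0 are placeholders, not real FlexLM data, and the structure offsets are taken from the quoted text rather than from any FlexLM header.

```python
import struct
from typing import Dict

# Constructed OllyDbg-style dump (8 bytes per row, ASCII column after the
# bytes). Addresses and values are dummies chosen for this example only.
# Layout at ESP = 0012CBAC (before ADD ESP,0C):
#   ESP+00: first pushed argument (ignored here)
#   ESP+04: pointer to vendor name  -> 0035D000 ("demo\0")
#   ESP+08: pointer to vendor code  -> 0035D010
#   VC+04 : seed1 (placeholder 12345678), VC+08 : seed2 (placeholder 9ABCDEF0)
SAMPLE_DUMP = """\
0012CBAC 00 00 00 00 00 D0 35 00 ......5.
0012CBB4 10 D0 35 00 00 00 00 00 ..5.....
0035D000 64 65 6D 6F 00 00 00 00 demo....
0035D008 00 00 00 00 00 00 00 00 ........
0035D010 00 00 00 00 78 56 34 12 ....xV4.
0035D018 F0 DE BC 9A 00 00 00 00 ........
"""

SAMPLE_ESP = 0x0012CBAC


def parse_dump(text: str) -> Dict[int, int]:
    """Turn 'ADDR b0 b1 ... b7 ascii' rows into a flat {address: byte} map.

    Only tokens that are exactly two hex digits directly after the address
    are taken as bytes (at most 8 per row); the ASCII column is ignored.
    """
    mem: Dict[int, int] = {}
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 2:
            continue
        try:
            base = int(tokens[0], 16)
        except ValueError:
            continue
        for i, tok in enumerate(tokens[1:9]):
            if len(tok) != 2:
                break
            try:
                mem[base + i] = int(tok, 16)
            except ValueError:
                break
    return mem


def read_u32(mem: Dict[int, int], addr: int) -> int:
    """Read a little-endian dword; x86 stores the low byte first."""
    try:
        raw = bytes(mem[addr + i] for i in range(4))
    except KeyError:
        raise ValueError(f"address {addr:08X} not present in dump")
    return struct.unpack("<I", raw)[0]


def read_cstring(mem: Dict[int, int], addr: int, limit: int = 64) -> str:
    """Read a NUL-terminated ASCII string, stopping at the dump boundary."""
    out = bytearray()
    while len(out) < limit and addr in mem and mem[addr] != 0:
        out.append(mem[addr])
        addr += 1
    return out.decode("ascii", errors="replace")


def extract_seeds(mem: Dict[int, int], esp: int) -> dict:
    """Apply the quoted layout: ESP+04 -> name, ESP+08 -> vendor code,
    VC+04 -> seed1, VC+08 -> seed2."""
    name_ptr = read_u32(mem, esp + 4)
    vc_ptr = read_u32(mem, esp + 8)
    return {
        "vendor_name": read_cstring(mem, name_ptr),
        "vendor_code": vc_ptr,
        "seed1": read_u32(mem, vc_ptr + 4),
        "seed2": read_u32(mem, vc_ptr + 8),
    }


if __name__ == "__main__":
    result = extract_seeds(parse_dump(SAMPLE_DUMP), SAMPLE_ESP)
    print(f"vendor name : {result['vendor_name']}")
    print(f"vendor code : {result['vendor_code']:08X}")
    print(f"seed1       : {result['seed1']:08X}")
    print(f"seed2       : {result['seed2']:08X}")
```

To use it on a real session, paste the stack window contents from the breakpoint and every dump region the pointers lead into (the debugger only shows memory you have scrolled to), then call extract_seeds with the ESP value at the breakpoint; a ValueError tells you which address is missing from the pasted dump.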