modified flexlm by UNIGRAPHICS -second part
Unassigned
by tsehp
|
modified flexlm by UNIGRAPHICS -second part |
Unassigned | |
|
by tsehp | |
If you are familiar with my previous essay, you will be able after reading this essay
to get the whole license file for SolidEdge v7.0 for all modules. For all others they want
to crack this target I recommend to read my previous essay on this target.
As I recently said : a nice example to show how the software companies are stupid
that they trust Flexlm and the Globetrotter's products. On the second week cracking this target
I could find the place inside ugflex.dll where the license key was compared with the good one.
Again without knowing the encryption algorithm of ugflex /*how amazing !*/.
Part One -let's continue
From the previous essay we know the feature names. That means we can create our fake
license file and much more.. We stopped last time at this location inside ugflex.dll:
04E53827 push edi
04E53828 push esi
04E53829 call sub_4E53E77 ; check if valid
04E5382E add esp, 0Ch
04E53831 test eax, eax ; eax should not be zero
04E53833 jz loc_4E53726 ; jump if bad boy
04E53839 cmp dword ptr [ebp+18h], 3
04E5383D jz loc_4E53924
04E53843 push edi ;license OK -continue
I marked the call "check if valid" because of high possibility where the check is done.
It doesn't seemed to be done elsewhere because our fake license file worked last time we patched
the 04e53833 location. We will now continue with stepping into subroutines as we did last time.
We step into sub_4e53e77:
04E53E77 push ebp
04E53E78 mov ebp, esp
04E53E7A sub esp, 58h
04E53E7D mov [ebp+var_4], 0
.
.
04E53ED2 push eax ;look where this points
04E53ED3 push edi
04E53ED4 push esi
04E53ED5 call sub_4E54AA9
04E53EDA add esp, 10h ; eax - pointer to good license /*if found*/
04E53EDD xor edx, edx
04E53EDF test eax, eax
The sub_4e54aa9 contains:
04E54AA9 push ebp
04E54AAA mov ebp, esp
04E54AAC sub esp, 4
04E54AAF push ebx
04E54AB0 push esi
04E54AB1 push edi ; look at the edi pointer
04E54AB2 mov ebx, [ebp+arg_4]
04E54AB5 push [ebp+arg_C]
04E54AB8 push [ebp+arg_8]
04E54ABB push ebx
04E54ABC mov esi, [ebp+arg_0]
04E54ABF push esi
04E54AC0 call sub_4E54B6B ;our call
04E54AC5 add esp, 10h
04E54AC8 mov edi, eax
04E54ACA lea eax, [ebx+54h]
04E54ACD push eax
04E54ACE call sub_4E55A7B
04E54AD3 add esp, 4
04E54AD6 test eax, eax
04E54AD8 jz loc_4E54B62
Our little call at 4e54ac0 returns the pointer where the good license key is stored. When you
don't have good license key it returns zero. Therefore step in...
You will land inside this long subroutine:
04E54B6B push ebp
04E54B6C xor eax, eax
04E54B6E mov ebp, esp
04E54B70 sub esp, 974h
04E54B76 push ebx
04E54B77 mov [ebp+var_18], eax
04E54B7A push esi
04E54B7B mov [ebp+var_24], eax
04E54B7E push edi
04E54B7F mov esi, [ebp+arg_4]
04E54B82 mov ecx, [ebp+arg_8]
04E54B85 mov [ebp+var_14], eax
04E54B88 mov edi, [esi+50h]
04E54B8B push 6
04E54B8D mov [ebp+var_20], eax
04E54B90 mov [ebp+var_8], ecx
04E54B93 push [ebp+arg_0]
04E54B96 mov [ebp+var_C], eax
04E54B99 call sub_4E60F04
04E54B9E add esp, 8
04E54BA1 cmp eax, 7Fh
04E54BA4 jz short loc_4E54BB7
We will use our old method of jump difference /*runing this sub once with the valid and once
with the fake license*/. There are 21 jumps made with the fake key and 20 jumps with the valid key:
4e54ba4 ok.
4e54bdb ok.
4e54c07 ok.
.
.
.
4e550d2 all ok.
4e55199 oops - the first difference
We sholud now examine what happens around the 4e55199 location.
04E55189 push ecx
04E5518A push [ebp+arg_0]
04E5518D call sub_4E55B03 ; look this time at esi poiter
04E55192 add esp, 18h
04E55195 mov esi, eax
04E55197 test esi, esi
04E55199 jnz short loc_4E5519F
04E5519B xor eax, eax ; bad license
04E5519D jmp short loc_4E551DD
04E5519F cmp [ebp+var_C], 0 ; pointer returned - continue
04E551A3 jz short loc_4E551B7
Step into the sub_4e55b03. Step through this subroutine and write down the jumps. See at
the differences. Again the same until you reach 4e55e58. Use the valid key and you will now see
the loop:
04E55DD8 cmp dword_4E7FC1C, 1
04E55DDF mov bl, [edi] ; edi - pointer to our key
04E55DE1 jle short loc_4E55DF3
.
.
.
04E55E52 cmp byte_4E80940[esi], bl ; compare something
04E55E58 jnz short loc_4E55E79 ;jump to end loop
04E55E5A add edi, 2
04E55E5D inc esi
04E55E5E cmp esi, [ebp+var_8]
04E55E61 jl loc_4E55DD8 ;our loop
04E55E67 push [ebp+arg_10]
04E55E6A push offset byte_4E80940
04E55E6F call sub_4E55F12
04E55E74 add esp, 8
04E55E77 jmp short loc_4E55E7B
As you can see our string is loaded to bl register and something at 04e55e52 is compared with....
Inside this loop you can see:
04E55DF3 movsx ecx, bl ;bl - our key in ASCII format, edi =pointer to the key
04E55DF6 mov edx, off_4E7FA10
04E55DFC xor eax, eax
04E55DFE mov ax, [edx+ecx*2]
04E55E02 and eax, 4
04E55E05 test eax, eax
04E55E07 jnz short loc_4E55E0C
04E55E09 sub bl, 7
04E55E0C shl bl, 4 ;shift 4 bits left
04E55E0F mov al, [edi+1] ;read the next character - pardon nibble
04E55E12 cmp dword_4E7FC1C, 1
04E55E19 mov byte ptr [ebp+var_4+3], al
04E55E1C jle short loc_4E55E2E
.
.
04E55E2E movsx ecx, byte ptr [ebp+var_4+3]
04E55E32 mov edx, off_4E7FA10
04E55E38 xor eax, eax
04E55E3A mov ax, [edx+ecx*2]
04E55E3E and eax, 4 ; and eax
04E55E41 test eax, eax
04E55E43 mov al, byte ptr [ebp+var_4+3]
04E55E46 jz short loc_4E55E4E
04E55E48 lea ebx, [eax+ebx-30h]
04E55E4C jmp short loc_4E55E52
04E55E4E lea ebx, [eax+ebx-37h]
04E55E52 cmp byte_4E80940[esi], bl ;our compare
04E55E58 jnz short loc_4E55E79
In this small loop is the hexadecimal string converted to single bytes and each after other
compared to the bytes at location 4e80940. When the byte matches - the loop continues.
The local pointer esi is increased until it reaches the [ebp+var_8] - variable.
Part Two - let's get them all
What does this mean? Yes, this is the final compare... So next do d 4e80940 and write
down the 6 bytes /*be careful - not dwords, neither words*/. And this will be your license key
-12 characters- of course in hexadecimal format. Do the same with other features -
just bpx at 04e55e52 and d 4e80940 - incredible what the Globetrotters do.
Engineering and reverse engineering - this will help you. Don't ask marketers or businessmen for passwords! You see - how stupid they can be. Just to sell... You should pay for this - the programmers can keep on, but the businessmen too.
homepage
links
search_forms
+ORC
how to protect
academy database
reality cracking
how to search
javascript wars
tools
anonymity academy
cocktails
antismut CGI-scripts
mail_reverser
Is reverse engineering legal?