NEW '_time' obfuscation area in FLEXlm v10 by roli_bark
From playing around with FLEXlm v10.8 target lately, I just want to let you old FLEXlm hackers know, that a NEW memory area is used for _time obfuscation area in newer FLEXlm versions.

To get clear SEEDS revealed, as opposed to the OLD Job Structure area [ where you'd clear 4 random dwords generated by multiple _time calls in "l_n36_buff" ], the new area is noted in "_l_sg" like so:

-----------------------------
.text:00417F35 _l_sg proc near
.text:00417F35 push ebp
.text:00417F36 mov ebp, esp
.text:00417F38 sub esp, 24h
.text:00417F3B mov [ebp+var_14], 0
.text:00417F3F xor eax, eax
.text:00417F41 mov [ebp+var_13], ax
.text:00417F45 mov [ebp+var_11], al
.text:00417F48 mov [ebp+var_C], 6F7330B8h
.text:00417F4F mov [ebp+var_4], 0
.text:00417F56 mov [ebp+var_8], 0
.text:00417F5D mov [ebp+var_10], 3
.text:00417F64 push 1000h
.text:00417F69 mov ecx, [ebp+arg_0]
.text:00417F6C push ecx
.text:00417F6D call sub_42CF2D
.text:00417F72 add esp, 8
.text:00417F75 test eax, eax
.text:00417F77 jz short loc_417FCB
.text:00417F79 mov edx, [ebp+arg_0]
.text:00417F7C mov eax, [edx+198h]
.text:00417F82 mov ecx, [eax+1CDCh]
.text:00417F88 cmp dword ptr [ecx+524h], 0
.text:00417F8F jz short loc_417FCB
.text:00417F91 mov edx, [ebp+arg_8] <--- arg_2 - PTR to vendor structure
.text:00417F94 push edx
.text:00417F95 mov eax, [ebp+arg_4] <--- arg_1 - PTR to vendor name (Id.)
.text:00417F98 push eax
.text:00417F99 mov ecx, [ebp+arg_0] <--- PTR to legacy job structure
.text:00417F9C mov edx, [ecx+198h]
.text:00417FA2 mov eax, [edx+1CDCh]
.text:00417FA8 add eax, 528h
.text:00417FAD push eax <--- arg_0 - PTR to NEW _time obfuscation area
.text:00417FAE mov ecx, [ebp+arg_0]
.text:00417FB1 mov edx, [ecx+198h]
.text:00417FB7 mov eax, [edx+1CDCh]
.text:00417FBD call dword ptr [eax+524h] <- call _user_l_sg (l_n36_buff)
.text:00417FC3 add esp, 0Ch
.text:00417FC6 jmp loc_4180DE
-----------------------------------

In order to get clear de-obfuscated SEEDs, in _user_l_sg, just before Order/Unique XORs, clear the _time 3 rand dwords at offsets .+0x8, .+0xC, .+0x10 @ arg_0 PTR (new obfuscation area). Then, just as before, break on RETN to get clear seeds [from vendorcode struct .+0x4 & .+0x8] ...

Of course, all the above is ONLY relevant with non-ECC targets ...