The publisher of the software package that I mentioned in a previous post entitled " Embedded Linux based internet appliance keygen" just published an update. So, I grabbed the pertinent file (the shared object) and threw it into IDA. A quick cursory glace shows that in one aspect they STILL haven't learned their lesson. As they still don't strip it before shipping it. So, all the important functions "VerifyKey" "IsTrialKey", etc. are still labeled automatically by IDA. And it looks like their algorithm is still the same for computing the keys.
BUT! Maybe they've learned something. Now, when you enter a key, they package it up, and send it to their webserver for verification. How do I know this? Simple! There's now a function called "SendActivationRequest". And, a quick spin through that function shows that it builds a nice URL, with a hashed component, and the normal sections for serial number, etc. Then, they use libcurl to send this to themselves for verification.
Could I whack this step, and make it always assume that it succeeded? Sure, but the truth is. There's NO WAY, short of a FULL tracing of all the possible code paths, to know that they don't send this data somewhere else, at some random time. And, since this isn't a "warez" release for the world, and just a mod for some friends, I don't want to be responsible for them getting in trouble for using it. So, I'm not going to touch this new version.
The device that this code runs on, HAS to be connected to the network, and in some cases, the internet. So, short of blocking all the companies IPs/domains in the firewall, you just can't be sure.
Lastly, they now appear to have *2* blacklists for unauthorized serial numbers. The normal "compile time" one. (list of them is in the .so itself), and they also now have a list on their server. How do I know this? Maybe it could be because of the function called "UpdateOnlineBlacklist".
So, there you have it. Some people DO pay attention, and learn, while others do the same thing over and over. Or worse yet, rely on some 3rd party to do it for them.
Sunday, November 1, 2015
Subscribe to:
Posts (Atom)