The license expiration routines are called in the main function once the serial is checked, and we just jump over that section entirely:
    00000000004080cb mov rsi, qword [ds:License_Serial]
    00000000004080d2 test rsi, rsi
    00000000004080d5 jmp 0x4086c2
    00000000004080da nop
This leads to a code section that performs some consistency checks to determine whether the jump is legitimate - if not, the code winds back and ends in an exception. To avoid that behaviour, we eliminate that section and let M/Monit proceed blindly (from the previous unconditional jump to 0x4086c2, we go forth with a nop sled):
    00000000004086c2 mov edi, 0x434880 ; "License serial: %ld\n", argument "format" for method j_printf, XREF=main+1013
    00000000004086c7 xor eax, eax
    00000000004086c9 call j_printf
    00000000004086ce nop
    00000000004086cf nop
    00000000004086d0 nop
    00000000004086d1 nop
    00000000004086d2 nop
The next invocation of the licensing functions lies in the show function, where an expiration check is performed and the program exits. This can again be avoided by turning a conditional jump into an unconditional one - even though, in this case, the conditional jump would not lead to anything relevant, we just ignore the rest of the function and return:
    000000000040975f mov rcx, qword [ds:License_Expire]
    0000000000409766 test rcx, rcx
    0000000000409769 jmp 0x409a40
    000000000040976e nop
The jump leads out of the function - note that this desired behaviour was found by observing that the undesired outcome, the path taken when the license has expired, would have been to proceed through the rest of the function. It was a long shot, but it yielded results.
libzild is used by mmonit to verify the license and expire the product once the trial period is over. The library is easily patched by short-circuiting the License_verify subroutine with a very long jump over the entire body of the function to the very end:
    License_verify:
    0000000000022370 push r15 ; XREF=License_verify@GOT
    0000000000022372 push r14
    0000000000022374 push r13
    0000000000022376 mov r13, rdi
    0000000000022379 push r12
    000000000002237b push rbp
    000000000002237c push rbx
    000000000002237d mov rbx, rsi
    0000000000022380 sub rsp, 0x268
    0000000000022387 test rsi, rsi
    000000000002238a mov qword [ss:rsp+0x258], 0x0
    0000000000022396 jmp 0x22652
    ; ...
    0000000000022652 add rsp, 0x268 ; XREF=License_verify+38, License_verify+711
    0000000000022659 mov eax, 0x1
    000000000002265e pop rbx
    000000000002265f pop rbp
    0000000000022660 pop r12
    0000000000022662 pop r13
    0000000000022664 pop r14
    0000000000022666 pop r15
That is all it takes - our fleas are happy now.