Procedure

The license expiration routines are called in the main function once the serial is checked and we just jump over that section entirely:

00000000004080cb         mov        rsi, qword [ds:License_Serial]
00000000004080d2         test       rsi, rsi
00000000004080d5         jmp        0x4086c2
00000000004080da         nop        

This leads to a code-section that performs some consistency checks to determine whether the jump is legitimate - if not, the code winds back and leads to an exception. To avoid that behaviour, we eliminate that section and let M/Monit proceed blindly (from the previous unconditional jump to 0x4086c2, we go forth with a nop sledge):

00000000004086c2         mov        edi, 0x434880                               ; "License serial: %ld\\n", argument "format" for method j_printf, XREF=main+1013
00000000004086c7         xor        eax, eax
00000000004086c9         call       j_printf
00000000004086ce         nop        
00000000004086cf         nop        
00000000004086d0         nop        
00000000004086d1         nop        
00000000004086d2         nop        

The next invocation of the licensing functions lies in the show function, where an expiration check is performed and the program leads out. This can again be avoided by turning an conditional jump into an unconditional one - even though, in this case, the conditional jump would not lead to anything relevant, we just ignore the rest of the function and return:

000000000040975f         mov        rcx, qword [ds:License_Expire]
0000000000409766         test       rcx, rcx
0000000000409769         jmp        0x409a40
000000000040976e         nop        

The jump leads out of the function - note that this desired behaviour was obtained by observing that the undesired outcome, when the license would have been expired, would have been to proceed through the rest of the function. It was a long shot, but it yielded results.

Patching the libzild Library

libzild is used by mmonit to verify and expire mmonit once the trial period is over. The library is easily patched by short-circuiting the License_verify subroutine with a very long jump over the entire body of the function to the very end:

                     License_verify:
0000000000022370         push       r15                                         ; XREF=License_verify@GOT
0000000000022372         push       r14
0000000000022374         push       r13
0000000000022376         mov        r13, rdi
0000000000022379         push       r12
000000000002237b         push       rbp
000000000002237c         push       rbx
000000000002237d         mov        rbx, rsi
0000000000022380         sub        rsp, 0x268
0000000000022387         test       rsi, rsi
000000000002238a         mov        qword [ss:rsp+0x258], 0x0
0000000000022396         jmp        0x22652
; ...
0000000000022652         add        rsp, 0x268                                  ; XREF=License_verify+38, License_verify+711
0000000000022659         mov        eax, 0x1
000000000002265e         pop        rbx
000000000002265f         pop        rbp
0000000000022660         pop        r12
0000000000022662         pop        r13
0000000000022664         pop        r14
0000000000022666         pop        r15

Results

That is all it takes - our fleas are happy now. :-)


cracks/mmonit/3.6.2/start.txt ยท Last modified: 2017/04/10 19:56 by Wizardry and Steamworks

Access website using Tor


For the copyright, license, warranty and privacy terms for the usage of this website please see the license and privacy pages.