Ltrace: The Tool.
XprismPro 1.0
Written by SiuL+Hacky

Some months ago Snatch and +Fravia presented what probably is one of the more powerful tools available for win32 analysis: Numega SmartCheck. I do agree, is just a perfect engine that must be tuned. If you run a linux box, now you can enjoy that power again, though you'll not get those beautiful menus and windows ( but it would fit in an old low density 5 1/4 diskette )

Ltrace ftp://ftp.debian.org/pub/
Dasm ( available in older essays)
DDD http://www.cs.tu-bs.de/softech/ddd

XprismPro: http://www.khoral.com (though i fear the demo is no longer availabe)

After partially solving the problem of disassembling in linux, I studied how such a
powerful win32 tool could be ported to linux ( BTW, you should know that last versions of
IDA support ELF-32 exectutables, so you can run IDA via dosemu. For most of the cases I
find dasm handy enough for the task, but IDA fans will be able to use it under Linux).
Sadly in the last times I don't have the time I used to, and moreover, it turned to be a
BiG project that needed a lot of time. For that time I was told that someone was developing a
debian package, called ltrace that covered the main lack of linux analysis tools. As you
should know there's a very valuable tool called strace (see my first linux essay, presenting basic
tools) that monitors system calls, well ltrace does accomplish it with shared library function calls.

I don't know if you all understand what that means, remember that shared libraries in
linux are quite important and practically EVERY app calls functions from C library, X
library or Xt library.

The program is being developed by a linux magician called Juan Céspedes under GNU license,
so you cannot only enjoy it for free, but take the source code and try to improve it
yourself. I'm sure many +hcukers would be quite happy ameliorating applications that carry
the source code (and imagine if they were commented ). The features of the program are
being increased because it is now in a developing stage, but currently you can trace all
shared lib. calls or select a group of them. The parameter definition of the shared calls
is specified in a configuration file located at /etc/ltrace.conf. The definition is quite
simple and you can add whatever function you fancy in a format like this:

; ltrace.conf

; Argument types:
; + == May vary (ie, is a returned value) (prefix)
; void
; int
; uint == (unsigned int)
; octal == (unsigned) [written in octal]
; char
; addr == (void *) [unsigned, written in hexa]
; file == (FILE *)
[TODO]
; format == ((const char *), ...) [printf() like]
[TODO]
; string == (char *)
; stringN == (char *) [N>=0] [show only up to (arg N) bytes]

; arpa/inet.h
int inet_aton(string,addr);
string inet_ntoa(addr);

How it works is easy to tell, the target process is executed and controlled by ltrace and
with the information provided by the symbol table the "links" to the shared functions are
substituted by breakpoint instructions that will be logged by ltrace. Both actions are
accomplished by the facilities that the system call "ptrace" provides. If you want to know
more about linux kernel internals there's a good compilation of information in a frech
book called Programmation Linux 2.0 by Remy Card, Eric Dumas and Frack Mevel.

As an example of the use of ltrace and its possibilities, we'll crack a nice 2D/3D graphics
program (OpenGL based) called XprismPro. The protection used is under a known commercial
software that you probably know: Flexlm. I would like to study a bit about it ASAIGTT (as
soon as i get the time). The basics is that vendors provide some daemon that validates the
licenses, and it is installed in the (remote) license server, in a way that the server calls the
specific daemon that validates a program. The interest IMO is to trace the network dialog between
client-server.

A temporary license is provided as usual, and after 15 days (i think) you receive a
message that your license is not valid and so on. Flexlm license are written in plain
ascii. All the protection may be easily bypassed, that's not new, but is a good example to
show the power of ltrace. The switches that you may use with ltrace are similar to the
ones used in strace (btw, with ltrace you can monitor system calls too).

If the license is written in plain text, you may expect some text manipulation with the
known functions, strcat, strcmp, strcpy and so on. This way run an ltrace session with the
following parameters (you'll see that's not windows :-):

ltrace -o/tmp/salida -i -s100 -e strcmp,strncpy,fopen xprismPro

-i: indicates the program to show the index pointer
-s: sets the length string for each call, so with 100 chars you can see all
    the parameters you need.
-e: you choose the function that must be traced.

your main task here, is to tune switch -e, and choose the appropiate functions and not to
get a huge log and very slow execution. Remember to look that the functions traced has
their parameters configured at /etc/ltrace.conf. This is an extract of the log:

[081c0b9e]fopen("/usr/local/xpplinux.v10/xpp_home/repos/Flexlm/license.dat",     "r") = 0x088c16c8
[081b350c] strcmp("INCREMENT", "INCREMENT") = 0
[081bc611] strncpy(0xbfff96c9, "1.000", 10) = 0xbfff96c9
[081bc6f7] strncpy(0xbfff96d4, "khoral", 10) = 0xbfff96d4
[081b350c] strcmp("UNCOUNTED", "UNCOUNTED") = 0
[081bc87c] strncpy(0xbfff96fc, "9CDF04C230D2", 20) = 0xbfff96fc
[081cebc4] strncpy(0xbfff862c, "HOSTID=DEMO ck=86", 2048) = 0xbfff862c
[081b2b16] strncpy(0x088bd8d8, "DEMO", 4) = 0x088bd8d8
[081d0b8e] strcmp("DEMO", "DEMO") = 0
[081b2b16] strncpy(0x088bdec0, "86", 2) = 0x088bdec0
[081b350c] strcmp("XPRISMPRO", "XPRISMPRO") = 0
[081c5d12] strncpy(0xbffff298, "1.000", 10) = 0xbffff298
[081b2b6c] strcmp("1.00", "1.000") = -1
[081b2c8d] strcmp("1", "1") = 0
[081b2d6d] strcmp("", "") = 0
[081c8474] strcmp("may", "jan") = 1
[081c8474] strcmp("may", "feb") = 1
[081c8474] strcmp("may", "mar") = 1
[081c8474] strcmp("may", "apr") = 1
[081c8474] strcmp("may", "may") = 0
[081cd47d] strcmp("06.0", "03.0") = 1
[081cd627] strcmp("06.0", "04.0") = 1
[081cd6d7] strcmp("06.0", "05.0") = 1
[081cd797] strcmp("06.0", "05.1") = 1
[081cd847] strcmp("06.0", "06.0") = 0
[081c4adf] strncpy(0xbfffe858, "1.000", 10) = 0xbfffe858
[081cd47d] strcmp("06.0", "03.0") = 1
[081cd627] strcmp("06.0", "04.0") = 1
[081cd6d7] strcmp("06.0", "05.0") = 1
[081cd797] strcmp("06.0", "05.1") = 1
[081cd847] strcmp("06.0", "06.0") = 0
[081c4adf] strncpy(0xbfffe858, "1.000", 10) = 0xbfffe858
[081b2b16] strncpy(0x088c2198, " The license-key and data for the feature do     no match.\n This usually happens when a license"..., 1024)=0x088c2198
[081b2b16] strncpy(0x088c2198, " The license-key and data for the feature do     no match.\n This usually happens when a license"..., 1024) = 0x088c2198
[081a9545] strcmp("/root/app-defaults/xvutils", "-") = 1

This is the "hot area". How can you use effectively this information ? Well, i'll take
here two addresses: 081c0b9e and 081b2b16. In the first one the license file is opened, so
no check up has been made, and in the second one the error message is being constructed,
so the check failed. Now let's start ddd (Data Display Debugger) for a little job, we are
gonna show the call tree at both addresses and compare:

Call tree (via "back" command) at 081c0b9e

#0 0x81c0b9e in convert_ubyte ()
#1 0x81bef4b in convert_ubyte ()
#2 0x81c5875 in convert_ubyte ()
#3 0x81c0ff4 in convert_ubyte ()
#4 0x81c0d93 in convert_ubyte ()
#5 0x8078b4a in sigprocmask ()
#6 0x80786ef in sigprocmask ()
#7 0x80545ab in sigprocmask ()

(remember that the upper addresses are the most recent functions )

Call tree at 081b2b16

#0 0x81b2b16 in convert_ubyte ()
#1 0x81b731e in convert_ubyte ()
#2 0x8078b75 in sigprocmask ()
#3 0x80786ef in sigprocmask ()
#4 0x80545ab in sigprocmask ()

Hmmm, interesting, so look at the third older function call in both trees
#5 0x8078b4a     and      #2 0x8078b75
the are very close, but something important has happened in the mean time. Let's look now at the disassemled listing:

08078b2c pushl $0x4000
08078b31 pushl %edi
08078b32 pushl $0x3
08078b34 pushl $0x1
08078b36 pushl 0xc(%ebp)
08078b39 pushl 0x6d8(%ebx)
08078b3f pushl 0x1570(%ebx)
08078b45 call 081c0c90; <--- it will open the file
08078b4a movl %eax,%esi
08078b4c addl $0x1c,%esp
08078b4f testl %esi,%esi
08078b51 je 08078bda
08078b57 pushl 0x1570(%ebx)
08078b5d call 081ba4a0
08078b62 addl $0x4,%esp
08078b65 testl %eax,%eax
08078b67 jne 08078bda
08078b69 pushl %esi
08078b6a pushl 0x1570(%ebx)
08078b70 call 081b72a0; <---- it is building the error message
08078b75 movl %eax,%edi
08078b77 xorb %al,%al
08078b79 cld


well no more details for the clever crackers. I'd like to go deeper analysing Flexlm, but as now it is not possible for me I just wanted to show you ltrace capabilities, a mighty tool that may be is not known by many of you.

For improving the program I'm thinking about some triggering options to reduce log sizes.

Thank you Juan for writing ltrace and keep developing it :-).

I WILL bother explaining you that you should BUY this target program if you intend to use it for a longer period than the allowed one. Should you want to STEAL this software instead, you are a moron. This is the kind of software that WE NEED. Many people should register it and allow its Author to write even more interesting stuff!

You are deep inside Fravia's page of reverse engineering, choose your way out:

---

Back to our tools

homepage links search_forms +ORC students' essays academy database
reality cracking how to search javascript wars
tools anonymity academy cocktails antismut CGI-scripts mail_Fravia
Is reverse engineering legal?

---