Open Whhhatttt opened 9 months ago
Saying "studio" I assume you refer to "STUDIO_FEATURES". The string is present in the jsc file and is related to IsFreeTial and HasEntitlement. Especially HasEntitlement is checking if the license contains FREE_FEATURES or STUDIO_FEATURES. The function is implemented in NodeJS and compiled to byte code (jsc). It is called by the app via the pk.node (dll) interface.
00007FFD747201B2 | 48:8BCE | mov rcx,rsi | rcx:"STUDIO_FEATURES", rsi:"STUDIO_FEATURES"
00007FFD747201B5 | 49:83FF 10 | cmp r15,10 |
00007FFD747201B9 | 72 03 | jb pk.7FFD747201BE |
00007FFD747201BB | 48:8B0E | mov rcx,qword ptr ds:[rsi] | rcx:"STUDIO_FEATURES", rsi:"STUDIO_FEATURES"
00007FFD747201BE | 48:3BE8 | cmp rbp,rax |
00007FFD747201C1 | 75 0C | jne pk.7FFD747201CF |
00007FFD747201C3 | 4C:8BC5 | mov r8,rbp |
00007FFD747201C6 | E8 8A81F9FF | call pk.7FFD746B8355 |
This is really fun, or I'm doing something wrong :)
I'm looking for similar strings through Ghidra, and found both HasEntitlement and "STUDIO_FEATURES". But, alas, it shows it just as a line; I'm unlikely to be able to find the calls or functions that are under this line.
0063:af3e 48 61 73 45 6e 74 69 74 ds "HasEntitlement"
6c 65 6d 65 6e 74 00
0063:af4d 00 ?? 00h
0063:af4e 01 ?? 01h
0063:af4f 1c ?? 1Ch
0063:af50 51 ?? 51h Q
0063:af51 65 ?? 65h e
0063:af52 7e ?? 7Eh ~
0063:af53 03 ?? 03h
0063:af54 ed ?? EDh
0063:af55 4e ?? 4Eh N
0063:af56 0f ?? 0Fh
0063:af57 00 ?? 00h
0063:af58 00 ?? 00h
0063:af59 00 ?? 00h
0063:af5a 53 54 55 44 49 4f 5f 46 ds "STUDIO_FEATURES"
45 41 54 55 52 45 53 00
Previously, I was able to bypass the protection through Ghidra, and used the inversion of JZ values for this (I had to change about 7 functions) and everything worked. But I'm amazed how you were able to get around this by changing only 1 byte.
Is it really better to use IDA for this? Because I am clearly lagging behind in understanding what is happening.
I used IDA only for initial analysis. The right place was spotted by dynamic analysis using x64dbg. I was tracing HasEntitlement calls and landed in the NodeJS format of "true" or "false", and from there I spotted where the decision is taken to return true or false.
There is NodeJS byte code mixed with native code calls, so it is necessary to go dynamic. Additionally, you have to use 2 instances of the debugger at the same time because Plasticity is spawning 5 different processes.
So you did debugging of the process itself? Or just debugging a specific file? I once tried to debug a non-.exe file, but nothing worked. I'm new to this topic.
How did you actually come to this? It's interesting to listen to a professional.
And there is one more question. Previously, through index.js itself, I was able to replace the ID and change the code a little so that there was essentially an endless indie license. Now, of course, this is impossible, because the file is compiled, and it seems to be able to check changes in the compiled files. In this case, what can be done in theory?
This is actually very easy, I already managed to modify the license xml on the fly. If you put a breakpoint on the AES GCM decryption function that comes from libcrypto-1_1-x64.dll and is referenced from pk.node (dll), you will get the license decryption buffer. After decryption it does a signature check. And after this step it's free to modify. You can actually change trial to full or replace FREE_FEATURES with STUDIO_FEATURES and skip patching the function.
Of course debugging the whole process, actually 2 out of 5 in parallel, because as mentioned Plasticity is spawning 5 processes. Only the renderer process is executing license decryption and validation.
You know this really well. Of course, I wouldn’t refuse a tutor 😂But I understand that this is impossible. Well, I'll try to study. Perhaps I will ask you something else in the future, you are the first person who responded to my comment and gave advice on a similar topic.
It is difficult to say what and how just by describing. It is necessary to see it. Yes, don't hesitate to ask if you have some more questions.
Also..
It would certainly be nice if you also posted patchers for license, haha.
But seriously. Is it possible to trick the program so that it always works without registration? The functionality is on our computer, not in the cloud.
How to reproduce this issue?
Just try to register 1.4.10, 1.4.11, 1.4.12. Now I can't register; Nick says that older versions now can't work.
In general, the whole village is waiting for your files, haha
I cannot reproduce the error on my side.
OK, I see your point now.
Change UUID, delete the .lic and .key files and try to register on 1.4.10.
I have 1.4.13 now and they changed something, yes I see your point now, checking.
Do you have access to a running Plasticity with a paid license?
Maybe I have someone. What do you want to do?
Just login by TV and get the decrypted license, I would like to see the json fields in a paid license.
You mean check it in the console of the license window? Also, I forgot how to open this hahha
Nah, I got it, hah
I need TeamViewer access and to dump the license from a paid Plasticity version.
Check the new version, let me know if it works for you.
I don't think so lmao, my friend has a license, but he will not give access to the computer. I can just simply ask him to do what needs to be done.
I don't need that anymore.
Nice. But will this work if the system UUID does not match the data in the keys? Of course I am. I don't remember if UUID data is stored there.
Just check, let me know, remember it does not work on 1.4.13 yet, you have to use 1.4.10 or 11.
Are you a genius?
That works. In the license manager: invalid token. But it works!
Don't look at the lic manager, it does not matter.
Works only in 1.4.11, 1.4.10 not checked, you can rename the folder.
1.4.10 works also, I checked here, not sure about 1.4.12.
Still working on 1.4.13, they fixed the "one byte patch".
I checked. 1.4.12 does not work.
haha, they are watching you.
Yes, looks like yes, they watch GitHub for activities.
OK, dir name changed, thanks for testing.
Always happy to help and learn something new :)
There's an idea you'll probably give up on, haha. Could you make a video of how you access Plasticity? I would say a time lapse without commentary or something similar.
The goal here is not even to gain access to free plasticity, but rather to understand such things. Don't know. I think other people would also be interested. But that's true, I was just asking 🙃🙃
Hi there! I'm new at all of this; about programming and all that kind of stuff I only understand the basics of the basics. I want to know more about this app (Plasticity) so I can work and model. I read the instructions but it didn't work, so I decided to do it manually. I downloaded Visual Studio Code, Node.js and ILSpy to change the number or the variable, but it doesn't let me change anything because it is binary code (something that I don't understand). Can someone help me? I appreciate a lot the person who is doing all of this and explaining it in detail and trying to help the people who ask. Sorry about my English.
A very interesting find. I don't use this program, but I wanted to do a little of it too. How, even through IDA, were you able to find a line or function (which is unlikely) with the word "studio"? I found similar lines only in version 1.2.+