FlexLM 8.2a how to


skippy
April 16th, 2007, 14:43
Hi all,

I'm new to all this FlexLM stuff and from what I've read it seems very complicated!

I have an app which has a daemon running on a central server. This app is protected by FlexLM v8.2a. I believe I have the relevant tools required to reproduce a license file (IDA, W32Dasm and SDK 8.1a (hope this is ok)).

I could do with a few pointers.

Firstly, what dll/exe do I have to decompile? I tried lmgr326a.dll but I'm not sure if this is the right one.

I found lc_checkout in this but again I'm not too sure where to go from here.

Please, if anyone can help me I would be very grateful.

Skip

JMI
April 17th, 2007, 02:59
OK, I'll help you. Go back and actually READ THE FRIGGIN FAQ!

"Do not ask for help without showing you made an effort. This includes asking *lameass* questions in the Newbies Forum."

AFTER you have actually read the FAQ, you should tell US what YOU have actually done to try to help yourself, besides asking for help here!

What searching on the net or here have YOU done and what have YOU read to prepare yourself for your task? If you had actually read some of the available materials you would at least have some clue where to begin. Now YOU do YOUR homework and come back with a more thoughtful question that shows you have done some work and tried to help yourself beyond asking someone to take you by the hand and lead you to your needed information.

Regards,

skippy
April 17th, 2007, 14:05
Hi,

Thanks for your reply, but as you think I'm very lazy I would just like to point out that I have done much research into flexlm and have read many tutorials.

I have read http://woodmann.com/crackz/Tutorials/Flex2004.htm which mentions _l_ckout_ok; the only reference to this I can find in my executable is lm_ckout.c, with no reference to _l_sg.

I am at a loss; I've spent 3 days searching the internet and reading all sorts of materials, each of which keeps confusing me even more.

JMI
April 17th, 2007, 17:14
The point is that if you had actually READ THE FAQ you would have known to state in your first post what you had done to research your topic.

How would anyone have known by reading what you wrote in your first post that you had done anything at all??? That's WHY we have the FAQ and WHY you are instructed to explain the information which is required of posters on these Forums.

Regards,

skippy
April 19th, 2007, 09:24
Hi All,

I have decompiled my target and have found the following code...

.text:0041AFC0 sub_41AFC0 proc near ; CODE XREF: sub_40F940+C1Ep
.text:0041AFC0 ; sub_419407+B9p ...
.text:0041AFC0
.text:0041AFC0 var_24 = dword ptr -24h
.text:0041AFC0 var_20 = dword ptr -20h
.text:0041AFC0 var_1C = dword ptr -1Ch
.text:0041AFC0 var_14 = byte ptr -14h
.text:0041AFC0 var_13 = byte ptr -13h
.text:0041AFC0 var_12 = byte ptr -12h
.text:0041AFC0 var_11 = byte ptr -11h
.text:0041AFC0 var_10 = dword ptr -10h
.text:0041AFC0 var_C = dword ptr -0Ch
.text:0041AFC0 var_8 = dword ptr -8
.text:0041AFC0 var_4 = dword ptr -4
.text:0041AFC0 arg_0 = dword ptr 8
.text:0041AFC0 arg_4 = dword ptr 0Ch
.text:0041AFC0 arg_8 = dword ptr 10h
.text:0041AFC0
.text:0041AFC0 push ebp
.text:0041AFC1 mov ebp, esp
.text:0041AFC3 sub esp, 24h
.text:0041AFC6 mov [ebp+var_C], 6F7330B8h
.text:0041AFCD mov [ebp+var_10], 3
.text:0041AFD4 mov eax, [ebp+arg_0]
.text:0041AFD7 mov ecx, [eax+6Ch]
.text:0041AFDA mov edx, [ecx+394h]
.text:0041AFE0 and edx, 8000h
.text:0041AFE6 test edx, edx
.text:0041AFE8 jz short loc_41B00D
.text:0041AFEA cmp dword_4A2E18, 0
.text:0041AFF1 jz short loc_41B00D
.text:0041AFF3 mov eax, [ebp+arg_8]
.text:0041AFF6 push eax
.text:0041AFF7 mov ecx, [ebp+arg_4]
.text:0041AFFA push ecx
.text:0041AFFB mov edx, [ebp+arg_0]
.text:0041AFFE push edx
.text:0041AFFF call dword_4A2E18
.text:0041B005 add esp, 0Ch
.text:0041B008 jmp loc_41B120


I believe I have found the vendorcode struct at arg_8, vendor name at arg_4 and job struct at arg_0.

From reading the Flex2004 tutorial I am at the point where it says "note a copy of this". How do I reveal this? Do I select arg_8 and just look at the hex view in IDA, or is there something I'm missing?

I also started the program in debug mode and, after stepping into the code, what values or where do I need to look in IDA? I apologise for my stupidness!

Thanks

Aimless
April 19th, 2007, 10:06
Ummm... kid, a couple of pointers, in order of importance when cracking Flexlm:

1. Simply run a binary search for the words "Flexlm" without the quotes, in both normal and unicode on the ENTIRE directory where your app is installed. Keep a note of the files you find.

2. Ask yourself, what are you cracking? An application protected with Flexlm, or the Flexlm SDK itself? Both will require different methods.

3. Flexlm can be compiled as a library during your application protection, or can be used as an external dll protection. You need to find out which is what.

4. Generally, it's protected with ECC... A simple ECC patch no longer works for v8.2, but the crack is *still* very trivial. Patch 2 bytes and the prot is gangbanged. However, it can be made a lot tougher if the programmers include their OWN protection schemes. Find out if that is the case. Most programmers cannot understand the Flexlm model for all the crap in the world, so you should be safe.

5. If your flexlm protection is tied in with SentinelLM (yes, there are, and they do) then you have just got yourself the excuse to stay awake all night for a long period of time. Hope you are not married.

6. Couple point 5 with a Sentinel Dongle requirement and you are absolutely ... you know what. So find out if that is happening. The issue here is that points 5 and 6 rarely happen because dual heavy duty protections are seldom (very very rarely) compatible. But there are programs that do that and it can give you hell -- if you don't know what to look for.

Other than that, I'd suggest you first find out how you want to crack the protection. If you are patching it (easier at first) then you need not worry about vendor code or the other 12/32 letter codes in the .lic file. If this is your first time cracking, I'd suggest breaking winzip and MIRC first. Otherwise, best of luck.

And next time, post more of what you've done, not just a dump of the disassembly. :P

Have Phun

CrackZ
April 19th, 2007, 14:41
Hiya,

"I have decompiled my target and have found the following code..."

Correct, this is _l_sg().

"I believe i have found the vendorcode struct at arg_8, vendor name at arg_4 and job struct at arg_0."

Correct again.

"From reading Flex2004 tutorial i am at the point where it says note a copy of this. How do i reveal this? Do i select arg_8 and just look at the hex view in IDA or is there something im missing?"

There is nothing you are missing. You'll need a copy of Calcseed from my site to make use of the values; note also that if you use the search function you will see I have answered exactly how to do this before.

As a side point that Aimless has touched on, if your target does exclusively use the ECC option the seeds are of no real consequence; you'll have 2 choices.

1. Patch the licensing layer to utilise the older checkout and thus recover the seeds to make a license generator (my preferred method).

2. Patch _lm_pubkey_verify to return 0 and generate a license using your own LM_SEED's.

Note also that many more FLEXlm protected applications don't just rely on the FLEXlm checkout return; some will desire VENDOR_STRING's, custom HOSTID's and much more in order to work successfully. Of course, one tends to find this out after realising the checkout isn't working quite as it should ;-).

Feel free to forward me the vendor daemon (if you have it) for my collection.

Regards

CrackZ.

whyIII
April 20th, 2007, 02:42
Hi, CrackZ, are you still collecting vendor daemons? I have some and will send them to you.

CrackZ
April 20th, 2007, 16:00
As long as it's not vendor daemon whyIII ;-).

Regards

CrackZ.