Need help with a flexlm target
sailor__eda
November 17th, 2007, 20:31
I'm trying to generate a license for a popular Verilog simulator from an EDA vendor with "sys" in its name.
Anyways, here's what I have so far.
- I have an expired license with all features
- I have the vendor daemon
My problems:
- Don't have Olly for Linux, but have been using IDA for Linux with some success. It's buggy and crashes, but it works, so I'm not going to complain too much.
- In the past, I've successfully extracted keys from Windows FlexLM apps using CrackZ's techniques of breakpointing on lc_checkout; however, I don't think it's possible for me to do that with this target:
1. I cannot find lc_init() or lc_checkout() in the disassembly. A good thing about the Linux binaries is that all the names seem to be intact. I did find another library which does have these routines, but that library isn't being called as far as I can tell.
2. Using IDA to do an analysis of the daemon didn't yield too much information and I couldn't find very many FlexLM lib signature matches (I think it's using a v10 FlexLM with obfuscated C++ names), but I'm still studying it hoping to find the elusive lc_checkout.
So my question is: what is the best way to proceed given what I've seen so far?
Plz PM me if you want more details about the app.
Thanks
Sailor_eda
Aimless
November 18th, 2007, 14:03
1. You may, first of all, use the Flexlm diagnostic tools to determine the version of the Flexlm you are using.
2. Run a tool from linux that can search binaries, and search for "Flexlm" minus the quotes. All files that return (binary) are good candidates for cracking.
3. Subsequently, you can try (if v7 and before) to use the ECC patch. Bring the binary from Linux to Windows and run the ECC patcher there. If you are using v7.5+ (I think) and above, the ECC patch is useless.
4. You already have the names of all features with the license. Read the license and remove the date fields from the .lic file (just keep features and version. Other stuff not required)
5. Then replace the key with the 12 digit key (123456654321); that does just fine.
6. Patch the binary with flexlm to ensure that it does OLD STYLE checkout.
7. No need to change server settings, etc...
Have Phun
sailor__eda
November 22nd, 2007, 17:03
Hi Aimless,
Thanks for your response. Here are my answers to your steps.
1. The lmtools that come with the daemon are 10.8.6, but I don't think the daemon itself is of that version. When I use IDA to analyze and search for strings, I only see a v10 string in there.
2. There are several files that have the flexlm string in them, but I guess for now I'm only interested in cracking a couple that I've identified.
3. I'm fairly sure the ECC patch will be useless on this target.
6. Patch the binary with flexlm to ensure that it does OLD STYLE checkout. - Do you mean with the ecc patch or is there another patch you are talking about?
Thanks again for your help; I really need it, as I'm running out of ideas here.
Sailor_EDA
Aimless
November 23rd, 2007, 01:28
Point 6: You will have to patch EACH file that has FLEXLM protection in order to enable the OLD style checkout... And no, it's not the ECC patch...
What happens is this:
Flexlm, while it's a good protection, is also a business that needs to make money. So, there is something called "COMPATIBILITY" built into the current crop of FlexLM protections. Files checked with the LATEST version of FlexLM ALSO have the facility to be compatible and check using the method of an older version of Flexlm (say v7.5). So, a single file protected with Flexlm can be checked by Flexlm using the current method or the older method.
Your patch will be to enable Flexlm to force an older method of checkout. Where to do that? You can read tuts for that (Crackz site, is a good starting point).
So, finally, you need to have 2 patches:
1. Patch your file once to ensure that NEW style checking is bypassed and OLD style checking is enabled (this is the 12 characters for your key).
2. Patch the old style checkout function so that it accepts ANY key of 12 digits (123456654321) does just fine...
Oh yes, if your app is now coded in .NET, then you will have to apply a THIRD patch to force .NET to ignore strongname, OR use the methods outlined on this board. But as you are in Linux, that is not a possibility so the first 2 methods should do.
Have Phun
sailor__eda
November 24th, 2007, 14:50
Hi Aimless,
Thanks for your tips.
I found the CrackZ tuts you mentioned, and actually I was trying to follow some of the same steps he mentioned just to get to lc_checkout. Actually, here is my biggest problem: I cannot find any routines for _lc_checkout at all. I cannot even find the bit patterns that correspond to lc_checkout (actually, in lc_checkout there are some routines that transfer immediate values, so theoretically it is easy, and I've done that with several other FlexLM apps). I can only find a few identifiable routines, of which one is l_n36_buf, but again, in my vendor daemon it's a pointer of some sort that probably doesn't get resolved until runtime.
Interestingly, just looking around the IDA analysis, I did find the following data:
.data:0824E900 public vendorkeys
.data:0824E900 vendorkeys db 4, 3 dup(0), 45h, 0A5h, 0A3h, 21h, 2Dh, 0E6h, 0E3h
.data:0824E900 ; DATA XREF: .got:082506A0o
.data:0824E900 db 4Dh, 22h, 0B9h, 8Eh, 0ECh, 0E1h, 92h, 0B7h, 0CAh, 0B3h
.data:0824E900 db 31h, 15h, 0C3h, 45h, 0A8h, 1Ah, 0C7h, 0Ah, 0, 8, 3 dup(0)
.data:0824E900 db 31h, 30h, 2Eh, 30h, 256h dup(0)
I have never seen vendor keys in plain disassembly before (I could be mistaken, but I never looked for it either), so it would seem somewhat silly that Macrovi$ion would just put these in plain sight. Also, using the vendor name in lmkey I get very different keys, so I'm not sure if what I've stumbled upon is of any/much use.
So it really seems strange that the vendor daemon doesn't seem to have the routines that I've come to expect inside. Since it's running in Linux and, like you mentioned, it cannot be .Net, we can rule out that sort of obfuscation. I can understand the function names being mangled, making it difficult to do IDA signature matching, but I cannot even find the assembly instructions that correspond to the functions I'm looking for.
One last thing: looking at lmgr.lib from v10.8.5, I see lm_ckout.obj and everything else that I expect from previous versions. I'm really confused why the vendor daemon does not include these functions. What am I overlooking?
Any more tips? Thankx
Sailor_EDA
PS: I cannot find anything related to FlexLM patching for .Net stuff. Not that I need it for my application, but I'm just curious. It's not there on CrackZ's site, and Google didn't turn up much either.
sailor__eda
November 28th, 2007, 23:31
Anyone .. anything?

SiGiNT
December 12th, 2007, 16:22
I think what Aimless is hinting at is: look for _l_checkout and _lm_checkout, find the main subroutines, force them to return with EAX=0. This is so easy it's not obvious. Hint: throw away the sub.
SiGiNT
FoxB
December 13th, 2007, 04:56
You have a multivendor daemon's file.
NoLOcKs
December 16th, 2007, 09:10
Mrs.
Any luck extracting encryption seeds of snpslmd?
Did anyone recover the seeds of FlexLM version 10.8?
sailor__eda
December 17th, 2007, 01:23
I managed to manually identify the various calls in the vendor daemon by comparing the disassembly with the disassembly of liblmgr.a. I got caught up with exams and just got done, so I'll probably spend some more time looking at it now.
busmaster
February 21st, 2008, 02:03
NoLOcKs, as for seeds for Synopsys(snpslmd):
seed1 = 0x987d844e
seed2 = 0xf43dc726