oldbrat
December 28th, 2007, 09:11
Hiya,
I got a new target recently, which is one Linux binary protected with FlexLM 8.2a.
Maybe this is my first crack after a few years of doing non-computer-related things.
Getting the TOT complete this time was the hardest part. Lost all the old connections, but Google is our friend. So after 1 day I collected all the tools: IDA + FLAIR, Hiew, and ald as debugger (since I was on Linux), and also got the FlexSDK 8.1a.
The worst thing is that IDA cannot identify all these lc_checkout, lm_start_real, etc. Maybe because all the symbols were stripped by lmstrip on Linux, maybe bad signatures, I dunno.
I was at my wit's end. Reading all the other tuts on Crackz's site did not help to clarify how we can find lc_checkout (actually he has mentioned the "lm_ckout.c" inside the lc_checkout function).
More ftpsearch revealed that there is also SOURCE for a whole flexlm sdk 9.2. Oh, great!!!
After that, reading through the C source code and FlexLM object code is like reading a tut about how a C compiler translates C code to assembly.
Yep, all the other functions were there: l_sg, lm_start_real, l_zcp ....
Once the target was identified, 1 breakpoint before l_sg can help me to recover all the vendor and job structures (thanks Crackz again), and calcseed delivers your encryption seeds in 1 minute.
That's it. TYA. A lot of reading and searching, 5 minutes of debugging gave me the desired results.
with best regards,
oldbrat