David
November 5th, 2000, 17:37
The last weeks I have been working with some serious reversing.
The target is a program called Advanced Design System 1.3 from
Agilent Technologies. It is a simulator for DSP and Microwave
designs. The target uses FlexLM 6.1 for license management and
I'm running it under Windows 98. I have a demo license file
for this target.
I started running lmgrd in the bin directory. This program
executes the vendor daemon 'hpeesofd'. Using a bpx on
'GetCommandLineA' I found the command line to execute
the vendor daemon directly.
The command line was 'hpeesofd -T myhost 6.1 -1 -lmgrd_port 6978'
Running this vendor daemon with a breakpoint on 'GetCommandLineA'
I can bpx the functions that I'm interested in.
I have found some functions by comparing the vendor daemon with
lmgr326b.dll. The code in this dll and the code in the vendor
daemon are not identical, but it is still possible to recognize
some functions.
I first started to do the standard approach by breaking at
lc_init and writing down the values stored in the vendorcode
structure. Then I used a generator for vendorkey 5 and created
a new license file. This didn't work.
Then I read the essay from Dan some more and traced around
using w32dasm. After a lot of tracing I put a breakpoint on
the decrypt function in l_sg. The daemon is very similar to the
target described in Dan's essay about lc_new_job(). Passing
0 as the first argument to this function disabled the alternative
seed encryption. This will cause the seed encryption part of the
job structure to remain zero.
Watching the vendorcode structure after the call to decrypt
gave me another set of seeds which I tried without success.
I must say that I'm not really sure about what's happening after
the seed decryption. I think that somewhere the vendorcode
structure and the job structure would be used to generate
a license key which then would be compared to the key in the
license file.
Any idea on what I should try?
Thanks in advance,
David