View Full Version : flexlm 9.2.0


RCER
February 16th, 2008, 03:50
I am a beginning reverser and am trying to reverse a program which is protected with flexlm v9.2.0.
The program is made out of several executable modules, which run independently from each other,
but all the modules use a shared directory which contains several dlls.
I already had an expired demo license with one feature line for each module, and changed the date to 2025.
When I start any of the modules, I get the well known bad boy message -8,130

From reading several flexlm essays, I learned that the following breakpoints need to be set in order to find important information:

_lc_checkout for features
_l_good_lic and _ln36_buff for the seeds

I loaded the vendor daemon into OllyDbg and IDA, and used the following parameters -l -c c:\flexlm\license.lic
I used Gerbay's plugin for lmgr9 signature recognition, but when I search inside IDA for _ln36_buff and _l_good_lic key program, I cannot find any of them.
Also noted that the shared directory contains a vendor compiled lmgr9a.dll file with the name lmgr9a_xxx.dll (where xxx stands for the vendor name).
From the essays I understood that dynamically linked libraries were abandoned after version 6, and that nowadays only statically linked libraries are used.
When I look in OllyDbg's executable module window the lmgr9a_xxx.dll is not listed, which tells me that the executable does not use this dll.
So if this is the case, what is the purpose of this dll? Furthermore another program of the same vendor, which is using flexlm 11.3, also has this lmgr9a_xxx.dll in the shared directory, which really puzzles me.

I am also struggling with trying to learn the ins and outs of both IDA and OllyDbg, and am not sure which program is better for debugging.

For instance when I load one of the executables into Olly & IDA, and run the debuggers, IDA will run and break once the badboy message pops up, but OllyDbg refuses to show this pop-up window after breaking.

Maybe some of you guys think that I didn't do my homework, but believe me I did! I read a lot of essays, but I am just struggling and need some help with the above flexlm questions and some good practical tips on how to best use IDA & Olly, in particular with setting breakpoints, and what to look for.

Thanks

RCER

RCER

naides
February 16th, 2008, 09:41
Quote:
[Originally Posted by RCER;72727]I am a beginning reverser and am trying to reverse a program which is protected with flexlm v9.2.0.

I don't know what exactly you mean by beginning reverser, but flexlm is not the kind of protection I would use to train my wings in reversing.

Quote:
The program is made out of several executable modules, which run independently from each other,
but all the modules use a shared directory which contains several dlls.
I already had an expired demo license with one feature line for each module, and changed the date to 2025.
When I start any of the modules, I get the well known bad boy message -8,130

From reading several flexlm essays, I learned that the following breakpoints need to be set in order to find important information:

_lc_checkout for features
_l_good_lic and _ln36_buff for the seeds

I loaded the vendor daemon into OllyDbg and IDA, and used the following parameters -l -c c:\flexlm\license.lic
I used Gerbay's plugin for lmgr9 signature recognition, but when I search inside IDA for _ln36_buff and _l_good_lic key program, I cannot find any of them.

Keep in mind that the protectors read those tutorials too and routinely set up countermeasures.

Quote:
Also noted that the shared directory contains a vendor compiled lmgr9a.dll file with the name lmgr9a_xxx.dll (where xxx stands for the vendor name).
From the essays I understood that dynamically linked libraries were abandoned after version 6, and that nowadays only statically linked libraries are used.

So there seems to be a contradiction: lmgr9a_xxx.dll IS a dynamically linked library. It may well be a decoy. When static libraries are used, the code is copied into the main executable file.

Quote:
When I look in OllyDbg's executable module window the lmgr9a_xxx.dll is not listed, which tells me that the executable does not use this dll.

So perhaps it is a decoy.

Quote:
So if this is the case, what is the purpose of this dll? Furthermore another program of the same vendor, which is using flexlm 11.3, also has this lmgr9a_xxx.dll in the shared directory, which really puzzles me.

It may be activated when you have a valid license, it may be a decoy; the only way to figure out what it does is disassemble it, understand it and figure out who loads it. Search all the files within the executable folders for the string lmgr9a_xxx.dll using a grep utility.

Quote:
I am also struggling with trying to learn the ins and outs of both IDA and OllyDbg, and am not sure which program is better for debugging.

Go for Olly.

Quote:
For instance when I load one of the executables into Olly & IDA, and run the debuggers, IDA will run and break once the badboy message pops up, but OllyDbg refuses to show this pop-up window after breaking.

Maybe some of you guys think that I didn't do my homework, but believe me I did! I read a lot of essays, but I am just struggling and need some help with the above flexlm questions and some good practical tips on how to best use IDA & Olly, in particular with setting breakpoints, and what to look for.

Thanks

RCER

In Blue: Take one step at a time.
Don't follow the tuts at face value, understand what is the purpose of each of the steps.

SiGiNT
February 16th, 2008, 13:12
I have never seen "_l_good_lic" in any FlexLm target, but perhaps your sig labels a sub with that. Do not ignore the lmgr dll; frequently implementors of FlexLm write their own custom managers. However, this is good news! In every case I've seen where the programmer wrote his own manager it's possible to patch the main executable ECC and _l_checkout or _lc_checkout, and then just the ECC in the manager, and have all features enabled without a license file.

SiGiNT

Note: What I'm calling ECC may differ from what CrackZ and some others call ECC, if you need any details PM me.

RCER
February 17th, 2008, 03:52
Quote:
I don't know what exactly you mean by beginning reverser, but flexlm is not the kind of protection I would use to train my wings in reversing.

Beginning means that I have no experience in reversing whatsoever, and am presently familiarizing myself with ASM & C# syntax, and am reading every flexlm essay I can get my hands on. From reading the essays, I know that flexlm is not the easiest protection system to reverse, but unfortunately I have personal interest in this target, and am determined to dig out the seeds, even if this will take me a considerable amount of time.

Quote:
It may be activated when you have a valid license, it may be a decoy; the only way to figure out what it does is disassemble it, understand it and figure out who loads it. Search all the files within the executable folders for the string lmgr9a_xxx.dll using a grep utility.

I searched all the executables with the grep utility, but was unable to find any string reference to lmgr9a_xxx.dll, which probably means, as you already mentioned, that this is a decoy.

Quote:
I am also struggling with trying to learn the ins and outs of both IDA and OllyDbg, and am not sure which program is better for debugging.

Go for Olly.

O.K. I will do, and thanks for your advice.

Thanks for your reply

RCER

naides
February 17th, 2008, 09:20
RCER: Regarding lmgr9a_xxx.dll: If the protectors are paranoid enough and have used encrypted strings and LoadLibrary APIs to load the dll at runtime, or if the executables are packed using a Flex envelope, the lmgr9a_xxx.dll strings may not show up in a grep search.

Disassemble lmgr9a_xxx.dll and take a look at the functions it exports ( if any), see if other executables have string references to those functions.

Using Process Explorer (from Microsoft/Russinovich) take a look at the strings that the executables have IN MEMORY and ON DISK; see if they are substantially different, meaning that some in-memory string decrypting has taken place.

RCER
February 17th, 2008, 10:54
naides,

thanks for the advice. I will follow your tips to see where they take me.


RCER

dELTA
February 17th, 2008, 17:46
RCER, please use the quote feature of the board for anything else other than what you have written yourself, it can get very confusing otherwise.

SiGiNT
February 17th, 2008, 20:49
Naides,

I copied you on my PM to RCER, you may find the info useful. Something else I finally had time to convince myself of: if a moderately competent reverser (on the imbecile scale) approaches a FlexLM app without knowing it's FlexLM, it's quite possible to get it up and running using traditional cracking techniques.

SiGiNT

naides
February 17th, 2008, 22:42
Thank you sigint33.
I got to the same conclusion myself: If the software protectors were naive in the implementation, a single byte patch is all it takes to bypass the license check.

Actually this tut, "Advanced Study on FLEXlm System", available on tuts4you, is excellently written, illustrating very comprehensively all the bypassing methods for FlexLM: from the imbecile level, which I love and practice (see this related thread regarding Sentinel http://www.woodmann.com/forum/showthread.php?t=10129), to the all-the-way level of generating your own license, passing through catching the FlexLM code validating the license. Definitely rewarding reading.

SiGiNT
February 17th, 2008, 23:11
Naides,

In virtually all of the older <=9.x this trick works, although most will require a bogus license with the lines formatted correctly, so I don't think this is a vulnerability of just poor implementation - actually FlexLM was never intended to be a protection system, it was originally meant to be a license management system only. There are similar tricks for later versions; if you are reeaaally nice to me I'll give you some examples (actually, just ask). If the proprietors here think it's ok I'll post my PM - it is very close to the line of supplying a crack, but you still must study a little and it does teach somewhat, also it only applies to what is now an obsolete version - I'm even willing to take the heat from CrackZ when he, as always so delicately, tells me how big an idiot I am - I can't argue on that point.

SiGiNT

And yes I have generated my own licenses several times, very rewarding, but it really offends my lazy half!!!!

I'm really curious as to the lack of success even by some of the top teams in generating licenses for the very newest implementations. AFAIK all that was really done was done to be more compatible with 64 bit op systems and (it hurts even to type its name!!!!) Vista, otherwise known as Millennium II (the return of the migraine).

dELTA
February 18th, 2008, 07:36
We normally allow more detailed information regarding packers/protectors themselves, as long as no specific target application protected by it is mentioned at the same time. Please send me a copy of the PM and I'll take a look at if it's ok.

RCER
February 18th, 2008, 09:47
Quote:
[Originally Posted by dELTA;72754]RCER, please use the quote feature of the board for anything else other than what you have written yourself, it can get very confusing otherwise.


O.K. will do from now onwards

RCER

SiGiNT
February 18th, 2008, 10:44
dELTA,

My concern wasn't about violating the rules, I can censor out any target info, (I don't think there is any), rather my concern was violating the spirit and intent of what we preach here, although you could memorize the SDK and still not come up with this technique, it takes many hours of debugging and analysis, but of course we encourage that! - Anyway PM sent.

SiGiNT

dELTA
February 18th, 2008, 11:03
As long as it is in connection to a somewhat serious discussion (contrary to a direct response to a "please help me do this and that" request) it is usually acceptable as long as the normal non-specific target rule is followed.

SiGiNT
February 19th, 2008, 03:10

RCER,

Note: the stuff below may primarily apply to versions 7.x - 8.x, but I believe that early versions of 9.x may also act similarly - please notice I've corrected _lm_checkout to _lc_checkout - if you encounter an lc.ckout - then PM me your target name and I'll point you in a slightly different way - but first you must understand that if you set your clock ahead - then turned it back - YOU'RE SCREWED - you need to do a lot of fixing after that action - here's how to do it:

1. Search your entire c: drive for files and folders with a date farther ahead than your current time.

2. Create an empty text file in all of the folders you find, this resets their date back to present. That may fix it.

3. If not then use WinHex or Hackman or any other that will let you change file dates and fix as many as you can.

That should fix it. Patching around the clock set back error is difficult.

Well in the circles I travel - mostly EDA apps - this has been called the ECC patch for versions <10.x. How it works is it forces FlexLM to ignore the encrypted info on the feature lines. When this patch is used you must also have a correctly formatted license; a demo is fine, all you have to do is copy the feature line down and replace the feature name, and of course you may change the expiration date (don't get greedy, some implementations can choke on a date too far in the future). Once you have it up and running in any mode the feature list is usually easily found by searching memory.

Here is the code to look for. It always looks exactly like this; registers other than eax may change but the rest is the same. In FlexNet you'll see a hard jump over the patched instruction, so other tricks are needed. Anyway here's the section to look for -


.text:10014D9C loc_10014D9C:                           ; CODE XREF: sub_10014698+6F8
.text:10014D9C                 mov     eax, [ebp+arg_0]
.text:10014D9F                 mov     ecx, [ebp+var_F0]
.text:10014DA5                 mov     [eax+14h], ecx
.text:10014DA8                 push    0
.text:10014DAA                 push    0FFh            ; __int16
.text:10014DAF                 push    0               ; char *
.text:10014DB1                 push    0               ; int
.text:10014DB3                 push    214h            ; int   <- I usually search for this push
.text:10014DB8                 push    0FFFFFFF8h      ; int
.text:10014DBA                 mov     edx, [ebp+arg_0]
.text:10014DBD                 push    edx             ; int
.text:10014DBE                 call    sub_10029A50
.text:10014DC3                 add     esp, 1Ch
.text:10014DC6                 mov     [ebp+var_50], 0FFFFFFF8h
.text:10014DCD
.text:10014DCD loc_10014DCD:                           ; CODE XREF: sub_10014698+166
.text:10014DCD                                         ; sub_10014698+1C9..
.text:10014DCD                 mov     eax, [ebp+var_50] ; <- Change this instruction to: XOR EAX,EAX
.text:10014DCD                                         ;    nop the extra byte
.text:10014DD0
.text:10014DD0 loc_10014DD0:                           ; CODE XREF: sub_10014698+BF
.text:10014DD0                                         ; sub_10014698+EE
.text:10014DD0                 mov     esp, ebp
.text:10014DD2                 pop     ebp
.text:10014DD3                 retn
.text:10014DD3 sub_10014698    endp

That's it for this patch; apply it to every FlexLM file in your target's directory that contains this code. You can narrow down that list by doing a search using 010 Editor or similar for the word FlexLM; only the files that contain that word need to be looked at.

As I said in my post, in most of the targets I've worked on that have a custom manager, patching the _l_checkout and the _lc_checkout subroutines by replacing the first instruction in the sub with XOR EAX,EAX followed by a RETN MAY allow you to run the app full featured without a license.

SiGiNT
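Editor's added example, not SiGiNT's code and not anything from FlexLM itself: SiGiNT's step 1 (find every file or folder on the drive stamped later than the current time) is exactly the evidence a clock-setback check works from, and it is the same sweep an incident responder runs when looking for timestamp anomalies. The script below only reports, it never touches a timestamp. It assumes a 5 minute tolerance for ordinary clock skew (my choice, not a FlexLM value) and builds its own constructed sample tree so it can be run offline.

```python
import os
import tempfile
import time

# Assumption: ordinary clock skew to ignore before a timestamp counts as "in the future".
DEFAULT_SKEW = 300


def find_future_dated(root, now=None, skew=DEFAULT_SKEW):
    """Return sorted [(path, mtime)] for every file and directory under root
    whose modification time lies more than `skew` seconds past `now`.

    lstat is used so symlinks are judged by their own timestamp and never
    followed; unreadable or vanished entries are skipped, not fatal."""
    now = time.time() if now is None else now
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if st.st_mtime > now + skew:
                hits.append((path, st.st_mtime))
    return sorted(hits)


def build_sample_tree():
    """Constructed sample tree (not taken from any real system): one ordinary
    file, plus one file and one empty directory stamped a year ahead."""
    root = tempfile.mkdtemp(prefix="fdate_")
    future = time.time() + 365 * 86400
    with open(os.path.join(root, "normal.txt"), "w") as f:
        f.write("present\n")
    future_file = os.path.join(root, "future.dat")
    with open(future_file, "w") as f:
        f.write("ahead\n")
    os.utime(future_file, (future, future))
    future_dir = os.path.join(root, "future_dir")
    os.mkdir(future_dir)          # created empty so nothing later rewrites its mtime
    os.utime(future_dir, (future, future))
    return root


def run_demo():
    """Names of the entries a sweep of the sample tree flags."""
    root = build_sample_tree()
    return [os.path.basename(p) for p, _ in find_future_dated(root)]


if __name__ == "__main__":
    for name in run_demo():
        print("future-dated:", name)
```

Point it at a real root (`find_future_dated("C:\\")` or `"/"`) to get the list SiGiNT's step 1 asks for; the sorted output groups hits by folder, which is what you need before deciding which folders to look at. Widening `skew` silences entries that are only minutes ahead because of a drifting clock.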