For Nolan Blender - Vox Quiet


Crazy Genius
November 28th, 2000, 17:52
I'm reversing my target with FLEXlm 6.1.
As in the essay, I found out my real seeds (by zeroing the random bits).
(They were the same seeds I got in the lc_init proc 12345678 cmp.)
But it's still not working.

Any ideas ?

I read in the reverse group work essay that VoxQuet had the same problem.

Nolan Blender
November 28th, 2000, 19:22
For 6.1, you have to null out the **pointer**
to the job structure that's being passed to
the decoding routine - simply zeroing the
data in the job structure is insufficient, as the routine in lm_new will divide the key
between the job structure, and the returned
value in the vendorcode structure. If you
look at Dan's essay or mine you can see how
this is done.
tsehp.cjb.net is where to go for these essays.

Crazy Genius
November 29th, 2000, 15:35
I didn't zero the data in the job structure, I zeroed the random bits. I tried to zero the pointer to the job structure and got the same results. (If I understood correctly, the seeds are then stored in the vendorcode structure in place of data[0] and data[1]?)

And I have some other progs in the same program package that don't use the static library and never take the "vector call" in l_sg(). So the seeds I found for those progs are the same as I found for the main one. And they don't work either.

Any Ideas ????

P.S. Nolan, what's your e-mail?

Nolan Blender
November 30th, 2000, 00:39
Well, they could be doing some tricks like
user defined encryption or crypt filters.
If you null out the pointer, you should get
at least different results than without
nulling it out. What's the program? What
error does it give when it's not working?

Crazy Genius
November 30th, 2000, 17:54
The target is Eagleware by GENESYS.
As for user-defined encryption and filters I checked it out and did not find any. And of course I get different seeds when I null the pointer.
But as I said, this package includes different progs. And some of them are not using the new_job() function. The seeds I'm getting there (by conventional ways) are the same I found in the main prog by zeroing out the pointer. In checkout() I got the standard -8,-130 error - invalid seeds in all progs. Some of the progs are about 400K in size. Want to look at it?

Nolan Blender
December 1st, 2000, 00:06
Are you generating long keys? Some programs
(notably older ones) won't work if you use
the current shorter keys. If you've compiled
lmcrypt, you can ask for longer keys with
lmcrypt -verfmt 5 -longkey license.dat

Since this one doesn't appear to be a public
(i.e., easily downloadable) program, I'm
assuming you have access to some valid keys -
try running lmcrypt against those keys to
see if your seeds are correct.

Also, some programs have a custom HOSTID that
they use - if it requires something like
HOSTID=BLAH_ID=11-23-53-23-53-23 then
it may require a custom host ID.

A very helpful exercise is to check what
lc_set_attr is being called with - you'll
be able to determine the behavior version and
any other weird settings that may be implemented.

I can sometimes be found on #cracking4newbies
on EFnet. There are other people there who
are experts at FLEXlm too, so ask in the
channel for assistance. I suspect that one
of the above tips will get you going though.

--nb.

Willebul
December 1st, 2000, 04:37
Hi

Looked at this a while back (nice RF simulator), got hold of a real lic (below).
You can extract the code, but
look at the hostid, they do something funny
at that end.
Also the server line x=xxx seems funny.
Got sidetracked and haven't had the time to finish up.


SERVER Y=xxxx
VENDOR eagle
FEATURE genesys eagle 6.5 12-feb-2000 1 AF8EE0CC38C6 HOSTID="ANY P=EFEF"

Good hunting
W

GeN!uS
December 2nd, 2000, 13:18
; Are you generating long keys? Some programs

I tried all possible combinations.

;Since this one doesn't appear to be a public
;(i.e, easily downloadable) program, I'm
;assuming you have access to some valid keys -

No I don't have any.

;Also, some programs have a custom HOSTID

But I failed in the checkout() func. As for l_host, it returns 0. A check for a user-defined HOSTID usually comes after checkout().

lc_set_attr is called with 3f,2b,38,3a,47,6,44 parameters - nothing unusual.

Also, I have seeds from an older version of this prog (6.1). I tried to create a license with these seeds and it didn't work either. Does it mean anything?

P.S. I'm using Eagleware v.7 by GENESYS.

Perry
May 28th, 2001, 20:40
Excuse me all, but have you tried Skullcoder sniffind??

Perry.