RCER
August 24th, 2008, 11:25
I am trying to reverse a target which is protected with FlexLM 7.2, but I am banging my head against the wall because I am unable to extract the correct seeds.
Problem description: calcseed gives different values after every debugger run.
This is what I did so far:
Constructed a dummy license with the correct feature name
extracted the important breakpoints from IDA
Loaded the vendor daemon into olly with the following arg: _T "Comp Name" 7.2 -1-c c:\ license.lic
Set the following breakpoints in Olly before tracing:
_lc_checkout()
_l_checkout()
_lm_start_real()
_l_good_lic_key()
_l_sg()
_l_ckout_crypt() or _l_crypt_private()
_l_real_crypt()
_l_real_crypt_1() exactly the same function as the previous one, but with different Xrefs
_l_ckout_string_key
When I run the vendor daemon inside Olly the program breaks as described in the listing below,
but for some reason data[0] and data[1] are always the same on each debugger run, whereas job+08, job+0c and job+10 are different on each run, which gives different seed values for each run.
I have a similar problem with a target which uses FlexLM 9.2, and I cannot figure out what I am doing wrong!
Here is a breakpoint listing from one debugger run.
1st break @ _l_sg
009C1C60 66 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
009C1C70 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
009C1CF0 04 00 00 00 19 C5 DA 14 36 2B DA 14 E8 D0 1C 89
009C1D00 CD 2B 88 95 C3 D1 84 C4 40 6D C0 7D 00 00 00 00
2nd break @ _l_good_lic_key
009C1C60 66 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
009C1C70 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
009C1CF0 04 00 00 00 19 C5 DA 14 36 2B DA 14 E8 D0 1C 89
009C1D00 CD 2B 88 95 C3 D1 84 C4 40 6D C0 7D 00 00 00 00
3rd break @ _l_sg
009C1C60 66 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
009C1C70 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
009C1CF0 04 00 00 00 19 C5 DA 14 36 2B DA 14 E8 D0 1C 89
009C1D00 CD 2B 88 95 C3 D1 84 C4 40 6D C0 7D 00 00 00 00
4th break @ _l_crypt_private
009C1C60 66 00 00 00 AF 00 5A 00 3F 54 64 BF 42 41 55 20
009C1C70 01 95 E0 3A 00 00 00 00 00 00 00 00 00 00 00 00
009C1CF0 04 00 00 00 19 C5 DA 14 36 2B DA 14 E8 D0 1C 89
5th break @ _real_crypt_1
009C1C60 66 00 00 00 AF 00 5A 00 3F 54 64 BF 42 41 55 20
009C1C70 01 95 E0 3A 00 00 00 00 00 00 00 00 00 00 00 00
009C1CF0 04 00 00 00 19 C5 DA 14 36 2B DA 14 E8 D0 1C 89
009C1D00 CD 2B 88 95 C3 D1 84 C4 40 6D C0 7D 00 00 00 00
6th break @ _real_crypt_1
009C1C60 66 00 00 00 AF 00 5A 00 3F 54 64 BF 42 41 55 20
009C1C70 01 95 E0 3A 00 00 00 00 00 00 00 00 00 00 00 00
009C1CF0 04 00 00 00 19 C5 DA 14 36 2B DA 14 E8 D0 1C 89
009C1D00 CD 2B 88 95 C3 D1 84 C4 40 6D C0 7D 00 00 00 00
7th break @ _l_good_lic_key
009C1C60 66 00 00 00 AF 00 5A 00 3F 54 64 BF 42 41 55 20
009C1C70 01 95 E0 3A F8 FF FF FF 82 00 00 00 00 00 00 00
009C1CF0 04 00 00 00 19 C5 DA 14 36 2B DA 14 E8 D0 1C 89
009C1D00 CD 2B 88 95 C3 D1 84 C4 40 6D C0 7D 00 00 00 00
8th break @ _l_sg
009C1C60 66 00 00 00 AF 00 5A 00 3F 54 64 BF 42 41 55 20
009C1C70 01 95 E0 3A F8 FF FF FF 82 00 00 00 00 00 00 00
009C1CF0 04 00 00 00 19 C5 DA 14 36 2B DA 14 E8 D0 1C 89
009C1D00 CD 2B 88 95 C3 D1 84 C4 40 6D C0 7D 00 00 00 00
9th break @ _l_crypt_private
009C1C60 66 00 00 00 0E 00 00 00 FA 91 A1 7A 87 84 90 E5
009C1C70 C4 50 25 FF F8 FF FF FF 82 00 00 00 00 00 00 00
009C1CF0 04 00 00 00 19 C5 DA 14 36 2B DA 14 E8 D0 1C 89
009C1D00 CD 2B 88 95 C3 D1 84 C4 40 6D C0 7D 00 00 00 00
10th break @ _real_crypt_1
009C1C60 66 00 00 00 0E 00 00 00 FA 91 A1 7A 87 84 90 E5
009C1C70 C4 50 25 FF F8 FF FF FF 82 00 00 00 00 00 00 00
009C1CF0 04 00 00 00 19 C5 DA 14 36 2B DA 14 E8 D0 1C 89
009C1D00 CD 2B 88 95 C3 D1 84 C4 40 6D C0 7D 00 00 00 00
11th break @ _real_crypt_1
009C1C60 66 00 00 00 0E 00 00 00 FA 91 A1 7A 87 84 90 E5
009C1C70 C4 50 25 FF F8 FF FF FF 82 00 00 00 00 00 00 00
009C1CF0 04 00 00 00 19 C5 DA 14 36 2B DA 14 E8 D0 1C 89
009C1D00 CD 2B 88 95 C3 D1 84 C4 40 6D C0 7D 00 00 00 00
program terminates
009C1C60 66 00 00 00 0E 00 00 00 FA 91 A1 7A 87 84 90 E5
009C1C70 C4 50 25 FF F8 FF FF FF 82 00 00 00 00 00 00 00
009C1CF0 04 00 00 00 19 C5 DA 14 36 2B DA 14 E8 D0 1C 89
009C1D00 CD 2B 88 95 C3 D1 84 C4 40 6D C0 7D 00 00 00 00
Looking at the breakpoints you will notice that the program doesn't break at _l_real_crypt() and _l_ckout_string_key(). The latter, I think, is required to get the correct vendor code and job structure values for the correct seeds.
Going back and forth through the dead listing in IDA, I can find xrefs between _l_real_crypt() and _l_ckout_string_key(), but no xrefs between _real_crypt_1() and _l_ckout_string_key().
Plugging the values from the 4th break @ _l_crypt_private
into calcseed (with vendor name l....v) gives me the following seed values:
encseed [0] f48e8726
encseed [1] f48e6909
However as mentioned before they change on every run.
Can anybody give me some clues to point me in the right direction
regards
RCER
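Editor's note: the listing above is a sequence of memory snapshots taken at successive breakpoints, and the question is really "which words of this structure are rewritten, and by which break". The script below is an added example, written for this page; it is not RCER's code and not FlexLM or calcseed code. It assumes only the listing format used in the post ("Nth break @ <function>" headers followed by "<address> <hex bytes>" dump lines), parses it, and reports the 32-bit little-endian words that change between consecutive breaks and the words that stay constant across every break. The embedded sample is the 1st, 5th and 9th breaks copied from the post (the other breaks in the post repeat the bytes of one of those three).

```python
"""Diff successive memory snapshots from a debugger breakpoint listing.

Added example for this page; not part of the forum post above and not
FlexLM/calcseed code.  It reads the listing format the post uses
("Nth break @ <function>" headers, then "<address> <up to 16 hex bytes>"
dump lines), then reports which 32-bit little-endian words changed between
consecutive breaks and which stayed constant across all of them, so the
offsets a given function rewrites are visible at a glance.
"""
import re
import struct
from typing import Dict, List, Tuple

# Header lines such as "1st break @ _l_sg", "2n break @ ...", "4rd break @ ..."
HEADER_RE = re.compile(r"^\s*(\d+)\w*\s+break\s+@\s+(\S+)")
# Dump lines: an 8-hex-digit address followed by 1..16 hex byte pairs
DUMP_RE = re.compile(r"^\s*([0-9A-Fa-f]{8})((?:\s+[0-9A-Fa-f]{2}){1,16})\s*$")

# Sample input: the 1st, 5th and 9th breaks copied from the listing in the post.
SAMPLE = """\
1st break @ _l_sg
009C1C60 66 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
009C1C70 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
009C1CF0 04 00 00 00 19 C5 DA 14 36 2B DA 14 E8 D0 1C 89
009C1D00 CD 2B 88 95 C3 D1 84 C4 40 6D C0 7D 00 00 00 00
5th break @ _real_crypt_1
009C1C60 66 00 00 00 AF 00 5A 00 3F 54 64 BF 42 41 55 20
009C1C70 01 95 E0 3A 00 00 00 00 00 00 00 00 00 00 00 00
009C1CF0 04 00 00 00 19 C5 DA 14 36 2B DA 14 E8 D0 1C 89
009C1D00 CD 2B 88 95 C3 D1 84 C4 40 6D C0 7D 00 00 00 00
9th break @ _l_crypt_private
009C1C60 66 00 00 00 0E 00 00 00 FA 91 A1 7A 87 84 90 E5
009C1C70 C4 50 25 FF F8 FF FF FF 82 00 00 00 00 00 00 00
009C1CF0 04 00 00 00 19 C5 DA 14 36 2B DA 14 E8 D0 1C 89
009C1D00 CD 2B 88 95 C3 D1 84 C4 40 6D C0 7D 00 00 00 00
"""

Snapshot = Tuple[str, Dict[int, int]]  # (break label, {address: byte value})


def parse_listing(text: str) -> List[Snapshot]:
    """Group every dump line under the most recent break header."""
    snaps: List[Snapshot] = []
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            snaps.append((f"{m.group(1)} @ {m.group(2)}", {}))
            continue
        m = DUMP_RE.match(line)
        if m and snaps:
            base = int(m.group(1), 16)
            for i, byte in enumerate(m.group(2).split()):
                snaps[-1][1][base + i] = int(byte, 16)
    return snaps


def dwords(mem: Dict[int, int]) -> Dict[int, int]:
    """Little-endian 32-bit words at each 4-aligned address whose 4 bytes are all present."""
    out: Dict[int, int] = {}
    for addr in sorted(mem):
        if addr % 4 == 0 and all(addr + k in mem for k in range(4)):
            out[addr] = struct.unpack("<I", bytes(mem[addr + k] for k in range(4)))[0]
    return out


def diff_snapshots(a: Snapshot, b: Snapshot) -> List[Tuple[int, int, int]]:
    """(address, old, new) for every word present in both snapshots that differs."""
    da, db = dwords(a[1]), dwords(b[1])
    return [(addr, da[addr], db[addr]) for addr in sorted(da)
            if addr in db and da[addr] != db[addr]]


def changed_words(text: str) -> Dict[str, List[Tuple[int, int, int]]]:
    """Map "break A -> break B" to the words that changed between them."""
    snaps = parse_listing(text)
    return {f"{a[0]} -> {b[0]}": diff_snapshots(a, b) for a, b in zip(snaps, snaps[1:])}


def stable_words(text: str) -> List[int]:
    """Addresses whose word is present and identical in every snapshot."""
    views = [dwords(mem) for _, mem in parse_listing(text)]
    if not views:
        return []
    common = set(views[0]).intersection(*views[1:])
    return sorted(addr for addr in common if len({v[addr] for v in views}) == 1)


if __name__ == "__main__":
    for step, changes in changed_words(SAMPLE).items():
        print(step)
        for addr, old, new in changes:
            print(f"  {addr:08X}: {old:08X} -> {new:08X}")
    print("unchanged across all breaks:",
          " ".join(f"{a:08X}" for a in stable_words(SAMPLE)))
```

Run it on the full listing from the post (pasted into SAMPLE or read from a file) to get the per-break change list; the 1st-to-5th step shows four words being filled in at 009C1C64..009C1C70, and the 5th-to-9th step shows those same four rewritten plus two more at 009C1C74 and 009C1C78, while the block at 009C1CF0..009C1D0C never changes. The `$` anchor in DUMP_RE expects bare hex dump lines as shown in the post; if you paste straight from OllyDbg's dump window, strip its trailing ASCII column first or drop the anchor.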
