FlexLM v8.x - Problem while trying to retrieve both encryption seeds


OHPen
May 27th, 2009, 15:02
Hi,

Currently I'm having problems with an application which is protected with FlexLM v8.x. Usually I have a very simple way to detect the encryption seeds manually, but for this target it does not work.

Because it is not allowed to post links, I just want to ask whether somebody is able to obtain the seeds. I'm not interested in the seed values directly, more in the way you extract them from this application.

If somebody wants to try it, please send me a PM. I will send you the download link from the vendor.

Regards,
OHPen.

FoxB
May 28th, 2009, 13:33
PM to me

OHPen
May 28th, 2009, 16:47
You got a PM.

flexlm
May 30th, 2009, 04:17
PM to me

tr1stan
May 30th, 2009, 08:06
Hi,

OHPen: I had a quick look into this app. It's indeed a bit weird. I think it's a modified version of flexlm (don't know if this is even possible). Or they have some sort of additional custom license checking. Anyway, none of the simple ways of finding encryption_seed1/2 seems to work.

My approach was:

1. Find l_sg() and retrieve the seeds out of the vendor code structure before/after the first call to l_sg() -> not working.
2. Search for 3D4DA1D6h in the app and set a breakpoint on every spot, because this is the default magic value to clear the seeds -> not working. This is a bit strange: the app checks out a default trial license on startup if no valid license is available. But this version of flexlm behaves differently in hiding the seeds from other versions I know of.
3. Set a breakpoint on l_private_key, which should generate/check the real signature. I got some signatures, but nothing seems to work.

Well, I hadn't enough time digging deeper to solve this one. Maybe someone else has more luck/time.

tr1stan

OHPen
May 30th, 2009, 08:16
That was exactly my problem. I agree with you that it seems to be a somehow modified version of flexlm. Never saw a version like this.

I will try to dig deeper...

NoFlexlm
May 31st, 2009, 21:32
It is very interesting, please PM me.

tr1stan
June 1st, 2009, 10:59
Ah, I forgot another "note":

If you start the app, it will show in the startup splash screen something like "demo mode" or "demo version".
I patched l_checkout to always return 0, which seems to work. The splash screen didn't show demo anymore.
But it simply crashed a few seconds later. As it's not the best way to crack this one, it could be a quick solution to patch l_checkout and any additional checks to have a working copy.

tr1stan

CrackZ
June 1st, 2009, 17:47
PM me as well.

I recall that more recently built FLEXlm targets (I'm thinking of stuff like Geoslope.GEOStudio off the top of my head) won't ever perform the old style checkout without patches.

Even after patching, I remember the seeds 1 & 2 I recovered were actually the same (it felt almost like the old checkout was never intended to be executed). I didn't dig into it much past that, but you have re-awakened my interest.

Regards,

CrackZ.

OHPen
June 2nd, 2009, 04:21
Now every one of you guys has a PM. Looking forward to your opinion regarding the target.

PS: Sorry for the size of the download (160 MB), but the application consists of many modules with dependencies, so you will have to download the application in order to study it.

PPS: I recommend installing the application in a virtual machine because it can be difficult to remove. Just a recommendation, AND NO, it's not a virus, it's a commercial application.

Regards,
OHPen

OHPen
June 2nd, 2009, 07:49
This is a camouflaged license file of the application. Usually I would say there must be a vendor daemon called XXX.EXE, but there isn't.

Is it possible to use a vendor daemon with a different name than specified in the license file?

VENDOR XXX
PACKAGE Blah XXX 1.000 COMPONENTS="XXXNg_Base:1.000 \
XXXNg_YYYYProject:1.000" OPTIONS=SUITE SIGN=0000000000
INCREMENT BlahProTrial XXX 1.000 permanent uncounted HOSTID=ANY \
SIGN=0000000000


Regards,
OHPen

RCER
June 2nd, 2009, 09:15
Hi OHPen,

Can you PM me a link as well?

Regards

RCER

OHPen
June 2nd, 2009, 10:23
done

tr1stan
June 2nd, 2009, 11:42
I haven't looked much further, but my guess is that if you choose the activation via fax you have to enter the signature and a custom serial string.
I guess the app builds a license line in a temp buffer like:

INCREMENT BBBPro XXX 1.000 permanent uncounted VENDOR_STRING="your serial" HOSTID=(ANY or your host id) SIGN="your activation signature".

It could be the path to reverse the actual license generation/checking...

tr1stan

FoxB
June 2nd, 2009, 12:46
VENDOR_STRING="049-12-34567890-xyz" - the number is a phone number, the ASCII part I don't know - maybe a checksum, etc.

OHPen
June 3rd, 2009, 04:35
@tr1stan:

Probably you are right, but we should also be able to solve the problem by following the code from parsing a license file while trying to add a new feature by license file.
Very unlikely that both licensing modes use different methods to check the license...

OHPen
June 3rd, 2009, 18:13
Just finished a long session on the target...

I was able to patch the application. Now it is running in ProMode, but with any feature installed. Moreover, there are separate modules which seem to have additional flexlm checks.

I think that my current method is not very good. Probably I will miss a few checks, so I'm still searching for a better solution.

Tell me if you guys managed to fully deconstruct the flexlm license checking.

I will be on vacation for a week now, so don't worry about me not answering. Will be back in a few days.

Really an interesting target in my opinion; the last 4 hours went by that fast.

Hope to see some of your results when I'm back,
Regards,
OHPen.

NoFlexlm
June 3rd, 2009, 23:40
I have got the two right seeds. No strange thing here. It is just like other flexlm targets.

But you need to update the *.lic files under %Program Files%\common files\EIBA sc\License, and remove the INCREMENT line in the *_demo.lic file. Then the program will check your license, and you can get the vc and job structure.

Good Luck!

OHPen
June 10th, 2009, 07:42
Hey,

Finally I was able to extract all that was needed. This is a good moment to say thank you to all the people who helped me with that. Thanks a lot!

As mentioned before, now it seems not to be a special application in terms of flexlm modification, but more in terms of an unusual way of checking the licenses. Moreover, the application has its own server installed which checks live whether licenses are removed, added or modified.

In my opinion a very bloated measure to handle licenses, anyway.

Currently, a part of my working license looks like that:

Code:

VENDOR XXXX
FEATURE BlahBlahPro BLAHDAEMON 1.000 permanent uncounted VENDOR_STRING="LN \
000-00-00000000" HOSTID=DISK_SERIAL_NUM=XXXXXXXX \
SIGN=XXXXXXXXXXXX


I was not able to get any other type of license running. But this works for all features if you add additional feature lines.

The Vendor-String seems to be more or less useless and is nothing more than customer watermarking of a license line.

It was an interesting target. Thank you all.

Regards,
OHPen
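As an added illustration (not code from the thread), a small Python parser for the license-line format quoted in the posts above: it joins the backslash continuations, including the one that falls inside the quoted VENDOR_STRING, then separates the positional fields from the KEY=VALUE options. The sample license text is constructed from the camouflaged lines posted in this thread; the field names are the standard FlexLM ones.

```python
import shlex
# Constructed sample, modelled on the camouflaged license lines posted in this thread
SAMPLE_LIC = """VENDOR XXX
PACKAGE Blah XXX 1.000 COMPONENTS="XXXNg_Base:1.000 \\
XXXNg_YYYYProject:1.000" OPTIONS=SUITE SIGN=0000000000
INCREMENT BlahProTrial XXX 1.000 permanent uncounted HOSTID=ANY \\
SIGN=0000000000
FEATURE BlahBlahPro BLAHDAEMON 1.000 permanent uncounted VENDOR_STRING="LN \\
000-00-00000000" HOSTID=DISK_SERIAL_NUM=XXXXXXXX \\
SIGN=XXXXXXXXXXXX
"""
FIELDS = ["name", "vendor", "version", "expiry", "count"]  # positional, before KEY=VALUE options
POSITIONAL = {"VENDOR": FIELDS[:1], "PACKAGE": FIELDS[:3],
              "FEATURE": FIELDS, "INCREMENT": FIELDS}

def join_continuations(text):
    """Join backslash-continued lines; the backslash may sit inside a quoted value."""
    logical, buf = [], ""
    for line in text.splitlines():
        if line.rstrip().endswith("\\"):
            buf += line.rstrip()[:-1]  # drop the backslash, keep the space before it
            continue
        buf += line
        if buf.strip():
            logical.append(buf.strip())
        buf = ""
    if buf.strip():  # a trailing continuation with no following line
        logical.append(buf.strip())
    return logical

def parse_line(logical_line):
    """Positional fields first, then KEY=VALUE options; quotes keep their spaces."""
    toks = shlex.split(logical_line)
    kind, rest = toks[0], toks[1:]
    names = POSITIONAL.get(kind, [])
    entry = {"type": kind, "options": {}}
    entry.update(zip(names, rest))
    for tok in rest[len(names):]:
        key, _, value = tok.partition("=")  # first '=' only: HOSTID=DISK_SERIAL_NUM=...
        entry["options"][key] = value
    return entry

def parse_license(text):
    return [parse_line(line) for line in join_continuations(text)]

def host_locks(text):
    """Map each FEATURE/INCREMENT name to its HOSTID; ANY means not node-locked."""
    return {e["name"]: e["options"].get("HOSTID") for e in parse_license(text)
            if e["type"] in ("FEATURE", "INCREMENT")}
```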