 
FlexLM HOST ID
LaBBa
July 15th, 2009, 13:06
Hi
I wanted to know if there is a way to fake the HOST ID of FlexLM, so that if I have a licence I will be able to run it on some other machine.
If I can't fake it, what can I do to crack it so the licence I have will work?
BTW:
If I reinstall Windows on the host that the application worked on, does it cause a change to my host ID (the one that FlexLM computes)?
OHPen
July 15th, 2009, 13:31
Hi LaBBa,
No, it doesn't. The FlexLM host ID is nothing more than the MAC address of the first Ethernet device.
If you don't use an emulator, it won't change after a reinstallation of Windows.
BTW, if you don't want to patch the target, you can use such a MAC address emulator to emulate the FlexLM host ID on any machine you want to use the application on. This always works.
If you have no problem with patching, you can also patch the SIGN verification routine, and you will also not have any problem.
Regards, 
OHPen
LaBBa
July 15th, 2009, 13:45
Thanks ! 
I have tried to fake my MAC address using the SMAC application, and FlexLM reports that my node ID is not the same as for the licence.
I guess the host ID is more than just the MAC address...
Since this is FlexLM-net, how can I patch the ECC? Do I need to patch the server application for this?
OHPen
July 16th, 2009, 06:34
I'm pretty sure that the HOSTID is the MAC address. At least for FlexLM versions up to v9.x; I don't know what version your target is protected with.
If you are dealing with an old FlexLM target, then the ECC patch is nothing more than:
    xor eax, eax
    retn
I have no experience with FlexLM from v10.x and higher.
Regards, 
OHPen
PS: Probably your emulator is not working properly, or it is a bug.
LaBBa
July 16th, 2009, 07:00
What emulator are you using for this?
BTW:
This is a FlexNet v11 with a licence server that runs on 127.0.0.1.
I have installed the OS again, and before installing the OS I changed the time and date in the BIOS to the correct position.
The HOST ID is the same and the licence status is valid, but if I look in the log I see that it detects that the clock has been set back.
I found this: http://71.6.196.237/fravia/tsehp_safecast.htm
Macrovision used to do this kind of thing way back.
Now I'm investigating how I can do it without a low-level format.
Any advice?
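The "clock is set back" entry LaBBa sees in the log is the usual anti-rollback check in node-locked licensing: the software remembers the latest time it has accepted and refuses to run when the clock later falls behind that mark. The following Python is an added example, not code from this thread or from FlexNet, showing one way such a check is built: a high-water mark persisted in a state file, a tolerance for small NTP corrections, and a second signal that scans a directory for files whose modification time lies ahead of the current clock (a set-back clock leaves such files behind). The state file name, the tolerance value and the scenario in simulate() are assumptions made for the example.

```python
import json
import os
import tempfile

# Slack allowed before a backwards clock step counts as tampering (assumed value).
ROLLBACK_TOLERANCE = 5 * 60  # seconds


def load_high_water_mark(state_path):
    """Return the latest timestamp previously accepted, or 0.0 if none was recorded."""
    try:
        with open(state_path) as f:
            return float(json.load(f)["last_seen"])
    except (FileNotFoundError, ValueError, KeyError):
        return 0.0


def save_high_water_mark(state_path, ts):
    """Persist the latest accepted timestamp."""
    with open(state_path, "w") as f:
        json.dump({"last_seen": ts}, f)


def newest_mtime(directory):
    """Newest modification time among regular files below directory (0.0 if empty)."""
    newest = 0.0
    for root, _dirs, files in os.walk(directory):
        for name in files:
            try:
                newest = max(newest, os.stat(os.path.join(root, name)).st_mtime)
            except OSError:
                continue  # file vanished or unreadable; ignore it
    return newest


def check_clock(now, state_path, scan_dir=None, tolerance=ROLLBACK_TOLERANCE):
    """Return (ok, reason). Only an accepted check advances the high-water mark.

    now        -- current wall-clock time as a POSIX timestamp
    state_path -- file holding the high-water mark from earlier runs
    scan_dir   -- optional directory whose file mtimes must not be in the future
    """
    hwm = load_high_water_mark(state_path)
    if now + tolerance < hwm:
        return False, f"clock set back: now={now:.0f} is behind last_seen={hwm:.0f}"
    if scan_dir is not None:
        newest = newest_mtime(scan_dir)
        if newest > now + tolerance:
            return False, f"file mtime in the future: {newest:.0f} > now={now:.0f}"
    save_high_water_mark(state_path, max(hwm, now))
    return True, "ok"


def simulate():
    """Constructed scenario: two normal runs, a clock set back by an hour, then a
    future-dated file. Returns the ok flag of each check in order."""
    with tempfile.TemporaryDirectory() as tmp:
        state = os.path.join(tmp, "clock.json")   # assumed state file name
        data = os.path.join(tmp, "data")
        os.mkdir(data)
        t0 = 1_700_000_000.0                       # constructed "now" for the scenario
        results = [
            check_clock(t0, state, data)[0],         # first run: nothing recorded yet
            check_clock(t0 + 3600, state, data)[0],  # an hour later: still fine
            check_clock(t0, state, data)[0],         # clock put back an hour: rejected
        ]
        stamp = os.path.join(data, "stamp.bin")
        with open(stamp, "wb") as f:
            f.write(b"\x00")
        os.utime(stamp, (t0 + 86400, t0 + 86400))  # mtime one day ahead of "now"
        results.append(check_clock(t0 + 3600, state, data)[0])  # rejected by mtime scan
        return results


if __name__ == "__main__":
    print(simulate())  # [True, True, False, False]
```

The point for a defender is that the two signals are independent: the state file can be deleted by a reinstall, but the mtime scan still fires on any file the reinstall did not touch, and a check that stores its mark somewhere a format does not reach (the thread's guess for what FlexNet does below the MBR) survives even that.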
Aimless
July 16th, 2009, 09:30
Last I recall, v11 writes to your MBR (fuzzy, but I think that could be it).
Have Phun
LaBBa
July 16th, 2009, 12:24
I just got a PM saying that for v11.4 I can't patch the ECC, and I have v11.4 :-(
OHPen
July 16th, 2009, 17:03
What do you mean, you can't patch the ECC?
As long as the program is able to run, you can patch it to hell.
It's just a matter of time. Nothing more.
Can't you give us more detail about why you cannot patch the ECC on a v11.4 FlexNet target?
Regards, 
OHPen
Aimless
July 17th, 2009, 01:02
The ECC "implementation" on v9 of FlexLM was not proper. The ECC patch exploited that, and HENCE it could be patched. The guys have long since overcome the weakness in the "implementation" of ECC, and as such it no longer works (the patch does modify, but it has no effect). Hope that helps.
Have PHun
LaBBa
July 17th, 2009, 08:37
So the only thing left for me, before I will need a low-level format, is to find how it assigns the NodeID/HostID to my computer, so that I will be able to duplicate it to a VM.
I know already that it's not only the MAC address, because my VM was configured with the same MAC address.
I also know that the computer name is not relevant, because I got the same host ID with two different computer names.
Any ideas of what I can do? Or does anyone have information about how FlexNet v11.4 creates a node ID?
LaBBa
July 19th, 2009, 05:04
I have swapped the old HD with a new HD to check whether the NodeID/HostID changes, and guess what... FlexNet v11.4 uses the HD parameters as part of the NodeID/HostID...
I will need to look into nodeid.dll to see how it computes the ID.
LaBBa
July 20th, 2009, 00:40
Macrovision FlexNet DRM is very hard to reverse; they use polymorphic code like viruses do, which makes reversing it a lot harder.
I will keep trying my best to figure out how the host ID is calculated, and also to figure out how it recognizes that it has already expired even after a format.
Regards,
LaBBa.
rf1911
July 23rd, 2009, 00:35
A target that I was able to generate a full licence for actually ran 11.5 and, for the trial, wrote a registry key in software/classes/clid/D0DD...something with a value named "apartment" and stored the hard disk serial there. It also wrote to the MBR, but I haven't figured out what it writes. My approach to the trial is to find where the trial licence is created, then change the parameters like hostid=any and the feature right before the call that generates the keys, copy them to c:\flexlm\license.dat and add isserver=1 in the proper registry key.
Always worked for me.
SiGiNT
July 23rd, 2009, 02:16
There are at least 2 alternatives to the old ECC patch that can accomplish the same thing; do some research! The HOSTID can be any number of things, most often the MAC address, but it can also be your IP address, the disk serial number (never used these days), and of course also a dongle ID, and there are versions that will only accept a floating licence. FlexLM or NET is still defeatable if you research the target and related info. I have only seen the illegal writes to below the MBR in trial versions, and since it really screws up partition tables, I don't think M@crovision is using it, but they have licensed it to @lladin.
SiGiNT
rf1911
July 23rd, 2009, 06:05
@SiGiNT: You are right, my target does not use the MBR. After further research I found that the trial keys are issued only if:
1) The registry key software\classes\clsid\d00d...\apartment is not present
2) The last byte in a specific file is NOT decimal value 1
If both of the above are true, then my target creates the keys for a trial feature that will expire after 15 days for that machine, using the HD serial number (I'm sure, because I changed it and the challenge code changed too). Nothing is easier than modifying this right before the creation of the signs (feature and hostid=any and no expiration).
I don't know if other targets used this approach.
Thanks.
SiGiNT
July 23rd, 2009, 19:36
I'm impressed! As you see here many times, your brain is the best reversing tool that you can get; personally, I think I misplaced mine a while back!!
Damn, it has to be around here somewhere!
SiGiNT
LaBBa
July 24th, 2009, 00:52
Quote:
| Originally Posted by SiGiNT: disk serial number (never used these days), of course
| ......
| I have only seen the illegal writes to below the MBR in trial versions, and since it really screws up partition tables, I don't think M@crovision is using it
| SiGiNT
1. If I change the HD on my licensed computer, the host ID changes and the licence doesn't work any more, so I know that they do use it.
2. I have done a format and it still recognized that the time was set back; what do you think? I know this is in the MBR.
BTW:
I just found that Sysinternals has an application to spoof the HD ID; I will let you know if that helped.
Regards,
LaBBa.
LaBBa
July 26th, 2009, 04:09
Yes!! Good news!!
FlexNet v11.4 uses for the NodeID/HostID the MAC address of the first network card and the serial number of the HDD.
I have used VMware features to configure and set the MAC address to a static MAC address, and I have used the Sysinternals VolumeID tool to set a new ID on the VM HDD, and I got the same NodeID/HostID!!!!
Hope this will help more people in the future.
Regards,
LaBBa.
Marton
July 30th, 2009, 18:45
I see; this means that if we have a proper licence on one machine we can use it on a second one by changing the MAC address of the NIC and by changing the HDD serial number, am I right?
But what if I want to reset the 30 days in order to generate a new licence after the trial has expired? Is it possible?
LaBBa
July 31st, 2009, 09:09
You will need to do a low-level format and then reinstall everything.
I haven't yet found the sectors where it saves the trial counter...
SiGiNT
August 3rd, 2009, 08:55
Look for a very old post by Tesla; he describes it in detail. Look here: http://www.woodmann.com/forum/showthread.php?t=7462
SiGiNT
LaBBa
August 3rd, 2009, 16:12
Thanks SiGiNT!!! That was a very good thread! I will test this on my application and will report as soon as I can.
Regards,
LaBBa.
Woodmann
August 3rd, 2009, 18:22
Ultimate Boot CD should clean up any drive and make it fresh.
I like to overwrite the hard drive. Even the quick option takes hours.
Clear the MBR.
Format.
Partition.
Woodmann