FlexNet 11.1 target [Archive] - RCE Messageboard's Regroupment

EB00

January 8th, 2010, 07:07

Good day

I'm quite a beginner regarding FlexLM/FlexNet targets, so please forgive me if I missed the obvious. I'm working on a FlexNet target that comes with lmutil.exe, lmgr.lib and of course the binary including the license file check. In addition to that I have a valid license file.

With lmutil I found out that it uses FlexNet v11.1. I'm in posession of the FlexNet 11.4 sdk. Using IDA on the binary I was able to locate _lc_init and got the vendor name and vendor code struct data.

First question: Using a public tool to generate vendor keys I found out that the calculated vendor keys 1-4 totally differ from the data I got from the vendor code struct. Is that possible or did I just find crap?

I managed to find lc_checkout too, because immediately after failing the checkout, the app shows a messagebox, telling me so, so I just got there by ordinary string search. I created a dummy license file with just one valid feature and version. I know it uses the 12digit sign from the valid license file. Along with the feature name, the feature version and the hardcoded parameters the same vendorcode structure as found for lc_init are passed to lc_checkout.

What I wanted to do next is to recover the encryption seeds. From cracks tutorials I know that these are hidden and it's no longer seed1 = data[0] ^ vc5. I decided to follow the same steps as Dan did in Danflex ("http://www.woodmann.com/crackz/Tutorials/Danflex.htm"). So i placed a memory breakpoint on data[0] and after some copying it took me here:

Code:





00412EAF  |> 0FBE55 D8                MOVSX EDX,[BYTE SS:EBP-28]

00412EB3  |. D1E2                     SHL EDX,1

00412EB5  |. 0FBE45 D9                MOVSX EAX,[BYTE SS:EBP-27]

00412EB9  |. 0BD0                     OR EDX,EAX

00412EBB  |. 0FBE4D DA                MOVSX ECX,[BYTE SS:EBP-26]

00412EBF  |. C1E1 03                  SHL ECX,3

00412EC2  |. 0BD1                     OR EDX,ECX

00412EC4  |. 0FBE45 DB                MOVSX EAX,[BYTE SS:EBP-25]

00412EC8  |. C1E0 02                  SHL EAX,2

00412ECB  |. 0BD0                     OR EDX,EAX

00412ECD  |. 8B4D D4                  MOV ECX,[DWORD SS:EBP-2C]

00412ED0  |. 0FB641 0C                MOVZX EAX,[BYTE DS:ECX+C]

00412ED4  |. 33D0                     XOR EDX,EAX

00412ED6  |. 8B4D D4                  MOV ECX,[DWORD SS:EBP-2C]

00412ED9  |. 0FB641 0B                MOVZX EAX,[BYTE DS:ECX+B]

00412EDD  |. C1E0 08                  SHL EAX,8

00412EE0  |. 33D0                     XOR EDX,EAX

00412EE2  |. 3355 FC                  XOR EDX,[DWORD SS:EBP-4]

00412EE5  |. 8B4D D4                  MOV ECX,[DWORD SS:EBP-2C]

00412EE8  |. 0FB641 10                MOVZX EAX,[BYTE DS:ECX+10]

00412EEC  |. C1E0 10                  SHL EAX,10

00412EEF  |. 33D0                     XOR EDX,EAX

00412EF1  |. 8B4D D4                  MOV ECX,[DWORD SS:EBP-2C]

00412EF4  |. 0FB641 11                MOVZX EAX,[BYTE DS:ECX+11]

00412EF8  |. C1E0 18                  SHL EAX,18

00412EFB  |. 33D0                     XOR EDX,EAX

00412EFD  |. 8B4D 10                  MOV ECX,[DWORD SS:EBP+10]		<-- Vendorcode struct

00412F00  |. 3351 10                  XOR EDX,[DWORD DS:ECX+10]

00412F03  |. 8B45 10                  MOV EAX,[DWORD SS:EBP+10]

00412F06  |. 3350 0C                  XOR EDX,[DWORD DS:EAX+C]

00412F09  |. 8B4D 10                  MOV ECX,[DWORD SS:EBP+10]

00412F0C  |. 3351 04                  XOR EDX,[DWORD DS:ECX+4]		<-- data[0]

00412F0F  |. 8B45 10                  MOV EAX,[DWORD SS:EBP+10]

00412F12  |. 8950 04                  MOV [DWORD DS:EAX+4],EDX         <-- data[0] replaced by calculated value

A similar calculation is performed for data[1]. I was quite excited here and thought I had recovered the encryption seeds. So I edited lm_code.h and put my "recovered seeds", the vendor name and the vendor keys I got from the vendor key maker in there. As my target is using the 12digit sign as said before I put LM_STRENGTH_DEFAULT in there too. Then I recompiled the sdk which worked fine (after editing the vendor name in "makefile" too).

I then signed my dummy license file using lmcrypt.exe which produced a signed license file. But, as you might can imagine, it didn't work. :P

Rechecking lm_code.h I realized that it uses THREE different seeds:

#define LM_SEED1 0x...
#define LM_SEED2 0x...
#define LM_SEED3 0x...

I checked the impact of LM_SEED3 on the license file and it differs if I change the value of LM_SEEED3.

Now I am totally confused.

Do I have to recover three different seeds?

Is the code snippet above even related to seed recovery?

Do the different vendor keys have any impact on calculation of the correct SIGN value? (I think I read in some tutorial that it just depends on the encryption seeds and the vendor keys just have to be valid to be allowed to execute the tools like lmcrypt.exe)

Looking forward to your answers

EB00

January 8th, 2010, 13:15

Okay, I have now learned that recovered seeds have to be put into lmseeds.h as lmcrypt.exe would look there for the encryption seeds. If the cro feature is not used, only the first two (ENCRYPTION_SEED1, ENCRYPTION_SEED2) seeds are used. Usually this file is generated by the sdk from the LM_SEEDX values in lm_code.h, right?

EB00

January 8th, 2010, 15:15

Hi Rose,

I thought it's the other way round: Doesn't lmcyrpt.exe read the seeds out of lmseeds.h to sign the license files?

EB00

January 8th, 2010, 15:53

I do now know that the code snippet I pasted above does NOT reveal the real encryption seeds. The values I get for data[0] and data[1] that are rewritten to the Vendor struct differ with each run. I'm feeling that I am close but looking at the wrong side of the code

The values for data[0] and data[1] in the Vendor struct that gets pushed for lc_checkout are always the same. the values that are inserted into the struct by the code snippet above do always differ.

Update: Reading Dan's Essay again I realized that I hit the exactly correct location. The code snippet I pasted above is the xor code which basically does (quoted from Dan's essay):

Quote:

mask = vendorkey1 ^ vendorkey2 ^ dword const ^ vname hash ^ random

seed 1 = mask ^ vendorcode.data[0]

seed 2 = mask ^ vendorcode.data[1]

where :-

dword const = constant in the code

random = a 32-bit value composed of bytes at offsets +0xb +0x8 +0x13 and +0x9 of job

vname hash = a function of a vendor name checksum

Now Dan writes to reveal the real seeds simply make the "random" part 0 and grab the seeds at the end of the procedure. That's what I did and I think I got the correct seeds now. Still, I did not manage to create a valid license using lmcrypt

I'm still not sure where to put the values (lm_code.h or lmseeds.h) and what to recompile and when. In addition to that I totally rely on lmkg11.exe to produce correct vendor codes for my vendorname (which is correct 100%).

EB00

January 8th, 2010, 17:45

I did it

After doing another board search I found out that I have to put the defines for ENCRYPTION_SEED1-ENCRYPTION_SEED4 into lm_code.h (I now do know what you mean Rose

) Recompiling the sdk leads to a lmcrypt.exe that successfully generates correct license files for my target.

Thanks for reading my stuff, probably it's nothing new to you guys. For me I think it was helpful to write down what I found out so far. While posting here, things got a lot clearer to me.