FLEXLM SETTING BP (EXTRACTION SEEDS)


besoeso
October 5th, 2010, 08:37
I am learning this stuff but I have a problem. The debugger does not stop in the _l_n36_buff function.

Flexlm version: FLEXnet Licensing version v10.8.9.0 build 73735 i86_n3

My steps are:

1. Create dummy license.

SERVER COMPUTERNAME ANY
VENDOR LICPIFT
USE_SERVER
INCREMENT test LICPIFT 1 1-jun-2020 1 0123456789AB

2. My daemon is two files: lmgrd.exe and LICPIFT.exe.

I load lmgrd.exe in OllyDbg with the arguments -t computer_name 4 -c dummy.dat

3. Search for all occurrences of the constant 6F7330B8. I got two references.

a) 48225E address with this code

004811D0 /$ 55 PUSH EBP
004811D1 |. 8BEC MOV EBP,ESP
004811D3 |. 83EC 24 SUB ESP,24
004811D6 |. C645 F0 00 MOV BYTE PTR SS:[EBP-10],0
004811DA |. 33C0 XOR EAX,EAX
004811DC |. 66:8945 F1 MOV WORD PTR SS:[EBP-F],AX
004811E0 |. 8845 F3 MOV BYTE PTR SS:[EBP-D],AL
004811E3 |. C745 FC B8307>MOV DWORD PTR SS:[EBP-4],6F7330B8
004811EA |. C745 F4 00000>MOV DWORD PTR SS:[EBP-C],0
004811F1 |. C745 DC 00000>MOV DWORD PTR SS:[EBP-24],0
004811F8 |. C745 F8 03000>MOV DWORD PTR SS:[EBP-8],3
004811FF |. 68 00100000 PUSH 1000
00481204 |. 8B4D 08 MOV ECX,DWORD PTR SS:[EBP+8]
00481207 |. 51 PUSH ECX
00481208 |. E8 63A9FFFF CALL 0047BB70
0048120D |. 83C4 08 ADD ESP,8
00481210 |. 85C0 TEST EAX,EAX
00481212 |. 74 54 JE SHORT 00481268
00481214 |. 8B55 08 MOV EDX,DWORD PTR SS:[EBP+8]
00481217 |. 8B82 A0010000 MOV EAX,DWORD PTR DS:[EDX+1A0]
0048121D |. 8B88 F81C0000 MOV ECX,DWORD PTR DS:[EAX+1CF8]
00481223 |. 83B9 24050000>CMP DWORD PTR DS:[ECX+524],0
0048122A |. 74 3C JE SHORT 00481268
0048122C |. 8B55 10 MOV EDX,DWORD PTR SS:[EBP+10]
0048122F |. 52 PUSH EDX
00481230 |. 8B45 0C MOV EAX,DWORD PTR SS:[EBP+C]
00481233 |. 50 PUSH EAX
00481234 |. 8B4D 08 MOV ECX,DWORD PTR SS:[EBP+8]
00481237 |. 8B91 A0010000 MOV EDX,DWORD PTR DS:[ECX+1A0]
0048123D |. 8B82 F81C0000 MOV EAX,DWORD PTR DS:[EDX+1CF8]
00481243 |. 05 28050000 ADD EAX,528
00481248 |. 50 PUSH EAX
00481249 |. 8B4D 08 MOV ECX,DWORD PTR SS:[EBP+8]
0048124C |. 8B91 A0010000 MOV EDX,DWORD PTR DS:[ECX+1A0]
00481252 |. 8B82 F81C0000 MOV EAX,DWORD PTR DS:[EDX+1CF8]
00481258 |. 8B88 24050000 MOV ECX,DWORD PTR DS:[EAX+524]
0048125E |. FFD1 CALL ECX <-----_l_n36_buff FUNCTION
00481260 |. 83C4 0C ADD ESP,0C
00481263 |. E9 0F010000 JMP 00481377
..................
..................


Set breakpoint in the _l_n36_buff function.

BUT THE _l_n36_buff FUNCTION IS NEVER CALLED AT ADDRESS 0048125E.

b) 481260 address with this code

00481380 /. 55 PUSH EBP
00481381 |. 8BEC MOV EBP,ESP
00481383 |. 83EC 20 SUB ESP,20
00481386 |. C745 E0 00000>MOV DWORD PTR SS:[EBP-20],0
0048138D |. C745 E4 00000>MOV DWORD PTR SS:[EBP-1C],0
00481394 |. C745 E8 00000>MOV DWORD PTR SS:[EBP-18],0
0048139B |. C745 EC 00000>MOV DWORD PTR SS:[EBP-14],0
004813A2 |. C745 F4 00000>MOV DWORD PTR SS:[EBP-C],0
004813A9 |. C645 F0 00 MOV BYTE PTR SS:[EBP-10],0
004813AD |. 33C0 XOR EAX,EAX
004813AF |. 66:8945 F1 MOV WORD PTR SS:[EBP-F],AX
004813B3 |. 8845 F3 MOV BYTE PTR SS:[EBP-D],AL
004813B6 |. C745 FC B8307>MOV DWORD PTR SS:[EBP-4],6F7330B8
004813BD |. C745 F8 03000>MOV DWORD PTR SS:[EBP-8],3
004813C4 |. 6A 04 PUSH 4 ; /Arg4 = 00000004
004813C6 |. 8D4D E0 LEA ECX,DWORD PTR SS:[EBP-20] ; |
004813C9 |. 51 PUSH ECX ; |Arg3
004813CA |. 8B55 0C MOV EDX,DWORD PTR SS:[EBP+C] ; |
004813CD |. 83C2 0C ADD EDX,0C ; |
004813D0 |. 52 PUSH EDX ; |Arg2
004813D1 |. 8B45 08 MOV EAX,DWORD PTR SS:[EBP+8] ; |
004813D4 |. 50 PUSH EAX ; |Arg1
004813D5 |. E8 C6B00300 CALL 004BC4A0 ; \lmgrd.004BC4A0
004813DA |. 83C4 10 ADD ESP,10
004813DD |. C645 F3 00 MOV BYTE PTR SS:[EBP-D],0
004813E1 |. 8A4D F3 MOV CL,BYTE PTR SS:[EBP-D]
004813E4 |. 884D F2 MOV BYTE PTR SS:[EBP-E],CL
004813E7 |. 8A55 F2 MOV DL,BYTE PTR SS:[EBP-E]
004813EA |. 8855 F1 MOV BYTE PTR SS:[EBP-F],DL
004813ED |. 8A45 F1 MOV AL,BYTE PTR SS:[EBP-F]
004813F0 |. 8845 F0 MOV BYTE PTR SS:[EBP-10],AL
.......................
......................

Conclusion:

Breakpoint #1 is never hit.

I can't find the problem. What can I be doing wrong?

Target daemon attachments: http://www.4shared.com/file/RGabNwfK/DAEMONDUMMY.html

dirkmill
October 5th, 2010, 10:41
you're debugging the wrong executable

A picture is worth a thousand words:
http://i54.tinypic.com/2mr6r0w.png

cheers,

dirkmill

besoeso
October 5th, 2010, 11:12
@dirkmill

Thanks for your reply,

Can you post your dummy license?

dirkmill
October 5th, 2010, 14:44
I was actually using your file, signed version below
Code:
SERVER this_host ANY
VENDOR dgdgdfdf
INCREMENT test DgDgDfDf 1 1-jun-2020 1 1D5137D2161D


cheers,

dirkmill

besoeso
October 5th, 2010, 16:06
@dirkmill

Yes, working now. I got seed 1 and seed 2 unencrypted.

I am looking for feature names now.

Woodmann
October 5th, 2010, 16:52
PM each other.

We try to teach/learn here, not give out the answers.

Woodmann

dirkmill
October 5th, 2010, 17:15
@besoeso:
While I won't give you any direct pointers regarding feature names, I advise you to just (re)read the excellent articles hosted on the crackz sub-site right here; you're off to a good start already...

@woodmann
I value your role as our host here immensely, but I have to disagree with the implied statement of your last post.
I didn't give the OP any recipe; he knew his way around already, as can be seen from statements in his first post. He was just misguided in thinking that lmgrd (the host process for vendor daemons) was an ISV-supplied file and of interest.
Feel free to delete my post or this whole thread if you really disagree with that or still believe that me trying to point a new member in the right direction was "giving out the answers".

cheers,
dirkmill

P.S. All relevant hex values were already censored in the very first version of my reply here.

besoeso
October 5th, 2010, 17:25
@Woodmann

From your words:

I understand I must show what I learned in the thread and not in private messages.

besoeso
October 6th, 2010, 12:44
I follow the advice of member Woodmann.

I explain how I got the seed by doing this:

Locate the call to _l_n36_buff (inside _l_sg) and set breakpoint #1.

Set breakpoint #2 at the ret of _l_n36_buff.

Run the program & let it break. (@ 1st breakpoint)

Single step into the _l_n36_buff call (one step only!)

Locate the EB09 jmp

Set breakpoint #3, run the program and let it break.

Check the memory address inside ecx or edx (follow in dump). One of them will contain the location of the job structure. (Note that this new job structure starts with 00 00 00 00 instead of 66 00 00 00.)

Delete the 16 random bytes inside the job structure (starting @ job+04 and ending @ job+13) and replace them with "00".

Run the program and let it break at BP#2 ("break on RET", after returning from the call to _l_n36_buff).

Now look at the following stack locations (follow in dump):
- ESP+04: pointer to vendor name (name of vendor daemon)
- ESP+08: pointer to vendor code (which now will contain the clean seed 1 and 2)
- VC+04 = Seed1
- VC+08 = Seed2

Thanks, friend dirkmill, for your help.

besoeso
October 6th, 2010, 13:07
Find feature names.

I know:

lc_checkout ((LM_HANDLE_PTR job, const LM_CHAR_PTR feature, const LM_CHAR_PTR version, int nlic, int flag, const VENDORCODE_PTR key,int dup));

I am looking for feature and version here

I use the same dummy license and load the daemon in Olly with -t computer_name 4 -c dummy.dat

I search for the lm_checkout function.

I have found it at address 004838DF. You can see here:

I set a breakpoint on the call to lc_checkout, but it does not stop there.

What can I be doing wrong?

Woodmann
October 6th, 2010, 18:32
Howdy,

It was only a warning. So relax, all is good.

Woodmann