Found EP09 but the ECX and EDX addresses don't match a real RAM location

tEh
November 29th, 2010, 11:20
Hi Guys,
I'm trying out a FLEXlm seed-finding technique as per below and I find everything fine, but then when I look at the console on the right, ECX addresses a RAM location that does not exist and EDX = 00000000, see below:

My Steps are as so:

Create Dummy file:
SERVER [Computer's Name] ANY
VENDOR [Vendor Name]
USE_SERVER
INCREMENT test [Vendor Name] 1.0 1-jun-2020 1 0123456789AB

BP#1:
0041DB4C - FF15 B4C24C00 | CALL DWORD PTR DS:[4CC2B4] <----- (_l_n36_buff start?)

BP#2:

Not 100% sure on this? But I believe it is:
0041DC70 - C3 | RETN <----- (_l_n36_buff return?)

BP#3:
00444203 - EB 09 | JMP SHORT 0044420E <----- (Inside _l_n36_buff? Seems a bit far out to me...)

As I trace over BP#3 these values change:

From:

ECX: 0012FC85
EDX: 00000000

(On 4th click of Trace they change) To:
ECX: 002F4319
EDX: 00000000

Can anyone tell me what I'm doing wrong?
I'm looking for the Vendor Code and Job Location, but so far I just get those addresses.

Daemon&Dummy:
http://www.megaupload.com/?d=N6VB0AF6

Appreciate any help!
Cheers!

dirkmill
December 1st, 2010, 08:03
Your first BP is in the correct overall vicinity.

Try not to use besoeso's rather contrived technique and return to the classic writeup by Nolan Blender, "Zendenc FLEXlm 7.2 cracking information" (http://www.woodmann.com/crackz/Tutorials/Nolflex3.htm), hosted on this very site on CrackZ's FLEXlm page.

So forget about BP#2 and BP#3 and instead have a look at the relevant code (from the 9.2 source leak, but the general structure still applies up to the current 11.9):
Code:
#define L_UNIQ_KEY5_FUNC l_n36_buff
...

void
l_sg(
    LM_HANDLE * job,
    char * vendor_id,
    VENDORCODE * key) /*- l_sg means "signature vendor_key5" */
{
    unsigned long keys[4];
    char sig[SIGSIZE] = {'\0'};
    /*- If you change this, you must change it also in utils/lmnewgen.c */
    /*- unsigned long x = 0xa8f38730; v3.1 */
    /*- unsigned long x = 0x7648b98e; v7.0 */
    unsigned long x = 0x6f7330b8; /*- v8.x */
    extern void (*L_UNIQ_KEY5_FUNC)();
    unsigned long d0 = 0, d1 = 0;
    int i = SIGSIZE-1;

    if (( job->options->flags & LM_OPTFLAG_CUSTOM_KEY5) && L_UNIQ_KEY5_FUNC)
    {
        (*L_UNIQ_KEY5_FUNC)(job, vendor_id, key);
        return;
    }
...


You should be all set now.

cheers,
dirkmill

tEh
December 1st, 2010, 12:18
Thanks very much dirkmill,

I will try that now,
One or two questions if you don't mind?

Do I have to use IDA, or will Ollydbg follow the same steps? I am more comfortable with the Ollydbg interface. I ask because of this line:

Quote:
A search is done for a routine that does many calls to _time

I have tried many times in Ollydbg to find _time but without any luck. Does Olly actually disassemble the code the same as IDA does? IDA takes much longer to do (what seems to me like) the same operation...

Quote:
After the program loads and breaks at the entry point, a breakpoint is then set at 439019, and the stack examined at that point - I use dd esp to do that.

Is this "dd esp" a component inside of IDA?
Can the same be achieved in Olly?

Cheers!
tEh

EDIT:
I seem to have found the error of my ways: I have found arg_0, arg_4 and arg_8; the only one that has a value, however, is arg_4...

arg_0 dd offset unk_2F8248 <-- no idea what this means
arg_4 dd offset /*censored*/ ;/*censored*/ <-- shows vendor name where /*censored*/ is
arg_8 dd offset var_C4 <-- don't know what this is either

At the moment I'm just using the application included with the instructions on the CrackZ page; once I get that down I will try with my own daemon.

I'm debugging using IDA and the dummy license included, but I can't for the life of me identify where Nolan Blender finds:

302B70 - ptr to job structure
302CBC - ptr to vendor name
12CF98 - ptr to vendorcode structure

Apparently these live in ESP, ESP+4 and ESP+8 respectively. I have tried everything but can't find these.
Do I REALLY need to use SoftICE to recover these?

Cheers

CrackZ
December 3rd, 2010, 18:03
In answer to your questions.

i). Either IDA/Ollydbg will suffice for debugging purposes. I assume you are running the daemon using lmgrd and trust you aren't having a problem setting the appropriate breakpoint.

ii). IDA's FLIRT would be better if you want to explicitly identify _time.

iii). "dd esp" is a SoftICE command, or it is in the context of Nolan Blender's essay; it is used to show pointers on the stack. You can view similar information in any debugger.

iv). The address you are interested in is 41DB4C if you want to recover said pointers. At that point (before you trace over _l_n36_buff()) ECX points at the vendor code structure; I think EDX was the vendor name & EAX the job structure (double check those tho ;-)).

v). The seeds are 0x69xxxx61 & 0x14xxxx22.

Regards, CrackZ.

tEh
December 3rd, 2010, 19:25
Wow!

Thanks very much CrackZ, I never expected you to lend a hand. Thanks for the great run-down, and thank you for the seeds (I am going to work towards finding these values myself so I will know for future).

One thing I can't work out @ 41DB4C:
EAX = 002F4008 <- job structure
ECX = 0012CB2C <- vendorcode
EDX = ASCII "[VENDORNAME]"

EDIT: I'm an idiot, I just read Nolan's article again. I need to run dd (0012DB2C+4) and dd (0012DB2C+8) to get data[0] and data[1] respectively. I'm now searching for how to run dd(XXXXXXXX+X) in IDA to obtain data[0] and data[1].

I also need to run:
002F4008+8 :
002F4008+c :
002F4008+10 :

EDIT:
Nevermind!
It generated successfully!
Thanks very much CrackZ
Had to use lmcryptgui.exe as I didn't have the SDK.

Thanks again!
tEh

evaluator
December 7th, 2010, 05:57
Quote:
Thanks very much CrackZ I never expected you to lend a hand


Damn me if I'm wrong, but this phrase is so crazy (thus fun)..
Do you feel lights!?
This will be great for FAQ..

Quote:
Thanks for the great run-down, thank you for the seeds

Never mind, our forum is so unique, it can give SEEDs out.