View Full Version : Solaris 10 Flexlm tutorial


redhatjack
December 23rd, 2010, 11:38
Hi,

I can't seem to find much help in the world of Solaris debugging/decrypting to recover Flexlm encryption seeds.
The target system is Intel-based, running Solaris 10.
In the old days I would use Windows and IDA or OLLYDBG to recover V5 encryption seeds from the Solaris APP, but it seems now you must debug the application on the target Solaris system.

I found this file of interest: liblicmgr.so
http://www.redhatjack.com/ftp/liblicmgr.so
I can open this file with IDA, and in looking at it, it makes me think my version of Flex is 9.2.
My understanding is this file has the same function as lmgr9a.dll in Windows, which has the same function as lmcrypt. This makes me think this file is of no use for seed recovery...

My license is Node-Locked in the following format with only FEATURE lines:
FEATURE XYZ_FEATURE XYZVENDOR 1.000 01-Jan-0000 0 0123456789ABCDEF1234 HOSTID=12345678
This leads me to think I don't have a daemon file and that I need to debug the application.

I'm not looking for someone to hand over the seeds. I want to recover them myself. I'm looking for a good tutorial for seed recovery like "flexlm_7.x-11.4_seed_extraction.pdf" but for Solaris 10.


Solaris 10 comes with MDB, which I believe replaced ADB. Can it be used, or do I need to install DDD or some other debugger?


Thanks, Jack

tedshred
December 27th, 2010, 12:33
If you can determine what compiler was used to create your shared library, compile the Flexlm SDK 9.2 library on Solaris 10 Intel with the same compiler. Then create IDA FLIRT signatures for the Flexlm library. Then disassemble your shared library with the signatures loaded and hope the Flexlm function locations can be located.

MDB replaced ADB starting with Solaris 9, try using that.

redhatjack
January 1st, 2011, 21:26
tedshred,

1) determine what compiler; I have no idea what compiler was used or where to start looking to find out. I installed a new OS, "Solaris 10 x86", on my backup system and installed Studio 11 for the testing of Flexlm. My thoughts were to write a C program and link it to the .so file and call functions like lc_checkout and use MDB to debug.

2) compile the Flexlm SDK 9.2 library; I don't have a copy of the Flexlm SDK 9.2 library for the Solaris system, only Windows. If anyone has this please post...

3) IDA FLIRT signatures; I've never used FLIRT signatures before; I can Google this to get a better understanding. On Windows I use IDA 5.2 64 bit, because it's the only thing I know I can use to look at .ELF files. Just to guess, this would be used to find address/location info of functions that crossover and may be named something new, like lc_checkout to whatever, and with this I would then know where to place breakpoints in MDB. (My guess is signatures are unique to the compiler, since you didn't say v9.2 on Windows are the same as Solaris v9.2)

-------01/02/11--------UPDATE-------11:31PM--------------------------------------------------------------------

OK, using MDB to play with the .so file I get this:

>l_sg+0x11::dis
l_sg: pushl %ebp
l_sg+1: movl %esp,%ebp
l_sg+3: subl %0x14,%esp
skip a few
l_sg+0x11: movl $0x6f7330b8,%edi

I started MDB and set a breakpoint at l_sg+0x11 to see if it would break.
It did break; this is what I got:
> :s
mdb: warning: librtld_db failed to initialize; shared library information will not be available
mdb: target stopped at:
0xfef82094: incl %ecx
>:s
mdb: target stopped at:
0xfef82095: addb (%eax),%al


This means I'm in the right file... Finding "6F7330B8" means I'm in the right area...
If this was on Windows and OllyDbg I would locate the call to l_n36_buff (inside _l_sg) & set a breakpoint and so on. But it's not; I'm on Solaris using MDB. So anyone have any ideas as to what I'm looking at and what steps I should take next?



Thanks Jack