
View Full Version : Help with flexlm 10.1 license


naragorn
February 6th, 2012, 21:57
Hey, I've read a lot lately, but haven't found my type of license, which goes like this (this is a cracked license I found on the web):

FEATURE Urien_S2k MAPTEK 1.000 01-jan-2013 uncounted AC8FC346E630 \
VENDOR_STRING=2100000mk>j[FXWFGAEgTX_KA6G_qqBDR[CO?;EXK7BGM:PelqN6MF<V=WWjT`9CG2O8HVQbIXecfbm@a]HLN2Al2@00 \
HOSTID=ANY

So the questions are:

- How do I generate a license that contains Vendor:String?
- Is there a way to decrypt the vendor string?

Another issue I'm having is that I can't find features. I know I can search for "lm_ckout" and then I find lc_checkout, but where exactly should I look to get the feature names? (I've tried enabling FLEXlm diagnostics; it doesn't work.)

Hope someone can help me, thanks in advance.

CrackZ
February 7th, 2012, 08:49
Easy answers.

1. Lmcrypt will generate a license key with whatever information is in the license, so you can put whatever vendor_string you like and it will incorporate it into the license key.

2. Find lc_auth_data(). After license checkout succeeds it is virtually a nailed-on certainty that lc_auth_data() will be called to retrieve pointers to the various license fields; then it is simply a case of following your vendor_string to see how it's encoded.

3. Feature name and version is passed through the stack as arguments to lc_checkout().

If you have the vendor daemon drop me a privmsg.

Regards,

CrackZ.

istigatore
February 7th, 2012, 16:14
The vendor_string is encrypted with "3DES".....
And recovering the seeds from this vendor is very easy... The hard part is recovering the features inside the "vendor_string"...
P.S.: The license is not cracked, it is an old "viewer" license
-----------------------------------------------------------------------------------------------------
FEATURE viewer MAPTEK 1.000 permanent uncounted xxxxxxxxxxxxxxxxxxxx \
VENDOR_STRING=2100000mk>j[FXWFGAEgTX_KA6G_qqBDR[CO?;EXK7BGM:PelqN6MF<V=WWjT`9CG2O8HVQbIXecfbm@a]HLN2Al2@00 \
HOSTID=ANY
--------------------------------------------------------------------------------------------------------

The features inside the vendor_string are decrypted by the license administrator.. As you see, you can change the name of the feature, but you can't modify the vendor_string.....
.......

FoxB
February 9th, 2012, 04:52
The vendor daemon does not check the VENDOR_STRING. You need to RE the main target (client side) and search for the recovery sub.

naragorn
February 9th, 2012, 15:30
Quote:
[Originally Posted by istigatore;91826] The vendor_string is encrypted with "3DES".....
And recovering the seeds from this vendor is very easy... The hard part is recovering the features inside the "vendor_string"...
P.S.: The license is not cracked, it is an old "viewer" license
-----------------------------------------------------------------------------------------------------
FEATURE viewer MAPTEK 1.000 permanent uncounted xxxxxxxxxxxxxxxxxxxx \
VENDOR_STRING=2100000mk>j[FXWFGAEgTX_KA6G_qqBDR[CO?;EXK7BGM:PelqN6MF<V=WWjT`9CG2O8HVQbIXecfbm@a]HLN2Al2@00 \
HOSTID=ANY
--------------------------------------------------------------------------------------------------------

The features inside the vendor_string are decrypted by the license administrator.. As you see, you can change the name of the feature, but you can't modify the vendor_string.....
.......


I can't change the "Feature"; it gives me "Invalid (Inconsistent) License Key". I generated a license through lmcrypt, using the FlexLM 10.8 SDK, compiled by me, using the following data; hope you can tell me if these keys are the correct ones.

#define VENDOR_KEY1 0x52d1fe87
#define VENDOR_KEY2 0x3c84376a
#define VENDOR_KEY3 0x8bc3d020
#define VENDOR_KEY4 0x5aee1fa8
#define VENDOR_KEY5 0x677960f1
#define VENDOR_NAME "MAPTEK"
#define LM_SEED1 0x1903D0BF
#define LM_SEED2 0x6D6F88E7
#define LM_SEED3 0x6D6FD0BF
#define TRL_KEY1 0x613c728c
#define TRL_KEY2 0xd568c8f7

Also, in lm_code.h it asks for PUBLISHER_ID; should I leave it at 1?

So, is there no way to get the feature names?
Or get the encryption key for the Vendor String?

FoxB
February 10th, 2012, 03:19
You need to use
#define ENCRYPTION_SEED1 0xXXXXXXXX
#define ENCRYPTION_SEED2 0xXXXXXXXX

instead of
#define LM_SEED1 0x1903D0BF
#define LM_SEED2 0x6D6F88E7
#define LM_SEED3 0x6D6FD0BF

Your target uses the old type of licensing.

PS: can you share your target software?

naragorn
February 10th, 2012, 04:14
I could indeed, just tell me where to upload it.

FoxB
February 10th, 2012, 04:49
rapidshare, sendspace, etc.

istigatore
February 10th, 2012, 06:23
FoxB
The vendor daemon checks only whether the license is valid or not......
naragorn
The crypted routine of the vendor_string is present in the exe files (over 200) and in the license administrator....
To recover the routine you need to reverse the license administrator or the main exe file...
The license is old style; to build the vendor you need only the 2 encryption seeds.....
But that is not enough to make the program work..
P.S.: the protection is: dongle + FlexLM license.

Good luck

FoxB
February 10th, 2012, 06:58
The vendor daemon has FlexLM v8.0d; as a result, the license can be locked at ANY hostid.
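
Added example, not part of any post in this thread: a license administrator's audit of FEATURE lines in the layout quoted above, flagging entries that are not node-locked, uncounted or non-expiring. The sample file, feature names, vendor name, keys and vendor string are constructed placeholders, and the function names are hypothetical.

```python
import shlex

# Constructed sample in the layout of the FEATURE lines quoted in the thread;
# every name, key and vendor string here is a placeholder.
SAMPLE = """\
# constructed license file
FEATURE demo_viewer EXAMPLEVENDOR 1.000 permanent uncounted 0123456789AB \\
VENDOR_STRING="placeholder opaque data" \\
HOSTID=ANY
FEATURE demo_editor EXAMPLEVENDOR 2.000 01-jan-2013 4 BA9876543210 \\
HOSTID=0011223344ff
"""

def logical_lines(text):
    """Join backslash-continued lines; skip blank lines and # comments."""
    buf = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):
            buf += line[:-1] + " "
        else:
            yield buf + line
            buf = ""

def parse_feature(line):
    """Split a FEATURE/INCREMENT line into fixed fields and KEY=value options."""
    tok = shlex.split(line)
    if len(tok) < 7 or tok[0] not in ("FEATURE", "INCREMENT"):
        return None
    rec = dict(zip(("name", "vendor", "version", "expires", "count", "key"), tok[1:7]))
    rec["options"] = {k.upper(): v for k, _, v in (t.partition("=") for t in tok[7:])}
    return rec

def audit(text):
    """Return {feature name: [weak settings]} for every flagged entry."""
    findings = {}
    for line in logical_lines(text):
        rec = parse_feature(line)
        if rec is None:
            continue
        checks = [
            (rec["options"].get("HOSTID", "").upper() == "ANY", "not node-locked (HOSTID=ANY)"),
            (rec["count"].lower() in ("uncounted", "0"), "uncounted"),
            (rec["expires"].lower() == "permanent", "no expiry"),
        ]
        issues = [msg for hit, msg in checks if hit]
        if issues:
            findings[rec["name"]] = issues
    return findings
```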

naragorn
February 12th, 2012, 00:20
I've traced the decrypted vendor string. Now, is there a way for me to encrypt the vendor string, so I can modify it and generate a new vendor string?

I know it uses a dongle; I've already reversed that.