jedysat
August 28th, 2012, 07:55
Hi to all, and thanks for your work; it's a fantastic way to learn and study!
Now I need some suggestions.
I spent a lot of time studying FlexLM: I have read a lot of essays and tutorials and so on...
After that, I took an old piece of software (running on WinNT 4) with FlexLM ver 6.1 security. The daemon is statically linked.
I reversed it and found some interesting data:
.text:004127E1 push edi ; int
.text:004127E2 push eax ; void * <-- Pointer to vendorcode
.text:004127E3 push offset aSag_med ; "Sxx_xxd" <-- Vendor ID
.text:004127E8 push 0 ; int
.text:004127EA mov word ptr [eax], 4
.text:004127EF mov dword ptr [ebx+18h], 0E8293DF9h <-- seed1 xor k5 ????
.text:004127F6 mov dword ptr [ebx+1Ch], 4F76879Dh <-- seed2 xor k5 ???
.text:004127FD mov dword ptr [ebx+20h], 5AEBF45Eh <-- k1 ???
.text:00412804 mov dword ptr [ebx+24h], 976B6433h <-- k2 ???
.text:0041280B mov dword ptr [ebx+28h], 0CBBECDE0h <-- k3 ???
.text:00412812 mov dword ptr [ebx+2Ch], 8D11A713h <-- k4 ???
.text:00412819 mov word ptr [ebx+30h], 6 <-- FLEXLM VERSION
.text:0041281F mov [ebx+32h], si <-- PATCH E B.
.text:00412823 call lc_init
I looked at the vendorcode pointer and found the same data (00000004, 0E8293DF9h, 4F76879Dh ... etc).
So I searched for cmp xxx, 87654321h and voilà:
.text:0041B3A4 push eax
.text:0041B3A5 lea eax, [esi+9Ch]
.text:0041B3AB push eax
.text:0041B3AC push esi
.text:0041B3AD call _l_sg
.text:0041B3B2 add esp, 0Ch
.text:0041B3B5 cmp [ebp+var_34], 87654321h <-- -------- check seed1
.text:0041B3BC jz short loc_41B3C7
.text:0041B3BE cmp [ebp+var_30], 12345678h <-- ....seed 2
OK, that seems good: seed1=3EFE99B1 seed2=99A123D5.
Then:
3EFE99B1 xor E8293DF9 = D6D7A448 = V_K5
99A123D5 xor 4F76879D = D6D7A448 = V_K5
OK, seed1 & seed2 are correct... (maybe...)
So I took the FLEXlm SDK 7.2 and with the PGC vendor generator I got 5 vendor keys for version 7.
Put them all in lm_code and generate the license... too easy...
IT DOESN'T WORK!! License error, check for Flexid 8-xxxxxxxx bla bla
WHY???
Please, any suggestion, where is my error??
Thanks in advance.