Find FLEXlm 11.9 Encrypted Seed


Sany
December 24th, 2012, 04:59
Hello everybody,

I am new on this board, but I am not a newbie ;-)

I need a little bit of help with a FLEXlm 11.9 protected target. I have a valid original license file for my target, but I want to use the program on my laptop.
I searched this forum and found some threads; I just do not know whether the information is still current. The following I have found out with tutorials from Woodmann and CrackZ.

My license file has a FEATURE, permanent uncounted, locked to a host ID, with ONE_TS_OK and a SIGN= (128 bit?).
The FLEXlm SDK that I have is at the moment 11.6, from my last trial period, but I can't find a newer version of the SDK.

My target has an EXE file that loads a Licenser.dll; I traced over this when it loads the license file.

Okay, now I'm stuck on finding the encrypted seeds, or I'm stupid or blind.

Method #1

So, quoting CrackZ: "The default value to clean the seeds variable is 3D4DA1D6h. A lot of vendors are lazy or foolish and don't change this default value. So, a very easy way is just to search for the pattern 3D4DA1D6h in the disassembled code."

I find the constant "3D4DA1D6" in my Licenser.dll 8 times:
And when I trace over this, I find the vendor name in ASCII, but I don't see the seeds?

Code:

Search - References to constant 3D4DA1D6
597C708F MOV DWORD PTR SS:[EBP-1A0],3D4DA1D6
597C726A MOV DWORD PTR SS:[EBP-1A4],3D4DA1D6
597F04AF MOV DWORD PTR SS:[EBP-1A0],3D4DA1D6
597F068A MOV DWORD PTR SS:[EBP-1A4],3D4DA1D6
5981CA99 MOV DWORD PTR SS:[EBP-190],3D4DA1D6
5981CC78 MOV DWORD PTR SS:[EBP-194],3D4DA1D6
59848439 MOV DWORD PTR SS:[EBP-190],3D4DA1D6
59848618 MOV DWORD PTR SS:[EBP-194],3D4DA1D6


Is this method of finding Seed1 and Seed2 still current?

Method #2:
I located:
(5AA92503) _l_sg?! (C745 FC B830736F MOV DWORD PTR SS:[EBP-4],6F7330B8)

_l_n36_buff inside _l_sg :

5AA92578 |. 8B88 24050000 MOV ECX,DWORD PTR DS:[EAX+524]
5AA9257E |. FFD1 CALL ECX <= _l_n36_buff?
5AA92580 |. 83C4 0C ADD ESP,0C
5AA92583 |.- E9 0F010000 JMP 5AA92697


But I can't locate an EB09 jump...

Thanks for the help

Greets, Sany

FoxB
December 24th, 2012, 07:42
If your target uses a long SIGN, ENCRYPTION_SEED1/2/3/4 won't help you.

And LM_SEED1/2/3 you can't recover.

You need to make a patch for the public key verification.

Sany
December 24th, 2012, 08:00
Quote:
[Originally Posted by FoxB;93907]If your target uses a long SIGN, ENCRYPTION_SEED1/2/3/4 won't help you.

And LM_SEED1/2/3 you can't recover.

You need to make a patch for the public key verification.


Hello FoxB,

Okay, how can I recover LM_SEED1/2/3 for making a license? With the old known methods?

Now, the ECC patch for the Licenser.dll patches 12 bytes....

Whether my target uses a long SIGN, I don't know... here is a sample from the original demo license (censored):

Code:

FEATURE PKG_DEMO XXXX 1.0 permanent uncounted HOSTID=ANY \
vendor_info="XXXX Demo License" NOTICE="XXXX User" ONE_TS_OK \
SIGN="029A 26F3 6EC1 9A9E D841 38A3 24D0 EF1B ADA7 8014 2002 \
D6E2 D220 D230 B13E 5808 7D17 8FB6 2B27 95FE 5733"


Is this a long SIGN?

FoxB
December 24th, 2012, 08:53
SIGN="029A 26F3 6EC1 9A9E D841 38A3 24D0 EF1B ADA7 8014 2002 D6E2 D220 D230 B13E 5808 7D17 8FB6 2B27 95FE 5733" is a long SIGN.
Regarding lm_seed1/2/3: you can't recover the 96 bits of lm_seed1/2/3.
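A small parser for the FEATURE line format shown in this thread, added here as an example for a license administrator who wants to check which signature form a license file carries; it is not code from the thread or from FLEXlm. It assumes only the backslash line-continuation and quoting visible in the censored sample, and takes the 12-hex-digit value quoted later in the thread ("012345678912") as the short form, so anything longer is reported as long.

```python
import re

# Constructed sample in the shape of the censored FEATURE line quoted above:
# one logical line continued with trailing backslashes.
SAMPLE_LICENSE = '''FEATURE PKG_DEMO XXXX 1.0 permanent uncounted HOSTID=ANY \\
vendor_info="XXXX Demo License" NOTICE="XXXX User" ONE_TS_OK \\
SIGN="029A 26F3 6EC1 9A9E D841 38A3 24D0 EF1B ADA7 8014 2002 \\
D6E2 D220 D230 B13E 5808 7D17 8FB6 2B27 95FE 5733"
'''

# Assumption: the 12-hex-digit SIGN form mentioned later in the thread is the
# short form; any longer SIGN is classified as the long form.
SHORT_SIGN_HEX_DIGITS = 12

# One token: key="quoted value", key=value, or a bare flag such as uncounted.
_TOKEN = re.compile(r'(\w+)="([^"]*)"|(\w+)=(\S+)|(\S+)')

def join_continuations(text):
    """Fold backslash-newline continuations into single logical lines."""
    return [ln for ln in text.replace("\\\n", "").splitlines() if ln.strip()]

def parse_feature(line):
    """Parse one FEATURE line into positional fields, flags and key=value options."""
    parts = line.split(None, 5)
    if len(parts) < 5 or parts[0] != "FEATURE":
        raise ValueError("not a FEATURE line")
    rec = {"feature": parts[1], "vendor": parts[2], "version": parts[3],
           "expiry": parts[4], "flags": [], "options": {}}
    rest = parts[5] if len(parts) == 6 else ""
    for m in _TOKEN.finditer(rest):
        qkey, qval, key, val, bare = m.groups()
        if qkey:
            rec["options"][qkey] = qval
        elif key:
            rec["options"][key] = val
        else:
            rec["flags"].append(bare)
    return rec

def sign_info(rec):
    """Report the SIGN field's hex digit count, bit length and short/long form."""
    hexdigits = re.sub(r"[^0-9A-Fa-f]", "", rec["options"].get("SIGN", ""))
    return {"hex_digits": len(hexdigits), "bits": 4 * len(hexdigits),
            "long": len(hexdigits) > SHORT_SIGN_HEX_DIGITS}

def classify_license(text):
    """Return (feature name, sign info) for every FEATURE line in a license text."""
    return [(r["feature"], sign_info(r)) for r in
            (parse_feature(ln) for ln in join_continuations(text) if ln.startswith("FEATURE "))]

if __name__ == "__main__":
    for feature, info in classify_license(SAMPLE_LICENSE):
        print(feature, info)
```

On the sample above this reports 84 hex digits (336 bits) and classifies the SIGN as long, matching the reply.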

Sany
December 25th, 2012, 05:24
Quote:
[Originally Posted by FoxB;93909]SIGN="029A 26F3 6EC1 9A9E D841 38A3 24D0 EF1B ADA7 8014 2002 D6E2 D220 D230 B13E 5808 7D17 8FB6 2B27 95FE 5733" is a long SIGN.
Regarding lm_seed1/2/3: you can't recover the 96 bits of lm_seed1/2/3.


Hello, thank you for this information.

What can I do now? What does the ECC patcher do? It patches 12 bytes in my Licenser.dll...

Thank you

FoxB
December 25th, 2012, 07:33
The first stage for you is http://www.woodmann.com/crackz/Flexlm.htm

Aimless
December 25th, 2012, 08:20
Before you look at Flexlm, you must decide what you seek. Here are 2 items that people generally want:

1. Recover the correct keys and work with them

2. Patch the Flexlm-ed program(s) so that the solution works.


If you seek option 1 - recover the correct keys and work with them, you should note that most of the time, this will not be successful. Especially with the later versions (11 and above). This is because of the concept of LONG keys and introduction of ECC circa Flexlm 9/10. However, under special circumstances, you CAN recover the keys. The circumstances are:-

1. The programmer has decided NOT to use ECC (yes, you can turn it on and off)
2. The programmer has decided to use SHORT KEYS instead of LONG KEYS.

Even then, you'd have a tough time navigating the code woods. A good way to tell whether the programmer is using the SHORT key or LONG key is to open the EVALUATION license (assuming you have one) and check the necessary. Like I said - lots of heartache and lots of headache. Beware - trying to reverse engineer LONG keys with ECC protection is a surefire way to obtain divorce.... but let's not go there now.


If you decide on the second option, namely patching the FLEXlm-ed program, you have a chance. Note that ALL FLEXlm versions can run (even the latest 11x version) with SHORT keys and LONG keys. When you PATCH a FLEXlm program, what you are doing is FORCING the program to assume that verification via SHORT KEYS is what the programmer has requested. Where do you patch this? Well, like FoxB said, you'll have to check CrackZ's tuts. THEN you can apply the ECC patch to get rid of the same in the packed file. Either way, the protection is defeated, BUT still using a patch. THEN, in the license file, you can simply put in any number; 012345678912 works just fine.

Let us know where else you're getting stuck. If possible, we'll definitely guide you.

Have Phun