Log in

View Full Version : Vintage FlexLM Question

Dwayn
April 12th, 2013, 18:49
I've found a old (flex v6.0i) application I'd like to make some license for.

I thought it would be rather simple venture that I could do on my own. So I ignored all of the previous literature on the subject, and I've been reading through it using IDA. I like to think of myself as an ok static reverser.

In the main application I was surprised to see that the main application loading was very odd. It seems to load normally then it gets lost inside a dll somewhere. Its rather annoying.

I still think it should be relatively easy task because:

0) The protection is at least 10+ years old. (I've been coding longer than that!)

1) When I run "lmutil.exe lmhostid" I get the worlds easiest machine id, my mac address. On some occasions I've been able to get a host id of 'FFFFFFFFFFFF'
Code:


lmutil - Copyright (C) 1989-1998 Globetrotter Software, Inc.

The FLEXlm host ID of this machine is "ethernet-mac-address-here"


1.1) When I run "lmutil.exe lmver lmutil.exe" I get back "FLEXlm 6.0i (liblmgr.a)"

2) I've found a few license.dat files in the wild for this product that seem to contain information that will be useful later.

3) FlexGen exists, and giants have walked before me.


tldr; My normal approach of doing it on my own isn't working well with this one. I've scowerd this form and others, and have been reading up on FlexGen and am going to get serious about it in the next few days. Any wisdom on a good starting location. This is one of the amazing cases where there is so much on the subject I dont know where to start.

Thanks

edit: updated flexlm version
Woodmann
April 12th, 2013, 20:38
Have you read this: http://www.woodmann.com/crackz/Flexlm.htm

Woodmann
Dwayn
April 12th, 2013, 21:41
I've read it. I haven't made it through all of the tutorials yet :|

I've been lazy and have jumped right into using the FlexGen tool. I'm able to generate a license file, however I'm getting a odd error when I launch the exe.

Code:
Invalid (inconsistent) license key

 The license-key and data for the feature do no match.

 This usually happens when a license file has been altered

Feature: ...

License path:  ...

FLEXlm error: -8,103


I also get different vendor keys depending on which generator I use (FlexGen vs Flexvkg) but that doesn't seem to change my error message.

I think my Next step is to look at and compare my lmgr326a.dll and the FlexGen lmgr326a.dll.
Then I'll read the rest of the tutorials.

Thanks for the encouragement.
FoxB
April 13th, 2013, 11:00
upload your vendor daemon file
tedshred
April 13th, 2013, 15:17
With regard to the the problem of resolving your mac address, FlexLM version 6 will have a problem on newer Windows operating systems. To solve this problem on Windows XP, I added the the IPX/SPX protocol per the instructions at http://www.3drealms.com/tech/ipx.html. The local ethernet connection on your computer needs to be active as well.

The TCP/IP NetBIOS Helper service installed as a result of adding the IPX/SPX protocol might introduce a security problem if you have other computers connected locally, I'm not certain of this. I have this service on manual control and have it disabled when I'm not using it.
Dwayn
April 13th, 2013, 15:31
I've found another executable from the same vendor, and can generate keys using flexgen for that system with no problems. It interestingly shares exactly the same lmgr326a.dll as the other.

FoxB, as requested i've attached the daemon 2746 in this case its just a dll.

I've decoded the main exe and it essentially does the following:

Code:
    

dolicensecheck()

{

    //...//

    if ( lp_checkout(&FlexStruct, 0x201, "FEATURE1", "1.4", 1, 0, &returnedValue) )

    {

      if ( lp_checkout(&FlexStruct, 0x201, "FEATURE2", "1.4", 1, 0, &returnedValue) )

      {

        AfxMessageBox(lp_errstring(returnedValue, 0, 0), blab, bla);

        exit(-100);

      }

      // Set preferences

      // ... //

      lp_checkin(returnedValue);

    }

    else

    {

      // Set preferences

      // ... //

    }

    lp_checkin(returnedValue);

    if ( !lp_checkout(&FlexStruct, 0x201, "FEATURENAME3", "1.4", 1, 0, &returnedValue) )

      // Set preferences

      // ... //



}


From what I've found out lp_checkout() should return 0 on success.

Interestingly lp_checkout(FEATURE1) returns true, and lp_checkout(FEATURE2) returns true. Then I get the message


Code:


Invalid (inconsistent) license key

 The license-key and data for the feature do no match.

 This usually happens when a license file has been altered

Feature: FEATURE2

License path:  ...

FLEXlm error: -8,103


It is possible these errors are because I'm using FlexGen and not using lmcrypt?

Note: FEATURE names have been changed to protect the innocent. Also, after reading as much as I could on Flex I'm starting to enjoy it.
Dwayn
April 13th, 2013, 16:09
Quote:
[Originally Posted by tedshred;94531]With regard to the the problem of resolving your mac address, FlexLM version 6 will have a problem on newer Windows operating systems...


I'd considering the 0xFFFF mac addresses a feature. IPX? That brings back memories. I wonder what havoc that would cause on a modern network.
tedshred
April 13th, 2013, 20:29
You may be able to bypass the mac address problem by generating licenses with "HOSTID=ANY".

FlexGen may not generate valid licenses if the vendor has implemented custom vendor hostid or a vendor checkout filter.

Show an example license feature line template.
Dwayn
April 13th, 2013, 22:55
The HostID=any worked for one of the applications. I'm not sure what is happening with my target at the moment.
Quote:
[Originally Posted by tedshred;94535]Show an example license feature line template.

I don't have a valid license key for the app yet. This is my sample line:
Code:
FEATURE FEATURE1 REAL_VENDOR 1.4 permanent uncounted B8FC9F080D06 \

	HOSTID=ANY ISSUER=Team-Rebels/1999

I have managed to find a SDK, and will work with that a little later. The SDK helped as I now know the second parameter 0x201 is really (LM_RETRY_RESTRICTIVE | LM_RESTRICTIVE).

I'm now at a branch, Do you use the SDK to make a key w/o Team-Rebels help, or do I look deeper. I think some beer and sleep are in order first.
Aimless
April 14th, 2013, 20:30
Hello.

Some idea about old time Flexlm. Or, Flexlm in general. Flexlm can be broken in 2 ways (there are as many as you wish, but prima facie, all methods belong to either of these 2 primal categories):

1. You break the APPLICATION that is using the Flexlm licensing feature, and hence can use ANY license you want.

2. You generate a PROPER LICENSE for the APPLICATION that is using Flexlm licensing feature. Difficult unless you know where to look and what to look for.

For both these ideas, you may decide to peruse the link WOODMANN has placed above.

For the first one, understand how to modify the function in flexlm library and/or application by reading the tuts, OR download and use a FLEXLM APPLICAION PATCHER that does this for you. Basically, all the patcher does, is ensure that the application function that checks the licenses, does so using the old method (using the 12 characters) and ANY characters are applicable.

For the second one, I am afraid, you will have to learn to fish the various ids and numbers --- again, check the tutorials.

My advice is --- learn up the basic ways to crack Flexlm by reading the tuts and practicing on applications and their versions outlined in the tuts therein. Then, you can decide the branch you wish to take.

Have Phun
Dwayn
April 15th, 2013, 03:11
Greetings Aimless,


Thanks for the reply. You've summarized the Flex problem very well.

I've decided upon my trajectory, I'm going to learn more about Flex and others in more detail. I was lucky to find a old SDK with some good documentation and utilities. The problem I was having was due to the FlexGen signatures. When I started using the official tools everything worked like a charm.


There is something satisfying about getting the application to run without modification. I'm interested in the Application Patcher is this a way to fix the ECC problem I've read about?

Thanks everyone for the help and encouragement.
FoxB
April 15th, 2013, 08:23
tell us the vendor name - this is simply =)