[Help] FlexLM 11.10.1


daxgr
July 3rd, 2014, 02:46
Hi,

I am targeting a program that uses flexnet 11.10.1. Now I have read CrackZ's articles on the topic and some others but they are for old versions of flexlm. I also see in a post by arlequim that 11.10 has changed in regards to 11.9.

Now I already have a crack for this program (patched clients and license file (not patched vendor) ) but it is only for 4 executables (there are more protected by flexlm). I diffed the already cracked files and found a patched function that just returns 0.

Code:
.textidx:007AA7E0 push ebp
.textidx:007AA7E1 mov ebp, esp
.textidx:007AA7E3 sub esp, 0FCh
.textidx:007AA7E9 mov eax, dword_8E36F0
.textidx:007AA7EE xor eax, ebp
.textidx:007AA7F0 mov [ebp+var_24], eax
.textidx:007AA7F3 mov [ebp+var_1C], 0
.textidx:007AA7FA mov eax, [ebp+arg_0]
.textidx:007AA7FD mov ecx, [eax+1A8h]
.textidx:007AA803 mov edx, [ecx+1D18h]
.textidx:007AA809 cmp dword ptr [edx+560h], 0
.textidx:007AA810 jz short loc_7AA82F
.textidx:007AA812 mov eax, [ebp+arg_0]
.textidx:007AA815 mov ecx, [eax+1A8h]
.textidx:007AA81B mov edx, [ecx+1D18h]
.textidx:007AA821 mov eax, [edx+560h]
.textidx:007AA827 mov [ebp+var_E8], eax
.textidx:007AA82D jmp short loc_7AA838
.textidx:007AA82F ; ---------------------------------------------------------------------------
.textidx:007AA82F
.textidx:007AA82F loc_7AA82F: ; CODE XREF: sub_7AA7E0+30j
.textidx:007AA82F mov ecx, [ebp+arg_1C]
.textidx:007AA832 mov [ebp+var_E8], ecx
.textidx:007AA838
.textidx:007AA838 loc_7AA838: ; CODE XREF: sub_7AA7E0+4Dj
.textidx:007AA838 mov edx, [ebp+var_E8]
.textidx:007AA83E mov [ebp+arg_1C], edx
.textidx:007AA841 push 14h
.textidx:007AA843 mov eax, [ebp+arg_0]
.textidx:007AA846 push eax
.textidx:007AA847 call sub_766FE0
.textidx:007AA84C add esp, 8
.textidx:007AA84F cmp eax, 2655h
.textidx:007AA854 jnz short loc_7AA8D3
.textidx:007AA856 push 1Eh
.textidx:007AA858 mov ecx, [ebp+arg_0]
.textidx:007AA85B push ecx
.textidx:007AA85C call sub_766FE0
.textidx:007AA861 add esp, 8
.textidx:007AA864 cmp eax, 0D30Fh
.textidx:007AA869 jz short loc_7AA8D3
.textidx:007AA86B cmp [ebp+arg_0], 0
.textidx:007AA86F jz short loc_7AA8C9
.textidx:007AA871 mov edx, [ebp+arg_0]
.textidx:007AA874 cmp dword ptr [edx+80h], 0
.textidx:007AA87B jz short loc_7AA892
.textidx:007AA87D xor eax, eax
.textidx:007AA87F jz short loc_7AA892
.textidx:007AA881 mov ecx, [ebp+arg_0]
.textidx:007AA884 mov edx, [ecx+80h]
.textidx:007AA88A mov [ebp+var_EC], edx
.textidx:007AA890 jmp short loc_7AA89C
.textidx:007AA892 ; ---------------------------------------------------------------------------
.textidx:007AA892
.textidx:007AA892 loc_7AA892: ; CODE XREF: sub_7AA7E0+9Bj
.textidx:007AA892 ; sub_7AA7E0+9Fj
.textidx:007AA892 mov [ebp+var_EC], 0FFFFFF8Ch
.textidx:007AA89C
.textidx:007AA89C loc_7AA89C: ; CODE XREF: sub_7AA7E0+B0j
.textidx:007AA89C mov eax, [ebp+arg_0]
.textidx:007AA89F mov ecx, [ebp+var_EC]
.textidx:007AA8A5 mov [eax+80h], ecx
.textidx:007AA8AB push 0
.textidx:007AA8AD push 0FFh ; __int16
.textidx:007AA8B2 push 0 ; char *
.textidx:007AA8B4 push 0 ; int
.textidx:007AA8B6 push 21Bh ; int
.textidx:007AA8BB push 0FFFFFF8Ch ; int
.textidx:007AA8BD mov edx, [ebp+arg_0]
.textidx:007AA8C0 push edx ; int
.textidx:007AA8C1 call sub_746400
.textidx:007AA8C6 add esp, 1Ch


I assume this is the pubkey verify function?
When I applied the same patch to a DLL that gets loaded by 3 other protected EXEs, the error changed from "Bad encryption code" to this: "ERROR: License check failed!
No licenses '%%CENSORED_FEATURE%%' available.
License file doesn't support this version.
Looking for version %%VERSION%%"

What should I do next? From what I have read I need the FlexLM SDK 11.10.1, but I don't know under what name it exists to ask Google. Are there any essays on FlexLM 11.10.1 I can read?

EDIT: OK, I just changed the feature version and it accepted it. But now it throws an invalid key error for another feature. Does this mean the hex string next to the expiry date? The license has a long SIGN and SIGN2. I believe I have patched pubkey verify. Now I need encryption seed 1 and 2? Sorry for the questions, this is my first FlexLM.

EDIT2: I'm trying to debug with IDA and Olly, but the vendor daemon keeps raising exceptions inside _l_sg before the _l_n36_buf call... I need help to bypass this. Is this an anti-debugging trick by the daemon?

CrackZ
July 3rd, 2014, 16:16
That function is _lc_checkout(). I very much doubt there is any anti-debugging.

If you want to discuss a specific target, it would be best to do so in private.

Regards,

CrackZ.

daxgr
July 3rd, 2014, 17:07
That's great, thanks. PM sent.

free_sim
December 25th, 2014, 01:47
Hi Daxgr,

I also have a similar problem. I need to know where l_pubkey_verify() is in FlexLM 11.10.

Could you please share some updates here, or drop me a mail at sim_eda@hotmail.com?

Cheers,
Free_sim.

CrackZ
December 26th, 2014, 15:34
Either poster.

Please PM me or send me the protected program or vendor daemon and I will see if I can help.

Regards,

CrackZ.

free_sim
December 30th, 2014, 05:35
Hi CrackZ,

Thanks very much! I will send it through now. Cheers, Free_Sim.