View Full Version : Flexlm 11.9 in java target


mrvanity
October 23rd, 2014, 05:45
Hello.

I have a Java app using Flexlm 11.9 (I can see the version in FlexlmConstants.class).
After installing the application, a demo license is automatically created.
The license has a 10 day limit along with some reduced functionality of the application.
The license file is this (I removed the vendor name because I think it is not allowed here):
Code:
INCREMENT build.DM6 vendorname1.1 01-nov-2014 uncounted HOSTID=ANY \
ISSUER="SomeVendorname" NOTICE="Demonstration \
Version" SN=DEMO START=08-May-2014 SIGN="1B43 3A58 F925 4C40 \
AB4F 76A3 3181 6EF3 5284 E6F6 DD79 1663 514F 3EC0 3B3F 017B \
4B91 D9A3 ADD2 6222 BBFB 6EFC CB03 BFA8 FB24 E81E FE93 C87A \
3795 FCE5"
INCREMENT features.DM6 vendorname 1.1 01-nov-2014 uncounted \
VENDOR_STRING=permit_1stoption=UserControl;permit_2ndoption=UserControl;permit_3rdoption=UserControl \
HOSTID=ANY ISSUER="Meridian Technique Limited" \
NOTICE="Demonstration Version" SN=DEMO START=08-May-2014 \
SIGN="08E7 3928 F04B 5E6F 28CA 6F96 A296 7EDB D4BA F89B 8295 \
D33D 7B8D EF35 5C02 1EDB 2C5A E577 ACDB 1D08 1295 EDFE A322 \
91DA 033C E137 D827 9E6A 5D3A 2523"


LicenseInfo.class, which contains the vendor name and keys, is obfuscated. After deobfuscation I see the vendor name in clear text along with the FlexlmPublicKeys.
I also see Encryption, Vendor and CRO keys, but they are in decimal, not hex. Some keys have a minus symbol in front.
I think CRO is enabled, but taking a look at VendorInfo.class I see the following:
Code:
{
    String str = getVendorName();
    int[] arrayOfInt1 = decodeVendorKeys(false);
    int i = arrayOfInt1[3] ^ 0xA3EF0000;
    i >>= 16;
    i &= 65535;
    i -= (arrayOfInt1[3] & 0xFFFF);
    int j = arrayOfInt1[1] & 0x7F;
    arrayOfInt1[1] &= -128;
    if ((i != 0) || (j != l_c(arrayOfInt1)))
        throw new FlexlmException(-44, 7004);
    if ((arrayOfInt1[0] & 0x100000) == 0)
    {
        int k = arrayOfInt1[3] & 0xFFFF;
        FlexlmDate localFlexlmDate = new FlexlmDate(k);
        if (localFlexlmDate.isPast())
            throw new FlexlmException(-50, 7005);
    }
    if ((arrayOfInt1[2] & 0x800) == 0)
        throw new FlexlmException(-48, 7006);
    int[] arrayOfInt2 = getCroKeys();
    if (str.equals("demo"))
    {
        this.croEnabled = true;
        return;
    }
    if ((arrayOfInt2[0] == 0) || (arrayOfInt2[1] == 0))
        return;
    arrayOfInt1 = decodeVendorKeys(true);
    i = 0;
    for (int m = 1; m < 4; m++)
        i ^= arrayOfInt1[1] >> m * 8;
    for (int m = 0; m < 4; m++)
        i ^= arrayOfInt1[2] >> m * 8;
    if ((i & 0x7F) != (arrayOfInt1[1] & 0x7F))
        throw new FlexlmException(-44, 7007);
    this.croEnabled = true;
}


The part that intrigues me is this:
Code:
if (str.equals("demo"))
{
    this.croEnabled = true;
    return;
}

Is CRO enabled or disabled depending on the license?

I have read other topics about patching the pubkeyVerify function to always return "true" or the value of "2" to use the old license scheme.
This function exists in PriKey.class.

Code:
package com.macrovision.flexlm.lictext;

import com.certicom.ecc.jcae.Certicom;
import com.certicom.ecc.scheme.ECDSA;
import com.certicom.ecc.system.SystemConfig;
import com.certicom.ecc.util.Conversion;
import com.macrovision.flexlm.FlexlmConstants;
import com.macrovision.flexlm.FlexlmException;
import com.macrovision.flexlm.VendorInfo;
import java.io.PrintStream;
import java.security.InvalidKeyException;
import java.security.KeyFactory;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.PublicKey;
import java.security.Security;
import java.security.Signature;
import java.security.SignatureException;
import java.security.spec.InvalidKeySpecException;
import java.security.spec.X509EncodedKeySpec;
import javax.security.spec.ECRawPublicKeySpec;
import javax.security.spec.F2mParameterSpec;

public class PriKey
    implements FlexlmConstants
{
    static final String CVSId = "$Id";
    protected static String certicomName;
    protected static final String signatureAlgorithmName = "ECDSA";

    public static boolean pubkeyVerify(byte[] paramArrayOfByte1, byte[] paramArrayOfByte2, VendorInfo paramVendorInfo, int paramInt)
        throws FlexlmException
    {
        System.setProperty("JDK_1_3_Compatibility", "YES");
        String str1 = initCerticom();
        if (str1 == null)
            throw new FlexlmException(-514, 4026);
        SystemConfig localSystemConfig = SystemConfig.getConfig();
        localSystemConfig.setConformance(16);
        localSystemConfig.setPtCompression(2);
        localSystemConfig.setFormat(10);
        switch (paramInt)
        {
        case 2:
            break;
        case 3:
            localSystemConfig.setCurve("sect163k1");
            break;
        case 4:
            localSystemConfig.setCurve("sect239k1");
            break;
        default:
            throw new FlexlmException(-515, 4027);
        }
        PublicKey localPublicKey1 = paramVendorInfo.getPublicKey(paramInt);
        if (localPublicKey1 == null)
            throw new FlexlmException(-515, 4028);
        byte[] arrayOfByte = localPublicKey1.getEncoded();
        PublicKey localPublicKey2 = null;
        ECRawPublicKeySpec localECRawPublicKeySpec = null;
        X509EncodedKeySpec localX509EncodedKeySpec = null;
        boolean bool;
        try
        {
            KeyFactory localKeyFactory = KeyFactory.getInstance("ECDSA");
            if (paramInt == 2)
            {
                ECDSA.setThreadOldHashTruncate(true);
                int[] arrayOfInt = { 9 };
                String str2 = "1.3.132.0.4";
                F2mParameterSpec localF2mParameterSpec = new F2mParameterSpec(
                    Conversion.HexString2OS("3088250ca6e7c7fe649ce85820f7"),
                    Conversion.HexString2OS("e8bee4d3e2260744188be0e9c723"),
                    Conversion.HexString2OS("10e723ab14d696e6768756151756febf8fcb49a9"),
                    Conversion.HexString2OS("9d73616f35f4ab1407d73562c10f"),
                    Conversion.HexString2OS("a52830277958ee84d1315ed31886"),
                    Conversion.HexString2OS("100000000000000d9ccec8a39e56f"),
                    2, 113, arrayOfInt, str2);
                localECRawPublicKeySpec = new ECRawPublicKeySpec(arrayOfByte, localF2mParameterSpec);
                localPublicKey2 = localKeyFactory.generatePublic(localECRawPublicKeySpec);
            }
            else
            {
                localX509EncodedKeySpec = new X509EncodedKeySpec(arrayOfByte);
                localPublicKey2 = localKeyFactory.generatePublic(localX509EncodedKeySpec);
            }
            Signature localSignature = Signature.getInstance("ECDSA", str1);
            localSignature.initVerify(localPublicKey2);
            localSignature.update(paramArrayOfByte1);
            bool = localSignature.verify(paramArrayOfByte2);
        }
        catch (NoSuchAlgorithmException localNoSuchAlgorithmException)
        {
            throw new FlexlmException(-515, 4029);
        }
        catch (InvalidKeySpecException localInvalidKeySpecException)
        {
            throw new FlexlmException(-515, 4030);
        }
        catch (InvalidKeyException localInvalidKeyException)
        {
            throw new FlexlmException(-515, 4031);
        }
        catch (NoSuchProviderException localNoSuchProviderException)
        {
            throw new FlexlmException(-515, 4032);
        }
        catch (SignatureException localSignatureException)
        {
            throw new FlexlmException(-515, 4033);
        }
        return bool;
    }

    protected static String initCerticom()
    {
        if (certicomName != null)
            return certicomName;
        Certicom localCerticom = new Certicom();
        if (Security.addProvider(localCerticom) < 0);
        certicomName = localCerticom.getName();
        return certicomName;
    }

    public static void printBytes(byte[] paramArrayOfByte)
    {
        for (int i = 0; i < paramArrayOfByte.length; i++)
        {
            System.out.print(Integer.toString(paramArrayOfByte[i] & 0xFF, 16));
            System.out.print(" ");
        }
    }

    public static void printBytes(String paramString, byte[] paramArrayOfByte)
    {
        System.out.print(paramString + " = { ");
        printBytes(paramArrayOfByte);
        System.out.println(" }");
    }
}


How do I patch that damn thing?
I also read that I can patch the target to validate any license regardless of whether the SIGN is correct or not.
Also that it is possible to remove all calls to Flexlm in Java.

My previous experience with Flexlm was in a C# application where I NOPed the call to Flexlm, and the application loaded without license verification.

Can you give me a hint on how to proceed?

My best regards.

(Is it normal that I cannot find the Flexlm daemon?)