Together v5.0 -- Java FlexLM license protection


Solomon
May 8th, 2001, 04:05
Target: h**p://164.109.49.29/files/products/together/controlcenter/1340/windows/together.exe (53MB, written in Java)

This one either needs a 15-day Eval license file named "eval_license.lic", which will be mailed to you after you register on their site for downloading, or a FlexLM license server (v7.2d), according to "flexlm.config".

Here is my eval_license.lic:
FEATURE TogetherControlCenterEval together 5.0204 23-may-2001 \
uncounted BBFE2D15F78F HOSTID=DEMO

I have checked C:\Together5.0\lib\misclib.zip. It contains a package named "flexlm", which seems to be the Java implementation of FlexLM (I have decompiled the whole package). But I can't locate the place where this package is referenced, coz there are too many *.class files. (I have decompressed C:\Together5.0\lib\together.jar and searched in this jar for "flexlm", but no useful info.)

So my question is: How to locate the 15-day check?
If so we can patch it or make a valid license file.

Thx for your help.

EVC_ViPeR
May 8th, 2001, 21:24
I only have one experience with FlexLM using Java. If you found the folder flexlm, extract the file 'license.class'. Decompile it with JAD and there should be a function named 'checkout()'; modify it to just return 0, recompile it and put it back into the jar file. This is just a hint based on another target. Hope this helps.

EVC_ViPeR

Solomon
May 8th, 2001, 23:47
Thank you for your guidance. I will try it.

BTW: Many ppl think highly of this UML tool. They compare it with Rational Rose.

crkr
May 11th, 2001, 03:30
Quote:
Solomon (05-07-2001 18:05):
Here is my eval_license.lic:
FEATURE TogetherControlCenterEval together 5.0204 23-may-2001 \
uncounted BBFE2D15F78F HOSTID=DEMO


Hmm.
Decompiling with jad gives a file named 'zx.jad' where you can find the following:

========================================================

public zs j() // starting at line 551
{

    // ...

    aj = new zah(af, x, y, ab, ac, ad, ae);
    ao = an;

    // ...

    int j1 = 1;
    int k1 = aj.a(1, al, am, j1, c(ao));

    // ...

    if(k1 == 0)
    {
        // good guy :-)
        // ...
    } else
    {
        // bad guy :-(
        // ...

        bb = aj.c();
        IdeMessageManagerAccess.getMessageManager().getDefaultPage().printMessage(3, " License checkout failed: " + e());
        if(n)
            System.out.println(a(true) + " License checkout failed: " + e());
        aj = null;
        return null;
    }

    // ...
}

public static final int a = 30; // starting at line 1164
public static final int b = 6;
public static final int c = 30;
public static final int d = 8;
public static final double e = 1.25D;
public static final int f = 1;
public static final boolean g = true;
public static String h = "Cannot connect to license server";
public static String i = "\n\nTogether will not start without a valid license key AND proper license\n"
    + "management configuration. If you do not yet have a license key, click\n"
    + "Get License to request an Evaluation key at the TogetherSoft website.\n\n"
    + "Please write togethersoft.com if you need further assistance.\n";
public static final int j = 1;
public static final int k = 2;
public static final int l = -1;
public static int m = -1;
public static boolean n = false;
public static boolean o = false;
public static String p = "flexlm.config";
public static final String q = "gubed.mlxelf";
public static final String r = "gubedlluf.mlxelf";
public static String s = "esnecil.dlo";
public static String t = null;
public static String u = " Together License Management";
public static String v = "oisoft/util/ui/plaf/windows/icons/Error.gif";
public static String w = "oisoft/util/ui/plaf/windows/icons/Question.gif";
public static int x = 0x13deeaac;
public static int y = 0xb0c8d383;
public static int z = 0xa2a1a978;
public static int aa = 0x10806c1;
public static int ab = 0x5d5e5687;
public static int ac = 0xbc9a61d6;
public static int ad = 0xa450a0eb;
public static int ae = 0xc420010c;
public static String af = "uphfuifs";
public String ag[] = {
"GpsJoufsobmVtf", "for internal use", "UphfuifsDpouspmDfoufs", "controlcenter", "UphfuifsXijufCpbse", "whiteboard", "UphfuifsFoufsqsjtf", "enterprise", "UphfuifsTpmp", "solo",
"UphfuifsDpnnvojuz", "community", "UphfuifsEfwfmpqfs", "developer"
};

// ...

========================================================

Solomon
May 12th, 2001, 07:49
Thx crkr!

I patched "zx.class" and bypassed the initial check, but after I changed the sys date to year 2002 it tried to connect to a license server, even if I patched
zah.a(int j, String s, String s1, int k, String s2).
Need further digging.

Thx again.

crkr
May 12th, 2001, 09:59
If you are familiar with FlexLM you should be able to build a valid license file using the information provided.

I am sure someone is releasing a ready made solution soon ...

Haldir
May 14th, 2001, 12:03
I recommend reversing the FlexLM server; well, it is 7.2d, but it's still easier than reversing the Java code.

poekie
June 11th, 2001, 08:37
I didn't succeed in breaking the protection this way... anyone else had any luck?

plastiko
October 8th, 2001, 05:33
I'm currently writing a diploma work about java applications and security, and one of my test-objects was together. you can use my findings to start this great development tool called together ... cheers, plastiko

WORK

flexlm.config:
flexlm.feature = TogetherControlCenterEval
flexlm.licensePath = eval_license.lic
flexlm.debug=gubed.mlxelf
flexlm.fulldebug=gubedlluf.mlxelf

NOTES:
1) last two lines only enable tracing information and are optional - tracing information is really useful for hacking
2) first line is not evaluated at all
3) second line is the name of the lic-file to use, most important entry

eval_license.lic:
FEATURE TogetherControlCenterEval together 5.5 permanent uncounted \
E6F3D618C7CF HOSTID=ANY

NOTES:
1) optimal values taken from src-code, correctness of feature important

additional directory
open "together.bat" and choose one of the directories before the misclib.zip file. mkdir "flexlm" and save the attached "license.class" into it.

RUNNING
.exe or .bat or anything you want.

TEST
- date set to 2002
- working with a big project
- changes to default and project configuration entries

... works fine!


ps: the values displayed in a previous post are not the content of the vendor-structure; these are the encrypted values of the vendor structure, so not usable with flex-tools

ps: this msg-board rules!
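
Added example, not part of the thread or any poster's code: the post above relies on a loose flexlm/license.class sitting in a directory that precedes the vendor archive on the classpath, so the JVM loads it first. From the defender's side, that shadowing can be detected by walking the classpath in order and flagging every class that appears in more than one entry. The function names, the "patches" directory and the file contents are constructed for illustration, and the classpath is assumed to be an ordered list of directories and zip/jar files.

```python
import hashlib
import os
import tempfile
import zipfile


def classes_in(entry):
    """Map class resource name -> SHA-256 for one classpath entry (dir or zip/jar)."""
    found = {}
    if os.path.isdir(entry):
        for root, _dirs, files in os.walk(entry):
            for name in files:
                if name.endswith(".class"):
                    path = os.path.join(root, name)
                    rel = os.path.relpath(path, entry).replace(os.sep, "/")
                    with open(path, "rb") as fh:
                        found[rel] = hashlib.sha256(fh.read()).hexdigest()
    elif zipfile.is_zipfile(entry):
        with zipfile.ZipFile(entry) as zf:
            for name in zf.namelist():
                if name.endswith(".class"):
                    found[name] = hashlib.sha256(zf.read(name)).hexdigest()
    return found


def find_shadowed(classpath):
    """Return (class, winning_entry, shadowed_entry, content_differs) tuples."""
    winner = {}    # class name -> (entry, digest) of the first occurrence
    findings = []
    for entry in classpath:    # the JVM takes the first entry that has the class
        for name, digest in sorted(classes_in(entry).items()):
            if name in winner:
                first_entry, first_digest = winner[name]
                findings.append((name, first_entry, entry, digest != first_digest))
            else:
                winner[name] = (entry, digest)
    return findings


def demo():
    """Constructed fixture: a loose directory placed ahead of misclib.zip."""
    tmp = tempfile.mkdtemp()
    loose = os.path.join(tmp, "patches")
    os.makedirs(os.path.join(loose, "flexlm"))
    with open(os.path.join(loose, "flexlm", "license.class"), "wb") as fh:
        fh.write(b"constructed replacement bytes")
    archive = os.path.join(tmp, "misclib.zip")
    with zipfile.ZipFile(archive, "w") as zf:
        zf.writestr("flexlm/license.class", b"constructed vendor bytes")
        zf.writestr("flexlm/other.class", b"constructed vendor bytes 2")
    return find_shadowed([loose, archive]), loose, archive
```

A finding whose last field is True means the copy that wins on the classpath differs from the archived one, which is the case worth investigating; signing or sealing the vendor archive addresses the same problem at load time.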

jomamameister
October 8th, 2001, 08:58
here are some updated links
windows
h**p://a1612.g.akamai.net/f/600/1325/9d/www.togethersoft.com/files/products/together/controlcenter/1534v3/windows/vm/together_1534v3.exe

hpux
h**p://a1612.g.akamai.net/f/600/1325/9d/www.togethersoft.com/files/products/together/controlcenter/1534v3/unix/others/together_1534v3_others.bin

solaris
h**p://a1612.g.akamai.net/f/600/1325/9d/www.togethersoft.com/files/products/together/controlcenter/1534v3/unix/solaris/together_1534v3_solaris.bin

linux
h**p://a1612.g.akamai.net/f/600/1325/9d/www.togethersoft.com/files/products/together/controlcenter/1534v3/unix/linux/together_1534v3_linux.bin

enjoy,
jomamameister

Unregistered
October 9th, 2001, 11:27
plastiko,
please realize that by disassembling and patching a few java apps you do *not* prove the insecurity of java per se. remember this when you write your diploma thesis :-)

any comments from more experienced authorities on this?

also realize that there is absolutely *no* need to patch anything here. a valid license file can be generated using the information provided by the disassembled file containing the encrypted seeds and by using your eyes and your brain, hehe.
just browse through the file, find some bit operations regarding the encrypted seeds that obviously do some encoding tricks, decode the encrypted values and feed those values into your beloved flextools and make your own license file.
yes, you *can* use the well known flextools :-)

i wonder why nobody has released a ready made solution yet. any comments from more experienced authorities on this?

as plastiko has pointed out, it is very important to keep the flexlm.config and license file concise.

open your eyes and your mind!

good luck,
crkr

plastiko
October 9th, 2001, 13:44
don't worry about my work, you don't know the content ...

ORIGINAL
int ar = 0x17deeaab;
int as = 0xb4c8d384;
int at = 0xa2a1a978;
int au = 0x1080480;
int av = 0x5d5e5687;
int aw = 0xfc9841d8;
int ax = 0xc07286a2;
int ay = 0xa0424122;

DECRYPTING
av = ~av;
aw++;
ax ^= at;
ay |= au;

TOSTRING
these are the values passed to the public license(vendor, d1, d2, k1, k2, k3, k4) constructor, from left to right:

together
17deeaab
-4b372c7c
-5d5e5688
-367be27
62d32fda
-5eb5ba5e

FINALLY
values printed with an Integer.toString(value, 16) after "decrypting". maybe someone would like to feed some tools and try to find out the seeds ... and finally build the correct and long awaited valid license key. I reached my "goal" after one hour and I stopped, cuz no time to invest in the study of this protection (out of scope). maybe later, if not too late ...

cheers, plastiko