Hello.

I have found the keys and all for generating licenses, but the software uses lc_set_attr to set a proprietary string in the vendor_string, which stops me from running the software. It goes something like this:

INCREMENT feature vendor 1.0 1-jan-00 1 CC4CF188435DE4BF334F \
VENDOR_STRING="some special string and numbers"\
ISSUED=22-jan-2001

I have found the part where lc_set_attr pushes 02D onto the stack for setting the LM_A_CHECKOUTFILTER.

Is it possible to set breakpoints somewhere to actually read the correct checkoutfilter, giving me the correct vendor_string?

/Sebbe_sabb

Since a pointer to the function is passed into lc_set_attr for LM_A_CHECKOUTFILTER, you can see where the function is by looking at the stack during that call to lc_set_attr.

Once you know the address, you can probably find out more by gnawing on the program with IDA. This is something that I haven't done much with though, but I remember seeing some essays on it on tsehp's site.

--nb

Hello Mr Blender,

I think there is an essay about a lm_a_checkoutfilter, where the target used lm_a_user_crypt, which returns the actual license-key. I think I understand that one, but since I dont have Softice, I cannot set a breakpoint on the actual dialogbox, which points out that local checkout-filter rejected the checkout. This dialogbox appear right after a lc_perror.

My old IDA begins to read the target, but doesnt read the lmgrxxx.dll because "it cannot be accepted ax lmgrxxx.dll " so the target gets disassembled without these imports. I have never encountered this error before.

I think I have seen some signatrues for flex floating around, but I cannot seem to remember where. Perhaps those helps?

/Sebbe sabb

Just a quick note... checkout filters and crypt filters are two different beasts. Crypt filters are rather nasty things that only work with the license string. Checkout filters I think can play with pretty much anything else in the license struct. Generally they're used to verify things like your VENDOR_STRING, etc. I would suggest just grabbing a copy of OllyDbg. It's a good little debugger for when you don't have Softice handy.
For your specific case, the address of the function is probably pushed as the parameter for lc_set_attr. Use IDA to run through all the references to that function and see where the value LM_A_CHECKOUTFILTER gets pushed. Chances are the parameter pushed before that is the address of your filter.

Also, maybe it's just me, but I've never had any luck using signatures for FlexLM. The subtle changes between minor versions (like 6.1f to 6.1g) will throw them off, so you can really only use them on a target of that exact version. I've just learned to use other tip offs to identify functions. There are nice strings and other good reference points all over inside the FlexLM code

n w32dasm, there is a passage like this:


:005874D4 8B15B4760F02 mov eax, eax, dword ptr [020F76B4]
:005874DA 6890785800 push 00587890
:005874DF 6A2D push 0000002D
:005874E1 52 push edx

* Reference to LMGR326B.lc_set_attr, Ord_003Dh
|
:005874E2 E8FB6C2800 Call 0080E1E2

02D in hex=45.
In lm_attr.h we see that lm_a_checkoutfilter also has this value.

from the manual:
status=lm_set_attr(job,key,(LM_a_val_type)value)

I get:
value=2D
key=00587890
job=dword ptr [020F76B4]

Since I am no programmer, I would like to know If I have understood this correctly.
1. is the push 00587890 a reference to a memory location? Should I go to 00587890? When I do, It does not make any sence however.
2. I must run the program and halt it via breakpoints to be able to see any values or are they there all the time?
3. An example of vendorstring is "fv every +3243549988". I think the numbers certify the feature "fv" with the option "every".

What is my next step?

I appreciate your help.

/Sebbe_Sabb

Ok - the job structure is probably in EDX when it gets pushed.
2D is indeed LM_A_CHECKOUTFILTER
587890 is certainly a good place to look for the checkout filter

At 00587890, w32dasm says:

[0058787C] - ff3744c6 .D7.
[00587880] - c35e5f00 ._^.
[00587884] - 90909090 ....
[00587888] - 90909090 ....
[0058788C] - 90909090 ....
[00587890] - 0814ec81 ....
[00587894] - 05c60000 ....
[00587898] - 01cc92e8 ....
[0058789C] - 8b575600 .VW.
[005878A0] - 082024bc .$ .
[005878A4] - ff850000 ....

I dont understand this.
I give up. It takes a programmer to defeat this one.

The seeds were easy, just bp at lc_init in the actual programfile.

Another question for you guys:

When it comes to the daemon (in this case), there are no actual calls to the lmgrdxxx.dll any more (v6.1). Are there any other ASCII-strings to look for which points me to the vendor-key structure?


/Sebbe_Sabb

You might want to try disasssembling from where the supplied
address is. . .


Perhaps you can share with us the name of the program, or where to get it too.

Thanks.


--nb.

Hello again.

The target is a post-processor for CFD called FieldView. It is however not downloadable from their website, which you guys will find through a search on the net.
The target is 9.5 Mb large, and I dont have a site to put it up on.
I think it is the target who wants the checkout-filter, since the supplied daemon starts with the seeds I found, so you wont succeed with the daemon only.

I appreciate your help, but since the software is not very exciting (I am no CFD-guy) I think I let it drop.

/Sebbe_Sabb