I'm stuck with flexlm 6.1


kade
February 27th, 2002, 19:27
Hi,

My target uses flexlm 6.1f. I identified lc_init, lc_checkout and I got the vendor keys and the seeds, at least I thought I did. After xoring the seeds with key 5 my flexlm sdk 6.1 did not generate a valid license.

The target does not use the DLLs of flexlm, it uses the libs. It does not use its own crypt routine because there are no calls to lc_set_attr with the parameter 0Fh.

I don't know how to proceed from here. Maybe I extracted my seeds wrong but I don't think so.

I read something about lc_new_job and lc_sg but I cannot find those functions in the flexlm sdk 6.1. Does anyone know where they are located?

kade
February 27th, 2002, 20:53
Ok,

I just found the l_sg and l_key functions, they were defined by Dan's paper, they are not defined by flexlm itself.

I'll try this way.

cqfan
February 28th, 2002, 02:51
such as _l_sg and _l_key
are called and the lib information is stripped out from the exe.

so use IDA and flex .sig to locate a function

kade
February 28th, 2002, 07:22
How come I cannot find the names l_sg and l_key in the flexlm sdk 6.1 for windows? Are they also stripped out by flexlm?

I also tried making a sig file with the flair tools but I could not get the sigs to work, I have to try again. It seems that only the main functions are identified by the sig and not the ones I named by myself in IDA.

roli_bark
May 5th, 2002, 20:44
Look for MANY subsequent calls to "_time". The start of that routine is "_l_sg". Then follow Dan's essay....

Kythen
May 6th, 2002, 06:18
No, the function that contains all those calls to _time is actually l_n36_buff. In an app that uses lc_new_job, that is where you will find your seeds. l_sg is the function called from lc_init just before the check to see if the seeds are the default ones given in a demo sdk (87654321 & 12345678). l_n36_buff and l_key are called inside l_sg. Read Dan's essay and especially nolan blender's essay for how to work with lc_new_job targets.

l_key, l_sg, and a number of other functions are internal to flexlm, hence you won't find them in the docs or source at all, only the libs.

And I have found sigs rarely work on flexlm. There are always a number of builds for any given version, and functions may change just enough that IDA can't detect them with whatever sig you may have. There are better methods to identify functions that will always work without much effort. Look into the data reference to lc_init and you'll see what I mean.

nblender
May 7th, 2002, 04:43
Quote:
Originally posted by Kythen
l_key, l_sg, and a number of other functions are internal to flexlm, hence you won't find them in the docs or source at all, only the libs.

And I have found sigs rarely work on flexlm. There are always a number of builds for any given version, and functions may change just enough that IDA can't detect them with whatever sig you may have. There are better methods to identify functions that will always work without much effort. Look into the data reference to lc_init and you'll see what I mean.


Yes, you've got a good point - I've had pretty good luck with signatures for some routines, but others seem to change much more from version to version.

For the original poster, you can make DIY signatures if you have the flair381 kit for IDA - run pcf then sigmake on lmgr.lib, you may have to fix some exceptions though.

--nb

allex02
June 9th, 2002, 14:55
Hello NB:

Can you give me a copy of flair381 kit for IDA?
Thanks first.

allex02@163.com

rack
June 9th, 2002, 18:11
In hxxp://www.anticrack.de - Downloads/Tools section (you must register for downloads)

allex02
June 11th, 2002, 09:29
Thanks, I got it.

password
June 14th, 2002, 18:01
I have the .sig and .nms files if you still need them

allex02
July 7th, 2002, 18:15
Thanks for all above.
Also, I have not found the version 6.1f flexlm SDK. I tried to search for it using Google, but I got nothing.

What's the difference between 6.1f and 6.1g?



Thanks first.
allex