
How to crack ansys6.0 for windowsNT/2000?


glopen
March 26th, 2002, 13:52
When cracking the ansys6.0 protected by FLEXlm 7.2f, I met a strange thing. After reading Nolan Blender's essay "Zendenc FLEXlm 7.2 cracking information", I succeeded in finding the right seed1 and seed2. I still cannot generate the right license.dat for ansys6.0. WHY? I found that lc_set_attr was called with the parameters 38, 4a, 2d, 4c. Here is the partial disassembly result:


_text:004081CD sbb eax, eax
_text:004081CF sbb eax, 0FFFFFFFFh
_text:004081D2
_text:004081D2 loc_0_4081D2: ; CODE XREF: sub_0_407B20+6ABj
_text:004081D2 test eax, eax
_text:004081D4 jz short loc_0_4081F0
_text:004081D6 lea eax, [ebp+var_1668]
_text:004081DC push eax
_text:004081DD push 38h
_text:004081DF mov ecx, [ebp+var_168C]
_text:004081E5 push ecx
_text:004081E6 call _lc_set_attr
_text:004081EB add esp, 0Ch
_text:004081EE jmp short loc_0_4081F6
_text:004081F0 ; ----------------------------------------------------------------------
_text:004081F0
_text:004081F0 loc_0_4081F0: ; CODE XREF: sub_0_407B20+6B4j
_text:004081F0 mov eax, [ebp+var_17CC]
_text:004081F6
_text:004081F6 loc_0_4081F6: ; CODE XREF: sub_0_407B20+6CEj
_text:004081F6 test eax, eax
_text:004081F8 jnz loc_0_408349
_text:004081FE push offset loc_0_411F50
_text:00408203 push 4Ah
_text:00408205 mov edx, [ebp+var_168C]
_text:0040820B push edx
_text:0040820C call _lc_set_attr
_text:00408211 push offset sub_0_407890
_text:00408216 push 2Dh
_text:00408218 mov eax, [ebp+var_168C]
_text:0040821E push eax
_text:0040821F call _lc_set_attr
_text:00408224 push 0
_text:00408226 push 4Ch
_text:00408228 mov ecx, [ebp+var_168C]
_text:0040822E push ecx
_text:0040822F call _lc_set_attr
_text:00408234 add esp, 24h
_text:00408237 mov [ebp+var_4], 0
_text:0040823E mov eax, dword_0_4731D0
_text:00408243 test eax, eax
_text:00408245 mov esi, [ebp+arg_0]
_text:00408248 jz short loc_0_408261
_text:0040824A mov edx, dword_0_4680C4[esi*4]
_text:00408251 push edx
_text:00408252 lea eax, [ebp+var_174C]
_text:00408258 push eax
_text:00408259 call sub_0_407720
_text:0040825E add esp, 8
_text:00408261
_text:00408261 loc_0_408261: ; CODE XREF: sub_0_407B20+728j
After I got the seeds and keys, I generated the license.dat. But the key is wrong. Could you give me some hints?

MTB
March 29th, 2002, 01:20
Hiya glopen

Why not attack the dongle interface? It is a lot easier in my newbie opinion.

MTB

glopen
March 29th, 2002, 01:57
I'm interested in the cracking of FLEXLM!

nblender
March 29th, 2002, 21:44
0x38 = LM_A_LICENSE_DEFAULT
0x4A = LM_A_USER_CRYPT_FILTER
0x2D = LM_A_CHECKOUTFILTER
0x4C = LM_A_CKOUT_INSTALL_LIC


Clearly there's more stuff than just the seeds you need to find
here - try and reverse the crypt filter, and also look at the
checkout filter and see what it's doing.

r00t
April 4th, 2002, 05:28
Where can I find Nolan's essay?

Thanks.

DakienDX
April 4th, 2002, 16:23
Hello r00t!

You can find Nolan Blender's essay in CrackZ's archive.

Did you notice the difference between "Nolan Blender" and "nblender"? Yes, none.

Actlon
April 8th, 2002, 22:55
One thing to try is rather than try to crack the installed target, try cracking the installer - usually the FlexLM license files aren't made until they are actually installed onto the user's machine.

I had some success using this approach with MatLab R12 - I don't know if this is true for Ansys, but in MatLab there is a flag mechanism that determines if a dongle is required, if it is an educational version & if it is a demo version. It is possible to turn all these flags off in the installer & the installed version of MatLab will run without a dongle or being cracked. Generally with FlexLM the install program makes the license file with a whole load of FEATURE or INCREMENT lines & fills in the checksum as 0, then [I think] the FlexLM library opens the file & fills in the checksums for the installer [given appropriate seeds & data, which should be in the installer anyhow]. Personally I find this a neater & easier way to go if it's possible.