
View Full Version : Something about Flexlm


oyang2002
May 31st, 2002, 05:56
I was studying a target protected by Flexlm 7.2 some time ago; here is something interesting.

1. In _l_ckout_string_key, you can sniff the real license keys
(just as indicated by a newly posted paper on woodmann's
website). And you can sniff the real encryption seed1 and seed2
here too, so vendor key5 can be got too.

2. There is a pointer at offset 6C of a job structure,
and *pointer[1D8] holds a dword standing for the type of
license key:
289BEB8A: long key including start date (20 digits)
66D8B337: short key (12 digits)
The Flexlm documentation said there was a key which is 16 digits
long; I haven't seen that :-(

3. For a long key, digits No. 2, 4, 6 and 8 stand for the start date;
I don't know how it was calculated :-(

4. Flexlm will complain if you set back your system clock. How can
it? It checks the time stamps of some files in specified directories
such as the Windows system dir, the installation dir of your target,
and the root dir of the drive where your target resides.
I forgot the details, so just trace _l_bad_date and everything will be
clear! You can write a program to correct it.

5. When your license is bound to a dongle, e.g.
HOSTID=FlexID=6-12345678

'6' above stands for the dongle vendor (Rainbow) IMO ;-) What is
that '12345678'? For SentinelSuperPro, it is a combination of
DeveloperID (Cell 1) and dongle SerialNumber (Cell 0); the Flexlm
guys didn't use the dongle's advanced functions at all!


Here are my questions:

1. When I read lmcodes.h from the SDK, I found encryption seed3
and seed4. What are they? I can't find where they are used in
the documentation.

2. I downloaded FlexLM 8.0C from CrackZ's archive, but I have nothing
protected with that, so I have no vendor keys.
Who can give me some clues?
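Item 4 of the post describes the clock-setback check: any file on disk whose modification time is later than the current clock betrays a clock that has been wound back past the moment that file was written. The code below is an added example, not code from the post, from FlexLM or from _l_bad_date; it implements that generic detection over a caller-supplied list of directories and the "program to correct it" the post mentions, which pulls offending timestamps back to the present. The directory list, the tolerance value, the non-recursive default and the temp-directory demo are assumptions made for illustration.

```python
import os
import shutil
import tempfile
import time
from pathlib import Path
from typing import Iterable, List, Optional, Tuple


def find_future_files(dirs: Iterable[str],
                      now: Optional[float] = None,
                      tolerance_s: int = 60,
                      recursive: bool = False) -> List[Tuple[str, float]]:
    """Return (path, mtime) for every regular file whose modification time
    is later than `now` plus a small tolerance.

    A file cannot legitimately be written in the future, so a single hit
    is enough evidence that the system clock was set back. `dirs` would
    be the kind of locations the post names (system dir, install dir,
    drive root); this example takes them as a parameter (assumption)."""
    now = time.time() if now is None else now
    hits: List[Tuple[str, float]] = []
    for d in dirs:
        base = Path(d)
        if not base.is_dir():
            continue  # skip missing directories quietly, as a real check would
        candidates = base.rglob("*") if recursive else base.iterdir()
        for p in candidates:
            try:
                if not p.is_file():
                    continue
                mtime = p.stat().st_mtime
            except OSError:
                continue  # unreadable entries are not evidence either way
            if mtime > now + tolerance_s:
                hits.append((str(p), mtime))
    return hits


def pull_back_timestamps(hits: Iterable[Tuple[str, float]],
                         now: Optional[float] = None) -> int:
    """Rewrite each future mtime to `now` (atime is preserved) so that the
    check above no longer fires. Returns the number of files corrected."""
    now = time.time() if now is None else now
    fixed = 0
    for path, _ in hits:
        try:
            st = os.stat(path)
            os.utime(path, (st.st_atime, now))
            fixed += 1
        except OSError:
            pass  # e.g. read-only file; leave it and report fewer fixes
    return fixed


def demo() -> dict:
    """Constructed scenario (not real target data): one normal file and one
    file stamped one day in the future, as it would look after the clock
    was set back a day. Returns what the detector saw before and after
    the correction."""
    root = tempfile.mkdtemp(prefix="flexlm_clock_")
    try:
        now = time.time()
        ok = Path(root) / "ok.txt"
        ok.write_text("written at the true time\n")
        os.utime(ok, (now, now))
        future = Path(root) / "future.txt"
        future.write_text("written before the clock was set back\n")
        os.utime(future, (now, now + 86400))  # mtime = now + 1 day

        before = find_future_files([root], now=now)
        fixed = pull_back_timestamps(before, now=now)
        after = find_future_files([root], now=now)
        return {
            "before": sorted(Path(p).name for p, _ in before),
            "fixed": fixed,
            "after": sorted(Path(p).name for p, _ in after),
        }
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    print(demo())
```

The tolerance absorbs ordinary clock skew between machines and filesystems; set it too low and network-mounted directories produce false alarms, set it too high and a small setback goes unnoticed. Note that correcting timestamps only silences this one check; a real license manager may keep other evidence of the true date, so treat the detector as an illustration of the technique rather than a complete bypass.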