take back on flexlm
pipofrfr
December 15th, 2002, 01:23
yup everybody,
so take back on flexlm,...???
i've a big problem...
i've got the l_sg, because of the flair,..., i've got all of them in fact...but, where to find the vendor id, where to find the seeds...is it a joke...i've read all your papers, but, none of them gave me the solution...
it's only a flex v7.0D...flexgen or efalicgen, i don't want them, i only want to reproduce the results...and to crack my target, of course...but:
first:
between, wdasm and ida, there is a gap...
second:
your tut only told me where to break, but what about the real basics...
it's true that it's not for beginners, but, for three years i've known the word flex...i've read them, read again and again...
say it slowly...bpx on "something", in order to find the vendor, next step, bpx on l_sg, in order to find the call which calls the good_lic_key...or something else,..., i need help...
i need help again...
i need help again...
so, it's required...help me please...i can do many things, build a sdk, a map, a nms (i'm not too stupid, i think, i hope), although i'm only a "pseudo" student in mathematical modeling...
i don't want the solution, i only want some help...
Woodmann
December 15th, 2002, 01:44
Howdy,
Have you looked at Dan's essay on the CrackZ site?
search for danflex.htm.
Later, Woodmann
CrackZ
December 15th, 2002, 12:04
Hiya,
I'm going to be a bit terse here.
If you've found l_sg(), you've got all the information you need.
The vendor structure (contains vendor keys) and vendor name are all passed to the seed hiding function; all that remains is for you to dig them out with a debugger, unless of course your target is doing something fancy (which it sounds like it isn't). Either way, you dig the point.
I'm sorry to say I just don't believe you've really done the required research, but hey ;-), correct me if I'm wrong or post exactly what you can't dig out and I'll try and help from there, try to include code snippets.
Regards
CrackZ (cranky old bastard).
Nobody
December 16th, 2002, 03:29
You can use the new flowchart feature in IDA to view the global structure first, then dive into the detail step by step.
Like the following picture shows the l_sg flow..
pipofrfr
December 17th, 2002, 22:20
yup,
and if it's a dll and not the exe that incorporated the flex code, we don't care...???....
pipofrfr
December 20th, 2002, 11:27
yup everybody,
i need you again...
in fact, it's flexlm v7.0d, with sign=ten characters...(strange for me)
if i understand well, this means that there are cro keys...but, looking in the corresponding sdk, i don't find any reference to them...so, i can't give it to him...
any help will be nice...
SeanC
December 23rd, 2002, 10:17
For cro, it's very hard.
Look into lmrand2.obj, libcrvs.lib, libsb.lib, and search Certicom's website for the ECC stuff (sect113r1 should be simpler).
Finally, bruteforce it.
But the newest version is v8.3b, don't waste time on the old version.
SeanC
padspcb
January 15th, 2003, 04:34
Hi friends
>in fact, it's flexlm v7.0d, with sign=ten characters
seems this is no cro, just default strength, so all techniques apply.
As everybody says, bp on l_sg......, but what the heck is l_sg??
l_sg is obviously lm_new.c, so you've got even the source code!!!
What does it do anyway? Well, on crypting, time info was included in the keys,
and it must be taken off. l_sg has a UNIQUE seed and time calls,
then it mounts 4 dwords on the current job's first dword and xors the keys.
After that it changes the ORDER of the keys, so they can be any
combination 0123, 1032, 3021 etc...
My recode takes vendor, keys, order and unique to get seeds 1 & 2.
If you need, send me email/pm
Now cro, there are some methods, but basically you need to build the target with the sdk.
Unfortunately we don't have the lmnewgen.c, BUT we have the object file with debug info.
Change your makefile to add /DEBUG to the LD variable
Build a target with faked seeds 3 & 4
Generate asm from lmnewgen.exe and you will understand what has to be done.
It generates the pri and pub keys (the headers).
Well, after it copies the expanded seeds 3 & 4 to memory, it starts making the keys. Pri first, then pub.
You must now compare the generated one with the pub in the daemon/sw.
If they don't match, change values and do it again.
There is some math before, but the important thing is to get the concept.
For an old 8.1 target it can take up to 2 days.
But all vendors have received the update to 8.3 for FREE, so don't bother wasting your time on this.
The method for 8.3 is exactly the same, the only trouble is that now we have 3 seeds! so it can take you 2^32 DAYS to get them....
Also the routines are really time consuming, some 100ms per loop:
_sb_initialize
_sb_sha1Begin
_sb_sha1Hash
_sb_ecdsaSignBegin
_sb_sha1End
_sb_fipsRngOptionalInput
_sb_ecdsaSign
_sb_ecdsaSignEnd
So good luck
PS
How secure is this board anyway??
Don't you think more detailed talk should be in private??
All this cro stuff started due to essays like Dan's...