View Full Version : FlexLM SDK 7.2


PadsPCB
February 16th, 2001, 05:02
Hi Everybody !

Now we have a lot to do, RSA is also included.
But generally it's difficult to get the SDK since
Globetrotter has taken it from their FTP.
Some tools may be found at __CrackZ place:
h**p://zencrack2.cjb.net/
He has already updated to 7.2, let the games begin.
I have made a public MySpace Folder just for sharing
all FlexLM stuff. You may find the 7.2 SDK there, also
FlexGen 2003 with source code (VB).
Please have a look:
h**p://www.myspace.com/Folders/1773963/
Password: freecad
You can also upload, if you think it's worth it.
Best Regards

PadsPCB

Nolan Blender
February 20th, 2001, 12:55
/* Version 7 keys */
#define VENDOR_KEY1 0xaa3b525b
#define VENDOR_KEY2 0x1d751d8a
#define VENDOR_KEY3 0x868b0015
#define VENDOR_KEY4 0x0ee5a4d2
#define VENDOR_KEY5 0x7041ae99
#define CRO_KEY1 0xae1b5053
#define CRO_KEY2 0x5b577f0c

#define VENDOR_NAME "blenderd"

Have fun.

xx
February 21st, 2001, 07:47
Thank you Nolan!

Are you ready to share some new insights ;->

x

nblender
February 21st, 2001, 11:00
I have done some minor research on the latest version of FLEXlm,
but not as much as is required to really figure it out, as I have
real life events which preclude my spending time on this project.

As far as I can tell, if you use the "standard" version of FLEXlm
only encryption seeds 1 and 2 are used to generate the licenses -
changing the values of encryption seeds 3 and 4 do not appear to
affect the standard key values. Encryption seeds 3 and 4 appear to
be used to generate the public and private keys which are passed into
the Security Builder routines which the new FLEXlm is linked against.

I have only examined one target using the "new" flexlm, but it used
the default security mode rather than the counterfeit resistant option
mode. It appears as though CRO must be purchased separately.
Globetrotter has improved the seed hiding, so it is no longer possible
to get the seeds out simply by passing a null pointer to the job
structure into the lm_new routines. This is an improvement over the
previous version, which should never have had that security hole coded
into it in the first place.

The CRO appears to be enabled on a per platform basis by individual
bits turned on in the decoded CRO_KEY1 and CRO_KEY2.

PadsPCB
February 21st, 2001, 12:52
Hi Everybody !
Thanks for your interest Nolan!
First: You're right! Seeds 1 & 2 are used in the old ways, to generate the encrypted code. As this is still a version 7, it uses the old glseed = 0x788f71d2. SIGN= is encrypted altogether as an ISSUER or other string. Checksums work the same.
Second: Seeds 3 & 4 are used to scramble the SIGN, and probably scramble also the feature and the version number.
In a sample dump from lmcrypt we have:
: on entry eax, some value. Normally enters with 0 (old seed)
: so calculations result in 0x788F71D2 ...
:00428253 neg eax ;glseed=0x00000000, CFLAG=1
:00428255 sbb eax, eax ;glseed=0xFFFFFFFF
:00428257 and eax, D0E83B58 ; glseed=0xD0E83B58
:0042825C add eax, 788F71D2 ; glseed=0x4977ad2a
So it may use this new seed to make SIGN!

I've seen in Tranlogic's HDL Entry that the software passes, along with the feature request, the value of the Prime(Q) and the Modulus(N), so it is easy to get the Private Exp(D). See the dump:
0x00DC4F30 d8 94 a7 00 00 00 97 00 cc 7d e0 00 10 9f a7 00 .........}......
0x00DC4F40 c4 94 a7 00 a7 5f 5e 00 28 fe a7 00 00 00 00 00 ....._^.(.......
0x00DC4F50 30 32 43 56 00 00 00 00 00 00 00 00 00 00 00 00 02CV............
0x00DC5010 dc 05 ca 00 0c 60 dc 00 42 32 46 36 31 45 42 38 .....`..B2F61EB8
0x00DC5020 37 45 30 45 00 00 00 00 20 00 00 00 21 00 00 00 7E0E.... ...!...
0x00DC5030 39 43 35 41 41 33 38 33 45 45 38 45 38 43 45 41 9C5AA383EE8E8CEA
0x00DC5040 43 39 37 36 00 00 00 00 00 00 00 00 00 00 00 00 C976............
So, using the RSA tool from TMG we have:
Prime(P) B2F61EB87E0E
Modulus(N): 9C5AA383EE8E8CEAC976
Private Exp(D): 447F09756FD7C51D191EEC828BDB678F

After getting Seeds 3 & 4 it should be easy to make lmcrypt using this key.
Let's find how SIGN is encrypted.

Ah! And hope we can get a new LmRecode, with GUI now?

Best Regards

Pads

Nolan Blender
February 21st, 2001, 19:45
Well, seeds 3 and 4 shouldn't be available in a correct public
key implementation. I haven't examined it that closely, but
I have a hard time believing that Globetrotter would be so
stupid as to do that.

Examination of lmrand2.obj has revealed some interesting things.

I might do GUI based versions of the FLEX tools, but they are
used so seldom that the DOS versions seem good enough.

nblender
June 21st, 2002, 03:35
Yes, it's possible that the seeds 3 and 4 may be derived from
the daemon in version 7.2 flexlm. lmrecode and lmvkey are no
longer publicly supported, although I'm sure it would be not much
work to make them work for later versions.

tom_324
June 21st, 2002, 09:04
Quote:
Originally posted by nblender
lmrecode and lmvkey are no
longer publicly supported, although I'm sure it would be not much
work to make them work for later versions.


Two new constants for vendor keys generation and different ctlarr[0] and [1] in nbl_crogen routine for v8.1. That is all.

Tom

FoxB
June 21st, 2002, 11:24
Deleted

tom_324
June 21st, 2002, 11:39
Quote:
Originally posted by FoxB
This constant var1 = **** and var2 = *****


Whoever can't find those values by himself will not make any progress in cracking Flex*LM. I suggest deleting them ...

Tom

CPCP
June 23rd, 2002, 19:50
.

tom_324
June 24th, 2002, 09:12
SeanC,

I do not think your question was stupid. I just want to prevent GT from learning too much from this MB.


roil, CPCP and others : let's switch to e-mail messages.

Tom

FoxB
June 24th, 2002, 09:17
Deleted

yorkiny
August 28th, 2002, 10:48
Is anyone forwarding to me? Thanks, yorkiny@163.net

whyIII
August 9th, 2003, 08:20
How about me? whyIII@hotmail.com

dELTA
August 10th, 2003, 14:31
How about... checking the date on posts before replying to them?


dELTA

squidge
August 10th, 2003, 18:43
LOL, I suppose a year late is better than never at all tho'

Still, if anyone wants the SDK, head over to crackz....