HappyWolf
March 23rd, 2001, 09:12
Inspired by these articles on Zencrack2.cjb.net, I want to crack
Flexlm 6.1 on Solaris. But after two weeks' hard work, I gained
nothing but the two encrypted seeds and the five vendor keys.
My target is SUN C++ Workshop 5.0, whose license is administered
by Flexlm 6.1. I don't have the Flexlm 6.1 SDK on Solaris, but I have it
on Windows. I want to get the license for Sun Workshop 5.0 with
the Flexlm SDK 6.1 on Windows. My steps are as follows:
1) I found two files located in /etc/opt/licenses whose
names are "lmgrd.ste" and "sunwlicd" respectively. From the
license.dat, I think sunwlicd is the vendor daemon and lmgrd
is the license daemon. I debugged sunwlicd with the adb debugger.
As a result, I couldn't find the lc_init and lc_checkout symbols which
were used to get the vendor string, the two encrypted seeds and the
four vendor keys on Windows in the past. At last, I had to debug
lmgrd.ste with adb. I found the above two symbols. With the help of Pilgrim's
essay, I found the vendor string called "lmgrd". I was confused
why the two symbols appear in the license daemon. What's more, I think
the vendor string should be "sunwlicd", but I found there wasn't "sunwlicd"
but "lmgrd" in lc_init's argument list.
2) From Vyacheslav's essay, I tried to find the following snippet:
ld [%fp - 60], %o0
sethi %hi(0x9e000), %o1
or %o1, 0x244, %o1 ! vendorkeys
call
nop
st %o0, [%fp - 52]
ld [%fp - 48], %i2
ld [%i2 + 4], %i3
ld [%fp - 52], %i4
xor %i3, %i4, %i5
st %i5, [%fp - 40]
ld [%fp - 48], %o0
ld [%o0 + 8], %o1
ld [%fp - 52], %o2
xor %o1, %o2, %o3
st %o3, [%fp - 36]
But I failed. So I tried another way to get the two unencrypted seeds and key5.
Firstly, according to Dan's essay, I think the calling sequence in lc_new_job() is
lc_new_job {
call lm_new.unpackage(vname,&vc) (unpackage vendorcode,vendor name)
call lm_new.unpackage(0,0)
call lc_init {
...
call l_sg (alt seed flag not set - return old style vc.d^vk5)
compare seeds to default 12345678 and 87654321
...
}
set alt seed flag
}
and the calling sequence in lc_checkout() is
lc_checkout {
...
good_lic_key {
...
l_sg {
alt seed flag set so,
lm_new.decrypt(job,name,vc) (decrypt and RANDOMIZE!!)
}
extract_date
l_ckout_crypt / -8 test
...
}
...
}
So I set breakpoints on lc_init(), l_sg() and lc_checkout() in the lmgrd.ste file. I was very
surprised that the program didn't stop at lc_checkout and exited directly after l_sg().
If lc_checkout wasn't executed, where is it determined whether the license is right or not?
Of course I hadn't got the two unencrypted seeds and key5 using Dan's methods. Could you
indicate where to find them? Thanks in advance.
3) At last, I used the flextool called lmrecode.exe and the two encrypted seeds and the four
vendor keys which I found at the lc_init breakpoint to get the two unencrypted seeds and key5. Then
I modified lm_code.h on Windows and compiled it to get lmcrypt.exe. I used lmcrypt.exe and
the demo license to get license.dat. The result isn't right. I can't explain this case. Could you
give me some advice?
Regards,
Tony