Question about extracting seeds (FlexLM)


tomee
October 7th, 2006, 08:19
Hi,

I am trying to RevEng a program that comes as Win32 and Linux binaries. It is protected with FlexLM v9.2.0 (at least lmutil says so).
First, I compiled the Linux lmgr.a and plugged the library and the ELF binary into IDA 5, but the signature associations generated by FLIRT were very poor with no key functions included.

So I switched to the Win32 binary, examined the code carefully and located what I suppose are: l_sg, l_good_lic_key, lm_start_real, l_checkout and lm_checkout.
I prepared a fake license (with a 12-char sign, though the original program uses 30-char signatures OR 12-char signatures from a parent bundle license). The binary fails with an inconsistent license error (-8), so far so good.
Then I loaded the binary into OllyDbg and set a bpx at 0x005FB118 (presumed l_sg). The break hits, and I see that argument 2 gets decoded to the ASCII vendor name which I knew from a valid license. However, the other two arguments, which are supposed to hold the vendorcode and job structures, are more confusing to me. Specifically, I don't know how to extract the data from there. These are pointers, and I dunno how to set a correct memory watchpoint to trace the injection of the correct seeds.

I am a newbie when it comes to Windows debuggers; the setup I am used to is gdb with debugging symbols intact.

h27
October 7th, 2006, 12:17
Hi,
just find l_n36_buff (in l_sg), read lm_seeds and lm_keys, and use lmv8gen to find the correct keys and seeds.
Regards

tomee
October 7th, 2006, 14:50
I found only one call instruction in my presumed l_sg; it's a call through a pointer. Is that correct, i.e. is that how l_n36_buff gets called?
Also, do you know where to look for the declaration of l_n36_buff? From what I understood it's generated dynamically; in Linux I would try grepping, but Windows' CMD.exe is a bit uncomfortable to use...

tomee
October 8th, 2006, 09:20
I found a new function with lots and lots of references to time() (I don't remember if I labeled it as l_sg or n36_buff, it was past midnight), but the traced job structure looked strange (the value at job+c (IIRC) was a pointer to a function, and job+10 was just 00110000). Plugging the values derived from vendorcode+4, +8 and job into calcseed.exe produced a rejected license.

However, I managed to patch lc_checkout as a quick replacement for the licenses, and the program initializes. But I wanted to fully reverse FlexLM.

h27
October 8th, 2006, 12:56
Hi,
I think that l_n36_buff is all you need:
vendor(daemon) name
Captured Seed1
Captured Seed2
Captured VendorKey1
Captured VendorKey2
Captured VendorKey3
Captured VendorKey4
Captured UniQ Key
Captured Order[0]
Captured Order[1]
Captured Order[2]
Captured Order[3]

and lmv8gen.exe, and you don't need job.
It is easier than job and calcseed.exe.
Regards

tomee
October 8th, 2006, 15:23
Hi, thanks for help.
Should I note these values before or after tracing over n36_buff?

h27
October 9th, 2006, 00:18
Hi,
just before the call to l_n36_buff.
But you must find the UniQ Key or X at the start of it and the Captured Orders at the end of it.
Regards