tomee
October 7th, 2006, 08:19
Hi,
I am trying to RevEng a program that comes as Win32 and Linux binaries. It is protected with FlexLM v9.2.0 (at least lmutil says so).
First, I compiled the Linux lmgr.a and plugged the library and the ELF binary into IDA 5, but the signature associations generated by FLIRT were very poor with no key functions included.
So I switched to the Win32 binary, examined the code carefully and located what I suppose are: l_sg, l_good_lic_key, lm_start_real, l_checkout and lm_checkout.
I prepared a fake license (with a 12-char sign, though the original program uses 30-char signatures OR 12-char signatures from a parent bundle license). The binary fails with an inconsistent license error (-8), so far so good.
Then I loaded the binary into OllyDbg and set a bpx at 0x005FB118 (presumed l_sg). The break hits, and I see that argument 2 gets decoded to the ASCII vendor name, which I knew from a valid license. However, the other two arguments, which are supposed to hold the vendorcode and job structures, are more confusing to me. Specifically, I don't know how to extract the data from there. These are pointers, and I don't know how to set a correct memory watchpoint to trace the injection of correct seeds.
I am a newbie when it comes to Windows debuggers; the set I am used to is gdb with debugging symbols intact.
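Added example, not part of tomee's post: a gdb Python script for the Linux build that shows the pattern the question asks about. It breaks at a candidate for l_sg, reads the three cdecl stack arguments at function entry, dumps the memory the pointers lead to, and arms hardware write watchpoints on the first dwords of the structure reached through the third argument, so the debugger stops at the code that fills it in. The breakpoint address (L_SG_ADDR), the argument order (job, vendor name, vendorcode) and the number of dwords watched are assumptions; take the real values from your own disassembly. The OllyDbg equivalent is the same sequence done by hand: follow the pointer into the dump window and set a hardware breakpoint on write there.

```python
"""
gdb Python script (added example, not from the original post):
decode the cdecl arguments of a function and watch the struct
behind one of them for writes.

Usage (addresses are assumptions, take them from your own disassembly):
    gdb -q ./program -ex 'source trace_l_sg.py' -ex run
"""
import struct

# Assumed address of the l_sg candidate in the Linux build (not from the post).
L_SG_ADDR = 0x08075B40
PTR_SIZE = 4          # 32-bit x86 target
DUMP_LEN = 32         # bytes of the pointed-to struct to show
NWATCH = 2            # dwords to watch; x86 has only 4 debug registers in total


def read_cdecl_args(stack_bytes, nargs):
    """Decode cdecl arguments from raw stack memory captured at function entry.

    stack_bytes starts at ESP: [return address][arg1][arg2][arg3]...
    Returns a list of nargs unsigned 32-bit little-endian values.
    """
    need = PTR_SIZE * (nargs + 1)
    if len(stack_bytes) < need:
        raise ValueError("not enough stack bytes for %d args" % nargs)
    words = struct.unpack("<%dI" % (nargs + 1), stack_bytes[:need])
    return list(words[1:])  # drop the return address


def hexdump(data, base=0):
    """Return a hexdump string for data, 16 bytes per line, offsets from base."""
    lines = []
    for off in range(0, len(data), 16):
        chunk = data[off:off + 16]
        hexpart = " ".join("%02x" % b for b in chunk)
        asc = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append("%08x  %-47s  %s" % (base + off, hexpart, asc))
    return "\n".join(lines)


def c_string(data):
    """Return the NUL-terminated string at the start of data (for the vendor name)."""
    end = data.find(b"\x00")
    return (data if end < 0 else data[:end]).decode("latin-1")


try:
    import gdb  # only available when the script runs inside gdb

    class LSgBreakpoint(gdb.Breakpoint):
        """Stops at l_sg, decodes its arguments and arms write watchpoints."""

        def __init__(self):
            super().__init__("*0x%x" % L_SG_ADDR, gdb.BP_BREAKPOINT)
            self.armed = False

        def stop(self):
            inf = gdb.selected_inferior()
            esp = int(gdb.parse_and_eval("$esp"))
            stack = bytes(inf.read_memory(esp, PTR_SIZE * 4))
            # Assumed order: arg1 = job, arg2 = vendor name, arg3 = vendorcode.
            job, vendor, vendorcode = read_cdecl_args(stack, 3)
            print("l_sg(job=0x%x, vendor=0x%x, vendorcode=0x%x)"
                  % (job, vendor, vendorcode))
            print("vendor name:", c_string(bytes(inf.read_memory(vendor, 64))))
            print(hexdump(bytes(inf.read_memory(vendorcode, DUMP_LEN)), vendorcode))
            if not self.armed:
                # One 4-byte hardware watchpoint per dword: gdb stops on any
                # write into these words and shows the writing instruction.
                for i in range(NWATCH):
                    gdb.Breakpoint("*(unsigned int *)0x%x" % (vendorcode + 4 * i),
                                   gdb.BP_WATCHPOINT, gdb.WP_WRITE)
                self.armed = True
            return False  # keep running; the watchpoints do the stopping

    LSgBreakpoint()
except ImportError:
    pass  # imported outside gdb: only the pure helpers are usable
```

The helpers are kept free of gdb so they can be reused from any debugger that hands you raw stack bytes. Watch the first few dwords rather than the whole struct: a hardware watchpoint covers at most 4 bytes on 32-bit x86, and asking gdb to watch a large region silently falls back to a single-stepping software watchpoint.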
