Hi all,

I currently have a damon on flexlm 11.3. I have flexlm 11.4 SDk and Ollydbg. I am trying to find the seeds but cannot.

Can anyone help?
Thanks.

upload the daemon file and (if have it) any sample license...

deamon location - http://rapidshare.com/files/256510864/daemon.zip.html

I need the seed 1,2,3

Thanks.

if you mean LM_SEED1/2/3 - not possible to able get it.

Thanks for the response.

How about the encryption seeds?

# SEED1 = 0xD48726FC
# SEED2 = 0xE8FF3A1F

/* Version 11 keys */
#define VENDOR_KEY1 0x54067127
#define VENDOR_KEY2 0x2182a625
#define VENDOR_KEY3 0x3a48e197
#define VENDOR_KEY4 0xf9361ebe
#define VENDOR_KEY5 0x656264f7
#define TRL_KEY1 0x1fd65c23
#define TRL_KEY2 0x9c8fc2ef

#define VENDOR_NAME "CITRIX"

Relationship between LM_SEEDs and ENCRYPTION_SEEDs is not solveable, but you don't need the LM_SEEDS. You can recover encryption seeds 1 & 2 using the vendor server/daemon, Ollydbg, and this procedure :

Git

Thanks all for the responses. Really appreciate.

I have used the following in lm_code.h
#define ENCRYPTION_SEED1 0xD48726FC
#define ENCRYPTION_SEED2 0xE8FF3A1F

#define VENDOR_KEY1 0x54067127
#define VENDOR_KEY2 0x2182a625
#define VENDOR_KEY3 0x3a48e197
#define VENDOR_KEY4 0xf9361ebe
#define VENDOR_KEY5 0x656264f7
#define TRL_KEY1 0x1fd65c23
#define TRL_KEY2 0x9c8fc2ef

#define VENDOR_NAME "CITRIX"

i then run a make and generate a license file from this. The SDK im using is 11.4. The daemon is on 11.3. When i try load the license on the daemon i get - Invalid license key (inconsistent authentication code)

Have i done anything wrong?

Apologies, i'm still a beginner in this.

check license syntax before...

license syntax is fine. no alterations in the license. running nmake which produces a new CITRIX.exe file (ver11.4). lmcrypt on this produces a new sign compatible with this new daemon. However, this new license is not compatible with original 11.3 daemon - produces the error Invalid license key (inconsistent authentication code)

This is my lm_code.h Please let me know if there's anything out of the ordinary.

#define ENCRYPTION_SEED1 0xD48726FC
#define ENCRYPTION_SEED2 0xE8FF3A1F

#define VENDOR_KEY1 0x54067127
#define VENDOR_KEY2 0x2182a625
#define VENDOR_KEY3 0x3a48e197
#define VENDOR_KEY4 0xf9361ebe
#define VENDOR_KEY5 0x656264f7

#define LM_SEED1 0x8a001ca0
#define LM_SEED2 0xbbd0c200
#define LM_SEED3 0xa1a9fd9d

#define LM_STRENGTH LM_STRENGTH_239BIT

#define TRL_KEY1 0x1fd65c23
#define TRL_KEY2 0x9c8fc2ef

1. what you get LM_SEED?

#define LM_SEED1 0x8a001ca0
#define LM_SEED2 0xbbd0c200
#define LM_SEED3 0xa1a9fd9d

#define LM_STRENGTH LM_STRENGTH_239BIT

2. RTFM about FLEXlm CRO option (ECC)

old license + old daemon
21:09:03 (CITRIX) FLEXnet Licensing version v11.3.0 build 28877
21:09:03 (CITRIX) lmgrd version 11.4, CITRIX version 11.3

21:09:03 (CITRIX) Server started on ROBERT-LAPTOP for: MPS_ENT_CCU
21:09:03 (CITRIX)
21:09:03 (CITRIX) Licenses are case sensitive for CITRIX
21:09:03 (CITRIX)
21:09:03 (CITRIX) Wrong hostid on SERVER line for license file:
21:09:03 (CITRIX) c:\33.lic
21:09:03 (CITRIX) SERVER line says HOSTNAME=xxxx, hostid is HOSTNAME=ROBERT-
LAPTOP
21:09:03 (CITRIX) Invalid hostid on SERVER line
21:09:03 (CITRIX) Disabling 20 licenses from feature MPS_ENT_CCU(187E AC2F 02DC
AE3A )

old license + new daemon
21:07:43 (lmgrd) FLEXnet Licensing (v11.4.0.0 build 31341) started on ROBERT-LAP
TOP (IBM PC) (7/16/2009)
21:07:43 (lmgrd) Copyright (c) 1988-2006 Macrovision Europe Ltd. and/or Macrovis
ion Corporation. All Rights Reserved.
21:07:43 (lmgrd) US Patents 5,390,297 and 5,671,412.
21:07:43 (lmgrd) World Wide Web: http://www.macrovision.com
21:07:43 (lmgrd) License file(s): c:\33.lic
21:07:43 (lmgrd) lmgrd tcp-port 27000
21:07:43 (lmgrd) Starting vendor daemons ...
21:07:43 (lmgrd) Started CITRIX (pid 6896)
21:07:43 (CITRIX) FLEXnet Licensing version v11.4.0.0 build 31341
21:07:43 (CITRIX) Invalid license key (inconsistent authentication code)
21:07:43 (CITRIX) ==>INCREMENT MPS_ENT_CCU CITRIX 2008.0405 permanent 20 \

VENDOR_STRING=;LT=Retail;GP=720;CL=ENT,ADV,STD,AST ;SA=1;ODP=0 \
DUP_GROUP=V ISSUED=25-Jul-2007 NOTICE="xxxxx" \

new license + old daemon
21:09:54 (lmgrd) License file(s): 1.lic
21:09:54 (lmgrd) lmgrd tcp-port 27000
21:09:54 (lmgrd) Starting vendor daemons ...
21:09:54 (lmgrd) Started CITRIX (pid 7084)
21:09:55 (CITRIX) FLEXnet Licensing version v11.3.0 build 28877
21:09:55 (CITRIX) lmgrd version 11.4, CITRIX version 11.3

21:09:55 (CITRIX) Invalid license key (inconsistent authentication code)
21:09:55 (CITRIX) ==>INCREMENT MPS_ENT_CCU CITRIX 2008.0405 permanent 200
\
VENDOR_STRING=;LT=Retail;GP=720;CL=ENT,ADV,STD,AST ;SA=1;ODP=0 \

new license + new daemon
20:58:03 (lmgrd) FLEXnet Licensing (v11.4.0.0 build 31341) started on ROBERT-LAP
TOP (IBM PC) (7/16/2009)
20:58:03 (lmgrd) Copyright (c) 1988-2006 Macrovision Europe Ltd. and/or Macrovis
ion Corporation. All Rights Reserved.
20:58:03 (lmgrd) US Patents 5,390,297 and 5,671,412.
20:58:03 (lmgrd) World Wide Web: http://www.macrovision.com
20:58:03 (lmgrd) License file(s): 1.lic
20:58:03 (lmgrd) lmgrd tcp-port 27000
20:58:03 (lmgrd) Starting vendor daemons ...
20:58:03 (lmgrd) Started CITRIX (pid 6656)
20:58:03 (CITRIX) FLEXnet Licensing version v11.4.0.0 build 31341
20:58:03 (CITRIX) Server started on ROBERT-LAPTOP for: MPS_ENT_CCU
20:58:03 (lmgrd) CITRIX using TCP-port 1989

Thanks for the response. Pardon me for my many questions, i am a beginner and have been going round in circles.

I have gone through documentation and it says that the CRO should be done by -

#define CRO_KEY1 0xxxxxx
#define CRO_KEY2 0xxx

and after you put
#define LM_STRENGTH {LM_STRENGTH_DEFAULT/113/163/239BIT}

i have tried to remove the LM_SEED1 - 3 vales in lm_code.h but it wont compile. Can you please post for me a full working lm_code.h which will work with the 11.4 SDK please. I will really appreciate.

Kind regards,
Robert.

Just make up random numbers for LM_SEEDs. You can't use 113/163/239BIT license strength or any of the CRO stuff. You have to patch the vendor code data in the exe's to accept old-style licenses with 12 or 20 digit SIGN values. Then you use LM_STRENGTH_DEFAULT and don't worry about the CRO/TRL key values. AT least, that is what you did to get round CRO/ECC up to V10.5. After 10.5 they closed that loophole and patching is a case by case basis.

Git

Looks like i have hit a dead end.

Thanks anyway.

Wait to see if Bfox has anything to add, he knows much more about the ECC side than I do.

Git

SERVER this_host ANY
VENDOR CITRIX
USE_SERVER
INCREMENT MPS_STD_SERVER CITRIX 2008.0405 05-apr-2010 1 631045657EED \
VENDOR_STRING=;LT=DE;CNL=2;GP=720;CL=STD;SA=0;ODP= 0;AP=ADMIN/LOGON/ALW:NONADMIN/LOGON/ALW \
ISSUER=BfoX ISSUED=17-Jul-2009 NOTICE="Xtech DG" \
SN=OR159955:899199 START=17-Jul-2009 SIGN=73E0FEB6D6BA
INCREMENT MPS_ADV_SERVER CITRIX 2008.0405 05-apr-2010 1 29687DFACB5E \
VENDOR_STRING=;LT=DE;CNL=2;GP=720;CL=ADV,STD;SA=0; ODP=0;AP=ADMIN/LOGON/ALW:NONADMIN/LOGON/ALW \
ISSUER=BfoX ISSUED=17-Jul-2009 NOTICE="Xtech DG" \
SN=OR159955:899199 START=17-Jul-2009 SIGN=BD388526C0A8
INCREMENT MPS_ENT_SERVER CITRIX 2008.0405 05-apr-2010 1 1CB76308C97F \
VENDOR_STRING=;LT=DE;CNL=2;GP=720;CL=ENT,ADV,STD,A ST;SA=0;ODP=0;AP=ADMIN/LOGON/ALW:NONADMIN/LOGON/ALW \
ISSUER=BfoX ISSUED=17-Jul-2009 NOTICE="Xtech DG" \
SN=OR159955:899199 START=17-Jul-2009 SIGN=968621707B02

Thanks for all your contributions.

BFox, can you please copy the lm_code.h on here. Will be highly appreciated.

@kiokorobert: it same as you...

my license is work?

Dear Git, I tryed to follow your procedure of seed recovery through OllyDbg. I am new and just started learning. After Last Break Point at RET. I could not understand ESP+04 and ESP+08. Where to look them. My Olly screenshot look like.

http://www.megaupload.com/?d=LDC0L394
Please Help
Vendor is xxxxxxxx

9skumar - Normally, you would see the struct in the bottom right window, but something has gone wrong with the procedure. Read it carefully and try again.

Git

..
Please Help
Vendor is arkclsld

simply upload the vendor daemon

I will definitely go through the procedure again and will show the results. Till FF90 & EB09 Everything was OK including edx 00 00 00 00. Perhaps something in the job editing ....

For Time being the Daemon is Here: http://www.megaupload.com/?d=SJI9O6IV

Thanks

[please don't comment to yourself, uyse the Edit button to add to your post]

Tryed Again. After BP09 the job structure inside ecx is all zero. So is it the right location of job structure. edx is 00 00 00 00.
Maybe i am still messing up something. New Screenshot is here

http://www.megaupload.com/?d=EIUQBTBY

Your EB 09 breakpoint should be at 0x0040D7B4. You will then find the job structure OK.

Git

0012CF24 04 00 00 00 87 3E 4E 66 ...‡>Nf
0012CF2C 7C 75 65 18 8B E0 BD BC |ue‹à½¼
0012CF34 0E 2B 1F DC 0B 4D 91 58 +ÜM‘X
0012CF3C 76 EF 8D 66 0B 00 04 00 vï�f..
0012CF44 00 00 31 31 2E 30 00 00 ..11.0..
0012CF4C 83 DE 81 3F 8D 25 ED 8F ƒÞ�?�%í�
0012CF54 00 00 00 00 04 00 00 00 .......
0012CF5C 01 00 00 00 10 00 00 00
......
0012CF64 16 00 00 00 1F 00 00 00 ......
0012CF6C 64 8F D9 99 F9 75 80 82 d�Ù™ùu€‚
0012CF74 7F 00 3F 21 AB E3 93 11 .?!«ã“
0012CF7C 00 00 00 00 00 00 00 00 ........
0012CF84 00 00 00 00 00 00 00 00 ........
0012CF8C 00 00 00 00 00 00 00 00 ........
0012CF94 64 95 AE 62 EE 62 2C 45 d•®bîb,E
0012CF9C DF 87 7E 41 34 72 F1 06 ߇~A4rñ
0012CFA4 3A 44 01 A1 7C B8 00 00 :D
¡|¸..
0012CFAC 00 00 00 00 00 00 00 00 ........
0012CFB4 00 00 00 00 00 00 00 00 ........
0012CFBC 63 EB DB 67 F0 FB E0 C9 cëÛgðûàÉ
0012CFC4 86 EB 72 38 C9 70 D4 3E †ër8ÉpÔ>
0012CFCC B5 60 88 25 55 D6 8E E7 µ`ˆ%UÖŽç
0012CFD4 3D 18 F8 D5 61 59 21 00 =øÕaY!.
0012CFDC 00 00 00 00 00 00 00 00 ........
0012CFE4 30 15 41 00 00 00 00 00 0A.....
0012CFEC 01 00 00 00 00 00 00 00
.......
0012CFF4 00 00 00 00 00 00 00 00 ........
0012CFFC 00 00 00 00 00 00 00 00 ........

@9skumar: u vendor daemon have activated ECC on board. imho seed1/2 not help you without some target patch...

Dear BfoX, I knew it has ECC. But the Seed1 & Seed2 should still be same. Please correct me if i am wrong as i am still learning. Can you throw some light how to locate _l_pubverify and patch ECC. Also how to extract all the feature names.

Search the forums first before asking for tutorials that already exist elsewhere please.

Git

#7
GIT,
Super thanks for shareing of flexlm_7.x-11.4_seed_extraction

Hello experts,
Some years ago, I learnt to find the seeds by the help of this forum & a certain Nblender. Initially, it was really easy, but in version later than 5 I needed to run the daemon to a dummy license file, which is the only way nowadays.

In my effort to regain my lost knowledge, I tried following the tips provided in above mention PDF on an old target which I knew what breakpoints to use, and my old method actually was using a breakpoint at the call to _l_n36_buff (inside _l_sg ).
But this (old) method set another bp (bp2) just after that call (i.e. add exp, 0000000c) & the method used watched the (encrypted) seeds being filled on between bp1 & bp2 at data adresses provided on the rows before the vendor daemon & after the vendor daemon. And after bp2 these addresses were filled with the job-struct & data-struct, which were put into a tool called calcseed.exe which derived the true seeds.

To summarize my findings, I can use the find text "6F7330B8" to set my old-school bp's at the call dword & the add exp, 0000000c just below the call dword, and after bp2, read the content of esp+00000000 & esp+00000008 for the job-struct & data-struct, and feed them into calcseed.

But I do not understand the new ways, which makes me kinda sad.

My old-school method, for daemons around version 7-8 using w32dasm:

1. search for ebp+10, look for pattern
mov ecx, dword ptr, ebp+10
push ecx
mov edx, dword ptr, ebp+0c
push edx
mov eax, dword ptr, ebp+08
push eax
call dword ptr [something]
add exp, 00000000c
(this method was a trial & error but a search for 6F7330B8 will get the correct ebp+10 every time!)
2. set bp's at call dword & the add exp,0000000c right below it
3. run target, wath for it to break on bp1
(using -t computername 4 -c license.dat as arguments)
4. watch for esp+00000004 to become the vendor daemon name, then is the correct bp's (remember I guessed prior to this new knowledge)
5. read value on esp+00000000 & esp+00000008 & write them into used adr1&2 (w32dasm syntax)
6. run to bp2 & watch the data addresses given at esp+00000000 & esp+00000008 become filled with the jobstruct & datastruct
7. put these into calcseed.exe for the true seeds
8. enter into lmcode.h & compile.
9. done

aha, I got further, I'm happy to inform.
I successfully combined tips from above mentioned PDF & my skills in w32dasm & the use of calcseed.exe to find the seeds in my v11.x target;

A) start w32dasm89.exe
B) load daemon
C) menu debug/load process/add optional command line -t computer_name 4 –c license.dat (I put the license.dat in c:\flexlm to avoid setting any env-variables)
D) search/find text/6F7330B8
E) at find of mov [ebp-oc], 6F7330B8 scroll down (approx 20 lines) until the call dword ptr [eax+00000524 is seen]
F) set 1st breakpoint on this call dwrod
G) set 2nd breakpoint on row below (add esp, 000000c)
H) run target
I) watch it break at 1st bp, esp+000000004 has the vendor daemon name, esp+00000000 has the pointer to the jobstruct, esp+00000008 has the pointer to the datastruct
J) read off the values of these pointers, add these to User addr 1 & user addr 2.
K) run target again, breaks at next line.
L) hit the UA1 button to read the jobstruct, UA2 for datastruct, in this sepcial case:
[00333FCC] - 00000000 ....
[00333FD0] - 00000000 ....
[00333FD4] - 00000000 ....
[00333FD8] - 00000001 ....
[00333FDC] - 0040d280 ..@.
[00333FE0] - 00000000 ....
[00333FE4] - 006e005b [.n.
[00333FE8] - f39d61df .a.. job+08
[00333FEC] - 0073f814 ..s. job+0c
[00333FF0] - 001b0000 .... job+10
[00333FF4] - 00000000 ....

[0012CF14] - 0001218a .!..
[0012CF18] - 00000000 ....
[0012CF1C] - 00000000 ....
[0012CF20] - 00000000 ....
[0012CF24] - 00000000 ....
[0012CF28] - 00000004 ....
[0012CF2C] - f197605a Z`.. data
[0012CF30] - 89d04498 .D.. data1
[0012CF34] - 6b01412c ,A.k
[0012CF38] - aaad8c10 ....
[0012CF3C] - d4f9aa13 ....
M) put these values into calcseed.exe together with daemon name to retrieve the encryption seeds
N) generate vendor keys with lmvgen8 or similair
O) modify lm_code.h appropriately
P) compile (nmake /i)
Q) done

But, I have currently not understood how the encryption_seed (2x & found above) is related to lm_seed (3x needed in v8 SDK and later) and cro-keys (2x needed) or the 4x encryption seeds used in SDK8.
The lm_code2.h tries to explain the mapping, but I didnt get it.

In this particular case, the daemon could be launched with a lic. generated in version5 syntax, all other (later) versions caused the license to be invalid. The software in turn needed a SIGN= to start.
I fiddled around and managed to compile using SDK8 using the following;
- set 5xvendorkeys & 2xencr.seeds into lm_code.h
- commented out the encr.seed 3 & 4 (what are these for?)
- defined crokeys as provided by LMV8GEN.EXE
- #define LM_VER_BEHAVIOR LM_BEHAVIOR_V5
& built using nmake /i to force lmcrypt.exe to build

with the v5 old-school licensekeys & the SIGN (which seemingly use the v8 format) both the daemon & the software started.

CAn any of you gurus explain how the encr.seed 3&4 are used?

#7
GIT,
Super thanks for shareing of flexlm_7.x-11.4_seed_extraction

Do not use them. They are wrong. Try do checkout and follow these stpes twice and you will get different numbers in vc+4 and vc+8 (ver 10.8 for sure).

G497RGT - no, what you mean is when YOU find them they are wrong. If minthus followed that document correctly then the seeds are 100% correct. I have used that method for a long time and never seen it fail. Even in V11+
. I am sure others here will testift likewise. I suggest you check your facts more carefully before jumping onto a forum where you are not known and tell people they are wrong when they are not.

Bad start.

Git

Sorry, my mistake. Steps are good. Thanks.

I see.
Anyway, the daemon started, the software needed SIGN= but also uses the stronger eliptic curve / public key stuff, so the program exe or dll's need to be patched in order to checkout old-school licenses.
I havent seen any tuts regarding patching to dll/exe in order to force the software to checkout old-school licenses. :(

I ended up with a daemon serving old-school licenses that the software do not checkout since it needs patching.

You need to patch the VendorCode struct in the data section. There is a single byte field that specifies the type of SIGN used. Change it to normal 12/20 digit.

Git

Approximately, thats what I have figured out.
I dloaded an exe called FlexECCPatch.exe that indeed found some sort of pattern inside the dll that I found keeps the flex calls.
But running FlexECCPatch.exe onto the dll didn't make it work, instead the software gave a huge error & exited.

Man, this is difficult.

FlexECCPatch.exe developed not for v11.x of the flexlm

Exactly what I also have read. In fact, supposodly, the patch is done but flex ignores it.
And my feeling is that what eccpatch does, is not exactly what I am supposed to do. Similair, probably.
Can someone of you really clever/talented guys give som more hints on how to proceed?
I cannot remember seeing any tuts on patching dll/exe to revert to regular sign-checking & avoid using the cro-stuff, on say 11.x v targets...

may be simply upload the vendor daemons file?

I just told you exactly what to do. There are other ways, but that is the easiest.

Git

I totally believe that I am the stupid one here.
I totally would like to wrap my head around this last step of patching.

I read up on what the flexeccpatch does and it patches _l_pubkey_verify() to always return "ok" (wild guess...) and this is not the way to get it to fall back to pre-sign checking, for this, I need to
a) find the data structure
b) and read up on what value inside this structure need to be changed from something to something else.

So, I applied my newly learned method combining stuff learnt from a certain PDF & using calcseed (this is replacing the patching method provided in the PDF) & inside my dll I do find the same two "6F7330B8" as inside the daemon, so I kinda understand what you were trying to explain to me Git. But not totally.

* I have found the point where I would put my two bp's inside the DLL if it was a daemon.
Q: Can the dll be patched without running it (by loading the exe that calls it in the disassembler) or should I read the PDF once more, using the explained-but-not-understood-method of patching to somehow patch the dll?

ssabb-

If you want to patch the dll, you need to load the dll in to Olly (assuming you are using Ollydbg) as your main module. However, you can load the target exe in to Olly and place comments inside of the dll's/calls (so that you can later use your comments to easily patch the dll) - any comments that you leave, even if they are outside of the main module, will save, regardless.

-G

Thanks for all the help youre trying to give me, but it's totally not understood on my part.

Can I ask these questions for you clever guys?

1. Is the thing I need to do to the target to get it to fall back to short non-cro sign actually handled by "patching the l_pubkey_verify" as done by flexeccpatcher? I know it is useless for later targets since the code has changed.
2. If ~yes on 1) the place I need to patch has a pattern that is searchable if I knew how, right? http://bitwixen.com/2009/08/flexlm-l-pubkey-verify.html tries to explain this pattern. Can this approach be used, searching for a specific pattern?
3. I've read that only "flag2" in l_n36_buf() need to be set to 1 instead of 0 to fall back to pre-cro, is this place only possible to find by loading target & running it in a live process?

[Please DO NOT quote whole messages, it is not needed]

Could you upload again the FlexeCCpatch.exe

Thank you,
Regards,

@bratek: FlexeCCpatch from CrackZ site maked for flexlm target v8.1 imho...

Thank you BfoX,
I've got it but seem not work with almost new software now...:confused:
if you have a new one (eccpatch.exe) please help.

Regards,

What prevents you take the original file and compare with the file, which is "fixed" by FlexECCPatch and make the same changes to the files that are protected version 11.3?

@WRP: no jet, can be differen. imho

@BfoX: The changes are minimal

@WRP: may be, im not use FlexECCPatch

@BfoX: I use a signature for IDA , which I did myself.

@ Gif, BfoX, WRP,... and any expert here!

Please help me to patch this one:
http://www.sendspace.com/file/v5172j

I've tried it so many time and many way but can not :confused: because I'm still lower knowledge for it....:confused:


_____________
SERVER PC1 Id-mac 27001
VENDOR osp
USE_SERVER
FEATURE OspAGXAdapter osp 200912.31 31-dec-2010 5 981E9B03B72F \
DUP_GROUP=U ck=113 SIGN="0213 6B83 432C 14B4 ABA0 4D83 8DEE \
743C FD0F 59F8 A502 7328 AFEF 8257 6E0C 0AD3 F0F3 3253 ADA1 \
E4CE 63A5"

_________
Please give any ideas for Osp.
I'm still waiting some helps from all of you.
Thanks all of you for your time.

Best regards,
Bratek

we have this way:

1 the target will be used old way of the licensing (non-SIGN)
you can use license without SIGN=....

2 the target will be used new way of the licensing (SING)
you make patch for daemon and target software, next can use license without SIGN=....

3 Buy for target vendor's valid license

Thank BfoX,
for two options (1,2) :) .

I will check and tell you.

Any idea please share.