Exetools

flexlm and VENDOR_KEY5 (https://forum.exetools.com/showthread.php?t=10124)

yalcm 05-08-2007 18:28

Quote:

Now the thing I do not understand fully, is VENDOR_KEY5 generated out of
key1-4 and vendor? or how can I find that? thanks

Yes, it is derived from key1-4. Its function is used to hide the encode seeds1-2 before version 7.0. But it is now (after version 7.0) useless. The new role is replaced by a dynamically derived number from vendor name, timer, salt, etc. That dynamic number was once stored somewhere inside the job structure. Now it has moved into an extended area, but still inside the job structure. To recover the encode seeds1-2, norland's tutor is still the best up to now. Go to Crackz site to search for it.

Keys1-4 and vendor name are used to derive an original plain key, which stores the keys' expiration date, supported functions enabled, supported hw-dongle types, and the keys1-4 integrity checksum.

crokeys1-2 (trlkeys1-2) are only used for enabling TRL options and for their own integrity checksum. They have nothing to do with the SIGNx generation.

arlequim 02-08-2009 21:34

To get ES1, ES2 and VK5 is really easy. You don't need any tools, just locate the l_sg() function where the seeds are uncovered.

Code:

00417043  |. 8D8D 80FDFFFF  LEA ECX,DWORD PTR SS:[EBP-280]
00417049  |. 51            PUSH ECX                                ; /Arg3
0041704A  |. 8B95 6CFDFFFF  MOV EDX,DWORD PTR SS:[EBP-294]          ; |
00417050  |. 81C2 0C030000  ADD EDX,30C                              ; |
00417056  |. 52            PUSH EDX                                ; |Arg2
00417057  |. 8B85 6CFDFFFF  MOV EAX,DWORD PTR SS:[EBP-294]          ; |
0041705D  |. 50            PUSH EAX                                ; |Arg1
0041705E  |. E8 27040100    CALL thinkflx.0042748A                  ;  <-- Call l_sg() \thinkflx.0042748A
00417063  |. 83C4 0C        ADD ESP,0C
00417066  |. 81BD 84FDFFFF >CMP DWORD PTR SS:[EBP-27C],87654321
00417070  |. 74 0C          JE SHORT thinkflx.0041707E
00417072  |. 81BD 88FDFFFF >CMP DWORD PTR SS:[EBP-278],12345678

After the call you can locate ES1 and ES2 in [ebp-27c] and [ebp-278], and inside the procedure the correct value of VK5.

arlequim 02-09-2009 03:59

Quote:

Originally Posted by swork3 (Post 52662)
Hi, I searched around but I have not found an answer. I have an app using
flexlm 9.x, I followed some tutorial and found VENDOR_KEY1-4 and vc.data[0]
and vc.data[1] (the time() and xor table thing). I got ENCRYPTION_SEED1 and 2,
I tested that 3 times - got the same seed1 and 2, so that is correct.
Now the thing I do not understand fully, is VENDOR_KEY5 generated out of
key1-4 and vendor? or how can I find that? thanks

You don't need any tools to find out ES1, ES2 and VK5. Just locate the l_sg() procedure, as you can see here:

Code:

00417043  |. 8D8D 80FDFFFF  LEA ECX,DWORD PTR SS:[EBP-280]
00417049  |. 51            PUSH ECX                               
0041704A  |. 8B95 6CFDFFFF  MOV EDX,DWORD PTR SS:[EBP-294]         
00417050  |. 81C2 0C030000  ADD EDX,30C                             
00417056  |. 52            PUSH EDX                               
00417057  |. 8B85 6CFDFFFF  MOV EAX,DWORD PTR SS:[EBP-294]         
0041705D  |. 50            PUSH EAX                               
0041705E  |. E8 27040100    CALL xxx.0042748A                 
00417063  |. 83C4 0C        ADD ESP,0C
00417066  |. 81BD 84FDFFFF >CMP DWORD PTR SS:[EBP-27C],87654321
00417070  |. 74 0C          JE SHORT xxx.0041707E
00417072  |. 81BD 88FDFFFF >CMP DWORD PTR SS:[EBP-278],12345678

inside 0042748A
...
00427563  |. 3355 F4        XOR EDX,DWORD PTR SS:[EBP-C]
00427566  |. 3355 E0        XOR EDX,DWORD PTR SS:[EBP-20]
00427569  |. 3355 E4        XOR EDX,DWORD PTR SS:[EBP-1C]
0042756C  |. 8B4D 10        MOV ECX,DWORD PTR SS:[EBP+10]
0042756F  |. 8B41 04        MOV EAX,DWORD PTR DS:[ECX+4]
00427572  |. 33C2          XOR EAX,EDX -> ES1 xored by VK5 = real ES1
...
00427596  |. 334D F4        XOR ECX,DWORD PTR SS:[EBP-C]
00427599  |. 334D E0        XOR ECX,DWORD PTR SS:[EBP-20]
0042759C  |. 334D E4        XOR ECX,DWORD PTR SS:[EBP-1C]
0042759F  |. 8B45 10        MOV EAX,DWORD PTR SS:[EBP+10]
004275A2  |. 8B50 08        MOV EDX,DWORD PTR DS:[EAX+8]
004275A5  |. 33D1          XOR EDX,ECX -> ES2 xored by VK5 = real ES2


