Exetools

FlexLM Help (https://forum.exetools.com/showthread.php?t=4509)

toro 09-12-2004 03:27

hi szy111

The function at address 424410 is l_getattr; the address of signed32 is 4422cf. It must be called from l_string_key.

toro

szy111 09-12-2004 16:09

hi toro:
Thank you again. But in the middle of every l_string_key, I cannot find 4422cf. Why? Only 2 call 424410!!!

szy111 09-14-2004 17:47

hi toro:
Please help me!!
I do not know why the address of signed32 is 4422cf. Can you give me detailed information? Thank you.

nikkov 09-14-2004 18:38

Has anybody used lmcryptgui from Crackz's tutorial page?
I created a generator, but it doesn't work and terminates with an exception :(

toro 09-14-2004 21:47

hi szy111

At least, can you see the correct sign that is created at the end of l_string_key for every feature?

toro.

szy111 09-15-2004 13:51

hi toro:
I set a breakpoint at 41a1f5 in Olly (F2), then F7, but it stops at the next point!!! How to trace? Please tell me step by step. I am beginning to use Olly.

szy111 09-15-2004 21:43

Quote:

Originally Posted by nikkov
Has anybody used lmcryptgui from Crackz's tutorial page?
I created a generator, but it doesn't work and terminates with an exception :(

Give me the seed and license.dat, I'll make it for you!!!!

toro 09-15-2004 21:51

Quote:

I set a breakpoint at 41a1f5 in Olly (F2), then F7, but it stops at the next point!!! How to trace? Please tell me step by step. I am beginning to use Olly.

There are many tuts on the internet.

toro

nikkov 09-16-2004 11:00

Quote:

Originally Posted by szy111
Give me the seed and license.dat, I'll make it for you!!!!

I don't have the seed yet, but I am searching for it for Autodesk Inventor 8
(FlexLm 8.3a).
I don't have the SDK for this version, so I want to use lmcryptgui, if it is possible.
And another question: can I use an SDK that is not version 8.3a, and what changes need to be made for it?
---------------------------------------------------
AAAAA!!! I am a stupid man :(.
I ran lmcryptgui without a parameter!!!
Now it works, but can lmcryptgui generate a license for FlexLm 8.3a?

Thanks.

szy111 09-16-2004 15:06

Run lmcryptgui with the seeds and vendor, then create an exe file, run the exe with license.dat, and you will be well. But you must have the seeds!!

nikkov 09-16-2004 16:59

Quote:

Originally Posted by szy111
Run lmcryptgui with the seeds and vendor, then create an exe file, run the exe with license.dat, and you will be well. But you must have the seeds!!

O.K. I found the seed and vendor, and successfully made a working license
for Autodesk Inventor 8. It's easier than cracking C-Dilla :)

Thank you for the advice.

appleleafs 10-15-2004 05:30

Actually, the call to signed32 will depend on the behavior of the FlexLM. For example, if the crypt filter is used, the code will skip the call to signed32. They have improved the security in a way, and do not provide compatibility in this special case.
On the other hand, it is a better idea to recover the seed from the job structure, which involves identifying the call to l_sg and recording the memory contents. There have been essays and calc tools to make this very easy. Most important is that all the behavior can be defeated in this way. Of course, we are not talking about the ECC.
If you have identified the l_string_key code, you will be able to find the license key information by just looking at the return point of this function. There will be a call to atox, which converts and formats the license key in ASCII format; just check the return value in EAX, do a reference to the memory, and dump the key. It is automatically generated for you. There is an easy signature of the atox function: there is a long string 0123456789ABCDEF defined there. Do a search on the code, and you will find it easily. Then you can trace back to the point for the key generation. There is no need to recover seeds, no need to run license generation.

Peter[Pan] 11-01-2004 03:39

Guys, thanks for the info. I am back to viewing FlexLM apps; I did manage to solve my license problem, and thanks :) I am now using the method for l_sg on all my targets; however, I found one target it doesn't work for! Maybe I made a mistake, maybe not. Can anybody view and see?

I view the app:
*removed by request*

I got the following information:
Seed1: 38aa43fa
Seed2: 95845bd5
Vendor: Pxxxx

However, putting these into lmcryptgui and re-signing the license file still results in -8 (Bad Auth).

Any ideas?

Thanks.

dirkmill 11-01-2004 04:53

@Peter[Pan]:
I just had a quick look at your target and it seems that your seeds are wrong!

I found this:
encseed[0]=6bxxxx58
encseed[1]=9cxxxx2e

You might want to recheck the byte-order of your calcseed-inputs ;)

Dirk

Peter[Pan] 11-01-2004 05:46

Gonna view straight away! Thanks :)

*edit*, yeah, I guess I was using Jobx04++ instead of Jobx08++

Anyway, I recorded the job, data and vendor name before and after the call to n36buff

Code:

[BEFORE]
VENDOR: ASCII "Pxxxx"
Name: DATA                              JOB
0x00: 66 00 00 00                      04 00 00 00
0x04: 00 00 00 00                      15 BB F2 4E
0x08: 00 00 00 00                      63 4C 08 B9
0x0C: 00 00 00 00                      C0 D9 02 38
0x10: 00 00 00 00                      E5 B6 0F 2F
0x14: 00 00 00 00                      EA 9B 6F 06
0x18: 00 00 00 00                      B0 7E 2A 4C
0x1C: 00 00 00 00                      09 00 02 00

[AFTER]
VENDOR: ASCII "Pxxxx"
Name: DATA                              JOB
0x00: 66 00 00 00                      04 00 00 00
0x04: 91 00 29 00                      74 35 99 6B
0x08: 3F 99 86 2C                      02 C2 63 9C
0x0C: 5E 3D 1C 00                      C0 D9 02 38
0x10: 00 00 73 00                      E5 B6 0F 2F
0x14: 00 00 00 00                      EA 9B 6F 06
0x18: 00 00 00 00                      B0 7E 2A 4C
0x1C: 00 00 00 00                      09 00 02 00

gives me:
data[0]: 00290091
data[1]: 2C86993F
Vendor: Pxxxx
job+0x08: 0x9C63C202
job+0x0c: 0x3802D9C0
job+0x10: 0x2F0FB6E5
XOR VAL: 0x2fc0d99c
Enc1: 0x2fe9d90d
Enc2: 0x034640a3

Still doesn't match yours, maybe I am going wrong somewhere... :/

P.S. Thanks for the help, it's really appreciated :)

