Exetools forum, General Discussion: flexlm and VENDOR_KEY5 (https://forum.exetools.com/showthread.php?t=10124)

swork3 09-01-2006 01:27

flexlm and VENDOR_KEY5
 
Hi, I searched around but have not found an answer. I have an app using
flexlm 9.x; I followed some tutorial and found VENDOR_KEY1-4 and vc.data[0]
and vc.data[1] (the time() and XOR table thing). I got ENCRYPTION_SEED1 and 2;
I tested that 3 times and got the same seed1 and 2, so that is correct.
Now the thing I do not fully understand: is VENDOR_KEY5 generated out of
key1-4 and the vendor name? Or how can I find that? Thanks.

CrackZ 09-01-2006 04:56

Hiya,

I have released today the source code to Nolan Blender's Lmkg, which will allow anyone to generate FLEXlm vendor keys and CRO keys for any vendor name up to v9 (trivial modification of the constants should also enable generation of v10 keys as well, but I'll leave that as an exercise ;-) ).

It is available at hxxp://www.woodmann.com/crackz/FLEXlm/Lmkg.zip

Regards

CrackZ.

xpman 09-01-2006 05:53

Great!!! I have waited for it for a long, long time.

I want to know whether "CRO_KEY1 & CRO_KEY2" are also available for long license keys?

Thanks.

swlepus 09-01-2006 08:31

To CrackZ.

Is there any hint for the var1 and var2 constants in nbl_keygen()?
Are they just random numbers?

BR,

hanzi 09-04-2006 08:22

Thanks CrackZ.
That is a useful tool for Flex. I'll try it.

Git 09-04-2006 19:33

Quote:

Originally Posted by swlepus
Is there any hint for the var1 and var2 constants in nbl_keygen()?
Are they just random numbers?

Search for glseed here.

Git

swlepus 09-05-2006 09:31

Quote:

Originally Posted by Git
Search for glseed here.

Git

Thanks Git,

I found these values come from l_key.c in the SDK source.
But is there any way to get them from a binary such as a daemon?
I mean, how can I get the glseed via lmgrd.exe or some other binary file?

Git 09-05-2006 18:59

Probably, but you don't need to. The two values are unique to a FLEXlm version and the same for everybody.

Git

swork3 12-08-2006 20:19

Is it possible that some customer has old keys and migrated them to a new version, so that the output of lmkg is wrong (only for this specific case)?
Thanks

FoxB 12-09-2006 14:03

@swork3:
As an example, the Synopsys range of daemons has additional encryption over lc_set_attr(lm_job, LM_A_USER_CRYPT_FILTER_GEN,(LM_A_VAL_TYPE)user_crypt_filter_gen)

user_crypt_filter_gen() is your additional target.

WBR

PS: you can contact me by PM.

atomix 03-06-2007 20:36

Quote:

Originally Posted by CrackZ
It is available at hxxp://www.woodmann.com/crackz/FLEXlm/Lmkg.zip

Regards
CrackZ.

Thanks, but it seems I am too late for it and no mirrors are available atm. :(
I was and still am really curious to have a look at the source code as lmkg is definitely a very useful tool.

farzadfarzad 03-06-2007 21:28

2 Attachment(s)
@atomix
Here you are.

JMI 03-07-2007 01:40

CrackZ' site will be back soon. We are having some ongoing problems with our server and ISP for Woodmann.com and may have to move to another ISP to get them resolved. We still have all the materials and they will be back up as soon as we can get these issues sorted out.

Regards,

atomix 03-13-2007 19:19

Thanks farzadfarzad, please check your PM for the source code requested.

JMI, that's great news - can't wait to see it back online. Keep up the excellent work! :)

JMI 03-14-2007 02:54

Woodmann is already back online. See my Announcement in the Announcement Forum for the way to reach it until the DNS servers spin up with the new ISP.

Regards,

yalcm 05-08-2007 18:28

Quote:

Now the thing I do not fully understand: is VENDOR_KEY5 generated out of
key1-4 and the vendor name? Or how can I find that? Thanks.

Yes, it is derived from key1-4. Its function was to hide the encode seeds 1-2 before version 7.0, but it is now (after version 7.0) useless. Its role has been replaced by a dynamic number derived from the vendor name, timer, salt, etc. That dynamic number was once stored somewhere inside the job structure; now it has moved into an extended area, but it is still inside the job structure. To recover the encode seeds 1-2, norland's tutorial is still the best up to now. Go to CrackZ's site to search for it.

Keys 1-4 and the vendor name are used to derive an original plain key, which stores the key's expiry date, the supported functions enabled, the supported hardware dongle types, and the keys 1-4 integrity checksum.

crokeys1-2 (trlkeys1-2) are only used for enabling TRL options and for their own integrity checksum. They have nothing to do with the SIGNx generation.

arlequim 02-08-2009 21:34

Getting ES1, ES2 and VK5 is really easy; you don't need any tools, just locate the l_sg() function where the seeds are uncovered.

Code:

00417043  |. 8D8D 80FDFFFF  LEA ECX,DWORD PTR SS:[EBP-280]
00417049  |. 51            PUSH ECX                                ; /Arg3
0041704A  |. 8B95 6CFDFFFF  MOV EDX,DWORD PTR SS:[EBP-294]          ; |
00417050  |. 81C2 0C030000  ADD EDX,30C                              ; |
00417056  |. 52            PUSH EDX                                ; |Arg2
00417057  |. 8B85 6CFDFFFF  MOV EAX,DWORD PTR SS:[EBP-294]          ; |
0041705D  |. 50            PUSH EAX                                ; |Arg1
0041705E  |. E8 27040100    CALL thinkflx.0042748A                  ;  <-- Call l_sg() \thinkflx.0042748A
00417063  |. 83C4 0C        ADD ESP,0C
00417066  |. 81BD 84FDFFFF >CMP DWORD PTR SS:[EBP-27C],87654321
00417070  |. 74 0C          JE SHORT thinkflx.0041707E
00417072  |. 81BD 88FDFFFF >CMP DWORD PTR SS:[EBP-278],12345678

After the call you can find ES1 and ES2 in [ebp-27c] and [ebp-278], and inside the procedure the correct value of VK5.

arlequim 02-09-2009 03:59

Quote:

Originally Posted by swork3 (Post 52662)
Hi, I searched around but have not found an answer. I have an app using
flexlm 9.x; I followed some tutorial and found VENDOR_KEY1-4 and vc.data[0]
and vc.data[1] (the time() and XOR table thing). I got ENCRYPTION_SEED1 and 2;
I tested that 3 times and got the same seed1 and 2, so that is correct.
Now the thing I do not fully understand: is VENDOR_KEY5 generated out of
key1-4 and the vendor name? Or how can I find that? Thanks.

You don't need any tools to find ES1, ES2 and VK5. Just locate the l_sg() procedure, as you can see here:

Code:

00417043  |. 8D8D 80FDFFFF  LEA ECX,DWORD PTR SS:[EBP-280]
00417049  |. 51            PUSH ECX                               
0041704A  |. 8B95 6CFDFFFF  MOV EDX,DWORD PTR SS:[EBP-294]         
00417050  |. 81C2 0C030000  ADD EDX,30C                             
00417056  |. 52            PUSH EDX                               
00417057  |. 8B85 6CFDFFFF  MOV EAX,DWORD PTR SS:[EBP-294]         
0041705D  |. 50            PUSH EAX                               
0041705E  |. E8 27040100    CALL xxx.0042748A                 
00417063  |. 83C4 0C        ADD ESP,0C
00417066  |. 81BD 84FDFFFF >CMP DWORD PTR SS:[EBP-27C],87654321
00417070  |. 74 0C          JE SHORT xxx.0041707E
00417072  |. 81BD 88FDFFFF >CMP DWORD PTR SS:[EBP-278],12345678

inside 0042748A
...
00427563  |. 3355 F4        XOR EDX,DWORD PTR SS:[EBP-C]
00427566  |. 3355 E0        XOR EDX,DWORD PTR SS:[EBP-20]
00427569  |. 3355 E4        XOR EDX,DWORD PTR SS:[EBP-1C]
0042756C  |. 8B4D 10        MOV ECX,DWORD PTR SS:[EBP+10]
0042756F  |. 8B41 04        MOV EAX,DWORD PTR DS:[ECX+4]
00427572  |. 33C2          XOR EAX,EDX -> ES1 xored by VK5 = real ES1
...
00427596  |. 334D F4        XOR ECX,DWORD PTR SS:[EBP-C]
00427599  |. 334D E0        XOR ECX,DWORD PTR SS:[EBP-20]
0042759C  |. 334D E4        XOR ECX,DWORD PTR SS:[EBP-1C]
0042759F  |. 8B45 10        MOV EAX,DWORD PTR SS:[EBP+10]
004275A2  |. 8B50 08        MOV EDX,DWORD PTR DS:[EAX+8]
004275A5  |. 33D1          XOR EDX,ECX -> ES2 xored by VK5 = real ES2
