10-17-2006, 18:19
souz
Problem with seeds (FLEXnet v10.8.0.1)

Hi!
I have a problem finding the seeds for a program protected with this version of FLEXnet.

Having a pack of 5 daemons, I found that one of them is protected with
FLEXnet Licensing v10.8.0.1 build 18846.

So, for the other 4 daemons I successfully calculated all necessary data and seed.
For this one:
The vendor keys do not match those calculated with vkey10.exe (from CrackZ's site).

Code:
.text:0054949F                 jz      short loc_5494DB
.text:005494A1                 mov     edx, [ebp+arg_8]; vendor struct
.text:005494A4                 push    edx
.text:005494A5                 mov     eax, [ebp+arg_4]; vendor name
.text:005494A8                 push    eax
.text:005494A9                 mov     ecx, [ebp+arg_0];empty before (AND after call at .005494CD..)

;what's this???
.text:005494AC                 mov     edx, [ecx+198h]
.text:005494B2                 mov     eax, [edx+1CDCh]
.text:005494B8                 add     eax, 528h
.text:005494BD                 push    eax
.text:005494BE                 mov     ecx, [ebp+arg_0]
.text:005494C1                 mov     edx, [ecx+198h]
.text:005494C7                 mov     eax, [edx+1CDCh]

;seems this is a decrypting routine
.text:005494CD                 call    dword ptr [eax+524h]
.text:005494D3                 add     esp, 0Ch
.text:005494D6                 jmp     loc_5495EE

Has anyone tried to find the seeds in Flex 10.8?

The license has this format: (NO sign1 or sign2)
SERVER myhost ANY
VENDOR mydaemon mydaemon
INCREMENT MY_FEATURE my daemon 2005.00 31-dec-2006 1 \
xxxxxxxxxxxxxxxxxxxx VENDOR_STRING=xxxx SS \
ISSUED=01-jan-2006 ck=200 SN=CC:1111-1:111111 \
START=01-jan-2006

xxxxxxxxxxxxxxxxxxxx - signature as in normal license file.

************************ ADD ***************************
Finally, I derived the seeds; simply a small shift of the stack parameters:
.text:005494A9 mov ecx, [ebp+arg_0];
.text:005494AC mov edx, [ecx+198h]
.text:005494B2 mov eax, [edx+1CDCh]
.text:005494B8 add eax, 528h

and now eax points to the job[] structure, as it was in versions 7.x..9.x.

The second question is:
Can lmcryptgui be used for making the lmcryptxxxx for versions >9.x?
It seems that using the behaviour 10.0 and 10.8 I got incorrect results.

I checked the seeds by calculating them again and again, and as a result they are identical at all stages, so it seems they are correct.

Any ideas?
Please, can anyone build the lmcrypt based on my seeds and vendor name, for version 10.0 (FLEXnet 10.8.0.1)?

Thanks!

Last edited by souz; 10-17-2006 at 23:18.