  #17  
02-08-2009, 21:34
arlequim is offline
IBMSecuritySystemsXForce
 
Join Date: Feb 2009
Location: Punta Entinas-Sabinar, ALMERIMAR
Posts: 295
Rept. Given: 52
Rept. Rcvd 317 Times in 104 Posts
Thanks Given: 46
Thanks Rcvd at 193 Times in 63 Posts
To get ES1, ES2 and VK5 is really easy; you don't need any tools, just locate the l_sg() function where the seeds are uncovered.

Code:
00417043  |. 8D8D 80FDFFFF  LEA ECX,DWORD PTR SS:[EBP-280]
00417049  |. 51             PUSH ECX                                 ; /Arg3
0041704A  |. 8B95 6CFDFFFF  MOV EDX,DWORD PTR SS:[EBP-294]           ; |
00417050  |. 81C2 0C030000  ADD EDX,30C                              ; |
00417056  |. 52             PUSH EDX                                 ; |Arg2
00417057  |. 8B85 6CFDFFFF  MOV EAX,DWORD PTR SS:[EBP-294]           ; |
0041705D  |. 50             PUSH EAX                                 ; |Arg1
0041705E  |. E8 27040100    CALL thinkflx.0042748A                   ;  <-- Call l_sg() \thinkflx.0042748A
00417063  |. 83C4 0C        ADD ESP,0C
00417066  |. 81BD 84FDFFFF >CMP DWORD PTR SS:[EBP-27C],87654321
00417070  |. 74 0C          JE SHORT thinkflx.0041707E
00417072  |. 81BD 88FDFFFF >CMP DWORD PTR SS:[EBP-278],12345678
After the call you can locate ES1 and ES2 in [ebp-27c] and [ebp-278], and inside the procedure the correct value of VK5.