#1
I'm working with Gede on this project.

I also came across the l_n36_buf function. It contains a lot of noise, calculating some constants... and then in between stuff like this:

```
Xref  Line  Column  Pseudocode line
r     1099  12      else if ( buf )
w     1230  6       buf[8] = 0;
w     1341  6       buf[7] = byte_10149020;
w     1354  6       buf[3] = 's';
w     1371  6       buf[2] = 'p';
w     1462  6       buf[4] = byte_10149120;
w     1747  6       buf[1] = 'i';
w     1772  6       buf[5] = byte_10148D7C;
w     1829  7       *buf = 'm';
w     1924  6       buf[6] = byte_10148DDC;
w     1991  6       buf[10] = byte_10148AFC;
w     2082  6       buf[9] = byte_10148B20;
```

What I also did was attach windbg to the binary, set breakpoints in the lmgr module with `bm lmgr11!*`, use `.dump /ma <to a file location>.dmp`, and then analyze this minidump in IDA Pro. The advantage is that it is easier to look at and annotate the values in the idb. For example, looking at the dotNet code using dotPeek, one of the classes handling the license has the vendorcode embedded:

```
debug097:07971788 CLicenseObj dd offset aNoSuchFeatureE ; dword0 ; "No such feature exists"
...
debug097:07971788 dd offset aLicense ; gap4
debug097:07971788 db 'tla altera',0,'DIR=C:\altera_lite\' ; field_8
debug097:07971788 db '2.00000000' ; version
debug097:07971788 db 0 ; field_30
debug097:07971788 db 73h ; field_31
debug097:07971788 dw 735Ch ; field_32
debug097:07971788 dd 7973F38h ; a_cIniNm
debug097:07971788 dd 0 ; conxtype
debug097:07971788 dd 2AB6D90h ; field_3C
; Vendor code struct starts here
debug097:07971788 dw 4 ; vendor_code.type
debug097:07971788 db 0, 0
debug097:07971788 dd 0FEFC2E17h, 0B7794E11h ; vendor_code.data
debug097:07971788 dd 0F793BF1Fh, 0F9633543h, 8E0FEF44h, 44F6D202h ; vendor_code.keys
debug097:07971788 dw 0Bh ; vendor_code.flexlm_version
debug097:07971788 dw 4 ; vendor_code.flexlm_revision
debug097:07971788 db 0, 0 ; vendor_code.flexlm_patch
debug097:07971788 db 31h, 31h, 2Eh, 30h, 0 ; vendor_code.behavior_ver
debug097:07971788 db 0
debug097:07971788 dd 0F63E683h, 0A22D254Ch ; vendor_code.trlkeys
debug097:07971788 dd 0 ; vendor_code.signs
debug097:07971788 dd 4 ; vendor_code.strength
debug097:07971788 dd 1 ; vendor_code.sign_level
debug097:07971788 dd 10h, 16h, 1Fh ; vendor_code.pubkeyinfo.pubkeysize
debug097:07971788 db 6Fh, 98h, 0F7h, 2Ch, 0ACh, 0E2h, 89h, 0E6h, 0F6h, 0Bh, 0Eh, 87h, 74h ; vendor_code.pubkeyinfo.pubkey
debug097:07971788 db 0C7h, 42h, 20h, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 ; vendor_code.pubkeyinfo.pubkey
debug097:07971788 db 0, 0, 0, 0, 0, 0, 6Fh, 98h, 0C4h, 8Ch, 0Ch, 0D8h, 42h, 5Fh, 2Ch, 0D9h ; vendor_code.pubkeyinfo.pubkey
debug097:07971788 db 19h, 0E9h, 34h, 60h, 0B7h, 10h, 73h, 0ECh, 0D3h, 52h, 37h, 34h, 0, 0 ; vendor_code.pubkeyinfo.pubkey
debug097:07971788 db 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 70h, 0E5h, 0C1h, 5Bh ; vendor_code.pubkeyinfo.pubkey
debug097:07971788 db 0ECh, 63h, 4Ch, 22h, 0Fh, 0A8h, 3Fh, 0F3h, 0D2h, 17h, 0D0h, 7Ah, 47h ; vendor_code.pubkeyinfo.pubkey
debug097:07971788 db 0Ah, 0CFh, 8, 85h, 31h, 89h, 8Dh, 98h, 62h, 0EFh, 3Dh, 88h, 0A0h, 9Bh ; vendor_code.pubkeyinfo.pubkey
debug097:07971788 db 0, 0, 0, 0, 0, 0, 0, 0, 0 ; vendor_code.pubkeyinfo.pubkey
debug097:07971788 dd offset pubkey_fptr ; vendor_code.pubkeyinfo.pubkey_fptr
[some zeroed out...]
debug097:07971788 dd offset my_lm_handle ; lm_handle_ptr_ptr
```

The lm_handle_ptr_ptr points to the lm_handle.

```
debug085:02AB6DA8 my_lm_handle dd 66h ; type
debug085:02AB6DA8 ; DATA XREF: debug085:my_lm_handle↓o
debug085:02AB6DA8 ; debug097:CLicenseObj↓o
debug085:02AB6DA8 dw 0Bh ; version.version.major
debug085:02AB6DA8 dw 4 ; version.version.minor
debug085:02AB6DA8 dw 0 ; version.subMinor
debug085:02AB6DA8 dw 0 ; version.patch
debug085:02AB6DA8 dd 0 ; version.build
debug085:02AB6DA8 dw 0 ; version.beta
debug085:02AB6DA8 db 0, 0 ; version.patchStr
debug085:02AB6DA8 db 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 ; version.verString
debug085:02AB6DA8 db 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 ; version.verString
debug085:02AB6DA8 db 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 ; version.verString
debug085:02AB6DA8 db 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 ; version.verString
debug085:02AB6DA8 db 0, 0, 0, 0, 0, 0, 0, 0 ; version.verString
debug085:02AB6DA8 dd offset my_lm_handle ; first_job
debug085:02AB6DA8 dd 0 ; next
debug085:02AB6DA8 dd 0FFFFFFFBh ; err_info.maj_errno
debug085:02AB6DA8 dd 165h ; err_info.min_errno
debug085:02AB6DA8 dd 0 ; err_info.sys_errno
debug085:02AB6DA8 dd 0 ; err_info.act_errno
debug085:02AB6DA8 dd 0 ; err_info.lic_files
debug085:02AB6DA8 db 'tla',0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0 ; err_info.feature
debug085:02AB6DA8 db 0
debug085:02AB6DA8 dd 0 ; err_info.context
debug085:02AB6DA8 dd 0 ; err_info.short_err_descr
debug085:02AB6DA8 dd 0 ; err_info.long_err_descr
debug085:02AB6DA8 dd offset unk_5B4DE0 ; err_info.sys_err_descr
debug085:02AB6DA8 dd 0 ; err_info.errstring
debug085:02AB6DA8 dd 0 ; err_info.warn
debug085:02AB6DA8 dw 0FFh ; err_info.mask
debug085:02AB6DA8 db 0 ; err_info.flags
debug085:02AB6DA8 db 0
debug085:02AB6DA8 dd offset my_lm_handle.internalData ; daemon
debug085:02AB6DA8 dd offset off_2AB6FA8 ; options
debug085:02AB6DA8 dd 0 ; redirect
debug085:02AB6DA8 dd offset stru_14374A50 ; line
debug085:02AB6DA8 dd 0 ; packages
debug085:02AB6DA8 dd offset off_7971AE0 ; lic_files
debug085:02AB6DA8 dd 0 ; lfptr
debug085:02AB6DA8 dd 1 ; lm_numlf
debug085:02AB6DA8 dd offset off_143741E0 ; license_file_pointers
debug085:02AB6DA8 dd offset aJIdaTlaFpgavie ; lic_file_strings
debug085:02AB6DA8 db 'mips',0,0,0,0,0,0,0 ; vendor
debug085:02AB6DA8 db 0,0,0,0,0,0,0,0,0,0,0 ; alt_vendor
debug085:02AB6DA8 db 0, 0
debug085:02AB6DA8 dd 0 ; conf
```

It seems to me that a license key should look something like this:

```
FEATURE tla mips 2.000 etc.
FEATURE altera mips 2.000 etc.
FEATURE xilinx mips 2.000 etc.
```

The problem, however, is that in the SDK 11.14 the size of the lm_handle is 0x1B0, while in the actual code 0x1A0 is allocated. This means that for the LM_INTERNAL part, 11.14 is slightly larger than the 11.4 SDK. If anyone has the 11.4 SDK, please let me know where to find it... or at least the header files in machind. I got to tell you, this is fun!
The Following User Says Thank You to avics For This Useful Post: Gede (08-04-2022)
#2
@FoxB
Hi, I found an old link to SDK 11.4, but the link is dead. HTML Code:

```
FLEXLM SDK 11.4
Empty Re: FLEXLM SDK 11.4
Post by BfoX Sun Sep 29, 2019 11:16 am
11.9 multiplatform
_https://mega.nz/#F!uAo30QxK!_pkpl9akGpXV-vfTA54LkA
-------------------------------------------
For Cooking one needs ingredients.
```