FlexLM Help

Ive read a lot of tutorials on it, but iam stuck in one part maybe somebody can read here and help:

Fixed using _l_sg() method, with calcseed.

-Peter

Still Wrong , anybody can help me with this ?

*edit 2*

now i have it working, i changed on a hunch license behavoir to 7.0, now should i assume all license in that format are 7.0 ? or is there a way i can tell how its being handled, thanks.

Quote:

Originally Posted by Peter[Pan]

Still Wrong , anybody can help me with this ?

*edit 2*

now i have it working, i changed on a hunch license behavoir to 7.0, now should i assume all license in that format are 7.0 ? or is there a way i can tell how its being handled, thanks.

Well atleast with Fluent that is the case, even i have observed.

up 7.0 ,the license mybe ok !!

I think there is a way to find the version of the license, by checking the disassembly, or real time trace for the lc_set_attr call.
The function is defined as:
lm_extern int API_ENTRY lc_set_attr lm_args((LM_HANDLE_PTR job, int key,
LM_A_VAL_TYPE value));
The second arg will indicate the license version, for example, in the tracing of the code:


00478026 |. 8B4424 34 MOV EAX,DWORD PTR SS:[ESP+34]
0047802A |. 6A 00 PUSH 0
0047802C |. 6A 4C PUSH 4C
0047802E |. 50 PUSH EAX
0047802F |. E8 BCBFFBFF CALL <_lc_set_attr>

You will find the second arg is 0x4c, and look back to the lm_attr.h, there is the following def, 76 is the 0x4c in Dec. :

#define LM_A_CKOUT_INSTALL_LIC 76 /* (int) true if BEH_V7+, else false */

So you must use behavior V7.

good luck.

[toro]

typedef struct vendorcode7 {
short type; /* Type of structure */
unsigned long data[2]; /* 64-bit code */
unsigned long keys[4];
short flexlm_version;
short flexlm_revision;
char flexlm_patch[2];
char behavior_ver[LM_MAX_BEH_VER + 1];
unsigned long crokeys[2];
int signs; /* number of entries in pubkeyinfo */
int strength;
int sign_level;
LM_VENDORCODE_PUBKEYINFO pubkeyinfo[LM_MAXSIGNS];
} VENDORCODE7, *VENDORCODE_PTR;

#define LM_BEHAVIOR_V2 "02.0"
#define LM_BEHAVIOR_V3 "03.0"
#define LM_BEHAVIOR_V4 "04.0"
#define LM_BEHAVIOR_V5 "05.0"
#define LM_BEHAVIOR_V5_1 "05.1"
#define LM_BEHAVIOR_V6 "06.0"
#define LM_BEHAVIOR_V7 "07.0"
#define LM_BEHAVIOR_V7_1 "07.1"
#define LM_BEHAVIOR_V8 "08.0"
#define LM_BEHAVIOR_V8_1 "08.1"
#define LM_BEHAVIOR_V8_2 "08.2"
#define LM_BEHAVIOR_V8_3 "08.3"
#define LM_BEHAVIOR_V9 "09.0"

the vendorcode struct is used by lc_init

outputs of 2 call to signed32 in l_string_key are seed1 and seed2.
after finding the flexversion and seeds you can use lmcryptgui to generate lmcrypt.


toro

peter, did you solve your problem.
if not, please describe more detail!

[toro]

hi szy111

for creation of lmcrypt with lmcryptgui you must supply vendorname, behaviour and 2 enc seed.
the l_string_key is a function that generate licensekey for every feature. you can trace it to see the proc of licensekey generation or the result of it and create license.
another way is grabing 2 seed from output of 2 signed32 call in l_string_key and create lmcrypt with lmcryptgui.


toro.

hi toro:
thanks for your replay. my question is :i can not set breakpoint at l_string_key in my target . why? what's signed32 ?

[toro]

hi szy111

depend on flexlm version and its behaviour there are more than one l_string_key. if your question is that you set breakpoint but programs not break, the answer is you must set breakpoint in every of them.

find your target flexlm version with lmtools then open target in olly and scan object file with lmgr.lib or lmgrd.lib and then set breakpoint on every l_string_key. in middle of everyl_string_key you will see 2 call to signed32.

toro.

sorry, my mean is that i can not find l_string_key breakpoint in my target, it report symbol not found !!!

my target is unix program , not win'program , so can not use olly .

[toro]

hi szy111

in windows if have not proper .lib, i serach this sequence of commands for l_string_key.

MOV DWORD PTR SS:[EBP-0B0],8
MOV DWORD PTR SS:[EBP-114],5
MOV DWORD PTR SS:[EBP-20],0A

toro

toro:
thank you very much . i am sorry i can not find l_string_key , i attach it , can you find where it is ?

[toro]

hi szy111

41a1f5
41ea7d
441478
451e08
4870c9
48024c

this is not test.exe. the vendor is "Hamp-Russ" !!!!!! please don't ask me to generate license for you!!!!.

toro

hi toro:
thank you again. i know the vendor name , but it is my first target for crack on win. so i rename it to test . i will set breakpoint at l_string_key , then trace in and watch the value at the adress where call 424410 , it maybe seeds. right? i got the value 00a1b3e8 and 00a19ee8 , it's wrong !!!