FlexLM Help

Acutually, the call to signed32 will depend on the behavior of the Flexlm. For example, if the crypt filter is used, the code will skip the call to signed32. They have improved the security in a way, and does not provide compatibility in this special case.
On the other hand, it is a better idea to recover the seed from the job structure, which envolves identify the call to l_sg and record the memory contents. There has been essay's and calc tools to make this very easy. Most important is all the behavior can be defeated in this way. Of course, we are not talking about the ECC.
If you have identified the l_string_key code, you will be able to found the license key information by just looking at the return point of this function. There will be a call to atox, which convert and format the license key in ASCII format, just check the return value in EAX, do a reference to the memory, and dump the key. It is automatically generated for you. There is a easy signature of the atox function, there is a long string 0123456789ABCDEF defined there. Do a search on the code, you will find it easily. Then you can trace back to the point for the key generation. There is no need to recovery seeds, no need to run license generation.

Guys thanks for the info, iam back to viewing flexlm apps, i did manage to solve my license problem and thanks iam now using the method for l_sg, at all my targets, however i found one target it doenst work for! maybe i maked a mistake, maybe not, anybody can view and see ?

i view the app:
*removed by request*

I got the following information:
Seed1: 38aa43fa
Seed2: 95845bd5
Vendor: Pxxxx

however, putting these into lmcryptgui, and resigning the license file, still results in -8 (Bad Auth)

Any ideas ?

Thanks.

[dirkmill]

@Peter[Pan]:
I just had a quick look at your target and it seems that your seeds are wrong!

I found this:
encseed[0]=6bxxxx58
encseed[1]=9cxxxx2e

You might want to recheck the byte-order of your calcseed-inputs

Dirk

gona view straight away! thnx

*edit*, yea it guess i was using Jobx04 ++, isnted of Jobx08++

anways i recorded the job, data and vendor name before, and after the call to n36buff

Code:

[BEFORE]
VENDOR: ASCII "Pxxxx"
Name: DATA                               JOB
0x00: 66 00 00 00                       04 00 00 00
0x04: 00 00 00 00                       15 BB F2 4E 
0x08: 00 00 00 00                       63 4C 08 B9 
0x0C: 00 00 00 00                       C0 D9 02 38
0x10: 00 00 00 00                       E5 B6 0F 2F
0x14: 00 00 00 00                       EA 9B 6F 06 
0x18: 00 00 00 00                       B0 7E 2A 4C 
0x1C: 00 00 00 00                       09 00 02 00

[AFTER]
VENDOR: ASCII "Pxxxx"
Name: DATA                               JOB
0x00: 66 00 00 00                       04 00 00 00 
0x04: 91 00 29 00                       74 35 99 6B 
0x08: 3F 99 86 2C                       02 C2 63 9C 
0x0C: 5E 3D 1C 00                       C0 D9 02 38 
0x10: 00 00 73 00                       E5 B6 0F 2F 
0x14: 00 00 00 00                       EA 9B 6F 06 
0x18: 00 00 00 00                       B0 7E 2A 4C 
0x1C: 00 00 00 00                       09 00 02 00

gives me:
data[0]: 00290091
data[1]: 2C86993F
Vendor: Pxxxx
job+0x08: 0x9C63C202
job+0x0c: 0x3802D9C0
job+0x10: 0x2F0FB6E5
XOR VAL: 0x2fc0d99c
Enc1: 0x2fe9d90d
Enc2: 0x034640a3

still doesnt match yours, maybe iam going wrong somewhere... :/

p.s thanks for the help its really appreciated

[dirkmill]

Ah, I see your mistake.
You're confusing job- and vendorcode-structure!
The vendor-struct is the block you marked JOB and vice-versa.

Your data is consistent with my encseeds

Dirk

omg *me dies* thanks man!, worked like a charm, what a silly mistake, my 1000 sorrys

JMI, if any of the previous posts need editing for something removing plz do! or just tell me and i will, sorry to waste peoples time

hehe another day, another problem

today i try to build lmcrypt for my own amusement, so i edit lm_code.h with:

(i got it from lmv8gen)

Code:

#define VENDOR_KEY1 0x6cfe8c94
#define VENDOR_KEY2 0x2d430502
#define VENDOR_KEY3 0xe64b1485
#define VENDOR_KEY4 0x04858ac0
#define VENDOR_KEY5 0x7a7420d1
#define CRO_KEY1 0x367306ef
#define CRO_KEY2 0x54c60c79
#define VENDOR_NAME "testabc"

now i go to C:\Program Files\FLEXlm\v9.2\i86_n3 in a dos promt and run:
"Build", i get the following:

Code:

Microsoft (R) Program Maintenance Utility   Version 6.00.9782.0
Copyright (C) Microsoft Corp 1988-1998. All rights reserved.
        lmrand1 -i ..\machind\lsvendor.c
        cl /c /nologo /c  /I..\machind /I. /MT  -I../h lmcode.c
lmcode.c
        LINK /nologo /NODEFAULTLIB /OPT:NOREF  /subsystem:CONSOLE lmnewgen.obj l
mcode.obj  lmgr.lib libcrvs.lib libsb.lib oldnames.lib kernel32.lib user32.lib n
etapi32.lib  advapi32.lib  gdi32.lib comdlg32.lib  comctl32.lib wsock32.lib libc
mt.lib /out:lmnewgen.exe
        if exist lm_new.c del lm_new.c
        lmnewgen.exe testabc -o lm_new.c
v8.1+ FLEXlm, non-CRO
lc_init failed: Invalid FLEXlm key data supplied
FLEXlm error:  -44,49
For further information, refer to the FLEXlm End User Manual,
available at "www.macrovision.com".
NMAKE : fatal error U1077: 'lmnewgen.exe' : return code '0x1'
Stop.

no matter how i change lm_code.h, i always get -44, anybody any ideas about this one ?, this is first time i use lmcrypt.c, i always have used lmcryptgui, thanks!