Exetools  

Go Back   Exetools > General > General Discussion
Reload this Page flexlm and VENDOR_KEY5
Register Forum Rules FAQ Calendar

Notices

Reply
Page 2 of 2 1 2
 
Thread Tools Display Modes
  #16  
Old 05-08-2007, 18:28
yalcm
 
Posts: n/a
Quote:
Now the thing i do not understand fully, is VENDOR_KEY5 generated out of
key1-4 and vendor? or how can i find that? thanks
yes, it is derived from key1-4. Its function is used to hide the encode seeds1-2 before version 7.0. But it is now (after version 7.0) useless. The new role is replaced by a dynamic derived number from vendor name, timer, salt,...etc. That dynamic number once before stored inside somewhere of the job structure. Now it moves into an extended area but still inside the job structure. To recover that encode seeds1-2, norland's tutor is still the best up to now. Go to Crackz site to search for it.

Keys1-4 and vendor name are used to derived an original plain key in which stores the keys expired date, supported functions enabled, supported hw-dongles types, and the keys1-4 integrity checksum.

crokeys1-2(trlkeys1-2) are only used for enabling TRL options and the integrity checksum of itself. It has nothing to do with the SIGNx generation.
Reply With Quote
  #17  
Old 02-08-2009, 21:34
arlequim's Avatar
arlequim arlequim is offline
IBMSecuritySystemsXForce
  
Join Date: Feb 2009
Location: Punta Entinas-Sabinar, ALMERIMAR
Posts: 295
Rept. Given: 52
Rept. Rcvd 317 Times in 104 Posts
Thanks Given: 46
Thanks Rcvd at 193 Times in 63 Posts
arlequim Reputation: 300-399 arlequim Reputation: 300-399 arlequim Reputation: 300-399 arlequim Reputation: 300-399
to get ES1 ES2 VK5 is really easy, you dont need any tools, just locate the l_sg() function where the seeds are uncovered

Code:
00417043  |. 8D8D 80FDFFFF  LEA ECX,DWORD PTR SS:[EBP-280]
00417049  |. 51             PUSH ECX                                 ; /Arg3
0041704A  |. 8B95 6CFDFFFF  MOV EDX,DWORD PTR SS:[EBP-294]           ; |
00417050  |. 81C2 0C030000  ADD EDX,30C                              ; |
00417056  |. 52             PUSH EDX                                 ; |Arg2
00417057  |. 8B85 6CFDFFFF  MOV EAX,DWORD PTR SS:[EBP-294]           ; |
0041705D  |. 50             PUSH EAX                                 ; |Arg1
0041705E  |. E8 27040100    CALL thinkflx.0042748A                   ;  <-- Call l_sg() \thinkflx.0042748A
00417063  |. 83C4 0C        ADD ESP,0C
00417066  |. 81BD 84FDFFFF >CMP DWORD PTR SS:[EBP-27C],87654321
00417070  |. 74 0C          JE SHORT thinkflx.0041707E
00417072  |. 81BD 88FDFFFF >CMP DWORD PTR SS:[EBP-278],12345678
after the call you can locate in [ebp-27c] and [ebp-278] ES1 and ES2, and inside the procedure the correct value of VK5
Reply With Quote
  #18  
Old 02-09-2009, 03:59
arlequim's Avatar
arlequim arlequim is offline
IBMSecuritySystemsXForce
  
Join Date: Feb 2009
Location: Punta Entinas-Sabinar, ALMERIMAR
Posts: 295
Rept. Given: 52
Rept. Rcvd 317 Times in 104 Posts
Thanks Given: 46
Thanks Rcvd at 193 Times in 63 Posts
arlequim Reputation: 300-399 arlequim Reputation: 300-399 arlequim Reputation: 300-399 arlequim Reputation: 300-399
Quote:
Originally Posted by swork3 View Post
hi, i searched around but i have not found an answer, i have an app useing
flexlm 9.x, i followed some tutorial and found VENDOR_KEY1-4 and vc.data[0]
and vc.data[1] (the time() and xor table thing) i got ENCRYPTION_SEED1 and 2,
i tested that 3 times - got the same seed1 and 2, so that is correct.
Now the thing i do not understand fully, is VENDOR_KEY5 generated out of
key1-4 and vendor? or how can i find that? thanks
You dont need any tools to find out ES1 ES2 and VK5. Just locate the l_sg() procedure as you can see here:

Code:
00417043  |. 8D8D 80FDFFFF  LEA ECX,DWORD PTR SS:[EBP-280]
00417049  |. 51             PUSH ECX                                 
0041704A  |. 8B95 6CFDFFFF  MOV EDX,DWORD PTR SS:[EBP-294]           
00417050  |. 81C2 0C030000  ADD EDX,30C                              
00417056  |. 52             PUSH EDX                                 
00417057  |. 8B85 6CFDFFFF  MOV EAX,DWORD PTR SS:[EBP-294]           
0041705D  |. 50             PUSH EAX                                 
0041705E  |. E8 27040100    CALL xxx.0042748A                   
00417063  |. 83C4 0C        ADD ESP,0C
00417066  |. 81BD 84FDFFFF >CMP DWORD PTR SS:[EBP-27C],87654321
00417070  |. 74 0C          JE SHORT xxx.0041707E
00417072  |. 81BD 88FDFFFF >CMP DWORD PTR SS:[EBP-278],12345678

inside 0042748A
...
00427563  |. 3355 F4        XOR EDX,DWORD PTR SS:[EBP-C]
00427566  |. 3355 E0        XOR EDX,DWORD PTR SS:[EBP-20]
00427569  |. 3355 E4        XOR EDX,DWORD PTR SS:[EBP-1C]
0042756C  |. 8B4D 10        MOV ECX,DWORD PTR SS:[EBP+10]
0042756F  |. 8B41 04        MOV EAX,DWORD PTR DS:[ECX+4]
00427572  |. 33C2           XOR EAX,EDX -> ES1 xored by VK5 = real ES1
...
00427596  |. 334D F4        XOR ECX,DWORD PTR SS:[EBP-C]
00427599  |. 334D E0        XOR ECX,DWORD PTR SS:[EBP-20]
0042759C  |. 334D E4        XOR ECX,DWORD PTR SS:[EBP-1C]
0042759F  |. 8B45 10        MOV EAX,DWORD PTR SS:[EBP+10]
004275A2  |. 8B50 08        MOV EDX,DWORD PTR DS:[EAX+8]
004275A5  |. 33D1           XOR EDX,ECX -> ES2 xored by VK5 = real ES2
Reply With Quote
Reply
Page 2 of 2 1 2

« Previous Thread | Next Thread »

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts
BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off

Similar Threads
Thread Thread Starter Forum Replies Last Post
SDK 11.x How to find Vendor_Name and Vendor_Key5 in application !! Gede General Discussion 25 09-02-2023 17:28
Flexlm 7.2 LIC file use on Flexlm 9.2 display error -73 ? hanzi General Discussion 9 07-05-2006 18:51


All times are GMT +8. The time now is 23:19.

Aaron's homepage - Top

Always Your Best Friend: Aaron, JMI, ahmadmansoor, ZeNiX, chessgod101
( Since 1998 )