NEW '_time' obfuscation area in FLEXlm v10


roli_bark
01-17-2008, 08:46 AM
From playing around with the FLEXlm v10.8 target lately, I just want to let you old FLEXlm hackers know that a NEW memory area is used as the _time obfuscation area in newer FLEXlm versions.

To get clear SEEDS revealed, as opposed to the OLD Job Structure area [ where you'd clear 4 random dwords generated by multiple _time calls in "l_n36_buff" ], the new area is noted in "_l_sg" like so:

-----------------------------

.text:00417F35 _l_sg proc near
.text:00417F35 push ebp
.text:00417F36 mov ebp, esp
.text:00417F38 sub esp, 24h
.text:00417F3B mov [ebp+var_14], 0
.text:00417F3F xor eax, eax
.text:00417F41 mov [ebp+var_13], ax
.text:00417F45 mov [ebp+var_11], al
.text:00417F48 mov [ebp+var_C], 6F7330B8h
.text:00417F4F mov [ebp+var_4], 0
.text:00417F56 mov [ebp+var_8], 0
.text:00417F5D mov [ebp+var_10], 3
.text:00417F64 push 1000h
.text:00417F69 mov ecx, [ebp+arg_0]
.text:00417F6C push ecx
.text:00417F6D call sub_42CF2D
.text:00417F72 add esp, 8
.text:00417F75 test eax, eax
.text:00417F77 jz short loc_417FCB
.text:00417F79 mov edx, [ebp+arg_0]
.text:00417F7C mov eax, [edx+198h]
.text:00417F82 mov ecx, [eax+1CDCh]
.text:00417F88 cmp dword ptr [ecx+524h], 0
.text:00417F8F jz short loc_417FCB
.text:00417F91 mov edx, [ebp+arg_8] <--- arg_2 - PTR to vendor structure
.text:00417F94 push edx
.text:00417F95 mov eax, [ebp+arg_4] <--- arg_1 - PTR to vendor name (Id.)
.text:00417F98 push eax
.text:00417F99 mov ecx, [ebp+arg_0] <--- PTR to legacy job structure
.text:00417F9C mov edx, [ecx+198h]
.text:00417FA2 mov eax, [edx+1CDCh]
.text:00417FA8 add eax, 528h
.text:00417FAD push eax <--- arg_0 - PTR to NEW _time obfuscation area
.text:00417FAE mov ecx, [ebp+arg_0]
.text:00417FB1 mov edx, [ecx+198h]
.text:00417FB7 mov eax, [edx+1CDCh]
.text:00417FBD call dword ptr [eax+524h] <- call _user_l_sg (l_n36_buff)
.text:00417FC3 add esp, 0Ch
.text:00417FC6 jmp loc_4180DE

-----------------------------------

In order to get clear de-obfuscated SEEDs, in _user_l_sg, just before the Order/Unique XORs, clear the 3 _time rand dwords at offsets .+0x8, .+0xC, .+0x10 @ the arg_0 PTR (new obfuscation area). Then, just as before, break on RETN to get the clear seeds [from the vendorcode struct .+0x4 & .+0x8] ...

Of course, all the above is ONLY relevant with non-ECC targets ...

dELTA
01-17-2008, 12:42 PM
Thanks for the info.

JMI
01-17-2008, 01:12 PM
There is a large audience out there always searching for new information on FLEXlm subjects.

Regards,

roli_bark
01-17-2008, 01:17 PM
You're welcome. However, since the ECC introduction, FLEXlm reversal has become a less & less popular subject.

JMI
01-17-2008, 01:34 PM
That would most likely be because "many" of those who were "reversing" FLEXlm were most frequently just using "cookie-cutter" tools which others had designed and implemented, without much real understanding of what was occurring behind the scenes or how it worked, or what they were actually doing.

Now that it might take some actual "work" or be more difficult, those folks tend to move on to "easier" subjects and targets with other ready-made "tools."

Real Reversers are always interested in "new" information, even if they only collect and read it and might not actually attempt to implement the information in an actual reversing project. Learning new things and/or expanding one's knowledge base is very useful to keep the brain functioning on an effective level for the rest of life.

Regards,

CrackZ
01-22-2008, 07:07 PM
Ran into this quite a while back; however kudos to roli_bark for posting this method.

I found the seeds slightly differently, using memory breakpoints (since the method of license construction obviously remains the same). As an aside, even though Macrovision have now obfuscated all non-essential link names, you can still get a lot of recognition from the last unobfuscated lmgr.lib (FLEXlm v9.5).

Regards

CrackZ.

dELTA
01-23-2008, 01:38 PM
Quote:
As an aside, even though Macrovision have now obfuscated all non-essential link names you can still get a lot of recognition from the last unobfuscated lmgr.lib (FLEXlm v9.5).
And if you have some good ready-made IDA signatures for that, you are of course very welcome to upload them to the already quite nice collection of dongle signatures in the CRCETL, at:

http://www.woodmann.com/collaborative/tools/index.php/Category:Dongle_IDA_Signatures


JMI
01-23-2008, 01:40 PM
I added a space to the link so that it wouldn't have a smilie face in the middle because of the ":" next to the "D" which produced a !

Regards,

dELTA
01-23-2008, 01:48 PM
Actually, I fixed the link (simply by activating the "Disable smilies in text" post option, which would rather be the more appropriate way of doing it, since it keeps the link going to the right place ) apparently right before you did that, so I've now restored it to working order again. Thanks for your concern as ever though.

JMI
01-23-2008, 02:34 PM
True! That's probably the "more correct way."

But even with the added space in the link, it still defaulted to the "correct" listing, if one wanted to have both a link with an ":" followed immediately by a "D" and still have other smilies in the post.

But I realize the CRCETL is "your baby" and you want everything about it to be "perfect."
Which is, of course, not a "bad" thing to want.

Regards,