View Full Version : Flexlm and encryption seeds

March 27th, 2008, 13:42

I have a target protected with Flexlm 7.2i + four Sentinel LPT Dongle (flexID6) and license file. I haven't dissassembly experience with IDA but I try to do that with CrackZ and Nolan Blender tutorials. But without any success.
I read about flexlm and try generate license with HOSTID=ANY. Orginal license is "permanent uncounted HOSTID=FLEXID=6-1234abcd"
I know all lic features, VendorID so I can generate Vendor Keys using keygen. But I need also encryption seeds to put everythiung into 'lm_code.h' from FlexSDK and generate license. I also try to find encryption seeds with Ollydbg and Haldir Flexlm 7.2 script but Ollydbg generated error and close. Several times I analyze above mentioned tutorials. Loaded program in IDA apply flexlm signatures and finally I can't find l_sg function. Maybe there are some easier way to find this seeds with orginal dongle and license file.

License has old style:
FEATURE feat vendor_daemon 1.0 permanent uncounted 123456789012 VENDOR_STRING=AABBCCDD HOSTID=FLEXID=6-abcd1234

there are no SIGN, CRO keys so no ECC patching is needed. I also try to emulate dongle using edge solver and Sentinel Emulator 2007. Unfortunately under this emu I can only load 1 dng file. I need to load all 4 .dng files and emulate in the same time.

I'm confiused. Are there any solution for this problem, any suggestion are welcome.

Thanks in advance for any help.



March 27th, 2008, 17:42

Quick potential solutions regarding seed recovery.

i). Do you have the vendor daemon?. It won't care about whether there is a FLEXID present in the license file so would be a good place to dig them out of without playing with dongle emulators etc, etc.

ii). I'm surprised the license file you are using with the application cares much about the FLEXID string either, however I'm not ruling it out completely as a possibility.

Your problem however might actually be that you just can't dig the seeds out *period*. The tutorials out there are pretty clear on how to do this, you might just need to go back over them.



March 28th, 2008, 01:58
As always CrackZ - is spot on -

With a target that old you are wasting your time worrying about the FLEXID Dongle, most from that era will accept either HOSTID=ANY or will accept the hard drive serial number, (I can't remember the exact syntax but that is easily researchable).


March 28th, 2008, 03:52

This is simply license as example bellow:

FEATURE feat1 dmn 2003 01-jan-0000 uncounted 123456789012 VENDOR_STRING=vendor HOSTID=FLEXID=6-a6300001
FEATURE feat2 dmn 2003 01-jan-0000 uncounted 123456789013 VENDOR_STRING=vendor HOSTID=FLEXID=6-a6300002
FEATURE feat3 dmn 2003 01-jan-0000 uncounted 123456789014 VENDOR_STRING=vendor HOSTID=FLEXID=6-a6300003
FEATURE feat4 dmn 2003 01-jan-0000 uncounted 123456789015 VENDOR_STRING=vendor HOSTID=FLEXID=6-a6300004
FEATURE feat5 dmn 2003 01-jan-0000 uncounted 123456789016 VENDOR_STRING=vendor HOSTID=FLEXID=6-a6300001

only such a lines is inside. Total 16 lines. I think that should be possible to generate license locked to one flexID or to HOSTID=ANY. This is an old soft from 2001 or 2002 year. I try to do that with tutorial about "Imaris Bitplane v4.0.3" license is this same. But till now no luck. Maybe try to search for 3D4DA1D6h pattern?


You are right. Because this is flexlm and old one 7.2. No patching is needed for application and should be working with other hostid. ANY is the best solution. I install FlexlmSDK 7.2 and after put values to 'lm_code.h' file I can generate license witch exactly the same syntax like orginal one. The only problem is with encryption seeds that I insert wrong.


March 28th, 2008, 05:17

This is l_sg from v7.2i, taken straight out of lmgr.lib.

.text:00003378 push ebp
.text:00003379 mov ebp, esp
.text:0000337B sub esp, 30h
.text:0000337E mov [ebp+var_10], 7648B98Eh
.text:00003385 mov [ebp+var_14], 3
.text:0000338C mov eax, [ebp+arg_0]
.text:0000338F mov ecx, [eax+6Ch]
.text:00003392 mov edx, [ecx+1D4h]
.text:00003398 and edx, 8000h
.text:0000339E test edx, edx
.text:000033A0 jz short loc_33C5
.text:000033A2 cmp dword ptr ds:_l_n36_buff, 0
.text:000033A9 jz short loc_33C5
.text:000033AB mov eax, [ebp+arg_8]
.text:000033AE push eax
.text:000033AF mov ecx, [ebp+arg_4]
.text:000033B2 push ecx
.text:000033B3 mov edx, [ebp+arg_0]
.text:000033B6 push edx
.text:000033B7 call dword ptr ds:_l_n36_buff
.text:000033BD add esp, 0Ch
.text:000033C0 jmp loc_34D8

Searching for that 7648B98Eh constant in a hex editor ought to be easy enough to find you this code. Then you can use the existing tutorials to recover the seeds.

If you have any further difficulties privmsg me the vendor name (I've got about 600 vendors in my archives) and I'll see if I can help.



March 28th, 2008, 21:06

Seeds are 0x0000ab93 & 0x000045bc.

Nothing else to see here, its vanilla FLEXlm.

Close the thread ;-).