Aldec HDL cracking ... Flexlm ... need some pointers ....


sailor
December 11th, 2000, 01:36
Hi,

I've been trying to crack Aldec HDL. It uses flexlm. I've read all the tutorials about flexlm cracking, and what's different about Aldec HDL is that the flexlm routines are not used from the flexlm dll but rather are compiled into one of the target application's dlls. I can identify 2 functions that seem similar to the functions in the flexlm dll (i.e. lc_init and lc_checkout); however, they seem to have different arguments and I'm not sure if they work similarly.

I would ideally like to be able to extract the encryption keys so that I can make my own licenses, but I've heard that globetrotter has made the encryption keys a little more difficult to extract in newer versions of flexlm. Incidentally, Aldec HDL 4.1 uses flexlm version 7.0d.

I've been using wdasm 8.93, but it's really not helpful in single-stepping mode as it just crashes after a little while. I would really like to use ida pro 4.14 but I can't seem to lay my hands on it. The flirt function recognition would really be handy.

I need pointers on how to proceed with this, and help from anybody who has experience cracking flexlm would be invaluable. Please icq me 1979151.

Sailor

Nolan Blender
December 11th, 2000, 13:55
Read the essays on Tsehp's site, most notably Dan's essay
to get the seeds out - this one checks the vendor string,
so if you want to get a full license out of it, you're in
for a fair amount of work.

sailor
December 12th, 2000, 01:17
I read that essay, and my problem is that my target does not call lc_init() or any of the other calls in lmgr3xx.dll. I may be grossly missing something, but I'm at a dead end. The target has a dll that has a few similarly named function calls (most notably ahdl_init() and ahdl_checkout()), but I can't find too much similarity between these functions and those in lmgr3xx.dll.

Any more pointers ?

Thanks in advance,

Sailor


Quote:
Nolan Blender (12-11-2000 02:55):
Read the essays on Tsehp's site, most notably Dan's essay
to get the seeds out - this one checks the vendor string,
so if you want to get a full license out of it, you're in
for a fair amount of work.

Nolan Blender
December 12th, 2000, 09:23
Quote:
sailor (12-11-2000 14:17):
I read that essay, and my problem is that my target does not call lc_init() or any of the other calls in lmgr3xx.dll. I may be grossly missing something, but I'm at a dead end. The target has a dll that has a few similarly named function calls (most notably ahdl_init() and ahdl_checkout())


The code could be in one of the dll's too.
If you use lmutil:

lmutil lmver filename

It will tell you which library has flexlm
stuff in it.

CrackZ
December 12th, 2000, 18:15
Hiya,

My first post on this godforsaken messageboard (damn inconvenient as it is to use), anyhow, this probably won't help you much but I've cracked a fair few versions of Aldec from v3.5 up to the neverending minor builds of 4.x.

I've personally always tended to go after the Sentinel protection; there's a diagnostic program included, and spront.dll is used as the basis (spro.. I'm sure you see it in the name ;-) ). Oh yes, there are also integrity checks on 7 of the files too ;p.

Regards (thanks for even reading this probably useless reply).

CrackZ.

sailor
December 12th, 2000, 18:19
Quote:
Nolan Blender (12-11-2000 22:23):
Quote:
sailor (12-11-2000 14:17):
I read that essay, and my problem is that my target does not call lc_init() or any of the other calls in lmgr3xx.dll. I may be grossly missing something, but I'm at a dead end. The target has a dll that has a few similarly named function calls (most notably ahdl_init() and ahdl_checkout())


The code could be in one of the dll's too.
If you use lmutil:

lmutil lmver filename

It will tell you which library has flexlm
stuff in it.


The code is in a dll, and I've identified the dll.
If you disassemble the dll, it still does not have the lc_init() or lc_checkout() functions as given in the flexlm manual.
If possible, I would like to email the dll for you to examine, depending on your schedule.

I sincerely appreciate your help.

Sailor

sailor
December 12th, 2000, 18:27
Quote:
CrackZ (12-12-2000 07:15):
Hiya,

My first post on this godforsaken messageboard (damn inconvenient as it is to use), anyhow, this probably won't help you much but I've cracked a fair few versions of Aldec from v3.5 up to the neverending minor builds of 4.x.

I've personally always tended to go after the Sentinel protection; there's a diagnostic program included, and spront.dll is used as the basis (spro.. I'm sure you see it in the name ;-) ). Oh yes, there are also integrity checks on 7 of the files too ;p.

Regards (thanks for even reading this probably useless reply).

CrackZ.


Hi CrackZ,

First of all, I would like to thank you, as you've provided me with a wealth of information on your reverse engineering page. In fact, almost all the information I have on flexlm is from your page.

There is indeed a file called spront.dll and, like you mentioned, it is indeed used in managing the sentinel keys.

Like I've mentioned in my previous posts, I've identified the dll in the target that contains the routines for checking the license file. However, I can't seem to connect the functions mentioned in the flexlm manual with the functions that are present in the aldec dll.
Also, AldecHDL does not seem to follow any of the methods given in the flexlm manual (trivial or simple api).

Any help will be sincerely appreciated.

Sailor

Nolan Blender
December 12th, 2000, 22:10
Look for lc_new_job(). Probably Crackz' approach is
better - I had always previously attacked the
FLEXlm part because I was more familiar with that, but
the Sentinel approach would probably be more straightforward now
that they've added some encryption crud to the
FLEXlm permanent licenses.

--nb.

goatass
December 13th, 2000, 09:24
Hi guys, I cracked the latest version of Aldec HDL, which was a download from the web. That version DID NOT use either FlexLM or sspro, even though it seemed like it did. There were only a couple of small checks for a license, but it was a registry key if I remember correctly. Try using FileMon to see if the program tries to access the License.dat file or any file resembling a license file. My version didn't; if I created the License.dat file there was no change. Usually with FlexLM you will get a different error message if something in the license file is wrong, as opposed to the entire file not being there.
It wasn't very hard to crack. I can't remember any RVAs to point you to, sorry.

goatass

sailor
December 14th, 2000, 00:05
Quote:
goatass (12-12-2000 22:24):
Hi guys, I cracked the latest version of Aldec HDL, which was a download from the web. That version DID NOT use either FlexLM or sspro, even though it seemed like it did. There were only a couple of small checks for a license, but it was a registry key if I remember correctly. Try using FileMon to see if the program tries to access the License.dat file or any file resembling a license file. My version didn't; if I created the License.dat file there was no change. Usually with FlexLM you will get a different error message if something in the license file is wrong, as opposed to the entire file not being there.
It wasn't very hard to crack. I can't remember any RVAs to point you to, sorry.

goatass



Yeah, the web version does not really access the license file, and you are probably right about a registry key.
But in order to make it recognize a license, aldec sent me a little proggie. I can forward you that if you are interested.
If you requested the CD version, it checks for license files by default.

thanks for your help,

Sailor

sailor
December 14th, 2000, 00:07
Quote:
Nolan Blender (12-12-2000 11:10):
Look for lc_new_job(). Probably Crackz' approach is
better - I had always previously attacked the
FLEXlm part because I was more familiar with that, but
the Sentinel approach would probably be more straightforward now
that they've added some encryption crud to the
FLEXlm permanent licenses.

--nb.


I tried that approach, but I really didn't pursue it as I wasn't all too familiar with the sentinel licensing system.
Anyway, I downloaded flair from the link you posted, and I'm interested in seeing if I can indeed view any of the routines in the target dll.

Thanks again,

Sailor