
Help on FlexLM 11.9.1 integrated in .dll, finding seeds


Freakster235
October 13th, 2013, 17:35
Hello Community,

I am trying to generate a license for an application that is protected with FlexLM 11.9.1; the FlexLM protection is implemented in a .dll file.
It is a node-locked license; I have a working demo license for the application.

I found a nice PDF about FlexLM encryption seed recovery, but I am stuck at finding the seeds.
I loaded the licenser.dll into OllyDbg and found the constant "6F7330B8" for _l_sg, and then I tried to find
the call into the _l_n36 buff function, but I had no luck with that; I did not find an FF 90 call like the one mentioned in the PDF.
There are only two calls in the _l_sg function in this .dll, so I put a breakpoint on both calls and tried to start debugging,
but OllyDbg terminates the debugging of the dll way before I reach the breakpoints.

How can I debug for seeds when the FlexLM routines are integrated into a .dll?

I have already read a lot of threads about FlexLM license generation, and I think I know that I have to patch the .dll to accept old-style license
files (ECC patch); is that right?


If the software is needed, I can send a name and download link via PM.

Thank you all for your help.

Freakster

FoxB
October 14th, 2013, 06:41
Just tell us the daemon vendor name.

Freakster235
October 14th, 2013, 12:23
The daemon vendor name is "KNX".

Thanks!

istigatore
October 27th, 2013, 13:47
Freakster235, if the program uses the ECC protection and long SIGN, you need to patch the dll.
If not, you can patch the license checkout without wasting time fishing the seeds, to use the program without a license. It is not hard; you only need to find the right hole.

Freakster235
October 28th, 2013, 07:19
Quote:
[Originally Posted by istigatore;95622]Freakster235, if the program uses the ECC protection and long SIGN, you need to patch the dll.
If not, you can patch the license checkout without wasting time fishing the seeds, to use the program without a license. It is not hard; you only need to find the right hole.


Hello istigatore,

There are a couple more problems, I think. If I patch the dll with the generic ECC patcher, which works perfectly, the program won't run anymore.
I found out that the program is developed with the .NET Framework and uses the "Strong Name" feature for all components, so if I patch the dll, the executable
will not accept the dll anymore.
So I deactivated the Strong Name feature with the .NET SDK, but there is also a signature check feature implemented in the executable, and I have no clue
how to reverse the executable to remove the license checking or the internal signature check.

Thanks

istigatore
October 28th, 2013, 11:02
Freakster235, the "Strong Name" feature can easily be defeated by patching the mscoree dll,
and maybe the "Signature check" feature is an integrity check. You need to debug the exe/dll inside a .NET debugger. Try Reflector.

Freakster235
October 28th, 2013, 16:37
Quote:
[Originally Posted by istigatore;95632]Freakster235, the "Strong Name" feature can easily be defeated by patching the mscoree dll,
and maybe the "Signature check" feature is an integrity check. You need to debug the exe/dll inside a .NET debugger. Try Reflector.


Hello istigatore,

Thanks for your advice about the .NET debugger. I have downloaded and tried Reflector; I thought I found the checksums in the executable, but it seems that I was wrong.
I think I have way too little experience with debugging to get this stuff working.

But the other thing, for my understanding, is: I have patched the dll, but do I still need the seed and vendor name to generate a working license without SIGN, or not?

Thanks!

istigatore
October 30th, 2013, 10:40
If you have patched the ECC protection inside the dll, you only need to make a fake crypter with fake seeds.
If the program does not use ECC, you need to recover the seeds to make a fully working license (or patch the checkout to use the program without a license).
If the program uses ECC, you can patch the 2 flags (in some programs/FlexLM versions there is only 1) to force the program to use the standard SIGN; in this case you need to recover the seeds.
I suggest you study the FlexLM protection to find the holes. Studying the FlexLM SDK is a good approach; also some articles on the web are very good to learn from.
Good luck.

Freakster235
November 6th, 2013, 17:02
Hi istigatore,

I am not sure that I understand the thing with the fake license. I have patched the dll with the generic ECC patcher. What information do I need for a fake license, the vendor?
But you talk about two different ways: to patch the ECC function or the flags.
I tried to disassemble the .dll with IDA Pro, but I cannot find the needed FlexLM functions. I also tried to load the FLIRT signatures into IDA Pro, with no success.
There are different tutorials for FlexLM and holes in the protection, but I did not find any tutorial for newer FlexLM versions.

Thanks!