flexlm


pdz
January 16th, 2002, 14:19
Hello

I read "Zendenc FLEXLM 7.2 cracking information"

and I am trying to find the seeds.

On my computer, with dd ESP, I find
006DCE10 - ptr to job structure
0080118C - ptr to vendor name
00801040 - ptr to vendorcode structure


Nolan Blenderd got this information:
vendorcode+4 which is data[0] : DCE0A0A2
vendorcode+8 which is data[1] : FC58117B
job+8 : D3B4B0C2
job+c : 81042659
job+10 : D493C07C

With the Vendorcode 00801040+4=E0AAA4A0
00801040+4=C0121579

but for the Job; 006DCE10+8=00000000
+c=00000000
+10=00000000
Please, could you explain to me where my error is?
My OS is Win98

CrackZ
January 16th, 2002, 16:14
Hiya,

There's a pretty easy answer to this question.

Before the call to the lm_new() routine, take a note of the pointer to the vendor code structure and the pointer to the job structure, then trace *directly* over the call to the lm_new() routine and get the values from the structures then; the lm_new() routine will populate the empty job structure and randomize the 2 seeds in the vendor code structure.

Plug these values into calcseed.exe and you'll be able to derive the correct seeds ;-).

By way of definition, lm_new() is the function in l_sg() that performs the gronking of the seeds and job structure using the system time; you can isolate it easily in IDA by looking for lots of references to _time(), all described in the Zendenc essay anyway ;-).

Regards

CrackZ.
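The "lots of references to _time()" hint above can be mechanised. The following is an added example (it is not code from this thread, from FLEXlm or from the Zendenc essay) that ranks functions in an IDA database by how many code references they make to the time() import and reports the heaviest caller as the lm_new() candidate. The symbol names tried (`_time`, `__imp__time`, `time`) and the constructed sample xref list with its sub_XXXXXX names and addresses are assumptions for illustration; the ranking itself is plain Python so it can be run outside IDA on that sample.

```python
"""Rank functions by how many calls they make to time(), to locate lm_new().

Added example, not code from the original thread or from FLEXlm.
The collector needs IDAPython (idautils/idc/ida_funcs); the ranking is pure
Python so it can be exercised on constructed data outside IDA.
"""
from collections import Counter


def rank_callers(xrefs):
    """xrefs: iterable of (caller_name, call_site_ea) pairs, one per code
    reference to the target symbol.  Returns [(caller_name, count), ...]
    sorted by descending count, then by name for stable output."""
    counts = Counter(name for name, _ in xrefs)
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


def likely_lm_new(xrefs, min_calls=3):
    """Name of the heaviest caller if it makes at least `min_calls`
    references to time(); None if nothing stands out."""
    ranked = rank_callers(xrefs)
    if ranked and ranked[0][1] >= min_calls:
        return ranked[0][0]
    return None


def collect_time_xrefs(symbols=("_time", "__imp__time", "time")):
    """Inside IDA only: gather (caller_name, ea) for every code reference to
    the first of `symbols` that resolves.  The symbol names are assumptions;
    the import may be named differently in a given vendor daemon."""
    import idautils, idc, ida_funcs, ida_idaapi  # only available under IDA
    for sym in symbols:
        target = idc.get_name_ea_simple(sym)
        if target != ida_idaapi.BADADDR:
            break
    else:
        raise LookupError("no time() symbol found among %r" % (symbols,))
    xrefs = []
    for ea in idautils.CodeRefsTo(target, 1):
        f = ida_funcs.get_func(ea)
        if f is None:          # reference from outside any function
            continue
        xrefs.append((idc.get_func_name(f.start_ea), ea))
    return xrefs


# Constructed sample (made-up function names and addresses) standing in for
# what the collector would return from a real database.
SAMPLE_XREFS = [
    ("sub_401000", 0x401010),
    ("sub_402000", 0x402010), ("sub_402000", 0x402022),
    ("sub_402000", 0x402039), ("sub_402000", 0x40204A),
    ("sub_403000", 0x403005), ("sub_403000", 0x403020),
]


if __name__ == "__main__":
    try:
        data = collect_time_xrefs()
    except ImportError:          # not running under IDA: use the sample
        data = SAMPLE_XREFS
    for name, n in rank_callers(data):
        print("%-20s %d" % (name, n))
    print("candidate lm_new():", likely_lm_new(data))
```

Run it from IDA's script window to get a real ranking; run it from a plain interpreter to see the sample ranking. The min_calls threshold is there so a daemon with only a stray time() call or two does not produce a false candidate.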

scorpie
January 19th, 2002, 10:08
Nice explanation CrackZ__.

This time gronking is explained in detail in the "dan essay" found on the previous CrackZ__ site or Fravia's.

Is there any comment about CRO, CrackZ__? You mentioned something about CRO concerning Gauss, but no further details?

I am learning how the "codes" concerning CRO in FLEXlm are recovered, but have had no success so far.