flexlm: general question


sebbe_sabb
January 30th, 2002, 12:01
Hello again.

Since the checkoutfilter seems to have won my last battle with flex, I tried to regain some confidence by trying another target.
I downloaded a licensemanager from hXXp://software.actify.com/3dview/FloatingLicInstall.exe
which I guess contains a v7 daemon.

Since the lmgrd is not linked to the daemon in the old-fashioned way (v5 and earlier), I am having trouble setting the correct breakpoints.
Using IDA with signatures shows the calls, making this easier. But which call is now made to the actual vendorcode structure? I cannot find lc_init or lm_new_job.
Am I doing something wrong? Are there other ways of finding out where to look, except using IDA with signatures?

/Sebbe_Sabb

Kythen
January 30th, 2002, 12:23
Yep, there are relatively easy ways to find FlexLM functions without an IDA sig. The basic method I use is to find the functions I want to identify in the flexlm .dll. There are strings in and around many of those functions that can help you figure out what they are. Then go back into your target and look for those same strings. They'll be in the same places (give or take a few instructions) as in the .dll. Also, there is another function in the code of both the static .lib and the .dll that moves around the addresses of a lot of the flexlm functions. Once you find, say, lc_init, jump to the data reference to it and you'll be at the function. Look in the .dll to see what addresses correspond to what function.

Hope that helps!
Kythen

sebbe_sabb
January 30th, 2002, 16:43
I checked the pattern inside an lmgr327 and found that some lines before the version printout (7.0f in this case) there was a function which was called two times in actifyd.XXX, at:
00401b58
00426f86

A bp at those addresses produced this listing in w32dasm:

00401b58 call 0040156a

[ebp-00000014] - 0048aae8 ..H.
[ebp-00000010] - 00000001 ....
[ebp-0000000C] - 00000000 ....
[ebp-00000008] - 81c7c8e4 ....
[ebp-00000004] - 005b0000 ..[.
[ebp+00000000] - 006bfb48 H.k.
[ebp+00000004] - 0044bace ..D.
[ebp+00000008] - 006bf7fc ..k. prevjob??
[ebp+0000000C] - 006bfb3c <.k. vendor_name "actifyd"
[ebp+00000010] - 009f0e90 .... &code??
[ebp+00000014] - 0048aae8 ..H. &job??

Am I on the right track?
It seems that one of the variables above at ebp+0000000c is the vendorname.
Where to go from now?

/Sebbe Sabb

Kythen
January 30th, 2002, 17:55
Yep, you are absolutely on the right track! Like I said before, you should be able to identify what function it is by comparing with the string references in the .dll. What you listed from your bps is one of the reasons I advise learning and using IDA. It automatically renames those offsets like [ebp+08] in the deadlisting into local variables or parameters/arguments. You can even rename them *and* the functions themselves. So when you identify a function as being lc_init, you can rename it as such in the deadlisting, and its parameters accordingly. As far as actually cracking the FlexLM itself, take a look at the great essays by Dan and nolan blender. It really can't be explained much better than how they do it.

nblender
January 31st, 2002, 01:18
Well, the main trick is to locate l_sg.

There are a couple of ways of doing this, but typically I apply
signatures and look for it that way, or if I don't have the exact
signature, I'll look for l_key, which is called from l_sg.

In any event here's where you should be looking.

.text:00408BAA cmp lmdecoder, 0 ; See if the ptr to the decoder is null
.text:00408BB1 jz loc_408BD1 ; Go elsewhere if it is
.text:00408BB7 mov eax, [ebp+vcode] ; Push encrypted vendorcode structure onto stack
.text:00408BBA push eax
.text:00408BBB mov eax, [ebp+vname] ; Push vendor name onto stack
.text:00408BBE push eax
.text:00408BBF mov eax, [ebp+job] ; Push job structure onto stack
.text:00408BC2 push eax
.text:00408BC3 call lmdecoder ; Decode the seeds into job and vendorcode structures
.text:00408BC9 add esp, 0Ch ; Restore stack ptr

lmdecoder is actually a dword in the data section - before this call,
set the job pointer to null, and the vendorcode structure will
contain the appropriate seeds. In this case, the seeds don't
have any values above 9 for any hex digit, although most vendors
have clue enough to use the full range of values, not that it really
matters.

The technique I usually use is this.

Once I found the appropriate place to break, I'll load softice.
Then I'll use the symbol loader on the vendor daemon (in this
case, it's actifyd.exe) and set a breakpoint there.
I'll make a license with a fake entry in it - something like this.

SERVER this_host ANY
VENDOR actifyd
FEATURE f1 actifyd 1.0 permanent 20 123412341234

then try and start up the license server with

lmgrd -c license.dat

The program will then break at this point - if you're not passing
in a valid looking license, the daemon won't even bother to try
and decode the seeds.

At this point, the null pointer trick or the calcseed program should
give you useful results - how you proceed is up to you.

I should point out that you still have to dig the features out
of the program, and that the license.dat file has to reside in
the 3dview directory, should you want to actually get the program
to run. I'm sure it can be cracked through their seat activation
code as well.

cqfan
January 31st, 2002, 03:10
Hi, nblender and other crackers,

I have had to trace the a*cad2002 FlexLM.

I traced and got a vendorcode structure like this.
--------------
00000004
CCEEEFD5
DDC81382
A3A37979
CC926A64
A1136749
F174A41F

adskflex
-----------------
I used a tool to work out key5 3144AFBA, and it is a V7 vendor name. So I have got the adskflex daemon vendor keys.

And I XOR key5 with data1 and data2 and use the results as seed1 and seed2.

I made a license.dat using genlic.exe, but it does not work at all.

I wonder whether the seed is OK. Give me some hints to carry on.

---------------
The license manager is in the a*cad2002iso netsetup dir, or
just PM me to upload.

nblender
January 31st, 2002, 14:19
Later versions of Flexlm are immune to the xor with vendorkey 5
trick. Doing this gives FDAA406F EC8CBC38 which is incorrect.
The version of adskflex I have is 7.2d which is immune to the
null pointer trick. You'll have to look at the data in the job
structure and the vendorcode structure after the call. That's
probably why your generated keys don't work.

tsehp's site has the relevant essays.

--nb

sebbe_sabb
February 1st, 2002, 07:41
Back to actifyd...

I INSIST on using w32dasm (since that seems like the only program a stupid non-programmer guy like myself seems to understand).
Thanks to Mr Nolan, I found the bp (not that hard when it is pointed out EXACTLY where) and halted the start of the daemon, and managed to get this out of w32dasm:

[ebp-00000014] - 00000007 ....
[ebp-00000010] - 7648b98e ..Hv
[ebp-0000000C] - 0012f550 P...
[ebp-00000008] - 00000007 ....
[ebp-00000004] - 77e83129 )1.w
[ebp+00000000] - 0012ed68 h...
[ebp+00000004] - 004555fc .UE.
[ebp+00000008] - 00a30360 `...
[ebp+0000000C] - 00a30428 (...
[ebp+00000010] - 0012ed30 0...
[ebp+00000014] - 77e83129 )1.w

Is any of this usable in the calcseed program?

I got kind of excited when the ebp+XX seemed to make sense (i.e. +0c = vendorname). But the job and code structures are one line each in the listing above (+8 and +10 respectively). The calcseed proggy seems to want more from me, at least two inputs from the code struct, but I only have one line above.
I cannot seem to grasp this v7 stuff, can I?


Sebbe "thick_skull" Sabb

cqfan
February 4th, 2002, 03:46
I located the l_sg in acad.exe
and tried to use nblender's hints to locate lm_new,
but my target jumps at 94DB78 and does not call at 94DB8F,
so I cannot get data to use calcseed.


94DB50 push ebp ; this is l_sg(job,code,??) function
94DB51 mov ebp, esp
94DB53 sub esp, 30h
94DB56 mov [ebp+var_10], 7648B98Eh
94DB5D mov [ebp+var_14], 3
94DB64 mov eax, [ebp+job]
94DB67 mov ecx, [eax+6Ch]
94DB6A mov edx, [ecx+1D4h]
94DB70 and edx, 8000h
94DB76 test edx, edx
94DB78 * jmp occur * jz short loc_94DB9D
94DB7A cmp dword_B5DAC4, 0 ; bp here l_n_buf
94DB81 jz short loc_94DB9D
94DB83 mov eax, [ebp+code] ; Push encrypted vendorcode structure onto stack
94DB86 push eax
94DB87 mov ecx, [ebp+vendor] ; Push vendor name onto stack
94DB8A push ecx
94DB8B mov edx, [ebp+job] ; Push job structure onto stack
94DB8E push edx
94DB8F call dword_B5DAC4 ; Decode the seeds into job and vendorcode structures
94DB95 add esp, 0Ch ; use calseed tools
94DB98 jmp loc_94DCB0

94DB9D loc_94DB9D: ; CODE XREF: l_sg+28j
94DB9D push 4
94DB9F lea eax, [ebp+var_28]
94DBA2 push eax
94DBA3 mov ecx, [ebp+code]
94DBA6 add ecx, 0Ch
94DBA9 push ecx
94DBAA mov edx, [ebp+vendor]
94DBAD push edx
94DBAE call sub_965376 ; l_key(name,keys)
94DBB3 add esp, 10h

How can I dig out the seed?

Anyone, help me!

nblender
February 4th, 2002, 10:55
Quote:
Originally posted by sebbe_sabb
Back to actifyd...

I INSIST on using w32dasm (since that seems like the only program a stupid non-programmer guy like myself seems to understand).
Thanks to Mr Nolan, I found the bp (not that hard when it is pointed out EXACTLY where) and halted the start of the daemon, and managed to get this out of w32dasm:

[ebp-00000014] - 00000007 ....
[ebp-00000010] - 7648b98e ..Hv
[ebp-0000000C] - 0012f550 P...
[ebp-00000008] - 00000007 ....
[ebp-00000004] - 77e83129 )1.w
[ebp+00000000] - 0012ed68 h...
[ebp+00000004] - 004555fc .UE.
[ebp+00000008] - 00a30360 `...
[ebp+0000000C] - 00a30428 (...
[ebp+00000010] - 0012ed30 0...
[ebp+00000014] - 77e83129 )1.w

Is any of this usable in the calcseed program?

I got kind of excited when the ebp+XX seemed to make sense (i.e. +0c = vendorname). But the job and code structures are one line each in the listing above (+8 and +10 respectively). The calcseed proggy seems to want more from me, at least two inputs from the code struct, but I only have one line above.
I cannot seem to grasp this v7 stuff, can I?


Sebbe "thick_skull" Sabb



You can use w32dasm to get the structures out easily enough (I do that sometimes, because w32dasm is much friendlier to IRC than softice). Remember the value of ESP just before the call to ptr, then look at the values dereferenced by esp, esp+4 and esp+8 - these match the arguments passed into the call. Dereference these values after the call, and you'll have the data you need.

--nb.

nblender
February 4th, 2002, 11:02
Quote:
Originally posted by cqfan
I located the l_sg in acad.exe
and tried to use nblender's hints to locate lm_new,
but my target jumps at 94DB78 and does not call at 94DB8F,
so I cannot get data to use calcseed.

How can I dig out the seed?

Anyone, help me!


Make sure you have a fake license (one with all right values but wrong key) before trying to do this, and I'll bet you get further.

-nb.