Need some help for hardware protection


Hero
January 26th, 2005, 00:10
Hi all
Before everything I should say this is my first attempt at cracking a program that
uses hardware locks.
My program uses Sentinel+Flexlm protection. But the big problem is that I don't
have the Sentinel hardware dongle and no license structure for Flexlm. This program
first tests for the existence of the dongle, then goes for the Flexlm license, so if there is no dongle
it never goes on to check the license.
I found a jump that prevents checking the license when there is no dongle, but now
I'm in the Flexlm checking routine and there is no license structure.
My problems:
1- How can I find the version of Flexlm used in the program? (Strange, but I don't know
how to find it!)
2- I read some tutorials from CrackZ, but in most of them we know the license structure.
What should I do when I have nothing about it? (My last error is ERR_FILE_NOT_FOUND!)
3- I don't know why, but none of the Sentinel signatures that I got for IDA is working,
and they find no functions in the body. Why? (I tested at least 5 different signatures that I found
for Sentinel.)

If somebody knows any tutorial for when we should crack a program with Flexlm other than
making a license for it, please tell me.

Sorry for these questions, this is my first time bypassing a hardware dongle and Flexlm protection,
so I need some help.

Sincerely yours

FrankRizzo
January 26th, 2005, 08:53
Hero, here are my answers to your questions:

1 - the simple way to find out what version of FlexLM you have, is to just search through your target for FlexLM, normally they proclaim the version number loudly, and proudly within their code.

2 - 99% of the people who use Flex use the same format, so, just copy any license file, and change the necessary bits, (product name, company name), and see if you can get it to the point where it's just complaining about your code not being correct.

3 - The only answer I have for this one, is that it's a different version than the one that you're dealing with.

CrackZ has some great tutorials, but if they don't apply 100% to your target, you have to take what you can from them, and fill in the gaps with your own experience.

Aimless
January 26th, 2005, 11:15
1. Go to the Macrovision site. Download lmutils.exe. Run it and it will ask you for a file. Select the .dll, .ocx or .exe files that you suspect (better to select all files one by one in the directory of the app) and it will show you which version of Flexlm they use.

If you can bypass Sentinel dongle check, then you don't need any other information to break the Flexlm protection apart from the dummy license file with feature names and their versions.

Have Phun

SiGiNT
January 26th, 2005, 12:39
Aimless is referring to the ECC patch - easy to find info on. Most targets that use FlexLM can use a dongle or other piece of hardware, but the dongle is not a necessity; some even allow HostID=ANY. The important thing to learn is the lic. structure and the feature names; that info along with the ECC patch may get you going. If you want to have some fun, try and find the seeds, and with the vendor ID you can generate a valid lic. using any one of several tools - Flexgen for older versions, EFA licgen for newer versions, and a few other tools.

SiGiNT

Hero
January 28th, 2005, 07:34
Thanks for the help.
I now have more information about my problem. The program uses Flexlm 6.1a,
which uses a server, and there is no dll (such as lmg*.dll).
There is only a server for Flexlm named vlg_lmd.
This Flexlm uses a Rainbow Sentinel dongle for all of its programs (for example
the program HOSTID.EXE will not work without that dongle).
But I still need some help:
1- The VENDORNAME that is sent to _lc_init is the vendor name of the product, isn't
it? Then why is the server name (vlg_lmd) sent to it?
2- There is no demo Flexlm license for this application (because when there is no
dongle, there is no test for the license file). Then where is the best place for finding
out the structure of the license file? (I followed the program and found out some parts
of this file, but I still have problems with it.)
3- I can't find any help for this version of the Flexlm routines or its SDK. Is there anybody
who knows where I can find it? (All that I found is for newer versions.)
4- What is the best way for bypassing the dongle in this mode? Do you know any tutorials
that are similar to my problem? (Generating a Flexlm license without any data about its
license file structure, for a program that uses a Sentinel dongle too, without having the dongle.)

Perhaps this will be simple for you, but it isn't for me the first time.
I attached my incomplete license file that I figured out. If you know something
that I should add to it (normally found with this problem), please tell me.

Sincerely yours

SiGiNT
January 28th, 2005, 11:26
If it requires a dongle for the lic. check (unusual!), there is an emulator available that emulates both ver 7.x and 6.x; PM me and I can either get it to you or point you where to look. Your license is missing the encrypted info; even with the ECC patch it needs to be there, and the feature line needs to be formatted correctly. Have you been able to locate the seeds? Maybe generating a valid lic. would be easier. I'll get chastised for this but, in a single feature situation, sometimes disabling the l_checkout or lc_checkout will allow the target to function without a lic. One way to do this is to replace the sub-routine with XOR EAX, EAX followed by a RTN - 33 C0 C3. The problem with this approach is occasionally it appears to work and all of a sudden the feature disappears while running the target.

SiGiNT

Hero
January 28th, 2005, 14:03
Thanks for the quick reply.
But I should say that I never get to lc_checkout in my tracing to disable it!

In addition, thanks for the emulator suggestion. I got it, and now I should test it!
Sincerely yours

CrackZ
January 28th, 2005, 14:44
Hiya,

You sound very confused. If there is no lmg*.dll, try searching the binaries for the static lmgr.lib; use lmtools, available all over the web, and check the main executables/DLLs. vlg_lmd.exe is the vendor daemon and has the same name as the vendor; that's how FLEXlm works (it's not unusual), else people could name their vendor daemons the same and problems would ensue.

The FLEXlm licensing layer has no way to force the use of a dongle; the dongle routines are only called if it detects the FLEXID= in the license string. The only possibility is that the vendor makes a check of his own before calling FLEXlm; this ought to be trivial to verify and you NEED to do this as a priority.

You need a FLEXlm SDK, but you need to know which version you're dealing with first (catch 22). Someone suggested an ECC patch; if this is v6.1a FLEXlm the format of your license is absolutely fine, ECC wasn't conceived at this time.

On your next post please try to state:

1. What version of FLEXlm it definitely is (as reported by lmtools), and the files that are protected.
2. What you have done to locate the FLEXlm and/or Sentinel routines, i.e. we'll need to know whether you reach _lc_checkout() or not, or what part of the dongle routines you are struggling with.
3. Some code illustrating 2. would most likely be useful.

Regards

CrackZ.

Hero
January 28th, 2005, 15:37
Hi CrackZ
Before everything I should thank you for your IDA signature of Flexlm that I found
on your site. That helped me a lot in tracing the program. (I downloaded all of
your site with wget!)

To answer your questions I should say:
1- As I said, my program uses Flexlm v6.1a, because lmtools says:
Quote:
--------- Version ---------
FLEXlm 6.1a (liblmgr.a), Copyright (C) 1988-1998 Globetrotter Software, Inc.

In addition, all .exe files in the program's main directory and only 1 DLL use this version
of Flexlm too.
2- It was strange for me, but I can't get to _lc_checkout. Does it depend on the correctness
of my license file structure? In most of the tutorials that I saw they use this function,
but I can't reach it.
3- My major attempt up to now was making the correct structure for the license file. I don't
know whether it's better to work on something else or not.
4- I can't find this version's SDK, and don't know where to get it. (Perhaps somebody
can help with this.)
5- For making a correct license file, I traced the program and saw that the first line
of the license is what I write (SERVER this_host \), but when I get to _l_get_one_id
for the second line, this function returns an error code, and I don't know why.
6- As I found out, my program uses a .lib file that is compiled with the program, because
using IDA Flair on the main program shows up Flexlm functions.
Edited: 7- Don't believe everything that I wrote in that license, because it's only for testing.
For example I got VENDORNAME from lc_init() and it should be correct, but I don't
know whether my feature names are correct or not.

Sincerely yours

SiGiNT
January 28th, 2005, 16:58
Of course CrackZ is absolutely right about the ECC patch - that doesn't apply till later versions, Thanx for correcting me - It was early when I posted -LOL- new rule 2 cups of coffee before posting.

Thanx again

SiGiNT

Later thought: You know the vendor code and you have the feature name, all you need to do is find the seeds and generating a valid lic using flexgen would be an option rather than patching.

CrackZ
January 29th, 2005, 09:30
Hiya again ;-).

1. Fine.

2. This is your main problem; if you can't reach _lc_checkout() you MUST figure out why the code isn't getting there. I suggest also you paste to us what you think is _lc_checkout() so we can verify you're looking in the right place.

3. Not having a valid license file format usually has absolutely nothing to do with _lc_checkout() not being executed; it's a waste of time to tinker pointlessly with your fake license file that's never going to be accessed (from what I saw the format's fine anyway, you can worry about features when you get to _lc_checkout() ;-)). See 2. _lc_checkout() is the encapsulating routine responsible for finding, validating and checking out your license; it has to execute.

4. Once you know why, I can provide you a SDK ;-).

5. I see no point in you having a SERVER or VENDOR entry in your license file unless you are going to attack/use the vendor daemon.

6/7. Your problem is getting _lc_checkout() to execute, the rest are details to solve AFTER. The vendor name is correct, if you have a vendor daemon of the same name.

Note to sigint33 - Sorry if I came off as some kind of asshole in that last post ;-), I'm more for tea though ;P.

Regards

CrackZ.

SiGiNT
January 29th, 2005, 12:31
CrackZ,

No offense taken! With my less than thimble-full of knowledge regarding Dongle cracking, I expect some flames, I'm just trying to be of some help, I'm sure you are going to continue to be a valuable resource, and I'd really not like to get on your shitlist!

SiGiNT

Hero
January 30th, 2005, 11:42
Hi again
1- Bad NEWS: I can't reach _lc_checkout() yet!
Quote:
I suggest also you paste to us what you think is _lc_checkout() so we can verify your looking in the right place.

I don't get exactly what you mean by that. By the way, I think what is shown
by IDA FLIRT as _lc_checkout() is _lc_checkout()!
2- Good NEWS: I found a place that prevents reaching _lc_checkout(), and
it depends on the existence of the license file. Look at this:

*******
.text:00547A46 lea eax, [edi+2] ; switch 5 cases <---- This switches between feature types.
.text:00547A49 cmp eax, 4
.text:00547A4C ja short loc_547A88 ; default
.text:00547A4E jmp ds:off_547A9C[eax*4] ; switch jump
.text:00547A55
.text:00547A55 loc_547A55: ; DATA XREF: .text:off_547A9C↓o
.text:00547A55 mov al, byte_61ED00 ; case 0x2
.text:00547A5A test al, al
.text:00547A5C jnz short loc_547A8F ; case -0x2 <---- If there is no license file this jump will not happen.
.text:00547A5E push offset aNoFeatureAvail ; "No feature available in license file.\n"
.text:00547A63 push offset byte_61ED00
.text:00547A68 call ds:sprintf
.text:00547A6E mov ecx, [esp+28h+arg_0]
.text:00547A72 mov dword_61D5F4, 0FFFFFFFBh
.text:00547A7C add esp, 8
.text:00547A7F mov [ecx], edi
.text:00547A81 pop edi
.text:00547A82 pop esi
.text:00547A83 pop ebp
.text:00547A84 add esp, 14h
.text:00547A87 retn
*******

Is there any idea for finding the place of the needed _lc_checkout()? (Except tracing
the whole program, which I am doing now!)

In addition, I attach the wingraph32 result for xrefs to _lc_checkout(); perhaps it will be useful.

Sincerely yours

SiGiNT
January 30th, 2005, 12:38
Just a thought, you've made a license of sorts, is it located where the target is looking for it, is there an env. variable, or a reg. entry that needs to point to it?

SiGiNT

jb1968
January 31st, 2005, 10:39
The version of the target is flexlm 6.1 on Solaris. I know the seed on Windows, but I can't get it on Solaris. I have only one question: where is the breakpoint?

Aimless
February 2nd, 2005, 00:07
I'd suggest the following steps:

1. Download lmtools.exe from the web

2. Search the entire directory where your application is installed with, say, Ultraedit, for the word FLEXLM (a good idea is to search exe, dll and ocx files).

3. Run lmtools.exe on all the binary files with the words FLEXLM in them and note their versions.

4. Use filemon while running the program to see which files above are involved when you initially execute your program. Remember, some crappy apps put the flexlm based application dlls in the WINDOWS directory. Hence filemon.

5. For each of those exe or dlls, find out where _lc_checkout() is. A good idea is to try and find it MANUALLY using Crackz 2004 muster (great tut Crackz!)

6. Run it through SOFTICE to see whether it breaks. If it breaks, follow on as usual. If it does not, then I'd suggest you look to see if there is any DONGLE checking code (not flexlm based, but as Crackz puts it, vendor based)

7. Hope you are not confused between _l_checkout and _lc_checkout

8. IMPORTANT: You will HAVE to find out the correct feature name and feature version. Other things are all OK not to have.

9. Prepare a dummy license file. See what happens. If the system is giving an error, complaining about the invalid license file, then you know that _lc_checkout() has been reached.

10. Try putting a BPM X instead of a BPX when you try to breakpoint in SoftICE.

11. Check out whether Crackz's sig file is applicable to 6.1 versions of Flexlm (hence better to do it manually as per pointers in his Muster 2004)

12. By the way, you'll have to find out whether the application is STATICALLY linked or DYNAMICALLY linked. Don't think applications will use only either exclusively. I have experienced ones that use BOTH static and dynamic at the same darn time, with ECC on it (Thx. Crackz).

13. I'm talking about Windows here, of course. I have no exp on Solaris. But I guess the basics would remain the same (though I'm wondering how you're gonna use ICE on Solaris?)

14. You will ultimately, have to perform two steps to break the application. Create a valid license file (valid as in feature and version only) AND patch the executable/dll containing the code (if statically linked) or the flexlm dll (if dynamically linked)

Let us know how you are progressing. We'll all try to assist you the best we can.

Crackz, 5 apps and still counting Thx.

Have Phun

jb1968
February 4th, 2005, 10:37
Hi, Aimless:
I just want to know the method of how to get the seed from the daemon on Unix, because on Windows I had got it correctly.

Hero
February 4th, 2005, 10:52
Hi again
I came back with some good news now!
I finally found out the feature names and feature versions, but not with _lc_checkout(),
because I didn't have a valid license.
First I should thank CrackZ for the SDK. After reading it I saw that I can get features
from _lc_get_config().
With it, I found the features (name and version, from tracing), and by reading the SDK documents
I finally built a valid license that gets me to _lc_checkout().
Now I am somewhat confused about how to continue.
I am reading this tutorial from CrackZ's site for my problem:

hxxp://www.woodmann.com/crackz/Tutorials/Danflex.htm

But I am confused by one part of it:
Quote:
Part 6 - Seeds are uncovered - the answer
OK, back to l_sg. I bpx'ed lc_init, lc_checkout, and l_sg. I knew that it would be called in both routines, but I wanted to see it when it got into lc_checkout. This time l_sg took the jump to the vector!. I should have known. It would have saved me a lot of time to just break on this jump in the first place!. The first part of the vector code went like this :-

???
I didn't get why the jump to the vector happened this time. Perhaps I did something
wrong, because I never reach that call to the vector.
In addition, what is the best way to find lc_new_job? I think that because the program
should test the seeds, I can find it with this trick, but it does not work:
As I read, the mask of the seeds is as follows:
Quote:
mask = vendorkey1 ^ vendorkey2 ^ dword const ^ vname hash ^ random
seed 1 = mask ^ vendorcode.data[0]
seed 2 = mask ^ vendorcode.data[1]

Then I can set a hardware breakpoint on accessing data[0] & data[1] in the vendorcode;
then, when the seeds are calculated to check that they are correct, I can get the point of
testing the mask.
But this does not give a good result for me, because I end up somewhere where I can't make out
the calculation of the seeds. Is there any problem with my way?

Sincerely yours

Hero
February 5th, 2005, 23:35
Hi all
Thanks for all the help.
I finally generated the license successfully.

Sincerely yours