Thread: Bday Attack on Flexlm's ECC?

  1. #1

    Bday Attack on Flexlm's ECC?


    I'm playing with Flexlm 11.4 and the CRO feature for some time now and I'm
    curious about how Flexlm generates the public and private key for the ECC.
    What I have found out so far is that it is based on the 3 encryption seeds LM_SEED1-3.
    So a question came to my mind, because I know LM_SEED1 and 2 from a
    target but not LM_SEED3. So is it possible to reveal LM_SEED3 by doing a
    birthday attack on the ECC implementation?
    I think of doing the following:
    1. generate 32bit random values and patch them into LM_CODE.H
    2. compile lmcrypt.exe
    3. sign a license with my version of lmcrypt
    4. compare the result with original license file

    Of course you need the vendor keys, the CRO keys and LM_SEED 1 and 2.
    All this information can be revealed aside from LM_SEED3.
    Is my assumption correct?
    If yes, then it would normally take around 2^16 random guesses to find LM_SEED3
    which is not really much even if you have to compile and sign a license in a loop.

  2. #2



    Your assumption is incorrect. The seeds which you can recover from your target are encryption seed 1 and 2, and these are different from LM_SEED 1 and 2.

    It seems that you need to do a little more homework.


  3. #3
    hi rcer,

    you're right. After digging a little bit more I found out how Flexlm
    generates encryption seed 1-4 based on LM_SEED1-3.
    They use LM_SEED1-3 as input to the FIPS186-2 RNG, which generates
    a 256 bit random value, and from this output they use the first 128 bits
    as the encryption seed.
    As Crackz mentioned in one of his tutorials, you would need 2^96
    brute force rounds to find the correct LM_SEEDs. But it is still possible
    to do a birthday attack on these seeds with around 2^48 rounds.
    I'm working on such a tool which looks promising so far.

    Any ideas are welcome of course


  4. #4
    Do you have a concept about 2^96?
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  5. #5
    A birthday attack is meant to be used to find collisions; what you intend to do is find a preimage --- that should take about 2^(96-1) time.

    On a sidenote, doesn't FlexLM check for very large and very small values for each seed? I seem to remember only 24 bits were allowed, rendering it 2^72 instead.

  6. #6
    Do you mean the lmseed.dat generated by lmseed?
    Can vendor use their own 96 bit seeds?

  7. #7
    @dongs: well, I try to find a seed triple (with random guesses) which produces the same output as the original lm_seeds. It can be a collision, even if this is not
    realistic because the input is less than the output of the CSPRNG, but anyway.
    You're right that Flexlm filters the lm_seeds. Only seeds between 0x00F00000-0xFFF00000 are allowed.

    @zhide1983: the vendor can choose the seeds or calculate its own by using lmrand1.exe, which comes with the SDK.

    Btw: using Certicom's security builder for generating the encryption_seeds is really fast, so doing some kind of brute forcer is quite fast.
    Last edited by tr1stan; March 5th, 2009 at 13:20.
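
The collision-versus-preimage distinction drawn in post #5 can be measured on a toy function. This is an added example, not code from any poster or from the product discussed: it uses SHA-256 truncated to n bits as an assumed stand-in, and all function names and inputs are constructed for illustration. It shows why the square-root (birthday) cost applies only when any matching pair will do, so the strength of a secret against a fixed-target search follows the full size of the space, not half its bit length.

```python
import hashlib
from itertools import count

def h(data: bytes, bits: int) -> int:
    """Toy n-bit function: the top `bits` bits of SHA-256 (stand-in only)."""
    digest = hashlib.sha256(data).digest()
    return int.from_bytes(digest, "big") >> (256 - bits)

def collision_cost(bits: int, salt: bytes) -> int:
    """Evaluations until ANY two inputs share an output (birthday setting)."""
    seen = set()
    for i in count():
        out = h(salt + i.to_bytes(8, "big"), bits)
        if out in seen:
            return i + 1
        seen.add(out)

def preimage_cost(bits: int, salt: bytes) -> int:
    """Evaluations until an input hits ONE fixed target output."""
    target = h(b"constructed-target:" + salt, bits)
    for i in count():
        if h(salt + i.to_bytes(8, "big"), bits) == target:
            return i + 1

def mean_costs(bits: int = 16, trials: int = 8):
    """Average both costs over several constructed, independent trials."""
    salts = [b"trial-%d:" % t for t in range(trials)]
    coll = sum(collision_cost(bits, s) for s in salts) / trials
    pre = sum(preimage_cost(bits, s) for s in salts) / trials
    return coll, pre

if __name__ == "__main__":
    bits = 16
    coll, pre = mean_costs(bits)
    print(f"{bits}-bit output: any-pair collision ~{coll:.0f} evaluations "
          f"(2^{bits // 2} = {2 ** (bits // 2)})")
    print(f"{bits}-bit output: fixed-target match ~{pre:.0f} evaluations "
          f"(2^{bits} = {2 ** bits})")
```
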
