
Thread: FlexLM v8.x - Problem while trying to retrieve both encryption seeds

  1. #1
    ::[ Reverse Engineer ]:: OHPen's Avatar
    Join Date
    Nov 2002
    Location
    .text
    Posts
    399
    Blog Entries
    5

    FlexLM v8.x - Problem while trying to retrieve both encryption seeds

    Hi,

    currently I'm having problems with an application which is protected with FlexLM v8.x. Usually I have a very simple way to detect the encryption seeds manually, but for this target it does not work.

    Because it is not allowed to post links, I just want to ask whether somebody is able to obtain the seeds. I'm not interested in the seed values directly, more in the way you extract them from this application.

    If somebody wants to try it, please send me a PM. I will send you the download link from the vendor.

    Regards,
    OHPen.
    - Reverse Engineering can be everything, but sometimes it's more than nothing. Really rare moments but then they appear to last ages... -

  2. #2
    Founder FoxB's Avatar
    Join Date
    Mar 2002
    Location
    Earth
    Posts
    450
    PM to me

  3. #3
    ::[ Reverse Engineer ]:: OHPen's Avatar
    You got a pm

  4. #4
    PM to me
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  5. #5
    Hi,

    OHPen: I had a quick look into this app. It's indeed a bit weird. I think it's a modified version of flexlm (don't know if this is even possible). Or they have some sort of additional custom license checking.
    Anyway, none of the simple ways of finding encryption_seed1/2 seems to work.
    My approach was:

    1. find l_sg() and retrieve the seeds out of the vendor code structure before/after the first call to l_sg() -> not working
    2. searching for 3D4DA1D6h in the app and set a breakpoint on every spot, because this is the default magic value to clear the seeds -> not working
    This is a bit strange, the app checks out a default trial license on startup if no valid license is available. But this version of flexlm behaves differently in hiding the seeds than other versions I know of.
    3. set a breakpoint on l_private_key which should generate/check the real signature. I got some signatures but nothing seems to work.

    Well I hadn't enough time digging deeper to solve this one. Maybe someone else has more luck/time

    tr1stan

  6. #6
    ::[ Reverse Engineer ]:: OHPen's Avatar
    That was exactly my problem. I agree with you that it seems to be a somehow modified version of flexlm. Never saw a version like this.

    I will try to dig deeper...

  7. #7
    Registered User
    Join Date
    Nov 2008
    Location
    China
    Posts
    12
    It is very interesting, please PM me.

  8. #8
    Ah I forgot another "note":

    If you start the app it will show in the startup splash screen something like "demo mode" or "demo version".
    I patched l_checkout to always return 0 which seems to work. The splash screen didn't show demo anymore.
    But it simply crashed a few seconds later. As it's not the best way to crack this one it could be a quick solution patching l_checkout and any additional checks to have a working copy.

    tr1stan

  9. #9
    PM me as well.

    I recall that more recently built FLEXlm targets (I'm thinking of stuff like Geoslope.GEOStudio off the top of my head) won't ever perform the old style checkout without patches.

    Even after patching I remember the seeds 1 & 2 I recovered were actually the same (it felt almost like the old checkout was never intended to be executed), I didn't dig into it much past that but you have re-awakened my interest.

    Regards,

    CrackZ.

  10. #10
    ::[ Reverse Engineer ]:: OHPen's Avatar
    Now every one of you guys has a PM. Looking forward to your opinion regarding the target.

    PS: Sorry for the size of the download == 160 MB, but the application consists of many modules with dependencies, so you will have to download the application in order to study it.

    PPS: I recommend installing the application in a virtual machine because it can be difficult to remove it, just a recommendation AND NO it's not a virus, it's a commercial application

    Regards,
    OHPen

  11. #11
    ::[ Reverse Engineer ]:: OHPen's Avatar
    This is a camouflaged license file of the application. Usually I would say there must be a vendor daemon called XXX.EXE but there isn't

    Is it possible to use a vendor daemon with a different name than specified in the license file?

    VENDOR XXX
    PACKAGE Blah XXX 1.000 COMPONENTS="XXXNg_Base:1.000 \
    XXXNg_YYYYProject:1.000" OPTIONS=SUITE SIGN=0000000000
    INCREMENT BlahProTrial XXX 1.000 permanent uncounted HOSTID=ANY \
    SIGN=0000000000


    Regards,
    OHPen

  12. #12
    Hi OHPen,

    can you PM me a link as well

    Regards

    RCER

  13. #13
    ::[ Reverse Engineer ]:: OHPen's Avatar
    done

  14. #14
    I haven't looked much further but my guess is if you chose the activation via fax you have to enter the signature and a custom serial string.
    I guess the app builds a license line in a temp buffer like:

    INCREMENT BBBPro XXX 1.000 permanent uncounted VENDOR_STRING="your serial" HOSTID=(ANY or your host id) SIGN="your activation signature".

    It could be the path to reverse the actual license generation/checking...

    tr1stan

  15. #15
    Founder FoxB's Avatar
    VENDOR_STRING="049-12-34567890-xyz" - the number is a phone number, the ASCII part I don't know - maybe a checksum, etc.
