Results 1 to 6 of 6

Thread: FlexLM on PA-Risc CPU ...

  1. #1

    Question FlexLM on PA-Risc CPU ...

    Hi all,

    I have some problem on HP-UX SOM for a PA-Risc CPU. On the binary program (disassembled with Ida) i have found this:

    "FLEXlm 6.0d (liblmgr.a), Copyright (C) 1988-1997 Globet"

    well I said to myself, a simple version to blow up . But this is not the case. For this CPU there is no signature of FlexLM for IDA, I sweating 7 shirts, but I found all (at least I think) the functions that relate FlexLM.

    The most interesting part:

    $CODE$:00579C2C 6B C2 3F D9                             stw             %rp, cur_rp(%sp)
    $CODE$:00579C30 37 DE 01 80                             ldo             0xC0(%sp), %sp
    $CODE$:00579C34 6B DA 3E 39                             stw             %r26, -0xC0+arg_24(%sp)
    $CODE$:00579C38 6B D9 3E 31                             stw             %r25, -0xC0+arg_28(%sp)
    $CODE$:00579C3C 6B D8 3E 29                             stw             %r24, -0xC0+arg_2C(%sp)
    $CODE$:00579C40 6B C0 3F 01                             stw             %r0, -0xC0+var_40(%sp)
    $CODE$:00579C44 4B D4 3E 39                             ldw             -0xC0+arg_24(%sp), %r20
    $CODE$:00579C48 36 9A 01 18                             ldo             0x8C(%r20), %r26
    $CODE$:00579C4C 4B D9 3E 29                             ldw             -0xC0+arg_2C(%sp), %r25
    $CODE$:00579C50 23 FD 50 0A                             ldil            loc_57A800, %r31
    $CODE$:00579C54 E7 E0 2F 98                             be,l            0x7CC(%sr4,%r31), %sr0, %r31 # l_svk
    $CODE$:00579C58 08 1F 02 42                             copy            %r31, %rp
    $CODE$:00579C5C 6B DC 3F 09                             stw             %r28, -0xC0+var_44(%sp)
    $CODE$:00579C60 37 DA 3E B1                             ldo             -0xC0+var_18(%sp), %r26
    $CODE$:00579C64 4B D9 3E 29                             ldw             -0xC0+arg_2C(%sp), %r25
    $CODE$:00579C68 34 18 00 50                             ldi             0x28, %r24
    $CODE$:00579C6C 23 E1 50 0A                             ldil            loc_542800, %r31
    $CODE$:00579C70 E7 E0 20 58                             be,l            0x2C(%sr4,%r31), %sr0, %r31 # memcpy
    $CODE$:00579C74 08 1F 02 42                             copy            %r31, %rp
    $CODE$:00579C78 4B D5 3E 29                             ldw             -0xC0+arg_2C(%sp), %r21
    $CODE$:00579C7C 4A B6 00 08                             ldw             4(%r21), %r22
    $CODE$:00579C80 4B C1 3F 09                             ldw             -0xC0+var_44(%sp), %r1
    $CODE$:00579C84 08 36 02 9F                             xor             %r22, %r1, %r31             # Clear Seed 1
    $CODE$:00579C88 6B DF 3E B9                             stw             %r31, -0xC0+var_1C(%sp)     # Seed 1
    $CODE$:00579C8C 4B D3 3E 29                             ldw             -0xC0+arg_2C(%sp), %r19
    $CODE$:00579C90 4A 74 00 10                             ldw             8(%r19), %r20
    $CODE$:00579C94 4B D5 3F 09                             ldw             -0xC0+var_44(%sp), %r21
    $CODE$:00579C98 0A B4 02 96                             xor             %r20, %r21, %r22            # Clear Seed 2
    $CODE$:00579C9C 6B D6 3E C1                             stw             %r22, -0xC0+var_20(%sp)     # Seed 2
    $CODE$:00579CA0 4B DA 3E 39                             ldw             -0xC0+arg_24(%sp), %r26
    $CODE$:00579CA4 4B C1 3E 31                             ldw             -0xC0+arg_28(%sp), %r1
    $CODE$:00579CA8 34 39 00 A8                             ldo             0x54(%r1), %r25
    $CODE$:00579CAC 23 E4 90 0A                             ldil            loc_588800, %r31
    $CODE$:00579CB0 E7 E0 2A 60                             be,l            0x530(%sr4,%r31), %sr0, %r31 # l_extract_date
    $CODE$:00579CB4 08 1F 02 42                             copy            %r31, %rp
    $CODE$:00579CB8 08 1C 02 58                             copy            %r28, %r24
    $CODE$:00579CBC 4B DA 3E 39                             ldw             -0xC0+arg_24(%sp), %r26
    $CODE$:00579CC0 4B D9 3E 31                             ldw             -0xC0+arg_28(%sp), %r25
    $CODE$:00579CC4 37 D7 3E B1                             ldo             -0xC0+var_18(%sp), %r23
    $CODE$:00579CC8 23 FD 60 0A                             ldil            loc_57B000, %r31
    $CODE$:00579CCC E7 E0 24 D8                             be,l            0x26C(%sr4,%r31), %sr0, %r31 # sub_57B26C
    $CODE$:00579CD0 08 1F 02 42                             copy            %r31, %rp
    Is the same routine for x86-based versions (FlexLM 6.0, lmgrd326a.dll) but in language PA-RISC. FlexLM is compiled for PA-RISC.

    At this point I entered data (vendor_key) in "FlexSeedGen.exe" and I got the vendor_key5. I tried with other programs obtaining the same result.
    I assumed that the key was right. I entered all the data in the older version of FlexLM SDK that I have, in my case 7.0d. I have compiled the program,
    but if I run "lmcrytstr.exe" I obtain an error:

    "lc_init failed: Invalid FLEXlm key data supplied FLEXlm error: -44,49."

    Would have been too simple.

    I thought that SDK FlexLM not accept the values placed then not having a 6.0 SDK, I tried with "FlexLM-Keygen" and on this
    program the "vendor_key" with "vendor_name" is declared valid, finding in turn also key5 (the same).

    This program permits the signature of feature, I tried a feature (that i have), but the signature generated is not the same. It must be the same ?

    I have replaced my original with that calculated but to be invalid.

    Someone can help me ? Someone have a FlexLM SDK 6.0d ?

    Someone knows an emulator for PA-RISC on x86 ?


    Last edited by kappasm; August 22nd, 2008 at 17:24.

  2. #2
    Founder FoxB's Avatar
    Join Date
    Mar 2002
    Show vendor daemon's name...

  3. #3
    Hi FoxB,

    thanks for your replay ...

    I'm waiting ...

    Last edited by kappasm; August 22nd, 2008 at 17:25.

  4. #4
    Founder FoxB's Avatar
    Join Date
    Mar 2002
    Decoded values[0] = 37ffbffe
    Decoded values[1] = 00008028
    Decoded values[2] = 40000000
    Decoded values[3] = 03eea001
    Expiry date: 1-jan-1980
    This date indicates no expiry.
    Key5: f5fa7864
    Encryption seed1: ed0f0e0b
    Encryption seed2: 69837101

  5. #5
    Thanks FoxB,

    are the same results that I got I am glad

    You can compile "lmcryptstr.exe" with these values using an SDK FlexLM 6.0d ?

    I have a working license calculated by those values, I can send in PM to check that keep the same values ?

    Thanks again.


  6. #6


    HI ,Kappa:
    I have the same problem with you! I have the seed1 & seed2 ,but when i
    use "lmcryptgui.exe" to make a lic ,it not work well. can you help me !

    I promise that I have read the FAQ and tried to use the Search to answer my question.

Similar Threads

  1. FlexLM 8.2a how to
    By skippy in forum The Newbie Forum
    Replies: 8
    Last Post: April 20th, 2007, 16:00
  2. FlexLM 7.2i
    By GinFix in forum Advanced Reversing and Programming
    Replies: 6
    Last Post: February 13th, 2004, 06:30
  3. FlexLM 7.2g
    By cillonzo in forum The Newbie Forum
    Replies: 3
    Last Post: November 4th, 2002, 09:28
  4. Need help w/ FlexLM 8.0...
    By c0rps3 in forum Malware Analysis and Unpacking Forum
    Replies: 8
    Last Post: April 25th, 2002, 01:37
  5. Need Help - FlexLM
    By XeNoSiS in forum Malware Analysis and Unpacking Forum
    Replies: 3
    Last Post: December 9th, 2001, 22:20


Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts