
Thread: FLEXLM SETTING BP (EXTRACTION SEEDS)

  1. #1

    I am learning this stuff but I have a problem. The debugger does not stop in the _l_n36_buff function.

    Flexlm version: FLEXnet Licensing version v10.8.9.0 build 73735 i86_n3

    My steps are:

    1. Create a dummy license.

    SERVER COMPUTERNAME ANY
    VENDOR LICPIFT
    USE_SERVER
    INCREMENT test LICPIFT 1 1-jun-2020 1 0123456789AB

    2. My daemon is two files: lmgrd.exe and LICPIFT.exe.

    I load lmgrd.exe in OllyDbg with the arguments -t computer_name 4 -c dummy.dat

    3. Search for all occurrences of the constant 6F7330B8. I get two references.

    a) Address 48225E, with this code:

    004811D0 /$ 55 PUSH EBP
    004811D1 |. 8BEC MOV EBP,ESP
    004811D3 |. 83EC 24 SUB ESP,24
    004811D6 |. C645 F0 00 MOV BYTE PTR SS:[EBP-10],0
    004811DA |. 33C0 XOR EAX,EAX
    004811DC |. 66:8945 F1 MOV WORD PTR SS:[EBP-F],AX
    004811E0 |. 8845 F3 MOV BYTE PTR SS:[EBP-D],AL
    004811E3 |. C745 FC B8307>MOV DWORD PTR SS:[EBP-4],6F7330B8
    004811EA |. C745 F4 00000>MOV DWORD PTR SS:[EBP-C],0
    004811F1 |. C745 DC 00000>MOV DWORD PTR SS:[EBP-24],0
    004811F8 |. C745 F8 03000>MOV DWORD PTR SS:[EBP-8],3
    004811FF |. 68 00100000 PUSH 1000
    00481204 |. 8B4D 08 MOV ECX,DWORD PTR SS:[EBP+8]
    00481207 |. 51 PUSH ECX
    00481208 |. E8 63A9FFFF CALL 0047BB70
    0048120D |. 83C4 08 ADD ESP,8
    00481210 |. 85C0 TEST EAX,EAX
    00481212 |. 74 54 JE SHORT 00481268
    00481214 |. 8B55 08 MOV EDX,DWORD PTR SS:[EBP+8]
    00481217 |. 8B82 A0010000 MOV EAX,DWORD PTR DS:[EDX+1A0]
    0048121D |. 8B88 F81C0000 MOV ECX,DWORD PTR DS:[EAX+1CF8]
    00481223 |. 83B9 24050000>CMP DWORD PTR DS:[ECX+524],0
    0048122A |. 74 3C JE SHORT 00481268
    0048122C |. 8B55 10 MOV EDX,DWORD PTR SS:[EBP+10]
    0048122F |. 52 PUSH EDX
    00481230 |. 8B45 0C MOV EAX,DWORD PTR SS:[EBP+C]
    00481233 |. 50 PUSH EAX
    00481234 |. 8B4D 08 MOV ECX,DWORD PTR SS:[EBP+8]
    00481237 |. 8B91 A0010000 MOV EDX,DWORD PTR DS:[ECX+1A0]
    0048123D |. 8B82 F81C0000 MOV EAX,DWORD PTR DS:[EDX+1CF8]
    00481243 |. 05 28050000 ADD EAX,528
    00481248 |. 50 PUSH EAX
    00481249 |. 8B4D 08 MOV ECX,DWORD PTR SS:[EBP+8]
    0048124C |. 8B91 A0010000 MOV EDX,DWORD PTR DS:[ECX+1A0]
    00481252 |. 8B82 F81C0000 MOV EAX,DWORD PTR DS:[EDX+1CF8]
    00481258 |. 8B88 24050000 MOV ECX,DWORD PTR DS:[EAX+524]
    0048125E |. FFD1 CALL ECX <-----_l_n36_buff FUNTION
    00481260 |. 83C4 0C ADD ESP,0C
    00481263 |. E9 0F010000 JMP 00481377
    ..................
    ..................


    Set a breakpoint in the _l_n36_buff function.

    [attachment: flexlm.jpg]

    BUT THE _l_n36_buff FUNCTION IS NEVER CALLED AT ADDRESS 0048125E.

    b) Address 481260, with this code:

    00481380 /. 55 PUSH EBP
    00481381 |. 8BEC MOV EBP,ESP
    00481383 |. 83EC 20 SUB ESP,20
    00481386 |. C745 E0 00000>MOV DWORD PTR SS:[EBP-20],0
    0048138D |. C745 E4 00000>MOV DWORD PTR SS:[EBP-1C],0
    00481394 |. C745 E8 00000>MOV DWORD PTR SS:[EBP-18],0
    0048139B |. C745 EC 00000>MOV DWORD PTR SS:[EBP-14],0
    004813A2 |. C745 F4 00000>MOV DWORD PTR SS:[EBP-C],0
    004813A9 |. C645 F0 00 MOV BYTE PTR SS:[EBP-10],0
    004813AD |. 33C0 XOR EAX,EAX
    004813AF |. 66:8945 F1 MOV WORD PTR SS:[EBP-F],AX
    004813B3 |. 8845 F3 MOV BYTE PTR SS:[EBP-D],AL
    004813B6 |. C745 FC B8307>MOV DWORD PTR SS:[EBP-4],6F7330B8
    004813BD |. C745 F8 03000>MOV DWORD PTR SS:[EBP-8],3
    004813C4 |. 6A 04 PUSH 4 ; /Arg4 = 00000004
    004813C6 |. 8D4D E0 LEA ECX,DWORD PTR SS:[EBP-20] ; |
    004813C9 |. 51 PUSH ECX ; |Arg3
    004813CA |. 8B55 0C MOV EDX,DWORD PTR SS:[EBP+C] ; |
    004813CD |. 83C2 0C ADD EDX,0C ; |
    004813D0 |. 52 PUSH EDX ; |Arg2
    004813D1 |. 8B45 08 MOV EAX,DWORD PTR SS:[EBP+8] ; |
    004813D4 |. 50 PUSH EAX ; |Arg1
    004813D5 |. E8 C6B00300 CALL 004BC4A0 ; \lmgrd.004BC4A0
    004813DA |. 83C4 10 ADD ESP,10
    004813DD |. C645 F3 00 MOV BYTE PTR SS:[EBP-D],0
    004813E1 |. 8A4D F3 MOV CL,BYTE PTR SS:[EBP-D]
    004813E4 |. 884D F2 MOV BYTE PTR SS:[EBP-E],CL
    004813E7 |. 8A55 F2 MOV DL,BYTE PTR SS:[EBP-E]
    004813EA |. 8855 F1 MOV BYTE PTR SS:[EBP-F],DL
    004813ED |. 8A45 F1 MOV AL,BYTE PTR SS:[EBP-F]
    004813F0 |. 8845 F0 MOV BYTE PTR SS:[EBP-10],AL
    .......................
    ......................

    Conclusion:

    Breakpoint #1 is never hit.

    I can't find the problem. What could I be doing wrong?

    Target daemon attachment: http://www.4shared.com/file/RGabNwfK/DAEMONDUMMY.html

  2. #2
    You're debugging the wrong executable.

    A picture is worth a thousand words:


    cheers,

    dirkmill
    Last edited by dirkmill; October 5th, 2010 at 15:04. Reason: censored vendor name according to board rules - sry !

  3. #3
    @dirkmill

    Thanks for your reply,

    Can you post your dummy license?
    Last edited by besoeso; October 5th, 2010 at 12:25.

  4. #4
    I was actually using your file; signed version below.
    Code:
    SERVER this_host ANY
    VENDOR dgdgdfdf
    INCREMENT test DgDgDfDf  1 1-jun-2020 1 1D5137D2161D
    cheers,

    dirkmill
    Last edited by dirkmill; October 5th, 2010 at 15:09. Reason: censored vendor name according to board rules - sry !

  5. #5
    @dirkmill

    Yes, working now. I got seed 1 and seed 2 unencrypted.

    I am looking for feature names now.
    Last edited by besoeso; October 6th, 2010 at 12:39.

  6. #6
    PM each other.

    We try to teach/learn here, not give out the answers.

    Woodmann
    Learn Or Die.

  7. #7
    @besoeso:
    While I won't give you any direct pointers regarding feature names, I advise you to just (re)read the excellent articles hosted on CrackZ's sub-site right here; you're off to a good start already...

    @woodmann
    I value your role as our host here immensely, but I have to disagree with the implied statement of your last post.
    I didn't give the OP any recipe; he knew his way around already, as can be seen from statements in his first post. He was just misguided in thinking that lmgrd (the host process for vendor daemons) was an ISV-supplied file and of interest.
    Feel free to delete my post or this whole thread if you really disagree with that or still believe that me trying to point a new member in the right direction was "giving out the answers".

    cheers,
    dirkmill

    P.S. All relevant hex values were already censored in the very first version of my reply here.

  8. #8
    @Woodmann

    From your words:

    I understand I must show what I have learned in the thread and not in private messages.
    Last edited by besoeso; October 6th, 2010 at 12:39.

  9. #9
    I follow the advice of member Woodmann.

    I explain how I got the seeds by doing this:

    Locate the call to _l_n36_buff (inside _l_sg) and set breakpoint #1.

    Set breakpoint #2 at the RET of _l_n36_buff.

    Run the program and let it break (at the 1st breakpoint).

    Single-step into the _l_n36_buff call (one step only!).

    Locate the EB09 JMP.

    Set breakpoint #3, then run the program and let it break.

    Check the memory address inside ECX or EDX (follow in dump). One of them will contain the location of
    the job structure (note that this new job structure starts with 00 00 00 00 instead of 66 00 00 00).

    Delete the 16 random bytes inside the job structure (starting at job+04 and ending at job+13) and replace them with "00".

    Run the program and let it break at BP#2 ("break on RET", after returning from the call to _l_n36_buff).

    Now look at the following stack locations (follow in dump):
    o ESP+04: pointer to the vendor name (name of the vendor daemon)
    o ESP+08: pointer to the vendor code (which will now contain the clean seed 1 and seed 2)
    o VC+04 = Seed1
    o VC+08 = Seed2

    Thanks, friend dirkmill, for your help.
    Last edited by besoeso; October 6th, 2010 at 14:32.
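The memory walk in the post above (find the job structure, zero job+04..job+13, then at the RET of _l_n36_buff follow ESP+04 and ESP+08 and read VC+04 / VC+08) can be rehearsed offline on a saved dump. The Python below is an added example for this thread, not besoeso's code and not FLEXlm code. It runs on a constructed memory snapshot: the vendor name "LICPIFT" is taken from the dummy license in post #1, while the seed and key values, the addresses, the return address on the stack, and the assumed 2-byte type / four 32-bit keys layout of the VENDORCODE head (from the public lm_code.h) are assumptions for illustration, not values from the page.

```python
import struct

# Offsets quoted in the post above (job+04..job+13, ESP+04, ESP+08, VC+04, VC+08).
JOB_RANDOM_OFF = 0x04
JOB_RANDOM_LEN = 0x10
STACK_VENDOR_NAME_OFF = 0x04
STACK_VENDOR_CODE_OFF = 0x08
VC_SEED1_OFF = 0x04
VC_SEED2_OFF = 0x08
# Assumption (public lm_code.h): short type, pad, data[2], keys[4] -> 0x1C bytes.
VC_HEAD_LEN = 0x1C


class MemoryImage:
    """Flat little-endian snapshot standing in for the debugger's dump window."""

    def __init__(self, base, data):
        self.base = base
        self.data = bytes(data)

    def read(self, addr, size):
        off = addr - self.base
        if size < 0 or off < 0 or off + size > len(self.data):
            raise ValueError(f"read of {size} bytes at {addr:#010x} is outside the snapshot")
        return self.data[off:off + size]

    def read_u32(self, addr):
        return struct.unpack("<I", self.read(addr, 4))[0]

    def read_cstring(self, addr, limit=64):
        end = min(addr + limit, self.base + len(self.data))
        return self.read(addr, end - addr).split(b"\x00", 1)[0].decode("ascii")


def clear_job_random_bytes(job):
    """The post's patch step: overwrite the 16 random bytes at job+04..job+13 with 00."""
    if len(job) < JOB_RANDOM_OFF + JOB_RANDOM_LEN:
        raise ValueError("job structure dump too short")
    patched = bytearray(job)
    patched[JOB_RANDOM_OFF:JOB_RANDOM_OFF + JOB_RANDOM_LEN] = bytes(JOB_RANDOM_LEN)
    return bytes(patched)


def parse_vendorcode(vc):
    """Decode the head of a VENDORCODE dump. VC+04 and VC+08 are the post's seed
    offsets; the type field at +00 and the keys at +0C are the assumed layout."""
    if len(vc) < VC_HEAD_LEN:
        raise ValueError("vendor code dump too short")
    vtype, = struct.unpack_from("<h", vc, 0)
    seed1, = struct.unpack_from("<I", vc, VC_SEED1_OFF)
    seed2, = struct.unpack_from("<I", vc, VC_SEED2_OFF)
    keys = struct.unpack_from("<4I", vc, 0x0C)
    return {"type": vtype, "seed1": seed1, "seed2": seed2, "keys": list(keys)}


def seeds_at_return(esp, mem):
    """What 'follow in dump' does at BP#2: dereference ESP+04 (vendor name) and
    ESP+08 (vendor code) and pull seed1/seed2 out of the vendor code."""
    name_ptr = mem.read_u32(esp + STACK_VENDOR_NAME_OFF)
    vc_ptr = mem.read_u32(esp + STACK_VENDOR_CODE_OFF)
    result = parse_vendorcode(mem.read(vc_ptr, VC_HEAD_LEN))
    result["vendor"] = mem.read_cstring(name_ptr)
    return result


# --- constructed snapshot, not a real dump ---------------------------------
SNAP_BASE = 0x00500000
VENDOR_NAME_ADDR = SNAP_BASE          # "LICPIFT\0" (vendor from the dummy license)
VENDOR_CODE_ADDR = SNAP_BASE + 0x10   # VENDORCODE head
STACK_ADDR = SNAP_BASE + 0x40         # pretend ESP at the RET of _l_n36_buff
EXAMPLE_SEED1, EXAMPLE_SEED2 = 0x11223344, 0x55667788   # invented values
EXAMPLE_KEYS = (0x0A0B0C0D, 0x1A1B1C1D, 0x2A2B2C2D, 0x3A3B3C3D)
FAKE_RETURN_ADDR = 0x00401000         # placeholder, not an address from the thread
# Job structure as the post describes it: 00 00 00 00, then 16 random bytes.
EXAMPLE_JOB = bytes(4) + bytes(range(0x11, 0x21)) + bytes(16)


def build_snapshot():
    buf = bytearray(0x50)
    buf[0x00:0x08] = b"LICPIFT\x00"
    buf[0x10:0x10 + VC_HEAD_LEN] = struct.pack(
        "<h2xII4I", 3, EXAMPLE_SEED1, EXAMPLE_SEED2, *EXAMPLE_KEYS)
    # Stack at the RET: [return address][arg1 = vendor name ptr][arg2 = vendor code ptr]
    buf[0x40:0x4C] = struct.pack("<III", FAKE_RETURN_ADDR, VENDOR_NAME_ADDR, VENDOR_CODE_ADDR)
    return MemoryImage(SNAP_BASE, bytes(buf))


if __name__ == "__main__":
    found = seeds_at_return(STACK_ADDR, build_snapshot())
    print(f"vendor={found['vendor']} seed1={found['seed1']:08X} seed2={found['seed2']:08X}")
    print("patched job:", clear_job_random_bytes(EXAMPLE_JOB)[:0x14].hex())
```

To use it on a real session, replace `build_snapshot()` with a `MemoryImage` built from a binary dump of the region around ESP and the vendor code, and pass the ESP value shown in the debugger at BP#2.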

  10. #10
    Find feature names.

    I know:

    lc_checkout ((LM_HANDLE_PTR job, const LM_CHAR_PTR feature, const LM_CHAR_PTR version, int nlic, int flag, const VENDORCODE_PTR key,int dup));

    I am looking for the feature and version here.

    I use the same dummy license and load the daemon in Olly with -t computer_name 4 -c dummy.dat

    I search for the lc_checkout function.

    I found it at address 004838DF. You can see here:

    [attachment: flex_2.jpg]

    I set a breakpoint on the call to lc_checkout, but it does not stop there.

    What am I doing wrong?
    Last edited by besoeso; October 6th, 2010 at 14:31.

  11. #11
    Howdy,

    It was only a warning. So relax , all is good.

    Woodmann
    Learn Or Die.
