Thread: how to generate "1" instead of "uncounted" license

  1. #16
    To CrackZ&tedshred,

    After studying the related documents, I learned that a counted license must have a 'SERVER line'; after a long time trying, I added it in the keygen and generated the license successfully.

    As tedshred said, 'this software vendor used "permutation tables" in the license generation process', so I studied Nolan Blender's essay on Crypt Filters, and finally got the xor and permutation tables, then generated lmcrypt for the right license.

    Although I can now generate the license with both the "SSS" feature and other features, I still don't understand how the SSS feature is generated (the keygen is OK, but I only modified it and do not fully understand the method). Here I want to ask: what encryption method is used for this SSS feature? A more direct question is: what encryption method is related to "VENDOR_STRING"? Is there any essay that can be referenced for further study?

    INCREMENT SSS daemon 1.0 31-dec-2020 1 6D9EC78249D7B1526C91 \
    VENDOR_STRING="da2b6 85c22 8ef06 ef1b6 2e26b b451f b16a6 94ec6 \
    17e02 062" HOSTID=006625c160ca ISSUER=TEST NOTICE="Licensed for \
    study [PLEASE DO NOT DELETE THIS SSS KEY]" SN=RK:0:0:0 \
    START=1-jan-2006

    Thanks,
    Joyung

  2. #17
    FoxB (Founder; Join Date: Mar 2002; Location: Earth; Posts: 450)
    try to monitor attribute tags [lc_set_attr(lm_job,...)] in your client app, not in daemon snpslmd.exe

    maybe 'lm_attr.h' from your favorite FlexLM SDK will help you...

  3. #18
    Originally posted by FoxB:
    > try to monitor attribute tags [lc_set_attr(lm_job,...)] in your client app, not in daemon snpslmd.exe
    >
    > maybe 'lm_attr.h' from your favorite FlexLM SDK will help you...

    Hi FoxB,

    Thank you so much for your instruction; that gives me the right direction to go on studying. Maybe I was working the wrong way.

    May I ask some more questions?
    <1> Does the file 'sssverify' contain the encryption also? The client app is too big; if I can debug 'sssverify', that will be more convenient.
    <2> Does this encryption use "vendor defined checkout filters" similar to Amante4's essay below on "vendor defined checkout filters"?
    http://www.reteam.org/ID-RIP/database/essays/amante/flexlm2.htm
    <3> I still feel confused about 'not in daemon snpslmd.exe': when I add a fake (but still with the right xor and permutation tables) SSS feature to the license file and start the license with lmgrd, it reports 'The SSS features are garbled'. Does that mean this version of 'snpslmd' includes the encryption method also?

    Thanks again,
    Joyung
    Last edited by joyung; June 3rd, 2011 at 21:27.

  4. #19

    Question

    (Since a long time has passed, I wanted to open a new thread for this question, but it's locked; I'm not sure whether that was caused by cross-posting.)

    2011-6-2

    * Re-opened to ask for help on 'VENDOR_STRING' encryption method.

    Can anyone help to check this 'VENDOR_STRING' encryption method? Many thanks!

  5. #20
    FoxB
    Yes, I'm wrong. I have the old vendor daemon file without "SSS". The new one has this:

    .004338EA: 53 push ebx
    .004338EB: E80A030000 call .000433BFA --1
    .004338F0: 59 pop ecx
    .004338F1: 59 pop ecx
    .004338F2: 47 inc edi
    .004338F3: 3B7D08 cmp edi,[ebp][8]
    .004338F6: 7CDB jl .0004338D3 --2
    .004338F8: 53 push ebx
    .004338F9: E88B030000 call .000433C89 --3
    .004338FE: 85C0 test eax,eax
    .00433900: 59 pop ecx
    .00433901: 7F0A jg .00043390D --4
    .00433903: 6850035F00 push 0005F0350 ;'The SSS features are garbled'
    .00433908: E9D1000000 jmp .0004339DE --6
    .0043390D: 53 4push ebx

  6. #21
    Thanks, FoxB. Then do you know which technology is used for this SSS license with 'VENDOR_STRING'?

  7. #22
    FoxB
    try to break at
    .text:004337AD sub_4337AD proc near ; CODE XREF: sub_401EB4+255

    or on string

    .rdata:005F0344 ; char aSsst[]
    .rdata:005F0344 aSsst db 'SSST',0 ; DATA XREF: sub_4337AD+1C2o
    .rdata:005F0344 ; sub_435FA7+15Co ...

    .rdata:005F034C ; char aSss[]
    .rdata:005F034C aSss db 'SSS',0 ; DATA XREF: sub_4337AD+17Do
    .rdata:005F034C ; sub_435FA7+14Bo ...


    the daemon uses:

    43258D: found sparse constants for MD5
    432D62: found sparse constants for MD4
    48AFA2: found sparse constants for SHA-1
    4AF4F4: found sparse constants for SHA-1
    4AF824: found sparse constants for MD4
    5EF170: found const array Blowfish_p_init (used in Blowfish)
    5EF170: found sparse constants for HAVAL
    5EF190: found const array HAVAL_mc2 (used in HAVAL)
    5EF1B8: found const array Blowfish_s_init (used in Blowfish)
    5EF210: found const array HAVAL_mc3 (used in HAVAL)
    5EF290: found const array HAVAL_mc4 (used in HAVAL)
    5EF310: found const array HAVAL_mc5 (used in HAVAL)
    618428: found const array DES_ip (used in DES)
    618468: found const array DES_fp (used in DES)
    6184A8: found const array DES_pc1 (used in DES)
    6184F0: found const array DES_pc2 (used in DES)
    618520: found const array DES_sbox (used in DES)
    618720: found const array DES_p32i (used in DES)
    61DBA8: found const array MD2_S (used in MD2)
    622FC8: found const array CRC32_m_tab (used in CRC32)
    623490: found const array Blowfish_p_init (used in Blowfish)
    623490: found sparse constants for HAVAL
    6234B0: found const array HAVAL_mc2 (used in HAVAL)
    6234D8: found const array Blowfish_s_init (used in Blowfish)
    623530: found const array HAVAL_mc3 (used in HAVAL)
    6235B0: found const array HAVAL_mc4 (used in HAVAL)
    623630: found const array HAVAL_mc5 (used in HAVAL)
    Found 27 known constant arrays in total.

    The vendor string for the SSS feature can be a hash value from the host/SN/ISSUER/version/exp date. I don't know.

    add:
    .textidx:00550A90 lm_set_attr
    and
    .textidx:0055EA80 lm_get_attr
    Last edited by FoxB; March 22nd, 2012 at 12:04.

  8. #23
    FoxB
    I tried to change VENDOR_STRING from "bd... to "ad... and re-sign the license. All OK

    13:49:34 (snpslmd) FLEXnet Licensing version v11.6.1.6 build 77180 i86_n3
    13:49:36 (snpslmd) Synopsys Corporate Licensing (SCL) Release: version SCL_11.1
    13:49:36 (snpslmd) Server started on 12345678 for: SSS
    13:49:36 (snpslmd)
    13:49:36 (snpslmd) Licenses are case sensitive for TE_CATS
    13:49:36 (snpslmd)
    13:49:36 (snpslmd) EXTERNAL FILTERS are OFF

    SERVER 12345678 008048264d90 1700
    DAEMON snpslmd daemon.exe
    USE_SERVER
    INCREMENT SSS snpslmd 1.0 28-jul-2020 1 49D455A5BFEA \
    VENDOR_STRING="ad....fd 05c" \
    ISSUER="Synopsys Inc." NOTICE="[PLEASE DO NOT \
    DELETE THIS SSS KEY]" SN=RK:0:0:891808

    add: VS has a length of 24 bytes and is used in the BlowFish cipher
    Last edited by FoxB; March 22nd, 2012 at 13:38.

  9. #24
    FoxB
    Next I tried to debug the Check.exe from Synopsys.

    The initial string for the MD5 hash inside sub_4173DE is
    ripped from the ISSUER="" and NOTICE="" contents plus 2 dwords.

    [PLEASE DO NOT DELETE THIS SSS KEY]Synopsys Inc.0x000000000x5f1f6a80

    .text:00417566 lea eax, [ebp+hash]
    .text:00417569 push eax
    .text:0041756A call sub_4173DE

    I don't know about the last 2 dwords.
    Hash it and you get:

    8D EA AC 0F 68 8C 2F 86 55 CF 22 2F 32 74 F6 76

    Next it is used in BlowFish Init:
    .text:00417576 lea ecx, [ebp+hash]
    .text:00417579 push ecx
    .text:0041757A push eax ; BF init table
    .text:0041757E call Blowfish_init

    and VENDOR_STRING is used for the blow_fish cipher:
    .text:00417595 push eax ; vendor_string length 0x18
    .text:00417596 push edi ; vendor_string
    ; DB 9C 49 72 1A 44 79 9F 0E 5A 5C 65 18 DF 89 C6 EF D7 C5 28 B9 FD 0D C5
    .text:00417597 push [ebp+var_24] ; after BlowFish init table
    .text:0041759A call BlowFish_Cipher

    .text:004175A2 cmp byte ptr [edi], 0F0h
    .text:004175A5 jnz loc_41777D
    .text:004175AB cmp byte ptr [edi+1], 0Dh
    .text:004175AF jnz loc_41777D
    .text:004175B5 mov al, [edi+2]
    .text:004175B8 mov ebx, ds:__imp_ntohs
    .text:004175BE mov byte ptr [ebp+netlong], al
    .text:004175C1 mov al, [edi+3]
    .text:004175C4 mov byte ptr [ebp+netlong+1], al
    .text:004175C7 push dword ptr [ebp+netlong] ; netshort
    .text:004175CA call ebx ; __imp_ntohs
    ................

    Finally - I don't have a valid vendor_string for my PC and can't research further...
    Last edited by FoxB; March 22nd, 2012 at 14:19.

  10. #25
    Originally posted by FoxB:
    > Finally - I don't have a valid vendor_string for my PC and can't research further...

    Dear FoxB,

    I sent you a PM to provide more information, would you have a look?

    Thank you so much for your help, it's valuable for my study.

  11. #26
    FoxB
    check my answer in PM

  12. #27
    Thanks, FoxB. Now I know 'VENDOR_STRING' may use blowfish; I'll go on studying.

    Anyone who can give more help is still welcome and would be very appreciated.

  13. #28
    The question I most want to ask is: if the blowfish algorithm is used to generate the 'VENDOR_STRING', how is the length of the 'VENDOR_STRING' controlled?

    ex.

    If I want to output a 'VENDOR_STRING' with length=48, how is that done with the blowfish algorithm?
    If I want to output a 'VENDOR_STRING' with length=568, how is that done with the blowfish algorithm?
    Last edited by joyung; March 24th, 2012 at 01:57.

  14. #29
    FoxB
    length is param no.3 in the blowfish cipher call

  15. #30
    Originally posted by FoxB:
    > length is param no.3 in the blowfish cipher call

    Dear FoxB,

    Based on your check, I studied the blowfish algorithm and wanted to understand the 'VENDOR_STRING' generation, but still failed because of my limited knowledge.

    May I ask for more help from you? I just sent you a PM, would you have a look?

    Thanks a lot!
    Last edited by joyung; March 25th, 2012 at 23:28.
