Thread: snpslmd on solaris...

  1. #1
    netman
    Guest

    snpslmd on solaris...

    I tried to crack snpslmd on Solaris using SDK v6.1 and adb.
    snpslmd implements a user crypt filter, so Nolan Blender's latest essay is a big help in this.
    After two days' work, I got the xor values and the permutation table (of course, lm_code.h is ready).
    But the lmcrypt I built just doesn't generate a correct key.
    I modified lm_code.h, lmkeyfil.c, lmappfil.c and everything mentioned in NB's essay.
    So help!!!
    If it helps, I could post all the info I got (xor/table/seeds).
    Or could someone out there who already has experience with snpslmd help check my extracted info?
    Maybe I missed something tricky?
    Anyway, thanks in advance.

    ----
    netman
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  2. #2
    nblender
    Guest
    Post what you got so far and I'll have a look.

    --nb.

    Does anyone know a good place to store temporary files?

    I have the 6.1 Solaris FLEXlm SDK here, and there's
    enough people interested that it would be nice
    if it was available.

  3. #3
    netman
    Guest
    thanks, NB!!!!
    ...
    code:
    .
    .
    .
    VENDOR_KEY4 0xdf0ab4f1
    VENDOR_KEY5 0x74f2127a
    ...
    XOR:
    0x3c, 0x31, 0x20, 0x2a,
    .
    .
    .
    0x38, 0x22, 0x21, 0x37
    ...
    table:
    {5,0,1,7,6,3,4,2}, /* idx 00 */
    .
    .
    .
    {3,6,4,2,0,7,1,5}, /* idx 15 */
    .
    .
    .
    {7,5,4,1,2,6,3,0}, /* idx 19 */

    ---
    netman

  4. #4
    nblender
    Guest
    netman (03-30-2001 16:17):
    thanks, NB!!!!
    ...
    code:
    ENCRYPTION_SEED1 0x987d844e
    ENCRYPTION_SEED2 0xf43dc726

    netman
    The tables you have for the user filter are OK,
    but the encryption seeds that you have are incorrect.

    11d215b5 7d9256dd are the values that I got.

  5. #5
    netman
    Guest
    NB, big thanks for your help.
    lmcrypt works now.
    I will check my seeds more carefully. Thanks again...

    [NOTE: I removed some info from my previous post. It contained all the info needed to easily crack snpslmd. If you need any help, just mail me.]

  6. #6
    nblender
    Guest
    netman (03-30-2001 18:55):
    NB, big thanks for your help.
    lmcrypt works now.
    I will check my seeds more carefully. Thanks again...

    [NOTE: I removed some info from my previous post. It contained all the info needed to easily crack snpslmd. If you need any help, just mail me.]
    You're welcome.

    FYI, arguments in slowlaris are passed in registers, so you have to set the register
    corresponding to the leftmost argument to zero
    in order to get a null pointer passed in as the job ptr.

    This also doesn't work on 7.2 and later versions.

  7. #7
    Paul
    Guest
    nblender (03-30-2001 22:10):
    netman (03-30-2001 18:55):
    NB, big thanks for your help.
    lmcrypt works now.
    I will check my seeds more carefully. Thanks again...

    [NOTE: I removed some info from my previous post. It contained all the info needed to easily crack snpslmd. If you need any help, just mail me.]
    You're welcome.

    FYI, arguments in slowlaris are passed in registers, so you have to set the register
    corresponding to the leftmost argument to zero
    in order to get a null pointer passed in as the job ptr.

    This also doesn't work on 7.2 and later versions.

  8. #8
    Paul Lee
    Guest
    Sorry, I made a mistake!!

    How can I get the correct seed in FlexLM 7.1 or higher?
    I have read the lm_new.c file of v6.1 and v7.2a:

    In v6.1, if the job is null, it sets the memory to zero, so I can get the correct seeds:

    if (job)
    {
        .
        .
        .
    }
    else
    {
        memset(t2.a, 0, sizeof(t2.a));
    }

    But in v7.2a, if the job is null, it returns directly, so I can't get the correct seeds:

    if (job)
    {
        .
        .
        .
    }
    else
    {
        return;
    }

    Thanks for any help!!!

  9. #9
    nblender
    Guest
    In order to get the seeds out with later
    versions, you have to recombine information
    from the job structure and the vendorcode
    structure.

    As it turns out, the algorithms used to distribute the data between the
    VENDORCODE and the job structures are quite simple and based only on the first
    character of the vendorname. Since lm_new.c is generated by lmrand2, it is
    possible to totally reverse engineer how the seeds are extracted, then write a
    program to recombine the data from the job structure and the vendorcode
    structure, and recover the seeds this way. The essay nol_flex.htm contains a
    detailed description of this.

  10. #10
    Paul Lee
    Guest
    nblender (03-31-2001 10:18):
    In order to get the seeds out with later
    versions, you have to recombine information
    from the job structure and the vendorcode
    structure.

    As it turns out, the algorithms used to distribute the data between the
    VENDORCODE and the job structures are quite simple and based only on the first
    character of the vendorname. Since lm_new.c is generated by lmrand2, it is
    possible to totally reverse engineer how the seeds are extracted, then write a
    program to recombine the data from the job structure and the vendorcode
    structure, and recover the seeds this way. The essay nol_flex.htm contains a
    detailed description of this.
    Thanks, nblender.
    Is this essay's title "Information Hiding Methods used by FlexLM Targets:
    An Explanation of the FlexLM Seed Hiding System"?

  11. #11
    ic_ray
    Guest

    dear netman

    Dear netman and nblender,
    Can you mail me the permutation table of snpslmd? I also want to try it and study it. Thank you.

  12. #12
    nblender
    Guest

    Some initial hints

    I sent you the first 4 entries of the xortable and the permutation
    table. This is enough to get you started, but I don't think it is
    appropriate for me to send you a full solution.

    --nb