
Thread: Need some help for hardware protection

  1. #1

    Hi all
    Before everything I should say this is my first test at cracking a program that
    uses hardware locks.
    My program uses Sentinel+Flexlm protection. But the big problem is that I don't
    have the Sentinel hardware dongle and no license structure for Flexlm. This program
    first tests for the existence of the dongle, then goes for the Flexlm license; if there is no dongle
    it never goes on to check the license.
    I found a jump that prevents checking the license when there is no dongle, but now
    I'm in the Flexlm checking routine and there is no license structure.
    My problems:
    1- How can I find the version of Flexlm used in the program? (Strange, but I don't know
    how to find it!)
    2- I read some tutorials from CrackZ, but in most of them we know the license structure;
    what should I do when I have nothing about it? (My last error is ERR_FILE_NOT_FOUND!)
    3- I don't know why, but none of the Sentinel signatures that I got for IDA is working,
    and they find no functions in the body. Why? (I tested at least 5 different signatures that I found
    for Sentinel.)

    If somebody knows any tutorial for when we should crack a program with Flexlm other than by
    making a license for it, please tell me.

    Sorry for these questions; this is my first hardware dongle and Flexlm protection bypass,
    so I need some help.

    sincerely yours
    I should look out my posts, or JMI will get mad at me! ;)

  2. #2
    Hero, here are my answers to your questions:

    1 - the simple way to find out what version of FlexLM you have, is to just search through your target for FlexLM, normally they proclaim the version number loudly, and proudly within their code.

    2 - 99% of the people who use Flex use the same format, so, just copy any license file, and change the necessary bits, (product name, company name), and see if you can get it to the point where it's just complaining about your code not being correct.

    3 - The only answer I have for this one is that it's a different version than the one that you're dealing with.

    CrackZ has some great tutorials, but if they don't apply 100% to your target, you have to take what you can from them, and fill in the gaps with your own experience.

  3. #3

    As Above

    1. Go to the Macrovision site. Download lmutils.exe. Run it and it will ask you for a file. Select the .dll, .ocx or .exe files that you think (better to select all files one by one in the directory of the app) and it will show you which version of Flexlm it is.

    If you can bypass Sentinel dongle check, then you don't need any other information to break the Flexlm protection apart from the dummy license file with feature names and their versions.

    Have Phun
    Blame Microsoft, get l337 !!

  4. #4

    Flexlm

    Aimless is referring to the ECC patch - easy to find info on. Most targets that use FlexLM can use a dongle or other piece of hardware; the dongle is not a necessity, some even allow HostID=ANY. The important thing to learn is the lic. structure and the feature names; that info along with the ECC patch may get you going. If you want to have some fun, try to find the seeds; with the vendor ID you can generate a valid lic. using any one of several tools - Flexgen for older versions, EFA licgen for newer versions, and a few other tools.

    SiGiNT
    Unemployed old fart Geek - Self Employed Annoyance
    Team: Noobisco Crackers
    If someone can't do it for you, you'll never learn!

  5. #5
    Thanks for the help.
    I now have more information about my problem. The program uses Flexlm 6.1a,
    which uses a server, and there is no DLL (such as lmg*.dll).
    There is only a server for Flexlm named vlg_lmd.
    This Flexlm uses a Rainbow Sentinel dongle for all of its programs (for example
    the program HOSTID.EXE will not work without that dongle).
    But I still need some help:
    1- The VENDORNAME that is sent to _lc_init is the vendor name of the product, isn't
    it? Then why is the server name (vlg_lmd) sent to it?
    2- There is no demo Flexlm license for this application (because when there is no
    dongle, there is no test for the license file). Then where is the best place for finding
    out the structure of the license file? (I followed the program and found out some parts
    of this file, but I still have problems with it.)
    3- I can't find any help for this version of the Flexlm routines or its SDK. Is there anybody
    who knows where I can find it? (All that I found is for newer versions.)
    4- What is the best way for bypassing the dongle in this mode? Do you know any tutorials
    that are similar to my problem? (Flexlm license generating without any data for its
    license file structure, for a program that uses a Sentinel dongle too, without having the dongle.)

    Perhaps this will be simple for you, but it isn't for me the first time.
    I attached my uncompleted license file that I figured out. If you know something
    that I should add to it (normally found with this problem), please tell me.

    sincerely yours
    Last edited by Hero; January 28th, 2005 at 13:07.

  6. #6
    If it requires a dongle for the lic. check (unusual!), there is an emulator available that emulates both ver 7.x and 6.x; PM me and I can either get it to you or point you to where to look. Your license is missing the encrypted info; even with the ECC patch it needs to be there, and the feature line needs to be formatted correctly. Have you been able to locate the seeds? Maybe generating a valid lic. would be easier. I'll get chastised for this but, in a single-feature situation, sometimes disabling the l_checkout or lc_checkout will allow the target to function without a lic. One way to do this is to replace the sub-routine with XOR EAX, EAX followed by a RTN - 33 C0 C3. The problem with this approach is that occasionally it appears to work and all of a sudden the feature disappears while running the target.

    SiGiNT

  7. #7
    Thanks for the quick reply.
    But I should say that I never got to lc_checkout in my tracing to disable it!

    In addition, thanks for the emulator suggestion; I got it, and now I should test it!
    sincerely yours
    Last edited by Hero; January 28th, 2005 at 14:06.

  8. #8
    Hiya,

    You sound very confused. If there is no lmg*.dll try searching the binaries for the static lmgr.lib, use lmtools available all over the web and check the main executables/dll's. vlg_lmd.exe is the vendor daemon and has the same name as the vendor, that's how FLEXlm works (it's not unusual), else people could name their vendor daemons the same and problems would ensue.

    The FLEXlm licensing layer has no way to force use of a dongle, the dongle routines are only called if it detects the FLEXID= in the license string, the only possibility is that the vendor makes a check of his own before calling FLEXlm, this ought to be trivial to verify and you NEED to do this as a priority.

    You need a FLEXlm SDK, but you need to know which version you're dealing with first (catch 22). Someone suggested an ECC patch, if this is v6.1a FLEXlm the format of your license is absolutely fine, ECC wasn't conceived at this time.

    On your next post please try to state:

    1. What version of FLEXlm it definitely is (as reported by lmtools), and the files that are protected.
    2. What you have done to locate the FLEXlm and/or Sentinel routines, i.e. we'll need to know whether you reach _lc_checkout() or not, or what part of the dongle routines you are struggling with.
    3. Some code illustrating 2. would most likely be useful.

    Regards

    CrackZ.
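Added example, not code from any poster in this thread: a small reader for the FLEXlm license text format CrackZ describes, which joins the backslash continuations Hero mentions ("SERVER this_host \") and reports whether each FEATURE line is bound to a FLEXID= hardware key (the condition CrackZ says triggers the dongle path) or to ANY. The vendor daemon name vlg_lmd is from the thread; the feature names, keys and FLEXID value are constructed placeholders, and the six positional FEATURE fields are assumed from the classic FLEXlm layout.

```python
# Constructed sample in the FLEXlm license text format discussed above; the vendor
# daemon name vlg_lmd is from the thread, keys and the FLEXID value are placeholders.
SAMPLE_LICENSE = """\
SERVER this_host ANY
VENDOR vlg_lmd
FEATURE f1 vlg_lmd 1.0 permanent 1 0123456789AB \\
    HOSTID=FLEXID=9-PLACEHOLDER
FEATURE f2 vlg_lmd 6.1 1-jan-2006 5 ABCDEF012345 HOSTID=ANY
"""

FEATURE_FIELDS = ("name", "vendor", "version", "expiry", "count", "key")

def hostid_kind(feature: dict) -> str:
    """'dongle' when bound to a FLEXID= hardware key, 'any' for ANY, else 'node'."""
    hid = feature["options"].get("HOSTID", "ANY").upper()
    if hid.startswith("FLEXID="):
        return "dongle"
    return "any" if hid == "ANY" else "node"

def logical_lines(text: str) -> list:
    """Join backslash continuations (as in 'SERVER this_host \\') and drop # comments."""
    out, buf = [], ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        buf += line
        if buf.strip() and not buf.lstrip().startswith("#"):
            out.append(" ".join(buf.split()))
        buf = ""
    return out

def parse_license(text: str) -> dict:
    """Return SERVER entries, vendor daemon names and parsed FEATURE/INCREMENT lines."""
    lic = {"servers": [], "daemons": [], "features": []}
    for line in logical_lines(text):
        tok = line.split()
        kw = tok[0].upper()
        if kw == "SERVER":
            lic["servers"].append(tuple(tok[1:]))
        elif kw in ("VENDOR", "DAEMON"):
            lic["daemons"].append(tok[1])
        elif kw in ("FEATURE", "INCREMENT"):
            # six positional fields, then KEY=VALUE options such as HOSTID=
            feat = dict(zip(FEATURE_FIELDS, tok[1:7]))
            feat["options"] = dict(t.split("=", 1) for t in tok[7:] if "=" in t)
            lic["features"].append(feat)
    return lic
```

Running `parse_license(SAMPLE_LICENSE)` and `hostid_kind()` over each feature shows f1 as dongle-bound and f2 as ANY, which is the distinction that decides whether the dongle routines are ever called.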

  9. #9
    Hi CrackZ
    Before everything I should thank you for your IDA signature of Flexlm that I found
    on your site; that helped me very much for tracing the program. (I downloaded all of
    your site with wget! )

    To answer your questions I should say:
    1- As I said, my program uses Flexlm v6.1a, because lmtools says:
    --------- Version ---------
    FLEXlm 6.1a (liblmgr.a), Copyright (C) 1988-1998 Globetrotter Software, Inc.
    In addition all .exe files in the program's main directory and only 1 DLL use this version
    of Flexlm too.
    2- It was strange for me, but I can't get to _lc_checkout. Does it depend on the correctness
    of my license file structure? In most of the tutorials that I saw they use this function,
    but I can't reach it.
    3- My major attempt up to now was making the correct structure for the license file; I don't
    know whether it's better to work on something else or not.
    4- I can't find this version's SDK, and don't know where to get it. (Perhaps somebody
    can help with this. )
    5- For making a correct license file, I traced the program and saw that the first line
    of the license is what I wrote (SERVER this_host \), but when I get to _l_get_one_id
    for the second line, this function returns an error code, and I don't know why.
    6- As I found out, my program uses a .lib file that was compiled with the program, because
    using IDA FLAIR on the main program shows up Flexlm functions.
    Edited: 7- Don't believe everything that I wrote in that license, because it's only for test.
    For example I got VENDORNAME from lc_init() and it should be correct, but I don't
    know whether my feature names are correct or not.

    sincerely yours
    Last edited by Hero; January 29th, 2005 at 00:52.

  10. #10
    Of course CrackZ is absolutely right about the ECC patch - that doesn't apply till later versions. Thanx for correcting me - it was early when I posted -LOL- new rule: 2 cups of coffee before posting.

    Thanx again

    SiGiNT

    Later thought: You know the vendor code and you have the feature name, all you need to do is find the seeds and generating a valid lic using flexgen would be an option rather than patching.
    Last edited by SiGiNT; January 28th, 2005 at 19:21. Reason: addition

  11. #11
    Hiya again ;-).

    1. Fine.

    2. This is your main problem; if you can't reach _lc_checkout() you MUST figure out why the code isn't getting there; I suggest also you paste to us what you think is _lc_checkout() so we can verify you're looking in the right place.

    3. Not having a valid license file format usually has absolutely nothing to do with _lc_checkout() not being executed; it's a waste of time to tinker pointlessly with your fake license file that's never going to be accessed (from what I saw the format's fine anyway, you can worry about features when you get to _lc_checkout() ;-)). See 2. _lc_checkout() is the encapsulating routine responsible for finding, validating and checking out your license, it has to execute.

    4. Once you know why, I can provide you an SDK ;-).

    5. I see no point in you having a SERVER or VENDOR entry in your license file unless you are going to attack/use the vendor daemon.

    6/7. Your problem is getting _lc_checkout() to execute, the rest are details to solve AFTER. The vendor name is correct, if you have a vendor daemon of the same name.

    Note to sigint33 - Sorry if I came off as some kind of asshole in that last post ;-), I'm more for tea though ;P.

    Regards

    CrackZ.

  12. #12
    CrackZ,

    No offense taken! With my less than thimble-full of knowledge regarding Dongle cracking, I expect some flames, I'm just trying to be of some help, I'm sure you are going to continue to be a valuable resource, and I'd really not like to get on your shitlist!

    SiGiNT

  13. #13
    Hi again
    1- Bad NEWS: I can't reach _lc_checkout() yet!
    I suggest also you paste to us what you think is _lc_checkout() so we can verify your looking in the right place.
    I don't get exactly what you mean by that; by the way, I think what is shown
    by IDA FLIRT as _lc_checkout() is _lc_checkout()!
    2- Good NEWS: I found a place that prevents reaching _lc_checkout(), and
    it depends on the existence of the license file. Look at this:

    *******
    .text:00547A46 lea eax, [edi+2] ; switch 5 cases <----This switches between feature types.
    .text:00547A49 cmp eax, 4
    .text:00547A4C ja short loc_547A88 ; default
    .text:00547A4E jmp ds:off_547A9C[eax*4] ; switch jump
    .text:00547A55
    .text:00547A55 loc_547A55: ; DATA XREF: .text:off_547A9C↑o
    .text:00547A55 mov al, byte_61ED00 ; case 0x2
    .text:00547A5A test al, al
    .text:00547A5C jnz short loc_547A8F ; case -0x2<---If there is no license file this jump will not happen.
    .text:00547A5E push offset aNoFeatureAvail ; "No feature available in license file.\n"
    .text:00547A63 push offset byte_61ED00
    .text:00547A68 call ds:sprintf
    .text:00547A6E mov ecx, [esp+28h+arg_0]
    .text:00547A72 mov dword_61D5F4, 0FFFFFFFBh
    .text:00547A7C add esp, 8
    .text:00547A7F mov [ecx], edi
    .text:00547A81 pop edi
    .text:00547A82 pop esi
    .text:00547A83 pop ebp
    .text:00547A84 add esp, 14h
    .text:00547A87 retn
    *******

    Is there any idea for finding out the place of the needed _lc_checkout()? (except tracing
    the whole program, which I am doing now! )

    In addition I attach the wingraph32 result for xrefs to _lc_checkout(); perhaps it will be useful.

    sincerely yours

  14. #14
    Just a thought: you've made a license of sorts, but is it located where the target is looking for it? Is there an env. variable or a reg. entry that needs to point to it?

    SiGiNT

  15. #15

    Why can't I get the correct seed?

    The version of the target is FLEXlm 6.1 on Solaris. I know the seed on Windows, but I can't get it on Solaris. I have only one question: where is the breakpoint?
    Last edited by jb1968; January 31st, 2005 at 10:44.
