Thread: FLEXNET: HOW TO build your own lmcrypt

#31

carlitos, the holes with the ecc protection are the same, even with the last version.. And pay attention, this vendor needs a license for an internet address hostid...
I already patched the program to work without any license file....
And to make the program work it may be necessary to patch 2 files.. Use 010 editor, and search inside the folder with this string "@(#) FlexNet".. You will find all target files...
    Last edited by istigatore; 2015-05-03 at 11:11 PM

#32

istigatore, that means:
- I have to patch ecc in the files where it is necessary (changing 558BEC > 33C0C3?)
- in the license file I have to write hostid and host if I use a license file

I don't know which patch makes it work without a license (this is what I wanted)

Now I will try to find "@(#) FlexNet"

thanks for your new clues

#33

istigatore, I have found 6 files looking for "@(#) FlexNet". I did the same with flexlmsearch08 with the same result.
Taking into account that it is version 11.13, do I have to change 558BEC > 33C0C3, or is it different in this version?

#34

    carlitos, I think you have to patch @offset 100c50e0 and 100c56af. And yes, 558BEC to 33C0C3.

#35

Quote Originally Posted by JonhB:
carlitos, I think you have to patch @offset 100c50e0 and 100c56af. And yes, 558BEC to 33C0C3.
Hi Jonh,
Thanks for your suggestion! Yesterday I looked exactly into 100c50e0 but didn't know where to place the second patch because the program crashes with a Segment violation error. You suggest 100c56af but this is the end of 100C53D0. What to put there? If I patch 100C53D0 + 100c50e0 it does not help. Did you mean 100C56B0? The latter (in hex format) is present at two places in all protected files but if I patch it, again no success.
I was just wondering what the hole is? In the older version of this program there is no problem directly patching the checkout, but here the program crashes and the hole is different. Somehow there is a hole in the hole.
    Last edited by kometata; 2015-05-04 at 08:35 AM

#36

    Kometata,

Identifying _l_pubkey_verify (and other interesting routines) is really quite easy when you know what to look for. I've copied a post I made (a while ago) ...elsewhere...

Use error codes ...that are.. well.. inherent to FLEXLM; whether they are present in all applications will depend entirely on what protection options are enabled by the developer (i.e. Altera, Matlab, Zuken etc).
Some are not present in Xilinx / Vivado as the developer chose to enable only the most basic of protections. That just means we needed to look for the license checkout and start from there.

The nice thing about these simple constants is that they generally persist, and have persisted, across a wide array of flexlm versions and different OSs too, when other commands / operands / structure based searches may not.
So instead of searching for long byte "signatures" that can change from version to version, these are built into Flexlm and haven't changed for as long as I can remember.

    l_pubkey_verify

    Windoze x86 68 1B 02 00 00 6A
    Windoze x64 B8 1B 02 00 00 BA
    Linux x64 BA 1B 02 00 00 BE
    MacOSX x64 BA 1B 02 00 00 BE

    l_prikey_sign

    Windoze x86 68 18 02 00 00 6A
    Windoze x64 B8 18 02 00 00 BA
    Linux x64 BA 18 02 00 00 BE
    MacOSX x64 BA 18 02 00 00 BE

Another method to find both routines is to search for 0x2930 ... normally that only occurs in the same two routines. (Yes, it could occur tons of times in any given app (resource section etc..), yet, surprisingly, it very rarely does.) Finding 0x2930 in l_pubkey_verify puts us right at the location that we would patch if we wanted to just patch the exit point (as opposed to the full lobotomy approach, i.e. nuking the entire routine). Patch the jz right above 0x2930 and the jnz right below it. A nice thing about exit point patching is that it still allows us to use flexlm diag to help with license issues. A full lobotomy nukes the portion of the routine that enables diagnostics output to the diag/log file (i.e. if we set the variable FLEXLM_DIAGNOSTICS = 3 and use that to spit out feature names).

    Windoze x86 68 30 29 00 00
    Windoze x64 BA 30 29 00 00
    Linux x64 BE 30 29 00 00
    MacOSX x64 BE 30 29 00 00

It's not perfect, there are always exceptions, but it's a nice simple start.

If a license fails and spits out an error code, it can be used as a first step in targeting a solution. They are not the be-all and end-all of how to patch flexlm; rather I arrived at using them as an easy tool to help folks (who do not normally fool around inside) become a little more self sufficient, rather than waiting for the next patch to appear on the interweb.
Searching for 0x21b for example accomplishes two things. a) it identifies l_pubkey_verify and b) is normally located very close to the start of the routine. This means with only a hex editor we can find and patch what's needed.

I'm not saying that you need to patch _l_prikey_sign, but we will most certainly need to patch _l_pubkey_verify. I will say that nuking the entire routine by patching the entry point doesn't always work. It is, perhaps, somewhat better to patch the exit point.
Hence my mentioning 0x2930, as that is exactly where the exit patch would go. The jz (jmp) above (0x0C5E7F) and the jnz (jmp) (0x0C5EA1) below. For most targets it doesn't matter, but for some (older Cadstar, for instance) it does. I only mention it so that you can add it to your list of potential patching options.

JohnB, may I ask what led you to wanting to patch 0x0C50E0? That's a genuine question, I'm always interested in different approaches.

    Cheers

    Just some useless info that may help no one :-)
    Last edited by bilbobaggins; 2015-05-04 at 11:41 AM

#37

bilbobaggins,

This is a great post and a very useful guide!! I will try to use it in the current topic too. I am not interested in this software, just trying to help and to learn myself. In fact a few hours ago I read about the 0x21b push and wrote this to @carlitos. This was exactly in the routines discussed above (100C53D0). Moreover, patching the exit points instead of the start, as suggested by you, is interesting and maybe in this way I will avoid the observed crashing... I will test in a few hours and will ask some more concrete questions. Thanks for your support in our efforts to learn the nature of the Flexlm holes!

For instance, in this example, the actual patch will be to replace jz and jnz with jmp (EB), correct?

    .textidx:00000001405B35CD jz short loc_1405B35F0 (here to jmp, i.e. EB)
    .textidx:00000001405B35CF mov r8d, [rsp+178h+var_114]
    .textidx:00000001405B35D4 mov edx, 2930h
    .textidx:00000001405B35D9 mov rcx, [rsp+178h+Source]
    .textidx:00000001405B35E1 call sub_1405F3130
    .textidx:00000001405B35E6 mov eax, 0FFFFFF8Dh
    .textidx:00000001405B35EB jmp loc_1405B3698
    .textidx:00000001405B35F0 ; ---------------------------------------------------------------------------
    .textidx:00000001405B35F0
    .textidx:00000001405B35F0 loc_1405B35F0: ; CODE XREF: l_pubkey_verify+A7Dj
    .textidx:00000001405B35F0 cmp [rsp+178h+var_138], 0
    .textidx:00000001405B35F5 jnz loc_1405B3694 (here to jmp, i.e, EB)

According to the specific case in the topic, the corresponding functions are sub_100C56B0 (l_pubkey) and sub_100F1180 (signature), respectively. However, 0x2930 seems not to be used in the signature subroutine (marked in red in IDA) and it also looks different (please see below):

    .textidx:100F16BD jz short loc_100F16E3
    .textidx:100F16BF mov ecx, [ebp-4]
    .textidx:100F16C2 push ecx
    .textidx:100F16C3 push 2930h
    .textidx:100F16C8 mov edx, [ebp+8]
    .textidx:100F16CB push edx
    .textidx:100F16CC call sub_100F1180
    .textidx:100F16D1 add esp, 0Ch
    .textidx:100F16D4 mov dword ptr [ebp-170h], 0FFFFFF8Dh
    .textidx:100F16DE jmp loc_100F193D
    .textidx:100F16E3 ; ---------------------------------------------------------------------------
    .textidx:100F16E3
    .textidx:100F16E3 loc_100F16E3: ; CODE XREF: .textidx:100F16BDj
    .textidx:100F16E3 lea eax, [ebp-1D8h]
    .textidx:100F16E9 push eax
    .textidx:100F16EA mov ecx, [ebp-1E0h]
    .textidx:100F16F0 push ecx
    .textidx:100F16F1 call sub_1016E410
    .textidx:100F16F6 add esp, 8
    .textidx:100F16F9 neg eax
    .textidx:100F16FB sbb eax, eax
    .textidx:100F16FD neg eax
    .textidx:100F16FF mov [ebp-4], eax
    .textidx:100F1702 jz short loc_100F1728
    ........

I applied the above patches but they did not help (...cannot check out AML license message..). So is this a matter of an incorrect license format, or? Moreover, are there such nice rules (holes) for the checkout function which make the program not use any license?
    Last edited by kometata; 2015-05-04 at 07:53 PM

#38

    Kometata,

I don't have the full AML installer, so I can't "play along", but I did see mention of the hostid having to be an internet based hostid. (istigatore: "this vendor need license to internet address hostid...")

If it's possible to patch so that no license is required, then we could start by patching the lm_checkout routine @ 0x0D32C0. That's how to remove the license requirement from Vivado, for example. It will all depend on what the vendor expects from the routine. If it's just a simple yes or no answer then it will work; if, however, it requires valid vendor strings etc, then we'll have to dig deeper.
Have you set the FLEXLM_DIAGNOSTICS environment variable = 3, and observed the error code produced? That will give a clue and allow us to trace back to what it doesn't like in the license.

#39

    bilbobaggins check your pm.
    thanks

#40

kometata, bilbobaggins,
the previous version of this App was patched and ran well without a license.
I have found out that the patches were in 2 files: axxxxl.dll has 2 and sxxxxr.exe has 4 (74 > EB). I have not seen that other files were patched, if I'm not wrong.
85C074328B15>85C0EB328B15
85C07439A1>85C0EB39A1
0000742D68>0000EB2D68
0000742F68>0000EB2F68
these patches try to bypass the license checkout

I have tried to do the same but no success: axx-runtime.exe crashes.

Maybe there are more in the same files in this new version or in other files... I'm lost
