
Thread: FLEXNET: HOW TO build your own lmcrypt

#41

    Hi carlitos and bilbobaggins,
    yes, I found that. For me, even only patching the .dll file this way for version 7.7 is OK. I will post the output from FLEXLM_DIAGNOSTICS=3.

    A question for bilbobaggins and all other members: is there a general way, like the one shown above for l_prikey and l_pubkey, to find the check_signature function or its relatives? This is what I am most interested in now.

#42

    I have not tried this, kometata.
    The question is: why does this solution not work in our case?

#43

    Quote Originally Posted by istigatore View Post
    I already patched the program to work without any license file...
    And to make the program work it may be necessary to patch 2 files...

    istigatore, following your tips I have found 6 files with "@(#) FlexNet", and only 2 of them were patched in the previous version. If I patch the same in these 2 files (supposedly no license file is needed), the app crashes and seems to expect to check the license file (lmgrd), so I understand that I need to patch something more.

    Any help, please?

#44

    Hi bilbobaggins,
    Yes, those constants are very useful to identify the pubkey/prikey functions. However, I find that the asm code for some constants is not in a function region (flexlm 11.7 linux daemon). What is the latest version in which those values can be used, in your experience? E.g. 10533-10545 should be in l_prikey_verify per the 9.2 source code, but they are located in some .text area (IDA) and do not belong to any function.


    dx:00530CA4 68 30 29 00 00 push 2930h

    // l_prikey.c
    if ((returnValue = sb_ecdsaVerifyEnd( m->global_data, &m->publicKey,
                                          &ecc_sig, &verifyContext, &verificationResult)) != SB_SUCCESS)
    {
        l_pubkey_err(job, 10544, returnValue); // 10544 = 0x2930
        ret = LM_PUBKEY_ERR;
        goto exit_verify;
    }



    Thanks

#45

    dionysosww, the latest version? 11.13.x.x. If you really mean the oldest version, then from memory it goes back to when they added CRO keys, version 8 or 9? It's been a long time, so I may be off a wee bit.

    I "play" with windoze, Linux and Macosx, and have found those constants in all three. I'd like to look at your flexlm 11.7 daemon (could you upload it?). There are always exceptions.

    As for IDA showing it in the .text area? I'm not sure that I really understand, as executable code can reside, or be hidden for that matter, in practically any section (I suppose it really depends on what flags are set). These routines typically reside in .text or .textidx sections. In a linux daemon I'm currently looking at, _l_check_keylock is located in the .text section, while most of the "juicy" bits are in the .textidx section.

    As for no references, without looking at the specific daemon it's hard to comment, but calls can be dynamically assigned (for example call eax, where eax was loaded previously with a function address) or hidden, and IDA may or may not identify references. There are times when IDA doesn't even identify functions and needs a little help identifying them. If I've misunderstood your question(s), then my apologies.

    For me the biggest help in identifying key functions has come from using IDA on Macosx daemons (MATLAB2015a for MACosx, Flexlm 11.12.x.x, for example). 90% or more of the function names are not obfuscated; they are plaintext and nicely named for us to follow. You can quickly identify structures and patterns, you quickly get to know what lc_checkout looks like, or our old favorite _l_sg, and you get a feel for operational flow (using either Bochs or x64debug). Then when you open a windoze daemon in IDA, the names, and even having to find/make .map / signature files for each new version, become less important.

    Linux daemons are similar, but I've found a few more obfuscated functions than with the MAcosx versions. If you're already aware of this, then great, it's just a suggestion. Cheers, SB7
    Last edited by bilbobaggins; 2015-05-08 at 11:21 AM

#46

    Hi again.
    I have patched ECC in my target.
    I have also made a new license file with lmcrypt (I don't know if it is OK).

    The log file seems OK (lmgrd and vendor daemon),
    but I get this error message and the app crashes:

    FlexNet Licensing checkout error: Local checkout filter rejected request.
    Feature: xxx_FEATURE_xxx_x_x_x
    License path: C:\xxxxx\Applications\xxxxxx\xxxxxx\xxxx\license-management\license.dat;
    FlexNet Licensing error:-73,125

    Any help?
    Last edited by carlitos; 2015-05-08 at 11:33 AM

#47

    Hi Carlitos,

    I'm away from my main PC. If I remember correctly that error is related to the vendor_info string not being correct in the license ... ( that's where I left off when I had a few minutes to look at it yesterday)
    _l_local_verify_conf @ D4290. Have you tried patching that routine to return 0 ? ( Related to _l_checkout_borrow -> _l_ckout_ok)
    Last edited by bilbobaggins; 2015-05-08 at 12:43 PM

#48

    Hi bilbobaggins,
    Thanks for the detailed explanation, it's really helpful.
    In my understanding, a constant like 0x2930 should be located in the prikey/pubkey proc. In my 2 trials they are found in pubkey, but prikey seems to be wrong in IDA (version 6.6); maybe IDA failed to identify the prikey proc for some reason like in your comment. Please help check this daemon. I find this behavior in 2 daemons, one is 9.5, the other is 11.7. I have been able to bypass ECC with "xor eax,eax", but I want to look at the detailed picture of the function calls. What do you mean by "a little help" to identify a function for IDA? Please shed some light.
    The MATLAB2015a for MACosx case is very interesting. I checked the matlab2013a win version, the procs are obfuscated; I'll try the osx version you mentioned. Do you know if there are other such cases on windoze? Playing with a non-obfuscated program is helpful to get the whole picture for a newbie like me.


    From cdslmd (flexlm 11.7), IDA failed to identify the proc starting at 080BE8C6.


    .text:080BE8C2 pop esi
    .text:080BE8C3 pop edi
    .text:080BE8C4 pop ebp
    .text:080BE8C5 retn
    .text:080BE8C5 sub_80BE865 endp
    .text:080BE8C5
    .text:080BE8C6 ; ---------------------------------------------------------------------------
    .text:080BE8C6 push ebp
    .text:080BE8C7 mov ebp, esp
    .text:080BE8C9 push edi
    .text:080BE8CA push esi
    .text:080BE8CB push ebx
    .text:080BE8CC sub esp, 3Ch
    .text:080BE8CF mov dword ptr [ebp-10h], 0
    .....................................
    .....................................
    code from cdslm:
    .text:080BEC73
    .text:080BEC73 loc_80BEC73: ; CODE XREF: .text:080BEC66j
    .text:080BEC73 lea ebx, [ebp-150h]
    .text:080BEC79 push ebx
    .text:080BEC7A push dword ptr [ebp-1C0h]
    .text:080BEC80 call sub_80CCDA8
    .text:080BEC85 pop esi
    .text:080BEC86 test eax, eax
    .text:080BEC88 pop edx
    .text:080BEC89 jz short loc_80BEC96
    .text:080BEC8B push eax
    .text:080BEC8C push 292Fh
    .text:080BEC91 jmp loc_80BEDE9
    .text:080BEC96 ; ---------------------------------------------------------------------------
    .text:080BEC96
    .text:080BEC96 loc_80BEC96: ; CODE XREF: .text:080BEC89j
    .text:080BEC96 push ebx
    .text:080BEC97 push dword ptr [ebp+0Ch]
    .text:080BEC9A push dword ptr [ebp+10h]
    .text:080BEC9D push dword ptr [ebp-1C0h]
    .text:080BECA3 call sub_80CCDED
    .text:080BECA8 add esp, 10h
    .text:080BECAB test eax, eax
    .text:080BECAD jz short loc_80BECBA
    .text:080BECAF push eax
    .text:080BECB0 push 2930h
    .text:080BECB5 jmp loc_80BEDE9
    .text:080BECBA ; ---------------------------------------------------------------------------
    .text:080BECBA
    .text:080BECBA loc_80BECBA: ; CODE XREF: .text:080BECADj
    .text:080BECBA lea eax, [ebp-1B8h]
    .text:080BECC0 push eax
    .text:080BECC1 push dword ptr [ebp-1C0h]
    .text:080BECC7 call sub_80CCEE4
    .text:080BECCC pop edx
    .text:080BECCD test eax, eax
    .text:080BECCF pop ecx
    .text:080BECD0 setnz al
    .text:080BECD3 movzx eax, al
    .text:080BECD6 test eax, eax
    .text:080BECD8 jz short loc_80BECE5
    .text:080BECDA push eax
    .text:080BECDB push 2926h
    .text:080BECE0 jmp loc_80BEDE9
    .text:080BECE5 ; ---------------------------------------------------------------------------
    .text:080BECE5
    .text:080BECE5 loc_80BECE5: ; CODE XREF: .text:080BECD8j
    .text:080BECE5 lea eax, [ebp-2Ch]
    .text:080BECE8 push eax
    .text:080BECE9 push ebx
    .text:080BECEA push dword ptr [ebp-1C0h]
    .text:080BECF0 call sub_80CCE62
    .text:080BECF5 add esp, 0Ch
    .text:080BECF8 test eax, eax
    .text:080BECFA jz short loc_80BED07
    .text:080BECFC push eax
    .text:080BECFD push 2931h
    .text:080BED02 jmp loc_80BEDE9
    .....................................
    .....................................
    .text:080BEFC7 lea esp, [ebp-0Ch]
    .text:080BEFCA mov eax, ebx
    .text:080BEFCC pop ebx
    .text:080BEFCD pop esi
    .text:080BEFCE pop edi
    .text:080BEFCF pop ebp
    .text:080BEFD0 retn
    .text:080BEFD1
    .text:080BEFD1 ; =============== S U B R O U T I N E =======================================
    .text:080BEFD1
    .text:080BEFD1 ; Attributes: bp-based frame
    .text:080BEFD1
    .text:080BEFD1 sub_80BEFD1 proc near ; CODE XREF: .text:080BF3FAp
    .text:080BEFD1 ; .text:080BF409p ...


    Thanks
    Last edited by dionysosww; 2015-05-08 at 02:25 PM

#49

    Quote Originally Posted by carlitos View Post
    Hi again.
    I have patched ECC in my target.
    I have also made a new license file with lmcrypt (I don't know if it is OK).

    The log file seems OK (lmgrd and vendor daemon),
    but I get this error message and the app crashes:

    FlexNet Licensing checkout error: Local checkout filter rejected request.
    Feature: xxx_FEATURE_xxx_x_x_x
    License path: C:\xxxxx\Applications\xxxxxx\xxxxxx\xxxx\license-management\license.dat;
    FlexNet Licensing error:-73,125

    Any help?
    I have the exact same problem you have after ECC patching. And I'm sure that in my case the vendor_info string is OK in the license file, since I have original lic. I just wanted to make a permanent license. My target is 11.12. I'll have to dig more I guess

#50

    Hi dionysosww,

    I can't download your attachment (don't have enough rep points yet), but from what you've posted, that IS _l_prikey_sign. No doubt about it. It has 0x2926, 0x2931 etc., and I'll bet it has 0x218.
    By helping IDA, I mean that as there are no references found, IDA probably didn't traverse through that code, so it doesn't have a context to format it into a function. Therefore, you have to help IDA identify it as a function. (This is actually quite common with IDA; it's not an AI, it can only do so much.) So find the constant, or whatever you use to identify what you know or believe is the function, and find its start, "push ebp" etc. for example. Normally IDA will tag the start with an "align xx" (it's seeing the CC CC CC's or similar that the compiler added to set alignment on segment boundaries; the segment boundaries and alignment bytes are based on the compiler settings, OS type, etc.). Right click on the "push ebp" and select "create function". Now _l_prikey_sign will "magically" appear and you can "graphview" and start your analysis.

    Regarding the Matlab2013 windoze version: in general, no matter what application, the windoze versions are fully obfuscated and have been for some time. However, linux and macosx versions generally are not. I should add that as Flexlm is Flexlm, you can still learn a lot about flexlm by studying any linux or macosx protected app, and that info will prove extremely useful no matter what windoze application you are researching.

    Hope this helps
    Last edited by bilbobaggins; 2015-05-09 at 07:35 AM
