Flexlm Stepped Walkthrough

[kometata]

The last edition of the schrodinger vendor is not obfucated.. So You can easly fish the seeds.. I done this job in less than 4 minutes with olly and ida..

Btw can someone just clarify whether the seeds recovery procedure for the higher versions is absolutely the same as in the old versions (Git manual?)? I still can't extract above mentioned seeds, could istigatore or someone other share how made this?

For instance, for M..O..E 2012 and actually each program above 11.9 I can't reach the _l_n36_buff EB09 and stop to I/O command ..ED. Could someone explain why?

[rohank]

Kometata procedure is exactly same for newer version of 32 bit vendors. I have recovered seeds for 11.11 using the same methos

[carlitos]

kometata check your pm, I'm sending you the seeds found with the standard procedure

[kometata]

Thanks rohank and carlitos! There is something wrong in my 3 PCs but I can't figure out what..I can't reproduce my own tutorial on any higher target. Rohank you use win7? Carlitos succeeded using the same approach. Changed this issue to corresponding topic:
http://www.finetopix.com/showthread....757#post236757

I will be glad if we continue discussion here with the long "vendor_info" problem..

[sumenwang]

thanks very much! brother

ok, lets go.
1. Use Flexlm Vendor Key Generator 3.0 to create vendor keys.
I selected 11 version in the options and put the server name in the Vendor Name slot.
the result looks like this:

/* Version 11 keys */
#define VENDOR_KEY1 0x54ca9326
#define VENDOR_KEY2 0xed82e159
#define VENDOR_KEY3 0xf67b305a
#define VENDOR_KEY4 0x0605a63d
#define VENDOR_KEY5 0x191657c4
#define TRL_KEY1 0x1f1abe22
#define TRL_KEY2 0x508f8593

#define VENDOR_NAME "vega"

2. Following docslide-net_flexlm7x-114seedextraction.pdf instructions I created I dummy.dat file using notepad and inside it I wrote these

SERVER VEGA ANY
VENDOR adskflex
USE_SERVER
INCREMENT test adskflex 1.000 20-mar-2015 1 0123456789AB

3. Continuing to follow the above instructions I downloaded the ollydbg 2.0 and now I am going to use it to extract the seed1 and seed2

[rohank]

Thanks rohank and carlitos! There is something wrong in my 3 PCs but I can't figure out what..I can't reproduce my own tutorial on any higher target. Rohank you use win7? Carlitos succeeded using the same approach. Changed this issue to corresponding topic:
http://www.finetopix.com/showthread....757#post236757

I will be glad if we continue discussion here with the long "vendor_info" problem..

I use win 8.1 but I dont think procedure changes from windows. there is some other problem you are having

[kometata]

Can someone please help me to patch this file:
https://mega.co.nz/#!alMkCSwI!Y6Xh1-...8Tb_4xH6Em-6mA

The l_pubkey_verify is not a problem to be patched but I can't find/sure where to patch the Public key ( vendor info keys) ?

The Pubkey was linked with an instance and I try to change this Jz but without effect:
--------------------------------------------------------------------------------
.text:000000014001BF9F jz short $+2 (here changed to 00, probably had to be jmp)
.text:000000014001BFA1
.text:000000014001BFA1 loc_14001BFA1: ; CODE XREF: sub_14001BEE0+BFj
.text:000000014001BFA1 db 66h, 66h, 66h, 66h, 66h, 66h
.text:000000014001BFA1 nop word ptr [rax+rax+00000000h]
.......
.......
.......
.text:000000014001C002 loc_14001C002: ; CODE XREF: sub_14001BEE0+68j
.text:000000014001C002 lea rcx, [rsp+1138h+var_1018] ; Dst
.text:000000014001C00A lea rdx, Src ; "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgk"...(pubkey was linked to 1BF9F)
.text:000000014001C011 mov r8d, 1C3h ; Size
.text:000000014001C017 call memcpy
------------------------------------------------------------
OR the magic is here?

------------------------------------------------------------
.textidx:0000000140093C2D jz short loc_140093CA8
.textidx:0000000140093C2F mov r8, [rsp+4A8h+arg_20]
.textidx:0000000140093C37 lea rdx, aSlmpubkey_h ; "%slmpubkey.h"
.textidx:0000000140093C3E lea rcx, [rsp+4A8h+Dest] ; Dest
.textidx:0000000140093C46 call sprintf
.textidx:0000000140093C4B call __iob_func
.textidx:0000000140093C50 add rax, 30h
.textidx:0000000140093C54 lea r8, [rsp+4A8h+Dest]
.textidx:0000000140093C5C lea rdx, aGeneratingHe_0 ; "Generating header file %s\n"
.textidx:0000000140093C63 mov rcx, rax ; File
.textidx:0000000140093C66 call fprintf
.textidx:0000000140093C6B lea rdx, aW_0 ; "w"
.textidx:0000000140093C72 lea rcx, [rsp+4A8h+Dest] ; Filename
.textidx:0000000140093C7A call fopen
.textidx:0000000140093C7F mov [rsp+4A8h+File], rax
.textidx:0000000140093C87 cmp [rsp+4A8h+File], 0
.textidx:0000000140093C90 jnz short loc_140093CA8
.textidx:0000000140093C92 lea rcx, aCanTOpenLmpubk ; "Can't open lmpubkey.h for writing, exit"...
.textidx:0000000140093C99 call perror
.textidx:0000000140093C9E mov ecx, 1 ; Code
.textidx:0000000140093CA3 call exit
------------------------------------------------

Please give me some direction

[kometata]

@darsy, @istigatore PLEASE help me. I did what was suggested but doing something wrong. I changed the topic here:
http://www.finetopix.com/showthread....968#post236968
I found the function that calls the PUBLIC key, patched it, as described above, patched the ECC, but the program not "eat" the @boot32 license..way? I follow the same procedure that has been already described. What could be the problem?

[dionysosww]

Hi kometata,

I'm also trying daemon with OD, the target is to trace pubkey manually. if I input below in cmd window, daemon will complain about communication error with lmgrd, how is your case? I doubt this because I find that the traced pubkey is not matched with correct one.

testlmd.exe -app -T local 4 -z -c "C:\a.lic"


15:59:12 (testlmd) FLEXlm version 9.2
15:59:12 (testlmd) Server started on local for: f2
15:59:13 (testlmd) Vendor daemon can't talk to lmgrd (Cannot connect to license server (-15,10:10061 "WinSock: Connection refused"))

Thanks.

[kometata]

Hi dionysosww,
I am trying to find out why I had problems in some cases, and still have, and then will write you. Probably later today.

BR