FlexLM.ECC.Generic.Patcher-Flexlm targets (x86/x64 up to version 11.9.x)

**darsy** · 2015-04-27, 05:31 PM

"In fact suggested for patching function check_ signature and all others are located exactly in this .dll, at least for 2013-1, not in the lictest.exe."

Public key (RSA Sign) is checked with check_signature. You can extract all this funstion from libmmlibs.dll. I wrote about in christmas time... If you patch this functions on the right place, vendor_info string is no more checked ;-)

Big thank to kometata, istigatore and all together for successful cooperation.

Darsy

**kometata** · 2015-04-28, 01:55 PM

I uploaded the first part of a simple tut here:
http://www.finetopix.com/showthread....eo-tutorial%29

**Aleksej** · 2015-04-28, 11:26 PM

Originally Posted by kometata

I receive the following massage: "Could not obtain license for feature "FEP_GPGPU" of FEP+".

Does "FEATURE FEP_GPGPU" present in your license file?

mayby you are using license with ISSUER=Boot32

**kometata** · 2015-04-30, 07:13 AM

No, it was not present Aleksej. I don't have any other license, only the boot32. However, after patching the check_signature function I added it to the license file and indeed it work. I tested it.

**synkro** · 2015-04-30, 09:46 AM

Originally Posted by kometata

No, it was not present Aleksej. I don't have any other license, only the boot32. However, after patching the check_signature function I added it to the license file and indeed it work. I tested it.

Once you patch check_signature and l_pubkey_verify, you can edit the license, add features and change expirations as you like.

**kometata** · 2015-04-30, 01:54 PM

Originally Posted by synkro

Once you patch check_signature and l_pubkey_verify, you can edit the license, add features and change expirations as you like.

@synkro I have probably elementary question. Whether the check_signature is always presents or this is only in RSA defence case?
I saw targets, under Linux, that seems to use only ECC protection but the check_signature is present (not explicitly) too.

**synkro** · 2015-05-01, 11:14 AM

Originally Posted by kometata

@synkro I have probably elementary question. Whether the check_signature is always presents or this is only in RSA defence case?
I saw targets, under Linux, that seems to use only ECC protection but the check_signature is present (not explicitly) too.

I've only encountered ECC in flexnet targets, this one is an exception (for me at least). In fact, some of its binaries contain ECC, or RSA or both at the same time. One quick and easy way is to look for the text string "BEGIN PUBLIC KEY", you'll be 100% sure there's a check_signature function in it.

**kometata** · 2015-05-19, 08:31 AM

Hi friends,
Something interesting

Last week a new version was released of above discussed target. The defence is the same, no problem at all. However, a new very interesting product has been included - O..P..L...S..3. Even when I removed both the check and ECC I receive this one:

No FFLD_O..P..L..S..2008_PRINT license found.
Forcefield parameters will not be revealed.
Force field: .....m.a.c.r.o.m.o.d.e.l-v108010/bin/Linux-x86_64/../../data/f16.fld

It works (probably just "tell" us that we can't see the FF parameters and this is normal..) but I was wondering from where is this "No license found", any ideas

? I have this feature in the license file. Indeed I will try to check in IDA/Olly to what is connected this message (don't think that will find that) but started to wonder is it possible individual/separate licenses to exist

?

BR

**darsy** · 2015-05-19, 08:25 PM

Hi kometata,

can you generate increment for FFLD_O..P..L..S..2008_PRINT ?

maybe another daemon or Version?

#
#
INCREMENT FFLD_O..P..L..S..2008_PRINT ...
#
#
#

Regards

**kometata** · 2015-05-20, 11:43 PM

Originally Posted by darsy

Hi kometata,
can you generate increment for FFLD_O..P..L..S..2008_PRINT ?
maybe another daemon or Version?

Hi Darsy,
Yes I can. It seems that this very expensive feature (o.p.l.s 2.1=3) works but I still wonder about this message. The error message is implemented only in the m.a.c.r.o.model/bin/Windows64/b.min.exe, which is protected but seems to not have some general defence role. Here is the output from an example and IDA.
Probably I have just to patch this subroutine and that's all? What actually is the idea of this feature PRINT?

.text:00000000004CF76C ; ---------------------------------------------------------------------------
.text:00000000004CF76C
.text:00000000004CF76C loc_4CF76C: ; CODE XREF: bmin_read_ffld_+236j
.text:00000000004CF76C movsxd r9, dword ptr [r12]
.text:00000000004CF770 shl r9, 4
.text:00000000004CF774
.text:00000000004CF774 loc_4CF774: ; CODE XREF: bmin_read_ffld_+1F8j
.text:00000000004CF774 mov rax, cs:ffield__ptr
.text:00000000004CF77B mov dword ptr ds:loc_966800[rax], 0
.text:00000000004CF785
.text:00000000004CF785 loc_4CF785: ; CODE XREF: bmin_read_ffld_+3EFj
.text:00000000004CF785 ; bmin_read_ffld_+40Aj
.text:00000000004CF785 cmp ecx, 10h
.text:00000000004CF788 jz loc_4D0177
.text:00000000004CF78E
.text:00000000004CF78E loc_4CF78E: ; CODE XREF: bmin_read_ffld_+E1Fj
......................
.....................
.text:00000000004D0177 loc_4D0177: ; CODE XREF: bmin_read_ffld_+428j
.text:00000000004D0177 cmp [rsp+178h+var_C0], 1 (?)
.text:00000000004D017F jz loc_4CF78E
.text:00000000004D0185 mov rax, cs:ioasc__ptr
.text:00000000004D018C lea rdi, [rsp+178h+var_A8]
.text:00000000004D0194 mov r10, cs:ffield__ptr
.text:00000000004D019B mov rdx, 1208384FF00h
.text:00000000004D01A5 lea rcx, __STRLITPACK_6629_0_51
.text:00000000004D01AC lea r8, [rsp+178h+var_138]
.text:00000000004D01B1 mov esi, [rax]
.text:00000000004D01B3 xor eax, eax
.text:00000000004D01B5 lea r11, __STRLITPACK_6587 ; "No FFLD_OPLS2008_PRINT license found. "
.text:00000000004D01BC mov dword ptr [r10+966810h], 0
.text:00000000004D01C7 mov [rsp+178h+var_A8], 0
.text:00000000004D01D3 mov [rsp+178h+var_138], 26h
.text:00000000004D01DC mov [rsp+178h+var_130], r11
.text:00000000004D01E1 mov [rsp+178h+var_178], r9
.text:00000000004D01E5 call _for_write_seq_lis
.text:00000000004D01EA lea rsi, __STRLITPACK_6630_0_51
.text:00000000004D01F1 lea rdi, [rsp+178h+var_A8]
.text:00000000004D01F9 lea rdx, [rsp+178h+var_128]
.text:00000000004D01FE lea rax, __STRLITPACK_6586 ; "Forcefield parameters will not be revea"...
.text:00000000004D0205 mov [rsp+178h+var_128], 2Bh
.text:00000000004D020E mov [rsp+178h+var_120], rax
.text:00000000004D0213 call _for_write_seq_lis_xmit
.text:00000000004D0218 mov r9, [rsp+178h+var_178]
.text:00000000004D021C jmp loc_4CF78E
--------------------------------------------------------

However, it is inside one routine and all trivial patches lead to crash.