Thread: Patching flexlm freebsd vendor file.

  1. #1
     Junior Member, Reputation: 10, Join Date: 2015-08-01, Posts: 6

     Patching flexlm freebsd vendor file.

    I have software that works on both Windows and FreeBSD. I have patched the Windows vendor and it does work, but the patcher does not work on the FreeBSD one. The patterns do not exist even though the vendor and the lmversion are the same. Is there a difference in the file structure that makes it impossible to find the patterns in FreeBSD? Do I maybe need to unpack it?

  2. #2
     Junior Member, Reputation: 10, Join Date: 2015-08-01, Posts: 6

     Re: Patching flexlm freebsd vendor file.

    OK. I found out a bit more on the subject. The FreeBSD daemon is actually running as a Linux executable using the Linux ELF libraries.
    I searched the daemon for signatures/patterns, but none of the known ones could be found, so I dug a bit deeper.
    What I saw was that the vendor had not changed the crypto salt, so it was the default of 3D4DA1D6h.
    I could not find the public key in the file, nor l_pubkey_verify.


    So I searched for a function that looked a lot like the place to patch and I found this:


    .text:080D1F4D ; ---------------------------------------------------------------------------
    .text:080D1F4D
    .text:080D1F4D loc_80D1F4D: ; CODE XREF: sub_80D17C8+761j
    .text:080D1F4D mov eax, [ebp+var_A0]
    .text:080D1F53 test eax, eax
    .text:080D1F55 jnz short loc_80D1F96
    .text:080D1F57 cmp [ebp+arg_0], 0
    .text:080D1F5B jz short loc_80D1F8A
    .text:080D1F5D mov eax, [ebp+arg_0]
    .text:080D1F60 mov dword ptr [eax+80h], 0FFFFFFF8h
    .text:080D1F6A sub esp, 4
    .text:080D1F6D push 0
    .text:080D1F6F push 0FFh ; int
    .text:080D1F74 push 0 ; src
    .text:080D1F76 push 0 ; int
    .text:080D1F78 push 214h ; int
    .text:080D1F7D push 0FFFFFFF8h ; int
    .text:080D1F7F push [ebp+arg_0] ; int
    .text:080D1F82 call sub_80D8B14
    .text:080D1F87 add esp, 20h
    .text:080D1F8A
    .text:080D1F8A loc_80D1F8A: ; CODE XREF: sub_80D17C8+793j
    .text:080D1F8A mov [ebp+var_F0], 0FFFFFFF8h
    .text:080D1F94 jmp short loc_80D1F9F
    .text:080D1F96 ; ---------------------------------------------------------------------------
    .text:080D1F96
    .text:080D1F96 loc_80D1F96: ; CODE XREF: sub_80D17C8+78Dj
    .text:080D1F96 mov eax, [ebp+var_30]
    .text:080D1F99 mov [ebp+var_F0], eax
    .text:080D1F9F
    .text:080D1F9F loc_80D1F9F: ; CODE XREF: sub_80D17C8+C6j
    .text:080D1F9F ; sub_80D17C8+118j ...
    .text:080D1F9F mov eax, [ebp+var_F0]
    .text:080D1FA5 lea esp, [ebp-0Ch]
    .text:080D1FA8 pop ebx
    .text:080D1FA9 pop esi
    .text:080D1FAA pop edi
    .text:080D1FAB leave
    .text:080D1FAC retn
    .text:080D1FAC sub_80D17C8 endp

    I thought the pattern would be 57 56 53 81 EC FC 00 00. So I patched it with 33C0C3. Tried the license again, but it still said "inconsistent authentication code".
    Started over and tried to patch all places in the file where I found the above pattern; still no go. The daemon runs and does not crash, but it still refuses to accept my trial license, on which I only changed the date.
    Flexlmsearcher008 does find these files to be protected somehow, so I guess I must not have found the right place, though. Anyone care to look at it? I posted the files up to sendspace...
    The same vendor could be patched on Windows without problems, but this Linux vendor daemon proves tricky.


    For your information, it is running as a local daemon and not over the network. So it only looks at the hostname/MAC and puts out a license to the local computer, then shuts down until the next reboot.


    Vendor Daemon and lmgrd-files here: https://www.sendspace.com/file/9sxf2f

  3. #3
     Junior Member, Reputation: 12, Join Date: 2014-08-05, Posts: 18

     Re: Patching flexlm freebsd vendor file.

    Search in IDA for 2930h.
    The first one is prikey, the second one is l_pubkey_verify.

  4. #4
     Junior Member, Reputation: 10, Join Date: 2015-08-01, Posts: 6

     Re: Patching flexlm freebsd vendor file.

    Yeah, I can find that. But the function seems a lot different from the "normal" FlexLM on Windows. This is the same vendor daemon patched on Windows, same version, 11.12:

    .textidx:00485741 loc_485741: ; CODE XREF: sub_485470+12Cj
    .textidx:00485741 mov ecx, [ebp+var_1C]
    .textidx:00485744 xor ecx, ebp
    .textidx:00485746 call @__security_check_cookie@4 ; __security_check_cookie(x)
    .textidx:0048574B mov esp, ebp
    .textidx:0048574D pop ebp
    .textidx:0048574E retn
    .textidx:0048574E sub_485470 endp
    .textidx:0048574E
    .textidx:0048574E ; ---------------------------------------------------------------------------
    .textidx:0048574F align 10h
    .textidx:00485750
    .textidx:00485750 loc_485750: ; DATA XREF: sub_4020C0+6D8Bo
    .textidx:00485750 xor eax, eax
    .textidx:00485752 retn


    The code I found on the FreeBSD one is not at all like this. Do you have signature files, or how did you come up with 2930h?
    Would you mind test-patching it for me?

  5. #5
     Junior Member, Reputation: 10, Join Date: 2015-08-01, Posts: 6

     Re: Patching flexlm freebsd vendor file.

    I just don't get any further in this matter. I really need some help.
