Flexlm Stepped Walkthrough



BinaryRay
2015-03-20, 04:10 PM
Hi all, I would like to share my experience in creating a flexlm license file by describing all the necessary steps.
I have not yet found a complete walkthrough so I hope this helps future users.
People that are more experienced can comment and help to enrich the procedure.

My flexlm version is 11.12; let's find out if we can create a lic.txt.
For this I have already downloaded flexlm sdk 11.9 86 and 64 versions.

I am going to start with my server today, keep in touch.

BinaryRay
2015-03-20, 05:50 PM
OK, let's go.
1. Use Flexlm Vendor Key Generator 3.0 to create vendor keys.
I selected version 11 in the options and put the server name in the Vendor Name slot.
The result looks like this:

/* Version 11 keys */
#define VENDOR_KEY1 0x54ca9326
#define VENDOR_KEY2 0xed82e159
#define VENDOR_KEY3 0xf67b305a
#define VENDOR_KEY4 0x0605a63d
#define VENDOR_KEY5 0x191657c4
#define TRL_KEY1 0x1f1abe22
#define TRL_KEY2 0x508f8593

#define VENDOR_NAME "vega"

2. Following the docslide-net_flexlm7x-114seedextraction.pdf instructions, I created a dummy.dat file using notepad and inside it I wrote these:

SERVER VEGA ANY
VENDOR adskflex
USE_SERVER
INCREMENT test adskflex 1.000 20-mar-2015 1 0123456789AB

3. Continuing to follow the above instructions I downloaded the ollydbg 2.0 and now I am going to use it to extract the seed1 and seed2

BinaryRay
2015-03-20, 08:02 PM
ollydbg does not work with 64 bit systems, gonna try downloading another one.
IDA, Immunitysec, windbg I am going to try with these ones.

I installed x64_dbg and now trying to figure out how it works.

DCA
2015-03-20, 09:30 PM
@BinaryRay

If you're looking for a good example, start with Nolan Blender's Zendenc.
It uses an old version of flexlm but gives a nice example how it works.

synkro
2015-03-22, 08:37 AM
try to practice on a 32bit target if you're a beginner.

kometata
2015-03-29, 11:51 AM
Ok, what is the step 4? :) For me this topic is really interesting. Did you extract the seeds by ollydbg 2.0? Please share your experience.

istigatore
2015-03-30, 12:46 AM
fishing the seed on x64 targets is a little bit different from the x86... Use IDA and the correct sig...

kometata
2015-04-01, 11:17 PM
When I am trying to find the seeds both by script and manually in Olly or W32Dasm, all my daemons.exe crash with the message in a box "Flexible License Manager:...daemon name...can't initialize". These daemons are 32 bit and I used 32 bit winXP VS.
How to solve the problem, where is my mistake?

istigatore
2015-04-01, 11:54 PM
Flexlm does not like virtual machines.. Only the last versions, starting from the v11.10.. You need to use a working partition...

kometata
2015-04-02, 12:33 AM
Hi,
Thanks for the reply. My mistake seems not to be linked to VS because I also tried these examples on both win 7 32 and 64 bit. I will upload some example but the error is that:
http://s17.postimg.org/a4mnej3mj/flex_lm.jpg (http://postimg.org/image/a4mnej3mj/)

Any other suggestions? :confused:

This is the above simple example:
https://mega.co.nz/#!qw8AyJ5a!8rBdQgJ1vjKWn-1KDQq-_JLRi46kTyCgQxrDIvBNz3g
and this is my real target:
https://mega.co.nz/#!qkNEFICQ!iYLHVw37lAcArvczHQSDio2G1hcGCz87xc2FFlZ4RrM

darsy
2015-04-02, 04:14 AM
Hi Kometata,

This is an old, very old daemon. Try to find seeds in the default folder of flexlm:

C:\flexlm\...

Put your daemon.exe, lic.lic and olly or w32dasm files in the same folder and load your daemon with standard parameters:

Daemon.exe -T Z -4 c:\flexlm\lic.lic

I'm not sure, I think this is the syntax. The best way is to read Git papers for e. s. generation....

;-)

kometata
2015-04-02, 05:17 AM
Hi Darsy,
Thanks for your comments!

Yes, I know that the bruker is old but I am trying to learn the approach before trying the real target, SC..HR..OD, if it is possible at all. I have some questions.
I extracted the seeds from the bruker_ls example by Olly and the Flexlm Seedfinder 7.2+. However, I was able to do that only if I use this option:

-app -T this_host 4 -z -c c:\flexlm\license.dat

If I use "-t this_host -c c:\flexlm\license.dat", which seems to be "standard", it does not work. On the other hand, the bruker_ls is version 9.5 but when I tried M..O..E 2009, which is version 9.2, this approach does not work. Thus I realized that both the option and the dummy license are important factors.
Thus if for the bruker_ls the dummy license was:


SERVER this_host ANY 001A92E2313F 1700
DAEMON bruker_ls C:\Bruker\bruker_ls.exe
USE_SERVER
FEATURE TOPSPIN2 bruker_ls 0.0 7-aug-2024 50 AB9E40017F6C081A44CC
FEATURE TOPSPIN_1D bruker_ls 0.0 7-aug-2024 50 EB1E20C1A1F0A2A1D348
FEATURE TOPSPIN_2D bruker_ls 0.0 7-aug-2024 50 CBFE3091A6FDA2A4C645
FEATURE XWINPLOT bruker_ls 0.0 7-aug-2024 50 BB8EC01158E130B13522

what would it be for this case?:

FEATURE m..o..e ch..em..com..pd 2010.12 31-dec-2025 uncounted F782780B5A27 \
HOSTID=ANY ISSUER=Lz0 TS_OK

or mainly in this difficult case?:

SERVER this_host ANY
VENDOR SCHROD
USE_SERVER
#
# ...............
#
FEATURE ................ 2013.1 31-dec-2015 uncounted HOSTID=ANY \
vendor_info="jAt6CnIt ny7cHVEC EIfuTjR2 5nCEnk3C ciRb5K9Y \
fkOSeWdC VprQM2Z2 PUOFGnaV gH9tqbTr zoNFVdJp p27CUJE+ qfvYTBnc \
W9zZtuA7 cEk3SLrM ncoNmfAg sqi0bvMY rFsOmqEZ 5Kbrgwvw stSoB+3e \
RFoOwqfT SdorDA6E g3pV7dPo c2Ed5+pe cprZqrgz GAsyebQm W1EqaAeY \
P73drC/c G7WtpdIU 9xJnGTFh eOZ7hQzJ WWOzy30F VP30kjnp E2IdndGC \
gDigIKDt 01jnmSEz jAogyHdB GadKEkkv 4hNH8BVK rxjrHqAE hwzP8yPV \
UK1ZyigG 35L4/v0L k4KxNg==" ISSUER=....... ISSUED=09-jun-2013 \
START=09-jun-2013 SIGN= \SIGN2=

Do you also know whether Flexlm Seedfinder works for versions up to 11.11 or should it be rewritten?

I also tried your nice video tutorial with W32dsm but the daemon always crashes, with the above message, as in olly.
Can you please help a bit and guide me on how to proceed and where my mistake is?
I hope that this will be helpful for the other beginners too because the above-mentioned old materials are really old and difficult to understand, unlike your nice video!

EDIT1: Ok, I extracted the seeds also from M..O..E 2010 (hope to be correct) by this dummy lic:


SERVER this_host ANY BCAEC53CDE00 1700
DAEMON che..mco...mpd C:\Bruker\chemcompd.exe
USE_SERVER
FEATURE m..o..e che...mco...mpd 2010.12 31-dec-2045 uncounted AB9E40017F6C \

and -T localhost -11 -c c:\flexlm\license.dat

but not from the new one with SIGN ...

m..o..e che...mco...mpd 2012.10 31-dec-2099 uncounted HOSTID=DEMO TS_OK \
SIGN="03A9 99A7 4338 992E E1F2 BD2D 4CF4 A6D6 4B13 74FE 3603 \
2A50 0F9D 8435 EA6D B85C E35B 046E 0A7A 7937 3E02"

The above gives me the error: No features to serve, existing
existing due to signal 27 Exit reason 4

I will try also by W32dsm using your approach.

P.S. For those interested, I attach the seedfinder, which can at least be used as a ground for feature improvements.

istigatore
2015-04-09, 12:12 AM
kometata, if you manually apply the script with olly or ida, you can easily recover the seeds for any target, x86 and x64.. For schrodinger, try to patch the ecc and then build your customized vendor...


kometata
2015-04-09, 05:55 PM
Thanks istigatore! I supposed that the customized vendor is the only elegant solution. I will be thankful if you guide me with some advice! Do you think that after creating the customized vendor it is trivial to inject the new pubkey or will it be not so easy? I mean that in schrodinger the pubkey is present in an available/visible form and it looks trivial. I am also a bit worried about the long vendor info (here it is a bit foggy for me), or do you think this is not the problem?
And finally, I was not able to extract the seeds from schrodinger; this is not important for the discussed case but I just wonder. Did you extract the seeds from schrodinger?

istigatore
2015-04-10, 03:43 AM
The last edition of the schrodinger vendor is not obfuscated.. So you can easily fish the seeds.. I did this job in less than 4 minutes with olly and ida.. And I made my customized vendor..
The long "vendor_info" is the only problem with schrodinger.. And you can easily patch the check instead of wasting time to recover or change the pubkey in the dll...

darsy
2015-04-10, 05:51 AM
Hi
There is no need to recover encryption seeds for schrodinger.
You can see that in your lic file there is only a sign/sign2 key. The standard key (12) or longkey (20 long) code is missing.
The sign key is generated with cro/trl keys only and the standard key with encryption seeds only.
You need to build your lmcrypt with any encryption seeds, and you can also generate your vendor code with
Vendor key generator 3.0 from zementmischer. That's all.
After that you need to patch your target files and vendor daemon.
Public key ( vendor info keys) and also l_pubkey_verify (flexnet standard check for sign keys)

istigatore
2015-04-10, 08:05 PM
darsy, you are wrong..!!!! If you want to inject your pubkey or make a standard license, by patching the 2 flags, you need to recover the encryption seed...!!!!!!!!!
Only if you patch the ecc, you can make a fake vendor.. But for this target (schrodinger) it is not enough because it has the long "vendor_info"..

kometata
2015-04-18, 02:25 AM
> And you can easily patch the check instead of wasting time to recover or change the pubkey in the dll...

Hi all, by patching the check do you mean that I will not need any license?
I ask because my problem is the new features that are missing in the old generated licenses..

istigatore
2015-04-18, 02:52 AM
If you patch the check, the license will be valid with any "vendor_info" filling...!!!!!
To use the program without a license you need to patch the checkout verify...

kometata
2015-04-18, 10:54 AM
> If you patch the check, the license will be valid with any "vendor_info" filling...!!!!!


By check do you mean the check function or the lictest.exe file? And what about SIGN's? Can I ask you or someone else to send me the lictest patched file for some version, please? I am not asking you to make me a solution or a tutorial, just the file to find out/learn myself how to do that.

Thanks in advance!

kometata
2015-04-19, 03:52 AM
> The last edition of the schrodinger vendor is not obfuscated.. So you can easily fish the seeds.. I did this job in less than 4 minutes with olly and ida..

Btw can someone just clarify whether the seeds recovery procedure for the higher versions is absolutely the same as in the old versions (Git manual?)? I still can't extract the above-mentioned seeds; could istigatore (http://www.finetopix.com/member.php?95492-istigatore) or someone else share how they did this?

For instance, for M..O..E 2012 and actually each program above 11.9 I can't reach the _l_n36_buff EB09 and stop to I/O command ..ED. Could someone explain why?

http://s15.postimg.org/pyzzacfuj/seeds.png

rohank
2015-04-19, 03:59 PM
Kometata, the procedure is exactly the same for newer versions of 32 bit vendors. I have recovered seeds for 11.11 using the same method.

carlitos
2015-04-19, 06:54 PM
kometata check your pm, I'm sending you the seeds found with the standard procedure

kometata
2015-04-19, 11:03 PM
Thanks rohank and carlitos! There is something wrong in my 3 PCs but I can't figure out what..I can't reproduce my own tutorial on any higher target. Rohank you use win7? Carlitos succeeded using the same approach. Changed this issue to corresponding topic:
http://www.finetopix.com/showthread.php?41860-Seeds-recovering-by-Olly-debugger&p=236757#post236757

I will be glad if we continue discussion here with the long "vendor_info" problem..

sumenwang
2015-04-19, 11:36 PM
thanks very much! brother


rohank
2015-04-20, 03:17 AM
> Thanks rohank and carlitos! There is something wrong in my 3 PCs but I can't figure out what..I can't reproduce my own tutorial on any higher target. Rohank you use win7? Carlitos succeeded using the same approach. Changed this issue to corresponding topic:
> http://www.finetopix.com/showthread.php?41860-Seeds-recovering-by-Olly-debugger&p=236757#post236757
>
> I will be glad if we continue discussion here with the long "vendor_info" problem..

I use win 8.1 but I don't think the procedure changes from windows. There is some other problem you are having.

kometata
2015-04-23, 11:33 AM
Can someone please help me to patch this file:
https://mega.co.nz/#!alMkCSwI!Y6Xh1-aQ-D1PZ35-w02vtzTs3k8Az8Tb_4xH6Em-6mA

The l_pubkey_verify is not a problem to be patched but I can't find / am not sure where to patch the Public key (vendor info keys)?

The Pubkey was linked with an instance and I tried to change this Jz but without effect:
--------------------------------------------------------------------------------
.text:000000014001BF9F jz short $+2 (here changed to 00, probably had to be jmp)
.text:000000014001BFA1
.text:000000014001BFA1 loc_14001BFA1: ; CODE XREF: sub_14001BEE0+BFj
.text:000000014001BFA1 db 66h, 66h, 66h, 66h, 66h, 66h
.text:000000014001BFA1 nop word ptr [rax+rax+00000000h]
.......
.......
.......
.text:000000014001C002 loc_14001C002: ; CODE XREF: sub_14001BEE0+68j
.text:000000014001C002 lea rcx, [rsp+1138h+var_1018] ; Dst
.text:000000014001C00A lea rdx, Src ; "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgk"...(pubkey was linked to 1BF9F)
.text:000000014001C011 mov r8d, 1C3h ; Size
.text:000000014001C017 call memcpy
------------------------------------------------------------
OR the magic is here?

------------------------------------------------------------
.textidx:0000000140093C2D jz short loc_140093CA8
.textidx:0000000140093C2F mov r8, [rsp+4A8h+arg_20]
.textidx:0000000140093C37 lea rdx, aSlmpubkey_h ; "%slmpubkey.h"
.textidx:0000000140093C3E lea rcx, [rsp+4A8h+Dest] ; Dest
.textidx:0000000140093C46 call sprintf
.textidx:0000000140093C4B call __iob_func
.textidx:0000000140093C50 add rax, 30h
.textidx:0000000140093C54 lea r8, [rsp+4A8h+Dest]
.textidx:0000000140093C5C lea rdx, aGeneratingHe_0 ; "Generating header file %s\n"
.textidx:0000000140093C63 mov rcx, rax ; File
.textidx:0000000140093C66 call fprintf
.textidx:0000000140093C6B lea rdx, aW_0 ; "w"
.textidx:0000000140093C72 lea rcx, [rsp+4A8h+Dest] ; Filename
.textidx:0000000140093C7A call fopen
.textidx:0000000140093C7F mov [rsp+4A8h+File], rax
.textidx:0000000140093C87 cmp [rsp+4A8h+File], 0
.textidx:0000000140093C90 jnz short loc_140093CA8
.textidx:0000000140093C92 lea rcx, aCanTOpenLmpubk ; "Can't open lmpubkey.h for writing, exit"...
.textidx:0000000140093C99 call perror
.textidx:0000000140093C9E mov ecx, 1 ; Code
.textidx:0000000140093CA3 call exit
------------------------------------------------

Please give me some direction :)

kometata
2015-04-27, 07:43 AM
@darsy, @istigatore PLEASE help me. I did what was suggested but I am doing something wrong. I changed the topic here:
http://www.finetopix.com/showthread.php?34233-FlexLM-ECC-Generic-Patcher-Flexlm-targets-%28x86-x64-up-to-version-11-9-x%29&p=236968#post236968
I found the function that calls the PUBLIC key, patched it, as described above, patched the ECC, but the program does not "eat" the @boot32 license.. why? I follow the same procedure that has been already described. What could be the problem?

dionysosww
2015-04-30, 05:04 PM
Hi kometata (http://www.finetopix.com/member.php?106409-kometata),

I'm also trying the daemon with OD; the target is to trace the pubkey manually. If I input the below in a cmd window, the daemon will complain about a communication error with lmgrd; how is your case? I doubt this because I find that the traced pubkey does not match the correct one.

testlmd.exe -app -T local 4 -z -c "C:\a.lic"


15:59:12 (testlmd) FLEXlm version 9.2
15:59:12 (testlmd) Server started on local for: f2
15:59:13 (testlmd) Vendor daemon can't talk to lmgrd (Cannot connect to license server (-15,10:10061 "WinSock: Connection refused"))

Thanks.

kometata
2015-05-03, 03:11 AM
Hi dionysosww,
I am trying to find out why I had problems in some cases, and still have, and then will write you. Probably later today.

BR

dionysosww
2015-05-06, 03:05 PM
Hi Kometata,
Finally, I figured out that it's because my .lic file format is not correct. To fish seed, it's better to use a license with 12 bits keys without sign/sign2. To find out l_pubkey_verify, it's better to use a SIGN= or SIGN2= lic. The sign number can be wrong, but the format should be right, otherwise the daemon may go to other branches and error directly. testlmd.exe -T local 4 -z -c "C:\a.lic" is correct to debug the daemon; I have tried this in both windows and linux. "Vendor daemon can't talk to lmgrd" will be there but it doesn't matter for debug.

SERVER local ANY 5280
DAEMON cdslmd cdslmd.exe
FEATURE 100 cdslmd 16.5 permanent 999 1E6C738E41D8 HOSTID=ANY

Thanks,
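
Added example, not from any poster in this thread: the posts above distinguish FEATURE lines authenticated by a 12- or 20-character license key from lines carrying SIGN=/SIGN2=, and several samples use HOSTID=ANY or HOSTID=DEMO. A license administrator can inventory a file along those lines as sketched here; the field positions follow the sample lines quoted in the thread, and the sample file, vendor name, feature names and the helper names audit/needs_reissue are constructed for illustration.

```python
import re

# Constructed sample; vendor name, feature names and key values are made up.
SAMPLE = r'''# demo file
SERVER this_host ANY 27000
VENDOR examplevd
FEATURE alpha examplevd 1.0 31-dec-2030 5 0123456789AB HOSTID=ANY
FEATURE beta examplevd 1.0 31-dec-2030 5 0123456789ABCDEF0123
INCREMENT gamma examplevd 2.0 permanent uncounted HOSTID=DEMO \
    SIGN="03A9 99A7 4338 992E"
FEATURE delta examplevd 2.0 permanent 1 SIGN= SIGN2=
'''

OPTION = re.compile(r'(\w+)=(?:"([^"]*)"|(\S*))')   # KEY=value or KEY="quoted value"
HEXKEY = re.compile(r'[0-9A-Fa-f]+')

def logical_lines(text):
    """Join backslash-continued lines; drop blanks and # comments."""
    joined = re.sub(r'\\[ \t]*\n[ \t]*', ' ', text)
    return [l.strip() for l in joined.splitlines()
            if l.strip() and not l.lstrip().startswith('#')]

def audit(text):
    """Return one record per FEATURE/INCREMENT line: how it is authenticated."""
    records = []
    for line in logical_lines(text):
        opts = {m.group(1).upper(): m.group(2) if m.group(2) is not None else m.group(3)
                for m in OPTION.finditer(line)}
        fields = OPTION.sub('', line).split()       # positional fields only
        if len(fields) < 6 or fields[0].upper() not in ('FEATURE', 'INCREMENT'):
            continue
        key = fields[6] if len(fields) > 6 else ''  # optional 7th positional field
        if opts.get('SIGN') or opts.get('SIGN2'):
            auth = 'sign'
        elif HEXKEY.fullmatch(key) and len(key) in (12, 20):
            auth = 'legacy-key-%d' % len(key)
        else:
            auth = 'none'
        flags = []
        if opts.get('HOSTID', '').upper() in ('ANY', 'DEMO'):
            flags.append('not-host-bound')
        if auth != 'sign' and ('SIGN' in opts or 'SIGN2' in opts):
            flags.append('empty-signature')
        records.append({'feature': fields[1], 'auth': auth, 'flags': flags})
    return records

def needs_reissue(records):
    """Features whose line carries no non-empty SIGN/SIGN2 value."""
    return [r['feature'] for r in records if r['auth'] != 'sign']

if __name__ == '__main__':
    for rec in audit(SAMPLE):
        print(rec)
```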

govdanimos
2016-02-05, 10:24 AM
This is a very great discussion and a lot of useful knowledge.