The Tiger won't give up
|
Exactly, that's why here is another interesting tool in the attachment; most of the time it still works on traditional victims ;)
|
Hi @arlequim
Your previous tools only patch Win32 files. Your new tools patch Win64 files, very good :) Test the tools, friend. Thanks, Regards |
Good discussion, and I learned a lot from here
|
Hi
As background information:
- All my licenses, for both FlexNet and FlexLM, I made with version 9.2.
- I patch ECC-protected files.
- My licenses worked.
New software licenses are more complicated and my licenses no longer work. A friend told me that:
- FlexLM and FlexNet are not the same.
- The tools for FlexLM do not work for FlexNet.
- New tools are required.
If this is correct, can you give me feedback (any subject matter expert of FlexLM and FlexNet): what are the differences between the previous version (FLEXlm) and the current version (FlexNet):
1. In the encrypted seeds of the vendor daemon?
2. In patching ECC-protected files?
3. In the preparation of licenses?
Thanks in advance
Regards |
I tried the xf-flexlm patcher; it seems not to work with v11.6.
|
Any hints on how to get the three public keys from our lmcrypt?
If we have got the three public keys from lmcrypt and use them to patch the daemon, then should we also patch the return compare of the public key verify? |
gurandiL, you can build your vendor using lmseeds
lmseeds1= 0x11111111 lmseeds2= 0x22222222 lmseeds3= 0x33333333, then use your new build as a base with the tool "PubKey_Replacer170_win".. But I tried 3, 4 times and the tool does not work.. The other way is to build your vendor, but recovering the 4 handshake seeds with IDA.. Then use PubKey_Replacer170_win only for the right pubkey... Here is the body of the core that you have to find in the original vendor, then put the seeds in your new build Code:
In the body of this function, find code like this in your lm_new.c file, with the values from the original vendor daemon. Tested and working by a master flexlm reverser...!!!!!!!
|
Quote:
As far as I know, this is not possible, because the original vendor code does not include the private key at all. Can you explain some details? |
swlepus, I suggest you read the readme file in the PubKey_Replacer170_win folder, and study the flexlm sdk. I already wrote that the second way is working... You only need to know how to use IDA Pro and how to build the new vendor with VS2008/2010/2012...
Here is another part of code from a v11.4 sdk Code:
if ((l_6counter == l_2086counter) && ((l_2082buff ^ 12052) & 0xff)) l_2082buff ^= 12052; |
@bgptlmzyh: RTFM rule before asking =)
|
It seems that there are a lot of new things in FlexNet which I need to study again.
|
Hi nikkapedd,
I know how to use IDA and the Hex-Rays decompiler, and tried to locate similar code patterns in a couple of vendor daemons I have on file, but was unable to find anything. Do you have any tips for me? rgds rcer |
rcer, if you are looking for the handshake seeds, you need the target with the correct signature.. Now load it in IDA and find the 4/5 references to "handshake". Remember that the values of the seeds are not in hex..
Does anyone know the new obfuscation scheme in the new 11.12 FNP that hides the public and the private key..??? Thanks in advance.. Now I'm able to make fully working licenses by building a vendor with my seeds and injecting my pub key... |
nikkapedd, thanks, but I think that I don't fully understand your explanation. I have several original vendor daemons, and when I load them in IDA, decompile the code with the Hex-Rays decompiler and then try to locate C code snippets similar to the ones from your previous post, I am unable to find any. What is it that I am doing wrong?
|
Tell us the name of the vendor daemon.
|
Fox,
slbsls & scplmd |
rcer, Slbsls uses the common vendor technology and is packed with "Virtual protect" like the latest version of the slb programs.. You need to unpack the vendor first...
For scplmd it is very, very easy.. I can already make full licenses with the scplmd vendor.. Try to build the new vendor with the right seeds, then open the file lm_new.c in the "build" folder. You will see the magic "handshake function"..... Sorry, but I do not post any "function" for those 2 vendors.... |
nikkapedd,
Thanks, and I think I have finally grasped it! Have a look at the PM I sent to you. I still have one question: which program do I need to use to unpack Slbsls? rgds rcer |
@rcer: you can use DLL injection for the online patch of any info inside slbsls ;)
|
Hi @rcer
The slbsls vendor daemon is difficult. I think it is the most difficult. I'm also trying the packed/encrypted/obfuscated vendor daemon. Thanks for your feedback @nikkapedd and @FoxB |
Hi FoxB,
Thanks, and can you please explain this in a little more detail? rgds rcer |
alekine322,
Yes, slbsls is a tough nut to crack, and we rookies need all the help we can get from the seasoned crackers in this forum |
Any chance to get the daemon?
|
Hi
@nathan: Yes, please check your PM |
Me too, I want the daemon too.
|
Hi
@ultimax Force: Yes, please check your PM |
Quote:
In the previous version the public keys were not encrypted (for all three daemons: slbsls, slbfd and lmgrd.slb). In the new version the public keys for the slbsls daemon are encrypted, and the public keys of all daemons pass an integrity check from time to time. |
Boot64: are you boot32? ;) Upload the 2014 daemon, we will see it.
|
Quote:
static unsigned char lm_prikey[2][3][40] = {
    {
        {0x0, 0xb2, 0x45, 0x2c, 0xbc, 0x7e, 0x72, 0xc1, 0x3a, 0x39, 0x5e, 0x67, 0x25, 0xce, 0xd9},
        {0x2, 0x1c, 0x8f, 0xa2, 0xe4, 0xb6, 0x4f, 0x7a, 0x2c, 0xd2, 0x6, 0x81, 0xb5, 0xd8, 0xf9, 0xf1, 0x81, 0x6, 0x4a, 0x8e, 0x17},
        {0x3, 0xa0, 0x58, 0x89, 0xd2, 0x30, 0x22, 0xd8, 0xca, 0x5e, 0xac, 0x59, 0x33, 0xb3, 0x69, 0xdc, 0x30, 0x9b, 0xb6, 0x8d, 0x24, 0x56, 0x60, 0x23, 0xf0, 0x8c, 0x11, 0xb8, 0xc2, 0xba}
    },
    {
        {0x0, 0x5b, 0xd9, 0xeb, 0xa1, 0xb8, 0x16, 0x1f, 0x95, 0xf5, 0x21, 0x5b, 0xf2, 0x2a, 0x68},
        {0x1, 0x6f, 0x67, 0xae, 0x86, 0xe0, 0x58, 0x7e, 0x57, 0xd4, 0x85, 0x6f, 0xc8, 0xa9, 0xa1, 0x6e, 0x2b, 0x9, 0xd8, 0xed, 0xb2},
        {0xb, 0x7b, 0x3d, 0x74, 0x37, 0x2, 0xc3, 0xf2, 0xbe, 0xa4, 0x2b, 0x7e, 0x45, 0x4d, 0xb, 0x71, 0x58, 0x4e, 0xc7, 0x6d, 0x95, 0xf, 0x34, 0x9c, 0x4, 0xa3, 0x67, 0x57, 0xa6, 0xd1}
    }
};
|
Hi
For slbsls 2013 Licensing: how hard is it to find the encrypted seed? With the seeds found, I generate my lmcrypt.exe, generate my license, and patch the files protected by ECC. The license works fine. Thank you very much Boot64 (Boot32). You mention the following: "for all three daemons: slbsls, slbfd and lmgrd.slb". I've seen licenses with slbsls and slbfd, but never with lmgrd.slb. Which application uses it? These questions are for my study. Note: Boot64, please upload the vendor daemon for SLBLicensing 2014 for my study. Thanks in advance |
Quote:
#define LM_SEED1 0x11111111
#define LM_SEED2 0x22222222
#define LM_SEED3 0x33333333
It seems the private keys are related to the values LM_SEED1~3, but I don't know the relationship. Can anyone give some clue? |
You only need to change the public key, not the private one..
Every time the program checks the public key, it then authenticates your signature against the vendor's pubkeys.. But pay attention: if the program also uses the vendor_info or vendor_String certificate to authenticate the license, patching only the pub key is not enough to make a working license... alekine322, patching only the vendor is not enough to make a working license.. You also need to patch the ECC in the exe/dll files |
Quote:
What's the relationship?
#define LM_SEED1 0x11111111
#define LM_SEED2 0x22222222
#define LM_SEED3 0x33333333 |
Quote:
What's the relationship between "lmseeds1,2,3" and the ECC public key/private key? What should I do in the SDK settings if I want to set my own private key? |
What is the difference between Flex V.11.9 and 11.10?
Has new security protection been added? |
If you know how to deal with the protection, there is no difference.
|