FlexLM Help
 

Ive read a lot of tutorials on it, but iam stuck in one part maybe somebody can read here and help:

Fixed using _l_sg() method, with calcseed.

-Peter

Still Wrong :(, anybody can help me with this ?

*edit 2*

now i have it working, i changed on a hunch license behavoir to 7.0, now should i assume all license in that format are 7.0 ? or is there a way i can tell how its being handled, thanks.

Well atleast with Fluent that is the case, even i have observed.

up 7.0 ,the license mybe ok !!

I think there is a way to find the version of the license, by checking the disassembly, or real time trace for the lc_set_attr call.
The function is defined as:
lm_extern int API_ENTRY lc_set_attr lm_args((LM_HANDLE_PTR job, int key,
LM_A_VAL_TYPE value));
The second arg will indicate the license version, for example, in the tracing of the code:


00478026 |. 8B4424 34 MOV EAX,DWORD PTR SS:[ESP+34]
0047802A |. 6A 00 PUSH 0
0047802C |. 6A 4C PUSH 4C
0047802E |. 50 PUSH EAX
0047802F |. E8 BCBFFBFF CALL <_lc_set_attr>

You will find the second arg is 0x4c, and look back to the lm_attr.h, there is the following def, 76 is the 0x4c in Dec. :

#define LM_A_CKOUT_INSTALL_LIC 76 /* (int) true if BEH_V7+, else false */

So you must use behavior V7.

good luck.

typedef struct vendorcode7 {
short type; /* Type of structure */
unsigned long data[2]; /* 64-bit code */
unsigned long keys[4];
short flexlm_version;
short flexlm_revision;
char flexlm_patch[2];
char behavior_ver[LM_MAX_BEH_VER + 1];
unsigned long crokeys[2];
int signs; /* number of entries in pubkeyinfo */
int strength;
int sign_level;
LM_VENDORCODE_PUBKEYINFO pubkeyinfo[LM_MAXSIGNS];
} VENDORCODE7, *VENDORCODE_PTR;

#define LM_BEHAVIOR_V2 "02.0"
#define LM_BEHAVIOR_V3 "03.0"
#define LM_BEHAVIOR_V4 "04.0"
#define LM_BEHAVIOR_V5 "05.0"
#define LM_BEHAVIOR_V5_1 "05.1"
#define LM_BEHAVIOR_V6 "06.0"
#define LM_BEHAVIOR_V7 "07.0"
#define LM_BEHAVIOR_V7_1 "07.1"
#define LM_BEHAVIOR_V8 "08.0"
#define LM_BEHAVIOR_V8_1 "08.1"
#define LM_BEHAVIOR_V8_2 "08.2"
#define LM_BEHAVIOR_V8_3 "08.3"
#define LM_BEHAVIOR_V9 "09.0"

the vendorcode struct is used by lc_init

outputs of 2 call to signed32 in l_string_key are seed1 and seed2.
after finding the flexversion and seeds you can use lmcryptgui to generate lmcrypt.


toro

peter, did you solve your problem.
if not, please describe more detail!

hi szy111

for creation of lmcrypt with lmcryptgui you must supply vendorname, behaviour and 2 enc seed.
the l_string_key is a function that generate licensekey for every feature. you can trace it to see the proc of licensekey generation or the result of it and create license.
another way is grabing 2 seed from output of 2 signed32 call in l_string_key and create lmcrypt with lmcryptgui.


toro.

hi toro:
thanks for your replay. my question is :i can not set breakpoint at l_string_key in my target . why? what's signed32 ?

hi szy111

depend on flexlm version and its behaviour there are more than one l_string_key. if your question is that you set breakpoint but programs not break, the answer is you must set breakpoint in every of them.

find your target flexlm version with lmtools then open target in olly and scan object file with lmgr.lib or lmgrd.lib and then set breakpoint on every l_string_key. in middle of everyl_string_key you will see 2 call to signed32.

toro.

sorry, my mean is that i can not find l_string_key breakpoint in my target, it report symbol not found !!!

my target is unix program , not win'program , so can not use olly .

hi szy111

in windows if have not proper .lib, i serach this sequence of commands for l_string_key.

MOV DWORD PTR SS:[EBP-0B0],8
MOV DWORD PTR SS:[EBP-114],5
MOV DWORD PTR SS:[EBP-20],0A

toro

toro:
thank you very much . i am sorry i can not find l_string_key , i attach it , can you find where it is ?

hi szy111

41a1f5
41ea7d
441478
451e08
4870c9
48024c

this is not test.exe. the vendor is "Hamp-Russ" !!!!!! please don't ask me to generate license for you!!!!.

toro

hi toro:
thank you again. i know the vendor name , but it is my first target for crack on win. so i rename it to test . i will set breakpoint at l_string_key , then trace in and watch the value at the adress where call 424410 , it maybe seeds. right? i got the value 00a1b3e8 and 00a19ee8 , it's wrong !!!

hi szy111

the function at address 424410 is l_getattr, the address of signed32 is 4422cf. it must be call from l_string_key.

toro

hi toro:
thank you again . but in middle of every l_string_key , i can not find 4422cf , why ? only 2 call 424410 !!!

hi toro:
please hlep me !!
i do not know why the address of signed32 is 4422cf ? can you give me detailed information ? thank you .

Anybody used lmcryptgui from Crackz tutorial page?
I create generator, but it dont't work and terminate with exception :(

hi szy111

at least can you see the correct sign that created in end of l_string key for every feature?

toro.

hi toro:
i set breakpoint at 41a1f5 in olly (F2). then F7 ,but it stop at next point !!! how to trace ? please tell me step by step . i begin to use olly .

give me the seed and license.dat , l make it for you !!!!

there are many tut on internet

toro

I haven't seed while, but I search it for autodesk inventor 8
(FlexLm 8.3a).
I haven't SDK for this version, so I want use lmcryptgui, if is it possible.
And another question: can I use SDK not 8.3a version and what changes need made for it.
---------------------------------------------------
AAAAA!!! I am stupid man :(.
I run lmcryptgui without parameter!!!
Now it work, but lmcryptgui can generate license for FlexLm 8.3a ?

Thanks.

run lmcryptgui with seeds and vendor ,then create a exe file ,run exe with license.dat , you will be well .but you must need seeds !!

O.K. I found seed, vendor and successfully made working license
for autodesk inventor 8. It's easier that crack C-Dilla :)

Thank you for advise.

Acutually, the call to signed32 will depend on the behavior of the Flexlm. For example, if the crypt filter is used, the code will skip the call to signed32. They have improved the security in a way, and does not provide compatibility in this special case.
On the other hand, it is a better idea to recover the seed from the job structure, which envolves identify the call to l_sg and record the memory contents. There has been essay's and calc tools to make this very easy. Most important is all the behavior can be defeated in this way. Of course, we are not talking about the ECC.
If you have identified the l_string_key code, you will be able to found the license key information by just looking at the return point of this function. There will be a call to atox, which convert and format the license key in ASCII format, just check the return value in EAX, do a reference to the memory, and dump the key. It is automatically generated for you. There is a easy signature of the atox function, there is a long string 0123456789ABCDEF defined there. Do a search on the code, you will find it easily. Then you can trace back to the point for the key generation. There is no need to recovery seeds, no need to run license generation.

Guys thanks for the info, iam back to viewing flexlm apps, i did manage to solve my license problem and thanks :) iam now using the method for l_sg, at all my targets, however i found one target it doenst work for! maybe i maked a mistake, maybe not, anybody can view and see ?

i view the app:
*removed by request*

I got the following information:
Seed1: 38aa43fa
Seed2: 95845bd5
Vendor: Pxxxx

however, putting these into lmcryptgui, and resigning the license file, still results in -8 (Bad Auth)

Any ideas ?

Thanks.

@Peter[Pan]:
I just had a quick look at your target and it seems that your seeds are wrong!

I found this:
encseed[0]=6bxxxx58
encseed[1]=9cxxxx2e

You might want to recheck the byte-order of your calcseed-inputs ;)

Dirk

gona view straight away! thnx :)

*edit*, yea it guess i was using Jobx04 ++, isnted of Jobx08++

anways i recorded the job, data and vendor name before, and after the call to n36buff

gives me:
data[0]: 00290091
data[1]: 2C86993F
Vendor: Pxxxx
job+0x08: 0x9C63C202
job+0x0c: 0x3802D9C0
job+0x10: 0x2F0FB6E5
XOR VAL: 0x2fc0d99c
Enc1: 0x2fe9d90d
Enc2: 0x034640a3

still doesnt match yours, maybe iam going wrong somewhere... :/

p.s thanks for the help its really appreciated :)

Ah, I see your mistake.
You're confusing job- and vendorcode-structure!
The vendor-struct is the block you marked JOB and vice-versa.

Your data is consistent with my encseeds :D

Dirk

omg *me dies* thanks man!, worked like a charm, what a silly mistake, my 1000 sorrys :)

JMI, if any of the previous posts need editing for something removing plz do! or just tell me and i will, sorry to waste peoples time :)

hehe another day, another problem :)

today i try to build lmcrypt for my own amusement, so i edit lm_code.h with:

(i got it from lmv8gen)
now i go to C:\Program Files\FLEXlm\v9.2\i86_n3 in a dos promt and run:
"Build", i get the following:

no matter how i change lm_code.h, i always get -44, anybody any ideas about this one ?, this is first time i use lmcrypt.c, i always have used lmcryptgui, thanks!

First thing to do is RTFM.

-44
LM_BADKEYDATA

"Invalid key data supplied."
Invalid FLEXnet Licensing key data was supplied to the lc_new_job() call. Some FLEXnet Licensing functions will be disabled.

Seems your VENDOR_KEYx and/or CRO_KEYn are not correct for vendor "testabc"

Tom

tom: sorry i shoulda said that i did read thru, it and i knew what -44 was.

how would one generate such vendor keys then ?

Thanks.

Hi again!

As you should probably know vendor-keys are changing with each major revision of flexlm. And what does this tell us:If you want to play with CRO either get a v8.x SDK or investigate v9.x CRO-key generation...

Dirk

yea i understand they change, and i have 0 intrest in playing with the cro versions atm, however i did try lmv8gen, found at CrackZ website, on v7, v8, v9.2 of the sdk's with differnt vendor names, all report back -44 during build time, again iam prolly missing something silly.

*edit* got v7.2 SDK working, by using PGC FlexLM Vendor Kegen, must be the lmv8gen, that just didnt worked for me in the 8+ SDK.

Thanks as always.

-Peter