SDK 11.x How to find Vendor_Name and Vendor_Key5 in application !!
Hi all,
After 2 weeks of playing with the SDK 11.14 and Demo App. and more than a few night shifts of internet surfing :eek::confused: I am trying to find some info on an old EOL 15 year old Application. The company that sold it is gone with the wind after 3 or 4 take overs.
How can one find the Vendor_Name and Vendor_Key5 in an Application developed with .NET and FLEXNET 11 implemented ?
Or can one calculate the Vendor_Key5 and Vendor_Name with the recovered information I found so far : ES1, ES2, TRL1, TRL2, 239BIT VK1, VK2, VK3, VK4 VN "mips" ? FN "Complete" ?
ES1: FEFC2E17
FEFC2E17 >> ES1 >>>> .textidx:100A43BB mov ecx, [edx+4]
B7794E11 >> ES2 >>>> 8Bytes down in MEM
ES2: B7794E11
TRL1: 0F63E683
0F63E683 TRL1 >>>> .text:100084D3 add edx, eax
TRL2: A22D254C
A22D254C >> TRL2 >>>> .textidx:100D9A96 mov edx, [ecx+eax*4]
4x LOOP for the 4 keys
VK1: F793BF1F
F793BF1F >> VK1>>>> .textidx:100C340A mov eax, [esi+eax*4+0Ch]
VK2: F9633543
F9633543 >> VK2 >>>> .textidx:100C340A mov eax, [esi+eax*4+0Ch]
VK3: 8E0FEF44
8E0FEF44 >> VK3 >>>> .textidx:100C340A mov eax, [esi+eax*4+0Ch]
VK4: 44F6D202
44F6D202 >> VK4 >>>> .textidx:100C340A mov eax, [esi+eax*4+0Ch]
*******************************************************************************************
Update >>> found possible VN "mips" >>>>> using this in the LONG tools doesn't give me the found VendorKeys !!!!!!!!
App can be found at : https://web.archive.org/web/20080908052838/http://www.fs2.com/fpgaview_download/
Possible FEATURE NAME "Complete" found with ORCA in MSI after extracting it from the EXE file
"C:\Program Files (x86)\Fs2\FPGAView\Bin\FPGAView.exe" A    altera tla
"C:\Program Files (x86)\Fs2\FPGAView\Bin\FPGAView.exe" X    xilinx tla
"C:\Program Files (x86)\Fs2\FPGAView\Bin\FPGAView.exe" AV   altera mso
"C:\Program Files (x86)\Fs2\FPGAView\Bin\FPGAView.exe" XV   xilinx mso
*******************************************************************************************
Any suggestions or hints ??
And YES these values have been confirmed by a 3rd party .....will be named later.
Avi
Extra Info:
********************************************************************************************
Code:
textidx:100C33F8 loc_100C33F8: ; CODE XREF: sub_100C33BF+2E↑j HTML Code:
Breakpoints used: HTML Code:
Enable all breakpoints as per file. Except lc_init... app crashes.
------------------------------------------- For Cooking one needs ingredients.:rolleyes: |
bp at so called l_n36_buf (usually the longest (or one of) routines in binary)
@10001090 in this case on return you can see vn in arg0, vcode in arg4 or alike. just play with it. features are "altera" and "xilinx" at 1st sight. though it's really your fun to learn it all yourself. |
Late Night Shift
@Ketan
Nice tip, I should have seen that one coming. There are shortcut links named like that. Also in the official LIC Request web page they asked about what version ?
http://web.archive.org/web/200802281...avieweval.html
>>>> Vendor FS2 was taken over by "mips".
http://web.archive.org/web/200811200...ols/tektronix/
Will do some late night deep debugging...........
------------------------------------------- For Cooking one needs ingredients.:rolleyes: |
I'm working with Gede on this project.
I also came across the l_n36_buf function. Contains a lot of noise, calculating some constants... And then in between stuff like this:

Xref  Line  Column  Pseudocode line
r     1099  12      else if ( buf )
w     1230  6       buf[8] = 0;
w     1341  6       buf[7] = byte_10149020;
w     1354  6       buf[3] = 's';
w     1371  6       buf[2] = 'p';
w     1462  6       buf[4] = byte_10149120;
w     1747  6       buf[1] = 'i';
w     1772  6       buf[5] = byte_10148D7C;
w     1829  7       *buf = 'm';
w     1924  6       buf[6] = byte_10148DDC;
w     1991  6       buf[10] = byte_10148AFC;
w     2082  6       buf[9] = byte_10148B20;

What I also did was attach windbg to the binary, set breakpoints in the lmgr module: bm lmgr11!* and use .dump /ma <to a file location>.dmp and then analyze this minidump in IDA Pro. The advantage is that it is easier to look at and annotate the values in the idb.

For example looking at the dotNet code using dotPeek one of the classes handling the license has the vendorcode embedded:

debug097:07971788 CLicenseObj dd offset aNoSuchFeatureE ; dword0 ; "No such feature exists"
...
debug097:07971788 dd offset aLicense ; gap4
debug097:07971788 db 'tla altera',0,'DIR=C:\altera_lite\' ; field_8
debug097:07971788 db '2.00000000' ; version
debug097:07971788 db 0 ; field_30
debug097:07971788 db 73h ; field_31
debug097:07971788 dw 735Ch ; field_32
debug097:07971788 dd 7973F38h ; a_cIniNm
debug097:07971788 dd 0 ; conxtype
debug097:07971788 dd 2AB6D90h ; field_3C
Vendor code struct starts here
debug097:07971788 dw 4 ; vendor_code.type
debug097:07971788 db 0, 0
debug097:07971788 dd 0FEFC2E17h, 0B7794E11h ; vendor_code.data
debug097:07971788 dd 0F793BF1Fh, 0F9633543h, 8E0FEF44h, 44F6D202h ; vendor_code.keys
debug097:07971788 dw 0Bh ; vendor_code.flexlm_version
debug097:07971788 dw 4 ; vendor_code.flexlm_revision
debug097:07971788 db 0, 0 ; vendor_code.flexlm_patch
debug097:07971788 db 31h, 31h, 2Eh, 30h, 0 ; vendor_code.behavior_ver
debug097:07971788 db 0
debug097:07971788 dd 0F63E683h, 0A22D254Ch ; vendor_code.trlkeys
debug097:07971788 dd 0 ; vendor_code.signs
debug097:07971788 dd 4 ; vendor_code.strength
debug097:07971788 dd 1 ; vendor_code.sign_level
debug097:07971788 dd 10h, 16h, 1Fh ; vendor_code.pubkeyinfo.pubkeysize
debug097:07971788 db 6Fh, 98h, 0F7h, 2Ch, 0ACh, 0E2h, 89h, 0E6h, 0F6h, 0Bh, 0Eh, 87h, 74h; vendor_code.pubkeyinfo.pubkey
debug097:07971788 db 0C7h, 42h, 20h, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0; vendor_code.pubkeyinfo.pubkey
debug097:07971788 db 0, 0, 0, 0, 0, 0, 6Fh, 98h, 0C4h, 8Ch, 0Ch, 0D8h, 42h, 5Fh, 2Ch, 0D9h; vendor_code.pubkeyinfo.pubkey
debug097:07971788 db 19h, 0E9h, 34h, 60h, 0B7h, 10h, 73h, 0ECh, 0D3h, 52h, 37h, 34h, 0, 0; vendor_code.pubkeyinfo.pubkey
debug097:07971788 db 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 70h, 0E5h, 0C1h, 5Bh; vendor_code.pubkeyinfo.pubkey
debug097:07971788 db 0ECh, 63h, 4Ch, 22h, 0Fh, 0A8h, 3Fh, 0F3h, 0D2h, 17h, 0D0h, 7Ah, 47h; vendor_code.pubkeyinfo.pubkey
debug097:07971788 db 0Ah, 0CFh, 8, 85h, 31h, 89h, 8Dh, 98h, 62h, 0EFh, 3Dh, 88h, 0A0h, 9Bh; vendor_code.pubkeyinfo.pubkey
debug097:07971788 db 0, 0, 0, 0, 0, 0, 0, 0, 0 ; vendor_code.pubkeyinfo.pubkey
debug097:07971788 dd offset pubkey_fptr ; vendor_code.pubkeyinfo.pubkey_fptr
[some zeroed out...]
debug097:07971788 dd offset my_lm_handle ; lm_handle_ptr_ptr

The lm_handle_ptr_ptr points to the lm_handle.

debug085:02AB6DA8 my_lm_handle dd 66h ; type
debug085:02AB6DA8 ; DATA XREF: debug085:my_lm_handle↓o
debug085:02AB6DA8 ; debug097:CLicenseObj↓o
debug085:02AB6DA8 dw 0Bh ; version.version.major ;
debug085:02AB6DA8 dw 4 ; version.version.minor
debug085:02AB6DA8 dw 0 ; version.subMinor
debug085:02AB6DA8 dw 0 ; version.patch
debug085:02AB6DA8 dd 0 ; version.build
debug085:02AB6DA8 dw 0 ; version.beta
debug085:02AB6DA8 db 0, 0 ; version.patchStr
debug085:02AB6DA8 db 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0; version.verString
debug085:02AB6DA8 db 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0; version.verString
debug085:02AB6DA8 db 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0; version.verString
debug085:02AB6DA8 db 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0; version.verString
debug085:02AB6DA8 db 0, 0, 0, 0, 0, 0, 0, 0 ; version.verString
debug085:02AB6DA8 dd offset my_lm_handle ; first_job
debug085:02AB6DA8 dd 0 ; next
debug085:02AB6DA8 dd 0FFFFFFFBh ; err_info.maj_errno
debug085:02AB6DA8 dd 165h ; err_info.min_errno
debug085:02AB6DA8 dd 0 ; err_info.sys_errno
debug085:02AB6DA8 dd 0 ; err_info.act_errno
debug085:02AB6DA8 dd 0 ; err_info.lic_files
debug085:02AB6DA8 db 'tla',0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0 ; err_info.feature
debug085:02AB6DA8 db 0
debug085:02AB6DA8 dd 0 ; err_info.context
debug085:02AB6DA8 dd 0 ; err_info.short_err_descr
debug085:02AB6DA8 dd 0 ; err_info.long_err_descr
debug085:02AB6DA8 dd offset unk_5B4DE0 ; err_info.sys_err_descr
debug085:02AB6DA8 dd 0 ; err_info.errstring
debug085:02AB6DA8 dd 0 ; err_info.warn
debug085:02AB6DA8 dw 0FFh ; err_info.mask
debug085:02AB6DA8 db 0 ; err_info.flags
debug085:02AB6DA8 db 0
debug085:02AB6DA8 dd offset my_lm_handle.internalData ; daemon
debug085:02AB6DA8 dd offset off_2AB6FA8 ; options
debug085:02AB6DA8 dd 0 ; redirect
debug085:02AB6DA8 dd offset stru_14374A50 ; line
debug085:02AB6DA8 dd 0 ; packages
debug085:02AB6DA8 dd offset off_7971AE0 ; lic_files
debug085:02AB6DA8 dd 0 ; lfptr
debug085:02AB6DA8 dd 1 ; lm_numlf
debug085:02AB6DA8 dd offset off_143741E0 ; license_file_pointers
debug085:02AB6DA8 dd offset aJIdaTlaFpgavie ; lic_file_strings
debug085:02AB6DA8 db 'mips',0,0,0,0,0,0,0 ; vendor
debug085:02AB6DA8 db 0,0,0,0,0,0,0,0,0,0,0 ; alt_vendor
debug085:02AB6DA8 db 0, 0
debug085:02AB6DA8 dd 0 ; conf

It seems to me that a license key should look something like this:
FEATURE tla mips 2.000 etc.
FEATURE altera mips 2.000 etc
FEATURE xilinx mips 2.000 etc.

The problem however is that in the SDK 11.14 the size of the lm_handle is 0x1B0 while in the actual code 0x1A0 is allocated. Which means that in 11.14 the LM_INTERNAL part is slightly larger than in the 11.4 SDK. If anyone has the 11.4 SDK please let me know where to find it... Or at least the header files in machind. I got to tell, this is fun! |
@FoxB
@FoxB
Hi I found an old link to SDK11.4 but link is dead. HTML Code:
FLEXLM SDK 11.4 Empty Re: FLEXLM SDK 11.4 ------------------------------------------- For Cooking one needs ingredients.:rolleyes: |
|
@FoxB
@FoxB
Thanks, some ingredients for cooking experiments. By any chance the full SDK with x86 and the server setups !!! It turns out you have a nice collection.:) Code:
BfoX For Cooking one needs ingredients.:rolleyes: |
Quote:
If you still have 11.4 for x86 and you can share that would be great. Avi. |
TestApp-02_x64
Hi,
all that are following this thread. A small TestAPP for playing and poking around. :D It was a small challenge to produce this one in 11.9.1.0 x64. https://mega.nz/file/duxjSJbA#F2S4iYl3ykNVr0syQFmMQ8dtq4pFhNZzGqfuvYQMJkY Update: TestApp-03_x86_11.4.0.0 HTML Code:
https://mega.nz/file/Z7R0CA6B#f23JfPtQ_RfvfqeigqfMidryKW_GO463maWoC3shm7M HTML Code:
https://mega.nz/file/J6BADYwb#WmDPK4d5NuXwzRxGIos99zZLIGCdutYbYRwrH65XjFI ------------------------------------------- For Cooking one needs ingredients.:rolleyes: |
Fundamental big difference SDK11.4 and SDK 11.9.1
@FoxB
@Ketan Have been playing peeking and poking around in FPGAView. I am only able to find ES1 ES2 VK1 VK2 VK3 VK4 TRL1 TRL2 and some XX values. Code:
.text:10001763 mov dword_1014875C, eax
SDK 11.9.1 is more sophisticated than SDK11.4, procedures are way different. Am in need of SDK11.4 for further study. So if one of you has it please provide mega link. :o
@Ketan Do you have another tip so that I can go forward ?:(
I also came across a few names that at this time have no meaning to me.
PDS 504453 534450
PLC 504C43 434C50
XKC 584B43 434B58
tla 746C61 616C74 >>> Meaningful
altera ?? NOT FOUND YET !
xilinx ?? NOT FOUND YET !
mso ?? NOT FOUND YET !
Any useful TIP is welcome !!:cool:
------------------------------------------- For Cooking one needs ingredients.:rolleyes: |
From fpgaview:
.rdata:0053A5C8 aTla db 'TLA',0
.rdata:0053A5CC aXilinx db 'xilinx',0
.rdata:0053A5D3 db 0
.rdata:0053A5D4 aAltera db 'altera',0
.rdata:0053A5DB db 0
.rdata:0053A5DC db 28h ; (
.rdata:0053A5DD db 0
.rdata:0053A5DE db 0
.rdata:0053A5DF db 0
.rdata:0053A5E0 aMso db 'MSO',0

Some CLR strings:

.rdata:00574260 aC08bgaakopkLic db '??_C@_08BGAAKOPK@License?4?$AA@',0
.rdata:00574280 aC0lBicicnlj240 db '??_C@_0L@BICICNLJ@2?400000000?$AA@',0
.rdata:005742A3 aC04jiooidodTla db '??_C@_04JIOOIDOD@tla?5?$AA@',0
.rdata:005742BF aC04phpkbmndMso db '??_C@_04PHPKBMND@mso?5?$AA@',0
.rdata:005742DB aC0cdIblhjeggLm db '??_C@_0CD@IBLHJEGG@LM_A_VENDOR_ID_DECLARE?5FAILED?$CIMS@',0
.rdata:0057000C aC03kdglcpgTlaA db '??_C@_03KDGLCPG@TLA?$AA@',0
.rdata:00570025 aC06cnkmnheoXil db '??_C@_06CNKMNHEO@xilinx?$AA@',0
.rdata:00570042 aC06blfnapbhAlt db '??_C@_06BLFNAPBH@altera?$AA@',0 |
Flex is boring.
Anyway, there's no universal way to find features requested. In most cases you just bp @lc_checkout and trace params (feature, version requested). Sometimes they are checked in implicit way (via lc_feat_list, lc_next_conf etc). Here they are in main exe, plain text. I don't think there is any sense in generating garbage like this every decade. Check old fravia and crackz e.g. archives to not reinvent a bicycle. |
If there is anyone to help Gede and me getting the 11.4 SDK, please. This will help us to get to the next level.
I think I've figured out the Features. @ketan I understand your sentiment about reinventing the bicycle again and I've skimmed through the crackz on archive.org. |
OK, hope this is enough at last:
https://www22.zippyshare.com/v/JzPHZumq/file.html |
Some Test Apps for playing NO-TRL, TRL113, TRL163, TRL239
For those who like to play with this stuff.
Some Apps with NO-TRL, TRL113, TRL163, TRL239 and a .NET experiment with all the above variants. HTML Code:
https://mega.nz/file/U2AQzaoZ#wrktpv7lw-lxADAxijI0fg5sXfrTmr5fMJVurjINd6s FLEXlm_Universal_VB_.NET_11.4.0.0_x86.rar TestApp_NO_TRL_11.4.0.0_x86.rar TestApp_TRL113BIT_11.4.0.0_x86.rar TestApp_TRL163BIT_11.4.0.0_x86.rar TestApp_TRL239BIT_11.4.0.0_x86.rar ------------------------------------------- For Cooking one needs ingredients.:rolleyes: |