Exetools

Exetools (https://forum.exetools.com/index.php)
-   General Discussion (https://forum.exetools.com/forumdisplay.php?f=2)
-   -   Need some help on this flexlm target (https://forum.exetools.com/showthread.php?t=9207)

Sailor_EDA 02-17-2006 14:16

Need some help on this flexlm target
 
Hi everybody,

I'm trying to generate a licence for a popular EDA tool that uses flexlm 9.2. In the past, I've been quite successful in recovering seeds 1 & 2 as outlined in CrackZ's essay based on Nolan Blender's seed recovery technique, i.e. placing a breakpoint on _l_sg(), tracing through and examining the values of the job structure and the vendor structure.

The problem I'm facing with this particular target is that the breakpoint hits _l_sg() and the vendor structure has values in it, but the job structure never gets populated; it remains exactly as it was when the breakpoint for _l_sg() hit, i.e. 66 followed by 0s.
I can trace the rest of the flexlm routines and I can see when the features are checked out with _lc_checkout() and can see the error being set.

Going back, I traced the sequence of calls, which is as follows:
lc_init()->_l_init()->_l_sg()

After the first _l_sg() hit, it never hits again.

I know I'm being really sparse on information here but if anybody has anything in specific that will help, please let me know and I will post it here.

Thanks

Sailor

dirkmill 02-18-2006 22:45

hi sailor!

if your main concern is getting the seeds you might want to try the following trick courtesy of crackz (hxxp://www.woodmann.com/crackz/Flexlm.htm):

Quote:

"The default value to clean the seeds variable is 3D4DA1D6h. A lot of vendors are lazy or foolish and don't change this default value. So, a very easy way is just search the pattern 3D4DA1D6h in disassembled codes. You'll get a lot of codes like this : mov [ebp-xxxx], 3D4DA1D6h. Just break on every instance containing this value and ....... run. If the program is checking the license, write down the value in [ebp-xxxx] when the first breakpoint is reached. It's your seed1 (not XORed with key5, it's original seed1). The second breakpoint you get, it's seed2. And trace a little back to the function entry, the keys (1~4) are in the parameters. Anyway, this method won't work for every case, but for beginner, it's easy to learn. ;-)."
Alternatively, I would recheck the structure of your dummy license if you're not getting another break on _l_sg() ...

good luck to you,

dirk
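The pattern search in the quote above is easy to automate. The following scanner is an added example for this thread, not code from CrackZ or from any FLEXlm release: it walks raw x86 code bytes, finds every 0x3D4DA1D6 immediate, and classifies the instruction in front of it (mov dword [ebp+disp8], imm32 / mov dword [ebp+disp32], imm32 / mov r32, imm32, or an unrecognised raw hit), giving the breakpoint addresses and the [ebp+disp] slot to read when each breakpoint fires. The sample code bytes, the image base 0x401000 and the function name are constructed for the example.

```python
import struct

# Default value FLEXlm uses to clean the seed variables, per the quote above.
SEED_CLEAN_DEFAULT = 0x3D4DA1D6
_IMM = struct.pack("<I", SEED_CLEAN_DEFAULT)   # little-endian byte pattern

REGS32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]


def find_seed_clean_sites(code, base=0):
    """Scan raw x86 code for 0x3D4DA1D6 immediates.

    Returns (address, operand, form) tuples:
      "disp8"  : C7 45 disp8  imm32 -> mov dword [ebp+disp8],  imm32 (operand = disp)
      "disp32" : C7 85 disp32 imm32 -> mov dword [ebp+disp32], imm32 (operand = disp)
      "reg"    : B8+r imm32         -> mov r32, imm32            (operand = reg no.)
      "raw"    : immediate present with no recognised opcode in front
    address = base + offset of the instruction (of the immediate itself for "raw").
    """
    sites = []
    idx = code.find(_IMM)
    while idx >= 0:
        if idx >= 3 and code[idx - 3] == 0xC7 and code[idx - 2] == 0x45:
            disp = struct.unpack("<b", code[idx - 1:idx])[0]
            sites.append((base + idx - 3, disp, "disp8"))
        elif idx >= 6 and code[idx - 6] == 0xC7 and code[idx - 5] == 0x85:
            disp = struct.unpack("<i", code[idx - 4:idx])[0]
            sites.append((base + idx - 6, disp, "disp32"))
        elif idx >= 1 and 0xB8 <= code[idx - 1] <= 0xBF:
            sites.append((base + idx - 1, code[idx - 1] - 0xB8, "reg"))
        else:
            sites.append((base + idx, None, "raw"))
        idx = code.find(_IMM, idx + 1)
    return sites


def breakpoint_plan(sites):
    """Turn scanner hits into the breakpoint list the quoted method needs."""
    plan = []
    for addr, operand, form in sites:
        if form in ("disp8", "disp32"):
            # Break on the mov; the seed is still in the slot before it executes.
            plan.append("bp 0x%08X  ; then read dword [ebp%+#x]" % (addr, operand))
        elif form == "reg":
            reg = REGS32[operand]
            plan.append("bp 0x%08X  ; mov %s, imm; watch where %s is stored" % (addr, reg, reg))
        else:
            plan.append("0x%08X  ; raw immediate, inspect by hand" % addr)
    return plan


# Constructed sample (not a real FLEXlm function): a prologue, three loads of
# the default value, and an epilogue.
SAMPLE_CODE = bytes.fromhex(
    "55"                        # push ebp
    "8BEC"                      # mov ebp, esp
    "83EC10"                    # sub esp, 0x10
    "C745FC" "D6A14D3D"         # mov dword [ebp-4], 0x3D4DA1D6
    "C785F0FEFFFF" "D6A14D3D"   # mov dword [ebp-0x110], 0x3D4DA1D6
    "B8" "D6A14D3D"             # mov eax, 0x3D4DA1D6
    "33C0"                      # xor eax, eax
    "C9C3"                      # leave ; ret
)

if __name__ == "__main__":
    for line in breakpoint_plan(find_seed_clean_sites(SAMPLE_CODE, 0x401000)):
        print(line)
```

On a real target, feed it the raw bytes of the .text section (the section's virtual address as base) rather than the whole file so that the reported addresses match the disassembler; hits from data sections are still worth a look, but they will come out as "raw".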

Sailor_EDA 02-22-2006 14:29

Hi Dirkmill,

Thanks for the suggestion, but I already tried that. I also tried following the techniques outlined in the wonderful essay "On Software Reverse Engineering - Flexlm, IMSL".

The main problem seems to be that _l_sg() never gets called again from lc_checkout(). I think my best bet is that L_UNIQ_KEY5_FUNC is getting set in lc_init(), but I may not have identified the flags (as in CrackZ's Flexlm2004 essay) correctly, so it's doing the ECC check instead of the old-style check.

Anyways, I'll keep on trying.

Thanks

Sailor

CrackZ 02-23-2006 01:22

Hiya,

The real clue here would be the value lc_checkout() actually returns, and also which version of the FLEXlm library the target uses.

I've seen a few targets recently where HOSTID=ANY is expressly rejected by a local checkout filter, alternatively it could be the format of the fake license is incorrect, either way the return from lc_checkout() should give a starting point.

Most of the targets using the Certicom routines still should call l_sg() the 2nd time, the seeds however won't be recovered. I'm sure you already knew this all anyway but if you've got something I can look at I'd be interested.

Regards

CrackZ.

Sailor_EDA 02-26-2006 03:01

Hi CrackZ,

I've tried playing with the license file, but I don't think it is having much effect, though I could be wrong. I'm playing with the default eval license that you get when you download the app from the company's site. I'll PM you the details. lc_checkout() returns 0xfffffffb, which translates to "No such feature exists".
So I'm a little confused because I know the feature is used and is there in the license file.

Thanks

Sailor
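Since the return code in the post above points at the license file rather than at the seed code, a quick offline sanity check of the fake license is worth doing before tracing any further. The following is an added example written for this thread, not code from FLEXlm or from any poster: it converts the unsigned 32-bit value a debugger shows into the signed int lc_checkout() actually returned (0xfffffffb is -5, which lmclient.h names LM_NOFEATURE), parses the FEATURE/INCREMENT lines of a license file with their backslash continuations, and reports the things this thread has raised as causes of a failed checkout: no line for the requested feature, a vendor daemon name that does not match, and HOSTID=ANY, which CrackZ notes some local checkout filters reject. The sample license text, the vendor daemon name "demod" and the feature names are constructed for the example.

```python
# Constructed sample license file for this example (not the thread's eval
# license); vendor daemon name, feature names and keys are made up.
SAMPLE_LICENSE = """\
SERVER this_host ANY 27000
VENDOR demod
# FEATURE name vendor version exp-date count key [attr=value ...]
FEATURE eda_sim demod 9.2 permanent 1 ABCDEF0123456789 HOSTID=ANY \\
        SIGN=0123
INCREMENT eda_layout demod 9.2 31-dec-2006 2 0123456789ABCDEF HOSTID=ANY
"""


def lc_checkout_status(ret):
    """lc_checkout() returns an int; a 32-bit debugger shows it unsigned."""
    return ret - (1 << 32) if ret & 0x80000000 else ret


def _logical_lines(text):
    """Yield license lines with backslash continuations joined, comments dropped."""
    buf = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):
            buf.append(line[:-1].rstrip())
            continue
        buf.append(line)
        yield " ".join(buf)
        buf = []
    if buf:
        yield " ".join(buf)


def parse_license(text):
    """Map feature name -> list of FEATURE/INCREMENT records in the file."""
    features = {}
    for line in _logical_lines(text):
        toks = line.split()
        if toks[0].upper() not in ("FEATURE", "INCREMENT"):
            continue  # SERVER, VENDOR, USE_SERVER etc. are not feature lines
        if len(toks) < 7:
            raise ValueError("short %s line: %r" % (toks[0], line))
        kw, name, vendor, version, expdate, count, key = toks[:7]
        attrs = {}
        for tok in toks[7:]:          # optional KEY=VALUE attributes
            k, sep, v = tok.partition("=")
            attrs[k.upper()] = v if sep else ""
        features.setdefault(name, []).append({
            "keyword": kw.upper(), "vendor": vendor, "version": version,
            "expdate": expdate, "count": count, "key": key, "attrs": attrs,
        })
    return features


def check_feature(text, name, vendor):
    """Return the reasons a checkout of `name` by daemon `vendor` could fail."""
    problems = []
    recs = parse_license(text).get(name)
    if not recs:
        # This is the case that maps to lc_checkout() == -5 (LM_NOFEATURE).
        problems.append("no FEATURE/INCREMENT line for %s" % name)
        return problems
    for rec in recs:
        if rec["vendor"] != vendor:
            problems.append("%s is issued by vendor daemon %s, not %s"
                            % (name, rec["vendor"], vendor))
        if rec["attrs"].get("HOSTID", "").upper() == "ANY":
            problems.append("%s uses HOSTID=ANY, which some local checkout "
                            "filters reject" % name)
    return problems


if __name__ == "__main__":
    print("lc_checkout() ->", lc_checkout_status(0xfffffffb))
    for feat in parse_license(SAMPLE_LICENSE):
        print(feat, check_feature(SAMPLE_LICENSE, feat, "demod"))
```

Feature names are case sensitive in FLEXlm, so the lookup here is exact; if the checker finds the line but the target still returns -5, the next thing to confirm is that the name the application passes to lc_checkout() (visible as its first string argument at the breakpoint) is the one in the file.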

toro 02-26-2006 16:48

hi
see my posts at
Quote:

http://forum.exetools.com/showthread.php?t=4509
I discussed a way of extracting seeds from the l_stringkey function. It can work even for v9.2.

Sailor_EDA 03-02-2006 13:38

Hi Toro,

So I tried setting a breakpoint on _l_string_key (actually it was called l_ckout_string_key; in the v9.2 sources that I have, lm_ckout.c has
#define l_string_key l_ckout_string_key).

However, the breakpoint never hit on this function. I'm thinking there might be something wrong with my fake license at this point and that's why it may be working.

Anyways thanks for this tip, I'm sure your method will come in handy at some point in the future.

Sailor
