08-04-2022, 14:18
avics
Join Date: Jul 2022
Location: The Netherlands
I'm working with Gede on this project.
I also came across the l_n36_buf function.
It contains a lot of noise, calculating some constants...
And then, in between, stuff like this:

Xref Line Column Pseudocode line
r 1099 12 else if ( buf )
w 1230 6 buf[8] = 0;
w 1341 6 buf[7] = byte_10149020;
w 1354 6 buf[3] = 's';
w 1371 6 buf[2] = 'p';
w 1462 6 buf[4] = byte_10149120;
w 1747 6 buf[1] = 'i';
w 1772 6 buf[5] = byte_10148D7C;
w 1829 7 *buf = 'm';
w 1924 6 buf[6] = byte_10148DDC;
w 1991 6 buf[10] = byte_10148AFC;
w 2082 6 buf[9] = byte_10148B20;

What I also did was attach WinDbg to the binary, set breakpoints in the lmgr module:
bm lmgr11!*
and, using
.dump /ma <to a file location>.dmp
then analyze this minidump in IDA Pro.

The advantage is that it is easier to look at and annotate the values in the idb.

For example, looking at the .NET code using dotPeek, one of the classes handling the license has the vendor code embedded:

debug097:07971788 CLicenseObj dd offset aNoSuchFeatureE ; dword0 ; "No such feature exists" ...
debug097:07971788 dd offset aLicense ; gap4
debug097:07971788 db 'tla altera',0,'DIR=C:\altera_lite\' ; field_8
debug097:07971788 db '2.00000000' ; version
debug097:07971788 db 0 ; field_30
debug097:07971788 db 73h ; field_31
debug097:07971788 dw 735Ch ; field_32
debug097:07971788 dd 7973F38h ; a_cIniNm
debug097:07971788 dd 0 ; conxtype
debug097:07971788 dd 2AB6D90h ; field_3C

Vendor code struct starts here
debug097:07971788 dw 4 ; vendor_code.type
debug097:07971788 db 0, 0
debug097:07971788 dd 0FEFC2E17h, 0B7794E11h ; vendor_code.data
debug097:07971788 dd 0F793BF1Fh, 0F9633543h, 8E0FEF44h, 44F6D202h ; vendor_code.keys
debug097:07971788 dw 0Bh ; vendor_code.flexlm_version
debug097:07971788 dw 4 ; vendor_code.flexlm_revision
debug097:07971788 db 0, 0 ; vendor_code.flexlm_patch
debug097:07971788 db 31h, 31h, 2Eh, 30h, 0 ; vendor_code.behavior_ver
debug097:07971788 db 0
debug097:07971788 dd 0F63E683h, 0A22D254Ch ; vendor_code.trlkeys
debug097:07971788 dd 0 ; vendor_code.signs
debug097:07971788 dd 4 ; vendor_code.strength
debug097:07971788 dd 1 ; vendor_code.sign_level
debug097:07971788 dd 10h, 16h, 1Fh ; vendor_code.pubkeyinfo.pubkeysize
debug097:07971788 db 6Fh, 98h, 0F7h, 2Ch, 0ACh, 0E2h, 89h, 0E6h, 0F6h, 0Bh, 0Eh, 87h, 74h; vendor_code.pubkeyinfo.pubkey
debug097:07971788 db 0C7h, 42h, 20h, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0; vendor_code.pubkeyinfo.pubkey
debug097:07971788 db 0, 0, 0, 0, 0, 0, 6Fh, 98h, 0C4h, 8Ch, 0Ch, 0D8h, 42h, 5Fh, 2Ch, 0D9h; vendor_code.pubkeyinfo.pubkey
debug097:07971788 db 19h, 0E9h, 34h, 60h, 0B7h, 10h, 73h, 0ECh, 0D3h, 52h, 37h, 34h, 0, 0; vendor_code.pubkeyinfo.pubkey
debug097:07971788 db 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 70h, 0E5h, 0C1h, 5Bh; vendor_code.pubkeyinfo.pubkey
debug097:07971788 db 0ECh, 63h, 4Ch, 22h, 0Fh, 0A8h, 3Fh, 0F3h, 0D2h, 17h, 0D0h, 7Ah, 47h; vendor_code.pubkeyinfo.pubkey
debug097:07971788 db 0Ah, 0CFh, 8, 85h, 31h, 89h, 8Dh, 98h, 62h, 0EFh, 3Dh, 88h, 0A0h, 9Bh; vendor_code.pubkeyinfo.pubkey
debug097:07971788 db 0, 0, 0, 0, 0, 0, 0, 0, 0 ; vendor_code.pubkeyinfo.pubkey
debug097:07971788 dd offset pubkey_fptr ; vendor_code.pubkeyinfo.pubkey_fptr

[some zeroed out...]

debug097:07971788 dd offset my_lm_handle ; lm_handle_ptr_ptr
The lm_handle_ptr_ptr points to the lm_handle.

debug085:02AB6DA8 my_lm_handle dd 66h ; type
debug085:02AB6DA8 ; DATA XREF: debug085:my_lm_handle↓o
debug085:02AB6DA8 ; debug097:CLicenseObj↓o
debug085:02AB6DA8 dw 0Bh ; version.version.major ;
debug085:02AB6DA8 dw 4 ; version.version.minor
debug085:02AB6DA8 dw 0 ; version.subMinor
debug085:02AB6DA8 dw 0 ; version.patch
debug085:02AB6DA8 dd 0 ; version.build
debug085:02AB6DA8 dw 0 ; version.beta
debug085:02AB6DA8 db 0, 0 ; version.patchStr
debug085:02AB6DA8 db 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0; version.verString
debug085:02AB6DA8 db 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0; version.verString
debug085:02AB6DA8 db 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0; version.verString
debug085:02AB6DA8 db 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0; version.verString
debug085:02AB6DA8 db 0, 0, 0, 0, 0, 0, 0, 0 ; version.verString
debug085:02AB6DA8 dd offset my_lm_handle ; first_job
debug085:02AB6DA8 dd 0 ; next
debug085:02AB6DA8 dd 0FFFFFFFBh ; err_info.maj_errno
debug085:02AB6DA8 dd 165h ; err_info.min_errno
debug085:02AB6DA8 dd 0 ; err_info.sys_errno
debug085:02AB6DA8 dd 0 ; err_info.act_errno
debug085:02AB6DA8 dd 0 ; err_info.lic_files
debug085:02AB6DA8 db 'tla',0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0 ; err_info.feature
debug085:02AB6DA8 db 0
debug085:02AB6DA8 dd 0 ; err_info.context
debug085:02AB6DA8 dd 0 ; err_info.short_err_descr
debug085:02AB6DA8 dd 0 ; err_info.long_err_descr
debug085:02AB6DA8 dd offset unk_5B4DE0 ; err_info.sys_err_descr
debug085:02AB6DA8 dd 0 ; err_info.errstring
debug085:02AB6DA8 dd 0 ; err_info.warn
debug085:02AB6DA8 dw 0FFh ; err_info.mask
debug085:02AB6DA8 db 0 ; err_info.flags
debug085:02AB6DA8 db 0
debug085:02AB6DA8 dd offset my_lm_handle.internalData ; daemon
debug085:02AB6DA8 dd offset off_2AB6FA8 ; options
debug085:02AB6DA8 dd 0 ; redirect
debug085:02AB6DA8 dd offset stru_14374A50 ; line
debug085:02AB6DA8 dd 0 ; packages
debug085:02AB6DA8 dd offset off_7971AE0 ; lic_files
debug085:02AB6DA8 dd 0 ; lfptr
debug085:02AB6DA8 dd 1 ; lm_numlf
debug085:02AB6DA8 dd offset off_143741E0 ; license_file_pointers
debug085:02AB6DA8 dd offset aJIdaTlaFpgavie ; lic_file_strings
debug085:02AB6DA8 db 'mips',0,0,0,0,0,0,0 ; vendor
debug085:02AB6DA8 db 0,0,0,0,0,0,0,0,0,0,0 ; alt_vendor
debug085:02AB6DA8 db 0, 0
debug085:02AB6DA8 dd 0 ; conf
It seems to me that a license key should look something like this:

FEATURE tla mips 2.000 etc.
FEATURE altera mips 2.000 etc.
FEATURE xilinx mips 2.000 etc.

The problem, however, is that in SDK 11.14 the size of the lm_handle is 0x1B0, while in the actual code 0x1A0 is allocated.
Which means that for the LM_INTERNAL part, 11.14 is slightly larger than the 11.4 SDK.

If anyone has the 11.4 SDK, please let me know where to find it... Or at least the header files in machind.

I've got to tell you, this is fun!