Post #49, 01-14-2014, 12:50, by swlepus
Quote: Originally Posted by nikkapedd
gurandiL, you can build your vendor using lmseeds
lmseeds1= 0x11111111
lmseeds2= 0x22222222
lmseeds3= 0x33333333
then use your new build as base with the tool "PubKey_Replacer170_win". But I tried 3 or 4 times and the tool does not work.
The other way is to build your vendor, but recover the handshake's 4 seeds with IDA. Then use the PubKey_Replacer170_win only for the right pubkey.

Here is the body of the core that you have to find in the original vendor, then put the seeds in your new build
Code:
In the body of this function find code like this:

if ((l_6buff == l_var_3315) && ((l_func_3313 ^ 2296) & 0xff)) l_func_3313 ^= 2296;
if ((l_6buff == (l_var_3315 + 1)) && ((l_func_3313 ^ 7557) & 0xff)) l_func_3313 ^= 7557;
if ((l_6buff == (l_var_3315 + 3)) && ((l_func_3313 ^ 1789) & 0xff)) l_func_3313 ^= 1789;
if ((l_6buff == (l_var_3315 + 2)) && ((l_func_3313 ^ 6361) & 0xff)) l_func_3313 ^= 6361;

The values (not in hex) 2296, 7557, 1789 and 6361 are the 4 seeds for the handshake process.
Find this function in the original vendor daemon and get these values. Replace the values
in your lm_new.c file with the values from the original vendor daemon.
Tested and working by a master flexlm reverser...!!!!!!!
So with this method, we can generate a real key for the original vendor? Is that true?
As far as I know, this is not possible, because the original vendor code does not include the priv key at all.
Can you explain some details?