Exetools  

  #18  
Old 02-09-2009, 03:59
arlequim
IBMSecuritySystemsXForce
 
Join Date: Feb 2009
Location: Punta Entinas-Sabinar, ALMERIMAR
Posts: 295
Quote:
Originally Posted by swork3
Hi, I searched around but I have not found an answer. I have an app using
flexlm 9.x. I followed some tutorial and found VENDOR_KEY1-4 and vc.data[0]
and vc.data[1] (the time() and xor table thing). I got ENCRYPTION_SEED1 and 2;
I tested that 3 times and got the same seed1 and 2, so that is correct.
Now the thing I do not understand fully: is VENDOR_KEY5 generated out of
key1-4 and vendor? Or how can I find that? Thanks.

You don't need any tools to find out ES1, ES2 and VK5. Just locate the l_sg() procedure, as you can see here:

Code:
00417043  |. 8D8D 80FDFFFF  LEA ECX,DWORD PTR SS:[EBP-280]
00417049  |. 51             PUSH ECX                                 
0041704A  |. 8B95 6CFDFFFF  MOV EDX,DWORD PTR SS:[EBP-294]           
00417050  |. 81C2 0C030000  ADD EDX,30C                              
00417056  |. 52             PUSH EDX                                 
00417057  |. 8B85 6CFDFFFF  MOV EAX,DWORD PTR SS:[EBP-294]           
0041705D  |. 50             PUSH EAX                                 
0041705E  |. E8 27040100    CALL xxx.0042748A                   
00417063  |. 83C4 0C        ADD ESP,0C
00417066  |. 81BD 84FDFFFF >CMP DWORD PTR SS:[EBP-27C],87654321
00417070  |. 74 0C          JE SHORT xxx.0041707E
00417072  |. 81BD 88FDFFFF >CMP DWORD PTR SS:[EBP-278],12345678

inside 0042748A
...
00427563  |. 3355 F4        XOR EDX,DWORD PTR SS:[EBP-C]
00427566  |. 3355 E0        XOR EDX,DWORD PTR SS:[EBP-20]
00427569  |. 3355 E4        XOR EDX,DWORD PTR SS:[EBP-1C]
0042756C  |. 8B4D 10        MOV ECX,DWORD PTR SS:[EBP+10]
0042756F  |. 8B41 04        MOV EAX,DWORD PTR DS:[ECX+4]
00427572  |. 33C2           XOR EAX,EDX -> ES1 xored by VK5 = real ES1
...
00427596  |. 334D F4        XOR ECX,DWORD PTR SS:[EBP-C]
00427599  |. 334D E0        XOR ECX,DWORD PTR SS:[EBP-20]
0042759C  |. 334D E4        XOR ECX,DWORD PTR SS:[EBP-1C]
0042759F  |. 8B45 10        MOV EAX,DWORD PTR SS:[EBP+10]
004275A2  |. 8B50 08        MOV EDX,DWORD PTR DS:[EAX+8]
004275A5  |. 33D1           XOR EDX,ECX -> ES2 xored by VK5 = real ES2
All times are GMT +8.