Exetools  
problem with seeds ( FLEXnet v10.8.0.1 )

#1  10-17-2006, 18:19  souz (Friend)

Hi!
I have a problem finding the seeds for a program protected with this version of FLEXnet.

Having a pack of 5 daemons, I found that one of them is protected with
FLEXnet Licensing v10.8.0.1 build 18846.

So, for the other 4 daemons I successfully calculated all necessary data and seeds.
For this one:
the vendor keys do not match those calculated with vkey10.exe (from CrackZ's site)

Code:
.text:0054949F                 jz      short loc_5494DB
.text:005494A1                 mov     edx, [ebp+arg_8]; vendor struct
.text:005494A4                 push    edx
.text:005494A5                 mov     eax, [ebp+arg_4]; vendor name
.text:005494A8                 push    eax
.text:005494A9                 mov     ecx, [ebp+arg_0];empty before (AND after call at .005494CD..)

;whats this???
.text:005494AC                 mov     edx, [ecx+198h]
.text:005494B2                 mov     eax, [edx+1CDCh]
.text:005494B8                 add     eax, 528h
.text:005494BD                 push    eax
.text:005494BE                 mov     ecx, [ebp+arg_0]
.text:005494C1                 mov     edx, [ecx+198h]
.text:005494C7                 mov     eax, [edx+1CDCh]

;seems this is a decrypting routine
.text:005494CD                 call    dword ptr [eax+524h]
.text:005494D3                 add     esp, 0Ch
.text:005494D6                 jmp     loc_5495EE
Has anyone tried to find the seeds in FLEXnet 10.8?

The license has this format (NO SIGN1 or SIGN2):
SERVER myhost ANY
VENDOR mydaemon mydaemon
INCREMENT MY_FEATURE my daemon 2005.00 31-dec-2006 1 \
xxxxxxxxxxxxxxxxxxxx VENDOR_STRING=xxxx SS \
ISSUED=01-jan-2006 ck=200 SN=CC:1111-1:111111 \
START=01-jan-2006

xxxxxxxxxxxxxxxxxxxx is the signature, as in a normal license file.

************************ ADD ***************************
Finally, I derived the seeds; it was simply a small shift of the stack parameters:
.text:005494A9 mov ecx, [ebp+arg_0];
.text:005494AC mov edx, [ecx+198h]
.text:005494B2 mov eax, [edx+1CDCh]
.text:005494B8 add eax, 528h

and now eax points to the job[] structure, as it was in the 7.x..9.x versions.

Second question:
can lmcryptgui be used for making the lmcryptxxxx for versions >9.x?
It seems that using behaviour 10.0 and 10.8 I got incorrect results.

I checked the seeds by calculating them again and again, and as a result they are identical at all stages, so it seems they are correct.

Any ideas?
Please, can anyone build the lmcrypt based on my seeds and vendor name, for version 10.0 (FLEXnet 10.8.0.1)?

Thanks!

Last edited by souz; 10-17-2006 at 23:18.
#2  10-18-2006, 06:09  CrackZ (VIP)
Hiya souz,

Not sure what you mean by vendor keys not matching; most of the vendor key generators generate fully functional vendor keys for a given vendor name. This has been discussed before: vendor keys incorporate things like expiry dates for the vendor, and naturally Macrovision seldom generate *full* keys for their customers ;-).

This new FLEXNet code I also ran into about 4 weeks ago; as far as I can tell it's just a very slightly modified _l_sg(). The 3 parameters are exactly the same as in previous versions, and the seeds can be recovered using exactly the same techniques.

Lmcryptgui was built using, I think, v8.x of the SDK; at least what you get from it is a modified v8 lmcrypt.exe. There isn't therefore any support for any different behaviour, but since the SIGN= signature is v7.x and remains supported, I don't see why it wouldn't work with basic FLEXNet signatures as well.

Regards

CrackZ.
#3  10-18-2006, 14:47  souz (Friend)
Thanks. I just put in the obtained seeds and vendor info and compiled SDK 10.8.0.6.
Lmcrypt.exe signs my license.
Because in the old license file there is no CRO (TRL) ECC, I decided to:

#define LM_STRENGTH LM_STRENGTH_DEFAULT
#define LM_SEED1 seed1
#define LM_SEED2 seed2
#define LM_SEED3 random seed

// because I don't use the TRL
#define TRL_KEY1 0x0
#define TRL_KEY2 0x0

The original expired license has a 20-char signature.

So I set it to zero and signed with the compiled lmcrypt.

The new signature is 12 chars long, as normal, but the daemon does not accept the license.

Is it possible to make a 20-char long signature to test the lmcrypt?
*****************************************************
CrackZ,

now I made some tests:
I generated the daemon and lmcrypt with the same name as the original vendor name
and looked in the debugger:
the generated
VENDOR_KEY1
VENDOR_KEY2
VENDOR_KEY3
VENDOR_KEY4
VENDOR_KEY5
in my daemon are identical to those generated with vkey10.exe

but for the SAME name in the ORIGINAL daemon, all these codes are different!
That is what I meant by 'difference'.

Last edited by souz; 10-18-2006 at 16:32.
#4  10-18-2006, 16:56  FoxB (VIP)
> Is it possible to make 20-chars long signature to test the lmcrypt?

lmcrypt.exe -verfmt 5 -i infile -o outfile
#5  10-18-2006, 18:48  souz (Friend)
Version 5 does not support the syntax present in the original licenses, only 6 and above.
All times are GMT +8. The time now is 06:56.