Handling of FlexNet/FlexLM

[java3ever]

Hello,

There is an application (written in C++/.NET/Java) that uses FlexLM.
I have a license file for the last-but-one version but I would like to adapt it to the current version.
I haven't been able to identify the parts where the license is handled, because the application is split up in many parts and I couldn't even find the part where the license file is read (ProcMon just shows the main application which launches some subprocesses).

Is there a way to generate the SIGN Parts of the license file?
Bruteforcing seems to be impossible, because I don't have the part checking the sign and the number of possibilites is just too big (36^12).

Thanks!

[sendersu]

It was possible to generate only so-called short SIGN
if it occupies a couple of lines - forget about it...

would be nice to show your lic as well

[ketan]

Why 36^12? If you mean short signature (12 hex digits) actually then there's no need to BF at all.

[java3ever]

Oh yeah, you are right, of course...
I forgot that this is hex and not A-Z + 0-9...

License is this:

Code:

#
# COMSOL CLIENT (LMCOMSOL) License File
#        TeAM SolidSQUAD-SSQ
#             26.04.2017
#
FEATURE SERIAL LMCOMSOL 5.3 permanent uncounted \
	VENDOR_STRING=L,FFFF7FFFFFFD3 HOSTID=ANY SN=6464555 TS_OK \
	SIGN=0F393BB299BA
#
# Generic Features
#
PACKAGE SSQ_0000 LMCOMSOL 5.3 COMPONENTS=" ACDC ACO ACOUSTICS \
	BATTERIESANDFUELCELLS CADIMPORT CADREADER CATIA5 CFD CHEM \
	CHEMFLOWSHEET CLIENTSERVER CLUSTERNODE COMSOL COMSOLGUI \
	COMSOLSERVER COMSOLUSER CORROSION DESIGN ECADIMPORT \
	ELECTRICALCIRCUITS ELECTROCHEMISTRY ELECTRODEPOSITION EM ES \
	FATIGUE GEOMECHANICS HEATTRANSFER HT LAYEREDSHELL LLAUTOCAD \
	LLCREOPARAMETRIC LLEXCEL LLINVENTOR LLMATLAB LLPROENGINEER \
	LLREVIT LLSOLIDEDGE LLSOLIDWORKS LLSPACECLAIM MATLIB MEM MEMS \
	MICROFLUIDICS MIXER MOLECULARFLOW MULTIBODYDYNAMICS \
	NONLINEARSTRUCTMATERIALS OPTICS OPTIMIZATION OPTLAB \
	PARTICLETRACING PIPEFLOW PLASMA RAYOPTICS REACTION RF \
	ROTORDYNAMICS SEMICONDUCTOR SME STRUCTURALMECHANICS \
	SUBSURFACEFLOW WAVEOPTICS" SIGN=606F9FF88036
INCREMENT SSQ_0000 LMCOMSOL 5.3 permanent uncounted HOSTID=ANY \
	ISSUER="Team SolidSQUAD" NOTICE="TeAM SolidSQUAD-SSQ" \
	START=01-jan-2016 TS_OK SIGN=61B8D94EC1D0

I'm not just interested in generating the license, but also understanding how the licensing system works.

Thank you!

[ketan]

Since the induction of ECC keys (>15 years ago!) almost nothing has changed in FlexLM core. So, you can use any tutorial of woodman/ravia/crackz/... archives eg.

BTW in this specific case (COMSOL) you have to reverse custom SN algo AFAIR.

[nikkapedd]

the COMSOL suite use standard flexnet licensing with short sign.
I dont know if the last version changed to ECC protection and long sign..
Debug the target with ida and yo'll find the flexnet routine.. If is an exe file you can easly fish the seeds and make a working license.
If the program has changed to ECC, the old trick to patch the 2 flags is not working anymore because flexnet developers covered this hole.. Patch directly the pubkey_verify and make a short standard license...
Or upload the target or the vendor to see if the protection is changed..

vendor: LMCOMSOL

seed1: Exxxxxx3
seed2: 7xxxxxx4

[nathan]

You may also want to check if some generic options are still accepted (i.e. ANY). Some may be disabled and even if you got the right patch the license may not work.