#46
I tried the xf-flexlm patcher; it seems not to work with v11.6.
Last edited by xuehuge; 11-19-2013 at 11:11.
#47
Any hints on how to get the three public keys from our lmcrypt?
If we have got the three public keys from lmcrypt and use them to patch the daemon, then should we also patch the return compare of the public key verify?
#48
gurandiL, you can build your vendor using lmseeds
lmseeds1 = 0x11111111, lmseeds2 = 0x22222222, lmseeds3 = 0x33333333, then use your new build as base with the tool "PubKey_Replacer170_win". But I tried 3, 4 times and the tool does not work. The other way is to build your vendor, but recovering the 4 handshake seeds with IDA. Then use the PubKey_Replacer170_win only for the right pubkey... Here is the body of the core that you have to find in the original vendor, then put the seeds in your new build.
Code:
In the body of this function find code like this:

    if ((l_6buff == l_var_3315) && ((l_func_3313 ^ 2296) & 0xff))
        l_func_3313 ^= 2296;
    if ((l_6buff == (l_var_3315 + 1)) && ((l_func_3313 ^ 7557) & 0xff))
        l_func_3313 ^= 7557;
    if ((l_6buff == (l_var_3315 + 3)) && ((l_func_3313 ^ 1789) & 0xff))
        l_func_3313 ^= 1789;
    if ((l_6buff == (l_var_3315 + 2)) && ((l_func_3313 ^ 6361) & 0xff))
        l_func_3313 ^= 6361;

The values (not in hex) 2296, 7557, 1789 and 6361 are the 4 seeds for the handshake process. in your lm_new.c file with the values from the original vendor daemon. Tested and working by a master flexlm reverser...!!!!!!!
#49
As far as I know, this is not possible, because the original vendor code does not include the priv key at all. Can you explain some details?
#50
swlepus, I suggest you read the readme file in the PubKey_Replacer170_win folder, and study the flexlm SDK. I already wrote that the second way is working... You only need to know how to work IDA Pro and how to build the new vendor with VS2008/2010/2012...
Here is another part of code from a v11.4 SDK.
Code:

    if ((l_6counter == l_2086counter) && ((l_2082buff ^ 12052) & 0xff))
        l_2082buff ^= 12052;
    if ((l_6counter == (l_2086counter + 1)) && ((l_2082buff ^ 3205) & 0xff))
        l_2082buff ^= 3205;
    if ((l_6counter == (l_2086counter + 3)) && ((l_2082buff ^ 8108) & 0xff))
        l_2082buff ^= 8108;
    if ((l_6counter == (l_2086counter + 2)) && ((l_2082buff ^ 8083) & 0xff))
        l_2082buff ^= 8083;

The values (not in hex) 12052, 3205, 8108 and 8083 are the 4 seeds for the handshake process.
Last edited by nikkapedd; 01-15-2014 at 00:15.
#51
#53
It seems that there are a lot of new things in Flexnet which I need to study again.
#54
Hi nikkapedd,
I know how to work IDA and the Hex-Rays decompiler, and tried to locate similar code patterns in a couple of vendor daemons I have on file, but was unable to find anything. Do you have any tips for me? rgds rcer
#55
rcer, if you are looking for the handshake seeds, you need the target with the correct signature. Now load it in IDA and find the 4/5 references to "handshake". Remember that the values of the seeds are not in hex.
Does anyone know the new obfuscation scheme in the new 11.12 FNP that hides the pub and the private key? Thanks in advance. Now I'm able to make full working licenses, by building a vendor with my seeds and injecting my pub key...
#56
nikkapedd, thanks, but I think that I don't fully understand your explanation. I have several original vendor daemons, and when I load them in IDA, decompile the code with the Hex-Rays decompiler and then try to locate C code snippets similar to the ones from your previous post, I am unable to find any. What is it that I am doing wrong?
#59
rcer, Slbsls uses the Common vendor technology and is packed with "Virtual protect" like the last version of the SLB programs. You need first to unpack the vendor...
For scplmd it is very, very easy. I can already make full licenses with the scplmd vendor. Try to build the new vendor with the right seeds, then open the file lm_new.c in the "build" folder. You will see the magic "handshake function"..... Sorry, but I do not post any "function" for those 2 vendors....
#60
nikkapedd,
Thanks, and I think I have finally grasped it! Have a look at the PM I sent to you. I still have one question: which program do I need to use to unpack Slbsls? rgds rcer