Exetools  

Go Back   Exetools > General > General Discussion

Notices

Reply
 
Thread Tools Display Modes
  #46  
Old 11-19-2013, 11:00
xuehuge xuehuge is offline
Friend
 
Join Date: Sep 2012
Location: China
Posts: 27
Rept. Given: 1
Rept. Rcvd 17 Times in 11 Posts
Thanks Given: 0
Thanks Rcvd at 5 Times in 3 Posts
xuehuge Reputation: 17
i try the xf-flexlm patcher ,it seems not work with v11.6.

Last edited by xuehuge; 11-19-2013 at 11:11.
Reply With Quote
The Following User Says Thank You to xuehuge For This Useful Post:
Indigo (07-19-2019)
  #47  
Old 01-11-2014, 00:43
^o8o^
 
Posts: n/a
Any hints how to get three public key from our lmcrypt ?
If we have got three public key from lmcrypt & use them to patch the daemon then should we also patch the return compare of the public key verify ?
Reply With Quote
  #48  
Old 01-14-2014, 00:15
nikkapedd nikkapedd is offline
VIP
 
Join Date: Mar 2011
Location: ::Bratva::
Posts: 276
Rept. Given: 275
Rept. Rcvd 151 Times in 65 Posts
Thanks Given: 205
Thanks Rcvd at 276 Times in 112 Posts
nikkapedd Reputation: 100-199 nikkapedd Reputation: 100-199
gurandiL, you can build your vendor using lmseeds
lmseeds1= 0x11111111
lmseeds2= 0x22222222
lmseeds3= 0x33333333
then use your new build as base with the tool "PubKey_Replacer170_win".. But i tried 3, 4 times and the tool does not work..
Other way is to build your vendor, but recovering the handshake 4 seeds with ida.. Then use the PubKey_Replacer170_win only for the right pubkey...

Here is the body of the core that you have to find in the original vendor, then put the seeds in your new build
Code:
In the body of this function find code like this:
code
if ((l_6buff == l_var_3315) && ((l_func_3313 ^ 2296) & 0xff)) l_func_3313 ^= 2296;
if ((l_6buff == (l_var_3315 + 1)) && ((l_func_3313 ^ 7557) & 0xff)) l_func_3313 ^= 7557;
if ((l_6buff == (l_var_3315 + 3)) && ((l_func_3313 ^ 1789) & 0xff)) l_func_3313 ^= 1789;
if ((l_6buff == (l_var_3315 + 2)) && ((l_func_3313 ^ 6361) & 0xff)) l_func_3313 ^= 6361;

The values (not in hex) 2296, 7557, 1789 and 6361 are the 4 seeds for the handshake process.
Find this function in the original vendor daemon and get this values. Replace values
in your lm_new.c file with the values from original vendor daemon.
Tested and working by a master flexlm reverser...!!!!!!!



Quote:
then should we also patch the return compare of the public key verify ?
this part is not necessary if you use your pubkey...
Reply With Quote
The Following 2 Users Say Thank You to nikkapedd For This Useful Post:
Indigo (07-19-2019), tonyweb (04-17-2017)
  #49  
Old 01-14-2014, 12:50
swlepus swlepus is offline
Friend
 
Join Date: Nov 2011
Posts: 23
Rept. Given: 6
Rept. Rcvd 5 Times in 2 Posts
Thanks Given: 0
Thanks Rcvd at 6 Times in 5 Posts
swlepus Reputation: 5
Exclamation

Quote:
Originally Posted by nikkapedd View Post
gurandiL, you can build your vendor using lmseeds
lmseeds1= 0x11111111
lmseeds2= 0x22222222
lmseeds3= 0x33333333
then use your new build as base with the tool "PubKey_Replacer170_win".. But i tried 3, 4 times and the tool does not work..
Other way is to build your vendor, but recovering the handshake 4 seeds with ida.. Then use the PubKey_Replacer170_win only for the right pubkey...

Here is the body of the core that you have to find in the original vendor, then put the seeds in your new build
Code:
In the body of this function find code like this:
code
if ((l_6buff == l_var_3315) && ((l_func_3313 ^ 2296) & 0xff)) l_func_3313 ^= 2296;
if ((l_6buff == (l_var_3315 + 1)) && ((l_func_3313 ^ 7557) & 0xff)) l_func_3313 ^= 7557;
if ((l_6buff == (l_var_3315 + 3)) && ((l_func_3313 ^ 1789) & 0xff)) l_func_3313 ^= 1789;
if ((l_6buff == (l_var_3315 + 2)) && ((l_func_3313 ^ 6361) & 0xff)) l_func_3313 ^= 6361;

The values (not in hex) 2296, 7557, 1789 and 6361 are the 4 seeds for the handshake process.
Find this function in the original vendor daemon and get this values. Replace values
in your lm_new.c file with the values from original vendor daemon.
Tested and working by a master flexlm reverser...!!!!!!!
So in this method, we can generate a real key for the original vendor? Is that true?
as far as I know, this is not possible, case the orignal vendor code is not include priv key at all.
Can you explain some details?
Reply With Quote
The Following User Says Thank You to swlepus For This Useful Post:
Indigo (07-19-2019)
  #50  
Old 01-15-2014, 00:07
nikkapedd nikkapedd is offline
VIP
 
Join Date: Mar 2011
Location: ::Bratva::
Posts: 276
Rept. Given: 275
Rept. Rcvd 151 Times in 65 Posts
Thanks Given: 205
Thanks Rcvd at 276 Times in 112 Posts
nikkapedd Reputation: 100-199 nikkapedd Reputation: 100-199
swlepus, I suggest you to read the readme file on the PubKey_Replacer170_win folder, and study the flexlm sdk. I already wrote that second way is working... You need only to know how to work ida pro and how to build the new vendor with VS2008/2010/2012...
Here another part of code from a v11.4 sdk

Code:
		if ((l_6counter == l_2086counter) && ((l_2082buff ^ 12052) & 0xff)) l_2082buff ^= 12052;
		if ((l_6counter == (l_2086counter + 1)) && ((l_2082buff ^ 3205) & 0xff)) l_2082buff ^= 3205;
		if ((l_6counter == (l_2086counter + 3)) && ((l_2082buff ^ 8108) & 0xff)) l_2082buff ^= 8108;
		if ((l_6counter == (l_2086counter + 2)) && ((l_2082buff ^ 8083) & 0xff)) l_2082buff ^= 8083;

The values (not in hex) 12052, 3205, 8108 and 8083 are the 4 seeds for the handshake process.

Last edited by nikkapedd; 01-15-2014 at 00:15.
Reply With Quote
The Following User Says Thank You to nikkapedd For This Useful Post:
Indigo (07-19-2019)
  #51  
Old 03-16-2014, 09:15
flexlm
 
Posts: n/a
Quote:
Originally Posted by nathan View Post
In the perspective of digging deeper into the pubkey patch approach I would like to share few very useful information for those that intend to spend time on it.

Find attached the Generic pubkey replacer made by Tanker (win + linux). I tested the Win version on a couple of targets (v11.10 and v11.9.1) and it identifies the pubkey correctly (I double checked in the vendorcode struct in memory), however, I didn't manage to produce a working license, yet (work in progress as I may be missing something crucial in the generation).

Also I would like to recommend the follwing discussion which is quite informative IMHO:
http://bbs.pediy.com/showthread.php?t=152615

What am missing: reverse the obsucation algorithm used to store the pubkey in the client binary (any help is appreciated: CrackZ may be have something to say about ) (note: not the one the scramble it in memory).

Anyone who would like to join the challenge is more than welcome of course. Feel free to test the Pubkey Replacer and feed back with success/unsuccess stories.

Enjoy !

nathan
i cann't download it..
Reply With Quote
  #52  
Old 04-26-2014, 01:40
FoxB FoxB is online now
VIP
 
Join Date: Jan 2002
Location: Earth...
Posts: 975
Rept. Given: 15
Rept. Rcvd 125 Times in 83 Posts
Thanks Given: 23
Thanks Rcvd at 714 Times in 298 Posts
FoxB Reputation: 100-199 FoxB Reputation: 100-199
@bgptlmzyh: RTFM rule before asking =)
Reply With Quote
The Following User Says Thank You to FoxB For This Useful Post:
Indigo (07-19-2019)
  #53  
Old 05-15-2014, 21:08
NoFlexlm NoFlexlm is offline
Friend
 
Join Date: Jan 2009
Posts: 23
Rept. Given: 2
Rept. Rcvd 0 Times in 0 Posts
Thanks Given: 0
Thanks Rcvd at 1 Time in 1 Post
NoFlexlm Reputation: 0
It seems that there are a lot of new things on Flexnet which I need study again.
Reply With Quote
The Following User Says Thank You to NoFlexlm For This Useful Post:
Indigo (07-19-2019)
  #54  
Old 05-19-2014, 18:59
rcer rcer is offline
Friend
 
Join Date: Dec 2008
Posts: 163
Rept. Given: 5
Rept. Rcvd 9 Times in 8 Posts
Thanks Given: 4
Thanks Rcvd at 24 Times in 20 Posts
rcer Reputation: 9
Hi nikkapedd,

I know how to work IDA & Hexrays decompiler, and tried to locate similar code patterns on a couple of vendor deamons I have on file, but was unable to find anything.

Do you have any tips for me?

rgds

rrer
Reply With Quote
The Following User Says Thank You to rcer For This Useful Post:
Indigo (07-19-2019)
  #55  
Old 05-24-2014, 00:33
nikkapedd nikkapedd is offline
VIP
 
Join Date: Mar 2011
Location: ::Bratva::
Posts: 276
Rept. Given: 275
Rept. Rcvd 151 Times in 65 Posts
Thanks Given: 205
Thanks Rcvd at 276 Times in 112 Posts
nikkapedd Reputation: 100-199 nikkapedd Reputation: 100-199
rcer, if you looking for the handskake seeds, you need the target with the correct signature.. Now load with ida and find the 4/5 references to "handshake". REmember the the values of the seeds are not in hex..
Does anyone know the new obfuscation schema in the new 11.12 fnp that hide the pub and the private key..??? thanks in advance..
Now i'm able to make full working licenses, by building a vendor with my seeds and injecting my pub key...
Reply With Quote
The Following User Says Thank You to nikkapedd For This Useful Post:
Indigo (07-19-2019)
  #56  
Old 05-26-2014, 21:47
rcer rcer is offline
Friend
 
Join Date: Dec 2008
Posts: 163
Rept. Given: 5
Rept. Rcvd 9 Times in 8 Posts
Thanks Given: 4
Thanks Rcvd at 24 Times in 20 Posts
rcer Reputation: 9
nikkapedd, thanks, but I think that I don't fully understand your explanation, I have several original vendor daemons, and when I load them in IDA, then decompile the code with Hexrays decompiler and then try to locate the c - code snippets similar to the ones from your previous post I am unable to find any. What is it that am I doing wrong?
Reply With Quote
The Following User Says Thank You to rcer For This Useful Post:
Indigo (07-19-2019)
  #57  
Old 05-26-2014, 22:28
FoxB FoxB is online now
VIP
 
Join Date: Jan 2002
Location: Earth...
Posts: 975
Rept. Given: 15
Rept. Rcvd 125 Times in 83 Posts
Thanks Given: 23
Thanks Rcvd at 714 Times in 298 Posts
FoxB Reputation: 100-199 FoxB Reputation: 100-199
tell us name of the vendor daemon
Reply With Quote
The Following User Says Thank You to FoxB For This Useful Post:
Indigo (07-19-2019)
  #58  
Old 05-27-2014, 20:45
rcer rcer is offline
Friend
 
Join Date: Dec 2008
Posts: 163
Rept. Given: 5
Rept. Rcvd 9 Times in 8 Posts
Thanks Given: 4
Thanks Rcvd at 24 Times in 20 Posts
rcer Reputation: 9
Fox,

slbsls & scplmd
Reply With Quote
The Following User Says Thank You to rcer For This Useful Post:
Indigo (07-19-2019)
  #59  
Old 05-28-2014, 02:32
nikkapedd nikkapedd is offline
VIP
 
Join Date: Mar 2011
Location: ::Bratva::
Posts: 276
Rept. Given: 275
Rept. Rcvd 151 Times in 65 Posts
Thanks Given: 205
Thanks Rcvd at 276 Times in 112 Posts
nikkapedd Reputation: 100-199 nikkapedd Reputation: 100-199
rcer, Slbsls use the Common vendor technology and is packed with "Virtual protect" like the last version of the slb programs.. You need first to unpack the vendor...
For scplmd is very very easy.. Already can make full licenses with the scplmd vendor..
TRy to build the new vendor with the right seeds, then open the file lm_new.c in the "build" folder. You will see the magic "handshake function".....
Sorry but i do not put any "function" for those 2 vendors....
Reply With Quote
The Following User Says Thank You to nikkapedd For This Useful Post:
Indigo (07-19-2019)
  #60  
Old 05-29-2014, 20:29
rcer rcer is offline
Friend
 
Join Date: Dec 2008
Posts: 163
Rept. Given: 5
Rept. Rcvd 9 Times in 8 Posts
Thanks Given: 4
Thanks Rcvd at 24 Times in 20 Posts
rcer Reputation: 9
nikkapedd,

Thanks & I think I have finally grasped it!. Have a look at the PM I sent to you.

Still have one question. which program do I need to use to unpack Slbsls?

rgds

rcer
Reply With Quote
The Following User Says Thank You to rcer For This Useful Post:
Indigo (07-19-2019)
Reply

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
Alternate Approach to FlexLM Brute-Force Windoze General Discussion 9 10-21-2020 19:23
Anti tamper methods - .Net msaly General Discussion 1 07-27-2020 05:27
Where are the Class methods? 5Alive General Discussion 0 07-28-2005 03:22
Different Detection Methods OHPen General Discussion 0 10-21-2003 10:11


All times are GMT +8. The time now is 14:51.


Always Your Best Friend: Aaron, JMI, ahmadmansoor, ZeNiX, chessgod101
( 1998 - 2024 )