
how to generate "1" instead of "uncounted" license


joyung
April 23rd, 2011, 22:25
I searched the ASCII and replaced "uncounted" with "1" in the 'keygen', but the 20 chars ("5D9E4758BDE996583F0A" before "VENDOR_STRING") don't change accordingly, and the generated license can't pass the check; it seems "uncounted" is hidden in some other place. Can anyone give a suggestion on how to analyze this?

......

2011-4-28

* Closed by Joyung on April 28th. Will follow CrackZ and tedshred's suggestion to learn and study from the FLEXlm basics. Thanks for all of your help. :-)

2011-6-2
* Re-opened to ask for help on 'VENDOR_STRING' encryption method.

Thanks,
Joyung

CrackZ
April 24th, 2011, 07:55
I haven't checked your file so this might not be the answer.

I'm assuming it's an lmcrypt.exe that you have built.

If so, why not just change the license count in the license you are using as a parameter to lmcrypt?

If it's some group's keygen you'll need to modify the license count passed to the structure used during the generation process.

Regards, CrackZ.

joyung
April 24th, 2011, 10:03
Dear CrackZ,

First, thanks a lot for giving reply.

The license file is generated by the keygen, but not in the usual way lmcrypt.exe runs; there is no way to give a license file as a sample input file for lmcrypt.exe, it's hidden in the 'keygen' itself instead.

This keygen was got from the web, built by other guys; I'm a novice at this, and this analysis is too difficult for me. I just replaced the ASCII 'uncounted' in the keygen with '1', but obviously it doesn't work.

It would be very much appreciated if you could have a look at the keygen file and help with the modification or a suggestion.

Thanks again,
Joyung

Darkelf
April 24th, 2011, 11:45
So, yesterday you got your request deleted and still don't get it?
We don't do things on demand here. Period.
We will gladly assist you in learning to do things on your own, but you haven't shown any effort so far (no, downloading someone's keygen from the web does not count).
Right now your posting is a mere crack-request.

You want to learn? Fine, show us you're willing and all will be well.

Regards

joyung
April 24th, 2011, 20:32
Hi Darkelf,

Sorry, I really didn't know I hadn't followed the forum rules; I'll modify the post to ask for suggestions instead of asking for a crack then.

Thanks for the trouble.

Joyung

joyung
April 24th, 2011, 20:38
Hi Darkelf,

I modified my post; would you help check whether it is OK? If it still breaks the rules, please delete my post.

Thanks for the trouble,
Joyung

Woodmann
April 24th, 2011, 20:41
Howdy,

I will acquiesce to CrackZ on this one.

If I don't see a reply by him in the next 24,
it goes the way of all requests.

Woodmann

CrackZ
April 25th, 2011, 12:41
I've decided not to help you in the conventional sense as all you really want to do is modify a scene keygen for your own purposes. I will instead offer several suggestions and you can choose whether to take them or not.

1. This keygen links lmgr.lib from the v8.3b FLEXlm SDK and is in fact little more than a GUI on top of lmcrypt.

2. Knowing 1; you can either modify the keygen to utilise a counted license instead of an uncounted one (hint: you don't modify the 'uncounted' string), or you could recover the seeds from the keygen and build your own lmcrypt. I suggest the latter.

Without some evidence that you have done some elementary debugging or searching for a solution, I won't assist you any more than this.

Regards, CrackZ.

tedshred
April 25th, 2011, 15:10
"lmcrypt" programs using FlexLM 6.1 for this software vendor used "permutation tables" in the license generation process. I do not know if this is the case for the keygen program in question. If it is, you can search this forum for more info. It may be easier to modify the program using a debugger.

CrackZ
April 25th, 2011, 15:51
Checking my archives.

As tedshred says; this vendor uses its own defined encryption scheme so recovering the seeds and building lmcrypt will not be enough.

This is beyond you.

With the above in mind, you need to understand how the FLEXlm license buffer is constructed and what data is used for the license count, then modify it live in a debugger as tedshred suggests.

You've hit a brick wall.

Regards, CrackZ.

joyung
April 25th, 2011, 20:53
Hi CrackZ&tedshred,

Thank you so much for checking and for your suggestions. Although it is too difficult for me for lack of some basic knowledge, I will follow your suggestion and study it by myself first instead of asking for a crack directly.

Also thanks to Woodmann for acquiescing to CrackZ on my case.

Thanks again,
Joyung

joyung
April 25th, 2011, 23:55
Quote:
[Originally Posted by tedshred;90137]"lmcrypt" programs using FlexLM 6.1 for this software vendor used "permutation tables" in the license generation process. I do not know if this is the case for the keygen program in question. If it is, you can search this forum for more info. It may be easier to modify the program using a debugger.


Hi tedshred,

Following your suggestion, I searched the forum and found someone recommending the essay below for studying and understanding Crypt Filters first.

Do you know whether there is a "demonstration "blenderd" program" that can be downloaded for reference and study?

Thanks in advance,
Joyung

tedshred
April 26th, 2011, 13:22
I don't know of a blenderd.exe example daemon file available for download. If you can find/get a version 8 FlexLM SDK, you can use the source files for the demo.exe example daemon as a starting point for modification. I can't help you with finding the SDK.

joyung
April 26th, 2011, 20:28
Quote:
[Originally Posted by tedshred;90144]I don't know of a blenderd.exe example daemon file available for download. If you can find/get a version 8 FlexLM SDK, you can use the source files for the demo.exe example daemon as a starting point for modification. I can't help you with finding the SDK.


Thanks, tedshred.

joyung
April 27th, 2011, 02:47
After setting a "memory breakpoint" at '01284BDC' and a long trace, I see the code below:

77C160C1 8917 MOV DWORD PTR DS:[EDI],EDX
77C160C3 83C7 04 ADD EDI,4
77C160C6 BA FFFEFE7E MOV EDX,7EFEFEFF
77C160CB 8B01 MOV EAX,DWORD PTR DS:[ECX]
77C160CD 03D0 ADD EDX,EAX
77C160CF 83F0 FF XOR EAX,FFFFFFFF
77C160D2 33C2 XOR EAX,EDX
77C160D4 8B11 MOV EDX,DWORD PTR DS:[ECX]
77C160D6 83C1 04 ADD ECX,4
77C160D9 A9 00010181 TEST EAX,81010100
77C160DE ^ 74 E1 JE SHORT msvcrt.77C160C1

It generates the 20 chars (before VENDOR_STRING, 4D6EE7EB79F91B901558 by default) here, but I don't know how to go on with the analysis.

Although it may be a long way for me, it seems I'd better follow CrackZ and tedshred's suggestion to learn and study from the basics.

joyung
June 2nd, 2011, 10:48
To CrackZ&tedshred,

After studying the related documents, I learned that a counted license must have a 'SERVER line'; after a long time trying, I added it in the keygen and generated the license successfully.

As tedshred said, 'this software vendor used "permutation tables" in the license generation process', I studied Nolan Blender's essay on Crypt Filters, finally got the xor and permutation tables, and then generated lmcrypt for the right license.

Although I can generate the license with both the "SSS" feature and other features now, I still don't understand how the SSS feature is generated (the keygen is OK, but I only modified it and don't fully understand the method). Here I want to ask: what encryption method is used for this SSS feature? A more direct question is 'what encryption method is related to "VENDOR_STRING"'? Is there any essay that can be referenced for further study?

INCREMENT SSS daemon 1.0 31-dec-2020 1 6D9EC78249D7B1526C91 \
VENDOR_STRING="da2b6 85c22 8ef06 ef1b6 2e26b b451f b16a6 94ec6 \
17e02 062" HOSTID=006625c160ca ISSUER=TEST NOTICE="Licensed for \
study [PLEASE DO NOT DELETE THIS SSS KEY]" SN=RK:0:0:0 \
START=1-jan-2006

Thanks,
Joyung

FoxB
June 3rd, 2011, 10:23
Try to monitor the attribute tags [lc_set_attr(lm_job,...)] in your client app, not in the daemon snpslmd.exe.

Maybe 'lm_attr.h' from your favorite FlexLM SDK helps you...

joyung
June 3rd, 2011, 11:49
Quote:
[Originally Posted by FoxB;90424]Try to monitor the attribute tags [lc_set_attr(lm_job,...)] in your client app, not in the daemon snpslmd.exe.

Maybe 'lm_attr.h' from your favorite FlexLM SDK helps you...


Hi FoxB,

Thank you so much for your instruction; that gives me the right direction to go on studying, maybe I was working the wrong way.

May I ask some more questions?
<1> Does the file 'sssverify' contain the encryption also? The client app is too big; if I debug 'sssverify', that will be more convenient.
<2> Does this encryption use "vendor defined checkout filters" similar to Amante4's essay below on "vendor defined checkout filters"?
http://www.reteam.org/ID-RIP/database/essays/amante/flexlm2.htm
<3> I still feel confused about 'not in daemon snpslmd.exe', for when I add a fake (but still with the right xor and permutation tables) SSS feature in the license file and start the license with lmgrd, it reports 'The SSS features are garbled'; does that mean this version of 'snpslmd' includes the encryption method also?

Thanks again,
Joyung

joyung
March 21st, 2012, 21:09
(Since a long time has passed, I wanted to open a new thread for this question, but it's locked; I'm not sure whether that was caused by cross posting.)

2011-6-2

* Re-opened to ask for help on 'VENDOR_STRING' encryption method.

Can anyone help to check this 'VENDOR_STRING' encryption method? Many thanks!

FoxB
March 22nd, 2012, 06:53
Yes, I'm wrong. I have the old vendor daemon file without "SSS". The new one has this:

.004338EA: 53 push ebx
.004338EB: E80A030000 call .000433BFA --1
.004338F0: 59 pop ecx
.004338F1: 59 pop ecx
.004338F2: 47 inc edi
.004338F3: 3B7D08 cmp edi,[ebp][8]
.004338F6: 7CDB jl .0004338D3 --2
.004338F8: 53 push ebx
.004338F9: E88B030000 call .000433C89 --3
.004338FE: 85C0 test eax,eax
.00433900: 59 pop ecx
.00433901: 7F0A jg .00043390D --4
.00433903: 6850035F00 push 0005F0350 ;'The SSS features are garbled'
.00433908: E9D1000000 jmp .0004339DE --6
.0043390D: 53 push ebx

joyung
March 22nd, 2012, 10:47
Thanks, FoxB. Then do you know which technology is used for this SSS license with 'VENDOR_STRING'?

FoxB
March 22nd, 2012, 11:57
Try to break at
.text:004337AD sub_4337AD proc near ; CODE XREF: sub_401EB4+255

or on the string

.rdata:005F0344 ; char aSsst[]
.rdata:005F0344 aSsst db 'SSST',0 ; DATA XREF: sub_4337AD+1C2o
.rdata:005F0344 ; sub_435FA7+15Co ...

.rdata:005F034C ; char aSss[]
.rdata:005F034C aSss db 'SSS',0 ; DATA XREF: sub_4337AD+17Do
.rdata:005F034C ; sub_435FA7+14Bo ...


The daemon uses:

43258D: found sparse constants for MD5
432D62: found sparse constants for MD4
48AFA2: found sparse constants for SHA-1
4AF4F4: found sparse constants for SHA-1
4AF824: found sparse constants for MD4
5EF170: found const array Blowfish_p_init (used in Blowfish)
5EF170: found sparse constants for HAVAL
5EF190: found const array HAVAL_mc2 (used in HAVAL)
5EF1B8: found const array Blowfish_s_init (used in Blowfish)
5EF210: found const array HAVAL_mc3 (used in HAVAL)
5EF290: found const array HAVAL_mc4 (used in HAVAL)
5EF310: found const array HAVAL_mc5 (used in HAVAL)
618428: found const array DES_ip (used in DES)
618468: found const array DES_fp (used in DES)
6184A8: found const array DES_pc1 (used in DES)
6184F0: found const array DES_pc2 (used in DES)
618520: found const array DES_sbox (used in DES)
618720: found const array DES_p32i (used in DES)
61DBA8: found const array MD2_S (used in MD2)
622FC8: found const array CRC32_m_tab (used in CRC32)
623490: found const array Blowfish_p_init (used in Blowfish)
623490: found sparse constants for HAVAL
6234B0: found const array HAVAL_mc2 (used in HAVAL)
6234D8: found const array Blowfish_s_init (used in Blowfish)
623530: found const array HAVAL_mc3 (used in HAVAL)
6235B0: found const array HAVAL_mc4 (used in HAVAL)
623630: found const array HAVAL_mc5 (used in HAVAL)
Found 27 known constant arrays in total.

The vendor string for the SSS feature can be a hash value from the host/SN/ISSUER/version/exp date. I don't know.

add:
.textidx:00550A90 lm_set_attr
and
.textidx:0055EA80 lm_get_attr

FoxB
March 22nd, 2012, 12:52
I tried to change VENDOR_STRING from "bd... to "ad... and re-sign the license. All OK.

13:49:34 (snpslmd) FLEXnet Licensing version v11.6.1.6 build 77180 i86_n3
13:49:36 (snpslmd) Synopsys Corporate Licensing (SCL) Release: version SCL_11.1
13:49:36 (snpslmd) Server started on 12345678 for: SSS
13:49:36 (snpslmd)
13:49:36 (snpslmd) Licenses are case sensitive for TE_CATS
13:49:36 (snpslmd)
13:49:36 (snpslmd) EXTERNAL FILTERS are OFF

SERVER 12345678 008048264d90 1700
DAEMON snpslmd daemon.exe
USE_SERVER
INCREMENT SSS snpslmd 1.0 28-jul-2020 1 49D455A5BFEA \
VENDOR_STRING="ad....fd 05c" \
ISSUER="Synopsys Inc." NOTICE="[PLEASE DO NOT \
DELETE THIS SSS KEY]" SN=RK:0:0:891808

add: the VS has a length of 24 bytes and is used in the Blowfish cipher

FoxB
March 22nd, 2012, 14:08
Next I tried to debug the Check.exe from Synopsys.

The initial string for the MD5 hash inside sub_4173DE:
ripped from the ISSUER="" and NOTICE="" context and 2 dwords.

[PLEASE DO NOT DELETE THIS SSS KEY]Synopsys Inc.0x000000000x5f1f6a80

.text:00417566 lea eax, [ebp+hash]
.text:00417569 push eax
.text:0041756A call sub_4173DE

I don't know about the last 2 dwords.
Hash it and you get:

8D EA AC 0F 68 8C 2F 86 55 CF 22 2F 32 74 F6 76

Next it is used in the Blowfish init:
.text:00417576 lea ecx, [ebp+hash]
.text:00417579 push ecx
.text:0041757A push eax ; BF init table
.text:0041757E call Blowfish_init

and VENDOR_STRING is used for the Blowfish cipher:
.text:00417595 push eax ; vendor_string length 0x18
.text:00417596 push edi ; vendor_string
; DB 9C 49 72 1A 44 79 9F 0E 5A 5C 65 18 DF 89 C6 EF D7 C5 28 B9 FD 0D C5
.text:00417597 push [ebp+var_24] ; after BlowFish init table
.text:0041759A call BlowFish_Cipher

.text:004175A2 cmp byte ptr [edi], 0F0h
.text:004175A5 jnz loc_41777D
.text:004175AB cmp byte ptr [edi+1], 0Dh
.text:004175AF jnz loc_41777D
.text:004175B5 mov al, [edi+2]
.text:004175B8 mov ebx, ds:__imp_ntohs
.text:004175BE mov byte ptr [ebp+netlong], al
.text:004175C1 mov al, [edi+3]
.text:004175C4 mov byte ptr [ebp+netlong+1], al
.text:004175C7 push dword ptr [ebp+netlong] ; netshort
.text:004175CA call ebx ; __imp_ntohs
................

Final: I don't have a valid vendor_string for my PC and can't research further...

joyung
March 22nd, 2012, 20:51
Quote:
[Originally Posted by FoxB;92104]

Final: I don't have a valid vendor_string for my PC and can't research further...


Dear FoxB,

I sent you a PM to provide more information; would you have a look?

Thank you so much for your help, it's valuable for me to study.

FoxB
March 23rd, 2012, 07:40
Check my answer in the PM.

joyung
March 23rd, 2012, 22:42
Thanks, FoxB. Now I know 'VENDOR_STRING' may use Blowfish; I'll go on studying.

Anyone who can give more help is still welcome and very much appreciated.

joyung
March 24th, 2012, 01:36
The question I mostly want to ask is: if the Blowfish algorithm is used to generate the 'VENDOR_STRING', how is the length of 'VENDOR_STRING' controlled?

ex.

If I want to output a 'VENDOR_STRING' with length=48, how do I realize that with the Blowfish algorithm?
If I want to output a 'VENDOR_STRING' with length=568, how do I realize that with the Blowfish algorithm?

FoxB
March 24th, 2012, 22:23
The length is param no. 3 in the Blowfish cipher call.

joyung
March 25th, 2012, 23:12
Quote:
[Originally Posted by FoxB;92124]The length is param no. 3 in the Blowfish cipher call.


Dear FoxB,

Based on your check, I studied the Blowfish algorithm and wanted to understand the 'VENDOR_STRING' generation, but still failed due to my limited knowledge.

May I ask for more help from you? I just sent you a PM; would you have a look?

Thanks a lot!

joyung
March 26th, 2012, 02:58
Quote:
[Originally Posted by FoxB;92104]Next I tried to debug the Check.exe from Synopsys.

The initial string for the MD5 hash inside sub_4173DE:
ripped from the ISSUER="" and NOTICE="" context and 2 dwords.

[PLEASE DO NOT DELETE THIS SSS KEY]Synopsys Inc.0x000000000x5f1f6a80

.text:00417566 lea eax, [ebp+hash]
.text:00417569 push eax
.text:0041756A call sub_4173DE

I don't know about the last 2 dwords.
Hash it and you get:

8D EA AC 0F 68 8C 2F 86 55 CF 22 2F 32 74 F6 76

Next it is used in the Blowfish init:
.text:00417576 lea ecx, [ebp+hash]
.text:00417579 push ecx
.text:0041757A push eax ; BF init table
.text:0041757E call Blowfish_init

and VENDOR_STRING is used for the Blowfish cipher:
.text:00417595 push eax ; vendor_string length 0x18
.text:00417596 push edi ; vendor_string
; DB 9C 49 72 1A 44 79 9F 0E 5A 5C 65 18 DF 89 C6 EF D7 C5 28 B9 FD 0D C5
.text:00417597 push [ebp+var_24] ; after BlowFish init table
.text:0041759A call BlowFish_Cipher



I guess the MD5 hash is part of the 'Plain Text String' for Blowfish; if I can find out the 'Plain Text String' and the 'Key' for Blowfish, then the 'VENDOR_STRING' can be generated.

FoxB
March 26th, 2012, 04:40
first:
8D EA AC 0F 68 8C 2F 86 55 CF 22 2F 32 74 F6 76 = MD5( [PLEASE DO NOT DELETE THIS SSS KEY]Synopsys Inc.0x000000000x5f1f6a80 )

second:
BlowFish_Init( 8D EA AC 0F 68 8C 2F 86 55 CF 22 2F 32 74 F6 76 )

final:
deciphered = BlowFish_Cipher( DB 9C 49 72 1A 44 79 9F 0E 5A 5C 65 18 DF 89 C6 EF D7 C5 28 B9 FD 0D C5 )

and

first:
8D EA AC 0F 68 8C 2F 86 55 CF 22 2F 32 74 F6 76 = MD5( [PLEASE DO NOT DELETE THIS SSS KEY]Synopsys Inc.0x000000000x5f1f6a80 )

second:
BlowFish_Init( 8D EA AC 0F 68 8C 2F 86 55 CF 22 2F 32 74 F6 76 )

final:
VENDOR_STRING like DB 9C 49 72 1A 44 79 9F 0E 5A 5C 65 18 DF 89 C6 EF D7 C5 28 B9 FD 0D C5 = BlowFish_Cipher( deciphered )

joyung
March 26th, 2012, 05:18
Quote:
[Originally Posted by FoxB;92132]first:
8D EA AC 0F 68 8C 2F 86 55 CF 22 2F 32 74 F6 76 = MD5( [PLEASE DO NOT DELETE THIS SSS KEY]Synopsys Inc.0x000000000x5f1f6a80 )

second:
BlowFish_Init( 8D EA AC 0F 68 8C 2F 86 55 CF 22 2F 32 74 F6 76 )

final:
deciphered = BlowFish_Cipher( DB 9C 49 72 1A 44 79 9F 0E 5A 5C 65 18 DF 89 C6 EF D7 C5 28 B9 FD 0D C5 )

and

first:
8D EA AC 0F 68 8C 2F 86 55 CF 22 2F 32 74 F6 76 = MD5( [PLEASE DO NOT DELETE THIS SSS KEY]Synopsys Inc.0x000000000x5f1f6a80 )

second:
BlowFish_Init( 8D EA AC 0F 68 8C 2F 86 55 CF 22 2F 32 74 F6 76 )

final:
VENDOR_STRING like DB 9C 49 72 1A 44 79 9F 0E 5A 5C 65 18 DF 89 C6 EF D7 C5 28 B9 FD 0D C5 = BlowFish_Cipher( deciphered )

Hi FoxB,

It seems you have worked it out, but sorry, I still haven't understood. You say VENDOR_STRING is got from:
VENDOR_STRING like DB 9C 49 72 1A 44 79 9F 0E 5A 5C 65 18 DF 89 C6 EF D7 C5 28 B9 FD 0D C5 = BlowFish_Cipher( deciphered )

But,
deciphered = BlowFish_Cipher( DB 9C 49 72 1A 44 79 9F 0E 5A 5C 65 18 DF 89 C6 EF D7 C5 28 B9 FD 0D C5 )

Then is there a loop call between deciphered and VENDOR_STRING?
If there is no valid license, how do you get this value of 'DB 9C 49 72 1A 44 79 9F 0E 5A 5C 65 18 DF 89 C6 EF D7 C5 28 B9 FD 0D C5' that you see at 00417569? Would you give more explanation? Thanks!

FoxB
March 26th, 2012, 06:30
RTFM

joyung
March 26th, 2012, 20:21
Quote:
[Originally Posted by FoxB;92135]RTFM


joyung
March 26th, 2012, 20:24
Quote:
[Originally Posted by FoxB;92104]Next I tried to debug the Check.exe from Synopsys.

The initial string for the MD5 hash inside sub_4173DE:
ripped from the ISSUER="" and NOTICE="" context and 2 dwords.

[PLEASE DO NOT DELETE THIS SSS KEY]Synopsys Inc.0x000000000x5f1f6a80

.text:00417566 lea eax, [ebp+hash]
.text:00417569 push eax
.text:0041756A call sub_4173DE

I don't know about the last 2 dwords.

The former one is the encryption of the 'START' date, and the latter one is the encryption of the 'EXPIRE' date.

joyung
March 28th, 2012, 22:53
Hi FoxB,

I almost understand your inputs now; I still want to get your help on the last step. Would you check the PM?

Thanks for your time and trouble!

joyung
April 3rd, 2012, 09:33
Thanks for FoxB's help. Can anyone go on to help with what message is encrypted into the 'VENDOR_STRING' and direct how to debug it? I only understand part of the numbers.

It seems not easy...... I can PM to provide some more information if needed; thanks in advance.

joyung
April 10th, 2012, 03:57
Sorry, I just found that the latter part of 'VENDOR_STRING' only exists in the lic and is not checked in the lic checker, nor in the daemon file, nor in the application file, so only the former part matters; the latter part only contributes to the SIGN check. FoxB's check results are almost all that can be gotten at present.