GinFix
February 8th, 2004, 14:43
Hi all
I have a bit of trouble here, understanding a target that
uses FlexLM 7.2i without any goodies like crypt_filters,
checkout_filter ...
I started to examine the lmgr327b.dll in IDA and applied
a sig for 7.2i. Unfortunately l_sg was not revealed. I tried
to follow the path shown in Nolan's essay. Looking for
multiple calls to time() did not work. My target has calls
to time() but they're never taken. I also was unsuccessful
with a search for the compare for the 12345678 demo keys,
where I hoped to find l_sg. After that I tried it by
searching for the push sequence with the following call
to the decoding routine. I found 80 of them. OK, let's go:
I found a few that were actually taken and one of them
seemed promising. I was able to get vendorcode+4 / +8,
but job+8 / +c / +10 were zeroed. Stepping further
and setting breakpoints at job+8 / +c / +10 ... showed
that there was some code that accessed that data, but
never was any info filled in there.
I went back to the zendec demo from Nolan, just to
verify that I'm not making any very basic errors.
BTW, after getting stuck at that point I modified my
license by dropping out the server stuff.
Now the target seems to want 6.1 behaviour while
it would have liked 7.1 before ...
Is there another way to find l_sg? What about the
zeros in job+8/c/10 and the missing time calls?
Did they change anything for 7.2i?
Greetings
GinFix