FlexLM 7.2i


GinFix
February 8th, 2004, 14:43
Hi all

I have a bit of trouble here, understanding a target that
uses FlexLM 7.2i without any goodies like crypt_filters,
checkout_filter ...

I started to examine the lmgr327b.dll in IDA and applied
a sig for 7.2i. Unfortunately l_sg was not revealed. I tried
to follow the path shown in Nolan's essay. Looking for
multiple calls to time() did not work. My target has calls
to time(), but they're never taken. I also was unsuccessful
with a search for the compare for the 12345678 demo keys,
where I hoped to find l_sg. After that I tried it by
searching for the push sequence with the following call
to the decoding routine. I found 80 of them. OK, let's go.
I found a few that were actually taken and one of them
seemed promising. I was able to get vendorcode+4 / +8,
but job+8 / +c / +10 were zeroed. Stepping further
and setting breakpoints at job+8 / +c / +10 ... showed
that there was some code that accessed that data, but
never was any info filled in.
I went back to the zendec demo from Nolan, just to
verify that I'm not making any very basic errors.

BTW, after getting stuck at that point I modified my
license by dropping out the server stuff.
Now the target seems to want 6.1 behaviour, while
it would have liked 7.1 before ...

Is there another way to find l_sg? What about the
zeros in job+8/c/10 and the missing time calls?
Did they change anything for 7.2i?

Greetings

GinFix

JMI
February 8th, 2004, 15:02
GinFix:

This is your first post here and you appear to have a working knowledge of FlexLM so you are obviously no novice, even though you are new to these pages. However, we have a policy of having people search the forums before they post a question. That's why we have it in big red letters at the top of the Forums that one should Read the FAQ and Search before asking a question.

Your post gives no information as to whether or not you followed that guideline, so I ask whether you did, indeed, read the FAQ and any, or all of the 15 other threads which discuss FlexLM 7.2 before you asked your question? If not, please use the search button and use "FlexLM 7.2" and see whether part or all of your question's answer can be found in those prior discussions. If not, indicate you have reviewed them and not found what you are looking for and perhaps someone can guide you further along your way to a solution.

Regards,

GinFix
February 8th, 2004, 15:19
JMI:

Sorry for not mentioning this

I looked throughout the forum. Unfortunately I did not
find a hint that could help me. There were multiple
threads about zeroed job structs, some unanswered,
but some of them were solved by stepping
through the decoding routine.
Maybe I missed something, but I looked quite carefully.

GinFix

JMI
February 8th, 2004, 15:47
And that's all we ask. And indicating you have done so avoids reminders, which are directed at the wider reading public in any case. Hope someone who has spent time with this challenging system is able to help you out. Since this topic really isn't for Newbies, I'm taking the liberty of moving it to the Advanced Forum where it might get more critical reading.

Regards,

GinFix
February 8th, 2004, 16:22
Thanks JMI

GinFix
February 8th, 2004, 20:10
A little update: it seems that I have been wrong ...
I just took a deeper look in the daemon itself.
There are the calls to time; there is also a set_attr
to user_crypt (0F). A bit of work ...

The logfile also reports that the license is invalid
when the server is started. I should have looked there earlier.

It seems that the whole checking is done in the daemon
and the target is just asking the daemon ...
Is that correct? I'm asking because that is my first try
to generate a server-based license.

One thing is still confusing me. Commenting out the
server and daemon lines seems to change the target's
behaviour. No hard set_attr stuff. Maybe that's the easier
way to extract the key. One question left in that case:
Why would a vendor allow that "backdoor"?
Server licenses with user_crypt, nodelocked without
server no user_crypt ???

Any hints ... ?

Thanks

GinFix

redsk_y
February 13th, 2004, 06:30
Hi GinFix,

"It seems that the hole checking is done in the daemon
and the target is just asking the daemon ..."

... sometimes the target asks only the daemon for the license.

Even if you have extracted the right vendor struct (keys and encryption seeds), you also need to reverse the _user_crypt_filter if you want to make
the lmcrypt for your app. Nolan Blender has written an essay on this topic
that can be a good starting point. In fact, after reading this essay, FlexLM changed the way in which they store the values to be XORed with inchar.
Keep in mind that the _user_crypt_filter is only a way to obfuscate the right
license, to make it impossible to sniff it from memory.

"One thing is still confusing me. ..."

It sounds strange... check whether the target and the daemon belong to the same
version.


regards,

rs