FlexLM - The "flexible" license manager

http://www.globetrotter.com - Webpage.
ftp://ftp.globes.com - FTP.

If you are at all familiar with some of the expensive CAD and engineering applications released by certain warez groups, you are probably already very familiar with the FlexLM scheme. To be fair to GlobeTrotter, they aren't marketing their product as a crack-proof solution, unlike certain dongle snake-oil sellers. The basic concept behind FlexLM is a license/server arrangement; you can probably find the main HTML manual around the web.

The first thing you'll want to get is the FlexLM SDK (I'm using v6.1 here, which you may have to FTP search for). Sure enough, this file is protected using another of GlobeTrotter's schemes (FLEXcrypt). I tried unsuccessfully to obtain a key for this from GlobeTrotter (I'm pretty sure they verify all your details by phone before passing you the key, so don't waste your time with their form; head direct for the FTP).

There are 5 essays dealing with how to get a valid FLEXcrypt key on Fravia's site, so I don't propose to cover it here; a small brute-force program will do the trick. In fact, when I first did this I used a Windows-based macro player that basically ran FlexLM.exe and tried the key (the last 2 digits are the ones to force); if it failed, increment and try again (you get the picture). With the delays I had to insert into the macro loop, this took something of the order of 5 minutes.

My target program SDS/2 is a CAD program and VERY expensive. Identifying FlexLM targets isn't really very hard: most of the time the documentation will advise you that license.dat is required, and some protectionists even ship the FlexLM end-user documentation. If you are still unsure, look for the license manager dll, lmgrxxxx.dll. Depending on your OS you'll next need to configure the FlexLM environment settings. Now to the target.

The FlexLM system is based around 8 parameters :-

Vendor specific Code.
Vendor Keys 1-4.
Seed Codes 1 & 2.
Vendor Key 5.

I developed a pretty simple way to find all of these values really quickly. First, disassemble your target (assuming it isn't packed) and establish which version of the license manager dll is being used; you should load this into SoftICE's loader. Next set a bpx for lc_init :-

0137:008689FF PUSH ESI
0137:00868A00 PUSH 00EA189C
0137:00868A05 PUSH 00B28AD8 <-- struct
0137:00868A0A XOR ESI,ESI
0137:00868A0C PUSH 00AA9558 <-- VENDOR_NAME
0137:00868A11 PUSH ESI <-- prevjob
0137:00868A12 CALL LMGR326B!lc_init

In this case the vendor name is "dsndata". Now let's take a closer look at the parameter I've marked struct.

04 00 00 00  91 CA 9D F6  A0 67 5B CD  DF EC 26 2B
AA F2 83 5C  EF 77 83 F9  C9 B6 D5 7D  06 00 01 00

This struct is an absolute gift, believe me; these parameters are actually as follows :-

F69DCA91h - Seed Code 1 XOR Vendor Key 5.
CD5B67A0h - Seed Code 2 XOR Vendor Key 5.
2B26ECDFh - Vendor Key 1.
5C83F2AAh - Vendor Key 2.
F98377EFh - Vendor Key 3.
7DD5B6C9h - Vendor Key 4.
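As an added illustration (this is not code from the original page), the following Python decodes the 32-byte dump shown above into the little-endian DWORDs the list names, so you can see why the raw bytes read as they do. The dump bytes are copied from the page; the field names are this example's own labels, and the first and last DWORDs (04 00 00 00 and 06 00 01 00), which the page does not explain, are returned only as raw header/trailer values.

```python
import struct

# Copy of the 32-byte struct dump the page shows at 00B28AD8 (SoftICE data window).
STRUCT_DUMP = bytes.fromhex(
    "04000000" "91CA9DF6" "A0675BCD" "DFEC262B"
    "AAF2835C" "EF7783F9" "C9B6D57D" "06000100"
)

# Field labels are this example's own; they follow the page's list of what each
# DWORD holds. The page does not explain the first and last DWORDs.
FIELD_NAMES = (
    "header",          # 04 00 00 00, not decoded by the page
    "seed1_xor_key5",  # Seed Code 1 XOR Vendor Key 5
    "seed2_xor_key5",  # Seed Code 2 XOR Vendor Key 5
    "vendor_key1",
    "vendor_key2",
    "vendor_key3",
    "vendor_key4",
    "trailer",         # 06 00 01 00, not decoded by the page
)


def decode_vendor_struct(raw: bytes) -> dict:
    """Unpack the struct as eight little-endian 32-bit words keyed by FIELD_NAMES."""
    if len(raw) < 32:
        raise ValueError(f"need at least 32 bytes, got {len(raw)}")
    words = struct.unpack_from("<8I", raw)  # x86 stores DWORDs little-endian
    return dict(zip(FIELD_NAMES, words))


def format_fields(fields: dict) -> list:
    """Render each field the way the page lists them, e.g. '2B26ECDFh - vendor_key1'."""
    return [f"{value:08X}h - {name}" for name, value in fields.items()]


if __name__ == "__main__":
    for line in format_fields(decode_vendor_struct(STRUCT_DUMP)):
        print(line)
```

The point for anyone designing a licensing scheme is the one the page makes: the vendor keys sit in a plain data structure passed by pointer to lc_init, and the two seeds are only XOR-masked with a constant, so anything read from that memory is configuration data rather than a secret.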

Now we have everything except our 2 seed codes and Vendor Key 5. The equation is thus simple enough: find Key 5 and the seed codes will fall; alternatively, find the seed codes and Key 5 will fall. For some reason known only to my illogical self I went after the seed codes; at the time I figured that the seed codes must be related to the 4 vendor keys and vendor code. The way I found this was by bpx'ing for lc_init and then setting a bpr on the vendor string. The code below is obviously only good for lmgr326b.dll used by my target; I strongly suspect, however, that once you've seen how the code looks you'll be able to easily find it in other versions. Note, for real 'zen', you might have guessed that the dll would check for the default 12345678h, 87654321h seeds shipped with the SDK.

:100116D7 MOV EBX, A8F38730 <-- Worthy of further investigation perhaps.
:100116E9 XOR ECX, EBX <-- ECX = Seed 1.
:100116F3 XOR EDX, EBX <-- EDX = Seed 2.

... and just look where this returns.

:10019983 ADD ESP,0C <-- Stack correct.
:10019986 CMP DWORD PTR [EBP-34],87654321 <-- Are we using default Seed 1?
:1001998D JZ 10019998
:1001998F CMP DWORD PTR [EBP-30],12345678 <-- What about Seed 2?
:10019996 JNZ 100199BF

Done and dusted. I decided not to waste any further time hunting for Key 5; instead you'll find my FlexLM Key 5 brute-forcer. All you need to do is calibrate the source code, run the program, and in short order you'll have Key 5. On a strong key (if I dare to call it that) my P166 took around 9 minutes. With all this information you should now open lm_code.h and fill in the required information. If you have done everything correctly, genlic32.exe should now run without any error messages.

The final task now is to locate the "feature" names. This can be achieved in many ways, including but not limited to :-

i) bpx for lc_checkout.

0137:00868978 PUSH 04
0137:0086897A PUSH 00B28AD8
0137:0086897F PUSH 00
0137:00868981 PUSH 01
0137:00868983 PUSH EAX <-- version
0137:00868984 PUSH DWORD PTR [EBP+08] <-- FEATURE name
0137:00868987 PUSH DWORD PTR [00EA189C] <-- job
0137:0086898D CALL LMGR326B!lc_checkout

ii) Scroll the data window around the struct passed to lc_init.
iii) Disassembly listing.

In the case of SDS/2 all 30 features are checked in a loop at startup (sds2, at_dd, bif, epics to list the first few); you just need to bpx and note the names, and also grab the version (6.112) as this is needed for the license generator. The final stage is to generate a valid license file using genlic32.exe (I won't describe this). A small note: I also disassembled some other versions of lmgrxxx.dll and '12345678' is indeed a good search string when it comes to finding the super secret seed codes.

You have finished reading another tutorial courtesy of CrackZ's Reverse Engineering Page.

© 1999 CrackZ. 28th August 1999.