FlexLm - Alternative License Generation
Using FlexLM Internal Diagnostics to reveal ALL
student
Not Assigned
July 1999
by Acme
Courtesy of Fravia's page of reverse engineering
slightly edited
by fravia+
fra_00xx
980704
Acme
1100
NA
PC
"FLEXlm is the most popular license manager used in the software industry. FLEXlm is best known for its ability to allow software licenses to be available (or float) anywhere on a network, instead of being tied to specific machines. Floating licensing benefits both users and license administrators. Users can make more efficient use of fewer licenses by sharing them on the network. License administrators can control who uses the licensed application, and the node(s) where the licenses will be available."
Words, as usual, just words. "Commercial" protection schemes are inehrently weak, and my advice to all software developers perusing my site is to STEER CLEAR from them.
The reason there are so many FlexLM cracks allover the web (since 1997) will be apparent to anyone reading this essay.

"Let me just say how can FLEXLM be so stupid as to generate a key and then COMPARE it and leaving such a large amount of room for the casual programmer to extend the working operation of their own program."
Indeed I believe that the programmers at FlexLM should take due note of the weaknesses we are pointing out and modify accordingly their protection scheme. See: the problem is that the inehrent weakness of FlexLM is responsable for the hundred thousands of existing cracks and keygenerators for all software "protected" through this "most popular license manager used in the software industry".
The point is that FlexLM claim to "reduce software piracy" does not held for the reasons discussed in this, and other papers.
Software programmers should KLEEP CLEAR from using such a weak protection scheme for their products, and, together with the programmers at FlexLM, should have a thorough look at our how to protect better section in order to build a more robust protection.
There is a crack, a crack in everything That's how the light gets in
Rating
( )Beginner (x)Intermediate ( )Advanced ( )Expert

An essay on the simplicity of using inbuilt Diagnostic functions inside Flexlm to reveal information normally kept hidden. Many previous methods offered by Pilgrim (flexm11.htm: FlexLm handy hints (more stuff on FlexLm) and pflexlo1.htm: FlexLock...less secure than the rest of FLEXlm) and SiuL+Hacky (Linux advanced cracking: flexlm Advanced) utilised the SDK from globetrotters (Flexlm Programmers). This essay utilises the inbuilt generation of ACCESS keys in the lmgr325c.dll to supply codes for any type of license and uses the diagnostics function to deliver the information to the user.

FlexLM - Alternative Method for License Generation
Using FlexLM Internal Diagnostics to reveal ALL
Written by Acme


Introduction
Previous essays on Flexlm required the use of the SDK to generate licenses. Since i couldn't be bothered downloading 7MB files I originally investigated the information at hand which involved the executable and the standard lmgr325c.dll.

SIDE NOTE : If anyone has a program similiar in nature to w32dasm that allows loading of a dll without decompiling the main executable... could you please leave a message at fravia's? Decompiling a 5-10MB executable is a real pain.

Tools required
W32dasm, Hex editor, ASM Knowledge (Who doesn't)

Target's URL/FTP
No target just our dear old FlexLM

Essay
Anyway lets get to it

BACKGROUND INFORMATION

Examination of the lmgr325c.dll string references
shows an interesting 
String
"FLEXLM_DIAGNOSTICS". This is a global variable which
flexlm uses to 
indicate the level of diagnostic information
that is required to be shown when a lm_checkout
returns an error.
The global variable is stored in the registry at

[HKEY_LOCAL_MACHINE\SOFTWARE\FLEXlm License Manager]
"Service"="FLEXlm License Manager"
"FLEXLM_DIAGNOSTICS"="2"
"LM_A_DIAGS_ENABLED"="1"

LM_A_DIAGS_ENABLED = 0 	Deactivates Diagnostics
LM_A_DIAGS_ENABLED = 1 	Activates Diagnostics
FLEXLM_DIAGNOSTICS = 1	Basic Diagnostics
FLEMLM_DIAGNOSTICS = 2  Enhanced Diagnostics

This Registry key is only present if you have
installed the SDK.

 GENERATION OF KEYS 

1)Information required for Generation of key

The serial key would be required for the license file.
This key is generated 
internally by
the lmgr325c.dll from information inside the license
file.

Before commencing generate a FAKE license file

FEATURE f1 VENDOR 1.000 1-jan-0 0 
10203040567898765432 "" ANY
FEATURE f2 VENDOR 1.000 1-jan-0 0 
10203040567898765432 "" ANY
FEATURE f3 VENDOR 1.000 1-jan-0 0 
10203040567898765432 "" ANY
FEATURE f4 VENDOR 1.000 1-jan-0 0 
10203040567898765432 "" ANY

NOTE :  The 2nd 4th 6th 8th digit in the
key is used for the date so they must be zero
This is only valid for ver 5.12. In version 6 i believe these are missing.
f1,f2,f3,f4  are feature names for your program.
Search around for these or just run the program and let it tell you which 
feature is missing in the license file.
VENDOR - This is needed and can easily be found
(See pilgrims essays)
1-jan-0 - Unlimited time access
10203040567898765432 - serial key (required)

NEXT STEP

If you follow pilgrims essays you will find the key 5
generation point. 
Continue steping over
local functions until you see the extract date
followed by another call

E8A2940000              call 10030850			<- Key 5 Generation
83C40C                  add esp, 0000000C
8B4510                  mov eax, dword ptr [ebp+10]
8B4004                  mov eax, dword ptr [eax+04]
3345FC                  xor eax, dword ptr [ebp-04]
8945DC                  mov dword ptr [ebp-24], eax	<- Seed 1
8B4510                  mov eax, dword ptr [ebp+10]
8B4008                  mov eax, dword ptr [eax+08]
3345FC                  xor eax, dword ptr [ebp-04]
8945E0                  mov dword ptr [ebp-20], eax	<- Seed 2
8D45D8                  lea eax, dword ptr [ebp-28]
50                      push eax
8B450C                  mov eax, dword ptr [ebp+0C]
83C048                  add eax, 00000048
50                      push eax
* Reference To: LMGR325C.l_extract_date
                                  |
E815BDFDFF              call 100030EE	    <- Extract date from fake license file
83C404                  add esp, 00000004
50                      push eax
8B450C                  mov eax, dword ptr [ebp+0C]
50                      push eax
8B4508                  mov eax, dword ptr [ebp+08]
50                      push eax
E8261BFFFF              call 10018F10			<- Look at what this returns
83C410                  add esp, 00000010

Examine the location EAX is pointing to. Does this
look like a KEY for the license file.

You don't think that the FLEXLM would really create a
system where the license key is generated
and the COMPARED to the one in the license file. YES
they would because this is exactly what they do.
And not only that they leave it in memory untouched
when they are finished with it.

Note this key generated by lmgr325c.dll matches the
license file criteria i.e ANY and 1-jan-0

So note the location of this CODE

2)Let FLEXLM do the work for you.

Now wouldn't it be nice if FLEXLM would display this
code along with the feature name when you ran it

Now for some information Diagnostics only comes into
effect when the key is incorrect. With our FAKE
license file the diagnostics kick in and save a
flexNNN.log file in the directory where you ran it.
Examining a typical flexnnn.log file on DIAGNOSTICS
level 2 shows that they kindly show

FLEXlm checkout error: Invalid (inconsistent) license key (-8,130)
license file(s):  c:\flexlm\license.dat
lm_checkout("f1", VENDOR, (null), 0x12345678, ..., 0x12345678)

Lets use this lm_checkout line to show us the Feature
name and the correct KEY
Search through the dead listing and find
lm_checkout("%s", %s, %d, 0x%x, ..., 0x%x)"
Now patch the routine before it to push the location
of the CODE/KEY and voila

The first time you run your program it will report an
error and give you the correct key to use.
replace the key with the Generated key in the license
file and its up and running

The nice thing about this patch is that it does not
interfere with the operation of the
program The patch only operates when there is a
problem.

Having just read pilgrims essay about using lc_baddate
as a place to insert code wouldn't it be
easier to use the diagnostic function to spit out the
keys and seeds and anything else you need

Note : To add more information to the print out edit
the lm_checkout("%s", %s, %d, 0x%x, ..., 0x%x) to anything
you like
LM %s,%s,%s,%x,%x,%x,%x,%x,%x,%x,%x,%x,%x) will supply
a lot of information as long as you push it
to the stack before calling it.



Final Notes
Let me just say how can FLEXLM be so stupid as to generate a key and then COMPARE it and leaving such a large amount of room for the casual programmer to extend the working operation of their own program. Anyway let us further examine FLEXLM in order to find easy solutions to complex problems

Ob Duh
I wont even bother explaining you that you should BUY this target program if you intend to use it for a longer period than the allowed one. Should you want to STEAL this software instead, you don't need to crack its protection scheme at all: you'll find it on most Warez sites, complete and already regged, farewell.

You are deep inside fravia's pages of reverse engineering, choose your way out:

redhomepage redlinks redsearch_forms red+ORC redstudents' essays redacademy database
redreality cracking redhow to search redjavascript wars
redtools redanonymity academy redcocktails redantismut CGI-scripts redmail_fravia+
redIs reverse engineering legal?