FlexLm handy hints
more stuff on FlexLm

Not Assigned
June 1999
by pilgrim

Courtesy of Fravia's page of reverse engineering
slightly edited by fravia+

fra_00xx 980616 Pilgrim 0100 NA PC
Quite deep. We are descending quite deep into FlexLm, and Pilgrim is one of those 'dedicated' reversers, who keeps his interest in a particular scheme as long as need be to completely elucidate how things work "inside" it. So I'm sure we are not yet quite finished with this matter. Quite some lessons for programmers as well in here, btw: for instance you should not allow easy patching of your code (duh). Pilgrim writes: "I used the 'obsolete' function lc_baddate as sparespace for my code patches". That's indeed a very interesting part of this essay... Enjoy!
There is a crack, a crack in everything
That's how the light gets in

Rating
( )Beginner (X)Intermediate ( )Advanced ( )Expert
FlexLm is pretty complicated, it's easy to become confused.
Here's some handy hints which may help.

FlexLm handy hints
more stuff on FlexLm
Written by pilgrim
The recent "Generation of older style FLEXlm license files" essay by VoxQuietis re-awakened my interest in FlexLm.
So I've been digging a little deeper... applying a little zen...
This document is intended to supplement the other essays by Siul+Hacky, pilgrim and Vox.
Just various bits of info which may help in your analysis of your particular target.
W32DASM, your favourite HexEditor
No specifics.
Known users of FlexLm:
MatLab: www.mathworks.com
ProE: www.ptc.com

The oldest I've seen is 16 bit, V5 ( lmgr165.dll ). It's evolved into 32 bit, V6, and soon V7.
This seems to be a layered approach, adding more and more layers around the basic core.
We're attacking the core, so version is, mostly, irrelevant. But the history, the evolution, is well worth studying.
Contents
========
1. Code signatures
2. How key 5 is generated and how to get it fast
3. Useful tools
4. More notes on license generation
5. Fast 32 bit Cryptwin decryption
1. Code signatures
==================
The license manager DLLs are useful - they've got export tables for _most_ functions.
However, in Globetrotter's own utilities, and some third party code, the DLLs aren't used. Functions are called within the target EXE, and rarely have export tables.
So it's useful to look at a desired function in the DLL, find some identifying features, and look for these in our target EXE.

A few examples from lmgr326a.dll:

a) XOR of seeds 1 and 2 with key 5:

    mov eax, dword ptr [edi+04]

    String reference: "FLEXcrypt Copyright (C) 1990-1997, Globetrotter Software, Inc."

    :00402D66 6870AE4200   push 0042AE70
    :00402D6B 51           push ecx
    :00402D6C E8CFC40100   call 0041F240
As Vox says, there's still more to do on FlexLm.
Vendor-defined checkouts, encryption etc., and then there's FlexLock...

pilgrim
I won't even bother explaining to you that you should BUY this target program if you intend to use it for a longer period than the allowed one. Should you want to STEAL this software instead, you don't need to crack its protection scheme at all: you'll find it on most Warez sites, complete and already regged, farewell, don't come back.