FlexLm handy hints
more stuff on FlexLm
student
Not Assigned
June 1999
by pilgrim
Courtesy of Fravia's page of reverse engineering
slightly edited by fravia+
fra_00xx 980616 Pilgrim 0100 NA PC
Quite deep. We are descending quite deep into FlexLm, and Pilgrim is one of those 'dedicated' reversers who keeps his interest in a particular scheme for as long as need be to completely elucidate how things work "inside" it. So I'm sure we are not yet quite finished with this matter. Quite some lessons for programmers as well in here, btw: for instance you should not allow easy patching of your code (duh). Pilgrim writes: "I used the 'obsolete' function lc_baddate as sparespace for my code patches". That's indeed a very interesting part of this essay...
Enjoy!
There is a crack, a crack in everything. That's how the light gets in.
Rating
( )Beginner (X)Intermediate ( )Advanced ( )Expert

FlexLm is pretty complicated, and it's easy to become confused. Here are some handy hints which may help.


Introduction
The recent essay "Generation of older style FLEXlm license files" by VoxQuietis re-awakened my interest in FlexLm.
So I've been digging a little deeper... applying a little zen...
This document is intended to supplement the other essays by Siul+Hacky, pilgrim and Vox: just various bits of info which may help in your analysis of your particular target.

Tools required
W32DASM, your favourite HexEditor

Target's URL/FTP
No specifics.
Known users of FlexLm: MatLab (www.mathworks.com), ProE (www.ptc.com).

Program History
The oldest I've seen is 16-bit, V5 (lmgr165.dll). It has evolved into 32-bit V6, and soon V7.
This seems to be a layered approach, adding more and more layers around the basic core.
We're attacking the core, so the version is mostly irrelevant.
But the history, the evolution, is well worth studying.

Essay

Contents
========

1. Code signatures
2. How key 5 is generated and how to get it fast
3. Useful tools
4. More notes on license generation
5. Fast 32 bit Cryptwin decryption



1. Code signatures

==================



The license manager DLLs are useful: they have export tables for _most_ functions, so the disassembler gives you names to start from.

However, Globetrotter's own utilities, and some third-party code, don't use the DLLs at all. The same functions are compiled into the target EXE, and an EXE rarely carries an export table, so the names are gone.

So it's useful to look at a desired function in the DLL, find some identifying features, and look for these in our target EXE. Pick features that survive relinking: the opcode bytes and the strings a routine references stay the same, whereas the absolute data addresses and call displacements in the operands change from one binary to the next, so mask those out when you search.

A few examples from lmgr326a.dll:

a) XOR of seeds 1 and 2 with key 5:

mov eax, dword ptr [edi+04]

(W32DASM string reference for the push immediately below)
                                 ->"FLEXcrypt Copyright (C) 1990-1997,"
                                 ->"Globetrotter Software, Inc."
                                  |
:00402D66 6870AE4200              push 0042AE70
:00402D6B 51                      push ecx
:00402D6C E8CFC40100              call 0041F240
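The listing above is enough to build a signature you can carry from the DLL into an EXE, provided you mask the parts that move. The following is an added example, not code from pilgrim's essay or from FlexLm: it parses a W32DASM-style listing (the "* Possible StringData Ref" annotation line is reproduced in the form W32DASM prints it), turns the three instructions into a wildcarded byte pattern, checks that the rel32 in the call really does land on 0041F240, and then scans a constructed stand-in for a target EXE. The FAKE_EXE bytes, the decoy block inside it and the 0x00400000 image base with a flat file-offset mapping are all assumptions made for the demonstration.

```python
"""Wildcarded code signatures from a W32DASM listing (added example)."""
import re

# The three instructions from the essay, as W32DASM lists them.  The
# "* Possible StringData Ref" line is W32DASM's string-reference annotation
# (reproduced here, not quoted from the essay).
DLL_LISTING = """\
* Possible StringData Ref from Data Obj ->"FLEXcrypt Copyright (C) 1990-1997,"
                                        ->"Globetrotter Software, Inc."
:00402D66 6870AE4200              push 0042AE70
:00402D6B 51                      push ecx
:00402D6C E8CFC40100              call 0041F240
"""

_ROW = re.compile(r"^:([0-9A-Fa-f]{8})\s+([0-9A-Fa-f]+)\s+(.*?)\s*$")


def parse_listing(listing):
    """Return [(address, code_bytes, mnemonic)] for each ':ADDR HEX  insn' row.
    Annotation lines (string refs, referenced-by notes) do not start with ':'
    and are skipped."""
    rows = []
    for line in listing.splitlines():
        m = _ROW.match(line.strip())
        if m:
            rows.append((int(m.group(1), 16), bytes.fromhex(m.group(2)), m.group(3)))
    return rows


def call_rel32_target(addr, code):
    """Decode E8 rel32: target = address of the next instruction + signed rel32."""
    if code[0] != 0xE8 or len(code) != 5:
        raise ValueError("not a 5-byte call rel32")
    rel = int.from_bytes(code[1:], "little", signed=True)
    return (addr + 5 + rel) & 0xFFFFFFFF


def make_signature(rows):
    """Build a 'hex ?? hex' signature.  The imm32 of push (68) and the rel32 of
    call (E8) are absolute data addresses and call displacements, which differ
    between the DLL and an EXE, so they are replaced by wildcards."""
    parts = []
    for _addr, code, _insn in rows:
        if code[0] in (0x68, 0xE8) and len(code) == 5:
            parts.append(f"{code[0]:02X} ?? ?? ?? ??")
        else:
            parts.append(" ".join(f"{b:02X}" for b in code))
    return " ".join(parts)


def find_signature(image, sig):
    """All offsets in image where sig matches; '??' matches any single byte."""
    pattern = b"".join(
        b"." if tok == "??" else re.escape(bytes([int(tok, 16)]))
        for tok in sig.split()
    )
    return [m.start() for m in re.finditer(pattern, image, re.DOTALL)]


def describe_hit(image, off, image_base):
    """For a hit on the push imm32 / push ecx / call shape, recover the address
    the EXE pushes (its own copy of the string) and where its call goes.
    Assumption: file offsets map flat onto image_base (no section translation)."""
    push_imm = int.from_bytes(image[off + 1:off + 5], "little")
    call_va = image_base + off + 6          # the call begins 6 bytes into the pattern
    target = call_rel32_target(call_va, image[off + 6:off + 11])
    return push_imm, target


# Constructed stand-in for a target EXE (not a real binary): a decoy that uses
# jmp (E9) instead of call, then the real shape with different operands.
FAKE_EXE = (
    b"\x90" * 16
    + b"\x68\x10\xC1\x40\x00\x51\xE9\x00\x10\x00\x00"
    + b"\xCC" * 8
    + b"\x68\x10\xC1\x40\x00\x51\xE8\x3B\x1E\x00\x00"
    + b"\x90" * 16
)

if __name__ == "__main__":
    rows = parse_listing(DLL_LISTING)
    sig = make_signature(rows)
    print("signature:", sig)
    print("listing call goes to %08X" % call_rel32_target(rows[2][0], rows[2][1]))
    for off in find_signature(FAKE_EXE, sig):
        imm, tgt = describe_hit(FAKE_EXE, off, 0x00400000)
        print(f"hit at offset {off}: push {imm:08X}, call {tgt:08X}")
```

Two things are worth checking by hand before trusting a hit: the decoded call target of the DLL listing must agree with what W32DASM printed (here 00402D71 + 0001C4CF = 0041F240, so the bytes and the mnemonic are consistent), and the address pushed at the hit should point at a copy of the "FLEXcrypt Copyright" string in the EXE, which is the second, independent signature for the same routine.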



Final Notes

As Vox says, there's still more to do on FlexLm: vendor-defined checkouts, encryption, etc., and then there's FlexLock...



pilgrim





Ob Duh
I won't even bother explaining to you that you should BUY this target program if you intend to use it for a longer period than the allowed one. Should you want to STEAL this software instead, you don't need to crack its protection scheme at all: you'll find it on most Warez sites, complete and already regged, farewell, don't come back.
