  #21  
Old 09-15-2009, 06:55 AM
Git Git is offline
Super Moderator
 
Join Date: Oct 2007
Location: Torino
Posts: 1,797

9skumar - Normally, you would see the struct in the bottom right window, but something has gone wrong with the procedure. Read it carefully and try again.

Git
  #22  
Old 09-15-2009, 09:06 AM
BfoX BfoX is offline
Senior Member
 
Join Date: Aug 2007
Posts: 2,240

Quote:
Originally Posted by 9skumar View Post
..
Please Help
Vendor is arkclsld
simply upload the vendor daemon
__________________
... Either you work well or you work much ....
  #23  
Old 09-16-2009, 12:25 AM
9skumar 9skumar is offline
Member
 
Join Date: Sep 2009
Posts: 6

I will definitely go through the procedure again and will show the results. Till FF90 & EB09 Everything was OK including edx 00 00 00 00. Perhaps something in the job editing ....

For Time being the Daemon is Here: http://www.megaupload.com/?d=SJI9O6IV

Thanks

[please don't comment to yourself, use the Edit button to add to your post]

Tried again. After BP09 the job structure inside ecx is all zero. So is it the right location of the job structure? edx is 00 00 00 00.
Maybe I am still messing up something. New screenshot is here:

http://www.megaupload.com/?d=EIUQBTBY

Last edited by Git : 09-16-2009 at 08:26 AM.
  #24  
Old 09-16-2009, 08:25 AM
Git Git is offline
Super Moderator
 
Join Date: Oct 2007
Location: Torino
Posts: 1,797

Your EB 09 breakpoint should be at 0x0040D7B4. You will then find the job structure OK.

Git

Code:
0012CF24  04 00 00 00 87 3E 4E 66  .....>Nf
0012CF2C  7C 75 65 18 8B E0 BD BC  |ue.....
0012CF34  0E 2B 1F DC 0B 4D 91 58  .+...M.X
0012CF3C  76 EF 8D 66 0B 00 04 00  v..f....
0012CF44  00 00 31 31 2E 30 00 00  ..11.0..
0012CF4C  83 DE 81 3F 8D 25 ED 8F  ...?.%..
0012CF54  00 00 00 00 04 00 00 00  ........
0012CF5C  01 00 00 00 10 00 00 00  ........
0012CF64  16 00 00 00 1F 00 00 00  ........
0012CF6C  64 8F D9 99 F9 75 80 82  d....u..
0012CF74  7F 00 3F 21 AB E3 93 11  ..?!....
0012CF7C  00 00 00 00 00 00 00 00  ........
0012CF84  00 00 00 00 00 00 00 00  ........
0012CF8C  00 00 00 00 00 00 00 00  ........
0012CF94  64 95 AE 62 EE 62 2C 45  d..b.b,E
0012CF9C  DF 87 7E 41 34 72 F1 06  ..~A4r..
0012CFA4  3A 44 01 A1 7C B8 00 00  :D..|...
0012CFAC  00 00 00 00 00 00 00 00  ........
0012CFB4  00 00 00 00 00 00 00 00  ........
0012CFBC  63 EB DB 67 F0 FB E0 C9  c..g....
0012CFC4  86 EB 72 38 C9 70 D4 3E  ..r8.p.>
0012CFCC  B5 60 88 25 55 D6 8E E7  .`.%U...
0012CFD4  3D 18 F8 D5 61 59 21 00  =...aY!.
0012CFDC  00 00 00 00 00 00 00 00  ........
0012CFE4  30 15 41 00 00 00 00 00  0.A.....
0012CFEC  01 00 00 00 00 00 00 00  ........
0012CFF4  00 00 00 00 00 00 00 00  ........
0012CFFC  00 00 00 00 00 00 00 00  ........
  #25  
Old 09-17-2009, 12:01 PM
BfoX BfoX is offline
Senior Member
 
Join Date: Aug 2007
Posts: 2,240

@9skumar: your vendor daemon has ECC activated on board. IMHO seed1/2 won't help you without some target patch...
__________________
... Either you work well or you work much ....
  #26  
Old 09-18-2009, 01:17 AM
9skumar 9skumar is offline
Member
 
Join Date: Sep 2009
Posts: 6

Dear BfoX, I knew it has ECC. But Seed1 & Seed2 should still be the same. Please correct me if I am wrong, as I am still learning. Can you throw some light on how to locate _l_pubverify and patch ECC? Also, how to extract all the feature names?

Last edited by 9skumar : 09-18-2009 at 04:03 AM.
  #27  
Old 09-18-2009, 07:01 AM
Git Git is offline
Super Moderator
 
Join Date: Oct 2007
Location: Torino
Posts: 1,797

Search the forums first before asking for tutorials that already exist elsewhere please.

Git
  #28  
Old 09-30-2009, 03:02 AM
minthus minthus is offline
Member
 
Join Date: Mar 2009
Posts: 5

#7
GIT,
Super thanks for sharing flexlm_7.x-11.4_seed_extraction
  #29  
Old 10-13-2009, 04:02 PM
ssabb ssabb is offline
Member
 
Join Date: Oct 2009
Posts: 6

Hello experts,
Some years ago, I learnt to find the seeds with the help of this forum & a certain Nblender. Initially it was really easy, but in versions later than 5 I needed to run the daemon against a dummy license file, which is the only way nowadays.

In my effort to regain my lost knowledge, I tried following the tips provided in the above-mentioned PDF on an old target for which I knew what breakpoints to use; my old method was actually using a breakpoint at the call to _l_n36_buff (inside _l_sg).
But this (old) method set another bp (bp2) just after that call (i.e. add esp, 0000000c) & watched the (encrypted) seeds being filled in between bp1 & bp2 at the data addresses provided on the rows before and after the vendor daemon. And after bp2 these addresses were filled with the job-struct & data-struct, which were put into a tool called calcseed.exe which derived the true seeds.

To summarize my findings, I can use the find text "6F7330B8" to set my old-school bp's at the call dword & the add esp, 0000000c just below the call dword, and after bp2, read the content of esp+00000000 & esp+00000008 for the job-struct & data-struct, and feed them into calcseed.

But I do not understand the new ways, which makes me kinda sad.

My old-school method, for daemons around version 7-8 using w32dasm:

1. search for ebp+10, look for pattern
mov ecx, dword ptr, ebp+10
push ecx
mov edx, dword ptr, ebp+0c
push edx
mov eax, dword ptr, ebp+08
push eax
call dword ptr [something]
add esp, 0000000c
(this method was trial & error, but a search for 6F7330B8 will get the correct ebp+10 every time!)
2. set bp's at the call dword & the add esp, 0000000c right below it
3. run target, watch for it to break on bp1
(using -t computername 4 -c license.dat as arguments)
4. watch for esp+00000004 to become the vendor daemon name; then these are the correct bp's (remember I guessed prior to this new knowledge)
5. read value on esp+00000000 & esp+00000008 & write them into used adr1&2 (w32dasm syntax)
6. run to bp2 & watch the data addresses given at esp+00000000 & esp+00000008 become filled with the jobstruct & datastruct
7. put these into calcseed.exe for the true seeds
8. enter into lmcode.h & compile.
9. done

aha, I got further, I'm happy to inform.
I successfully combined tips from above mentioned PDF & my skills in w32dasm & the use of calcseed.exe to find the seeds in my v11.x target;

A) start w32dasm89.exe
B) load daemon
C) menu debug/load process/add optional command line -t computer_name 4 c license.dat (I put the license.dat in c:\flexlm to avoid setting any env-variables)
D) search/find text/6F7330B8
E) at the find of mov [ebp-0c], 6F7330B8 scroll down (approx 20 lines) until the call dword ptr [eax+00000524] is seen
F) set 1st breakpoint on this call dword
G) set 2nd breakpoint on the row below (add esp, 0000000c)
H) run target
I) watch it break at 1st bp; esp+00000004 has the vendor daemon name, esp+00000000 has the pointer to the jobstruct, esp+00000008 has the pointer to the datastruct
J) read off the values of these pointers, add these to User addr 1 & user addr 2.
K) run target again, breaks at next line.
L) hit the UA1 button to read the jobstruct, UA2 for the datastruct, in this special case:
[00333FCC] - 00000000 ....
[00333FD0] - 00000000 ....
[00333FD4] - 00000000 ....
[00333FD8] - 00000001 ....
[00333FDC] - 0040d280 ..@.
[00333FE0] - 00000000 ....
[00333FE4] - 006e005b [.n.
[00333FE8] - f39d61df .a.. job+08
[00333FEC] - 0073f814 ..s. job+0c
[00333FF0] - 001b0000 .... job+10
[00333FF4] - 00000000 ....

[0012CF14] - 0001218a .!..
[0012CF18] - 00000000 ....
[0012CF1C] - 00000000 ....
[0012CF20] - 00000000 ....
[0012CF24] - 00000000 ....
[0012CF28] - 00000004 ....
[0012CF2C] - f197605a Z`.. data
[0012CF30] - 89d04498 .D.. data1
[0012CF34] - 6b01412c ,A.k
[0012CF38] - aaad8c10 ....
[0012CF3C] - d4f9aa13 ....
M) put these values into calcseed.exe together with daemon name to retrieve the encryption seeds
N) generate vendor keys with lmvgen8 or similar
O) modify lm_code.h appropriately
P) compile (nmake /i)
Q) done

But I have currently not understood how the encryption_seed (2x & found above) is related to lm_seed (3x needed in v8 SDK and later), the cro-keys (2x needed) or the 4x encryption seeds used in SDK8.
The lm_code2.h tries to explain the mapping, but I didn't get it.

In this particular case, the daemon could be launched with a lic. generated in version 5 syntax; all other (later) versions caused the license to be invalid. The software in turn needed a SIGN= to start.
I fiddled around and managed to compile using SDK8 with the following:
- set 5xvendorkeys & 2xencr.seeds into lm_code.h
- commented out the encr.seed 3 & 4 (what are these for?)
- defined crokeys as provided by LMV8GEN.EXE
- #define LM_VER_BEHAVIOR LM_BEHAVIOR_V5
& built using nmake /i to force lmcrypt.exe to build

with the v5 old-school licensekeys & the SIGN (which seemingly use the v8 format) both the daemon & the software started.

Can any of you gurus explain how the encr.seed 3&4 are used?

Last edited by Git : 10-31-2009 at 12:50 PM.
  #30  
Old 10-31-2009, 11:28 AM
G497RG G497RG is offline
Junior Member
 
Join Date: Sep 2009
Posts: 2

Quote:
Originally Posted by minthus View Post
#7
GIT,
Super thanks for shareing of flexlm_7.x-11.4_seed_extraction
Do not use them. They are wrong. Try to check out and follow these steps twice and you will get different numbers in vc+4 and vc+8 (ver 10.8 for sure).