Dear all masters,
I have already tried Flexlm Encryption seed recovery technique.pdf,
but I am confused about how to find BP1, BP2 and BP3.
Can you help me?
The vendor.exe and the lic are at http://www.mediafire.com/?x4vddcb3h3ym7nr
Thanks
-fkecil-
I tried to capture my process:
Quote:
004153DE /$ 55 PUSH EBP
004153DF |. 8BEC MOV EBP,ESP
004153E1 |. 83EC 24 SUB ESP,24
004153E4 |. C645 EC 00 MOV BYTE PTR SS:[EBP-14],0
004153E8 |. 33C0 XOR EAX,EAX
004153EA |. 66:8945 ED MOV WORD PTR SS:[EBP-13],AX
004153EE |. 8845 EF MOV BYTE PTR SS:[EBP-11],AL
004153F1 |. C745 F4 B83073>MOV DWORD PTR SS:[EBP-C],6F7330B8
004153F8 |. C745 FC 000000>MOV DWORD PTR SS:[EBP-4],0
004153FF |. C745 F8 000000>MOV DWORD PTR SS:[EBP-8],0
00415406 |. C745 F0 030000>MOV DWORD PTR SS:[EBP-10],3
0041540D |. 8B4D 08 MOV ECX,DWORD PTR SS:[EBP+8]
00415410 |. 8B51 6C MOV EDX,DWORD PTR DS:[ECX+6C]
00415413 |. 8B82 540F0000 MOV EAX,DWORD PTR DS:[EDX+F54]
00415419 |. 25 00800000 AND EAX,8000
0041541E |. 85C0 TEST EAX,EAX
00415420 |. 74 23 JE SHORT lmcfloor.00415445
00415422 |. 833D D8744B00 >CMP DWORD PTR DS:[4B74D8],0
00415429 |. 74 1A JE SHORT lmcfloor.00415445
0041542B |. 8B4D 10 MOV ECX,DWORD PTR SS:[EBP+10]
0041542E |. 51 PUSH ECX
0041542F |. 8B55 0C MOV EDX,DWORD PTR SS:[EBP+C]
00415432 |. 52 PUSH EDX
00415433 |. 8B45 08 MOV EAX,DWORD PTR SS:[EBP+8]
00415436 |. 50 PUSH EAX
00415437 |. FF15 D8744B00 CALL DWORD PTR DS:[4B74D8] ; lmcfloor.0040CB57 >>>>>>>BP1
0041543D |. 83C4 0C ADD ESP,0C
00415440 |. E9 13010000 JMP lmcfloor.00415558
00415445 |> 6A 04 PUSH 4 ; /Arg4 = 00000004
00415447 |. 8D4D DC LEA ECX,DWORD PTR SS:[EBP-24] ; |
0041544A |. 51 PUSH ECX ; |Arg3
0041544B |. 8B55 10 MOV EDX,DWORD PTR SS:[EBP+10] ; |
0041544E |. 83C2 0C ADD EDX,0C ; |
00415451 |. 52 PUSH EDX ; |Arg2
00415452 |. 8B45 0C MOV EAX,DWORD PTR SS:[EBP+C] ; |
00415455 |. 50 PUSH EAX ; |Arg1
00415456 |. E8 08090200 CALL lmcfloor.00435D63 ; \lmcfloor.00435D63
0041545B |. 83C4 10 ADD ESP,10
0041545E |. C645 EF 00 MOV BYTE PTR SS:[EBP-11],0
00415462 |. 8A4D EF MOV CL,BYTE PTR SS:[EBP-11]
00415465 |. 884D EE MOV BYTE PTR SS:[EBP-12],CL
00415468 |. 8A55 EE MOV DL,BYTE PTR SS:[EBP-12]
0041546B |. 8855 ED MOV BYTE PTR SS:[EBP-13],DL
0041546E |. 8A45 ED MOV AL,BYTE PTR SS:[EBP-13]
00415471 |. 8845 EC MOV BYTE PTR SS:[EBP-14],AL
00415474 |> 8B4D 0C /MOV ECX,DWORD PTR SS:[EBP+C]
00415477 |. 0FBE11 |MOVSX EDX,BYTE PTR DS:[ECX]
0041547A |. 85D2 |TEST EDX,EDX
0041547C |. 74 34 |JE SHORT lmcfloor.004154B2
0041547E |. 8B45 F0 |MOV EAX,DWORD PTR SS:[EBP-10]
00415481 |. 8B4D 0C |MOV ECX,DWORD PTR SS:[EBP+C]
00415484 |. 8A5405 EC |MOV DL,BYTE PTR SS:[EBP+EAX-14]
00415488 |. 3211 |XOR DL,BYTE PTR DS:[ECX]
0041548A |. 8B45 F0 |MOV EAX,DWORD PTR SS:[EBP-10]
0041548D |. 885405 EC |MOV BYTE PTR SS:[EBP+EAX-14],DL
00415491 |. 8B4D 0C |MOV ECX,DWORD PTR SS:[EBP+C]
00415494 |. 83C1 01 |ADD ECX,1
00415497 |. 894D 0C |MOV DWORD PTR SS:[EBP+C],ECX
0041549A |. 8B55 F0 |MOV EDX,DWORD PTR SS:[EBP-10]
0041549D |. 83EA 01 |SUB EDX,1
004154A0 |. 8955 F0 |MOV DWORD PTR SS:[EBP-10],EDX
004154A3 |. 837D F0 00 |CMP DWORD PTR SS:[EBP-10],0
004154A7 |. 7D 07 |JGE SHORT lmcfloor.004154B0
004154A9 |. C745 F0 030000>|MOV DWORD PTR SS:[EBP-10],3
004154B0 |>^EB C2 \JMP SHORT lmcfloor.00415474 >>>>BP3
004154B2 |> 0FBE45 EC MOVSX EAX,BYTE PTR SS:[EBP-14]
004154B6 |. 0FBE4D ED MOVSX ECX,BYTE PTR SS:[EBP-13]
004154BA |. C1E1 08 SHL ECX,8
004154BD |. 0BC1 OR EAX,ECX
004154BF |. 0FBE55 EE MOVSX EDX,BYTE PTR SS:[EBP-12]
004154C3 |. C1E2 10 SHL EDX,10
004154C6 |. 0BC2 OR EAX,EDX
004154C8 |. 0FBE4D EF MOVSX ECX,BYTE PTR SS:[EBP-11]
004154CC |. C1E1 18 SHL ECX,18
004154CF |. 0BC1 OR EAX,ECX
004154D1 |. 3345 F4 XOR EAX,DWORD PTR SS:[EBP-C]
004154D4 |. 3345 E0 XOR EAX,DWORD PTR SS:[EBP-20]
004154D7 |. 3345 E4 XOR EAX,DWORD PTR SS:[EBP-1C]
004154DA |. 8B55 10 MOV EDX,DWORD PTR SS:[EBP+10]
004154DD |. 8B4A 04 MOV ECX,DWORD PTR DS:[EDX+4]
004154E0 |. 33C8 XOR ECX,EAX
004154E2 |. 894D FC MOV DWORD PTR SS:[EBP-4],ECX
004154E5 |. 0FBE55 EC MOVSX EDX,BYTE PTR SS:[EBP-14]
004154E9 |. 0FBE45 ED MOVSX EAX,BYTE PTR SS:[EBP-13]
004154ED |. C1E0 08 SHL EAX,8
004154F0 |. 0BD0 OR EDX,EAX
004154F2 |. 0FBE4D EE MOVSX ECX,BYTE PTR SS:[EBP-12]
004154F6 |. C1E1 10 SHL ECX,10
004154F9 |. 0BD1 OR EDX,ECX
004154FB |. 0FBE45 EF MOVSX EAX,BYTE PTR SS:[EBP-11]
004154FF |. C1E0 18 SHL EAX,18
00415502 |. 0BD0 OR EDX,EAX
00415504 |. 3355 F4 XOR EDX,DWORD PTR SS:[EBP-C]
00415507 |. 3355 E0 XOR EDX,DWORD PTR SS:[EBP-20]
0041550A |. 3355 E4 XOR EDX,DWORD PTR SS:[EBP-1C]
0041550D |. 8B4D 10 MOV ECX,DWORD PTR SS:[EBP+10]
00415510 |. 8B41 08 MOV EAX,DWORD PTR DS:[ECX+8]
00415513 |. 33C2 XOR EAX,EDX
00415515 |. 8945 F8 MOV DWORD PTR SS:[EBP-8],EAX
00415518 |. 8B4D 10 MOV ECX,DWORD PTR SS:[EBP+10]
0041551B |. 8B55 FC MOV EDX,DWORD PTR SS:[EBP-4]
0041551E |. 3B51 04 CMP EDX,DWORD PTR DS:[ECX+4]
00415521 |. 75 0C JNZ SHORT lmcfloor.0041552F
00415523 |. 8B45 10 MOV EAX,DWORD PTR SS:[EBP+10]
00415526 |. 8B48 04 MOV ECX,DWORD PTR DS:[EAX+4]
00415529 |. 334D F4 XOR ECX,DWORD PTR SS:[EBP-C]
0041552C |. 894D FC MOV DWORD PTR SS:[EBP-4],ECX
0041552F |> 8B55 10 MOV EDX,DWORD PTR SS:[EBP+10]
00415532 |. 8B45 F8 MOV EAX,DWORD PTR SS:[EBP-8]
00415535 |. 3B42 08 CMP EAX,DWORD PTR DS:[EDX+8]
00415538 |. 75 0C JNZ SHORT lmcfloor.00415546
0041553A |. 8B4D 10 MOV ECX,DWORD PTR SS:[EBP+10]
0041553D |. 8B51 08 MOV EDX,DWORD PTR DS:[ECX+8]
00415540 |. 3355 F4 XOR EDX,DWORD PTR SS:[EBP-C]
00415543 |. 8955 F8 MOV DWORD PTR SS:[EBP-8],EDX
00415546 |> 8B45 10 MOV EAX,DWORD PTR SS:[EBP+10]
00415549 |. 8B4D FC MOV ECX,DWORD PTR SS:[EBP-4]
0041554C |. 8948 04 MOV DWORD PTR DS:[EAX+4],ECX
0041554F |. 8B55 10 MOV EDX,DWORD PTR SS:[EBP+10]
00415552 |. 8B45 F8 MOV EAX,DWORD PTR SS:[EBP-8]
00415555 |. 8942 08 MOV DWORD PTR DS:[EDX+8],EAX
00415558 |> 8BE5 MOV ESP,EBP
0041555A |. 5D POP EBP
0041555B \. C3 RETN >>>>>>>>BP2
But I don't know if these are the right BPs?
Thanks for your help
-fkecil-
For your information,
I use FlexLM version 9.2.
Thanks
-fkecil-
Last edited by Git : 12-22-2010 at 07:49 AM.