Flexlm 7.x-11.4 Seed Extraction

This document provides instructions for recovering the encryption seed used in Flexlm license managers versions 7.x-11.4. It describes setting breakpoints in the Flexlm daemon binary to find the memory location of the job structure containing the encrypted seed, deleting 16 random bytes within it and replacing with zeros to decrypt the seed values stored in the clear at specific offsets within the recovered vendor code structure.

Uploaded by

ammurasikan6477
Copyright
© Attribution Non-Commercial (BY-NC)
Flexlm Encryption seed recovery technique

1. Flexlm version 7.x-9.x:

• Create a fake license & name it “dummy.dat”:
  o SERVER Computer_Name ANY
  o VENDOR Vendor_Name
  o USE_SERVER
  o INCREMENT test Vendor_Name Version_Number dd-mmm-yyyy 1 0123456789AB

• Load the vendor daemon into OllyDbg (with arguments: -t computer_name 4 -c dummy.dat)

• Find _l_sg by searching for the seed value (use the “search for constant” command):
  o 7648B98E for Flexlm v7.x to v8.C
  o 6F7330B8 for Flexlm v8.D and onwards
  o You will find two references; only the first one counts. It looks similar to:
    C745 F4 B8307>  MOV DWORD PTR SS:[EBP-C],6F7330B8
    and is _l_sg. (The 2nd one, C745 F8 B8307>  MOV DWORD PTR SS:[EBP-8],6F7330B8, is _l_vk.)

• Locate the call to _l_n36_buff (inside _l_sg) & set breakpoint #1.
  o This is a dword pointer call and can be found at an instruction of the form FF15 ????????
  o (e.g. FF15 D4794B00  CALL DWORD PTR DS:[4B79D4])

• Set breakpoint #2 at the RET of _l_n36_buff

• Run the program & let it break (at breakpoint #1).

• Single step into the _l_n36_buff call (one step only!)

• Locate the EB05 (v7.x to v8.C) or EB09 (v8.D and up) JMP. (You will find it just above the vendor name loop inside _l_n36_buff, at the end of multiple calls to _time.)
  o (e.g. EB 09  JMP SHORT callmd.0040C227)

• Set breakpoint #3 there, then run the program & let it break (at BP#3).

• Check the memory address held in ECX or EDX (follow in dump). One of them will contain the location of the job structure.

• Delete the 16 random bytes inside the job structure (starting at job+04 and ending at job+13) and replace them with “00”.

• Run the program & let it break at BP#2 (“break on RET”, after returning from the call to _l_n36_buff).

• Now look at the following stack locations (follow in dump):
  o ESP+04: Pointer to vendor name (name of vendor daemon)
  o ESP+08: Pointer to vendor code (which now will contain the clean seed 1 and 2)
  o VC+04 = Seed1
  o VC+08 = Seed2

2. Flexlm version 10.x-11.4:

• Create a fake license & name it “dummy.dat”:
  o SERVER Computer_Name ANY
  o VENDOR Vendor_Name
  o USE_SERVER
  o INCREMENT test Vendor_Name Version_Number dd-mmm-yyyy 1 0123456789AB

• Load the vendor daemon into OllyDbg (with arguments: -t computer_name 4 -c dummy.dat)

• Find _l_sg by searching for the seed value 6F7330B8:
  o You will find two references; only the first one counts. It looks similar to:
    C745 F4 B8307>  MOV DWORD PTR SS:[EBP-C],6F7330B8
    and is _l_sg. (The 2nd one, C745 F8 B8307>  MOV DWORD PTR SS:[EBP-8],6F7330B8, is _l_vk.)

• Locate the call to _l_n36_buff (inside _l_sg) & set breakpoint #1.
  o This dword pointer call can be found at an instruction of the form FF90 ???????? (CALL DWORD PTR [EAX+524])
  o (e.g. FF90 24050000  CALL DWORD PTR DS:[EAX+524])

• Set breakpoint #2 at the RET of _l_n36_buff

• Run the program & let it break (at breakpoint #1).

• Single step into the _l_n36_buff call (one step only!)

• Locate the EB09 JMP. (You will find it just above the vendor name loop inside _l_n36_buff, at the end of multiple calls to _time.)

• Set breakpoint #3

• Run the program & let it break (at BP#3).

• Check the memory address held in ECX or EDX (follow in dump). One of them will contain the location of the job structure. (Note that this newer job structure starts with 00 00 00 00 instead of 66 00 00 00.)

• Delete the 16 random bytes inside the job structure (starting at job+04 and ending at job+13) and replace them with “00”.

• Run the program & let it break at BP#2 (“break on RET”, after returning from the call to _l_n36_buff).

• Now look at the following stack locations (follow in dump):
  o ESP+04: Pointer to vendor name (name of vendor daemon)
  o ESP+08: Pointer to vendor code (which now will contain the clean seed 1 and 2)
  o VC+04 = Seed1
  o VC+08 = Seed2

