Original author: CrackZ
Original source: http://www.woodmann.com/crackz/Flexlm.htm
Title: FLEXlm -- the commercial license manager for fools
Translation: sln
Note: thanks to the Flexlm group and to my friends on Kanxue (看雪); with the new year approaching, this is my gift to everyone.
Special note: the non-technical part has not been translated; this is marked in the text.
Translation:
FLEXlm, or the "Flexible Lies Manager", depending on how you look at it. With so many versions out by now, you may wonder which one gets killed today, or how any developer could possibly trust this system. What I write below still applies to the current version (v9.x); the parts in quotes are taken from Macrovision (copyright, etc., etc.), who previously tried to shut down my website.
* New, August 2006
I have given the Lmkg source code to Nolan Blender (translator's guess here). Given just a vendor name, you can use it to generate pre-v9 vendor keys and CRO keys yourself; the code can also generate keys compatible with v10. It can now be downloaded here (141k). Courtesy of tom324, a gift: a FLEXlm v10.0 vendor key generator (18k).
Hey, FLEXlm aficionados (the word "afficionados" isn't in my dictionary either; another guess on my part as translator), have you read my latest articles on FLEXlm v8.x and 9.x? If not, click here now (updated 2004!), and here is a quick tip for seed recovery:
"The default value used to clear the seed variables is 3D4DA1D6. Many vendors, whether lazy or stupid, never change this default. So one very easy method is simply to search the disassembly for 3D4DA1D6h. You will find plenty of code of the form: mov [ebp-xxxx], 3D4DA1D6h. Set a breakpoint on each immediate that contains this value... and run. If the program checks the license, note the value of [ebp-xxxx] at the first break. That is your SEED1 (the real SEED1, not the SEED XORed with key5). At the second break you get SEED2. Trace back to the function entry, and key(1-4) are in the parameters. This method doesn't work in every case, but it's easy for beginners to learn. ;-)"
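The tip above is just as useful from the other side of the fence: a vendor shipping a FLEXlm-protected build can check, before release, that the documented default constant never made it into the binary. The script below is an added example (not CrackZ's code and not part of any FLEXlm tool); it scans a raw image for the little-endian encoding of 3D4DA1D6, reporting separately where it appears as the immediate of a `mov dword [ebp+disp], imm32` (opcode C7 /0 with ModRM 45 or 85, the exact form the quote describes) and where it merely appears as four loose bytes. The sample images are constructed by hand and labelled as such; a real check would be run over the compiled daemon or application.

```python
import re
import struct
import sys

# Documented FLEXlm default "clear seed" value quoted in the tip above.
DEFAULT_SEED = 0x3D4DA1D6
SEED_LE = struct.pack("<I", DEFAULT_SEED)  # how an x86 imm32 of this value is laid out in memory

# x86 encodings of "mov dword [ebp+disp], imm32" (opcode C7 /0):
#   C7 45 disp8  imm32   ModRM 0x45 = [ebp+disp8]
#   C7 85 disp32 imm32   ModRM 0x85 = [ebp+disp32]
# re.DOTALL is required so '.' also matches 0x0A inside the displacement bytes.
PATTERNS = [
    ("mov-ebp-disp8", re.compile(b"\xc7\x45." + re.escape(SEED_LE), re.DOTALL)),
    ("mov-ebp-disp32", re.compile(b"\xc7\x85.{4}" + re.escape(SEED_LE), re.DOTALL)),
]


def find_default_seed(image: bytes):
    """Return a sorted list of (offset, kind) for every occurrence of the default seed.

    kind is 'mov-ebp-disp8' or 'mov-ebp-disp32' when the constant is the immediate of a
    stack store of the form the tip describes, and 'raw' when the four bytes occur anywhere
    else (data, a different instruction, or a chance collision)."""
    hits = []
    covered = []
    for kind, pat in PATTERNS:
        for m in pat.finditer(image):
            hits.append((m.start(), kind))
            covered.append((m.start(), m.end()))
    for m in re.finditer(re.escape(SEED_LE), image):
        # Only report loose occurrences that are not already part of an instruction match.
        if not any(start <= m.start() < end for start, end in covered):
            hits.append((m.start(), "raw"))
    return sorted(hits)


def build_is_clean(image: bytes) -> bool:
    """True when the image contains no occurrence of the default seed constant."""
    return not find_default_seed(image)


# Constructed sample images (hypothetical, not taken from any real product).
# push ebp; mov ebp,esp; mov dword [ebp-0x10], 3D4DA1D6h; nop; nop;
# mov dword [ebp-0x100], 3D4DA1D6h; ret
SAMPLE_UNCHANGED = (
    b"\x55\x8b\xec"
    + b"\xc7\x45\xf0" + SEED_LE
    + b"\x90\x90"
    + b"\xc7\x85\x00\xff\xff\xff" + SEED_LE
    + b"\xc3"
)
# Same prologue, but the seed variable is cleared with a vendor-chosen constant instead.
SAMPLE_CLEAN = b"\x55\x8b\xec\xc7\x45\xf0\x78\x56\x34\x12\xc3"


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Usage: python check_default_seed.py <path-to-binary>
        with open(sys.argv[1], "rb") as fh:
            data = fh.read()
        for off, kind in find_default_seed(data):
            print(f"0x{off:08x}: {kind}")
        sys.exit(0 if build_is_clean(data) else 1)
    for name, img in (("unchanged", SAMPLE_UNCHANGED), ("clean", SAMPLE_CLEAN)):
        print(name, find_default_seed(img), "clean" if build_is_clean(img) else "NOT clean")
```

A 'raw' hit can be a coincidence in unrelated data, so only the instruction-form hits are a strong signal; conversely, a build that XORs or otherwise transforms the seed before storing it will not be caught by a byte search at all, which is exactly why the tip says the method is not universal.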
What FLEXlm says
"Best-of-breed encryption technology" -- from around v8.1, Macrovision finally managed to secure the product through a license generator (bought from Certicom). The once much-praised concepts such as "xor encryption", "hiding keys with random data", "security by obscurity" and "weak random number generation" are now glorious history and have been discarded. May I say: keep trying and eventually you get the right answer? The arrival of good cryptography gives the license generator the maximum of security; the trouble is that trivial patches can still defeat FLEXlm.
"Use Macrovision consulting services to implement the best licensing solution for your business" -- since these guys can't even secure their own flagship product, I wouldn't let them anywhere near something I really needed to protect.
I encourage everyone thinking of buying FLEXlm to visit Macrovision's web page and then come back and browse mine; their own SafeCast and CD technologies have also been cracked for years.
http://www.globetrotter.com has now been bought by Macrovision (or is that Microvision ;-)).
"FLEXlm is the most popular license manager in the software industry. What makes FLEXlm famous is that it allows software to obtain a license from anywhere on the network (floating), rather than being tied to one machine. Floating licenses benefit both users and license administrators. Users share licenses over the network, achieving efficient use with fewer licenses. License administrators control which users are authorized and which nodes the licenses are available on."
"Or should I say it used to be the most popular"...
The laughable FLEXlm licensing (with Skullcoder's permission), v7.2 notes,
FLEXlm piracy concerns (EDA developers beware),
FLEXlm seeds,
SentinelLM / ElanLM section
Many of my readers who know high-end or professional software applications are already well acquainted with FLEXlm; in some markets GlobeTrotter has established itself on the Windows platform. There is now enough material that I have attached it grouped by FLEXlm's own features. I sincerely recommend reading the FLEXlm user manual carefully while downloading the SDK and tools below.
FLEXGen
Released by RBS, BlastSoft's FLEXGen exploited many of the weaknesses in the early FLEXlm DLLs. Since BlastSoft has quit the scene (translator's note: "quit the scene" can mean leaving the stage or passing away; I don't know whether the author means BlastSoft has died or merely retired, but from the tone it sounds like the former), FLEXGen is unlikely to be supported in future. FLEXGen has now been re-released (by popular demand) and includes its complete source code (please don't abuse it ;-)).
FLEXGen Disk 1, Disk 2, Disk 3, Disk 4, Disk 5 (about 3Mb in total).
FLEXlm SDK + useful stuff
Below you will find the serial numbers for the older SDKs, and many newer ones. You can download the FLEXlm tools (166k) from here :-
Nolan Blender's lmvkey5 v1.0 and lmrecode.
prs's FLEXlm key 5 generator.
UCF's FlexSeedGen v0.3.
Still confused? Read my SDS/2 tutorial (it describes very basic FLEXlm operation). Courtesy of ZiGo, these old modified FLEXlm DLLs, long since removed from the web, are kept here purely as a historical reference (100k).
For reasons of secrecy, GlobeTrotter removed the SDK from most of its website and from its public FTP (just three months after RBS released BlastSoft's FlexGen, which exploited the weaknesses in the DLLs). Interestingly, GlobeTrotter's only countermeasure was to blacklist the user ISSUER=BlastSoft (clearly visible in the disassembly of the newest DLLs), although there were also some improvements to the algorithms and to key hiding.
SDK (September 2003)
Owing to bandwidth limits, and because I hope to encourage the community to donate to my site, the FLEXlm SDK downloads have been removed; now only users with access can obtain them from other sites. Here is a list of the versions currently available (thanks to sporaw for correcting some inaccuracies in my version list).
FLEXlm SDK, SUN versions
FLEXlm v5.0b, v5.0e Update, v5.12,
v6.0k, v
FLEXlm v8.1 ECC patch -- patches the return value of _l_pubkey_verify().
FLEXlm v8.x lmv8gen -- generates FLEXlm 8.x vendor keys (17k).
FLEXlm system ID changer for IRIX 6.5 (courtesy of WellMoon) (2k).
I regret to tell everyone that although I have several Linux SDKs, I have not put them here; this is something I am careful about.
Serial numbers (these are required)
v5.12 - 5537-2182-6912-6163-32.
v6.0 - 7445-5305-5517-4801-06 or 2143-0909-0581-5196-06 (v6.0k).
v
v
This is the core of a very rough yet
interesting text I received from Skullcoder.
Hello CrackZ, I have a lot of pleasant
hours playing with VirtuoZo software license creation and have no success
with license generation at all using standard methods of seed & vendor
codes recovery. I already have good practice with FLEXlm deprotection but
VirtuoZo implementation made me really stuck. Once I have visited your website
and read really interesting issue by Acme about "alternative license
generation" for FLEXlm 5.1. You may know this issue doesn't work for
v6.1 and future versions but inspired by this I have discovered how a license
can be created in a similar way.
I'll describe the method in few words
and probably you'll bring my ideas to more people interested in FLEXlm 6.1/7.0
license keys for 1-3 features without Genlic32 or Flexgen but just with SoftICE.
The software has just v6.1 FLEXlm code implemented into about 30 executables
with nothing special. I've turned on FLEXlm diagnostics inside registry and
discovered feature name and version. Vendor name was easy to find too. Next
I have played a lot with seeds and vendor code before discovering a really
interesting part of code (address
.4712F0). "This really looks like license generation", so I kept tracing this part of the code. The next part looked really cool (address .471538), because any way you look at it, it looks like the usual text-to-binary comparison!
Voila! At address .4715EC you can
see the best part of all FLEXlm code -- license number from license.dat and
generated number comparison. That's all. You can have it directly by typing
:D DS:71E1B8 or by passing all JNE 471613 with zero flag and wait while FLEXlm
converts this binary to text string at .471609!. Another interesting thing
has been revealed. This procedure have been called twice so not only one valid
license number can be generated but some more :-).
.004712CF: push esi
.004712D0: call .0048EDA8 -------- (1)
.004712D5: add esp,
.004712D8: jmps .004712DD -------- (2)
.004712DA: mov esi,[ebp][
.004712DD: mov d,[ebp][-0004],0 ;"
.004712E4: cmp d,[ebp][-0024],0 ;" "
.004712E8: jle
.004712EE: xor eax,eax
.004712FA: cmp eax,8 ;""
.004712FD: jl
.004712FF: cmp d,[ebp][-0004],000 ;" "
.00471303: jne .004714AA -------- (5)
.00471309: mov ecx,[ebp][00008]
.00471313: jne .00471454 -------- (6)
The code continues :-
.00471521: mov d,[ebp][-0008],000000008 ;"
.00471528: cmp d,[ebp][00018],066D8B337 ;
.00471531: mov d,[ebp][-0008],000000006 ;"
.00471538: xor esi,esi <-- comparison starts here
.0047153D: jle .00471601 -------- (2)
.00471543: lea edi,[ebp][-0020]
.00471546: mov bl,[edi]
.00471548: call __p___mb_cur_max ;MSVCRTD.dll
.0047154E: cmp d,[eax],001 ;""
.00471551: jle .00471564 -------- (3)
.00471553: movsx eax,bl
.00471556: push 004
.00471558: push eax
.00471559: call _isctype ;MSVCRTD.dll
.004715D6: je .004715EC -------- (1)
.004715D8: movzx eax,bl
.004715DB: push eax
.004715DC: lea edx,[esi][00071E1B8]
.004715E2: push esi
.004715E3: push edx
.004715E4: push d,[ebp][00008]
.004715E7: call ecx
.004715E9: add esp,010 ;""
.004715EC: cmp [esi][00071E1B8],bl <-- guess what this is?
.004715FB: jg .00471546 -------- (3)
.00471601: push d,[ebp][00018] <-- here the number is converted to a string
.00471604: push 0071E1B8 ;" qá¸"
.00471609: call
.0047160E: add esp,008 ;""
.00471611: jmps .00471615 -------- (5)
Needless to say, you should be able
to find something useful amongst this snippet to search for with your hex
editor.
Introductory comments on FLEXlm v7.2x come from two sources.
"v7.2 has several changes: (a) four vendor seeds; (b) the CRO key. I tried to build a daemon with specific seeds and keys and compiled a new demo.exe and lmcrypt.exe. However, demo.exe does not accept the license produced by lmcrypt. I think the problem is mainly that I chose SEED3 and SEED4 myself."
"Unfortunately, those seeds are not stored in the daemon. The ECC-specific SEED3 and SEED4 are used to create the public and private keys. The SIGN= that the daemon and/or application reads from the license file is used only to verify the signature; it is not the real key. The private key is used to create the signature and is compiled only into the lmcrypt binary. Recovering SEED3 and SEED4 is the first step of the ECC key creation; then, once the private key is determined, you have to reverse engineer how the private key is derived from the seeds. Hope this helps."
So for now, it looks very much like we are back to patching ;-).
Document Title | Description | Date
 | FLAIR-assisted FLEXlm license generation | 
 | Courtesy of Nolan Blender, describes how the crypt filter is implemented and how to break it with standard tools | 
 | Discusses weaknesses in the ECC that early FLEXlm used to improve performance | Dec 2001
 | Pilgrim's FLEXcrypt and FLEXlm cracking articles (two merged into one) | 
 | FlexLock cracking, pilgrim's third contribution. | June 1999
 | FLEXlm reversing extended, seven tutorials. | April 2004
 | Describes how the newer FLEXlm versions hide the important seed code. Provided by FLEXlm expert Nolan Blender. | October 1999
 | Excellent analysis describing how to reverse GlobeTrotter's obfuscation to recover the keys | September 1999
 | Nolan Blender's key extraction and encryption algorithm reversing | 
 | A simple example showing how to generate FLEXlm licenses | 
 | A very good article describing Linux debugging and disassembly and FLEXlm's weaknesses (the pioneering work) | July 1999
 | Macilaci's first foray inside Unigraphics. | 
 | Macilaci's second Unigraphics tutorial, this time to generate the correct keys. | 
 | Using FLEXlm's built-in diagnostics, courtesy of Acme. | Jul. 1999
 | Vendor custom protection, courtesy of Amante4. | 
 | More FLEXlm tricks from Nolan Blender. | June 2001
FLEXlm crypt filters and other questions
Most of this is reworked from posts
I saw at Fravia's Message Board (it may however be useful even if the questions
are target related) :-
Q1. I have read most all the
essays I could get my hands on and the API, header files, observed lc_set_attr
etc, etc. Yet I still can't seem to generate correct codes with the keys/seeds
I extract. The target is Pixar Renderman, found a copy and thought it would
be fun to play around with. At any rate, I'm not positive that I have the
correct vendor key 5, although from previous posts, I gather that the only
thing used to make the keys, is the seeds. Has this changed in Flex 6.1?.
A1. Another poster has mentioned
that this product uses crypt filters. Although this makes it more difficult,
it is still possible to keygen these as well. The key is to understand what
the filter does. If you have the 6.1 FLEXlm SDK, start by examining what happens
when you use the -filter_gen argument to lmrand1.exe. One approach may be
to write your own program which incorporates the crypt filters, then examine
what goes in/out of the filter subroutines.
Q2. How can I find more features
in the program which was encrypted by FLEXlm? Such as Cadence Specctra, I
have looked through all .exe .dll files, but I can't find similar features.
Other programs which were integrated with lmgrxxx.dll, I also can't find more
features. I can only find one feature prior to lc_checkout, where were the
other features placed?.
A2. You can often find the
features by doing a search of the executable for the feature you know - often
the other features are very close to it in the binary. One thing you can do
is start up the cdslmd server and see if the program is trying to check out
any specific features - attempts to check out unsupported features will show
up in the log file. I've found that there's usually an attempt to check out
a license before it bombs; A few programs call lc_get_config and then check
the returned list for features.
Either way, you find out what it is
trying to do. Try searching everything for _ALL to see if you can find anything.
Tell me the version of FLEXlm that cdslmd uses, plus the first two bytes of
ENCRYPTION_SEED1 and I may be able to help you more.
Q3. I used IDA in conjunction
with SoftICE to get a nice map of a particular vendor daemon. Everything was
going great, I loaded the *.nms with Symbol Loader. I set the following breakpoints
- lc_init, l_sg, l_key, lc_checkout and a memory address close to l_sg (just
for the hay of it). I wrote out a dummy license file and tried both node-locked
and floating models with 0'ed out encryption strings. I then tried firing
up my target on both accounts and nothing. SoftICE never broke.
I spent the next 20 or so minutes
trying to figure out what was wrong. I restarted and stopped the license server
and made sure the dat file syntax was correct. Just as an experiment I double
clicked on the vendor daemon and SoftICE broke on all of the bpx except lc_checkout
and not the bpm. I got inside lc_init, then l_sg, inside l_sg was l_key I
searched around in there and I managed to find the major version in memory.
I read some essays, and none of them could seem to help. I already have the
vc's and es's for this target, but I would like to find them myself.
A3i. Most likely the FLEXlm
libs are built into the target itself (you don't need a daemon running, the
target application looks at the license directly). Try putting USE_SERVER
in the license file after the SERVER and DAEMON lines.
Q4. I try to make a license
with 20 characters, but I can't. I have the good seeds and vendors keys and
have modified lsvendor.c:ls_a_lkey_long=1 & ls_a_lkey_start_date=1, my
license had 16 characters.
A4. lsvendor.c is only for
building the daemon - try building lmcrypt, then use lmcrypt -verfmt 5 -longkey
license.dat and see what happens.
Q5. I have utilized Amante4's
essay (vendor-defined encryption / lc_set_attr $
In addition, my target seems to call
lc_set_attr(b) = 11 = LM_A_NORMAL_HOSTID which is undocumented. I don't like
to patch lc_checkout to return a 0 always; my target detects that and though
it runs initially, it is not very functional. May I kindly request for some
assistance in this matter; Have you ever come across such a situation?
A5. I recently worked on an
application where I knew I had the right keys and seed, but could not get
them to work. My target had checkout filters. I found that the vendor was
doing something in the daemon itself. There are two daemons the lmgrd and
a vendor daemon. So basically all I did was compile the vendor daemon and
replace it with mine ... it worked.
Q6. I have a demo license
for software protected by FLEXlm v6.1, I saw something unusual in the feature
names, this particular software used special characters like $, /, \ in the
feature name, as shown below :-
FEATURE my$feature .....
FEATURE my/feature .....
I was able to extract the vendor seeds
and generate licenses for features which did not contain the special characters,
but when I tried for my$feature, I got an error message saying that special
characters are not allowed in feature name. Can anyone let me know, how to
generate license with special characters in feature name?.
A6. I think that it may still
generate correct keys even though it gives you a warning - try -verfmt 4 to
lmcrypt maybe. I can't remember if that does it or not, but some Sun stuff
does this.
...& more FLEXlm snippets...
"One alternative method of custom
encryption of the FLEXlm seeds (that do not use the lm_set_attrib() function
to set either user encryption or user filter) is implemented by rsinc. IDL
http://www.rsinc.com
uses custom encryption of all the vendor information. All the license checkouts
including the FLEXlm routines are located in the idl32.dll. There is a routine
that generates the VENDORCODE structure and the VendorID string prior to calling
lc_init. It also sets a flag into the LM_HANDLE->CONFIG structure for alternate
generation of the VENDORCODE seeds (look at l_sg, l_n36_buff call in the lmgr326b.lib).
Upon the first call to the l_sg from
the lc_init, a standard (l_key) routine is called to generate the crypt keys.
On the second l_sg call (from the lm_checkout for instance), alternate crypt
seeds are generated in a custom l_n36_buff routine, and naturally FLEXlm generates
wrong key message (-8)".
"Mentor Graphics -- the daemon name is mgcld. They use a proprietary checksum algorithm to check the vendor string. If you get the "FATAL CS ERROR" message, it is because your checksum is not correct. Not all protections do this -- basically, some data such as the start date, number of licenses, expiry and feature name are combined together. This is done by a checksum routine, and the values are compared with those supplied in vendor_string."
Specific targets (extended)
Cossap (simulation program from Synopsys)
on HPUX 10.20. Older Synopsys products use vendor defined encryption, so simply
getting the seeds is insufficient to generate valid licenses. You will have
to firstly generate a license file containing a set of licenses without the
vendor defined encryption, then set a breakpoint at the vendor defined encryption
routine (this is easy to find, since lc_set_attr is used to force FLEXlm to
use this routine), then look at the return values from that routine. There
will be multiple calls to the routine, about 3 for every feature. Later products
use SCL (Synopsys Common Licensing) which has a different vendor name, and
uses user crypt filters instead.
My target is Synplify, which uses
FLEXlm v6.1 linked statically. After reading Dan's essay I tried to find out
the vendor codes / seeds his way, but in my target "vector call"
never occurs. In _l_sg it always uses standard ^key5 method. It seems like
my target calls lc_init, not lc_new_job. So I tried usual ways to get the
seeds, generated license file and... nope. My target contains vendor checkout
procedure, but bpx there never breaks - maybe some earlier test leads to -8?.
My question is : does FLEXlm v6.1 library obfuscate keys in any way if the
client simply calls lc_init, not lc_new_job?.
Think this one needs a special vendor
defined hostid - also there was something that had to be in the vendor string.
It's now solved, it actually was the problem with vendor-defined hostid, I
simply didn't know that I need to include the vendor-defined hostid functions
in my key generator, I thought (how stupid I was), that it's needed only by
client side. I've included a function from examples modified to return label
= 'SKEY' and type=1003. The actual value returned doesn't matter and voila!
My key generator works.
'SKEY' type=1003 is used for evaluation
licenses (thus length SKEY = %.8X) and type=1001 for dongle based licenses
(thus length SKEY = %.4X).
----------------------> From here on, the content is non-technical and has not been translated <---------------------------------------
FLEXlm Piracy Concerns
Just an interesting publicity snippet
(this refers to a very well known message board in the east ;-) ).
FLEXlm, from Globetrotter Software,
is used by nearly all EDA vendors to manage a variety of licensing schemes.
Although it's not positioned as a security system, many vendors rely on FLEXlm
to protect their software from piracy. But FLEXlm has been attacked by hackers
in the past, prompting Cooley to launch Stealthnet in 1999, a private mailing
list for EDA vendor representatives to share information about hacking activity.
The latest attacks come from a discussion
group that Cooley has declined to publicly identify, on the grounds that anyone
who finds it will have immediate access to a lot of illegal software. Numerous
postings, some confirmed by EE Times, share tips on how to crack FLEXlm or
point to Web sites containing code for breaking licenses on specific EDA products.
"Basically, these guys are doing
things like downloading evaluation copies of [Model Technology] ModelSim and
cracking licenses," Cooley said. "They have no intention of buying
it." While some participants in the discussion group are apparently from
One individual, using an anonymous
Yahoo address, boasted of hacking FLEXlm licenses on products from Altera,
Novas, Exemplar, Agilent EEsof, Innoveda, Synopsys and Avanti, among others.
This individual offered to help readers crack licenses for other tools as
well. "So if you have tools that are not listed above or newer releases,
I am very glad to check them for you," wrote this helpful individual.
"The purpose of me [sic] is to find a robust way for FLEXlm cracking."
Cooley, moderator of the E-Mail Synopsys
User's Group (ESNUG), said he could understand why an EDA user might want
to temporarily bypass a FLEXlm license. "But when the purpose is to steal
the software and never pay the EDA vendor, that's problematic," he said.
"I lose in the long run because they [EDA vendors] don't develop better
software." Rich Mirabella, vice president of marketing at Globetrotter
Software, said he wasn't aware of any new attacks on FLEXlm. But, he acknowledged,
they've happened "on and off for over five years."
Mirabella emphasized that FLEXlm is
positioned as a licensing manager, not a security system. "The business
purpose is to allow software vendors to offer licensing models that match
how people use their products," he said. "The security is there
to keep honest people honest. In every release we do things to increase the
security, but it's like an arms race — we do stuff, the hackers do stuff."
Mirabella said that Globetrotter has
participated in several criminal prosecutions of people who have hacked FLEXlm
and has helped shut down hacker Web sites in the
Mirabella downplayed the role of FLEXlm
hacking on EDA revenues. "I'm sure it does happen on occasion, but in
the high end you wouldn't see it much," he said. "The kinds of companies
that use those products wouldn't engage in these kinds of practices."
Some hacking does take place, he said, with "low end" products such
as pc-board layout tools, which might be used by small, struggling companies.
Much more revenue loss, he said, comes
from honest companies who lack the means to keep track of licenses in networked
environments. When Cooley launched Stealthnet in 1999, Globetrotter was critical.
Matt Christiano, Globetrotter's chief executive, wrote an angry letter to
ESNUG stating that Cooley's efforts could encourage hackers and cause EDA
vendors to seriously inconvenience users.
But some EDA vendor representatives
lauded Cooley's efforts. "I want to thank you on behalf of the EDA industry
for your handling of the situation and condemning of these hackers,"
wrote Rob Genco, director of software operations at Synopsys. Mirabella scoffed
at Cooley's intent to relaunch Stealthnet. "If issues arise, users and
software vendors should come to us directly," Mirabella said. "I
don't see any value added that John Cooley brings to the situation. It's not
clear what his agenda is."
Cooley responded that Globetrotter
is trying to avoid any public discussion of potential problems with FLEXlm.
He didn't contact Globetrotter about the EDA discussion group, he said, because
of the company's negative reaction last time. Cooley will announce the relaunch
of Stealthnet, open only to confirmed EDA vendor representatives, in an upcoming
ESNUG bulletin. Previous bulletins, including several past discussions of
FLEXlm hacking, are archived at the EDTN DeepChip Web site.
See reversers ;-), by exposing these
snake oil salespeople you might 'seriously inconvenience users' by forcing
developers to learn a little about protections cracking, god forbid.....
-----------------――--->这里结束,不涉及技术,不加以翻译ß-------------------------------------
Seeds
On the other side I am currently in
the process of building and maintaining a FLEXlm vendor & seed database,
after some consideration (from several e-mails I might add ;-) ) I have
decided to make this list private since with these just about anyone can generate
licenses.
SentinelLM / ElanLM
SentinelLM v7.2 information (courtesy
of myself) - A good indication of the version of SentinelLM being used is
the actual file version info from the file lsapiw32.dll e.g.
SentinelLM v7.3 information - this
courtesy of FoxB (applicable to patching WlscGen.exe).
"Query/Response length is 0x10,
algo cells are 0x
SentinelLM SDK v7.1, v7.2, v7.3 &
Sentinel RMS v8.0 (Regrettably. As with the FLEXlm SDK's this download is
now on the other side). Or check here.
ElanLM API Guide :- (138k).
SentinelLM Remover :- A tool that claims to
generically remove SentinelLM (237k), I'd be pretty interested to know which
SentinelLM targets this has been tested with because it doesn't seem to recognise
SentinelLM at all.
SentinelLM Signatures for IDA :- Courtesy
of Nolan Blender (40k).
SentinelLM Toolkit :- Includes a SDK serial
number generator and vendor array generator, courtesy of me & moZfet (CROSSFiRE)
(632k).
SentinelLM Vendor ID to Serial Number :- Type
in your desired Vendor ID and this little tool will give you the SentinelLM
installation serial number (619k).
Wlscgen Patch for SentinelLM SDK v7.1 :- Remove
the dongle for Wlscgen (17k).
Document Title | Description | Date
 | Reviving functions from the past, courtesy of pilgrim. | Jan 2001
 | Cracking the SentinelLM Delphi v5.0 Trial, courtesy of CyberHeg. | 
 | Cracking the SentinelLM protected program MrSID GEOSPATIAL ENCODER v1.4 Desktop edition, courtesy of CyberHeg. | 
 | Removing need for dongle in SentinelLM Wlscgen.exe, courtesy of CyberHeg. | 
 | Generating keys for SentinelLM, courtesy of Nolan Blender. | 
 | My own generic research paper into SentinelLM. | September 2001
 | Creating your own Wlscgen, courtesy of Mayaputra. | February 2006