In FlexLM v9.2 the program first calls lc_new_job -> l_n36_buf -> lc_init. l_n36_buf is really what fetches the vendorid together with SEED0, SEED1, KEY0..KEY3 and the other initialization data. The vendorid is of course stored in the clear, while the seeds and key0..key3 are encrypted; once the code is put into l_xorname and executed, key0..key3 are restored to their original state, and then inside the l_sg function the code is put into l_n36_buff to execute.
l_n36_buff uses the _time function to generate the job->mem_ptr2_bytes[12] data. l_n36_buff restores key5_order[0]..key5_order[3], key5_uniqx and sig[0]..sig[3], and then XORs them with the SEED0 and SEED1 that l_n36_buf extracted. That is why the seed0 and seed1 you see in the l_string_key routine keep changing: mem_ptr2_bytes[12] is generated with _time. If you want to recover the seeds by hand in IDA Pro you only need to set all of mem_ptr2_bytes[12] to 0, or simply use the key5() routine from lmnewgen.c to restore them. I believe CrackZ did not look at these two functions completely, which is why the article he published does not describe them in detail.
l_getattr.c

#include <string.h>
#include "lmclient.h"   /* VENDORCODE (keys[4], data[2]) comes from the FlexLM client header */

#define MAX_DAEMON_NAME 10               /* Max length of DAEMON string */
#define MAX_VENDOR_NAME MAX_DAEMON_NAME  /* Synonym for MAX_DAEMON_NAME */
#define VENDORMAGIC_V7  0x08BC0EF8

void
l_xorname(name, vc)
char *name;        /* usually the vendorid */
VENDORCODE *vc;
{
    int i;
    char buf[MAX_VENDOR_NAME + 1];

    /* make sure vendor name is all zeros after the first zero */
    memset(buf, 0, sizeof(buf));
    /* bounded copy: a name longer than MAX_VENDOR_NAME is truncated instead of overflowing buf */
    strncpy(buf, name, MAX_VENDOR_NAME);

    for (i = 0; i < 4; i++)
        vc->keys[i] &= 0xffffffff;   /* 64-bit fix */

    /* each key is XORed with four bytes of the vendor name plus the version-7 magic constant */
    vc->keys[0] ^= buf[0] ^
                   (buf[1] << 8) ^
                   (buf[2] << 16) ^
                   (buf[3] << 24) ^ VENDORMAGIC_V7;
    vc->keys[1] ^= buf[2] ^
                   (buf[5] << 8) ^
                   (buf[7] << 16) ^
                   (buf[4] << 24) ^ VENDORMAGIC_V7;
    vc->keys[2] ^= buf[4] ^
                   (buf[6] << 8) ^
                   (buf[1] << 16) ^
                   (buf[6] << 24) ^ VENDORMAGIC_V7;
    vc->keys[3] ^= buf[5] ^
                   (buf[0] << 8) ^
                   (buf[2] << 16) ^
                   (buf[3] << 24) ^ VENDORMAGIC_V7;
}
lmnewgen.c

#include <string.h>
#include "lmclient.h"   /* VENDORCODE (keys[4], data[2]) comes from the FlexLM client header */

extern char *vname;               /* vendor daemon name, e.g. "KHJZXe" */
extern int key5_order[4];         /* vendor-specific shift amounts recovered from l_n36_buff */
extern unsigned long key5_uniqx;  /* vendor-specific constant recovered from l_n36_buff */

static
void
key5(k)
VENDORCODE *k;
{
#define SIGSIZE 4
    char sig[SIGSIZE];
    int i;
    int len = strlen(vname);
    /* len is simply the length of the vendor name; for example vendor=KHJZXe gives len=6 */
    unsigned long sigword;

    /* fold the vendor name into a 4-byte signature */
    sig[0] = sig[1] = sig[2] = sig[3] = 0;
    for (i = 0; i < 10; i++)
    {
        if (sig[i % SIGSIZE] != vname[i % len])
            sig[i % SIGSIZE] ^= vname[i % len];
    }

    /* the same signature word is applied to both data (seed) words */
    sigword = ((long)sig[0] << key5_order[0]) |
              ((long)sig[1] << key5_order[1]) |
              ((long)sig[2] << key5_order[2]) |
              ((long)sig[3] << key5_order[3]);

    k->data[0] ^= (sigword ^ key5_uniqx ^ k->keys[1] ^ k->keys[0]) & 0xffffffff;
    k->data[1] ^= (sigword ^ key5_uniqx ^ k->keys[1] ^ k->keys[0]) & 0xffffffff;
}
- Title: Notes on l_n36_buf and l_n36_buff in FlexLM v9.2
- Author: gcxiong
- Date: 2009-06-11 18:29
- Link: http://bbs.pediy.com/showthread.php?t=91334