Author: laoqian [FCG]
Date: 2005-12-15
Software: Zendenc (FLEXlm 7.1d)
Category: the classic example provided by Nolan Blender
Description: protected with FLEXlm 7.1d
Tools: OllyDbg 1.10 (FLY's modified build), w32Dasm_2002828_pll621, UltraEdit 10.0, FLEXlm 7.2 SDK, calcseed, lmkg7, lmcryptgui, the FLEXlm 9.2 SDK source code, etc.
Goal: produce a license file with no usage restrictions
This article walks through making a FLEXlm license and summarizes what I have learned along the way.
Part 1: Preamble
Zendenc is the classic exercise provided by Nolan Blender; the download and analysis write-ups are available from CrackZ and elsewhere on the net. Having played with several FLEXlm-protected programs I wanted to write up a summary, and this one is a convenient target. The article is about 7.x, but parts of it apply to 8.x and 9.x, even 10.x.
Part 2: Getting to the point
The main job in cracking FLEXlm is finding four things:
1. Determine the version number
2. Find the vendor
3. Compute the ENCRYPTION_SEEDs
4. Find the FEATURE
With these you can build a keygen with the FLEXlm SDK (if you have it) or with the tools.
btw: FLEXlm SDKs are generally compatible across versions: 7.2 can make licenses for a 7.1 program, and sometimes 7.1 can even make 7.2 ones. What matters is the parameter settings.
1. Determine the FLEXlm version number (BEHAVIOR Version)
Method 1:
* Use a hex editor; HexWorkshop is recommended (I use UltraEdit 10.0, heh). Its search is powerful, and Find All Instances is the function I use most.
In the Find dialog set Type to Text String, enter "@(#) FLEXlm v" as the Value and search; what follows "@(#) FLEXlm v" is the version number.
[The above is from tulipfan[CCG].]
Method 2:
Use lmtools from the FLEXlm SDK (in the \flexlm\v7.1\i86_n3 directory): run it, open the Utilities tab, click "Browse" to select the main exe or dll of the FLEXlm-protected program, then "Find Version"; the FLEXlm version is displayed underneath. The v7.1 lmtools can identify even 8.3 and later builds; the method is generic. For a few programs it may not work!
Method 3: After disassembling, search for "87654321" and set a breakpoint just before it.
In the SDK's lm_code.h you can see the following lines:
Code:
* Vendor's private seeds, -- replace with 32-bit numbers that
* you make up.
*/
#define ENCRYPTION_SEED1 0x87654321
#define ENCRYPTION_SEED2 0x12345678
/*
* FLEXlm vendor keys -- enter as received from Globetrotter.
* Changing these keys has NO impact on license files (unlike
* the ENCRYPTION_SEEDs).
*/
/*-
* Generate these keys with: lmvkey -v demo -d (+3 months) -p ALL -c DEMO
* (Use a date approx 3 months out)
*/
This shows the demo SEED1 = 0x87654321 and SEED2 = 0x12345678.
The corresponding code in Zendenc is:
Code:
0043391D E8 184B0400 call <jmp.&MSVCRT.memcpy>
00433922 83C4 0C add esp,0C
00433925 8D8D 40FFFFFF lea ecx,dword ptr ss:[ebp-C0] ; we can set a breakpoint here!
0043392B 51 push ecx
0043392C 8B95 30FFFFFF mov edx,dword ptr ss:[ebp-D0] ; the address in ebp-D0 is needed later!
00433932 81C2 4C010000 add edx,14C ; computes the VENDOR name address
00433938 52 push edx ; push VENDOR (ASCII "zend")
00433939 8B85 30FFFFFF mov eax,dword ptr ss:[ebp-D0]
0043393F 50 push eax
00433940 E8 95560000 call zendenc.00438FDA ; the famous so-called 7648B98E marker call; we step into it later!
00433945 83C4 0C add esp,0C
00433948 81BD 44FFFFFF 214>cmp dword ptr ss:[ebp-BC],87654321 ; compares against the demo seed1; of course seed1 has already been encrypted at this point!
00433952 74 0C je short zendenc.00433960
00433954 81BD 48FFFFFF 785>cmp dword ptr ss:[ebp-B8],12345678 ; compares against the demo seed2; likewise already encrypted!
0043395E 75 5D jnz short zendenc.004339BD
00433960 8B8D 30FFFFFF mov ecx,dword ptr ss:[ebp-D0]
00433966 8379 14 00 cmp dword ptr ds:[ecx+14],0
0043396A 74 17 je short zendenc.00433983
ÎÒÃÇÔڶϵãÍ£ÏÂd ebp-c0
´úÂë:
0012D404 00000004 ...
0012D408 E0AAA4A0 _¤ª? ´Ëseed1Òѱ»¼ÓÃÜ
0012D40C C0121579 y ´Ëseed2Òѱ»¼ÓÃÜ£¡
0012D410 3F9F6A79 yj? ´ËVENDOR_KEY1Òѱ»¼ÓÃÜ£¡
0012D414 25DC750E u? ´ËVENDOR_KEY2Òѱ»¼ÓÃÜ£¡
0012D418 B8B046C5 ÅF°¸
0012D41C 0B2EAC4E N?
......ÏòÏÂÀ¿´
0012D4A8 00000000 ....
0012D4AC 00010007 ..
0012D4B0 37300064 d.07 ´Ë´¦ÏÔʾ7.1d
0012D4B4 0000312E .1.. 7.1
0012D4B8 00000000 ....
ÕâÖ®ºó£¬µÈÎÒÃǵÚÒ»´Î×ß¹ýÖøÃûµÄËùν7648B98E±êÖ¾call£¬¡°00433940 call zendenc.00438FDA¡±ÒԺ󣬻ᷢÏÖ±»¼ÓÃÜseedÓָıäÁË£¬Æäʵ
¾ÍÊǼòµ¥µÄxor£¬¿ÉÊÇÕâ¸öxorÎÒÃDz»µÃ¶øÖª£¡
ÎÒÃǵõ½BEHAVIOR Version V7.1d
btw£º87654321´Ë´¦£¬ÔÚ6.x°æÊ±£¬¿ÉÒԵõ½Õæseed£¬
²Î¿¼ÎÄÕ¡°Ansoft Serenade v8.5 - Tutorial¡±
http://www.woodmann.com/crackz/Tutorials/Serenade.htm
Code:
I also remembered that the checks for the default seed codes (shipped with the SDK) was a good place to fish the correct
seeds, a simple disassembly search for '87654321' finds this code :-
:00429C4C CMP D, [EBP-34], 87654321 <-- Check for encryption_seed1.
:00429C53 JZ 00429C5E <-- Jump to Error.
:00429C55 CMP D, [EBP-30], 12345678 <-- Check for encryption_seed2.
:00429C5C JNZ 00429C85 <-- Good jump.
:00429C5E MOV EDI, FFFFFFA5 <-- Error Code (-91).
Routines inside Ser85.exe detect bpx type breakpoints and patching of key files, the checking code starts at 0040EFD3, here
you'll see the names of the files that are checked and the rather obvious 'PUSH 7' instructions which produce a cryptic error
message box asking you to call Ansoft for assistance. The files verified should give us a good idea where to look for other
parts of the protection, Ansoft's developers evidently tried (as is good policy) to identify possible points of attack. Using
bpmb style breakpoints we can quickly recover (what we think are valid) encryption_seed1 (0x7CB2B081) & encryption_seed2
(0x2DFE22B6).
.....
Finally, methods 1 and 2 confirm the Zendenc version is 7.1d. This step serves two purposes: the version is needed when generating the vendor information in lmkg.exe, and again when making the license with the FLEXlm SDK.
2. Find the FEATURE first
Method 1:
No IDA, too much hassle; since we have the SDK and the experience of those who came before, I will take a shortcut, and again it is lmtools from the installed FLEXlm SDK. Open the "Server Status" tab and click "Perform Status Enquiry"; you will see the contents of the genuine license.dat on the server side. The precondition is that the client is configured and you have a licensed program and license, obviously!
For example, it shows:
101: SERVER main 001234567890 (my server's NIC address; I have masked the real one to avoid trouble!)
80: VENDOR adskflex port=8080
150: INCREMENT 41100ACD_2002_0F adskflex 1.000 permanent 100 VENDOR_STRING=(many parameters in between, omitted to avoid trouble) SIGN=787878787878
(real value masked to avoid trouble; why 78?)
Related info: omitted
170: (overall file checksum)
See it?
VENDOR adskflex
INCREMENT 41100ACD_2002_0F: an INCREMENT line is effectively a FEATURE, and the 1.000 that follows is the Version
permanent is the expiry, and the 100 after it is the number of users (seats)
VENDOR_STRING= is also part of what the signature covers
the many parameters in between also go into the signature; omitted to avoid trouble
SIGN=787878787878, which I will say no more about
If you do not have a setup like mine, you will have to learn from other material; it is simple!
btw: with the right options you can even control the license server from the client, and you can shut the license service down. Use with care!!! I once shut it down accidentally a few times; every CAD machine in the company went on strike, the administrator had no idea what had happened and had to reboot the server, and she was furious for days! I suppose this is a FLEXlm bug.
Method 2:
Use IDA + the sig file for the matching version + the SDK, find the _lc_checkout function, set a breakpoint, and you will find the FEATURE. I used the 7.2 sig; it shows up as _lp_checkout.
Code:
00478043 68 00400000 push 4000
00478048 51 push ecx
00478049 6A 00 push 0
0047804B 6A 01 push 1
0047804D 68 ECDB4900 push zendenc.0049DBEC ; FEATURE version, ASCII "1.0"
00478052 56 push esi ; FEATURE name, ASCII "Zend_Encoder"
00478053 52 push edx
00478054 E8 57DFFBFF call zendenc.00435FB0 ; lp_checkout
00478059 83C4 4C add esp,4C
0047805C 85C0 test eax,eax ; checkout returns 0 on success: jump over the error path
0047805E 74 3F je short zendenc.0047809F
00478060 8A8424 18090000 mov al,byte ptr ss:[esp+918]
00478067 84C0 test al,al
00478069 75 12 jnz short zendenc.0047807D
0047806B 8B4424 10 mov eax,dword ptr ss:[esp+10]
0047806F 68 DCDB4900 push zendenc.0049DBDC ; ASCII "Checkout failed": search for this string, and the call just above it is the checkout!
00478074 50 push eax
Break at 00478054 and the FEATURE name and version appear in the stack window, or use d esi.
3. Find the vendor and the key data for computing the seeds
Method 1 is the same as before; skipping.
Method 2:
The following is quoted from tulipfan[CCG]:
********
"To find the vendor_id you need to find the l_sg function (as to why, read some of the more basic articles). Here I mainly explain how to locate l_sg,
an internal FLEXlm function. Both lc_init and lc_checkout call it; below is the call chain, the number in parentheses being the number of calls.
a. lc_init -> l_init
b. l_init -> l_sg(1)
a. lc_checkout -> l_checkout
b. l_checkout -> lm_start_real(2)
c. lm_start_real -> l_good_lic_key(3)
d. l_good_lic_key -> l_sg(2)
The call relationship can be seen above.
Through l_sg we can determine vendor_id and the ENCRYPTION_SEEDs; through lc_checkout we can determine the FEATURE.
IDA with the FLEXlm sig file identifies most of the functions above, and through their call relationships the others are easy to find.
Batch files and toolkits for making FLEXlm licenses can be downloaded from CrackZ.
Finally, locate the l_sg function."
************
We have the 9.2 source, and in lm_ckout.c there is the following passage; these constants are very useful for identifying l_sg:
0x7648b98e; /* v7.x */
0x6f7330b8; /* v8.x, 9.x */
For reference:
V7
glseed = 0x788F71D2
seedval = 0x7648B98E
V8
glseed = 0x3CDE3EBF
seedval = 0x6F7330B8
V9
glseed = 0x72346B53
seedval = 0x6F7330B8
v10
glseed = 0x5332322F
seedval = 0x6F7330B8
On this point, zhanzixin has a small addition:
The number 0x7648b98e, the one called seedval,
is 0xa8f38730 in versions 4, 5 and 6,
0x7648b98e in versions 7.0 through 8.0c,
and from 8.0d onward it has stayed 0x6f7330b8.
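The string search of Method 1 and the seedval constants listed here can be combined into one static fingerprint of a FLEXlm-linked binary. The scanner below is an added example, not part of this write-up or of the FLEXlm SDK. The byte blob it scans is constructed here from the instruction encodings quoted in this article (mov [ebp+var_10], 7648B98Eh, the cmp instructions against the demo seeds, and the cmp against the L_SECLEN_SHORT constant 0x66D8B337 that Part 4 uses), so it runs offline; pass a file name to scan a real binary instead.

```python
import re
import struct

# Markers from this article: the version banner searched for in Method 1, the
# l_sg "seedval" constant per FLEXlm generation (zhanzixin's table), the demo
# seeds from the SDK's lm_code.h, and L_SECLEN_SHORT from l_privat.h (Part 4).
VERSION_BANNER = re.compile(rb"@\(#\) FLEXlm v([0-9]+\.[0-9]+[a-z]?)")
SEEDVAL_BY_GENERATION = {
    0xA8F38730: "v4.x-v6.x",
    0x7648B98E: "v7.0-v8.0c",
    0x6F7330B8: "v8.0d and later",
}
DEMO_SEEDS = {0x87654321: "ENCRYPTION_SEED1 (SDK demo)",
              0x12345678: "ENCRYPTION_SEED2 (SDK demo)"}
L_SECLEN_SHORT = 0x66D8B337


def find_dword(blob, value):
    """Offsets at which VALUE occurs as a little-endian 32-bit immediate."""
    needle = struct.pack("<I", value)
    offsets, start = [], 0
    while True:
        pos = blob.find(needle, start)
        if pos < 0:
            return offsets
        offsets.append(pos)
        start = pos + 1


def fingerprint(blob):
    """Static FLEXlm fingerprint: banner version, seedval generation, demo-seed
    compares and L_SECLEN_SHORT compares, each with the file offsets found."""
    m = VERSION_BANNER.search(blob)
    return {
        "banner": m.group(1).decode() if m else None,
        "seedval": [(off, value, gen)
                    for value, gen in SEEDVAL_BY_GENERATION.items()
                    for off in find_dword(blob, value)],
        "demo_seeds": [(off, value, name)
                       for value, name in DEMO_SEEDS.items()
                       for off in find_dword(blob, value)],
        "seclen_short": find_dword(blob, L_SECLEN_SHORT),
    }


# Constructed sample, not a real binary: the banner plus the instruction
# encodings quoted in this article (opcode bytes from the OllyDbg/IDA listings).
SAMPLE = (
    b"\x00" * 16
    + b"@(#) FLEXlm v7.1d\x00"
    + b"\xc7\x45\xf0" + struct.pack("<I", 0x7648B98E)              # mov [ebp+var_10], 7648B98Eh
    + b"\x81\xbd\x44\xff\xff\xff" + struct.pack("<I", 0x87654321)  # cmp [ebp-BCh], 87654321h
    + b"\x81\xbd\x48\xff\xff\xff" + struct.pack("<I", 0x12345678)  # cmp [ebp-B8h], 12345678h
    + b"\x81\x7d\x18" + struct.pack("<I", 0x66D8B337)              # cmp [ebp+18h], 66D8B337h
)

if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for key, value in fingerprint(data).items():
        print(key, value)
```

A hit on 0x7648B98E or 0x6F7330B8 gives the address to set the l_sg breakpoint at before opening a debugger, and a hit on both demo seeds marks the compare that Method 3 searches for.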
Code:
/*-
* Also used by flexcrypt -- notify if API changes.
*/
void
l_sg(
LM_HANDLE * job,
char * vendor_id,
VENDORCODE * key) /*- l_sg means "signature vendor_key5" */
{
unsigned long keys[4];
char sig[SIGSIZE] = {'\0'};
/*- If you change this, you must change it also in utils/lmnewgen.c */
/*- unsigned long x = 0xa8f38730; v3.1 */
/*- unsigned long x = 0x7648b98e; v7.0 */
unsigned long x = 0x6f7330b8; /*- v8.x */
extern void (*L_UNIQ_KEY5_FUNC)();
unsigned long d0 = 0, d1 = 0;
int i = SIGSIZE-1;
if (( job->options->flags & LM_OPTFLAG_CUSTOM_KEY5) && L_UNIQ_KEY5_FUNC)
{
(*L_UNIQ_KEY5_FUNC)(job, vendor_id, key);
return;
}
Enough talk. Disassemble zendenc.exe directly and search for "7648B98E"; it leads to the code below, and there seem to be only one or two hits. The experience of those before us is precious; it saved me a lot of work!
Code:
.text:00438FDA ; =============== S U B R O U T I N E =======================================
.text:00438FDA
.text:00438FDA ; Attributes: bp-based frame
.text:00438FDA
.text:00438FDA sub_438FDA proc near ; CODE XREF: sub_432CC4+C7Cp
.text:00438FDA ; sub_437621+B9p ...
.text:00438FDA
.text:00438FDA push ebp ==== set the first breakpoint here
.text:00438FDB mov ebp, esp
.text:00438FDD sub esp, 30h
.text:00438FE0 mov [ebp+var_10], 7648B98Eh ==== this constant is what identifies l_sg
.text:00438FE7 mov [ebp+var_14], 3
.text:00438FEE mov eax, [ebp+arg_0]
.text:00438FF1 mov ecx, [eax+6Ch]
.text:00438FF4 mov edx, [ecx+1D4h]
.text:00438FFA and edx, 8000h ==== job->options->flags & LM_OPTFLAG_CUSTOM_KEY5 from the l_sg source above
.text:00439000 test edx, edx
.text:00439002 jz short loc_439027 ==== this jump was analyzed above: the first time through it is taken; come back on the second pass!
.text:00439004 cmp dword_49E5EC, 0 ==== dword_49E5EC is the L_UNIQ_KEY5_FUNC pointer
.text:0043900B jz short loc_439027
.text:0043900D mov eax, [ebp+arg_8]
.text:00439010 push eax
.text:00439011 mov ecx, [ebp+arg_4]
.text:00439014 push ecx
.text:00439015 mov edx, [ebp+arg_0]
.text:00439018 push edx
.text:00439019 call dword_49E5EC ==== break here; after stepping over with F8, the three arguments still on the stack are what we want!
.text:0043901F add esp, 0Ch
.text:00439022 jmp loc_43913A
.text:00439027 ; ---------------------------------------------------------------------------
.text:00439027 loc_439027: ; CODE XREF: sub_438FDA+28j
.text:00439027 ; sub_438FDA+31j
.text:00439027 push 4
.text:00439029 lea eax, [ebp+var_28]
.text:0043902C push eax
.text:0043902D mov ecx, [ebp+arg_8]
.text:00439030 add ecx, 0Ch
.text:00439033 push ecx
.text:00439034 mov edx, [ebp+arg_4]
.text:00439037 push edx
.text:00439038 call sub_451F26
*************************
Not so fast; first some preparation:
*************************
Earlier, at 00433938, we obtained VENDOR = "zend", and ebp-D0 at 0043392C is where the VENDORCODE structure is initialized (see the listing under Method 3 of step 1, starting at 0043391D).
But here is another problem: we have no license.dat, so we must make a fake one; otherwise the second pass never reaches .text:00438FDA and all the work is wasted!
I will not describe the license.dat format; the Kanxue book and plenty of other material explain it clearly.
Based on the genuine license.dat contents seen above, make a fake license.dat and put it in the zendenc directory:
***************
FEATURE Zend_Encoder zend 1.0 permanent uncounted VENDOR_STRING=www.FCGchina.com \
HOSTID=ANY SIGN=787878787878 (78 again!?)
***************
Because the network is disconnected, running zendenc.exe finds no license; we point it at our fake license.dat and of course it exits with an error. Careful tracing also reveals that the license file name must be Zend_Encoder.dat!
OK, to work:
Start OllyDbg 1.10, load zendenc.exe, stop at the entry point and set bp 00438FDA and bp 00439019.
F9 to run; it breaks at 00438FDA.
On this first pass the jump at 00439002 jz short loc_439027 is taken; note: let it jump.
If you force it not to jump on the first pass you do reach 00439019, but the seed1 and seed2 you trace out are wrong, and they stay wrong no matter how many times you repeat it.
F9 again and we break at 00438FDA a second time; now step with F8, and this time the jump is not taken. Continue until just past 00439019 and pause!
Enter the following in the command bar (the call has returned but add esp,0Ch has not run yet, so [esp], [esp+4] and [esp+8] still hold the three arguments job, vendor_id and key) and you can see (I recorded results from several debugging sessions):
Code:
Enter d [esp+4]; in the memory window (Long / ASCII dump view):
**********
003983AC 646E657A zend
Enter d [esp+8]; in the memory window (Long / ASCII dump view):
****1****
0012CF98 00000004
0012CF9C B68ACAC8 data[0]
0012CFA0 96327B11 data[1]
0012CFA4 534D01FB
0012CFA8 2D607B98
0012CFAC B069483D
0012CFB0 67FCD8B6
0012CFB4 00000000
********1************
Enter d [esp] (Long / ASCII dump view):
******2*****
00398260 00000066
00398264 00F400E6
00398268 B9DEDAA8 job+08
0039826C EB6E4C33 job+0c
00398270 BEF9AA16 job+10
********2***********
These values are the key to computing seed1 and seed2!
4. Compute the ENCRYPTION_SEEDs
Using calcseed.exe, enter data[0], data[1], job+08, job+0c, job+10 and the VENDOR name "zend" from above, and compute:
ENCRYPTION_SEED1 0xfa5410de
ENCRYPTION_SEED2 0xdaeca107
The result is the same across repeated runs; note that the values must be taken on the second, natural arrival!
At this point the analysis is essentially done and we can write license.dat with the SDK.
Part 3: Making license.dat
Method 1:
We now have the following data:
Code:
Feature Zend_Encoder
Feature Version 1.0
ENCRYPTION_SEED1 0xfa5410de
ENCRYPTION_SEED2 0xdaeca107
VENDOR Zend
BEHAVIOR Version V7.1d
Using lmkg.exe, select version 7.0 and enter "Zend" as the vendor_id to get:
Code:
/* Version 7 keys */
#define VENDOR_KEY1 0xdb5c129b
#define VENDOR_KEY2 0x7c9d919a
#define VENDOR_KEY3 0x1ee3b786
#define VENDOR_KEY4 0x01745090
#define VENDOR_KEY5 0x2c2dd7f7
#define CRO_KEY1 0xdf7c1093
#define CRO_KEY2 0x3abff31c
#define VENDOR_NAME "Zend"
Following the information above, edit \flexlm\v7.2\machind\lm_code.h:
Code:
**********************************
#ifndef LM_CODE_H
#define LM_CODE_H
#include "lm_cro.h"
/*
* Pick an LM_STRENGTH.
*
* If you're not using CRO public-key, then leave this as
* LM_STRENGTH_DEFAULT.
* If you're upgrading from pre-v7.1, and want no changes,
* set this to LM_STRENGTH_LICENSE_KEY.
*/
#define LM_STRENGTH LM_STRENGTH_DEFAULT /* note: the 12-character SIGN= requires this setting */
/*
* LM_STRENGTH Options are
* LM_STRENGTH_DEFAULT Public key protection unused
* Use SIGN= attribute
* sign length = 12
* Public key:
* LM_STRENGTH_113BIT, LOW sign length = 58 chars
* LM_STRENGTH_163BIT, MEDIUM sign length = 84 chars
* LM_STRENGTH_239BIT, HIGH sign length = 120 chars
*
* Use pre-v7.1, non-CRO
* LM_STRENGTH_LICENSE_KEY Use pre-v7.1 license-keys.
* Doesn't use SIGN= attribute.
*/
/*
* Vendor's private seeds, -- replace with 32-bit numbers that
* you make up.
*/
#define ENCRYPTION_SEED1 0xfa5410de /* the SEED1 we found */
#define ENCRYPTION_SEED2 0xdaeca107 /* the SEED2 we found */
#define ENCRYPTION_SEED3 0x22222222 /* unused, leave unchanged */
#define ENCRYPTION_SEED4 0x32323232 /* unused, leave unchanged */
/*
* FLEXlm vendor keys -- enter as received from Globetrotter.
* Changing these keys has NO impact on license files (unlike
* the ENCRYPTION_SEEDs).
*/
/*-
* Generate these keys with: lmvkey -v demo -d (+3 months) -p ALL -c DEMO
* (Use a date approx 3 months out)
*/
#define VENDOR_KEY1 0xdb5c12db /* computed with lmkg above */
#define VENDOR_KEY2 0x7c9d91ba
#define VENDOR_KEY3 0x1ee3b7c6
#define VENDOR_KEY4 0x017450b0
#define VENDOR_KEY5 0x0c2dd7f7 /* computed with lmkg above */
#define CRO_KEY1 0xdf7c10d3 /* Used to enable CRO -- turned off by default */
#define CRO_KEY2 0x3abff33c /* Be sure to reset LM_STRENGTH above if
CRO_KEY is non-zero */
/*
* FLEXlm vendor name. Leave as "demo" if evaluating FLEXlm. Otherwise
* set to your vendor daemon name.
*/
#define VENDOR_NAME "Zend" /* the VENDOR we found */
/*
* Older customers with newer versions may want to set
* behavior defaults to previous version, though this is usually
* discouraged. Behaviors can be changed individually using
* LM_A_xxx in the flexible API. New customers should use the
* current default, as set below
*
* Valid settings include:
* LM_BEHAVIOR_V2, _V3, _V4, _V5, _V5_1, _V6, _V7, _V7_1
*/
#define LM_VER_BEHAVIOR LM_BEHAVIOR_V7_1
#endif /* LM_CODE_H */
**************************************
Edit done, save, OK. (Note that the VENDOR_KEY and CRO_KEY values in this header differ by one byte each from the ones lmkg printed above; as the header's own comment says, changing the vendor keys has no impact on license files, unlike the ENCRYPTION_SEEDs, so the SIGN depends on the seeds, the vendor name and the FEATURE line fields.)
Open \flexlm\v7.2\i86_n3\genlic.exe and start building.
See the attached screenshots:
1. In the Basic window fill in the Feature, tick permanent and select run anywhere.
2. In the Advanced window enter the FEATURE version, 1, i.e. 1.000; in Vendor info enter Cracked by laoqian[FCG].
3. Leave the rest unchanged, return to the Basic window, click Make License, then save your license.dat.
Done!
You can make a license.dat with whatever restrictions you like; mine has none!
Method 2:
lmcryptgui can also produce the license above successfully!
We have the following data:
Code:
Feature Zend_Encoder
Feature Version 1.0
ENCRYPTION_SEED1 0xfa5410de
ENCRYPTION_SEED2 0xdaeca107
VENDOR Zend
BEHAVIOR Version V7.1d
1. Manually find the vendor, seed1, seed2, FEATURE and version (7.1, 7.2 ..., 8.x, etc.).
2. Fill in the vendor, seed1, seed2, BEHAVIOR Version 7 and so on; note there is no 0x prefix.
3. Run it; it generates an exe.
4. Make a fake license.dat (see other material for the format). The format must be exactly right; only the SIGN= value can be arbitrary!
5. Drag the fake license.dat onto the generated exe and it automatically writes a correct license.dat with a valid SIGN, provided the vendor, seed1, seed2, FEATURE and version you found are all correct!
Appendix: how to write license.dat:
FEATURE xxxxx VENDORxxx 1.000 permanent uncounted \
VENDOR_STRING=WWW.FCGCHINA.COM HOSTID=ANY ISSUER="by \
laoqian[FCG] dedicated to the free FCG" ISSUED=11-NOV-2004 \
SIGN=123456789012
Here "xxxxx" is the FEATURE, which you must find manually; "VENDORxxx" and the Feature Version "1.000" also have to be found manually, though the Feature Version can actually be chosen freely: I tried several and they all ran. (FLEXlm grants the checkout when the license version is at least the version the program requests, which is why a higher version also works.)
SIGN=123456789012 is any 12 hex digits. The rest stays as is.
The license.dat format depends on the version; the above is the format for FLEXlm 7.1 and later.
Before 7.1 there is no SIGN= attribute; the license key sits earlier in the line, right after the user count.
Also: VENDOR_STRING, ISSUER and ISSUED are optional.
btw: for this program the license file must be named Zend_Encoder.dat and must sit in the same directory as zendenc.exe; zendenc.exe runs in a DOS window!
Code:
FEATURE Zend_Encoder zend 1.0 permanent uncounted VENDOR_STRING=blah \
HOSTID=ANY SIGN=B6457F8A4618
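The line layout described in this appendix (continuation backslashes, the fixed fields before the attributes, quoted attribute values, the SIGN= length per LM_STRENGTH, and the pre-7.1 key position) can be checked with a small parser, and the same code shows how the 12 hex characters of a SIGN map onto bytes, which is the byte-order observation Part 4 below relies on. This is an added example, not laoqian's code or anything from the FLEXlm SDK. The sample file is assembled here from the license lines shown on this page; the assumptions are that a pre-7.1 line carries its key as the bare token right after the user count and that the SIGN= lengths are the ones listed in the lm_code.h comment above.

```python
import re
import struct

# One token: KEY="quoted value with spaces", or a run of non-blank characters.
_TOKEN = re.compile(r'[A-Za-z_]+="[^"]*"|\S+')

# SIGN= lengths from the LM_STRENGTH comment in lm_code.h above.
SIGN_STRENGTH = {12: "LM_STRENGTH_DEFAULT", 58: "LM_STRENGTH_113BIT",
                 84: "LM_STRENGTH_163BIT", 120: "LM_STRENGTH_239BIT"}


def logical_lines(text):
    """Join physical lines that end in a backslash into one logical line;
    drop blank lines and # comments."""
    out, buf = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):
            buf += line[:-1].rstrip() + " "
            continue
        buf += line
        if buf.strip() and not buf.startswith("#"):
            out.append(buf.strip())
        buf = ""
    if buf.strip():
        out.append(buf.strip())
    return out


def _attr(tok):
    key, _, value = tok.partition("=")
    return key, value.strip('"')


def parse_feature(line):
    """FEATURE/INCREMENT line -> dict of the fields the signature covers.
    Assumption (pre-v7.1 layout): a bare token right after the count is the
    old-style license key instead of a SIGN= attribute."""
    tok = _TOKEN.findall(line)
    if len(tok) < 6 or tok[0] not in ("FEATURE", "INCREMENT"):
        raise ValueError("not a FEATURE/INCREMENT line: %r" % line)
    rec = {"type": tok[0], "feature": tok[1], "vendor": tok[2],
           "version": tok[3], "expiry": tok[4], "count": tok[5],
           "attrs": {}, "sign": None, "legacy_key": None, "strength": None}
    for t in tok[6:]:
        if "=" in t:
            key, value = _attr(t)
            if key == "SIGN":
                if len(value) == 12 and not re.fullmatch(r"[0-9A-Fa-f]{12}", value):
                    raise ValueError("12-char SIGN must be hex: %r" % value)
                rec["sign"] = value
                rec["strength"] = SIGN_STRENGTH.get(len(value), "unknown (%d chars)" % len(value))
            else:
                rec["attrs"][key] = value
        elif rec["legacy_key"] is None and rec["sign"] is None and not rec["attrs"]:
            rec["legacy_key"] = t
            rec["strength"] = "LM_STRENGTH_LICENSE_KEY"
        else:
            raise ValueError("unexpected token %r in %r" % (t, line))
    return rec


def parse_license(text):
    """Parse SERVER, VENDOR/DAEMON and FEATURE/INCREMENT lines of a license file."""
    records = []
    for line in logical_lines(text):
        tok = _TOKEN.findall(line)
        kind = tok[0]
        if kind in ("FEATURE", "INCREMENT"):
            records.append(parse_feature(line))
        elif kind == "SERVER":
            records.append({"type": "SERVER", "host": tok[1], "hostid": tok[2],
                            "port": tok[3] if len(tok) > 3 else None})
        elif kind in ("VENDOR", "DAEMON"):
            records.append({"type": kind, "name": tok[1],
                            "attrs": dict(_attr(t) for t in tok[2:] if "=" in t)})
        else:
            records.append({"type": kind, "raw": line})
    return records


def sign_layout(sign):
    """Raw bytes of a 12-hex-char SIGN as (first byte, little-endian dword of
    bytes 1..4, last byte): the B6 | 468A7F45 | 18 split seen in Part 4."""
    raw = bytes.fromhex(sign)
    if len(raw) != 6:
        raise ValueError("expected a 12-hex-char SIGN")
    return raw[0], struct.unpack("<I", raw[1:5])[0], raw[5]


# Constructed sample assembled from the license lines shown on this page.
SAMPLE_LICENSE = """\
SERVER main 001234567890
VENDOR adskflex port=8080
FEATURE Zend_Encoder zend 1.0 permanent uncounted VENDOR_STRING=blah \\
HOSTID=ANY SIGN=B6457F8A4618
FEATURE xxxxx VENDORxxx 1.000 permanent uncounted \\
VENDOR_STRING=WWW.FCGCHINA.COM HOSTID=ANY ISSUER="by \\
laoqian[FCG] dedicated to the free FCG" ISSUED=11-NOV-2004 \\
SIGN=123456789012
"""

if __name__ == "__main__":
    for rec in parse_license(SAMPLE_LICENSE):
        print(rec)
```

Everything the parser returns for a FEATURE line except the SIGN itself is input to the signature, which is why step 4 of Method 2 insists on an exactly formatted fake line with only the SIGN left arbitrary.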
µÚËIJ¿·Ö: Ô´´·¢»Ó
·ÖÎöµÃÖªflexlm9.22¡£sdkµÄÔ´Âë
´úÂë:
ÎÒÃÇÔÚflexlm9.22 sdkµÄÔ´ÂëÀï¿´µ½l_privat.h
*-
* -------------------------------------------------------------
* license-key-length stuff
*/
#define LM_OPTFLAG_LKEY_LONG 0x800 /* default False */
#define L_SECLEN_SHORT 0x66D8B337
#define L_SECLEN_LONG 0x289BEB8A
#define L_SECLEN_SET_LONG job->options->flags |= LM_OPTFLAG_LKEY_LONG; \
job->options->sf = L_SECLEN_LONG;
#define L_SECLEN_SET_SHORT job->options->flags &= ~LM_OPTFLAG_LKEY_LONG; \
job->options->sf = L_SECLEN_SHORT;
#define L_SECLEN_OK (((job->options->flags & LM_OPTFLAG_LKEY_LONG) && \
(job->options->sf == L_SECLEN_LONG)) || \
(job->options->sf == L_SECLEN_SHORT))
0x66D8B337 is the license-key-length marker (L_SECLEN_SHORT); presumably it means the 12-character SIGN!
Code:
0043C545 25 FF000000 and eax,0FF
0043C54A 25 FF000000 and eax,0FF
0043C54F A2 41E64900 mov byte ptr ds:[49E641],al
0043C554 C605 47E64900 00 mov byte ptr ds:[49E647],0
0043C55B 8A15 47E64900 mov dl,byte ptr ds:[49E647]
0043C561 8815 46E64900 mov byte ptr ds:[49E646],dl
0043C567 C785 74FEFFFF 08000000 mov dword ptr ss:[ebp-18C],8
0043C571 817D 18 37B3D866 cmp dword ptr ss:[ebp+18],66D8B337 ; break right here! Step to it and look!
0043C578 75 0F jnz short zendenc.0043C589
0043C57A 8B85 74FEFFFF mov eax,dword ptr ss:[ebp-18C]
Enter d 49E641 (Long / ASCII dump view) and you see:
Code:
0049E63D B6000000
0049E641 468A7F45
0049E645 EE000018
That is my SIGN=B6457F8A4618. Look at the dump: B6 + "468A7F45" + 18! Reading the dword "468A7F45" low byte first (45 7F 8A 46) gives the middle eight hex digits, so the plaintext sign is sitting right here!
How did we find 0043C571?
Code:
0043C6D0 83BD 8CFEFFFF 00 cmp dword ptr ss:[ebp-174],0
0043C6D7 74 2A je short zendenc.0043C703
0043C6D9 8B95 78FEFFFF mov edx,dword ptr ss:[ebp-188]
0043C6DF 33C0 xor eax,eax
0043C6E1 8A82 40E64900 mov al,byte ptr ds:[edx+49E640]
0043C6E7 50 push eax
0043C6E8 8B8D 78FEFFFF mov ecx,dword ptr ss:[ebp-188]
0043C6EE 51 push ecx
0043C6EF 8D95 30FEFFFF lea edx,dword ptr ss:[ebp-1D0]
0043C6F5 52 push edx
0043C6F6 8B45 08 mov eax,dword ptr ss:[ebp+8]
0043C6F9 50 push eax
0043C6FA FF95 8CFEFFFF call dword ptr ss:[ebp-174]
0043C700 83C4 10 add esp,10
0043C703 8B8D 30FEFFFF mov ecx,dword ptr ss:[ebp-1D0]
0043C709 81E1 FF000000 and ecx,0FF
0043C70F 8B95 78FEFFFF mov edx,dword ptr ss:[ebp-188]
0043C715 33C0 xor eax,eax
0043C717 8A82 40E64900 mov al,byte ptr ds:[edx+49E640] ; see the address 49E640? Set a memory breakpoint there
0043C71D 3BC8 cmp ecx,eax ; eax = one byte of the real sign, ecx = one byte of the fake sign
0043C71F 74 04 je short zendenc.0043C725 ; equal?
0043C721 33C0 xor eax,eax ; mismatch: bye-bye!
0043C723 EB 26 jmp short zendenc.0043C74B
0043C725 ^ E9 6BFEFFFF jmp zendenc.0043C595 ; compare the next byte!
0043C72A 8B4D 18 mov ecx,dword ptr ss:[ebp+18]
How did we find 0043C71D? The program has to read our fake license file, so the fake SIGN it reads must be stored in memory somewhere; set a memory (hardware) breakpoint there and trace step by step until you arrive here. Heh, it takes patience! But it is not hard to find: after the second entry into the "7648B98E" call, trace slowly and you get here. I will spare you the intermediate steps.
Now all you need to do is search for 66D8B337, find code like the above and set a breakpoint! This works for 8.x and probably for 9.x as well, because 66D8B337 has not changed!
In other words we can recover the plaintext sign, at least byte by byte at 0043C71D! The preconditions: a correctly formatted fake license file, the right path, and any anti-debugging dealt with (if present). This works because with LM_STRENGTH_DEFAULT the client itself recomputes the expected SIGN from the seeds and then compares it in plaintext; with the public-key strengths listed in lm_code.h the client holds only the verification key, so the signing secret is not in the binary to be recovered.
Part 5: An open problem
When tracing some FLEXlm-protected software, we sometimes never reach the equivalent of 00439019 call dword_49E5EC. The call containing that address should be reached twice: normally the first pass skips 00439019 call dword_49E5EC and only the second pass really enters it, and only then can the values in this article be obtained. The problem is that many programs never make the second pass; they just error out and exit, even when the fake license file's format and parameters are correct (apart from the SIGN), so the needed values cannot be obtained, and forcing the jump does not work! How to solve this? Usually it happens when the key call and breakpoint are inside a DLL. My feeling is that the license file name or path is wrong, or there is anti-debugging and a CRC check, or ECC (public-key signing) is at play. This problem needs someone dedicated to solve it!
Part 6: Thanks
CrackZ
Nolan Blender
Oleh Yuschuk
tulipfan[CCG]
allenzhu[CCG]
zhanzixin
Fellow members of FCG
and all the friends on the Kanxue (Pediy) forum!