// nujia's Flexlm Seedfinder Script for Ollydbg
// Supported should be every Flexlm version 7.2~11.1
// Remove all BP in the code before running this script
// Codebase is usually 00401000 for .exe or 10001000 for .dll
// In more recent Flexlm versions you need a faked license
// Feature f1 1.000 permanent uncounted HOSTID=ANY SIGN=12345678
// otherwise it might not work
//
// Summary of what the script does, as far as the statements below show:
//   1. asks the user for the code base of the module to scan,
//   2. locates two byte signatures by pattern search,
//   3. overwrites four bytes of the debuggee in memory (see `fill`),
//   4. runs the debuggee to two `83 C4 04` sites and captures EAX at each,
//   5. shows both values and writes them to seeds.txt.
// Step 3 modifies the process image held in the debugger.

// NOTE(review): jobstruct is declared but never referenced in this script.
var jobstruct
// Start address for the searches; overwritten below with the first match.
var codebase

// start
// Confirmation prompt; the script proceeds only when $RESULT is 1.
msgyn "Did you remove all BPs?"
cmp $RESULT,1
je setup
ret

setup:
// Prompt for the module code base; a $RESULT of 0 is treated as no input.
ask "Enter Codebase of the Flexlm Module"
cmp $RESULT, 0
je cancel
mov codebase, $RESULT
jmp findlsg

cancel:
msg "Please enter Codebase"
ret

// It searches for a cmp with 0x3D4DA1D6, which is located below a call to l_sg
// Then we calculate the offset for the call and execute to it
// NOTE(review): the comment above looks stale. None of the patterns below
// contains the constant 0x3D4DA1D6 and no call offset is computed here.
findlsg:
var pos
// NOTE(review): callpos is declared but never used.
var callpos
// Locate the l_string_key function (per the author's note) by byte signature.
// NOTE(review): $RESULT is not compared with 0 before it is reused as the
// next search start, so a miss here is not reported.
find codebase, #992BC2D1F883C001508B550852#
mov codebase, $RESULT
// Locate a specific jz and change it to "jz 00" (author's note): the pattern
// is 85 C? (test) followed by 0F 84 ?? ?? 00 00 (jz rel32) and C7 ?5.
// NOTE(review): this result is not checked against 0 either.
find codebase, #85C?0F84????0000C7?5#
mov pos, $RESULT
// Skip the four bytes 85 C? 0F 84 so pos addresses the jz displacement.
add pos, 4
// Zero the 4-byte displacement in debuggee memory, so the jz lands on the
// instruction that follows it whether or not it is taken.
fill pos, 4,00
// Next 83 C4 04 (add esp, 4) after the patched jump.
find pos, #83c404#
mov pos, $RESULT
// Only this search is checked: 0 is handled as "pattern not found".
cmp pos, 0
je error
// Run the debuggee until it reaches pos.
go pos
jmp lsg

error:
msg "An unknown error occured"
// NOTE(review): there is no ret after this msg, so execution falls through
// into lsg even though the search failed.

// Captures EAX at two consecutive 83 C4 04 sites and reports both values.
lsg:
var seed1
var seed2
// EAX as it stands when the debuggee stops at pos; presumably the return
// value of the call just before the stack adjustment (TODO confirm).
mov seed1, eax
// Move past the current match before searching for the next 83 C4 04.
add pos,6
// NOTE(review): this search result is not checked before `go`.
find pos, #83c404#
mov pos, $RESULT
go pos
mov seed2, eax
// Format both values, write the text to seeds.txt, then display it.
eval "Your seeds are Seed1: 0x{seed1} and Seed2: 0x{seed2}"
WRT "seeds.txt",$RESULT
msg $RESULT
ret