mycsy
发表于 2008-5-14 15:09
曾经研究过一段时间的FLEXLM,也写了自己的VENDERCODER生成器.
后来因为ECC无法解决停了2年.
这个自动提取VENDERCODE的插件, 用V6,V7,V8,V9都试过几个,可以提取. V10因为新的l_n36_buf,不提供样本License,CALL的地址为0,所以没继续试(也许提供一个假的license也可以正常工作,不过本人没试).
// Flexlm Vender data refatch
// by Tylon
// Dec . 30 . 2007
//
// OllyDbg script (OllyScript syntax). It is run from inside OllyDbg against the
// already-loaded target and appends its output to the hard-coded file held in `ofile`.
// Control flow is linear: the `ret` after the final `msg` ends the script, so the
// `data_b:` and `erra:` labels below it are only referenced from commented-out lines
// and are unreachable as written; `cont1` (target of `jmp cont1`) is not defined
// anywhere in this script.
var demo
var avar
var fadd
var stp
var ofile
lclr
mov ofile, "c:\data.txt" // no way to let you define the out-file name
mov demo, 401000
find demo, #21436587# // use 0x87654321 as 1st anchor
mov demo, $RESULT
find demo, #78563412# // the next demo Skey,
mov demo, $RESULT
sub demo, 20
add demo, 6
bp demo // adjust to the call
run
sti // step-into the call
mov stp,eip // back up the start eip of the subroutine for later searching
dm [esp+08], 14, ofile // get vendor name
mov avar, [esp+0c] // v_ata
mov demo, 0; // NOTE(review): trailing ';' here and on two later lines — confirm the script engine ignores it
// vdata loop: writes one dword from [avar] per pass, advancing avar and demo by 4,
// and exits once demo reaches 164 (jb = unsigned compare).
vdata:
itoa [avar];
wrta ofile, $RESULT
add avar, 4
add demo, 4
cmp demo, 164
jb vdata
wrta ofile,"\r\n"
// mov demo, eip+9 //we don't need thisone
// itoa [demo]
// wrta ofile, $RESULT
findop eip, #ff??#, ff
mov fadd, $RESULT
// if not do this check, it'll lead to good sub
// cmp [avar],0
// je erra
bc
bp $RESULT //set bp on the call [???]
sub fadd, stp;
findop eip, #2500800000#, fadd // find cmp eax
cmp $RESULT,0
je findother // first pattern not found: try the second one below
mov fadd,$RESULT
// repl fadd, #2500800000#, #0500800000#,10
jmp torun
findother:
findop eip, #81??00800000#,fadd
mov fadd, $RESULT
// repl fadd, #81??00800000#, #8B??00800000#,12
torun:
add fadd,4
repl fadd, #74??#, #9090#, 10
run
sti //now we are inside the destined area
wrta ofile, "magic_4: "
mov demo, eip+9 //magic_4
itoa [demo]
wrta ofile, $RESULT
wrta ofile, "\r\n"
wrta ofile, "can't get turns directly,so just dump the asm-code:\r\n"
// find eip, #0FBE????????0FBE#,2000
// mov stp, $RESULT
// find eip, #0FBE??????????0FBE#,2000
// mov fadd, $RESULT
// cmp stp, 0
// je start_2
// cmp fadd, 0
// je start_1
// cmp fadd, stp
// jb start_2
//start_1:
// mov fadd, stp
// jmp here
//start_2:
// go fadd
//here:
findop eip, #0FBE??D?#,2000
mov fadd, $RESULT
// The opcode / wrta / wrta / add group below is written out 11 times (the last
// without the add). A counted loop in the style of vdata above would express the
// same sequence in four lines.
opcode fadd
wrta ofile, $RESULT
wrta ofile, $RESULT_1
add fadd,$RESULT_2
opcode fadd
wrta ofile, $RESULT
wrta ofile, $RESULT_1
add fadd,$RESULT_2
opcode fadd
wrta ofile, $RESULT
wrta ofile, $RESULT_1
add fadd,$RESULT_2
opcode fadd
wrta ofile, $RESULT
wrta ofile, $RESULT_1
add fadd,$RESULT_2
opcode fadd
wrta ofile, $RESULT
wrta ofile, $RESULT_1
add fadd,$RESULT_2
opcode fadd
wrta ofile, $RESULT
wrta ofile, $RESULT_1
add fadd,$RESULT_2
opcode fadd
wrta ofile, $RESULT
wrta ofile, $RESULT_1
add fadd,$RESULT_2
opcode fadd
wrta ofile, $RESULT
wrta ofile, $RESULT_1
add fadd,$RESULT_2
opcode fadd
wrta ofile, $RESULT
wrta ofile, $RESULT_1
add fadd,$RESULT_2
opcode fadd
wrta ofile, $RESULT
wrta ofile, $RESULT_1
add fadd,$RESULT_2
opcode fadd
wrta ofile, $RESULT
wrta ofile, $RESULT_1
// add fadd,$RESULT_2
// NOTE(review): the message text contains unescaped double quotes around C:\data.txt;
// confirm they do not terminate the string literal early in the script engine.
msg "Congradulation!\r\n we've got our vendor data to\r\n "C:\data.txt"\r\n Thanks for using! "
ret // end of script; the labels below are not reached from here
data_b:
msg "yes"
jmp cont1
ret
erra:
ask "Error: ver > 10, continue handly?"
ret
提到的数据可以用key10.exe等工具生成最终的VENDERCODE.
那脚本只要在OD里面执行就可以了,会自动生成数据到C:\data.txt.
生成的文件里面有VENDER NAME, 加密的VENDERCODE. 和重新生成KEY5用的随机密码,最后是一段反汇编的源程序,里面就是Y5生成用的移位顺序.
有这些就可以生成VENDERCODE了.
不过只能对付没有ECC的....
那个KEYGEN可以做重新生成工作. 之前曾经看到脸说是自己做的MAKEKEY生成的LICENSE不能通过自己的(做MAKEKEY同时生成的DAEMON)的验证,我想原因可能是他们只生成了一对加密种子, 我这里生成的是2对加密种子,一对是用在MAKEKEY上的,一对是用在DAEMON上的(生成MAKEKEY的时候FLEXLM自动会处理,不用自己选择)
用导入文件的格式很简单,就是按data.txt的前面到key4为止, 后面是一行版本,如9.2B就写
902(9.0,B),再后面是上述文件里面的MAGIC4, 然后是移位顺序, *8,*4,*2,*1.
一个我试验的DAEMON撮的数据如下:
c:\data.txt:
prflexd
4
a1162d59
49209a94
6a93b3ec
d577e5b0
3f3d9d1f
945a9c32
9
39300020
302e
5059772
64286a4c
0
3
1
10
16
1f
adea8e72
4069a9ed
5d6b6335
b302987b
0
0
magic_4:
38115f7f
can't get turns directly,so just dump the asm-code:
0FBE45 D8
movsx eax,byte ptr ss:[ebp-28]
D1E0
shl eax,1
0FBE4D D9
movsx ecx,byte ptr ss:[ebp-27]
C1E1 03
shl ecx,3
0BC1
or eax,ecx
0FBE55 DA
movsx edx,byte ptr ss:[ebp-26]
0BC2
or eax,edx
0FBE4D DB
movsx ecx,byte ptr ss:[ebp-25]
C1E1 02
shl ecx,2
0BC1
or eax,ecx
8B55 FC
mov edx,dword ptr ss:[ebp-4]
*****************************
lmgenkey可以导入的文件
注意: 从prflexd开始,没有任何其他附加
*******************************
prflexd
a1162d59
49209a94
6a93b3ec
d577e5b0
3f3d9d1f
945a9c32
902
38115f7f
3142
ok
***************
生成的数据(保存到文件的)
\************************************************
* Vendor_Code for prflexd Ver:9.0C *
* re-generated with LMKEYGEN Wver:2.0 *
* Thu Jan 10 19:49:06 *
* _by tylon *
************************************************\
Uses file_in : prf.txt
#define VENDOR_NAME "prflexd"
#define ENCRYPTION_SEED1 0x568D25EB
#define ENCRYPTION_SEED2 0xBEBB9226
#define ENCRYPTION_SEED3 0x2F852D92
#define ENCRYPTION_SEED4 0xC7B39A5F
#define VENDOR_KEY1 0x0E49CF64
#define VENDOR_KEY2 0xB8CB932E
#define VENDOR_KEY3 0x53F3F782
#define VENDOR_KEY4 0xF080E2B2
#define VENDOR_KEY5 0x4773BA84
\***********************************\
#define CRO_KEY1 0x55C207A8
#define CRO_KEY2 0x9E4587B8
\***********************************\
\******** for review only ********\
kcksum[0] =: 0x37FFBBFE
kcksum[1] =: 0x04008029
kcksum[2] =: 0x40020000
kcksum[3] =: 0x03EEA001
VNAME_CKS =: 0x03FE
EFA的数据库保存的就是上面的KCKSUM,呵呵,一个很直接的VENDERKEY
上面生成的两对加密种子,KEY1/2和KEY3/4也许应该反过来,即:
#define ENCRYPTION_SEED1 0x2F852D92
#define ENCRYPTION_SEED2 0xC7B39A5F
#define ENCRYPTION_SEED3 0x568D25EB
#define ENCRYPTION_SEED4 0xBEBB9226
由于很久没有做过LICENSE了,也没有8.1以上的SDK,所以懒得再试.