I guess 2013 is not compatible with Win 8 x64.
That's why I use the 2014 version.
I know some people already patched 2014 but they won't share.
Experts who know how to fix this will not share. They just talk.
I hope it is different here :)
Hi friends,
I need a bit of help, please. I want to patch the same target as above, and I finally found, or hope so, the functions that call the PUBLIC key. This key, as is shown above, is in a visible form (MIIB...), thus I decided to patch (as one also claims to have patched it this way) the function that calls the Pubkey. Indeed, I also patched the ECC verify.
Please see here the maps:
http://www.finetopix.com/showthread.php?34233-FlexLM-ECC-Generic-Patcher-Flexlm-targets-%28x86-x64-up-to-version-11-9-x%29&p=236940&viewfull=1#post236940
Then I applied a regular patch like those for I_pubkey_verify, i.e. at the beginning of the function I replaced 3 hex values with 33C0C3, and after that in IDA I see that the result is the same as for I_pubkey_verify, which means that I am pushing the function to respond eax=0. Am I correct? This is the patched function:
.text:00416FB0 ; =============== S U B R O U T I N E =======================================
.text:00416FB0
.text:00416FB0
.text:00416FB0 sub_416FB0 proc near ; CODE XREF: sub_417A60+12Fp
.text:00416FB0 xor eax, eax
.text:00416FB2 retn
.text:00416FB2 sub_416FB0 endp
.text:00416FB2
.text:00416FB3 ; ---------------------------------------------------------------------------
.text:00416FB3 and esp, 0FFFFFFF8h
.text:00416FB6 mov eax, 110Ch
.text:00416FBB call __alloca_probe
.text:00416FC0 mov eax, ___security_cookie
.text:00416FC5 xor eax, esp
.text:00416FC7 mov [esp+1108h], eax
.text:00416FCE push ebx
.text:00416FCF push esi
.text:00416FD0 push edi
.text:00416FD1 push 0FFFh
.text:00416FD6 lea eax, [esp+115h]
.text:00416FDD push 0
.text:00416FDF push eax
.text:00416FE0 mov esi, ecx
.text:00416FE2 mov byte ptr [esp+11Ch], 0
I patched all files where the PUBKEY is present and where the same function (55 8B EC 83 E4 F8 B8 0C 11 00 00 in hex) was present too.
However, the program does not "eat" the vendor info / PUBLIC key and is not working. Here is the original file:
https://mega.co.nz/#!alMkCSwI!Y6Xh1-aQ-D1PZ35-w02vtzTs3k8Az8Tb_4xH6Em-6mA
I also see an RSA verify function, but ... I think that @ericliu showed it, but the one who patched it claims that this does not need to be manipulated.
Thanks in advance!
P.S. As was described here, if you replace just the PUBLIC key (in a simple way with a hex editor) and use the already generated license for the old version, the program works under both Linux and Windows. I just want to add additional features and extend the period of the previous license.
Original function was:
.text:004170F0 ; =============== S U B R O U T I N E =======================================
.text:004170F0
.text:004170F0 ; Attributes: bp-based frame
.text:004170F0
.text:004170F0 sub_4170F0 proc near ; CODE XREF: sub_417270+12Fp
.text:004170F0
.text:004170F0 Buf = byte ptr -1108h
.text:004170F0 var_1008 = byte ptr -1008h
.text:004170F0 Dst = byte ptr -1007h
.text:004170F0 var_4 = dword ptr -4
.text:004170F0
.text:004170F0 push ebp
.text:004170F1 mov ebp, esp
.text:004170F3 and esp, 0FFFFFFF8h
.text:004170F6 mov eax, 110Ch
.text:004170FB call __alloca_probe
.text:00417100 mov eax, ___security_cookie
.text:00417105 xor eax, esp
.text:00417107 mov [esp+110Ch+var_4], eax
.text:0041710E push ebx
.text:0041710F push esi
.text:00417110 push edi
.text:00417111 push 0FFFh ; Size
.text:00417116 lea eax, [esp+111Ch+Dst]
.text:0041711D push 0 ; Val
.text:0041711F push eax ; Dst
.text:00417120 mov esi, ecx
.text:00417122 mov [esp+1124h+var_1008], 0
.text:0041712A call memset
.text:0041712F mov eax, dword_53B928
.text:00417134 add esp, 0Ch
.text:00417137 test eax, eax
.text:00417139 jz short loc_41714E
.text:0041713B push eax
.text:0041713C call RSA_free
.text:00417141 add esp, 4
.text:00417144 mov dword_53B928, 0
.text:0041714E
.text:0041714E loc_41714E: ; CODE XREF: sub_4170F0+49j
.text:0041714E test esi, esi
.text:00417150 jz loc_41720D (HERE IS A JUMP TO PUBLIC KEY)
.text:00417156 push offset Mode ; "r"
.text:0041715B push esi
.....
If I patch the whole function as shown in the previous post, it crashes... the problem is in the libmmlibs dll. It does not allow such patching; the other files are OK. Here are the lictest.exe and the above dll.
Can someone please help: what should be patched so that each PUBLIC key is accepted and hence, if I am not wrong, each vendor info?
Thanks in advance!
https://mega.co.nz/#!79Mj2ISb!1c5sFUyn7abiJTC9eum1LjeXEozW00od_eChn1E02CQ
P.S. In fact, the function suggested for patching, check_ signature, and all the others are located exactly in this .dll, at least for 2013-1, not in the lictest.exe. I used 2013-1 x64 as an initial test.