Post #8
Preparation:
1. Disassemble the vendor daemon program with w32dasm89.
Following the notes below, locate the address just before "FLEXwrap"
and the corresponding algorithm address, in preparation for setting breakpoints in the next step.
2. A fake but correctly formatted license; it must contain a SERVER line and a DAEMON (or VENDOR) line.
SERVER this_host ANY 2080
DAEMON vendor_name
FEATURE feature_name vendor_name 1.000 permanent uncounted 123456654321 \
HOSTID=ANY
3. Common tools:
calcseed.exe ---------- computes the seeds from job and data; this method is not required.
lmkg.exe (v4.x-11.x) -- computes the vendor keys, including CRO and TRL.
lmcryptgui.exe ------- generates an lmcryptxxxx.exe from the recovered seeds and vendor name;
equivalent to lmcrypt.exe in the FlexLM SDK, but does not work with ECC-enabled licenses.
FlexLM SDK ------------ edit lm_code.h with the computed seeds and vendor keys,
following the method laoqian posted.
softice --------------- used to load the vendor daemon program.
Getting started:
1. Start SoftICE and load the vendor daemon program vendor?.exe with Symbol Loader,
then start the server with lmtools; it will stop at the breakpoints set below. Then, .....
2. Find the marker code segment "FLEXwrap" and set a breakpoint.
Set a breakpoint at :004ABDDE push ecx, just before the first CALL xxxxxxx
that precedes "FLEXwrap"; it always stops there.
At this point you can also set a memory breakpoint bpm ds:ecx+2; ecx+2 is the memory address of the feature name.
:004ABDC3 8B4DF4 mov ecx, dword ptr [ebp-0C]
:004ABDC6 33D2 xor edx, edx
:004ABDC8 8A9118030000 mov dl, byte ptr [ecx+00000318]
:004ABDCE 83FA04 cmp edx, 00000004
:004ABDD1 0F8451010000 je 004ABF28
:004ABDD7 8B450C mov eax, dword ptr [ebp+0C]
:004ABDDA 50 push eax
:004ABDDB 8B4DF4 mov ecx, dword ptr [ebp-0C] ;
:004ABDDE 51 push ecx ;set breakpoint here, it always stops
:004ABDDF 8B15A83A5100 mov edx, dword ptr [00513AA8] ;
:004ABDE5 52 push edx ;bpm ds:ecx+2 is the feature name
:004ABDE6 E821190000 call 004AD70C ;
:004ABDEB 83C40C add esp, 0000000C
:004ABDEE 85C0 test eax, eax
:004ABDF0 0F8532010000 jne 004ABF28
* Possible StringData Ref from Data Obj ->"FLEXwrap"
|
:004ABDF6 6814FF4F00 push 004FFF14
:004ABDFB 8B4508 mov eax, dword ptr [ebp+08]
:004ABDFE 50 push eax
:004ABDFF E88A7DF6FF Call 00413B8E
:004ABE04 83C408 add esp, 00000008
:004ABE07 894594 mov dword ptr [ebp-6C], eax
:004ABE0A 837D9400 cmp dword ptr [ebp-6C], 00000000
:004ABE0E 7414 je 004ABE24
* Possible StringData Ref from Data Obj ->"SAMwrap"
|
:004ABE10 6820FF4F00 push 004FFF20
:004ABE15 8B4D08 mov ecx, dword ptr [ebp+08]
:004ABE18 51 push ecx
:004ABE19 E8707DF6FF Call 00413B8E
:004ABE1E 83C408 add esp, 00000008
:004ABE21 894594 mov dword ptr [ebp-6C], eax
:004ABE24 833DD8FD4F0000 cmp dword ptr [004FFDD8], 00000000
:004ABE2B 7409 je 004ABE36
:004ABE2D 833DDCFD4F0000 cmp dword ptr [004FFDDC], 00000000
3. Find the algorithm code: 83BD90FEFFFF08 is used by FlexLM v10.x and later,
83BD74FEFFFF08 by FlexLM v9.x and earlier.
Individual versions need to be verified by yourself; the pattern is 83BDxxFEFFFF08,
and it is always preceded by an add ecx, 00000001.
Set a breakpoint at address 004CB131. If it stops, you are done; the seeds can be found right below.
If it does not stop, please ask marstj for a specific solution.
4. Next, find the seeds:
(i) Set a breakpoint at address 004CB25A; seed1 is obtained directly in eax, no calculation needed.
(ii) Set a breakpoint at address 004CB422; seed2 is obtained directly in eax, no calculation needed.
5. Note that the parameter 3D4DA1D6 in the code is the default value that clears the seed.
:004CB367 mov dword ptr [ebp+FFFFFE70], 3D4DA1D6
Here seed1 can also be read directly: seed1 = [ebp+FFFFFE70]
:004CB52E mov dword ptr [ebp+FFFFFE6C], 3D4DA1D6
Here seed2 can also be read directly: seed2 = [ebp+FFFFFE6C]
=====================================================================
:004CB122 8B8D90FEFFFF mov ecx, dword ptr [ebp+FFFFFE90] ;signature code of the algorithm
:004CB128 83C101 add ecx, 00000001 ;83BDxxFEFFFF08
:004CB12B 898D90FEFFFF mov dword ptr [ebp+FFFFFE90], ecx ;note the preceding add ecx, 00000001
:004CB131 83BD90FEFFFF08 cmp dword ptr [ebp+FFFFFE90], 00000008 ;this is the key marker
:004CB138 7D2B jge 004CB165 ;
:004CB13A 8B55F4 mov edx, dword ptr [ebp-0C]
:004CB13D 039590FEFFFF add edx, dword ptr [ebp+FFFFFE90]
:004CB143 33C0 xor eax, eax
:004CB145 8A02 mov al, byte ptr [edx]
:004CB147 8B8D90FEFFFF mov ecx, dword ptr [ebp+FFFFFE90]
:004CB14D 33D2 xor edx, edx
:004CB14F 8A919CEE5000 mov dl, byte ptr [ecx+0050EE9C]
:004CB155 33C2 xor eax, edx
:004CB157 8B8D90FEFFFF mov ecx, dword ptr [ebp+FFFFFE90]
:004CB15D 88819CEE5000 mov byte ptr [ecx+0050EE9C], al ;
:004CB163 EBBD jmp 004CB122
:004CB165 83BD94FEFFFF00 cmp dword ptr [ebp+FFFFFE94], 00000000
:004CB16C 0F85D6040000 jne 004CB648
:004CB172 83BDA4FEFFFF00 cmp dword ptr [ebp+FFFFFEA4], 00000000
:004CB179 0F85BE030000 jne 004CB53D
:004CB17F 837DFC00 cmp dword ptr [ebp-04], 00000000
:004CB183 0F85B4030000 jne 004CB53D
:004CB189 6A01 push 00000001
:004CB18B 8B5508 mov edx, dword ptr [ebp+08]
:004CB18E 52 push edx
:004CB18F E8C916F7FF call 0043C85D
:004CB194 83C408 add esp, 00000008
:004CB197 85C0 test eax, eax
:004CB199 0F849E030000 je 004CB53D
:004CB19F C78574FEFFFF9CEE5000 mov dword ptr [ebp+FFFFFE74], 0050EE9C
:004CB1A9 8B4508 mov eax, dword ptr [ebp+08]
:004CB1AC 8B889C010000 mov ecx, dword ptr [eax+0000019C]
:004CB1B2 8B91E81C0000 mov edx, dword ptr [ecx+00001CE8]
:004CB1B8 8B45F8 mov eax, dword ptr [ebp-08]
:004CB1BB C1E004 shl eax, 04
:004CB1BE 8B8C05B0FEFFFF mov ecx, dword ptr [ebp+eax-00000150]
:004CB1C5 33C0 xor eax, eax
:004CB1C7 8A840A38050000 mov al, byte ptr [edx+ecx+00000538]
:004CB1CE 8B4D14 mov ecx, dword ptr [ebp+14]
:004CB1D1 8B5104 mov edx, dword ptr [ecx+04]
:004CB1D4 33D0 xor edx, eax
:004CB1D6 8B4508 mov eax, dword ptr [ebp+08]
:004CB1D9 8B889C010000 mov ecx, dword ptr [eax+0000019C]
:004CB1DF 8B81E81C0000 mov eax, dword ptr [ecx+00001CE8]
:004CB1E5 8B4DF8 mov ecx, dword ptr [ebp-08]
:004CB1E8 C1E104 shl ecx, 04
:004CB1EB 8B8C0DB4FEFFFF mov ecx, dword ptr [ebp+ecx-0000014C]
:004CB1F2 33DB xor ebx, ebx
:004CB1F4 8A9C0838050000 mov bl, byte ptr [eax+ecx+00000538]
:004CB1FB C1E308 shl ebx, 08
:004CB1FE 33D3 xor edx, ebx
:004CB200 8B4508 mov eax, dword ptr [ebp+08]
:004CB203 8B889C010000 mov ecx, dword ptr [eax+0000019C]
:004CB209 8B81E81C0000 mov eax, dword ptr [ecx+00001CE8]
:004CB20F 8B4DF8 mov ecx, dword ptr [ebp-08]
:004CB212 C1E104 shl ecx, 04
:004CB215 8B8C0DB8FEFFFF mov ecx, dword ptr [ebp+ecx-00000148]
:004CB21C 33DB xor ebx, ebx
:004CB21E 8A9C0838050000 mov bl, byte ptr [eax+ecx+00000538]
:004CB225 C1E310 shl ebx, 10
:004CB228 33D3 xor edx, ebx
:004CB22A 8B4508 mov eax, dword ptr [ebp+08]
:004CB22D 8B889C010000 mov ecx, dword ptr [eax+0000019C]
:004CB233 8B81E81C0000 mov eax, dword ptr [ecx+00001CE8]
:004CB239 8B4DF8 mov ecx, dword ptr [ebp-08]
:004CB23C C1E104 shl ecx, 04
:004CB23F 8B8C0DBCFEFFFF mov ecx, dword ptr [ebp+ecx-00000144]
:004CB246 33DB xor ebx, ebx
:004CB248 8A9C0838050000 mov bl, byte ptr [eax+ecx+00000538]
:004CB24F C1E318 shl ebx, 18
:004CB252 33D3 xor edx, ebx
:004CB254 52 push edx
:004CB255 E86D050000 call 004CB7C7 ;
:004CB25A 83C404 add esp, 00000004 ;seed1 = eax, seed1 obtained directly
:004CB25D 898570FEFFFF mov dword ptr [ebp+FFFFFE70], eax ;
:004CB263 8B9570FEFFFF mov edx, dword ptr [ebp+FFFFFE70]
:004CB269 81E2FF000000 and edx, 000000FF
:004CB26F 8B8574FEFFFF mov eax, dword ptr [ebp+FFFFFE74]
:004CB275 8A08 mov cl, byte ptr [eax]
:004CB277 32CA xor cl, dl
:004CB279 8B9574FEFFFF mov edx, dword ptr [ebp+FFFFFE74]
:004CB27F 880A mov byte ptr [edx], cl
:004CB281 8B8574FEFFFF mov eax, dword ptr [ebp+FFFFFE74]
:004CB287 83C001 add eax, 00000001
:004CB28A 898574FEFFFF mov dword ptr [ebp+FFFFFE74], eax
:004CB290 81BD70FEFFFFFF000000 cmp dword ptr [ebp+FFFFFE70], 000000FF
:004CB29A 7F0C jg 004CB2A8
:004CB29C 81BD70FEFFFF00FFFFFF cmp dword ptr [ebp+FFFFFE70], FFFFFF00
:004CB2A6 7D30 jge 004CB2D8
:004CB2A8 8B8D70FEFFFF mov ecx, dword ptr [ebp+FFFFFE70]
:004CB2AE C1F908 sar ecx, 08
:004CB2B1 81E1FF000000 and ecx, 000000FF
:004CB2B7 8B9574FEFFFF mov edx, dword ptr [ebp+FFFFFE74]
:004CB2BD 8A02 mov al, byte ptr [edx]
:004CB2BF 32C1 xor al, cl
:004CB2C1 8B8D74FEFFFF mov ecx, dword ptr [ebp+FFFFFE74]
:004CB2C7 8801 mov byte ptr [ecx], al
:004CB2C9 8B9574FEFFFF mov edx, dword ptr [ebp+FFFFFE74]
:004CB2CF 83C201 add edx, 00000001
:004CB2D2 899574FEFFFF mov dword ptr [ebp+FFFFFE74], edx
:004CB2D8 81BD70FEFFFF007D0000 cmp dword ptr [ebp+FFFFFE70], 00007D00
:004CB2E2 7F0C jg 004CB2F0
:004CB2E4 81BD70FEFFFF0083FFFF cmp dword ptr [ebp+FFFFFE70], FFFF8300
:004CB2EE 7D2F jge 004CB31F
:004CB2F0 8B8570FEFFFF mov eax, dword ptr [ebp+FFFFFE70]
:004CB2F6 C1F810 sar eax, 10
:004CB2F9 25FF000000 and eax, 000000FF
:004CB2FE 8B8D74FEFFFF mov ecx, dword ptr [ebp+FFFFFE74]
:004CB304 8A11 mov dl, byte ptr [ecx]
:004CB306 32D0 xor dl, al
:004CB308 8B8574FEFFFF mov eax, dword ptr [ebp+FFFFFE74]
:004CB30E 8810 mov byte ptr [eax], dl
:004CB310 8B8D74FEFFFF mov ecx, dword ptr [ebp+FFFFFE74]
:004CB316 83C101 add ecx, 00000001
:004CB319 898D74FEFFFF mov dword ptr [ebp+FFFFFE74], ecx
:004CB31F 81BD70FEFFFF0024F400 cmp dword ptr [ebp+FFFFFE70], 00F42400
:004CB329 7F0C jg 004CB337
:004CB32B 81BD70FEFFFF00DC0BFF cmp dword ptr [ebp+FFFFFE70], FF0BDC00
:004CB335 7D30 jge 004CB367
:004CB337 8B9570FEFFFF mov edx, dword ptr [ebp+FFFFFE70]
:004CB33D C1FA18 sar edx, 18
:004CB340 81E2FF000000 and edx, 000000FF
:004CB346 8B8574FEFFFF mov eax, dword ptr [ebp+FFFFFE74]
:004CB34C 8A08 mov cl, byte ptr [eax]
:004CB34E 32CA xor cl, dl
:004CB350 8B9574FEFFFF mov edx, dword ptr [ebp+FFFFFE74]
:004CB356 880A mov byte ptr [edx], cl
:004CB358 8B8574FEFFFF mov eax, dword ptr [ebp+FFFFFE74]
:004CB35E 83C001 add eax, 00000001 ;3D4DA1D6 is the default value that clears the seed
:004CB361 898574FEFFFF mov dword ptr [ebp+FFFFFE74], eax ;
:004CB367 C78570FEFFFFD6A14D3D mov dword ptr [ebp+FFFFFE70], 3D4DA1D6 ;seed1 = [ebp+FFFFFE70]
:004CB371 8B4D08 mov ecx, dword ptr [ebp+08] ;
:004CB374 8B919C010000 mov edx, dword ptr [ecx+0000019C] ;[ebp+xxxxxxxx] holds seed1
:004CB37A 8B82E81C0000 mov eax, dword ptr [edx+00001CE8]
:004CB380 8B4DF8 mov ecx, dword ptr [ebp-08]
:004CB383 C1E104 shl ecx, 04
:004CB386 8B940DB0FEFFFF mov edx, dword ptr [ebp+ecx-00000150]
:004CB38D 33C9 xor ecx, ecx
:004CB38F 8A8C1038050000 mov cl, byte ptr [eax+edx+00000538]
:004CB396 8B5514 mov edx, dword ptr [ebp+14]
:004CB399 8B4208 mov eax, dword ptr [edx+08]
:004CB39C 33C1 xor eax, ecx
:004CB39E 8B4D08 mov ecx, dword ptr [ebp+08]
:004CB3A1 8B919C010000 mov edx, dword ptr [ecx+0000019C]
:004CB3A7 8B8AE81C0000 mov ecx, dword ptr [edx+00001CE8]
:004CB3AD 8B55F8 mov edx, dword ptr [ebp-08]
:004CB3B0 C1E204 shl edx, 04
:004CB3B3 8B9415B4FEFFFF mov edx, dword ptr [ebp+edx-0000014C]
:004CB3BA 33DB xor ebx, ebx
:004CB3BC 8A9C1138050000 mov bl, byte ptr [ecx+edx+00000538]
:004CB3C3 C1E308 shl ebx, 08
:004CB3C6 33C3 xor eax, ebx
:004CB3C8 8B4D08 mov ecx, dword ptr [ebp+08]
:004CB3CB 8B919C010000 mov edx, dword ptr [ecx+0000019C]
:004CB3D1 8B8AE81C0000 mov ecx, dword ptr [edx+00001CE8]
:004CB3D7 8B55F8 mov edx, dword ptr [ebp-08]
:004CB3DA C1E204 shl edx, 04
:004CB3DD 8B9415B8FEFFFF mov edx, dword ptr [ebp+edx-00000148]
:004CB3E4 33DB xor ebx, ebx
:004CB3E6 8A9C1138050000 mov bl, byte ptr [ecx+edx+00000538]
:004CB3ED C1E310 shl ebx, 10
:004CB3F0 33C3 xor eax, ebx
:004CB3F2 8B4D08 mov ecx, dword ptr [ebp+08]
:004CB3F5 8B919C010000 mov edx, dword ptr [ecx+0000019C]
:004CB3FB 8B8AE81C0000 mov ecx, dword ptr [edx+00001CE8]
:004CB401 8B55F8 mov edx, dword ptr [ebp-08]
:004CB404 C1E204 shl edx, 04
:004CB407 8B9415BCFEFFFF mov edx, dword ptr [ebp+edx-00000144]
:004CB40E 33DB xor ebx, ebx
:004CB410 8A9C1138050000 mov bl, byte ptr [ecx+edx+00000538]
:004CB417 C1E318 shl ebx, 18
:004CB41A 33C3 xor eax, ebx
:004CB41C 50 push eax
:004CB41D E8A5030000 call 004CB7C7 ;
:004CB422 83C404 add esp, 00000004 ;seed2 = eax, seed2 obtained directly
:004CB425 89856CFEFFFF mov dword ptr [ebp+FFFFFE6C], eax ;
:004CB42B 8B856CFEFFFF mov eax, dword ptr [ebp+FFFFFE6C]
:004CB431 25FF000000 and eax, 000000FF
:004CB436 8B8D74FEFFFF mov ecx, dword ptr [ebp+FFFFFE74]
:004CB43C 8A11 mov dl, byte ptr [ecx]
:004CB43E 32D0 xor dl, al
:004CB440 8B8574FEFFFF mov eax, dword ptr [ebp+FFFFFE74]
:004CB446 8810 mov byte ptr [eax], dl
:004CB448 8B8D74FEFFFF mov ecx, dword ptr [ebp+FFFFFE74]
:004CB44E 83C101 add ecx, 00000001
:004CB451 898D74FEFFFF mov dword ptr [ebp+FFFFFE74], ecx
:004CB457 81BD6CFEFFFFFF000000 cmp dword ptr [ebp+FFFFFE6C], 000000FF
:004CB461 7F0C jg 004CB46F
:004CB463 81BD6CFEFFFF00FFFFFF cmp dword ptr [ebp+FFFFFE6C], FFFFFF00
:004CB46D 7D30 jge 004CB49F
:004CB46F 8B956CFEFFFF mov edx, dword ptr [ebp+FFFFFE6C]
:004CB475 C1FA08 sar edx, 08
:004CB478 81E2FF000000 and edx, 000000FF
:004CB47E 8B8574FEFFFF mov eax, dword ptr [ebp+FFFFFE74]
:004CB484 8A08 mov cl, byte ptr [eax]
:004CB486 32CA xor cl, dl
:004CB488 8B9574FEFFFF mov edx, dword ptr [ebp+FFFFFE74]
:004CB48E 880A mov byte ptr [edx], cl
:004CB490 8B8574FEFFFF mov eax, dword ptr [ebp+FFFFFE74]
:004CB496 83C001 add eax, 00000001
:004CB499 898574FEFFFF mov dword ptr [ebp+FFFFFE74], eax
:004CB49F 81BD6CFEFFFF007D0000 cmp dword ptr [ebp+FFFFFE6C], 00007D00
:004CB4A9 7F0C jg 004CB4B7
:004CB4AB 81BD6CFEFFFF0083FFFF cmp dword ptr [ebp+FFFFFE6C], FFFF8300
:004CB4B5 7D30 jge 004CB4E7
:004CB4B7 8B8D6CFEFFFF mov ecx, dword ptr [ebp+FFFFFE6C]
:004CB4BD C1F910 sar ecx, 10
:004CB4C0 81E1FF000000 and ecx, 000000FF
:004CB4C6 8B9574FEFFFF mov edx, dword ptr [ebp+FFFFFE74]
:004CB4CC 8A02 mov al, byte ptr [edx]
:004CB4CE 32C1 xor al, cl
:004CB4D0 8B8D74FEFFFF mov ecx, dword ptr [ebp+FFFFFE74]
:004CB4D6 8801 mov byte ptr [ecx], al
:004CB4D8 8B9574FEFFFF mov edx, dword ptr [ebp+FFFFFE74]
:004CB4DE 83C201 add edx, 00000001
:004CB4E1 899574FEFFFF mov dword ptr [ebp+FFFFFE74], edx
:004CB4E7 81BD6CFEFFFF0024F400 cmp dword ptr [ebp+FFFFFE6C], 00F42400
:004CB4F1 7F0C jg 004CB4FF
:004CB4F3 81BD6CFEFFFF00DC0BFF cmp dword ptr [ebp+FFFFFE6C], FF0BDC00
:004CB4FD 7D2F jge 004CB52E
:004CB4FF 8B856CFEFFFF mov eax, dword ptr [ebp+FFFFFE6C]
:004CB505 C1F818 sar eax, 18
:004CB508 25FF000000 and eax, 000000FF
:004CB50D 8B8D74FEFFFF mov ecx, dword ptr [ebp+FFFFFE74]
:004CB513 8A11 mov dl, byte ptr [ecx]
:004CB515 32D0 xor dl, al
:004CB517 8B8574FEFFFF mov eax, dword ptr [ebp+FFFFFE74]
:004CB51D 8810 mov byte ptr [eax], dl
:004CB51F 8B8D74FEFFFF mov ecx, dword ptr [ebp+FFFFFE74]
:004CB525 83C101 add ecx, 00000001 ;3D4DA1D6 is the default value that clears the seed
:004CB528 898D74FEFFFF mov dword ptr [ebp+FFFFFE74], ecx ;
:004CB52E C7856CFEFFFFD6A14D3D mov dword ptr [ebp+FFFFFE6C], 3D4DA1D6 ;seed2 = [ebp+FFFFFE6C]
:004CB538 E90B010000 jmp 004CB648 ;
:004CB53D C78568FEFFFF00000000 mov dword ptr [ebp+FFFFFE68], 00000000 ;[ebp+xxxxxxxx] holds seed2
:004CB547 EB0F jmp 004CB558
:004CB549 8B9568FEFFFF mov edx, dword ptr [ebp+FFFFFE68]
:004CB54F 83C201 add edx, 00000001
:004CB552 899568FEFFFF mov dword ptr [ebp+FFFFFE68], edx
:004CB558 83BD68FEFFFF08 cmp dword ptr [ebp+FFFFFE68], 00000008
:004CB55F 0F8DE3000000 jnl 004CB648
:004CB565 8B8568FEFFFF mov eax, dword ptr [ebp+FFFFFE68]
:004CB56B 2503000080 and eax, 80000003
:004CB570 7905 jns 004CB577
:004CB572 48 dec eax
:004CB573 83C8FC or eax, FFFFFFFC
:004CB576 40 inc eax
:004CB577 C1E003 shl eax, 03
:004CB57A 898564FEFFFF mov dword ptr [ebp+FFFFFE64], eax
..............
:004CB7AC 50 push eax
:004CB7AD E81D000000 call 004CB7CF
:004CB7B2 83C40C add esp, 0000000C
:004CB7B5 8985A0FEFFFF mov dword ptr [ebp+FFFFFEA0], eax
:004CB7BB 8B85A0FEFFFF mov eax, dword ptr [ebp+FFFFFEA0]
:004CB7C1 5E pop esi
:004CB7C2 5B pop ebx
:004CB7C3 8BE5 mov esp, ebp
:004CB7C5 5D pop ebp
:004CB7C6 C3 ret
=====================================================================