This repository has been archived by the owner on Dec 25, 2023. It is now read-only.
-
Notifications
You must be signed in to change notification settings - Fork 3
/
CodeWarrior complete FlexLM analysis.txt
154 lines (127 loc) · 7.35 KB
/
CodeWarrior complete FlexLM analysis.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
CodeWarrior for RealView Developer Suite (v2.2 FINAL)
Module: lmgr8c.dll
Version: FLEXlm v8.4a (Copyrighted 2003)
Vendor name: metrowks
License file: license.dat
CodeWarrior version: 5.5
FEATURE 1: Win32_CWIDE_Unlimited 5.5
Permanent licenses are like 1-jan-0
FEATURE name vendor version permanent uncounted code \
HOSTID=ANY
Functions to append in the (Known as dup group)
02D31564 00 00 00 00 56 45 4E 44 4F 52 5F 53 54 52 49 4E ....VENDOR_STRIN
02D31574 47 00 00 00 48 4F 53 54 49 44 00 00 44 55 50 5F G...HOSTID..DUP_
02D31584 47 52 4F 55 50 00 00 00 4F 56 45 52 44 52 41 46 GROUP...OVERDRAF
02D31594 54 00 00 00 76 65 6E 64 6F 72 5F 69 6E 66 6F 00 T...vendor_info.
02D315A4 75 73 65 72 5F 69 6E 66 6F 00 00 00 61 73 73 65 user_info...asse
02D315B4 74 5F 69 6E 66 6F 00 00 49 53 53 55 45 52 00 00 t_info..ISSUER..
02D315C4 4E 4F 54 49 43 45 00 00 63 6B 00 00 64 69 73 74 NOTICE..ck..dist
02D315D4 5F 69 6E 66 6F 00 00 00 43 4F 4D 50 4F 4E 45 4E _info...COMPONEN
02D315E4 54 53 00 00 53 4E 00 00 53 55 49 54 45 5F 44 55 TS..SN..SUITE_DU
02D315F4 50 5F 47 52 4F 55 50 00 4F 50 54 49 4F 4E 53 00 P_GROUP.OPTIONS.
02D31604 54 59 50 45 00 00 00 00 53 55 49 54 45 00 00 00 TYPE....SUITE...
02D31614 43 41 50 41 43 49 54 59 00 00 00 00 55 53 45 52 CAPACITY....USER
02D31624 5F 42 41 53 45 44 00 00 50 4C 41 54 46 4F 52 4D _BASED..PLATFORM
02D31634 53 00 00 00 48 4F 53 54 5F 42 41 53 45 44 00 00 S...HOST_BASED..
02D31644 4D 45 54 45 52 45 44 00 53 55 50 45 52 53 45 44 METERED.SUPERSED
02D31654 45 00 00 00 49 53 53 55 45 44 00 00 4C 49 4E 47 E...ISSUED..LING
02D31664 45 52 00 00 4D 49 4E 49 4D 55 4D 00 50 52 45 52 ER..MINIMUM.PRER
02D31674 45 51 00 00 53 54 41 52 54 00 00 00 73 6F 72 74 EQ..START...sort
02D31684 00 00 00 00 53 49 47 4E 00 00 00 00 42 4F 52 52 ....SIGN....BORR
02D31694 4F 57 00 00 46 4C 4F 41 54 5F 4F 4B 00 00 00 00 OW..FLOAT_OK....
02D316A4 53 55 49 54 45 5F 52 45 53 45 52 56 45 44 00 00 SUITE_RESERVED..
02D316B4 54 53 5F 4F 4B 00 00 00 77 5F 62 69 6E 61 72 79 TS_OK...w_binary
02D316C4 00 00 00 00 77 5F 61 72 67 76 00 00 77 5F 71 75 ....w_argv..w_qu
02D316D4 65 75 65 00 77 5F 74 65 72 6D 5F 73 69 67 6E 61 eue.w_term_signa
02D316E4 6C 00 00 00 57 5F 4C 49 43 5F 4C 4F 53 53 00 00 l...W_LIC_LOSS..
02D316F4 25 64 00 00 53 49 54 45 00 00 00 00 4E 4F 4E 45 %d..SITE....NONE
The "verification key" could be with the following length: 12,16,20 and can contain only number and letters
If the length is 20, then it's possible to extract the date
A mechanism with date 0 is automaticly filled up as 1-jan-1990 (l_asc_date)
Mystery on 0x2CA6573/000265C9
Note: after the date is generated, the system removes 1990 from the date, presumably to make 1990 as 0 (this only happens for date that are after 1990)
The system then, generated a presumably string to verify?
Arguments to the sprintf(buffer, "%02x%02x%-30s%03d%c%c%01d%01d%c%21.21s%08lx%08x", 64, 00, Feature, 0, 31, 30, 0, 1,31, 198dcc, da6001f10, 1)
Data of 198dcc
00198DCC 09 09 09 09 09 09 09 09 09 04 2E 04 09 09 09 09 ................
00198DDC 09 09 09 09 09 00 ......
Result in buffer:
030A2830 36 34 30 30 57 69 6E 33 32 5F 43 57 49 44 45 5F 6400Win32_CWIDE_
030A2840 4C 69 6D 69 74 65 64 20 20 20 20 20 20 20 20 20 Limited
030A2850 20 20 30 30 30 31 30 30 31 31 09 09 09 09 09 09 00010011......
030A2860 09 09 09 04 2E 04 09 09 09 09 09 09 09 09 09 64 ...............d
030A2870 61 36 30 31 66 31 30 30 30 30 30 30 30 30 31 00 a601f1000000001.
The system try to qsort this: (Where are this 4 digit came from??)
030A2B00 A0 28 0A 03 00 (....
The system loads everything from the file (function lc_init_file)
CodeWarrior for RVCP uses vendor5 (v8)
int type; /* Key type */
int (seed1)^(vendorkey5); /* seed 1 for Flexlm checksum */
int (seed2)^(vendorkey5); /* seed 2 for Flexlm checksum */
int vendorkey1; /* vendor key 1 */
int vendorkey2; /* vendor key 2 */
int vendorkey3; /* vendor key 3 */
int vendorkey4; /* vendor key 4 */
short flexlm_version; /* 08 00 */
short flexlm_revision; /* 04 00 */
Routine that sets the keys:
006E73AB . 31C0 XOR EAX,EAX
006E73AD . 8B3D 840ECA00 MOV EDI,DWORD PTR DS:[0xCA0E84]
006E73B3 . B9 9F000000 MOV ECX,0x9F
006E73B8 . F3:AB REP STOS DWORD PTR ES:[EDI]
006E73BA . A1 840ECA00 MOV EAX,DWORD PTR DS:[0xCA0E84]
006E73BF . 66:C700 0400 MOV WORD PTR DS:[EAX],0x4
006E73C4 . 8B3D 840ECA00 MOV EDI,DWORD PTR DS:[0xCA0E84]
006E73CA . C747 04 8160709B MOV DWORD PTR DS:[EDI+0x4],0x9B706081
006E73D1 . 8B15 840ECA00 MOV EDX,DWORD PTR DS:[0xCA0E84]
006E73D7 . C742 08 A0E6C801 MOV DWORD PTR DS:[EDX+0x8],0x1C8E6A0
006E73DE . 8B0D 840ECA00 MOV ECX,DWORD PTR DS:[0xCA0E84]
006E73E4 . C741 10 6E4EE0A8 MOV DWORD PTR DS:[ECX+0x10],0xA8E04E6E
006E73EB . A1 840ECA00 MOV EAX,DWORD PTR DS:[0xCA0E84]
006E73F0 . C740 0C B2B90543 MOV DWORD PTR DS:[EAX+0xC],0x4305B9B2
006E73F7 . 8B3D 840ECA00 MOV EDI,DWORD PTR DS:[0xCA0E84]
006E73FD . C747 18 7AFAD4DA MOV DWORD PTR DS:[EDI+0x18],0xDAD4FA7A
006E7404 . 8B15 840ECA00 MOV EDX,DWORD PTR DS:[0xCA0E84]
006E740A . C742 14 094DF3E1 MOV DWORD PTR DS:[EDX+0x14],0xE1F34D09
006E7411 . 8B0D 840ECA00 MOV ECX,DWORD PTR DS:[0xCA0E84]
006E7417 . 66:C741 1C 0800 MOV WORD PTR DS:[ECX+0x1C],0x8
006E741D . A1 840ECA00 MOV EAX,DWORD PTR DS:[0xCA0E84]
006E7422 . 66:C740 1E 0400 MOV WORD PTR DS:[EAX+0x1E],0x4
006E7428 . 8B3D 840ECA00 MOV EDI,DWORD PTR DS:[0xCA0E84]
006E742E . C647 20 00 MOV BYTE PTR DS:[EDI+0x20],0x0
006E7432 . 8B15 840ECA00 MOV EDX,DWORD PTR DS:[0xCA0E84]
006E7438 . C642 21 00 MOV BYTE PTR DS:[EDX+0x21],0x0
006E743C . 8B0D 840ECA00 MOV ECX,DWORD PTR DS:[0xCA0E84]
006E7442 . 83C1 22 ADD ECX,0x22
// Seed search?
#define VENDOR_CRYPTED_1 0x9B706081
#define VENDOR_CRYPTED_2 0x1C8E6A0
#define VENDOR_KEY1 0x4305B9B2
#define VENDOR_KEY2 0xA8E04E6E
#define VENDOR_KEY3 0xE1F34D09
#define VENDOR_KEY4 0xDAD4FA7A
Where is Vendor key 5?
Another interesting function:
sub_0032AC5 looks to do some kind of key generation
VENDORCODE5 *__cdecl cryptWithVendorName(char *vendor, VENDORCODE5 *code)
{
VENDORCODE5 *result; // eax
signed int i; // [esp+4h] [ebp-10h]
char _vendor[11]; // [esp+8h] [ebp-Ch]
memset(_vendor, 0, 0xBu);
strcpy(_vendor, vendor);
for ( i = 0; i < 4; ++i )
code->keys[i] = code->keys[i];
code->keys[0] ^= (_vendor[3] << 24) ^ (_vendor[2] << 16) ^ (_vendor[1] << 8) ^ _vendor[0] ^ 0x8BC0EF8;
code->keys[1] ^= (_vendor[4] << 24) ^ (_vendor[7] << 16) ^ (_vendor[5] << 8) ^ _vendor[2] ^ 0x8BC0EF8;
code->keys[2] ^= (_vendor[6] << 24) ^ (_vendor[1] << 16) ^ (_vendor[6] << 8) ^ _vendor[4] ^ 0x8BC0EF8;
result = code;
code->keys[3] ^= (_vendor[3] << 24) ^ (_vendor[2] << 16) ^ (_vendor[0] << 8) ^ _vendor[5] ^ 0x8BC0EF8;
return result;
}
char v4[16]; // [esp+4h] [ebp-10h]
char *code_4; // [esp+24h] [ebp+10h]
v3 = 0;
memset(v4, 0, 0x10u);
*(_DWORD *)&v4[4] = code->dword28;
*(_DWORD *)&v4[8] = code->dword2C