FLEXlm - (License Management for the commercial fools)

On February 7th 2005 Macrovision were once again successful in scaring my webhost into shutting down this page. This is now the 2nd time they have decided to exercise their legal teams (unlike most protectionists, who actually improve their software, heaven forbid!); the shutdown lasted about 2 weeks.
FLEXlm, or the 'flexible lies manager' depending upon your viewpoint. With so many versions out there you might well be wondering which one you might be reversing today, or how any developer could possibly put their trust in this system. All of what I write below still applies to the current versions (v9.x); quotes are taken from Macrovision (all copyrights reserved etc, etc) since they've tried before to close me down.

*NEW from scorpie* : Generate your own SentinelLM installation serial numbers.
*NEW from Sp0Raw August 2007* : FLEXlm VENDORCODE's list.

*NEW August 2006*

I have made available now the source code to Nolan Blender's Lmkg. This will allow you to generate your own vendor keys and CRO keys for any given vendor name up to v9 behaviour; a trivial addition to the code will also allow generation of v10 compatible keys, download it here now (141k). As an additional bonus here is a FLEXlm v10.0 vendor key generator courtesy of tom324 (18k).

*NEW* FLEXlm Vendor Key Generator 3.0 (generates v4-v11 compatible keys, 94k).

Hey! FLEXlm aficionados, have you read my latest paper on FLEXlm v8.x & v9.x? If not, read it here now (new in 2004!), and here's a quick tip for quickly recovering the seeds!

"The default value to clean the seeds variable is 3D4DA1D6h. A lot of vendors are lazy or foolish and don't change this default value. So, a very easy way is just to search for the pattern 3D4DA1D6h in the disassembled code. You'll get a lot of code like this : mov [ebp-xxxx], 3D4DA1D6h. Just break on every instance containing this value and ....... run. If the program is checking the license, write down the value in [ebp-xxxx] when the first breakpoint is reached. It's your seed1 (not XORed with key5, it's the original seed1). The second breakpoint you get, it's seed2. And trace a little back to the function entry, the keys (1~4) are in the parameters. Anyway, this method won't work for every case, but for a beginner, it's easy to learn. ;-)"

FLEXlm 'speak'

"best-of-breed encryption technology" - Around v8.1 Macrovision finally managed to implement a product secure from license generators (after buying in the services of Certicom). A glorious history of well appreciated security concepts such as 'xor encryption', 'hiding keys with random data', 'security by obscurity' & 'weak random number generation' has finally been cast aside. Dare I say, try hard enough and eventually you'll get it right? The advent of good encryption has now made most targets safe from license generators; the trouble is, trivial patches are still able to defeat FLEXlm.

"Using Macrovision Consulting Services to implement the optimal licensing solution for your business." - Since these guys can't even secure their own flagship product, I wouldn't let them near anything I was serious about protecting.

I encourage all potential buyers of FLEXlm to read Macrovision's page and then flick back here to my page; if you can believe anything that Macrovision says afterwards then please go ahead and use FLEXlm for your product. In fact Macrovision has something of a glorious history in software protection: their own Safecast and CD technologies have been cracked for years as well.

GlobeTrotter (http://www.globetrotter.com), now purchased by Macrovision (or should that be Microvision ;-) ).

"FLEXlm is the most popular license manager used in the software industry. FLEXlm is best known for its ability to allow software licenses to be available (or float) anywhere on a network, instead of being tied to specific machines. Floating licensing benefits both users and license administrators. Users can make more efficient use of fewer licenses by sharing them on the network. License administrators can control who uses the licensed application, and the node(s) where the licenses will be available". Or should I say it used to be the most popular...

FLEXlm license sniffing (courtesy of Skullcoder), v7.2 snippets of information, FLEXlm Piracy Concerns (EDA developers beware), FLEXlm seeds , SentinelLM / ElanLM Section

Many of my readers familiar with high end or specialist applications will already know FLEXlm well; in certain markets GlobeTrotter have really started to establish themselves on the Windows platform. As there is now sufficient material I have sub-classed FLEXlm into its own section. I do advise you to read the FLEXlm manuals very carefully as well as downloading the SDK's and tools available below.

FLEXGen

Released by RBS, BlastSoft's FLEXGen exploits many of the early holes identified in the FLEXlm dll's. FLEXGen is unlikely to be supported in the future due to BlastSoft's retirement from the scene. The FLEXGen link has been restored (by popular demand) and now includes the full source code (please don't abuse this ;-) ).

FLEXGen (total size approx 3.12Mb's).

FLEXlm SDK + Utilities

Below you'll find decryption keys for older SDK's and many of the latest versions. You might like to download the following FLEXlm tools (166k) :-

Nolan Blender's lmvkey5 v1.0 & lmrecode.
prs's FLEXlm Key 5 Generator.
UCF's FlexSeedGen v0.3.

Still confused? Then read my tutorial for SDS /2 below (it describes very basic FLEXlm operation). These old modified FLEXlm dll's are courtesy of ZiGo; his page has long since been removed from the web, so they remain here now purely for historical reference (100k).

GlobeTrotter have removed the SDK from most of the web and their public FTP because of security concerns (only 3 months after RBS released BlastSoft's FlexGen which used holes in the dll's). Interestingly GlobeTrotter's only real response to this has been to blacklist ISSUER=BlastSoft by name (clearly visible in disassembly listings of the latest dll's), albeit there are also some algorithmic enhancements and hiding of the keys.

SDK's (September 2003)

Due to bandwidth constraints and also my desire to encourage the community to contribute to my site, the FLEXlm SDK downloads have been removed and are now only available to those granted access to the other side. Here is a list of the versions currently available (thanks to sporaw for correcting some of my version inaccuracies).

FLEXlm SDK SUN version.

FLEXlm v5.0b, v5.0e Update, v5.12, v6.0k, v6.1g, v7.0a, v7.0b, v7.0d, v7.0e, v7.0f, v7.0g, v7.1b, v7.1c, v7.1d, v7.1e, v7.1f, v7.2a, v7.2c, v7.2d, v7.2e, v7.2f, v7.2g, v7.2h, v7.2i, v8.0b, v8.0c, v8.0d, v8.1a, v8.1b, v8.3b, v8.4a, v8.4b, v9.0, v9.2d Source Code, v9.2.2, v9.2i (total 37 SDK's).

FLEXlm v8.1 ECC Patcher - patches return value of _l_pubkey_verify().
FLEXlm v8.x lmv8gen - generate vendor keys for v8.x+ of FLEXlm (17k).
FLEXlm system ID changer for IRIX 6.5 (courtesy of WellMoon) (2k).

I'm sorry to say that although I possess several Linux SDK's they will not ever be placed here; that's just the way it is I'm afraid.

License Keys (as required)

v5.12 - 5537-2182-6912-6163-32.
v6.0 - 7445-5305-5517-4801-06 or 2143-0909-0581-5196-06 (v6.0k).
v6.1g - 7334-3535-3425-7783-1261-6354-07 or 7461-5321-5517-4305-07.
v7.0a/b - 1631-3020-1109-7436-47.

FLEXlm license sniffing

This is the core of a very rough yet interesting text I received from Skullcoder.

Hello CrackZ, I have had a lot of pleasant hours playing with VirtuoZo software license creation and had no success with license generation at all using standard methods of seed & vendor code recovery. I already have good practice with FLEXlm deprotection but the VirtuoZo implementation made me really stuck. Once I visited your website and read a really interesting issue by Acme about "alternative license generation" for FLEXlm 5.1. You may know this issue doesn't work for v6.1 and future versions but, inspired by this, I have discovered how a license can be created in a similar way.

I'll describe the method in a few words and probably you'll bring my ideas to more people interested in FLEXlm 6.1/7.0 license keys for 1-3 features without Genlic32 or Flexgen but just with SoftICE. The software has just v6.1 FLEXlm code implemented into about 30 executables with nothing special. I've turned on FLEXlm diagnostics inside the registry and discovered the feature name and version. The vendor name was easy to find too. Next I played a lot with seeds and vendor code before discovering a really interesting part of code (address .4712F0). "It really looks like license creation", so I continued with tracing this part of code. The next part appears really cool (address .471538) because it looks like the usual text-with-binary comparison!

Voila! At address .4715EC you can see the best part of all FLEXlm code -- the comparison of the license number from license.dat with the generated number. That's all. You can have it directly by typing :D DS:71E1B8 or by passing all JNE 471613 with the zero flag set and waiting while FLEXlm converts this binary to a text string at .471609! Another interesting thing has been revealed. This procedure has been called twice, so not only one valid license number can be generated but some more :-).

.004712CF: push esi
.004712D0: call .0048EDA8 -------- (1)
.004712D5: add esp,00C ;""
.004712D8: jmps .004712DD -------- (2)
.004712DA: mov esi,[ebp][0000C]
.004712DD: mov d,[ebp][-0004],0 ;"
.004712E4: cmp d,[ebp][-0024],0 ;" "
.004712E8: jle .004714C9 -------- (3)
.004712EE: xor eax,eax
.004712F0: mov cl,[eax][esi] <-- Making license number
.004712F3: xor [eax][0071E1B8],cl
.004712F9: inc eax
.004712FA: cmp eax,8 ;""
.004712FD: jl .004712F0 -------- (4)
.004712FF: cmp d,[ebp][-0004],000 ;" "
.00471303: jne .004714AA -------- (5)
.00471309: mov ecx,[ebp][00008]
.0047130C: cmp d,[ecx][00000020C],000 ;" "
.00471313: jne .00471454 -------- (6)

Continuing the code :-

.00471521: mov d,[ebp][-0008],000000008 ;"
.00471528: cmp d,[ebp][00018],066D8B337 ;
.0047152F: jne .00471538 -------- (1)
.00471531: mov d,[ebp][-0008],000000006 ;"
.00471538: xor esi,esi <-- Starting to compare.
.0047153A: cmp [ebp][-0008],esi
.0047153D: jle .00471601 -------- (2)
.00471543: lea edi,[ebp][-0020]
.00471546: mov bl,[edi]
.00471548: call __p___mb_cur_max ;MSVCRTD.dll
.0047154E: cmp d,[eax],001 ;""
.00471551: jle .00471564 -------- (3)
.00471553: movsx eax,bl
.00471556: push 004
.00471558: push eax
.00471559: call _isctype ;MSVCRTD.dll

.004715D6: je .004715EC -------- (1)
.004715D8: movzx eax,bl
.004715DB: push eax
.004715DC: lea edx,[esi][00071E1B8]
.004715E2: push esi
.004715E3: push edx
.004715E4: push d,[ebp][00008]
.004715E7: call ecx
.004715E9: add esp,010 ;""
.004715EC: cmp [esi][00071E1B8],bl <- Guess what?
.004715F2: jne .00471613 -------- (2)
.004715F4: add edi,002 ;""
.004715F7: inc esi
.004715F8: cmp [ebp][-0008],esi
.004715FB: jg .00471546 -------- (3)
.00471601: push d,[ebp][00018] <-- Converting number to string for us
.00471604: push 0071E1B8 ;" qá¸"
.00471609: call .004716AC -------- (4)
.0047160E: add esp,008 ;""
.00471611: jmps .00471615 -------- (5)

Needless to say, you should be able to find something useful amongst this snippet to search for with your hex editor.

v7.2 Snippets

Preliminary comments on v7.2x of FLEXlm from 2 separate individuals.

"v7.2 has several changes : (a) 4 vendor seeds; (b) CRO keys. I tried to make a daemon with specific seeds and keys, and compile a new demo.exe and lmcrypt.exe. However, the license generated from lmcrypt cannot be accepted by demo.exe. I think the major problem is that seed3 and seed4 are assigned by myself".

"Unfortunately the seeds are not stored in the daemon. The ECC specific seeds 3 and 4 are used to make the public and private keys. The daemon and/or the application reads the SIGN= from the license file and only validates the signature, not the actual key. The private key used to do the signing is only compiled into the lmcrypt binary. Retrieving seeds 3 and 4 will first be an exercise in factoring the ECC, then once the private key is determined, you must reverse how the private key is generated from the seeds. Good luck with this."

So at this early stage it looks very much like we are back to patching ;-).

Document Title Description Date
Ansoft Serenade v8.5/v8.7 FLEXlm license generating with some help from FLAIR. 30/12/01
Crypt Filters Describing how crypt filters are implemented and cracked using standard tools, courtesy of Nolan Blender. 21/11/00
ECC FLEXlm Discussion of an early vulnerability in the FLEXlm ECC add-on. Dec 2001
"How to crack a PC-based license manager" FLEXcrypt & FLEXlm cracking by pilgrim (2 essays integrated). 30/10/98 & 07/01/99
"FlexLock ...less secure than the rest of FLEXlm" FlexLock cracking, third essay courtesy of pilgrim. June 1999
IMSL & ANSYS External FLEXlm reversing: "On software reverse engineering (IMSL)" (April 7, 2004) and "Advanced study on FlexLM system (ANSYS)" (June 23, 2004). April/June 2004
Information hiding methods used by FLEXlm targets Describes how newer versions of FLEXlm hide the important seed codes. By FLEXlm specialist Nolan Blender. October 1999
lc_new_job() FLEXlm v6.1 by dan Great essay describing the obfuscating methods used by GlobeTrotter to at least make reversers work to recover the keys. September 1999
Reversing GlobeTrotter's FLEXcrypt Key extraction and encryption algorithm reversing. By Nolan Blender. 17/09/99 
SDS2 v6.112 Simple example demonstrating how to generate FLEXlm licenses. 28/08/99
Siul+Hacky's FLEXlm Linux Cracking A very good document describing Linux debugging / disassembling and FLEXlm weaknesses (the precursor to the floodgates). July 1999
UGFLEX - modified FLEXlm by Unigraphics Macilaci's first foray inside Unigraphics. 15/11/99
UGFLEX2 - let UGFLEX generate the keys for you Macilaci's second Unigraphics tutorial, this time to generate the correct keys. 16/11/99
Using FLEXlm Internal Diagnostics Using FLEXlm Internal Diagnostics to reveal ALL courtesy of Acme. Jul. 1999
Vendor Defined Encryption (locating and reversing) Protection customisation for developers, courtesy of Amante4. 08/01/00
Zendenc More FLEXlm tips from Nolan Blender. June 2001

FLEXlm Crypt Filters & Other Questions

Most of this is reworked from posts I saw at Fravia's Message Board (it may however be useful even if the questions are target related) :-

Q1. I have read almost all the essays I could get my hands on and the API, header files, observed lc_set_attr etc, etc. Yet I still can't seem to generate correct codes with the keys/seeds I extract. The target is Pixar Renderman; I found a copy and thought it would be fun to play around with. At any rate, I'm not positive that I have the correct vendor key 5, although from previous posts, I gather that the only thing used to make the keys is the seeds. Has this changed in Flex 6.1?

A1. Another poster has mentioned that this product uses crypt filters. Although this makes it more difficult, it is still possible to keygen these as well. The key is to understand what the filter does. If you have the 6.1 FLEXlm SDK, start by examining what happens when you use the -filter_gen argument to lmrand1.exe. One approach may be to write your own program which incorporates the crypt filters, then examine what goes in/out of the filter subroutines.

Q2. How can I find more features in a program which was encrypted by FLEXlm, such as Cadence Specctra? I have looked through all .exe and .dll files, but I can't find similar features. In other programs which were integrated with lmgrxxx.dll, I also can't find more features. I can only find one feature prior to lc_checkout; where were the other features placed?

A2. You can often find the features by doing a search of the executable for the feature you know - often the other features are very close to it in the binary. One thing you can do is start up the cdslmd server and see if the program is trying to check out any specific features - attempts to check out unsupported features will show up in the log file. I've found that there's usually an attempt to check out a license before it bombs. A few programs call lc_get_config and then check the returned list for features.

Either way, you find out what it is trying to do. Try searching everything for _ALL to see if you can find anything. Tell me the version of FLEXlm that cdslmd uses, plus the first two bytes of ENCRYPTION_SEED1 and I may be able to help you more.

Q3. I used IDA in conjunction with SoftICE to get a nice map of a particular vendor daemon. Everything was going great; I loaded the *.nms with Symbol Loader. I set the following breakpoints - lc_init, l_sg, l_key, lc_checkout and a memory address close to l_sg (just for the hay of it). I wrote out a dummy license file and tried both node-locked and floating models with 0'ed out encryption strings. I then tried firing up my target on both accounts and nothing. SoftICE never broke.

I spent the next 20 or so minutes trying to figure out what was wrong. I restarted and stopped the license server and made sure the dat file syntax was correct. Just as an experiment I double clicked on the vendor daemon and SoftICE broke on all of the bpx except lc_checkout, and not the bpm. I got inside lc_init, then l_sg; inside l_sg was l_key. I searched around in there and I managed to find the major version in memory. I read some essays, and none of them could seem to help. I already have the vc's and es's for this target, but I would like to find them myself.

A3i. Most likely the FLEXlm libs are built into the target itself (you don't need a daemon running, the target application looks at the license directly). Try putting USE_SERVER in the license file after the SERVER and DAEMON lines.

Q4. I try to make a license with 20 characters, but I can't. I have the good seeds and vendor keys and have modified lsvendor.c: ls_a_lkey_long=1 & ls_a_lkey_start_date=1, but my license has 16 characters.

A4. lsvendor.c is only for building the daemon - try building lmcrypt, then use lmcrypt -verfmt 5 -longkey license.dat and see what happens.

Q5. I have utilized Amante4's essay (vendor-defined encryption / lc_set_attr $0f) to obtain valid license keys for my target. However, when I use the same method (that is, BP the exit points of the vendor-defined encryption routine) to get the keys for the next release of the target, I realize that the routine is not called at all. I assumed that it could be due to the target calling lc_set_attr to indicate a vendor-defined checkout filter. However, my disassembly didn't show a push 0000002D (if I remember correctly ;-) prior to calling lc_set_attr.

In addition, my target seems to call lc_set_attr(b) = 11 = LM_A_NORMAL_HOSTID which is undocumented. I don't like to patch lc_checkout to return a 0 always; my target detects that and though it runs initially, it is not very functional. May I kindly request some assistance in this matter? Have you ever come across such a situation?

A5. I recently worked on an application where I knew I had the right keys and seed, but could not get them to work. My target had checkout filters. I found that the vendor was doing something in the daemon itself. There are two daemons the lmgrd and a vendor daemon. So basically all I did was compile the vendor daemon and replace it with mine ... it worked.

Q6. I have a demo license for software protected by FLEXlm v6.1. I saw something unusual in the feature names: this particular software used special characters like $, /, \ in the feature name, as shown below :-

FEATURE my$feature .....
FEATURE my/feature .....

I was able to extract the vendor seeds and generate licenses for features which did not contain the special characters, but when I tried for my$feature, I got an error message saying that special characters are not allowed in the feature name. Can anyone let me know how to generate a license with special characters in the feature name?

A6. I think that it may still generate correct keys even though it gives you a warning - try -verfmt 4 to lmcrypt maybe. I can't remember if that does it or not, but some Sun stuff does this.

...& yet more FLEXlm Snippets...

"One alternative method of custom encryption of the FLEXlm seeds (that does not use the lm_set_attrib() function to set either user encryption or user filter) is implemented by rsinc. IDL http://www.rsinc.com uses custom encryption of all the vendor information. All the license checkouts including the FLEXlm routines are located in idl32.dll. There is a routine that generates the VENDORCODE structure and the VendorID string prior to calling lc_init. It also sets a flag in the LM_HANDLE->CONFIG structure for alternate generation of the VENDORCODE seeds (look at the l_sg, l_n36_buff call in lmgr326b.lib).

Upon the first call to l_sg from lc_init, a standard (l_key) routine is called to generate the crypt keys. On the second l_sg call (from lm_checkout for instance), alternate crypt seeds are generated in a custom l_n36_buff routine, and naturally FLEXlm generates the wrong key message (-8)".

"Mentor Graphics - The daemon's name is mgcld. They check the vendor string using a proprietary checksum algorithm. If you get the message "FATAL CS ERROR" it's because you don't have the checksum correct. It's not all that tough a protection - basically certain information such as the start date, number of licenses, expiry, and feature name are combined. This is run through a checksum routine, and the value compared against the one supplied in the vendor_string".

Specific Targets (to be extended)

Cossap (simulation program from Synopsys) on HPUX 10.20. Older Synopsys products use vendor defined encryption, so simply getting the seeds is insufficient to generate valid licenses. You will have to firstly generate a license file containing a set of licenses without the vendor defined encryption, then set a breakpoint at the vendor defined encryption routine (this is easy to find, since lc_set_attr is used to force FLEXlm to use this routine), then look at the return values from that routine. There will be multiple calls to the routine, about 3 for every feature. Later products use SCL (Synopsys Common Licensing) which has a different vendor name, and uses user crypt filters instead.

My target is Synplify, which uses FLEXlm v6.1 linked statically. After reading Dan's essay I tried to find out the vendor codes / seeds his way, but in my target the "vector call" never occurs. In _l_sg it always uses the standard ^key5 method. It seems like my target calls lc_init, not lc_new_job. So I tried the usual ways to get the seeds, generated a license file and... nope. My target contains a vendor checkout procedure, but a bpx there never breaks - maybe some earlier test leads to -8? My question is : does the FLEXlm v6.1 library obfuscate keys in any way if the client simply calls lc_init, not lc_new_job?

Think this one needs a special vendor defined hostid - also there was something that had to be in the vendor string. It's now solved; it actually was the problem with the vendor-defined hostid. I simply didn't know that I needed to include the vendor-defined hostid functions in my key generator; I thought (how stupid I was) that it's needed only by the client side. I've included a function from the examples modified to return label = 'SKEY' and type=1003. The actual value returned doesn't matter and voila! My key generator works.

'SKEY' type=1003 is used for evaluation licenses (thus length SKEY = %.8X) and type=1001 for dongle based licenses (thus length SKEY = %.4X).

FLEXlm Piracy Concerns

Just an interesting publicity snippet (this refers to a very well known message board in the east ;-) ).

SAN JOSE, Calif. — An online EDA discussion group is circulating tips on how to get free software by illegally cracking FLEXlm license managers, EE Times has learned. The group has come to the attention of EDA activist John Cooley, who says he'll reactivate his "Stealthnet" mailing list to warn EDA vendors about the potential thefts.

FLEXlm, from Globetrotter Software, is used by nearly all EDA vendors to manage a variety of licensing schemes. Although it's not positioned as a security system, many vendors rely on FLEXlm to protect their software from piracy. But FLEXlm has been attacked by hackers in the past, prompting Cooley to launch Stealthnet in 1999, a private mailing list for EDA vendor representatives to share information about hacking activity.

The latest attacks come from a discussion group that Cooley has declined to publicly identify, on the grounds that anyone who finds it will have immediate access to a lot of illegal software. Numerous postings, some confirmed by EE Times, share tips on how to crack FLEXlm or point to Web sites containing code for breaking licenses on specific EDA products.

"Basically, these guys are doing things like downloading evaluation copies of [Model Technology] ModelSim and cracking licenses," Cooley said. "They have no intention of buying it." While some participants in the discussion group are apparently from China — where software theft is rampant — others appear to be from established U.S. or European companies like AMD and Infineon, Cooley noted.

One individual, using an anonymous Yahoo address, boasted of hacking FLEXlm licenses on products from Altera, Novas, Exemplar, Agilent EEsof, Innoveda, Synopsys and Avanti, among others. This individual offered to help readers crack licenses for other tools as well. "So if you have tools that are not listed above or newer releases, I am very glad to check them for you," wrote this helpful individual. "The purpose of me [sic] is to find a robust way for FLEXlm cracking."

Cooley, moderator of the E-Mail Synopsys User's Group (ESNUG), said he could understand why an EDA user might want to temporarily bypass a FLEXlm license. "But when the purpose is to steal the software and never pay the EDA vendor, that's problematic," he said. "I lose in the long run because they [EDA vendors] don't develop better software." Rich Mirabella, vice president of marketing at Globetrotter Software, said he wasn't aware of any new attacks on FLEXlm. But, he acknowledged, they've happened "on and off for over five years."

Mirabella emphasized that FLEXlm is positioned as a licensing manager, not a security system. "The business purpose is to allow software vendors to offer licensing models that match how people use their products," he said. "The security is there to keep honest people honest. In every release we do things to increase the security, but it's like an arms race — we do stuff, the hackers do stuff."

Mirabella said that Globetrotter has participated in several criminal prosecutions of people who have hacked FLEXlm and has helped shut down hacker Web sites in the U.S. and abroad. But the actual party injured is the software vendor, he noted; Globetrotter assists in prosecutions but is not the plaintiff in these cases. United States copyright laws, Mirabella said, provide penalties of up to five years in prison and $500,000 fines for hacking products such as FLEXlm. But people outside the U.S. are subject to the laws of the host country, he noted.

Mirabella downplayed the role of FLEXlm hacking on EDA revenues. "I'm sure it does happen on occasion, but in the high end you wouldn't see it much," he said. "The kinds of companies that use those products wouldn't engage in these kinds of practices." Some hacking does take place, he said, with "low end" products such as pc-board layout tools, which might be used by small, struggling companies.

Much more revenue loss, he said, comes from honest companies who lack the means to keep track of licenses in networked environments. When Cooley launched Stealthnet in 1999, Globetrotter was critical. Matt Christiano, Globetrotter's chief executive, wrote an angry letter to ESNUG stating that Cooley's efforts could encourage hackers and cause EDA vendors to seriously inconvenience users.

But some EDA vendor representatives lauded Cooley's efforts. "I want to thank you on behalf of the EDA industry for your handling of the situation and condemning of these hackers," wrote Rob Genco, director of software operations at Synopsys. Mirabella scoffed at Cooley's intent to relaunch Stealthnet. "If issues arise, users and software vendors should come to us directly," Mirabella said. "I don't see any value added that John Cooley brings to the situation. It's not clear what his agenda is."

Cooley responded that Globetrotter is trying to avoid any public discussion of potential problems with FLEXlm. He didn't contact Globetrotter about the EDA discussion group, he said, because of the company's negative reaction last time. Cooley will announce the relaunch of Stealthnet, open only to confirmed EDA vendor representatives, in an upcoming ESNUG bulletin. Previous bulletins, including several past discussions of FLEXlm hacking, are archived at the EDTN DeepChip Web site.

See reversers ;-), by exposing these snake oil salespeople you might 'seriously inconvenience users' by forcing developers to learn a little about protections cracking, god forbid.....

Seeds

On the other side I am currently in the process of building and maintaining a FLEXlm vendor & seed database; after some consideration (from several e-mails I might add ;-) ) I have decided to make this list private, since with these just about anyone can generate licenses.

SentinelLM / ElanLM

Generating your own SLM installation serial number couldn't be easier, with these instructions by scorpie.

Assuming desired Vendor ID = 0x1ABC.

1. Form the hexadecimal number 1ABC1ABC (the Vendor ID repeated).
2. Find the binary equivalent of the above number: 0001 1010 1011 1100 0001 1010 1011 1100
3. Split the bits above into groups of two: 00 01 10 10 10 11 11 00 00 01 10 10 10 11 11 00
4. Map each 2-bit group with the rule: 00 --> 01, 01 --> 11, 10 --> 00, 11 --> 10.
5. Point 3 then becomes: 01 11 00 00 00 10 10 01 01 11 00 00 00 10 10 01
6. Convert point 5 back to hex: 70297029
7. Shift point 6 right by 1Dh (29) positions: T1 = 00000003
8. Shift point 6 left by 3 positions (keeping 32 bits): T2 = 814B8148
9. Find T1 OR T2 = 814B814B
10. From point 1 and point 9 form 4B81BC1A (i.e. the bytes of 1ABC814B, the low 16 bits of each, in reverse order).
11. Repeat points 2 -- 6 for the hex number 4B81BC1A, and we get: D2172970
12. Repeat point 7 on the result of point 11: S1 = 00000006
13. Repeat point 8 on the result of point 11: S2 = 90B94B80
14. Find S1 OR S2 = 90B94B86
15. The serial number for Vendor ID=1ABC is 864BB990 (point 14 with the byte order reversed) = 2253109648 in decimal.
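The fifteen steps above carried through in Python, as an added example (not scorpie's tool or any code from the page; the function names are mine). It makes the structural point plain: every step is a fixed substitution, rotation or byte swap of the public Vendor ID, so the serial holds no secret and a check against it proves nothing about who produced it.

```python
# Added example: scorpie's 15-step SentinelLM installation serial derivation.
# Not code from the page or the SDK; function names are my own.
MASK32 = 0xFFFFFFFF

# Step 4: the fixed substitution applied to every 2-bit group.
PAIR_MAP = {0b00: 0b01, 0b01: 0b11, 0b10: 0b00, 0b11: 0b10}


def map_pairs(value: int) -> int:
    """Steps 2-6: substitute each of the sixteen 2-bit groups of a 32-bit value."""
    out = 0
    for i in range(16):
        shift = 30 - 2 * i                       # most significant pair first
        out |= PAIR_MAP[(value >> shift) & 0b11] << shift
    return out


def rol32(value: int, n: int) -> int:
    """Steps 7-9: (value >> (32-n)) OR (value << n, kept to 32 bits).
    Together those are simply a 32-bit rotate left by n."""
    return ((value << n) & MASK32) | (value >> (32 - n))


def bswap32(value: int) -> int:
    """Steps 10 and 15: reverse the byte order of a 32-bit value."""
    return int.from_bytes(value.to_bytes(4, "big"), "little")


def slm_serial_steps(vendor_id: int) -> dict:
    """Return the intermediate values, keyed by the point numbers used above."""
    if not 0 <= vendor_id <= 0xFFFF:
        raise ValueError("Vendor ID must fit in 16 bits")
    s = {}
    s["step1"] = (vendor_id << 16) | vendor_id                        # 1ABC1ABC
    s["step6"] = map_pairs(s["step1"])                                 # 70297029
    s["step9"] = rol32(s["step6"], 3)                                  # 814B814B
    s["step10"] = bswap32((vendor_id << 16) | (s["step9"] & 0xFFFF))  # 4B81BC1A
    s["step11"] = map_pairs(s["step10"])                               # D2172970
    s["step14"] = rol32(s["step11"], 3)                                # 90B94B86
    s["step15"] = bswap32(s["step14"])                                 # 864BB990
    return s


def slm_serial(vendor_id: int) -> int:
    """Installation serial number (as an integer) for a 16-bit Vendor ID."""
    return slm_serial_steps(vendor_id)["step15"]


if __name__ == "__main__":
    for step, value in slm_serial_steps(0x1ABC).items():
        print(f"{step:>6}: {value:08X}")
    print("serial:", slm_serial(0x1ABC))      # 2253109648 for Vendor ID 1ABC
```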

SentinelLM v7.2 information (courtesy of myself) - A good indication of the version of SentinelLM being used is the actual file version info from the file lsapiw32.dll e.g. 7.2.0.0 = v7.2.

SentinelLM v7.3 information - this courtesy of FoxB (applicable to patching WlscGen.exe).

"Query/Response length is 0x10, algo cells are 0x0C, 0x20, 0x28, 0x2C. The table emulation passed - all response place in WlscGen.exe. Cell 0x0F = 0x800".

SentinelLM SDK v7.1, v7.2, v7.3 & Sentinel RMS v8.0 (regrettably, as with the FLEXlm SDK's, this download is now on the other side). Or check here.

ElanLM API Guide :- (138k).
SentinelLM Remover :- A tool that claims to generically remove SentinelLM (237k), I'd be pretty interested to know which SentinelLM targets this has been tested with because it doesn't seem to recognise SentinelLM at all.
SentinelLM v7.1 Programmer's Reference Manual :- (692k).
SentinelLM v8.0.2 Developer's Guide :- (1.5Mb's).
SentinelLM v8.0.2 Programmer's Reference Manual :- (1.3Mb's).
SentinelLM [8.0.x /7.x.x] license decode utility, v1.01 public (c)2007 by souz :- Utility to decode SentinelLM license information (241k).
SentinelLM Signatures for IDA :- Courtesy of Nolan Blender (40k).
SentinelLM Toolkit :- Includes a SDK serial number generator and vendor array generator, courtesy of me & moZfet (CROSSFiRE) (632k).
SentinelLM Vendor ID to Serial Number :- Type in your desired Vendor ID and this little tool will give you the SentinelLM installation serial number (619k).
Wlscgen Patch for SentinelLM SDK v7.1 :- Remove the dongle for Wlscgen (17k).

Document Title Description Date
Code Archaeology with ElanLM Reviving functions from the past, courtesy of pilgrim. Jan 2001
Delphi v5.0 Trial Cracking the SentinelLM Delphi v5.0 Trial, courtesy of CyberHeg. 22/11/00
MrSID GEOSPATIAL ENCODER v1.4 Cracking the SentinelLM protected program MrSID GEOSPATIAL ENCODER v1.4 Desktop edition, courtesy of CyberHeg. 22/11/00
SentinelLM Cracking Removing need for dongle in SentinelLM Wlscgen.exe, courtesy of CyberHeg. 21/11/00
SentinelLM Installation Cracking Generating keys for SentinelLM, courtesy of Nolan Blender. 20/11/00
SentinelLM Investigation My own generic research paper into SentinelLM. September 2001
Wlscgen.exe For You Creating your own Wlscgen courtesy of Mayaputra. February 2006

A big thanks goes to CyberHeg & Nolan Blender for providing most of the content here.




© 1998-2007 CrackZ. 7th October 2007.