modified flexlm by UNIGRAPHICS -second part

by macilaci
Courtesy of Reverser's page of reverse engineering
slightly edited
by tsehp
There is a crack, a crack in everything That's how the light gets in
(X)Beginner (X)Intermediate ( )Advanced ( )Expert

Let work ugflex for you. UGFLEX will generate the feature keys for you!
modified flexlm by UNIGRAPHICS -second part
Written by macilaci

          If you are familiar with my previous essay, you will be able after reading this essay 
to get the whole license file for SolidEdge v7.0 for all modules. For all others they want 
to crack this target I recommend to read my previous essay on this target.
          As I recently said : a nice example to show how the software companies are stupid 
that they trust Flexlm and the Globetrotter's products. On the second week cracking this target 
I could find the place inside ugflex.dll where the license key was compared with the good one. 
Again without knowing the encryption algorithm of ugflex  /*how amazing !*/. 

Tools required
Softice or any other win32 debugger, Wdasm or IDA 3.75 brain and essays on flexlm /*S+H,pillgrim,etc.*/

Target's URL/FTP, /*ask for your free CD*/

Program History

Part One -let's continue

         From the previous essay we know the feature names. That means we can create our fake 
license file and much more.. We stopped last time at this location inside ugflex.dll:

04E53827                 push    edi
04E53828                 push    esi
04E53829                 call    sub_4E53E77                    ; check if valid
04E5382E                 add     esp, 0Ch
04E53831                 test    eax, eax        				; eax should not be zero
04E53833                 jz      loc_4E53726 				; jump if bad boy
04E53839                 cmp     dword ptr [ebp+18h], 3
04E5383D                 jz      loc_4E53924
04E53843                 push    edi					;license OK -continue

I marked the call "check if valid" because of high possibility where the check is done. 
It doesn't seemed to be done elsewhere because our fake license file worked last time we patched
the 04e53833 location. We will now continue with stepping into subroutines as we did last time.

We step into  sub_4e53e77:

04E53E77                 push    ebp
04E53E78                 mov     ebp, esp
04E53E7A                 sub     esp, 58h
04E53E7D                 mov     [ebp+var_4], 0
04E53ED2                 push    eax          ;look where this points
04E53ED3                 push    edi
04E53ED4                 push    esi
04E53ED5                 call    sub_4E54AA9
04E53EDA                add     esp, 10h      ; eax - pointer to good license /*if found*/
04E53EDD                 xor     edx, edx
04E53EDF                 test    eax, eax

The sub_4e54aa9 contains:

04E54AA9                 push    ebp
04E54AAA                 mov     ebp, esp
04E54AAC                 sub     esp, 4
04E54AAF                 push    ebx
04E54AB0                 push    esi
04E54AB1                 push    edi           ; look at the edi pointer
04E54AB2                 mov     ebx, [ebp+arg_4]
04E54AB5                 push    [ebp+arg_C]
04E54AB8                 push    [ebp+arg_8]
04E54ABB                 push    ebx
04E54ABC                 mov     esi, [ebp+arg_0]
04E54ABF                 push    esi
04E54AC0                 call    sub_4E54B6B    ;our call 
04E54AC5                 add     esp, 10h
04E54AC8                 mov     edi, eax
04E54ACA                 lea     eax, [ebx+54h]
04E54ACD                 push    eax
04E54ACE                 call    sub_4E55A7B
04E54AD3                 add     esp, 4
04E54AD6                 test    eax, eax
04E54AD8                 jz      loc_4E54B62

Our little call at 4e54ac0 returns the pointer where the good license key is stored. When you 
don't have good license key it returns zero. Therefore step in...

You will land inside this long subroutine:

04E54B6B                 push    ebp
04E54B6C                 xor     eax, eax
04E54B6E                 mov     ebp, esp
04E54B70                 sub     esp, 974h
04E54B76                 push    ebx
04E54B77                 mov     [ebp+var_18], eax
04E54B7A                 push    esi
04E54B7B                 mov     [ebp+var_24], eax
04E54B7E                 push    edi
04E54B7F                 mov     esi, [ebp+arg_4]
04E54B82                 mov     ecx, [ebp+arg_8]
04E54B85                 mov     [ebp+var_14], eax
04E54B88                 mov     edi, [esi+50h]
04E54B8B                 push    6
04E54B8D                 mov     [ebp+var_20], eax
04E54B90                 mov     [ebp+var_8], ecx
04E54B93                 push    [ebp+arg_0]
04E54B96                 mov     [ebp+var_C], eax
04E54B99                 call    sub_4E60F04
04E54B9E                 add     esp, 8
04E54BA1                 cmp     eax, 7Fh
04E54BA4                 jz      short loc_4E54BB7

We will use our old method of jump difference /*runing this sub once with the valid and once 
with the fake license*/. There are 21 jumps made with the fake key and 20 jumps with the valid key:
	4e54ba4		ok.
	4e54bdb		ok.
	4e54c07		ok.
	4e550d2		all ok.
	4e55199		oops  - the first difference

We sholud now examine what happens around the 4e55199 location.

04E55189                 push    ecx
04E5518A                 push    [ebp+arg_0]
04E5518D                 call    sub_4E55B03          ; look this time at esi poiter 
04E55192                 add     esp, 18h
04E55195                 mov     esi, eax
04E55197                 test    esi, esi
04E55199                 jnz     short loc_4E5519F	
04E5519B                 xor     eax, eax	      ; bad license
04E5519D                 jmp     short loc_4E551DD
04E5519F                 cmp     [ebp+var_C], 0       ; pointer returned - continue
04E551A3                 jz      short loc_4E551B7

Step into the sub_4e55b03. Step through this subroutine and write down the jumps. See at 
the differences. Again the same until you reach 4e55e58. Use the valid key and you will now see 
the loop:

04E55DD8                 cmp     dword_4E7FC1C, 1
04E55DDF                 mov     bl, [edi]		; edi - pointer to our key
04E55DE1                 jle     short loc_4E55DF3
04E55E52                 cmp     byte_4E80940[esi], bl	; compare something
04E55E58                 jnz     short loc_4E55E79	;jump to end loop
04E55E5A                 add     edi, 2
04E55E5D                 inc     esi
04E55E5E                 cmp     esi, [ebp+var_8]
04E55E61                 jl      loc_4E55DD8		;our loop 
04E55E67                 push    [ebp+arg_10]
04E55E6A                 push    offset byte_4E80940
04E55E6F                 call    sub_4E55F12
04E55E74                 add     esp, 8
04E55E77                 jmp     short loc_4E55E7B

As you can see our string is loaded to bl register and something at 04e55e52 is compared with....
Inside this loop you can see:

04E55DF3                 movsx   ecx, bl	;bl - our key in ASCII format, edi =pointer to the key
04E55DF6                 mov     edx, off_4E7FA10
04E55DFC                 xor     eax, eax
04E55DFE                 mov     ax, [edx+ecx*2]
04E55E02                 and     eax, 4
04E55E05                 test    eax, eax
04E55E07                 jnz     short loc_4E55E0C
04E55E09                 sub     bl, 7			
04E55E0C                 shl     bl, 4		;shift 4 bits left
04E55E0F                 mov     al, [edi+1]	;read the next character - pardon nibble
04E55E12                 cmp     dword_4E7FC1C, 1
04E55E19                 mov     byte ptr [ebp+var_4+3], al
04E55E1C                 jle     short loc_4E55E2E
04E55E2E                 movsx   ecx, byte ptr [ebp+var_4+3]
04E55E32                 mov     edx, off_4E7FA10
04E55E38                 xor     eax, eax
04E55E3A                 mov     ax, [edx+ecx*2]
04E55E3E                 and     eax, 4			; and eax
04E55E41                 test    eax, eax
04E55E43                 mov     al, byte ptr [ebp+var_4+3]
04E55E46                 jz      short loc_4E55E4E
04E55E48                 lea     ebx, [eax+ebx-30h]
04E55E4C                 jmp     short loc_4E55E52
04E55E4E                 lea     ebx, [eax+ebx-37h]
04E55E52                 cmp     byte_4E80940[esi], bl	;our compare
04E55E58                 jnz     short loc_4E55E79

In this small loop is the hexadecimal string converted to single bytes and each after other 
compared to the bytes at location 4e80940. When the byte matches - the loop continues. 
The local pointer esi is increased until it reaches the [ebp+var_8] - variable. 
Part Two - let's get them all

      What does this mean? Yes, this is the final compare... So next do  d 4e80940 and write 
down the 6 bytes /*be careful - not dwords, neither words*/. And this will be your license key 
-12 characters- of course in hexadecimal format. Do the same with other features - 
just bpx at 04e55e52 and d 4e80940 - incredible what the Globetrotters do.

Final Notes
   Engineering and reverse engineering - this will help you. Don't ask marketers or
businessmen for passwords! You see - how stupid they can be. Just to sell...
   You should pay for this - the programmers can keep on, but the businessmen too.

Ob Duh
I wont even bother explaining you that you should BUY this target program if you intend to use it for a longer period than the allowed one. Should you want to STEAL this software instead, you don't need to crack its protection scheme at all: you'll find it on most Warez sites, complete and already regged, farewell, don't come back.

You are deep inside reverser's page of reverse engineering, choose your way out:

redhomepage redlinks redsearch_forms red+ORC redhow to protect redacademy database
redreality cracking redhow to search redjavascript wars
redtools redanonymity academy redcocktails redantismut CGI-scripts redmail_reverser
redIs reverse engineering legal?