So patch the first push eax to be jmp 00409234.
This bypasses all license checking and we're done!
Deeper analysis of the crack
============================
First we'd better download the FlexLock 1.0 SDK.
We see it's 32-bit cryptwin encrypted; see previous essays on how to
crack that (note this one has the extra checksum at the front of the
Z file to bypass).
Once it's installed we see an example of how to call the API
in csamples\main.c. Here are the edited highlights (declarations of
the FL_* types and constants come from the SDK header and are omitted):
#include <stdlib.h>                       /* rand(), exit() */

#define FL_MASK 0x24f96f82
#define FL_MASKED_CODE (0x33333333 ^ FL_MASK)   /* user's secret code, masked */
#define FL_INSTANCE_NAME "47123001"

    challengeVal = rand();                /* fresh challenge for this run */
    localVal = challengeVal;              /* private copy for the later compare */
    intReturned =
        FL_FLEXlockAPI( FL_INSTANCE_NAME, &challengeVal, &modeVal );
    if( intReturned == 0 )                /* the API call itself failed */
        exit( -1 );
    if ( modeVal != FL_PURCHASED )        /* not running as a purchased copy */
        exit( -1 );
    challengeVal ^= FL_MASK;              /* unmask the API's answer ...        */
    localVal ^= FL_MASKED_CODE;           /* ... and derive the expected answer */
    if( localVal != challengeVal )        /* answer was not built from our secret */
        exit( -1 );
So we first see a check to ensure the API function ran OK.
Then another on modeVal to ensure we're using the 'purchased' mode.
Then some sneaky XORs to ensure nobody has fiddled with the data.
The main thing to note is that 0x33333333 is the user's 'secret code'.
This is used to ensure valid users of the FlexLock SDK cannot easily
generate licenses for another FlexLock application without knowing the
other's 'secret code'. The only constants that survive compilation are
FL_MASK and FL_MASKED_CODE, so we can see:
    secret code = FL_MASKED_CODE ^ FL_MASK
Looking at Hotz above we see:
:004091DE xor edi, 40646F84
For Hotz this gives secret code = 0x40646F84 XOR 0x40687EA9 = 0x000C112D
As we'll see later, the key is entered in decimal, which in this case
is 790829, i.e. 79 08 29. What's this? Someone's birthday?
So we can see why the first quick crack had to bypass both the function
call and the sneaky checks.
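The check above, as an added example that is not part of the essay or of the FlexLock SDK: recover_secret() shows that the 'secret code' falls straight out of the two immediates, and run_sample_check() replays the sample's three tests against a stand-in for FL_FLEXlockAPI. The stand-in's behaviour (it answers with challenge XOR secret, and mode 1 stands in for FL_PURCHASED) is inferred from the sample's arithmetic, not taken from any SDK documentation.

```c
/* Added example, not from the essay or the FlexLock SDK: models the
 * challenge/response check from csamples\main.c and recovers the
 * 'secret code' from the two XOR immediates left in a FlexLocked binary.
 * fake_flexlock_api() is a stand-in for FL_FLEXlockAPI whose behaviour
 * (answer = challenge XOR secret) is inferred from the sample's arithmetic,
 * not taken from SDK documentation. */
#include <stdint.h>
#include <stdio.h>

/* Constants from the essay: the SDK sample's mask and secret, and the two
 * immediates read out of the Hotz Translator disassembly. */
#define SAMPLE_MASK        0x24f96f82u
#define SAMPLE_SECRET      0x33333333u
#define SAMPLE_MASKED_CODE (SAMPLE_SECRET ^ SAMPLE_MASK)
#define HOTZ_IMM_A         0x40646F84u   /* :004091DE xor edi, 40646F84 */
#define HOTZ_IMM_B         0x40687EA9u

/* The secret is simply the XOR of the two constants the compiler left in
 * the binary. XOR is commutative, so you need not know which immediate is
 * FL_MASK and which is FL_MASKED_CODE. */
uint32_t recover_secret(uint32_t imm_a, uint32_t imm_b)
{
    return imm_a ^ imm_b;
}

/* Stand-in for FL_FLEXlockAPI (assumption, see above): a licensed install
 * answers a challenge with challenge XOR secret and reports its mode.
 * mode 1 plays the role of FL_PURCHASED; non-zero return means the call ran. */
static int fake_flexlock_api(uint32_t install_secret, int purchased,
                             uint32_t *challenge, int *mode)
{
    *challenge ^= install_secret;
    *mode = purchased;
    return 1;
}

/* The sample's three checks, in order. mask/masked_code are the constants
 * compiled into the application; install_secret is what the FlexLock
 * runtime actually uses. Returns 1 when the application would accept. */
int run_sample_check(uint32_t mask, uint32_t masked_code,
                     uint32_t install_secret, int purchased, uint32_t challenge)
{
    uint32_t local = challenge;          /* localVal = challengeVal */
    int mode = 0;
    if (fake_flexlock_api(install_secret, purchased, &challenge, &mode) == 0)
        return 0;                        /* API call failed */
    if (mode != 1)
        return 0;                        /* modeVal != FL_PURCHASED */
    challenge ^= mask;                   /* challengeVal ^= FL_MASK */
    local ^= masked_code;                /* localVal ^= FL_MASKED_CODE */
    return local == challenge;           /* the 'sneaky XOR' comparison */
}

int main(void)
{
    uint32_t hotz = recover_secret(HOTZ_IMM_A, HOTZ_IMM_B);
    printf("Hotz secret code: 0x%08X = %u decimal\n", hotz, hotz);
    printf("SDK sample, correct secret:  %d\n",
           run_sample_check(SAMPLE_MASK, SAMPLE_MASKED_CODE, SAMPLE_SECRET, 1, 0x12345678u));
    printf("SDK sample, wrong secret:    %d\n",
           run_sample_check(SAMPLE_MASK, SAMPLE_MASKED_CODE, SAMPLE_SECRET + 1, 1, 0x12345678u));
    printf("SDK sample, not purchased:   %d\n",
           run_sample_check(SAMPLE_MASK, SAMPLE_MASKED_CODE, SAMPLE_SECRET, 0, 0x12345678u));
    return 0;
}
```

The point the code makes: the comparison only proves that whoever answered the challenge XORed it with the same secret the binary has compiled in, and that secret is recoverable from the two immediates regardless of which one is the mask. The Hotz value comes out as 0x000C112D, which is 790829 in decimal, the same number the essay later types in as the key.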
Get the FlexLock SDK to work
============================
The FlexLock SDK consists of two components: configedit and makelicence.
Reading the accompanying documentation we see they need a FlexLm license
stored in \licenses\license.lic
We also see an example license:
FEATURE FLConfigEdit gsi 1.0 1-jan-0000 0EC3505C1AE9C5EE1D977 \
        VENDOR_STRING=OR5358 HOSTID=123456 ISSUER="GLOBEtrotter \
        Software, Inc." ck=48
FEATURE FLMakeLicense gsi 1.0 1-jan-0000 00C65F5710DFEF9B33F77 \
        HOSTID=123456 ISSUER="GLOBEtrotter Software, Inc." ck=39
We can see: the vendor name is gsi (Globetrotter Software Inc);
the two feature names; and that configedit requires a vendor string.
Let's make a license for the FlexLock SDK.
We can see lmgr326a.dll in the FlexLock SDK, so why not try the genlic32
program that comes with the FlexLm 6.1 SDK?
Because it doesn't work, that's why not.
It generates HOSTID=ANY, which the FlexLock programs don't like.
But if you make your own license generator, as Vox shows you,
then we just get a bare "ANY", which works.
What's the vendor ID (the VENDOR_STRING of the FLConfigEdit feature) for?
Well, it seems that the FlexLock tools read the vendor ID and use it
to build the feature name of the FlexLock key.
Finding it is easy, according to the documentation:
    After the FLEXlock operation is activated, an entry is generated in
    the registry. It is located at:
    HKEY_LOCAL_MACHINE\SOFTWARE\GLOBEtrotter Software Inc.\FLEXlock
So run your flexlocked application, then look in the registry for the
feature name.
In the case of Hotz Translator it's OR5289000.
But it's not that easy: the last three digits are the product number,
so the vendor ID we require is OR5289.
We eventually end up with the licence we need to get FlexLock to run:
FEATURE FLMakeLicense gsi 1.000 permanent uncounted 2CF67BC10C7B17A4222B "" ANY
FEATURE FLConfigEdit gsi 1.000 permanent uncounted 3C264B61C254B643EAED "OR5289" ANY
Generate a license
==================
Follow the FlexLock SDK instructions and make a FlexLock license for
your target.
Note that in the case of Hotz the product number needs to be 000 to give
the desired feature name, and the secret code is the one we found above.
Run configedit first, then makelicence to generate a key for the
FlexLocked target.
I ended up with this for Hotz:
FLEXlock-OR5289000-15937-42877-61858-06522-46939-34028-8035
This can be entered when prompted, or saved in a license.dat file in
the target's root directory.
Further analysis
================
As usual, I dug a little deeper.
These are just a few discoveries which may help you.
Please feel free to fill in the missing gaps ;-)
The FlexLock licence above is in what Globetrotter call decimal format.
It's generated by lc_cryptstr when passed the flag LM_CRYPT_DECIMAL (0x20).
If we break on the call to lc_cryptstr during licence generation and
remove LM_CRYPT_DECIMAL, we get the readable format of the license file:
FEATURE OR5289000 FLEXlock 1.000 permanent uncounted 3454EFA72F5E \
        VENDOR_STRING=1889375979 HOSTID=ANY
When saved in the license.dat file this works fine instead of the
decimal format.
So the feature name is defined by our application (vendor ID plus
product number) and the vendor name is FLEXlock.
But what's the vendor string for?
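The FEATURE lines used in this essay (the two SDK licences under "We eventually end up" and the readable FlexLock licence just above), parsed by a small added example that is not from the essay or from GLOBEtrotter. The field layout it assumes, FEATURE name vendor version expiry count key followed either by KEY=value attributes or by a positional "vendor-string" hostid pair, is read off those lines on this page rather than taken from FLEXlm documentation; backslash continuations are folded before tokenising.

```c
/* Added example, not from the essay or from GLOBEtrotter: a small parser
 * for the readable FEATURE lines used in this essay. The layout it assumes,
 *   FEATURE name vendor version expiry count key [attrs...]
 * where the trailing attrs are either KEY=value pairs or the positional
 * pair "vendor-string" hostid, is taken from the licence lines on this
 * page, not from FLEXlm documentation. Backslash continuations are folded. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define MAXTOK 16
#define TOKLEN 64

struct feature {
    char name[TOKLEN], vendor[TOKLEN], version[TOKLEN], expiry[TOKLEN];
    char count[TOKLEN], key[TOKLEN], vendor_string[TOKLEN], hostid[TOKLEN];
};

/* Two licence lines from this essay, embedded as sample input. */
static const char SDK_LINE[] =
    "FEATURE FLConfigEdit gsi 1.000 permanent uncounted 3C264B61C254B643EAED \"OR5289\" ANY";
static const char HOTZ_LINE[] =
    "FEATURE OR5289000 FLEXlock 1.000 permanent uncounted 3454EFA72F5E \\\n"
    "        VENDOR_STRING=1889375979 HOSTID=ANY";

/* Bounded copy that drops surrounding double quotes. */
static void set_field(char *dst, const char *src)
{
    size_t n = strlen(src);
    if (n >= 2 && src[0] == '"' && src[n - 1] == '"') { src++; n -= 2; }
    if (n >= TOKLEN) n = TOKLEN - 1;
    memcpy(dst, src, n);
    dst[n] = '\0';
}

/* Split on whitespace; a double-quoted token may contain spaces. */
static int tokenize(const char *s, char tok[][TOKLEN])
{
    int n = 0;
    while (*s && n < MAXTOK) {
        while (*s && isspace((unsigned char)*s)) s++;
        if (!*s) break;
        int i = 0, quoted = 0;
        while (*s && (quoted || !isspace((unsigned char)*s))) {
            if (*s == '"') quoted = !quoted;
            if (i < TOKLEN - 1) tok[n][i++] = *s;
            s++;
        }
        tok[n++][i] = '\0';
    }
    return n;
}

/* Parse one FEATURE entry (possibly spanning continuation lines) into *f.
 * Returns 1 on success, 0 if the text is not a FEATURE line. */
int parse_feature(const char *text, struct feature *f)
{
    char joined[512], tok[MAXTOK][TOKLEN];
    size_t j = 0;
    for (const char *p = text; *p && j < sizeof joined - 1; p++) {
        if (*p == '\\' && p[1] == '\n') { p++; joined[j++] = ' '; } /* fold "\\\n" */
        else joined[j++] = (*p == '\n') ? ' ' : *p;
    }
    joined[j] = '\0';

    int n = tokenize(joined, tok);
    if (n < 7 || strcmp(tok[0], "FEATURE") != 0) return 0;
    memset(f, 0, sizeof *f);
    set_field(f->name, tok[1]);    set_field(f->vendor, tok[2]);
    set_field(f->version, tok[3]); set_field(f->expiry, tok[4]);
    set_field(f->count, tok[5]);   set_field(f->key, tok[6]);

    int positional = 0;            /* trailing fields without '=' seen so far */
    for (int i = 7; i < n; i++) {
        if (!strncmp(tok[i], "VENDOR_STRING=", 14)) set_field(f->vendor_string, tok[i] + 14);
        else if (!strncmp(tok[i], "HOSTID=", 7))    set_field(f->hostid, tok[i] + 7);
        else if (strchr(tok[i], '='))               continue;  /* other attribute: ignored */
        else if (positional++ == 0)                 set_field(f->vendor_string, tok[i]);
        else                                        set_field(f->hostid, tok[i]);
    }
    return 1;
}

/* One-call accessor for quick checks: parse and return a named field ("" if absent). */
const char *feature_field(const char *text, const char *field)
{
    static struct feature f;
    if (!parse_feature(text, &f)) return "";
    if (!strcmp(field, "name"))          return f.name;
    if (!strcmp(field, "vendor"))        return f.vendor;
    if (!strcmp(field, "version"))       return f.version;
    if (!strcmp(field, "expiry"))        return f.expiry;
    if (!strcmp(field, "count"))         return f.count;
    if (!strcmp(field, "key"))           return f.key;
    if (!strcmp(field, "vendor_string")) return f.vendor_string;
    if (!strcmp(field, "hostid"))        return f.hostid;
    return "";
}

int main(void)
{
    const char *lines[] = { SDK_LINE, HOTZ_LINE };
    for (int i = 0; i < 2; i++)
        printf("feature=%s vendor=%s vendor_string=%s hostid=%s\n",
               feature_field(lines[i], "name"), feature_field(lines[i], "vendor"),
               feature_field(lines[i], "vendor_string"), feature_field(lines[i], "hostid"));
    return 0;
}
```

Run against the two lines it shows the relationship the essay describes: the SDK licence carries OR5289 as the vendor string of the FLConfigEdit feature, and the FlexLock licence carries OR5289 plus the product number as its feature name with FLEXlock as the vendor. The first SDK example licence on this page, which has no count field between the expiry and the key, does not fit this fixed layout and is not handled.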
Deeper still...
We can easily find the seeds and keys used by FlexLock by breaking
on lc_init and finding the key 5 XORs.
But looking at lc_set_attr calls we see FlexLock uses a vendor-defined
checkout filter.
Maybe this has something to do with the vendor string?
It seems the basics behind FlexLm aren't changing; there are just more
and more 'value-added' wrappers applied around the core.
Understand the core and you've won.
However, FlexLm _is_ flexible, with lots of sneaky tricks such as
vendor-defined encryption. I'm sure this isn't the end of FlexLm.
FlexLock seems trivial to crack due to the simple pass/fail return from
the single API function call. A chain is only as strong as its weakest
link.
FlexLm is fairly strong. The single API function call is laughably weak.
Thanks go out to all you good people who continue sharing the knowledge.
pilgrim
I won't even bother explaining to you that you should BUY this target
program if you intend to use it for a longer period than the allowed
one. Should you want to STEAL this software instead, you don't need to
crack its protection scheme at all: you'll find it on most Warez sites,
complete and already regged, farewell, don't come back.