
20/3/2018 FLEXlm - "Dubious License Management", & SentinelLM / ElanLM.

This is Google's cache of http://www.woodmann.com/crackz/Flexlm.htm. It is a snapshot of the page as it appeared on 14 Mar 2018 06:11:21 GMT.

FLEXlm - (License Management for the commercial fools)


On February 7th 2005 Macrovision were once again successful in scaring my webhost into shutting down this
page. This is now the 2nd time they have decided to exercise their legal teams (unlike most protectionists who
actually improve their software, heaven forbid!). The shutdown lasted about 2 weeks.

FLEXlm, or the 'flexible lies manager' depending upon your viewpoint. With so many versions out there you might
well be wondering which one you might be reversing today, or how any developer could possibly put their trust in
this system. All of what I write below still applies to the current versions (v9.x); quotes are taken from
Macrovision (all copyrights reserved etc, etc) since they've tried before to close me down.

*NEW from scorpie* : Generate your own SentinelLM installation serial numbers.
*NEW from Sp0Raw August 2007* : list of FLEXlm VENDORCODEs.

*NEW August 2006*

I have now made available the source code to Nolan Blender's Lmkg. This will allow you to generate your own
vendor keys and CRO keys for any given vendor name up to v9 behaviour; a trivial addition to the code will also
allow generation of v10 compatible keys. Download it here now (141k). As an additional bonus, here is a FLEXlm
v10.0 vendor key generator courtesy of tom324 (18k).

*NEW* FLEXlm Vendor Key Generator 3.0 (generates v4-v11 compatible keys (94k)).

Hey! FLEXlm aficionados, have you read my latest paper on FLEXlm v8.x & v9.x? If not, read it here now (new
in 2004!), and here's a quick tip for quickly recovering the seeds:

"The default value to clean the seeds variable is 3D4DA1D6h. A lot of vendors are lazy or foolish and don't change
this default value. So, a very easy way is just search the pattern 3D4DA1D6h in disassembled codes. You'll get a
lot of codes like this : mov [ebp-xxxx], 3D4DA1D6h. Just break on every instance containing this value and .......
run. If the program is checking the license, write down the value in [ebp-xxxx] when the first breakpoint is
reached. It's your seed1 (not XORed with key5, it's original seed1). The second breakpoint you get, it's seed2. And
trace a little back to the function entry, the keys (1~4) are in the parameters. Anyway, this method won't work for
every case, but for beginner, it's easy to learn. ;-)."
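As an added vendor-side check (my example, not code from the page or from Macrovision), the following Python scans a binary image for the default seed-scrubbing constant quoted above and reports whether each hit sits inside a 32-bit "mov [ebp+disp], imm32" store; the sample bytes are constructed, and the operand decoding assumes the x86 encodings C7 45 (disp8) and C7 85 (disp32).

```python
"""Audit a binary for the default FLEXlm seed-scrubbing constant.

Hypothetical vendor-side self-check (not code from the page or from
Macrovision): the quoted tip says the default value used to scrub the seed
variables is 3D4DA1D6h and that many vendors never change it. A vendor can
scan its own release binary for that constant; if it is found as the
immediate operand of a 32-bit store, the seeds are trivially locatable and
the default should be changed before shipping.
"""
import struct

DEFAULT_SEED_SCRUB = 0x3D4DA1D6
PATTERN = struct.pack("<I", DEFAULT_SEED_SCRUB)  # little-endian on x86


def _fmt_disp(disp: int) -> str:
    """Render a displacement the way the tip writes it: [ebp-xxxx]."""
    sign = "-" if disp < 0 else "+"
    return f"mov [ebp{sign}0x{abs(disp):x}], imm32"


def _classify(buf: bytes, off: int) -> str:
    """Say whether the constant at `off` is a store immediate or plain data.

    Assumed encodings (32-bit x86):
      C7 45 disp8  imm32  -> mov dword [ebp+disp8], imm32
      C7 85 disp32 imm32  -> mov dword [ebp+disp32], imm32
    """
    if off >= 3 and buf[off - 3] == 0xC7 and buf[off - 2] == 0x45:
        return _fmt_disp(struct.unpack("<b", buf[off - 1:off])[0])
    if off >= 6 and buf[off - 6] == 0xC7 and buf[off - 5] == 0x85:
        return _fmt_disp(struct.unpack("<i", buf[off - 4:off])[0])
    return "data"


def find_default_scrub(buf: bytes) -> list:
    """Return (offset, classification) for every occurrence of the constant."""
    hits = []
    start = 0
    while True:
        off = buf.find(PATTERN, start)
        if off < 0:
            return hits
        hits.append((off, _classify(buf, off)))
        start = off + 1


def audit(buf: bytes) -> str:
    """One-line verdict a release checklist can key on."""
    hits = find_default_scrub(buf)
    if not hits:
        return "ok: default seed-scrub constant not present"
    stores = [h for h in hits if h[1] != "data"]
    verdict = "CHANGE IT" if stores else "review"
    return f"{verdict}: {len(hits)} hit(s), {len(stores)} as store immediate(s)"


# Constructed sample image: a function prologue, one disp8 store of the
# constant, NOP filler, one disp32 store, then the constant as loose data.
SAMPLE = (
    b"\x55\x8b\xec\x83\xec\x40"                          # push ebp; mov ebp,esp; sub esp,0x40
    + b"\xc7\x45\xdc" + PATTERN                          # mov dword [ebp-0x24], 3D4DA1D6h
    + b"\x90" * 5                                        # nop filler
    + b"\xc7\x85" + struct.pack("<i", -0x130) + PATTERN  # mov dword [ebp-0x130], 3D4DA1D6h
    + b"\x00" * 4 + PATTERN + b"\xff" * 3                # constant as plain data
)

if __name__ == "__main__":
    for off, kind in find_default_scrub(SAMPLE):
        print(f"offset 0x{off:04x}: {kind}")
    print(audit(SAMPLE))
```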

FLEXlm 'speak'


"best-of-breed encryption technology" - Around v8.1 Macrovision finally managed to implement a product secure
from license generators (after buying in the services of Certicom). A glorious history of well appreciated security
concepts such as 'xor encryption', 'hiding keys with random data', 'security by obscurity' & 'weak random number
generation' has finally been cast aside. Dare I say, try hard enough and eventually you'll get it right? The advent
of good encryption has made most products safe from license generators; the trouble is, trivial patches are still
able to defeat FLEXlm.

"Using Macrovision Consulting Services to implement the optimal licensing solution for your business." - Since
these guys can't even secure their own flagship product, I wouldn't let them near anything I was serious about
protecting.

I encourage all potential buyers of FLEXlm to read Macrovision's page and then flick back here to my page. If you
can believe anything that Macrovision says afterwards then please go ahead and use FLEXlm for your
product. In fact Macrovision has something of a glorious history in software protection: their own Safecast and
CD technologies have been cracked for years as well.

http://www.globetrotter.com & now purchased by Macrovision (or should that be Microvision ;-) ).

"FLEXlm is the most popular license manager used in the software industry. FLEXlm is best known for its ability
to allow software licenses to be available (or float) anywhere on a network, instead of being tied to specific
machines. Floating licensing benefits both users and license administrators. Users can make more efficient use of
fewer licenses by sharing them on the network. License administrators can control who uses the licensed
application, and the node(s) where the licenses will be available". "Or should I say it used to be the most
popular".....

Sections on this page: FLEXlm license sniffing (courtesy of Skullcoder), v7.2 snippets of information, FLEXlm
Piracy Concerns (EDA developers beware), FLEXlm seeds, SentinelLM / ElanLM Section.

Many of my readers familiar with high end or specialist applications will already know FLEXlm well; in certain
markets GlobeTrotter have really started to establish themselves on the Windows platform. As there is now
sufficient material I have subclassed FLEXlm into its own section. I do advise you read the FLEXlm manuals very
carefully as well as downloading the SDKs and tools available below.

FLEXGen
Released by RBS, BlastSoft's FLEXGen exploits many of the early holes identified in the FLEXlm DLLs. FLEXGen
is unlikely to be supported in the future due to BlastSoft's retirement from the scene. The FLEXGen link has been
restored (by popular demand) and now includes the full source code (please don't abuse this ;-) ).

FLEXGen (total size approx 3.12Mb).

FLEXlm SDK + Utilities

Below you'll find decryption keys for older SDKs and many of the latest versions. You might like to download the
following FLEXlm tools (166k) :-

Nolan Blender's lmvkey5 v1.0 & lmrecode.
prs's FLEXlm Key 5 Generator.
UCF's FlexSeedGen v0.3.

Still confused? Then read my tutorial for SDS/2 below (it describes very basic FLEXlm operation). These old
modified FLEXlm DLLs are courtesy of ZiGo; his page has long since been removed from the web, so they remain
here now purely for historical reference (100k).


GlobeTrotter have removed the SDK from most of the web and their public FTP because of security concerns (only
3 months after RBS released BlastSoft's FlexGen, which used holes in the DLLs). Interestingly, GlobeTrotter's only
real response to this has been to blacklist ISSUER=BlastSoft by name (clearly visible in disassembly listings of the
latest DLLs), albeit there are also some algorithmic enhancements and hiding of the keys.

SDKs (September 2003)

Due to bandwidth constraints, and also my desire to encourage the community to contribute to my site, the FLEXlm
SDK downloads have been removed and are now only available to those granted access to the other side. Here is
a list of the versions currently available (thanks to sporaw for correcting some of my version inaccuracies).

FLEXlm SDK SUN version.

FLEXlm v5.0b, v5.0e Update, v5.12, v6.0k, v6.1g, v7.0a, v7.0b, v7.0d, v7.0e, v7.0f, v7.0g, v7.1b, v7.1c, v7.1d,
v7.1e, v7.1f, v7.2a, v7.2c, v7.2d, v7.2e, v7.2f, v7.2g, v7.2h, v7.2i, v8.0b, v8.0c, v8.0d, v8.1a, v8.1b, v8.3b, v8.4a,
v8.4b, v9.0, v9.2d Source Code, v9.2.2, v9.2i (total 37 SDKs).

FLEXlm v8.1 ECC Patcher - patches the return value of _l_pubkey_verify().
FLEXlm v8.x lmv8gen - generates vendor keys for v8.x+ of FLEXlm (17k).
FLEXlm system ID changer for IRIX 6.5 (courtesy of WellMoon) (2k).

I'm sorry to say that although I possess several Linux SDKs they will not ever be placed here; that's just the way it
is I'm afraid.

License Keys (as required)

v5.12 - 5537-2182-6912-6163-32.
v6.0 - 7445-5305-5517-4801-06 or 2143-0909-0581-5196-06 (v6.0k).
v6.1g - 7334-3535-3425-7783-1261-6354-07 or 7461-5321-5517-4305-07.
v7.0a/b - 1631-3020-1109-7436-47.

FLEXlm license sniffing


This is the core of a very rough yet interesting text I received from Skullcoder.

Hello CrackZ, I have had a lot of pleasant hours playing with VirtuoZo software license creation and had no success
with license generation at all using the standard methods of seed & vendor code recovery. I already have good
practice with FLEXlm deprotection but the VirtuoZo implementation made me really stuck. Once I visited your
website and read a really interesting issue by Acme about "alternative license generation" for FLEXlm 5.1. You may
know this issue doesn't work for v6.1 and future versions, but inspired by this I have discovered how a license can
be created in a similar way.

I'll describe the method in few words and probably you'll bring my ideas to more people interested in FLEXlm
6.1/7.0 license keys for 1-3 features without Genlic32 or Flexgen but just with SoftICE. The software has just v6.1
FLEXlm code implemented into about 30 executables with nothing special. I've turned on FLEXlm diagnostics
inside registry and discovered feature name and version. Vendor name was easy to find too. Next I have played a
lot with seeds and vendor code before discovering a really interesting part of code (address .4712F0). "It really
looks like license creation", I continued with tracing this part of code. Next part appears really cool (address
.471538) because it looks like usual text-with-binary comparison!.

Voila! At address .4715EC you can see the best part of all FLEXlm code -- the comparison of the license number
from license.dat with the generated number. That's all. You can have it directly by typing :D DS:71E1B8 or by
passing all JNE 471613 with zero flag and waiting while FLEXlm converts this binary to a text string at .471609!
Another interesting thing has been revealed. This procedure has been called twice, so not only one valid license
number can be generated but some more :-).

.004712CF: push esi
.004712D0: call .0048EDA8 -------- (1)
.004712D5: add esp,00C ;""
.004712D8: jmps .004712DD -------- (2)
.004712DA: mov esi,[ebp][0000C]
.004712DD: mov d,[ebp][-0004],0 ;"
.004712E4: cmp d,[ebp][-0024],0 ;" "
.004712E8: jle .004714C9 -------- (3)
.004712EE: xor eax,eax
.004712F0: mov cl,[eax][esi] <-- Making license number
.004712F3: xor [eax][0071E1B8],cl
.004712F9: inc eax
.004712FA: cmp eax,8 ;""
.004712FD: jl .004712F0 -------- (4)
.004712FF: cmp d,[ebp][-0004],000 ;" "
.00471303: jne .004714AA -------- (5)
.00471309: mov ecx,[ebp][00008]
.0047130C: cmp d,[ecx][00000020C],000 ;" "
.00471313: jne .00471454 -------- (6)

Continuing the code :-

.00471521: mov d,[ebp][-0008],000000008 ;"
.00471528: cmp d,[ebp][00018],066D8B337 ;
.0047152F: jne .00471538 -------- (1)
.00471531: mov d,[ebp][-0008],000000006 ;"
.00471538: xor esi,esi <-- Starting to compare.
.0047153A: cmp [ebp][-0008],esi
.0047153D: jle .00471601 -------- (2)
.00471543: lea edi,[ebp][-0020]
.00471546: mov bl,[edi]
.00471548: call __p___mb_cur_max ;MSVCRTD.dll
.0047154E: cmp d,[eax],001 ;""
.00471551: jle .00471564 -------- (3)
.00471553: movsx eax,bl
.00471556: push 004
.00471558: push eax
.00471559: call _isctype ;MSVCRTD.dll

.004715D6: je .004715EC -------- (1)
.004715D8: movzx eax,bl
.004715DB: push eax
.004715DC: lea edx,[esi][00071E1B8]
.004715E2: push esi
.004715E3: push edx
.004715E4: push d,[ebp][00008]
.004715E7: call ecx
.004715E9: add esp,010 ;""
.004715EC: cmp [esi][00071E1B8],bl <- Guess what?
.004715F2: jne .00471613 -------- (2)
.004715F4: add edi,002 ;""
.004715F7: inc esi
.004715F8: cmp [ebp][-0008],esi
.004715FB: jg .00471546 -------- (3)
.00471601: push d,[ebp][00018] <-- Converting number to string for us
.00471604: push 0071E1B8 ;" qá¸"
.00471609: call .004716AC -------- (4)
.0047160E: add esp,008 ;""
.00471611: jmps .00471615 -------- (5)


Needless to say, you should be able to find something useful amongst this snippet to search for with your hex
editor.

v7.2 Snippets
Preliminary comments on v7.2x of FLEXlm from 2 separate individuals.

"v7.2 has several changes : (a) 4 vendor seeds; (b) CRO keys. I tried to make a daemon with specific seeds and
keys, and compile a new demo.exe and lmcrypt.exe. However, the license generated from lmcrypt can not be
accepted by demo.exe. I think the major problem is that the seed3 and seed4 are assigned by myself".

"Unfortunately the seeds are not stored in the daemon. The ECC specific seeds 3 and 4 are used to make the public
and private keys. The daemon and/or the application reads the SIGN= from the license file and only validates the
signature, not the actual key. The private key used to do the signing is only compiled into the lmcrypt binary.
Retrieving seed 3 and 4 will first be an exercise in factoring the ECC, then once the private key is determined, you
must reverse how the private key is generated from the seeds. Good luck with this."

So at this early stage it looks very much like we are back to patching ;-).

Document Title | Description | Date
Ansoft Serenade v8.5/v8.7 | FLEXlm license generating with some help from FLAIR. | 30/12/01
Crypt Filters | Describing how crypt filters are implemented and cracked using standard tools, courtesy of Nolan Blender. | 21/11/00
ECC FLEXlm | Discussion of an early vulnerability in the FLEXlm ECC add-on. | Dec 2001
"How to crack a PC-based license manager" | FLEXcrypt & FLEXlm cracking by pilgrim (2 essays integrated). | 30/10/98 & 07/01/99
"FlexLock ...less secure than the rest of FLEXlm" | FlexLock cracking, third essay courtesy of pilgrim. | June 1999
IMSL & ANSYS | External FLEXlm reversing: "On software reverse engineering (IMSL)" April 7, 2004; "Advanced study on FlexLM system (ANSYS)" June 23, 2004. | April/June 2004
Information hiding methods used by FLEXlm targets | Describes how newer versions of FLEXlm hide the important seed codes. By FLEXlm specialist Nolan Blender. | October 1999
lc_new_job() FLEXlm v6.1 by dan | Great essay describing the obfuscating methods used by GlobeTrotter to at least make reversers work to recover the keys. | September 1999
Reversing GlobeTrotter's FLEXcrypt | Key extraction and encryption algorithm reversing. By Nolan Blender. | 17/09/99
SDS2 v6.112 | Simple example demonstrating how to generate FLEXlm licenses. | 28/08/99
Siul+Hacky's FLEXlm Linux Cracking | A very good document describing Linux debugging / disassembling and FLEXlm weaknesses (the precursor to the floodgates). | July 1999
UGFLEX - modified FLEXlm by Unigraphics | Macilaci's first foray inside Unigraphics. | 15/11/99
UGFLEX2 - let UGFLEX generate the keys for you | Macilaci's second Unigraphics tutorial, this time to generate the correct keys. | 16/11/99
Using FLEXlm Internal Diagnostics | Using FLEXlm Internal Diagnostics to reveal ALL, courtesy of Acme. | Jul. 1999
Vendor Defined Encryption (locating and reversing) | Protection customisation for developers, courtesy of Amante4. | 08/01/00
Zendenc | More FLEXlm tips from Nolan Blender. | June 2001

FLEXlm Crypt Filters & Other Questions

Most of this is reworked from posts I saw at Fravia's Message Board (it may however be useful even if the
questions are target related) :-

Q1. I have read most all the essays I could get my hands on and the API, header files, observed lc_set_attr etc, etc.
Yet I still can't seem to generate correct codes with the keys/seeds I extract. The target is Pixar Renderman, found a
copy and thought it would be fun to play around with. At any rate, I'm not positive that I have the correct vendor
key 5, although from previous posts, I gather that the only thing used to make the keys, is the seeds. Has this
changed in Flex 6.1?

A1. Another poster has mentioned that this product uses crypt filters. Although this makes it more difficult, it is
still possible to keygen these as well. The key is to understand what the filter does. If you have the 6.1 FLEXlm
SDK, start by examining what happens when you use the -filter_gen argument to lmrand1.exe. One approach may
be to write your own program which incorporates the crypt filters, then examine what goes in/out of the filter
subroutines.

Q2. How can I find more features in the program which was encrypted by FLEXlm? Such as Cadence Specctra, I
have looked through all .exe .dll files, but I can't find similar features. Other programs which were integrated with
lmgrxxx.dll, I also can't find more features. I can only find one feature prior to lc_checkout, where were the other
features placed?

A2. You can often find the features by doing a search of the executable for the feature you know - often the other
features are very close to it in the binary. One thing you can do is start up the cdslmd server and see if the program
is trying to check out any specific features - attempts to check out unsupported features will show up in the log file.
I've found that there's usually an attempt to check out a license before it bombs; A few programs call lc_get_config
and then check the returned list for features.

Either way, you find out what it is trying to do. Try searching everything for _ALL to see if you can find anything.
Tell me the version of FLEXlm that cdslmd uses, plus the first two bytes of ENCRYPTION_SEED1 and I may be
able to help you more.

Q3. I used IDA in conjunction with SoftICE to get a nice map of a particular vendor daemon. Everything was going
great, I loaded the *.nms with Symbol Loader. I set the following breakpoints - lc_init, l_sg, l_key, lc_checkout
and a memory address close to l_sg (just for the hay of it). I wrote out a dummy license file and tried both node-
locked and floating models with 0'ed out encryption strings. I then tried firing up my target on both accounts and
nothing. SoftICE never broke.

I spent the next 20 or so minutes trying to figure out what was wrong. I restarted and stopped the license server and
made sure the dat file syntax was correct. Just as an experiment I double clicked on the vendor daemon and
SoftICE broke on all of the bpx except lc_checkout and not the bpm. I got inside lc_init, then l_sg, inside l_sg was
l_key I searched around in there and I managed to find the major version in memory. I read some essays, and none
of them could seem to help. I already have the vc's and es's for this target, but I would like to find them myself.

A3i. Most likely the FLEXlm libs are built into the target itself (you don't need a daemon running, the target
application looks at the license directly). Try putting USE_SERVER in the license file after the SERVER and
DAEMON lines.

Q4. I try to make a license with 20 characters, but I can't. I have the good seeds and vendors keys and have
modified lsvendor.c:ls_a_lkey_long=1 & ls_a_lkey_start_date=1, my license had 16 characters.


A4. lsvendor.c is only for building the daemon - try building lmcrypt, then use lmcrypt -verfmt 5 -longkey
license.dat and see what happens.

Q5. I have utilized Amante4's essay (vendor-defined encryption / lc_set_attr $0f) to obtain valid license keys for
my target. However, when I use the same method (that is, BP the exit points of the vendor-defined encryption
routine) to get the keys for the next release of the target, I realize that the routine is not called at all. I assumed that
it could be due to the target calling lc_set_attr to indicate a vendor-defined checkout filter; However, my
disassembly didn't show a push 0000002D (if I remember correctly ;-) prior to calling lc_set_attr.

In addition, my target seems to call lc_set_attr(b) = 11 = LM_A_NORMAL_HOSTID which is undocumented. I
don't like to patch lc_checkout to return a 0 always; my target detects that and though it runs initially, it is not very
functional. May I kindly request some assistance in this matter; have you ever come across such a situation?

A5. I recently worked on an application where I knew I had the right keys and seed, but could not get them to
work. My target had checkout filters. I found that the vendor was doing something in the daemon itself. There are
two daemons the lmgrd and a vendor daemon. So basically all I did was compile the vendor daemon and replace it
with mine ... it worked.

Q6. I have a demo license for software protected by FLEXlm v6.1. I saw something unusual in the feature names:
this particular software used special characters like $, /, \ in the feature name, as shown below :-

FEATURE my$feature .....
FEATURE my/feature .....

I was able to extract the vendor seeds and generate licenses for features which did not contain the special characters,
but when I tried for my$feature, I got an error message saying that special characters are not allowed in the feature
name. Can anyone let me know how to generate a license with special characters in the feature name?

A6. I think that it may still generate correct keys even though it gives you a warning - try -verfmt 4 to lmcrypt
maybe. I can't remember if that does it or not, but some Sun stuff does this.

...& yet more FLEXlm Snippets...

"One alternative method of custom encryption of the FLEXlm seeds (that does not use the lm_set_attrib() function to
set either user encryption or user filter) is implemented by rsinc. IDL http://www.rsinc.com uses custom encryption
of all the vendor information. All the license checkouts including the FLEXlm routines are located in the idl32.dll.
There is a routine that generates the VENDORCODE structure and the VendorID string prior to calling lc_init. It also
sets a flag in the LM_HANDLE->CONFIG structure for alternate generation of the VENDORCODE seeds (look
at l_sg, l_n36_buff call in the lmgr326b.lib).

Upon the first call to l_sg from lc_init, a standard (l_key) routine is called to generate the crypt keys. On the
second l_sg call (from lm_checkout for instance), alternate crypt seeds are generated in a custom l_n36_buff
routine, and naturally FLEXlm generates a wrong key message (-8)".

"Mentor Graphics - The daemon's name is mgcld. They check the vendor string using a proprietary checksum
algorithm. If you get the message "FATAL CS ERROR" it's because you don't have the checksum correct. It's not
all that tough a protection - basically certain information such as the start date, number of licenses, expiry, and
feature name are combined. This is run through a checksum routine, and the value compared against the one
supplied in the vendor_string".

Specific Targets (to be extended)

Cossap (simulation program from Synopsys) on HPUX 10.20. Older Synopsys products use vendor defined
encryption, so simply getting the seeds is insufficient to generate valid licenses. You will have to firstly generate a
license file containing a set of licenses without the vendor defined encryption, then set a breakpoint at the vendor
defined encryption routine (this is easy to find, since lc_set_attr is used to force FLEXlm to use this routine), then
look at the return values from that routine. There will be multiple calls to the routine, about 3 for every feature.
Later products use SCL (Synopsys Common Licensing) which has a different vendor name, and uses user crypt
filters instead.

My target is Synplify, which uses FLEXlm v6.1 linked statically. After reading Dan's essay I tried to find out the
vendor codes / seeds his way, but in my target the "vector call" never occurs. In _l_sg it always uses the standard ^key5
method. It seems like my target calls lc_init, not lc_new_job. So I tried the usual ways to get the seeds, generated a
license file and... nope. My target contains a vendor checkout procedure, but a bpx there never breaks - maybe some
earlier test leads to -8? My question is: does the FLEXlm v6.1 library obfuscate keys in any way if the client simply
calls lc_init, not lc_new_job?

Think this one needs a special vendor defined hostid - also there was something that had to be in the vendor string.
It's now solved, it actually was the problem with vendor-defined hostid, I simply didn't know that I need to include
the vendor-defined hostid functions in my key generator, I thought (how stupid I was), that it's needed only by
client side. I've included a function from examples modified to return label = 'SKEY' and type=1003. The actual
value returned doesn't matter and voila! My key generator works.

'SKEY' type=1003 is used for evaluation licenses (thus length SKEY = %.8X) and type=1001 for dongle based
licenses (thus length SKEY = %.4X).

FLEXlm Piracy Concerns


Just an interesting publicity snippet (this refers to a very well known message board in the east ;-) ).

SAN JOSE, Calif. — An online EDA discussion group is circulating tips on how to get free software by illegally
cracking FLEXlm license managers, EE Times has learned. The group has come to the attention of EDA activist
John Cooley, who says he'll reactivate his "Stealthnet" mailing list to warn EDA vendors about the potential thefts.

FLEXlm, from Globetrotter Software, is used by nearly all EDA vendors to manage a variety of licensing schemes.
Although it's not positioned as a security system, many vendors rely on FLEXlm to protect their software from
piracy. But FLEXlm has been attacked by hackers in the past, prompting Cooley to launch Stealthnet in 1999, a
private mailing list for EDA vendor representatives to share information about hacking activity.

The latest attacks come from a discussion group that Cooley has declined to publicly identify, on the grounds that
anyone who finds it will have immediate access to a lot of illegal software. Numerous postings, some confirmed by
EE Times, share tips on how to crack FLEXlm or point to Web sites containing code for breaking licenses on
specific EDA products.

"Basically, these guys are doing things like downloading evaluation copies of [Model Technology] ModelSim and
cracking licenses," Cooley said. "They have no intention of buying it." While some participants in the discussion
group are apparently from China — where software theft is rampant — others appear to be from established U.S.
or European companies like AMD and Infineon, Cooley noted.

One individual, using an anonymous Yahoo address, boasted of hacking FLEXlm licenses on products from Altera,
Novas, Exemplar, Agilent EEsof, Innoveda, Synopsys and Avanti, among others. This individual offered to help
readers crack licenses for other tools as well. "So if you have tools that are not listed above or newer releases, I am
very glad to check them for you," wrote this helpful individual. "The purpose of me [sic] is to find a robust way for
FLEXlm cracking."

Cooley, moderator of the E-Mail Synopsys User's Group (ESNUG), said he could understand why an EDA user
might want to temporarily bypass a FLEXlm license. "But when the purpose is to steal the software and never pay
the EDA vendor, that's problematic," he said. "I lose in the long run because they [EDA vendors] don't develop
better software." Rich Mirabella, vice president of marketing at Globetrotter Software, said he wasn't aware of any
new attacks on FLEXlm. But, he acknowledged, they've happened "on and off for over five years."

Mirabella emphasized that FLEXlm is positioned as a licensing manager, not a security system. "The business
purpose is to allow software vendors to offer licensing models that match how people use their products," he said.
"The security is there to keep honest people honest. In every release we do things to increase the security, but it's
like an arms race — we do stuff, the hackers do stuff."

Mirabella said that Globetrotter has participated in several criminal prosecutions of people who have hacked
FLEXlm and has helped shut down hacker Web sites in the U.S. and abroad. But the actual party injured is the
software vendor, he noted; Globetrotter assists in prosecutions but is not the plaintiff in these cases. United States
copyright laws, Mirabella said, provide penalties of up to five years in prison and $500,000 fines for hacking
products such as FLEXlm. But people outside the U.S. are subject to the laws of the host country, he noted.

Mirabella downplayed the role of FLEXlm hacking on EDA revenues. "I'm sure it does happen on occasion, but in
the high end you wouldn't see it much," he said. "The kinds of companies that use those products wouldn't engage
in these kinds of practices." Some hacking does take place, he said, with "low end" products such as pc-board
layout tools, which might be used by small, struggling companies.

Much more revenue loss, he said, comes from honest companies who lack the means to keep track of licenses in
networked environments. When Cooley launched Stealthnet in 1999, Globetrotter was critical. Matt Christiano,
Globetrotter's chief executive, wrote an angry letter to ESNUG stating that Cooley's efforts could encourage
hackers and cause EDA vendors to seriously inconvenience users.

But some EDA vendor representatives lauded Cooley's efforts. "I want to thank you on behalf of the EDA industry
for your handling of the situation and condemning of these hackers," wrote Rob Genco, director of software
operations at Synopsys. Mirabella scoffed at Cooley's intent to relaunch Stealthnet. "If issues arise, users and
software vendors should come to us directly," Mirabella said. "I don't see any value added that John Cooley brings
to the situation. It's not clear what his agenda is."

Cooley responded that Globetrotter is trying to avoid any public discussion of potential problems with FLEXlm.
He didn't contact Globetrotter about the EDA discussion group, he said, because of the company's negative
reaction last time. Cooley will announce the relaunch of Stealthnet, open only to confirmed EDA vendor
representatives, in an upcoming ESNUG bulletin. Previous bulletins, including several past discussions of FLEXlm
hacking, are archived at the EDTN DeepChip Web site.

See reversers ;-), by exposing these snake oil salespeople you might 'seriously inconvenience users' by forcing
developers to learn a little about protections cracking, god forbid.....

Seeds
On the other side I am currently in the process of building and maintaining a FLEXlm vendor & seed database;
after some consideration (from several e-mails I might add ;-) ) I have decided to make this list private, since
with these just about anyone can generate licenses.

SentinelLM / ElanLM
Generating your own SLM installation serial number couldn't be easier, with these instructions by scorpie.

Assuming desired Vendor ID = 0x1ABC.

1. Form the hexadecimal number 1ABC1ABC.
2. Find the binary equivalent of the above number: 0001 1010 1011 1100 0001 1010 1011 1100
3. Make groups of two bits of the number above: 00 01 10 10 10 11 11 00 00 01 10 10 10 11 11 00
4. Map each 2-bit group with the rule: 00 --> 01, 01 --> 11, 10 --> 00, 11 --> 10.
5. Point 3 will become: 01 11 00 00 00 10 10 01 01 11 00 00 00 10 10 01
6. Convert point 5 to HEX again: 70297029
7. Shift right (1D positions) point 6: T1 = 00000003
8. Shift left (3 positions) point 6: T2 = 814B8148
9. Find T1 OR T2 = 814B814B
10. From point 1 and point 9, form 4B81BC1A (this is the byte reverse of the above).
11. Repeat points 2 -- 6 for the HEX number 4B81BC1A, and we get: D2172970
12. Repeat point 7 on the result of point 11: S1 = 00000006
13. Repeat point 8 on the result of point 11: S2 = 90B94B80
14. Find S1 OR S2 = 90B94B86
15. The serial number for Vendor ID=1ABC is 864BB990 (hexadecimal) = 2253109648

SentinelLM v7.2 information (courtesy of myself) - A good indication of the version of SentinelLM being used is
the actual file version info from the file lsapiw32.dll e.g. 7.2.0.0 = v7.2.

SentinelLM v7.3 information - this courtesy of FoxB (applicable to patching WlscGen.exe).

"Query/Response length is 0x10, algo cells are 0x0C, 0x20, 0x28, 0x2C. The table emulation passed - all response
place in WlscGen.exe. Cell 0x0F = 0x800".

SentinelLM SDK v7.1, v7.2, v7.3 & Sentinel RMS v8.0 (regrettably, as with the FLEXlm SDKs, this download is
now on the other side). Or check here.

ElanLM API Guide :- (138k).
SentinelLM Remover :- A tool that claims to generically remove SentinelLM (237k). I'd be pretty interested to
know which SentinelLM targets this has been tested with because it doesn't seem to recognise SentinelLM at all.
SentinelLM v7.1 Programmer's Reference Manual :- (692k).
SentinelLM v8.0.2 Developer's Guide :- (1.5Mb).
SentinelLM v8.0.2 Programmer's Reference Manual :- (1.3Mb).
SentinelLM [8.0.x /7.x.x] license decode utility, v1.01 public (c)2007 by souz :- Utility to decode SentinelLM
license information (241k).
SentinelLM Signatures for IDA :- Courtesy of Nolan Blender (40k).
SentinelLM Toolkit :- Includes a SDK serial number generator and vendor array generator, courtesy of me &
moZfet (CROSSFiRE) (632k).
SentinelLM Vendor ID to Serial Number :- Type in your desired Vendor ID and this little tool will give you the
SentinelLM installation serial number (619k).
Wlscgen Patch for SentinelLM SDK v7.1 :- Remove the dongle for Wlscgen (17k).

Document Title | Description | Date
Code Archaeology with ElanLM | Reviving functions from the past, courtesy of pilgrim. | Jan 2001
Delphi v5.0 Trial | Cracking the SentinelLM Delphi v5.0 Trial, courtesy of CyberHeg. | 22/11/00
MrSID GEOSPATIAL ENCODER v1.4 | Cracking the SentinelLM protected program MrSID GEOSPATIAL ENCODER v1.4 Desktop edition, courtesy of CyberHeg. | 22/11/00
SentinelLM Cracking | Removing need for dongle in SentinelLM Wlscgen.exe, courtesy of CyberHeg. | 21/11/00
SentinelLM Installation Cracking | Generating keys for SentinelLM, courtesy of Nolan Blender. | 20/11/00
SentinelLM Investigation | My own generic research paper into SentinelLM. | September 2001
Wlscgen.exe For You | Creating your own Wlscgen courtesy of Mayaputra. | February 2006

A big thanks goes to CyberHeg & Nolan Blender for providing most of the content here.


© 1998-2007 CrackZ. 7th October 2007.
