Synopsys License Keygen
Obtaining Your License Keys. To obtain your license key file from SmartKeys. Go to the SmartKeys Web page at 2. Synopsys Saber V2004.06 Sp1 was added to DownloadKeeper this week and last updated on 17-Apr-2020. New downloads are added to the member section daily and we now have 357,713 downloads for our members, including: TV, Movies, Software, Games, Music and More. It's best if you avoid using common keywords when searching for Synopsys Saber V2004.06 Sp1.
Synopsys TCAD Sentarurus 2012 Full Version at izofile. This powerful engineering software is now available with various impressive tools, presets and features. Besides, the program offers advanced process simulation, device simulation, interconnect simulation in addition to powerful framework. It also has a powerful strcuture editor tools in addition to calivration and services section. TCAD Sentarurus Crack Free Download provides all the necessary tools to optimize process modules and integration by fully exploring the process parameter space while reducing the number of experimental wafers and development cycles.
Moreover, you can simply apply TCAD to capture and analyze the impact of process variation on device performance. Synopsys TCAD Sentarurus 2012 Keygen allows you to increase process capability, robustness and yield. This Technology Computer Aided Design “TCAD” is the only software enabling you to develop and enhance semiconductor processing technologies and devices. This engineering tool has a new interactive user interface with the most outstanding developed tools every engineer will need to apply various simulations.
The program allows you to solve a wide range of fundamental, physical partial differential equations including: diffusion and transport equations, to model the structural properties and electrical behavior of semiconductor devices.
– Lets you receive simulation predictive accuracy for a broad range of technologies.
– Works on reducing experimental runs on real wafers.
– Allows you to reduce the costly and time-consuming test wafer runs when developing and characterizing a new semiconductor device or technology.
– Intuitive workflow user interface.
– Allow engineers to explore product design alternatives.
– Meet performance goals even when experimental data is not readily available.
– Enable engineers to do simulation split runs such as Design of Experiment (DOE) to comprehensively characterize and optimize the process.
– Widely used by various manufacturings, engineers etc.
– Offers a mechanism for advanced process control during mass production, thereby improving parametric yield.
ScreenShots:
Synopsys TCAD Sentarurus 2012 Full Version System Requirements:
– Operating System: Windows 7/8/8.1/10.
– Hard disk space: 6GB free space or more.
– RAM: 4GB (8GB recommended).
– High speed internet connection.
How to install Synopsys TCAD Sentarurus 2012 Full Crack:
1- First of all, click on the direct download link below.
2- Then, download the full software directly to your windows operating system.
3- Also, run the software to install.
4- Moreover, use the given crack and keys to activate the software.
5- Also, Finalize the installation.
6- Finally, enjoy this powerful software.
FLEXlm - (License Management for the commercial fools)
On February 7th 2005 Macrovision were once again successfulin scaring my webhost into shutting down this page. This is nowthe 2nd time they have decided to exercise their legal teams (unlikemost protectionists who actually improve their software, heavenforbid!), the shutdown lasted about 2 weeks.| FLEXlm, or the 'flexible lies manager' depending upon your viewpoint. With so many versions out there you might well be wondering which one you might be reversing today, or how any developer could possibly put their trust in this system, all of what I write below still applies to the current versions (v9.x), quotes taken from Macrovision (all copyrights reserved etc, etc) since they've tried before to close me down. |
*NEW from scorpie* : Generate your own SentinelLM installationserial numbers.
*NEW from Sp0Raw August 2007* : FLEXlmVENDORCODE's list.
*NEW August 2006*
I have made available now the source code to Nolan BlendersLmkg. This will allow you to generate your own vendor keys andCRO keys for any given vendor name upto v9 behaviour, trivialaddition to the code will also allow generation of v10 compatiblekeys, download it here now (141k).As an additional bonus here isa FLEXlm v10.0 vendor key generator courtesy of tom324 (18k).
*NEW*FLEXlmVendor Key Generator 3.0 (generates v4-v11 compatible keys(94k)).
Hey! FLEXlm afficionados, have you readmy latest paper on FLEXlm v8.x & v9.x?, if not read it here now(new in 2004!) and heres a quick tip for quickly recovering theseeds!.
'The default value to clean theseeds variable is 3D4DA1D6h. A lot of vendors are lazy or foolishand don't change this default value. So, a very easy way is justsearch the pattern 3D4DA1D6h in disassembled codes. You'll geta lot of codes like this : mov [ebp-xxxx], 3D4DA1D6h. Just breakon every instance containing this value and .... run. If theprogram is checking the license, write down the value in [ebp-xxxx]when the first breakpoint is reached. It's your seed1 (not XORedwith key5, it's original seed1). The second breakpoint you get,it's seed2. And trace a little back to the function entry, thekeys (1~4) are in the parameters. Anyway, this method won't workfor every case, but for beginner, it's easy to learn. ;-).'
FLEXlm 'speak'
'best-of-breed encryption technology' - Aroundv8.1 Macrovision finally managed to implement a secure productfrom license generators (after buying in the services of Certicom).A glorious history of well appreciated security concepts suchas 'xor encryption', 'hiding keys with random data', 'securityby obscurity' & 'weak random number generation' have finallybeen cast aside. Dare I say, try hard enough and eventually you'llget it right?. The advent of good encryption has made most safenow from license generators, the trouble is, trivial patches arestill able to defeat FLEXlm.
'Using Macrovision Consulting Services to implementthe optimal licensing solution for your business.' -Since these guys can't even secure their own flagship product,I wouldn't let them near anything I was serious about protecting.
I encourage all potential buyers of FLEXlm to read Macrovision'spage and then flick back here to my page, if you can believe anythingthat Macrovision says afterwards then please go ahead and useFLEXlm for your product...In fact Macrovision has somethingof a glorious history in software protecting, their own Safecastand CD technologies have been cracked for years as well.
http://www.globetrotter.com& now purchased by Macrovision(or should that be Microvision ;-) ).
Many of my readers familiar with high end or specialist applicationswill already know FLEXlm well, in certain markets GlobeTrotterhave really started to establish themselves on the Windows platform.As there is now sufficient material I have sub classed FLEXlminto its own section. I do advise you read the FLEXlm manualsvery carefully as well as downloading the SDK's and tools availablebelow.
FLEXGen
Released by RBS, BlastSoft's FLEXGen exploits many of the earlyholes identified in the FLEXlm dll's. FLEXGen is unlikely to besupported in the future due to BlastSoft's retirement from thescene. The FLEXGen link has been restored (by popular demand)and now includes the full source code (please don't abuse this;-) ).
FLEXGen (total size approx3.12Mb's).
FLEXlm SDK + Utilities
Below you'll find decryption keys for older SDK's and manyof the latest versions. You might like to download the followingFLEXlm tools (166k) :-
Nolan Blender's lmvkey5 v1.0 & lmrecode.
prs's FLEXlm Key 5 Generator.
UCF's FlexSeedGen v0.3.
Still confused?, then read my tutorial for SDS /2 below (describesvery basic FLEXlm operation). These old modified FLEXlmdll's are courtesy of ZiGo, his page has long since been removedfrom the web, they remain here now purely for historical reference(100k).
GlobeTrotter have removed the SDK from most of the web andtheir public FTP because of security concerns (only 3 months afterRBS released BlastSoft's FlexGen which used holes in the dll's).Interestingly GlobeTrotter's only real response to this has beento blacklist ISSUER=BlastSoft by name (clearly visible in disassemblylistings of the latest dll's), albeit there are also some algorithmicenhancements and hiding of the keys.
SDK's (September 2003)
Due to bandwidth constraints and also my desire to encouragethe community to contribute to my sitethe FLEXlm SDK downloads have been removed and are now only availableto those granted access to the other side. Here are a list ofthe versions currently available, (thanks to sporaw for correctingsome of my version inaccuracies).
FLEXlm SDK SUN version.
FLEXlm v5.0b, v5.0e Update, v5.12, v6.0k, v6.1g, v7.0a, v7.0b,v7.0d, v7.0e, v7.0f, v7.0g, v7.1b, v7.1c, v7.1d, v7.1e, v7.1f,v7.2a, v7.2c, v7.2d, v7.2e, v7.2f, v7.2g, v7.2h, v7.2i, v8.0b,v8.0c, v8.0d, v8.1a, v8.1b, v8.3b, v8.4a, v8.4b, v9.0, v9.2d SourceCode, v9.2.2, v9.2i (total 37 SDK's).
FLEXlm v8.1 ECC Patcher- patches return value of _l_pubkey_verify().
FLEXlm v8.x lmv8gen - generatevendor keys for v8.x+ of FLEXlm (17k).
FLEXlm system ID changer for IRIX6.5 (courtesy of WellMoon) (2k).
I'm sorry to say that although I possess several Linux SDK'sthey will not ever be placed here, thats just the way it is I'mafraid.
License Keys (as required)
Skyrim special edition ps4 update. v5.12 - 5537-2182-6912-6163-32.
v6.0 - 7445-5305-5517-4801-06 or 2143-0909-0581-5196-06 (v6.0k).
v6.1g - 7334-3535-3425-7783-1261-6354-07 or 7461-5321-5517-4305-07.
v7.0a/b - 1631-3020-1109-7436-47.
FLEXlm license sniffing
This is the core of a very rough yet interesting text I receivedfrom Skullcoder.
Hello CrackZ, I have a lot of pleasant hours playing with VirtuoZosoftware license creation and have no success with license generationat all using standard methods of seed & vendor codes recovery.I already have good practice with FLEXlm deprotection but VirtuoZoimplementation made me really stuck. Once I have visited yourwebsite and read really interesting issue by Acme about 'alternativelicense generation' for FLEXlm 5.1. You may know this issuedoesn't work for v6.1 and future versions but inspired by thisI have discovered how a license can be created in a similar way.
I'll describe the method in few words and probably you'll bringmy ideas to more people interested in FLEXlm 6.1/7.0 license keysfor 1-3 features without Genlic32 or Flexgen but just with SoftICE.The software has just v6.1 FLEXlm code implemented into about30 executables with nothing special. I've turned on FLEXlm diagnosticsinside registry and discovered feature name and version. Vendorname was easy to find too. Next I have played a lot with seedsand vendor code before discovering a really interesting part ofcode (address .4712F0). 'It really looks like license creation',I continued with tracing this part of code. Next part appearsreally cool (address .471538) because it looks like usual text-with-binarycomparison!.
Voila! At address .4715EC you can see the best part of allFLEXlm code -- license number from license.dat and generated numbercomparison. That's all. You can have it directly by typing :DDS:71E1B8 or by passing all JNE 471613 with zero flag and waitwhile FLEXlm converts this binary to text string at .471609!.Another interesting thing has been revealed. This procedure havebeen called twice so not only one valid license number can begenerated but some more :-).
.004712CF: push esi
.004712D0: call .0048EDA8 -------- (1)
.004712D5: add esp,00C ;'
.004712D8: jmps .004712DD -------- (2)
.004712DA: mov esi,[ebp][0000C]
.004712DD: mov d,[ebp][-0004],0 ;'
.004712E4: cmp d,[ebp][-0024],0 ;' '
.004712E8: jle .004714C9 -------- (3)
.004712EE: xor eax,eax
.004712F0: mov cl,[eax][esi] <-- Making license number
.004712F3: xor [eax][0071E1B8],cl
.004712F9: inc eax
.004712FA: cmp eax,8 ;'
.004712FD: jl .004712F0 -------- (4)
.004712FF: cmp d,[ebp][-0004],000 ;' '
.00471303: jne .004714AA -------- (5)
.00471309: mov ecx,[ebp][00008]
.0047130C: cmp d,[ecx][00000020C],000 ;' '
.00471313: jne .00471454 -------- (6)
Continuing the code :-
.00471521: mov d,[ebp][-0008],000000008 ;'
.00471528: cmp d,[ebp][00018],066D8B337 ;
.0047152F: jne .00471538 -------- (1)
.00471531: mov d,[ebp][-0008],000000006 ;'
.00471538: xor esi,esi <-- Starting to compare.
.0047153A: cmp [ebp][-0008],esi
.0047153D: jle .00471601 -------- (2)
.00471543: lea edi,[ebp][-0020]
.00471546: mov bl,[edi]
.00471548: call __p___mb_cur_max ;MSVCRTD.dll
.0047154E: cmp d,[eax],001 ;'
.00471551: jle .00471564 -------- (3)
.00471553: movsx eax,bl
.00471556: push 004
.00471558: push eax
.00471559: call _isctype ;MSVCRTD.dll
.004715D6: je .004715EC -------- (1)
.004715D8: movzx eax,bl
.004715DB: push eax
.004715DC: lea edx,[esi][00071E1B8]
.004715E2: push esi
.004715E3: push edx
.004715E4: push d,[ebp][00008]
.004715E7: call ecx
.004715E9: add esp,010 ;'
.004715EC: cmp [esi][00071E1B8],bl <- Guess what?
.004715F2: jne .00471613 -------- (2)
.004715F4: add edi,002 ;'
.004715F7: inc esi
.004715F8: cmp [ebp][-0008],esi
.004715FB: jg .00471546 -------- (3)
.00471601: push d,[ebp][00018] <-- Converting number to stringfor us
.00471604: push 0071E1B8 ;' qá¸'
.00471609: call .004716AC -------- (4)
.0047160E: add esp,008 ;'
.00471611: jmps .00471615 -------- (5)
Needless to say, you should be able to find something usefulamongst this snippet to search for with your hex editor.
v7.2 Snippets
Preliminary comments on v7.2x of FLEXlm from 2 separate individuals.
'v7.2 has several changes : (a) 4 vendor seeds; (b) CROkeys. I tried to make a daemon with specific seeds and keys, andcompile a new demo.exe and lmcrypt.exe. However, the license generatedfrom lmcrypt can not be accepted by demo.exe. I think the majorproblem is that the seed3 and seed4 are assigned by myself'.
'Unfortunately the seeds are not stored in the daemon.The ECC specific seeds 3 and 4 are used to make the public andprivate keys. The daemon and/or the application reads the SIGN=from the license file and only validates the signature, not theactual key. The private key used to do the signing is only compiledinto the lmcrypt binary. Retrieving seed 3 and 4 will first bean excerise in factoring the ECC, then once the private key isdetermined, you must reverse how the private key is generatedfrom the seeds. Good luck with this.'
So at this early stage it looks very much like we are backto patching ;-).
| Document Title | Description | Date |
| Ansoft Serenade v8.5/v8.7 | FLEXlm license generating with some help from FLAIR. | 30/12/01 |
| Crypt Filters | Describing how crypt filters are implemented and cracked using standard tools, courtesy of Nolan Blender. | 21/11/00 |
| ECC FLEXlm | Discussion of an early vulnerability in the FLEXlm ECC add-on. | Dec 2001 |
| 'How to crack a PC-based license manager' | FLEXcrypt & FLEXlm cracking by pilgrim (2 essays integrated). | 30/10/98 07/01/99 |
| 'FlexLock ..less secure than the rest of FLEXlm' | FlexLock cracking, third essay courtesy of pilgrim. | June 1999 |
| IMSL & ANSYS | External FLEXlm reversing. 'On software reverse engineering (IMSL)' April 7, 2004. 'Advanced study on FlexLM system (ANSYS)' June 23, 2004. | April/June 2004 |
| Information hiding methods used by FLEXlm targets | Describes how newer versions of FLEXlm hide the important seed codes. By FLEXlm specialist Nolan Blender. | October 1999 |
| lc_new_job() FLEXlm v6.1 by dan | Great essay describing the obfuscating methods used by GlobeTrotter to at least make reversers work to recover the keys. | September 1999 |
| Reversing GlobeTrotter's FLEXcrypt | Key extraction and encryption algorithm reversing. By Nolan Blender. | 17/09/99 |
| SDS2 v6.112 | Simple example demonstrating how to generate FLEXlm licenses. | 28/08/99 |
| Siul+Hacky's FLEXlm Linux Cracking | A very good document describing Linux debugging / disassembling and FLEXlm weaknesses (the precursor to the floodgates). | July 1999 |
| UGFLEX - modified FLEXlm by Unigraphics | Macilaci's first foray inside Unigraphics. | 15/11/99 |
| UGFLEX2 - let UGFLEX generate the keys for you | Macilaci's second Unigraphics tutorial, this time to generate the correct keys. | 16/11/99 |
| Using FLEXlm Internal Diagnostics | Using FLEXlm Internal Diagnostics to reveal ALL courtesy of Acme. | Jul. 1999 |
| Vendor Defined Encryption (locating and reversing) | Protection customisation for developers, courtesy of Amante4. | 08/01/00 |
| Zendenc | More FLEXlm tips from Nolan Blender. | June. 2001 |
FLEXlm Crypt Filters & Other Questions
Most of this is reworked from posts I saw at Fravia's MessageBoard (it may however be useful even if the questions are targetrelated) :-
Q1. I have read most all the essays I could getmy hands on and the API, header files, observed lc_set_attr etc,etc. Yet I still can't seem to generate correct codes with thekeys/seeds I extract. The target is Pixar Renderman, found a copyand thought it would be fun to play around with. At any rate,I'm not positive that I have the correct vendor key 5, althoughfrom previous posts, I gather that the only thing used to makethe keys, is the seeds. Has this changed in Flex 6.1?.
A1. Another poster has mentioned that this productuses crypt filters. Although this makes it more difficult, itis still possible to keygen these as well. The key is to understandwhat the filter does. If you have the 6.1 FLEXlm SDK, start byexamining what happens when you use the -filter_gen argument tolmrand1.exe. One approach may be to write your own program whichincorporates the crypt filters, then examine what goes in/outof the filter subroutines.
Q2. How can I find more features in the programwhich was encrypted by FLEXlm? Such as Cadence Specctra, I havelooked through all .exe .dll files, but I can't find similar features.Other programs which were integrated with lmgrxxx.dll, I alsocan't find more features. I can only find one feature prior tolc_checkout, where were the other features placed?.
A2. You can often find the features by doinga search of the executable for the feature you know - often theother features are very close to it in the binary. One thing youcan do is start up the cdslmd server and see if the program istrying to check out any specific features - attempts to checkout unsupported features will show up in the log file. I've foundthat there's usually an attempt to check out a license beforeit bombs; A few programs call lc_get_config and then check thereturned list for features.
Either way, you find out what it is trying to do. Try searchingeverything for _ALL to see if you can find anything. Tell me theversion of FLEXlm that cdslmd uses, plus the first two bytes ofENCRYPTION_SEED1 and I may be able to help you more.
Q3. I used IDA in conjuction with SoftICE toget a nice map of a particular vendor daemon. Everything was goinggreat, I loaded the *.nms with Symbol Loader. I set the followingbreakpoints - lc_init, l_sg, l_key, lc_checkout and a memory addressclose to l_sg (just for the hay of it). I wrote out a dummy licensefile and tried both node-locked and floating models with 0'edout encryption strings. I then tried firing up my target on bothaccounts and nothing. SoftICE never broke.
I spent the next 20 or so minutes trying to figure out whatwas wrong. I restarted and stopped the license server and madesure the dat file syntax was correct. Just as an experiment Idouble clicked on the vendor daemon and SoftICE broke on all ofthe bpx except lc_checkout and not the bpm. I got inside lc_init,then l_sg, inside l_sg was l_key I searched around in there andI managed to find the major version in memory. I read some essays,and none of them could seem to help. I already have the vc's andes's for this target, but I would like to find them myself.
A3i. Most likely the FLEXlm libs are built intothe target itself (you don't need a daemon running, the targetapplication looks at the license directly). Try putting USE_SERVERin the license file after the SERVER and DAEMON lines.
Q4. I try to make a license with 20 characters,but I can't. I have the good seeds and vendors keys and have modifiedlsvendor.c:ls_a_lkey_long=1 & ls_a_lkey_start_date=1, my licensehad 16 characters.
A4. lsvendor.c is only for building the daemon- try building lmcrypt, then use lmcrypt -verfmt 5 -longkey license.datand see what happens.
Q5. I have utilized Amante4's essay (vendor-definedencryption / lc_set_attr $0f) to obtain valid license keys formy target. However, when I use the same method (that is, BP theexit points of the vendor-defined encryption routine) to get thekeys for the next release of the target, I realize that the routineis not called at all. I assumed that it could be due to the targetcalling lc_set_attr to indicate a vendor-defined checkout filter;However, my disassembly didn't show a push 0000002D (if I remembercorrectly ;-) prior to calling lc_set_attr.
In addition, my target seems to call lc_set_attr(b) = 11 =LM_A_NORMAL_HOSTID which is undocumented. I dont like to patchlc_checkout to return a 0 always; my target detects that and thoughit runs initially, it is not very functional. May I kindly requestfor some assistance in this matter; Have you ever come acrosssuch a situation?.
A5. I recently worked on an application whereI knew I had the right keys and seed, but could not get them towork. My target had checkout filters. I found that the vendorwas doing something in the daemon itself. There are two daemonsthe lmgrd and a vendor daemon. So basically all I did was compilethe vendor daemon and replace it with mine .. it worked.
Q6. I have a demo license for software protectedby FLEXlm v6.1, I saw something unusual in the feature names,this particular software used special charaters like $, /, inthe feature name, as shown below :-
FEATURE my$feature ...
FEATURE my/feature ...
I was able to extract the vendor seeds and generate licensesfor features which did not contain the special charaters, butwhen I tried for my$feature, I got an error message saying thatspecial characters are not allowed in feature name. Can anyonelet me know, how to generate license with special characters infeature name?.
A6. I think that it may still generate correctkeys even though it gives you a warning - try -verfmt 4 to lmcryptmaybe. I can't remember if that does it or not, but some Sun stuffdoes this.
..& yet more FLEXlm Snippets..
'One alternative method of custom encryption of the FLEXlmseeds (that do not use the lm_set_attrib() function to set eitheruser encyption or user filter) is implemented by rsinc. IDL http://www.rsinc.com uses customencryption of all the vendor information. All the license checkoutsincluding the FLEXlm routines are located in the idl32.dll. Thereis a routine that generates the VENDORCODE structure and the VendorIDstring prior calling lc_init. It also sets a flag into the LM_HANDLE->CONFIGstructure for alternate generation of the VENDORCODE seeds (lookat l_sg, l_n36_buff call in the lmgr326b.lib).
Upon the first call to the l_sg from the lc_init, a standard(l_key) routine is called to generate the crypt keys. On the secondl_sg call (from the lm_checkout for instance), alternate cryptseeds are generated in a custom l_n36_buff routine, and naturallyFLEMlm generates wrong key message (-8)'.
'Mentor Graphics - The daemon's name is mgcld. They checkthe vendor string using a proprietary checksum algorithm. If youget the message 'FATAL CS ERROR' it's because you don'thave the checksum correct. It's not all that tough a protection- basically certain information such as the start date, numberof licenses, expiry, and feature name are combined. This is runthrough a checksum routine, and the value compared against theone supplied in the vendor_string'.
Specific Targets (to be extended)
Cossap (simulation program from Synopsys) on HPUX 10.20. OlderSynopsys products use vendor defined encryption, so simply gettingthe seeds is insufficient to generate valid licenses. You willhave to firstly generate a license file containing a set of licenseswithout the vendor defined encryption, then set a breakpoint atthe vendor defined encryption routine (this is easy to find, sincelc_set_attr is used to force FLEXlm to use this routine), thenlook at the return values from that routine. There will be multiplecalls to the routine, about 3 for every feature. Later productsuse SCL (Synopsys Common Licensing) which has a different vendorname, and uses user crypt filters instead.
My target is Synplify, which uses FLEXlm v6.1 linked statically.After reading Dan's essay I tried to find out the vendor codes/ seeds his way, but in my target 'vector call' neveroccurs. In _l_sg it always uses standard ^key5 method. It seemslike my target calls lc_init, not lc_new_job. So I tried usualways to get the seeds, generated license file and.. nope. Mytarget contains vendor checkout procedure, but bpx there neverbreaks - maybe some earlier test leads to -8?. My question is: does FLEXlm v6.1 library obfuscate keys in any way if the clientsimply calls lc_init, not lc_new_job?.
Think this one needs a special vendor defined hostid - alsothere was something that had to be in the vendor string. It'snow solved, it actually was the problem with vendor-defined hostid,I simply didn't know that I need to include the vendor-definedhostid functions in my key generator, I thought (how stupid Iwas), that it's needed only by client side. I've included a functionfrom examples modified to return label = 'SKEY' and type=1003.The actual value returned doesn't matter and voila! My key generatorworks.
'SKEY' type=1003 is used for evaluation licenses (thus lengthSKEY = %.8X) and type=1001 for dongle based licenses (thus lengthSKEY = %.4X).
FLEXlm Piracy Concerns
Just an interesting publicity snippet (this refers to a verywell known message board in the east ;-) ).
SAN JOSE, Calif. — An online EDA discussion group is circulatingtips on how to get free software by illegally cracking FLEXlmlicense managers, EE Times has learned. The group has come tothe attention of EDA activist John Cooley, who says he'll reactivatehis 'Stealthnet' mailing list to warn EDA vendors aboutthe potential thefts.
FLEXlm, from Globetrotter Software, is used by nearly all EDAvendors to manage a variety of licensing schemes. Although it'snot positioned as a security system, many vendors rely on FLEXlmto protect their software from piracy. But FLEXlm has been attackedby hackers in the past, prompting Cooley to launch Stealthnetin 1999, a private mailing list for EDA vendor representativesto share information about hacking activity.
The latest attacks come from a discussion group that Cooleyhas declined to publicly identify, on the grounds that anyonewho finds it will have immediate access to a lot of illegal software.Numerous postings, some confirmed by EE Times, share tips on howto crack FLEXlm or point to Web sites containing code for breakinglicenses on specific EDA products.
'Basically, these guys are doing things like downloadingevaluation copies of [Model Technology] ModelSim and crackinglicenses,' Cooley said. 'They have no intention of buyingit.' While some participants in the discussion group areapparently from China — where software theft is rampant —others appear to be from established U.S. or European companieslike AMD and Infineon, Cooley noted.
One individual, using an anonymous Yahoo address, boasted ofhacking FLEXlm licenses on products from Altera, Novas, Exemplar,Agilent EEsof, Innoveda, Synopsys and Avanti, among others. Thisindividual offered to help readers crack licenses for other toolsas well. 'So if you have tools that are not listed aboveor newer releases, I am very glad to check them for you,'wrote this helpful individual. 'The purpose of me [sic] isto find a robust way for FLEXlm cracking.'
Cooley, moderator of the E-Mail Synopsys User's Group (ESNUG),said he could understand why an EDA user might want to temporarilybypass a FLEXlm license. 'But when the purpose is to stealthe software and never pay the EDA vendor, that's problematic,'he said. 'I lose in the long run because they [EDA vendors]don't develop better software.' Rich Mirabella, vice presidentof marketing at Globetrotter Software, said he wasn't aware ofany new attacks on FLEXlm. But, he acknowledged, they've happened'on and off for over five years.'
Mirabella emphasized that FLEXlm is positioned as a licensingmanager, not a security system. 'The business purpose isto allow software vendors to offer licensing models that matchhow people use their products,' he said. 'The securityis there to keep honest people honest. In every release we dothings to increase the security, but it's like an arms race —we do stuff, the hackers do stuff.'
Mirabella said that Globetrotter has participated in severalcriminal prosecutions of people who have hacked FLEXlm and hashelped shut down hacker Web sites in the U.S. and abroad. Butthe actual party injured is the software vendor, he noted; Globetrotterassists in prosecutions but is not the plaintiff in these cases.United States copyright laws, Mirabella said, provide penaltiesof up to five years in prison and $500,000 fines for hacking productssuch as FLEXlm. But people outside the U.S. are subject to thelaws of the host country, he noted.
Mirabella downplayed the role of FLEXlm hacking on EDA revenues.'I'm sure it does happen on occasion, but in the high endyou wouldn't see it much,' he said. 'The kinds of companiesthat use those products wouldn't engage in these kinds of practices.'Some hacking does take place, he said, with 'low end'products such as pc-board layout tools, which might be used bysmall, struggling companies.
Much more revenue loss, he said, comes from honest companieswho lack the means to keep track of licenses in networked environments.When Cooley launched Stealthnet in 1999, Globetrotter was critical.Matt Christiano, Globetrotter's chief executive, wrote an angryletter to ESNUG stating that Cooley's efforts could encouragehackers and cause EDA vendors to seriously inconvenience users.
But some EDA vendor representatives lauded Cooley's efforts.'I want to thank you on behalf of the EDA industry for yourhandling of the situation and condemning of these hackers,'wrote Rob Genco, director of software operations at Synopsys.Mirabella scoffed at Cooley's intent to relaunch Stealthnet. 'Ifissues arise, users and software vendors should come to us directly,'Mirabella said. 'I don't see any value added that John Cooleybrings to the situation. It's not clear what his agenda is.'
Cooley responded that Globetrotter is trying to avoid any publicdiscussion of potential problems with FLEXlm. He didn't contactGlobetrotter about the EDA discussion group, he said, becauseof the company's negative reaction last time. Cooley will announcethe relaunch of Stealthnet, open only to confirmed EDA vendorrepresentatives, in an upcoming ESNUG bulletin. Previous bulletins,including several past discussions of FLEXlm hacking, are archivedat the EDTN DeepChip Web site.
See reversers ;-), by exposing these snake oil salespeopleyou might 'seriously inconvenience users' by forcing developersto learn a little about protections cracking, god forbid...
Seeds
On the other side I am currently in the process of buildingand maintaining a FLEXlm vendor & seed database, after someconsideration (from several e-mails I mighten add ;-) ) I havedecided to make this list private since with these just aboutanyone can generate licenses.
SentinelLM / ElanLM
Generating your own SLM installation serial number couldn'tbe easier, with these instructions by scorpie.
Assuming desired Vendor ID = 0x1ABC.
1. Form Hexadecimal numbers 1ABC1ABC
2. Find the binary equivalent of the above numbers: 0001 10101011 1100 0001 1010 1011 1100
3. Make a group of two bits of the numbers above: 00 01 10 1010 11 11 00 00 01 10 10 10 11 11 00
4. Map the 2-bit group with the rule: 00 --> 01, 01 -->11, 10 --> 00, 11 --> 10.
5. Point 3, will become: 01 11 00 00 00 10 10 01 01 11 00 00 0010 10 01
6. Covert point 5 to HEX again: 70297029
7. Shift right (1D position) point 6: T1 = 00000003
8. Shift left (3 position) point 6: T2 = 814B8148
9. Find T1 OR T2 = 814B814B
10. From point 1 and point 9, form 4B81BC1A (this is reverse byteof the above).
11. Repeat point 2 -- 6 for HEX number 4B81BC1A, and we get: D2172970
12. Repeat point 7 to the result of point 11: S1 = 00000006
13. Repeat point 8 to the result of point 11: S2 = 90B94B80
14. Find S1 OR S2 = 90B94B86
15. The serial number for Vendor ID=1ABC is 864BB990 (hexadecimal)= 2253109648
SentinelLM v7.2 information (courtesy of myself) - A good indicationof the version of SentinelLM being used is the actual file versioninfo from the file lsapiw32.dll e.g. 7.2.0.0 = v7.2.
SentinelLM v7.3 information - this courtesy of FoxB (applicableto patching WlscGen.exe).
'Query/Response length is 0x10, algo cells are 0x0C, 0x20,0x28, 0x2C. The table emulation passed - all response place inWlscGen.exe. Cell 0x0F = 0x800'.
SentinelLM SDK v7.1, v7.2, v7.3 & Sentinel RMS v8.0 (Regrettably.As with the FLEXlm SDK's this download is now on the otherside). Or check here.
ElanLM API Guide :-(138k).
SentinelLM Remover :- A tool thatclaims to generically remove SentinelLM (237k), I'd be prettyinterested to know which SentinelLM targets this has been testedwith because it doesn't seem to recognise SentinelLM at all.
SentinelLM v7.1 Programmer's ReferenceManual :- (692k).
SentinelLM v8.0.2 Developer's Guide:- (1.5Mb's).
SentinelLM v8.0.2 Programmer's ReferenceManual :- (1.3Mb's).
SentinelLM [8.0.x /7.x.x] license decodeutility, v1.01 public (c)2007 by souz :- Utility to decodeSentinelLM license information (241k).
SentinelLM Signatures for IDA:- Courtesy of Nolan Blender (40k).
SentinelLM Toolkit :- Includesa SDK serial number generator and vendor array generator, courtesyof me & moZfet (CROSSFiRE) (632k).
SentinelLM Vendor ID to Serial Number:- Type in your desired Vendor ID and this little tool will giveyou the SentinelLM installation serial number (619k).
Wlscgen Patch for SentinelLMSDK v7.1 :- Remove the dongle for Wlscgen (17k).
| Document Title | Description | Date |
| Code Archaeology with ElanLM | Reviving functions from the past, courtesy of pilgrim. | Jan 2001 |
| Delphi v5.0 Trial | Cracking the SentinelLM Delphi v5.0 Trial, courtesy of CyberHeg. | 22/11/00 |
| MrSID GEOSPATIAL ENCODER v1.4 | Cracking the SentinelLM protected program MrSID GEOSPATIAL ENCODER v1.4 Desktop edition, courtesy of CyberHeg. | 22/11/00 |
| SentinelLM Cracking | Removing need for dongle in SentinelLM Wlscgen.exe, courtesy of CyberHeg. | 21/11/00 |
| SentinelLM Installation Cracking | Generating keys for SentinelLM, courtesy of Nolan Blender. | 20/11/00 |
| SentinelLM Investigation | My own generic research paper into SentinelLM. | September 2001 |
| Wlscgen.exe For You | Creating your own Wlscgen courtesy of Mayaputra. | February 2006 |
A big thanks goes to CyberHeg & Nolan Blender for providingmost of the content here.
+ORCReturnto Main IndexTimeTrialsVisual Basic
- суббота 02 мая
- 43