Zuken CADSTAR 16 Cracking Walkthrough

Published 2019-07-14 12:42

1. What is CADSTAR?

Home page: https://www.zuken.com
What's New in CADSTAR 16: https://www.zuken.com/en/products/pcb-design/cadstar/whats-new/cadstar-whats-new/cadstar-16-features

2. Licensing scheme

Cracked files for CADSTAR 13 circulated online some time ago. Analysis shows that v13 is protected with FlexNet licensing; the crack patched the ECC check and used the FlexNet SDK to write a license generator. The patched files were the following:
engineer.exe
impulse.exe
Log.txt
pred.dll
rdr2adv.exe
scs.exe
senario.exe
sysutils.dll
gradianWXinwinntgradian.EXE
Comparative analysis shows that CADSTAR 16 is protected with FlexNet 11.11.1. Writing a keygen first requires the SDK; the one publicly available online is FlexNet SDK 11.9.1.

3. Cracking process

3.1 Finding VENDOR_NAME
Load engineer.exe in OllyDbg and search for the constant 0x87654321. Locate the nearby occurrence of 0x12345678, set a breakpoint on the CALL just above it, and press F9 to run to the breakpoint; VENDOR_NAME can then be seen to still be zuken.
3.2 Finding FEATURE_NAME
The main task is locating the lc_checkout function. Load lm_ckout.obj from the lmgr.lib library of the 11.9.1 SDK into IDA and locate _lc_checkout. First study the shape of that function in 11.9.1, then locate the lc_checkout function in 11.11.1.
By inspection there is a 0x20000 constant that is ANDed and XORed once each. Searching OllyDbg for the command sequence "and ecx, 0x20000" gives four hits; comparing them by eye, the first one's function flow essentially matches the one seen in IDA, so it can be taken to be the lc_checkout function of the new 11.11.1 version.
Alternatively, the IDA SIG file for SDK 11.11.1 locates lc_checkout directly.
Set a breakpoint at the function entry and press F9 to run to it.
The registers and the stack already show FEATURE_NAME and FEATURE_VERSION, and other FEATUREs can be seen in the data window. Repeated debugging shows that the FEATURE_NAMEs are essentially all stored in the PE file's .data section, in the form "name version epxxxx". So press ALT+M in OllyDbg to open the memory map, find the PE file's .data section, double-click it to open its data window, and search that window for strings such as "ep2", "ep3" and "ep4", checking whether they are stored as "name version epxxxx"; this yields all of the FEATUREs.
Processing the other files the same way gives the features listed in the table below.

| filename | feature | version | unknown |
|---|---|---|---|
| engineer.exe | emc_server | 25.0 | ep4416 |
| | emc_front_loaded | 25.0 | ep4418 |
| | dc_analysis | 25.0 | ep4454 |
| sysutils.dll | cadstar_gold | 19.0 | ep2553 |
| | cadstar_silver | 19.0 | ep2554 |
| | cadstar_bronze | 19.0 | ep2555 |
| | emcrules_auth | 4.0 | ep2698 |
| | cadstar_eval | 19.0 | ep2998 |
| | cadstar_beta | 19.0 | ep2999 |
| | cadstar_field_solver | 19.0 | ep3085 |
| | cadstar_library_editor | 19.0 | ep3099 |
| | cadstar_schematics | 19.0 | ep3103 |
| | freedom | 9.0 | ep3314 |
| | cstar_viewer_plus | 19.0 | ep3675 |
| | cadstar_des_view_ppr | 19.0 | ep3690 |
| | cadstar_des_view_rep_gen | 19.0 | ep3691 |
| | embedded_router | 19.0 | ep3876 |
| | emd_2dcheck | 4.0 | ep3942 |
| | cadstar_variants | 19.0 | ep3953 |
| | pred_ibase | 25.0 | ep4191 |
| | pred_cbase | 25.0 | ep4194 |
| | pred_interactive | 25.0 | ep4195 |
| | pred_2000 | 25.0 | ep4196 |
| | pred_5000 | 25.0 | ep4197 |
| | pred_single_pass_batch | 25.0 | ep4205 |
| | pred_multi_pass_batch | 25.0 | ep4206 |
| | pred_memory_batch | 25.0 | ep4209 |
| | pred_mitre_batch | 25.0 | ep4210 |
| | cadstar_ds1_interface | 3.0 | ep4372 |
| | pred_pattern_batch | 25.0 | ep4211 |
| | hs_route | 25.0 | ep4213 |
| | hs_place_and_route | 25.0 | ep4214 |
| | cadstar_scm_variants | 19.0 | ep4263 |
| | hotstage_verify | 25.0 | ep4297 |
| | pred_2000_s | 25.0 | ep4304 |
| | pred_2000_hs | 25.0 | ep4305 |
| | cadstar_datasheet_pub | 19.0 | ep4323 |
| | cadstar_shape_trim | 19.0 | ep4324 |
| | pred_six_layer_enh | 25.0 | ep4336 |
| | pred_max_layer_enh | 25.0 | ep4337 |
| | viewer_cadif_import | 19.0 | ep4377 |
| | lightning_spice_gen | 25.0 | ep4463 |
| | cadstar_rules_by_area | 19.0 | ep4492 |
| | cadstar_migration_link | 1.0 | ep4543 |
| | cstar_idf_link | 4.0 | ep4569 |
| | cstar_constraint_browser | 25.0 | ep4577 |
| | analysis_results_viewer | 2.0 | ep4593 |
| | cadstar_copper | 19.0 | ep4599 |
| | cadstar_scm_copper | 19.0 | ep4600 |
| impulse.exe | idem_model_import | 6.0 | ep4534 |
| | sim_lib_manager | 6.0 | ep4222 |
| scs.exe | si_interactive_simulation | 25.0 | ep4221 |
| | si_batch_simulation | 25.0 | ep4417 |
| | lightning_spice_gen | 25.0 | ep4463 |
| pred.dll | pred_ibase | 25.0 | ep4191 |
| | pred_vbase | 14.0 | ep4192 |
| | pred_bbase | 25.0 | ep4193 |
| | pred_cbase | 25.0 | ep4194 |
| | pred_interactive | 25.0 | ep4195 |
| | pred_2000 | 25.0 | ep4196 |
| | pred_5000 | 25.0 | ep4197 |
| | pred_floorplanner | 25.0 | ep4198 |
| | pred_assembly | 25.0 | ep4199 |
| | pred_rules_by_area | 25.0 | ep4200 |
| | pred_radial_router | 25.0 | ep4201 |
| | pred_thermal | 25.0 | ep4202 |
| | pred_widis | 14.0 | ep4203 |
| | pred_batch_upgrade | 25.0 | ep4204 |
| | pred_single_pass_batch | 25.0 | ep4205 |
| | pred_multi_pass_batch | 25.0 | ep4206 |
| | pred_smooth_batch | 25.0 | ep4207 |
| | pred_optimum_batch | 25.0 | ep4208 |
| | pred_memory_batch | 25.0 | ep4209 |
| | pred_mitre_batch | 25.0 | ep4210 |
| | pred_pattern_batch | 25.0 | ep4211 |
| | preditor11_adv_plc_tools | 14.0 | ep4212 |
| | hs_route | 25.0 | ep4213 |
| | hs_place_and_route | 25.0 | ep4214 |
| | hs_realize | 25.0 | ep4215 |
| | hs_prototype | 25.0 | ep4216 |
| | hs_scenario | 25.0 | ep4217 |
| | hotstage_verify | 25.0 | ep4297 |
| | hotstage_verify_plus | 25.0 | ep4298 |
| | hotstage_verify_elite | 25.0 | ep4299 |
| | pred_rbase | 25.0 | ep4300 |
| | pred_2000_s | 25.0 | ep4304 |
| | pred_2000_hs | 25.0 | ep4305 |
| | pred_2000_floorplanner | 25.0 | ep4312 |
| | pred_beta | 25.0 | ep4329 |
| | hs_scenario_plus | 25.0 | ep4332 |
| | pred_six_layer_enh | 25.0 | ep4336 |
| | pred_max_layer_enh | 25.0 | ep4337 |
| | pred_conc_placement | 25.0 | ep4343 |
| | multi_board | 25.0 | ep4415 |
| | emc_server | 25.0 | ep4416 |
| | lightning_spice_gen | 25.0 | ep4463 |
| | cp_heavy_cluster | 25.0 | ep4469 |
| | zx0301 | 13.0 | ep4511 |
| | pred_classic_autorouter | 25.0 | ep4512 |
| | pred_dragon_autorouter | 25.0 | ep4513 |
| | pred_dragon_strategy | 25.0 | ep4514 |
| | pred_dragon_consultant | 25.0 | ep4515 |
| | pred_intelligent_obj | 25.0 | ep4516 |
| | zx0501 | 15.0 | ep4526 |
| | dragon_smart_fanout | 25.0 | ep4532 |
| | dragon_escape_routing | 25.0 | ep4533 |
| | zx1601 | 10.0 | ep4561 |
| | pred_smart_fanout | 21.0 | ep4574 |
| | cstar_constraint_browser | 25.0 | ep4577 |
| | pred_netless_router | 25.0 | ep4584 |
| | zx3201 | 2013.0 | ep4585 |
| gradian.exe | gradian | 2.0 | ep4420 |
| rdr2adv.exe | emcrules_auth | 4.0 | ep2698 |
| | adviser_dfm_rules | 4.0 | ep3020 |
| | fastrule_auth | 4.0 | ep3073 |
| senario.exe | | | |

3.3 Finding SEED1 and SEED2
Based on the features found above, forge a license file for engineer.exe as follows:
```
INCREMENT emc_server zuken 25.0 1-jan-2100 uncounted HOSTID=ANY SIGN=0
INCREMENT emc_front_loaded zuken 25.0 1-jan-2100 uncounted HOSTID=ANY SIGN=0
INCREMENT dc_analysis zuken 25.0 1-jan-2100 uncounted HOSTID=ANY SIGN=0
```
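As an added example that is not part of the original post, the following Python reads INCREMENT lines in the format shown above and audits them the way a license-server administrator reviewing a license.dat would: it flags entries that carry no signature (SIGN empty or 0), entries that are not node-locked (HOSTID=ANY) and entries whose expiry date has passed. It covers the line grammar visible on this page (feature, vendor, version, expiry, seat count, then KEY=VALUE options and bare flags such as TS_OK) and goes beyond the three-line example by also handling quoted SIGN values and backslash line continuations. The sample input is constructed here: the three lines from the post plus one node-locked, expired line with a made-up hostid and placeholder SIGN.

```python
"""Parse and audit FlexNet/FLEXlm INCREMENT lines (added example, not from the post)."""
import shlex
from dataclasses import dataclass, field
from datetime import date

MONTHS = {m: i for i, m in enumerate(
    ["jan", "feb", "mar", "apr", "may", "jun",
     "jul", "aug", "sep", "oct", "nov", "dec"], start=1)}


@dataclass
class Increment:
    feature: str
    vendor: str
    version: str
    expiry: str
    count: str                                   # seat count, or "uncounted"
    options: dict = field(default_factory=dict)  # KEY=VALUE tokens such as HOSTID, SIGN
    flags: list = field(default_factory=list)    # bare keywords such as TS_OK


def join_continuations(lines):
    """Yield logical lines: a trailing backslash continues onto the next physical line."""
    buf = ""
    for raw in lines:
        s = raw.rstrip()
        if s.endswith("\\"):
            buf += s[:-1] + " "
            continue
        yield buf + s
        buf = ""
    if buf:
        yield buf


def parse_increment(line):
    """Split one INCREMENT line into its positional fields, options and flags."""
    parts = shlex.split(line)  # keeps a quoted SIGN="XXXX XXXX" together as one token
    if len(parts) < 6 or parts[0].upper() != "INCREMENT":
        raise ValueError(f"not an INCREMENT line: {line!r}")
    inc = Increment(*parts[1:6])
    for tok in parts[6:]:
        if "=" in tok:
            key, val = tok.split("=", 1)
            inc.options[key.upper()] = val
        else:
            inc.flags.append(tok)
    return inc


def parse_expiry(text):
    """'1-jan-2100' -> date; 'permanent' or '0' -> None (never expires)."""
    t = text.lower()
    if t in ("permanent", "0"):
        return None
    day, mon, year = t.split("-")
    return date(int(year), MONTHS[mon], int(day))


def audit(lines, today=date(2019, 7, 14)):
    """Return (feature, finding) pairs for entries an administrator should look at."""
    findings = []
    for line in join_continuations(lines):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        inc = parse_increment(line)
        if inc.options.get("SIGN", "").strip() in ("", "0"):
            findings.append((inc.feature, "unsigned: SIGN is empty or 0"))
        if inc.options.get("HOSTID", "").upper() == "ANY":
            findings.append((inc.feature, "not node-locked: HOSTID=ANY"))
        exp = parse_expiry(inc.expiry)
        if exp is not None and exp < today:
            findings.append((inc.feature, f"expired on {exp.isoformat()}"))
    return findings


# Constructed sample: the three forged lines from the post plus one node-locked,
# expired line with a made-up hostid and a placeholder (not real) SIGN value.
SAMPLE_LICENSE = r"""
# forged entries from the post
INCREMENT emc_server zuken 25.0 1-jan-2100 uncounted HOSTID=ANY SIGN=0
INCREMENT emc_front_loaded zuken 25.0 1-jan-2100 uncounted HOSTID=ANY SIGN=0
INCREMENT dc_analysis zuken 25.0 1-jan-2100 uncounted HOSTID=ANY SIGN=0
# constructed: signed, node-locked, but expired
INCREMENT dc_analysis zuken 25.0 1-jan-2018 uncounted HOSTID=0123abcd4567 \
    SIGN="0000 0000"
"""

if __name__ == "__main__":
    for feature, msg in audit(SAMPLE_LICENSE.splitlines()):
        print(f"{feature}: {msg}")
```

Running the block reports two findings for each of the three forged lines (unsigned and not node-locked) and one for the constructed line (expired), which is exactly the set of properties a license check would reject or an administrator would want to see in an inventory of license files.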
Save it as license.dat in the C:\flexlm directory and reload engineer.exe in OllyDbg. Go to the key CALL found in step 3.1 (the VENDOR_NAME step), set a breakpoint at the first jump inside that function and another at the first CALL that is not jumped over, then press F9 to run until execution stops at that CALL. Press F8 to step over the CALL; the result is shown below.
Then enter the following commands in the command bar; the data window shows the data below for each command.

```
dd [esp+8]
013DECC8  00000004
013DECCC  B745B072   data[0]
013DECD0  B75B6161   data[1]
013DECD4  5CD988E0
013DECD8  946F3B1E
013DECDC  9BB0D61F
013DECE0  08B17561
013DECE4  000B000B   ver 11.11
013DECE8  31310000   ver 11

dd [esp]
01707100  00000000
01707104  00FBFFF9
01707108  014D20FE   job+08
0170710C  ED9CB784   job+0c
01707110  AE36D371   job+10
```
Open calcseed.exe and enter the information above; this gives seed1: 0x00089003 and seed2: 0x00164110, as shown below.

3.4 Patching the ECC check
Use the FlexNet ECC Patch tool to remove the ECC check from the files that need patching, as shown below.
The complete patch log is as follows:
```
ECC 32bit signature found in gradian.EXE
File size 2396160 bytes
Patched at 00135050h
Patch verification at 00135050h
File is patched.
ECC 32bit signature found in engineer.exe
File size 9965056 bytes
Patched at 006F64E0h
Patch verification at 006F64E0h
File is patched.
ECC 32bit signature found in impulse.exe
File size 3153920 bytes
Patched at 0020C0E0h
Patch verification at 0020C0E0h
File is patched.
ECC 32bit signature found in pred.dll
File size 21173760 bytes
Patched at 00EF48E0h
Patch verification at 00EF48E0h
File is patched.
ECC 32bit signature found in rdr2adv.exe
File size 2577408 bytes
Patched at 001BBAE0h
Patch verification at 001BBAE0h
File is patched.
ECC 32bit signature found in scs.exe
File size 13082624 bytes
Patched at 00926EE0h
Patch verification at 00926EE0h
File is patched.
ECC 32bit signature found in senario.exe
File size 15472640 bytes
Patched at 00B71200h
Patch verification at 00B71200h
File is patched.
ECC 32bit signature found in sysutils.dll
File size 1526272 bytes
Patched at 000E70E0h
Patch verification at 000E70E0h
File is patched.
```
3.5 Computing SIGN
The license.dat placed earlier has SIGN set to 0 and therefore does not pass license validation. The FlexNet SDK 11.9.1 is built to compute the correct SIGN and HOSTID.
Use lmkg3 to compute the VENDOR_KEY and TRL_KEY values from VENDOR_NAME, as shown below:
Use the SDK's lmrand1.exe tool: run lmrand1 -seed on the command line to generate the LM_SEED values, as shown below:
In the SDK's lm_code.h, replace the corresponding definitions with the following:

```c
#define VENDOR_KEY1 0xd4c8bbc2
#define VENDOR_KEY2 0xc592f46a
#define VENDOR_KEY3 0x753a8c1c
#define VENDOR_KEY4 0x2a195ac8
#define VENDOR_KEY5 0x7b065bc0
#define TRL_KEY1 0x9f1896c6
#define TRL_KEY2 0x789f90a0
#define VENDOR_NAME "zuken"
#define ENCRYPTION_SEED1 0x00089003
#define ENCRYPTION_SEED2 0x00164110
#define LM_SEED1 0xcb469f78
#define LM_SEED2 0x60610e5a
#define LM_SEED3 0x5c576721
#define LM_STRENGTH LM_STRENGTH_239BIT
```

Change the VENDORNAME value in the makefile from demo to zuken, open the VS2013 command prompt, run build.bat, and the build completes.
Obtain the local hostid with the SDK's lmhostid.exe tool.
In Excel, following the format of the license placed above, concatenate the lines for all features with a formula, as shown below:
Copy the license column into a text file and save it as license.txt.
On the command line run the lmcrypt.exe built from the SDK: lmcrypt -i license.txt -o license.dat, which writes license.dat. Open license.dat in Notepad; if all went well, the correct SIGN values have been computed. Copy this license.dat into CADSTAR's Programs directory; on startup all features are licensed.
3.6 Writing the KEYGEN
There is nothing difficult here; it mainly adds hostid retrieval on top of the SDK's lmcrypt.c. The main code follows.

```cpp
#include "stdafx.h"
#include "lm_code.h"
#include "lmclient.h"
#include "lm_attr.h"
#include "lmprikey.h"
/* The angle-bracket include in the original post was lost in extraction;
   the standard headers used by printf/strlen/exit are listed explicitly. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Vendor code built from the constants set in lm_code.h (seeds, vendor keys, TRL keys). */
LM_CODE_NEW(site_code, ENCRYPTION_SEED1, ENCRYPTION_SEED2,
            VENDOR_KEY1, VENDOR_KEY2, VENDOR_KEY3, VENDOR_KEY4, VENDOR_KEY5,
            FLEXLM_VERSION, FLEXLM_REVISION, FLEXLM_PATCH, LM_VER_BEHAVIOR,
            TRL_KEY1, TRL_KEY2, LM_STRENGTH);

#define FEATURE_COUNT 93
/* All features collected from the binaries in section 3.2. */
char feature[FEATURE_COUNT][255] = {
    "cadstar_gold", "cadstar_silver", "cadstar_bronze", "emcrules_auth",
    "cadstar_eval", "cadstar_beta", "adviser_dfm_rules", "fastrule_auth",
    "cadstar_field_solver", "cadstar_library_editor", "cadstar_schematics",
    "freedom", "cstar_viewer_plus", "cadstar_des_view_ppr",
    "cadstar_des_view_rep_gen", "embedded_router", "emd_2dcheck",
    "cadstar_variants", "pred_ibase", "pred_vbase", "pred_bbase", "pred_cbase",
    "pred_interactive", "pred_2000", "pred_5000", "pred_floorplanner",
    "pred_assembly", "pred_rules_by_area", "pred_radial_router", "pred_thermal",
    "pred_widis", "pred_batch_upgrade", "pred_single_pass_batch",
    "pred_multi_pass_batch", "pred_smooth_batch", "pred_optimum_batch",
    "pred_memory_batch", "pred_mitre_batch", "pred_pattern_batch",
    "preditor11_adv_plc_tools", "hs_route", "hs_place_and_route", "hs_realize",
    "hs_prototype", "hs_scenario", "si_interactive_simulation", "sim_lib_manager",
    "cadstar_scm_variants", "hotstage_verify", "hotstage_verify_plus",
    "hotstage_verify_elite", "pred_rbase", "pred_2000_s", "pred_2000_hs",
    "pred_2000_floorplanner", "cadstar_datasheet_pub", "cadstar_shape_trim",
    "pred_beta", "hs_scenario_plus", "pred_six_layer_enh", "pred_max_layer_enh",
    "pred_conc_placement", "cadstar_ds1_interface", "viewer_cadif_import",
    "multi_board", "emc_server", "si_batch_simulation", "emc_front_loaded",
    "gradian", "dc_analysis", "lightning_spice_gen", "cp_heavy_cluster",
    "cadstar_rules_by_area", "zx0301", "pred_classic_autorouter",
    "pred_dragon_autorouter", "pred_dragon_strategy", "pred_dragon_consultant",
    "pred_intelligent_obj", "zx0501", "dragon_smart_fanout",
    "dragon_escape_routing", "idem_model_import", "cadstar_migration_link",
    "zx1601", "cstar_idf_link", "pred_smart_fanout", "cstar_constraint_browser",
    "pred_netless_router", "zx3201", "analysis_results_viewer", "cadstar_copper",
    "cadstar_scm_copper"
};

int _tmain(int argc, _TCHAR* argv[])
{
    LM_CODE_GEN_INIT_NEW(&site_code, ENCRYPTION_SEED1, ENCRYPTION_SEED2,
                         l_priseedcnt, lm_prikey, lm_prisize);
    VENDORCODE *code = &site_code;
    LM_HANDLE *lm_job = (LM_HANDLE *)NULL;

    if (lc_init((LM_HANDLE *)0, VENDOR_NAME, code, &lm_job)) {
        lc_perror(lm_job, "lc_init failed");
        printf("1");
        exit(-1);
    }

    /* Read the local hostid; drop a leading quote and keep only the first token. */
    char hostid[MAX_CONFIG_LINE] = { 0 };
    if (0 != lc_hostid(lm_job, HOSTID_DEFAULT, hostid)) {
        lc_get_errno(lm_job);
        printf("2");
        exit(-1);
    } else if (strlen(hostid) > 0) {
        if (*hostid == '"')
            memmove(hostid, hostid + 1, MAX_CONFIG_LINE - 1);
        for (size_t i = 0; i < strlen(hostid); i++) {
            if ((hostid[i] == 0x20) || (hostid[i] == 0x00)) {
                hostid[i] = 0x00;
                break;
            }
        }
    }

    /* One INCREMENT line per feature, each terminated by a newline; SIGN=0 is
       replaced by lc_cryptstr below. */
    char lic_txt[1024 * 512] = {};
    char tmp[512] = { 0 };
    for (size_t i = 0; i < FEATURE_COUNT; i++) {
        sprintf(tmp, "INCREMENT %s %s 25.0 1-jan-2100 uncounted HOSTID=%s TS_OK SIGN=0\n",
                feature[i], VENDOR_NAME, hostid);
        strcat(lic_txt, tmp);
    }

    char *lic_data = NULL, *err = NULL;
    if (0 != lc_cryptstr(lm_job, lic_txt, &lic_data, code, LM_CRYPT_FORCE, "", &err)) {
        lc_get_errno(lm_job);
        printf("3");
        exit(-1);
    } else {
        printf("%s", lic_data);   /* was printf(lic_data); the text is data, not a format string */
        lc_free_mem(lm_job, lic_data);
    }
    return 0;
}
```

3.7 Attachments
Zuken CADSTAR 16 installer: http://download.csdn.net/download/chivalrys/10009620
Zuken CADSTAR 16 crack files: http://download.csdn.net/download/chivalrys/10009618
FlexLM SDK: FlexLM-SDK-11-9-1, link: https://pan.baidu.com/s/1geULxWR password: pjqq
FlexLM SDK 11.11.1 SIG: https://pan.baidu.com/s/1bpKu10j password: k8na
lmkg3: http://www.woodmann.com/crackz/FLEXlm/Flexvkg3.rar
calcseed: http://www.woodmann.com/crackz/Tutorials/Nolflex3.zip
ECCPatcher-v2015.04.10: taken from link: https://pan.baidu.com/s/1bpKu10j password: k8na