Zuken CADSTAR 16 破解过程

1.什么是CADSTAR?

 Home Page: https://www.zuken.comWhat's New in CADSTAR 16: https://www.zuken.com/en/products/pcb-design/cadstar/whats-new/cadstar-whats-new/cadstar-16-features

2.授权方式

网上之前有流传CADSTAR13的破解文件，经分析后v13采用FlexNet授权保护，破解文件Patch了ECC校验，用FlexNet SDK编写了生成License的程序。Patch的文件有一下.

engineer.exe
impulse.exe
Log.txt
pred.dll
rdr2adv.exe
scs.exe
senario.exe
sysutils.dll
gradianWX\bin\winnt\gradian.EXE

经对比分析后，CADSTAR16采用FlexNet 11.11.1 授权保护，要写注册机首先得有SDK，网上公开的有FlexNet SDK 11.9.1

3.破解过程

3.1 找VENDOR_NAME
OD加载engineer.exe，搜索常量0x87654321.定位到附近有0x12345678的位置，在其上面一个CALL下断，F9运行至断点即可看到VENDOR_NAME任然还是zuken.

3.2 找FEATURE_NAME
主要是寻找lc_checkout函数，IDA加载11.9.1 SDK中的lmgr.lib库文件中的lm_ckout.obj文件，定位到_lc_checkout函数，先观察一下11.9.1中该函数的造型，然后在定位11.11.1中的lc_checkout函数。

肉眼观察有一个0x20000常量，被 & 和 ^ 一次，在OD中搜索命令序列”and ecx, 0x20000”,找到4处，经肉眼比对，第一处函数过程基本与IDA中的一致，基本可以确定该函数就是新版11.11.1中的lc_checkout函数。

也可以根据sdk 11.11.1 的IDA SIG文件直接定位到lc_checkout函数

在函数入口下断后F9运行至函数入口.

寄存器以及堆栈中已经显示出了FEATURE_NAME和FEATURE_VERSION。且在数据窗口中能观察到其他的FEATURE.经过多次调试观察发现，FEATURE_NAME基本上都在存储于PE文件的data段，且都是类似”name version epxxxx”，因此在OD中ALT+M打开窗口找到PE文件的data段，双击打开其数据窗体，在数据窗体内搜索”ep2”、”ep3”、”ep4”类似字符，观察是否以”name version epxxxx”存储，即可找到全部的FEATURE.

同理处理其他文件，得到的feature如下表

filename	feature	version	unkonw
enginer.exe	emc_server	25.0	ep4416
	emc_front_loaded	25.0	ep4418
	dc_analysis	25.0	ep4454
sysutils.dll	cadstar_gold	19.0	ep2553
	cadstar_silver	19.0	ep2554
	cadstar_bronze	19.0	ep2555
	emcrules_auth	4.0	ep2698
	cadstar_eval	19.0	ep2998
	cadstar_beta	19.0	ep2999
	cadstar_field_solver	19.0	ep3085
	cadstar_library_editor	19.0	ep3099
	cadstar_schematics	19.0	ep3103
	freedom	9.0	ep3314
	cstar_viewer_plus	19.0	ep3675
	cadstar_des_view_ppr	19.0	ep3690
	cadstar_des_view_rep_gen	19.0	ep3691
	embedded_router	19.0	ep3876
	emd_2dcheck	4.0	ep3942
	cadstar_variants	19.0	ep3953
	pred_ibase	25.0	ep4191
	pred_cbase	25.0	ep4194
	pred_interactive	25.0	ep4195
	pred_2000	25.0	ep4196
	pred_5000	25.0	ep4197
	pred_single_pass_batch	25.0	ep4205
	pred_multi_pass_batch	25.0	ep4206
	pred_memory_batch	25.0	ep4209
	pred_mitre_batch	25.0	ep4210
	cadstar_ds1_interface	3.0	ep4372
	pred_pattern_batch	25.0	ep4211
	hs_route	25.0	ep4213
	hs_place_and_route	25.0	ep4214
	cadstar_scm_variants	19.0	ep4263
	hotstage_verify	25.0	ep4297
	pred_2000_s	25.0	ep4304
	pred_2000_hs	25.0	ep4305
	cadstar_datasheet_pub	19.0	ep4323
	cadstar_shape_trim	19.0	ep4324
	pred_six_layer_enh	25.0	ep4336
	pred_max_layer_enh	25.0	ep4337
	viewer_cadif_import	19.0	ep4377
	lightning_spice_gen	25.0	ep4463
	cadstar_rules_by_area	19.0	ep4492
	cadstar_migration_link	1.0	ep4543
	cstar_idf_link	4.0	ep4569
	cstar_constraint_browser	25.0	ep4577
	analysis_results_viewer	2.0	ep4593
	cadstar_copper	19.0	ep4599
	cadstar_scm_copper	19.0	ep4600
impulse.exe	idem_model_import	6.0	ep4534
	sim_lib_manager	6.0	ep4222
scs.exe	si_interactive_simulation	25.0	ep4221
	si_batch_simulation	25.0	ep4417
	lightning_spice_gen	25.0	ep4463
pred.dll	pred_ibase	25.0	ep4191
	pred_vbase	14.0	ep4192
	pred_bbase	25.0	ep4193
	pred_cbase	25.0	ep4194
	pred_interactive	25.0	ep4195
	pred_2000	25.0	ep4196
	pred_5000	25.0	ep4197
	pred_floorplanner	25.0	ep4198
	pred_assembly	25.0	ep4199
	pred_rules_by_area	25.0	ep4200
	pred_radial_router	25.0	ep4201
	pred_thermal	25.0	ep4202
	pred_widis	14.0	ep4203
	pred_batch_upgrade	25.0	ep4204
	pred_single_pass_batch	25.0	ep4205
	pred_multi_pass_batch	25.0	ep4206
	pred_smooth_batch	25.0	ep4207
	pred_optimum_batch	25.0	ep4208
	pred_memory_batch	25.0	ep4209
	pred_mitre_batch	25.0	ep4210
	pred_pattern_batch	25.0	ep4211
	preditor11_adv_plc_tools	14.0	ep4212
	hs_route	25.0	ep4213
	hs_place_and_route	25.0	ep4214
	hs_realize	25.0	ep4215
	hs_prototype	25.0	ep4216
	hs_scenario	25.0	ep4217
	hotstage_verify	25.0	ep4297
	hotstage_verify_plus	25.0	ep4298
	hotstage_verify_elite	25.0	ep4299
	pred_rbase	25.0	ep4300
	pred_2000_s	25.0	ep4304
	pred_2000_hs	25.0	ep4305
	pred_2000_floorplanner	25.0	ep4312
	pred_beta	25.0	ep4329
	hs_scenario_plus	25.0	ep4332
	pred_six_layer_enh	25.0	ep4336
	pred_max_layer_enh	25.0	ep4337
	pred_conc_placement	25.0	ep4343
	multi_board	25.0	ep4415
	emc_server	25.0	ep4416
	lightning_spice_gen	25.0	ep4463
	cp_heavy_cluster	25.0	ep4469
	zx0301	13.0	ep4511
	pred_classic_autorouter	25.0	ep4512
	pred_dragon_autorouter	25.0	ep4513
	pred_dragon_strategy	25.0	ep4514
	pred_dragon_consultant	25.0	ep4515
	pred_intelligent_obj	25.0	ep4516
	zx0501	15.0	ep4526
	dragon_smart_fanout	25.0	ep4532
	dragon_escape_routing	25.0	ep4533
	zx1601	10.0	ep4561
	pred_smart_fanout	21.0	ep4574
	cstar_constraint_browser	25.0	ep4577
	pred_netless_router	25.0	ep4584
	zx3201	2013.0	ep4585
gradian.exe	gradian	2.0	ep4420
rdr2adv.exe	emcrules_auth	4.0	ep2698
	adviser_dfm_rules	4.0	ep3020
	fastrule_auth	4.0	ep3073
senario.exe

3.3 找SEED1和SEED2
依据以上找到的feature，伪造一个enginer.exe文件的license文件如下:

INCREMENT emc_server zuken 25.0 1-jan-2100 uncounted HOSTID=ANY SIGN=0
INCREMENT emc_front_loaded zuken 25.0 1-jan-2100 uncounted HOSTID=ANY SIGN=0
INCREMENT dc_analysis zuken 25.0 1-jan-2100 uncounted HOSTID=ANY SIGN=0

保存为license.dat至C:\flexlm\目录下.OD重新加载enginer.exe文件。根据第一步找VENDOR_NAME的方式找到的关键CALL，在该函数内部第一个跳转的位置下断点，未跳转的第一个CALL下断点，F9运行直至断在未跳转的第一个CALL的位置。F8运行该CALL结束，如下图

然后在命令分别输入以下命令，数据窗口分别得到以下数据

命令	数据
dd [esp+8]	013DECC8 00000004 013DECCC B745B072 data[0] 013DECD0 B75B6161 data[1] 013DECD4 5CD988E0 013DECD8 946F3B1E 013DECDC 9BB0D61F 013DECE0 08B17561 013DECE4 000B000B ver 11.11 013DECE8 31310000 ver 11
dd [esp]	01707100 00000000 01707104 00FBFFF9 01707108 014D20FE job+08 0170710C ED9CB784 job+0c 01707110 AE36D371 job+10

打开calcseed.exe,输入以上信息，得到seed1:0x00089003,seed2:0x00164110,如下图。

3.4 Patch ECC校验

用FlexNet ECC Patch工具去掉需要补丁文件的ECC校验，如下图。

Patch的完整Log如下:

ECC 32bit signature found in gradian.EXE
File size 2396160 bytes
Patched at 00135050h
Patch verification at 00135050h
File is patched.
ECC 32bit signature found in engineer.exe
File size 9965056 bytes
Patched at 006F64E0h
Patch verification at 006F64E0h
File is patched.
ECC 32bit signature found in impulse.exe
File size 3153920 bytes
Patched at 0020C0E0h
Patch verification at 0020C0E0h
File is patched.
ECC 32bit signature found in pred.dll
File size 21173760 bytes
Patched at 00EF48E0h
Patch verification at 00EF48E0h
File is patched.
ECC 32bit signature found in rdr2adv.exe
File size 2577408 bytes
Patched at 001BBAE0h
Patch verification at 001BBAE0h
File is patched.
ECC 32bit signature found in scs.exe
File size 13082624 bytes
Patched at 00926EE0h
Patch verification at 00926EE0h
File is patched.
ECC 32bit signature found in senario.exe
File size 15472640 bytes
Patched at 00B71200h
Patch verification at 00B71200h
File is patched.
ECC 32bit signature found in sysutils.dll
File size 1526272 bytes
Patched at 000E70E0h
Patch verification at 000E70E0h
File is patched.

3.5 计算SIGN
前面位置了一个License.dat文件，里面的SIGN内容为0，并不能通过授权的验证，通过编译 FlexNET SDK 11.9.1来计算正确的SIGN以及HOSTID。
通过lmkg3依据VENDOR_NAME计算出VENDOR_KEY以及TRL_KEY的值，如下图：

使用sdk中的lmrand1.exe工具,命令行中运行lmrand1 -seed，生成LM_SEED的值，如下图：

在sdk中的lm_code.h文件中替换输入以下内容：

#define VENDOR_KEY1 0xd4c8bbc2
#define VENDOR_KEY2 0xc592f46a
#define VENDOR_KEY3 0x753a8c1c
#define VENDOR_KEY4 0x2a195ac8
#define VENDOR_KEY5 0x7b065bc0
#define TRL_KEY1 0x9f1896c6
#define TRL_KEY2 0x789f90a0
#define VENDOR_NAME "zuken"
#define ENCRYPTION_SEED1 0x00089003
#define ENCRYPTION_SEED2 0x00164110
#define LM_SEED1 0xcb469f78
#define LM_SEED2 0x60610e5a
#define LM_SEED3 0x5c576721
#define LM_STRENGTH LM_STRENGTH_239BIT

将makefile文件中的VENDORNAME的值demo修改为zuken，采用VS2013的命令行，运行build.bat,编译完成。

通过sdk中的lmhostid.exe工具获取到本机的hostid。
在Excel中依据上面位置的license的格式，通过公式连接出所有的feature。如下图

将license列复制到txt文件中，保存为license.txt.
在命令行中运行sdk中编译生成的lmcrypt.exe，输入lmcrypt -i license.txt -o license.dat,即输出为文件license.dat，用记事本打开license.dat文件，无误的话已经计算出了正确的SIGN。将此license.dat复制至CADSTAR的Programs目录内，启动程序所有的功能已经授权了。
3.6 编写KEYGEN
这个就没什么难度了，主要是在sdk中lmcrypt.c文件的基础之上增加一个获取hostid的功能。以下是主要代码。

#include "stdafx.h"
#include "lm_code.h"
#include "lmclient.h"
#include "lm_attr.h"
#include "lmprikey.h"
#include <string.h>LM_CODE_NEW(site_code, ENCRYPTION_SEED1, ENCRYPTION_SEED2,VENDOR_KEY1, VENDOR_KEY2, VENDOR_KEY3,VENDOR_KEY4, VENDOR_KEY5,FLEXLM_VERSION, FLEXLM_REVISION, FLEXLM_PATCH, LM_VER_BEHAVIOR,TRL_KEY1, TRL_KEY2, LM_STRENGTH);#define FEATURE_COUNT 93
char feature[FEATURE_COUNT][255] = { "cadstar_gold", "cadstar_silver", "cadstar_bronze", "emcrules_auth", "cadstar_eval", "cadstar_beta", "adviser_dfm_rules", "fastrule_auth", "cadstar_field_solver", "cadstar_library_editor", "cadstar_schematics", "freedom", "cstar_viewer_plus", "cadstar_des_view_ppr", "cadstar_des_view_rep_gen", "embedded_router", "emd_2dcheck", "cadstar_variants", "pred_ibase", "pred_vbase", "pred_bbase", "pred_cbase", "pred_interactive", "pred_2000", "pred_5000", "pred_floorplanner", "pred_assembly", "pred_rules_by_area", "pred_radial_router", "pred_thermal", "pred_widis", "pred_batch_upgrade", "pred_single_pass_batch", "pred_multi_pass_batch", "pred_smooth_batch", "pred_optimum_batch", "pred_memory_batch", "pred_mitre_batch", "pred_pattern_batch", "preditor11_adv_plc_tools", "hs_route", "hs_place_and_route", "hs_realize", "hs_prototype", "hs_scenario", "si_interactive_simulation", "sim_lib_manager", "cadstar_scm_variants", "hotstage_verify", "hotstage_verify_plus", "hotstage_verify_elite", "pred_rbase", "pred_2000_s", "pred_2000_hs", "pred_2000_floorplanner", "cadstar_datasheet_pub", "cadstar_shape_trim", "pred_beta", "hs_scenario_plus", "pred_six_layer_enh", "pred_max_layer_enh", "pred_conc_placement", "cadstar_ds1_interface", "viewer_cadif_import", "multi_board", "emc_server", "si_batch_simulation", "emc_front_loaded", "gradian", "dc_analysis", "lightning_spice_gen", "cp_heavy_cluster", "cadstar_rules_by_area", "zx0301", "pred_classic_autorouter", "pred_dragon_autorouter", "pred_dragon_strategy", "pred_dragon_consultant", "pred_intelligent_obj", "zx0501", "dragon_smart_fanout", "dragon_escape_routing", "idem_model_import", "cadstar_migration_link", "zx1601", "cstar_idf_link", "pred_smart_fanout", "cstar_constraint_browser", "pred_netless_router", "zx3201", "analysis_results_viewer", "cadstar_copper", "cadstar_scm_copper" };
int _tmain(int argc, _TCHAR* argv[])
{LM_CODE_GEN_INIT_NEW(&site_code, ENCRYPTION_SEED1, ENCRYPTION_SEED2,l_priseedcnt, lm_prikey, lm_prisize);VENDORCODE *code = &site_code;LM_HANDLE *lm_job = (LM_HANDLE *)NULL;if (lc_init((LM_HANDLE *)0, VENDOR_NAME, code, &lm_job)){lc_perror(lm_job, "lc_init failed");printf("1");exit(-1);}char hostid[MAX_CONFIG_LINE] = { 0 };if (0 != lc_hostid(lm_job, HOSTID_DEFAULT, hostid)){lc_get_errno(lm_job);printf("2");exit(-1);}else{if (strlen(hostid) > 0){if (*hostid == '"') memmove(hostid, hostid + 1, MAX_CONFIG_LINE - 1);for (size_t i = 0; i < strlen(hostid); i++){if ((hostid[i] == 0x20) || (hostid[i] == 0x00)){hostid[i] = 0x00;break;}}}}char lic_txt[1024 * 512] = {};char tmp[512] = { 0 };for (size_t i = 0; i < FEATURE_COUNT; i++){sprintf(tmp, "INCREMENT %s %s 25.0 1-jan-2100 uncounted HOSTID=%s TS_OK SIGN=0\n", feature[i], VENDOR_NAME, hostid);strcat(lic_txt, tmp);}char *lic_data = NULL, *err = NULL;if (0 != lc_cryptstr(lm_job, lic_txt, &lic_data, code, LM_CRYPT_FORCE, "", &err)){lc_get_errno(lm_job);printf("3");exit(-1);}else{printf(lic_data);lc_free_mem(lm_job, lic_data);}return 0;
}

3.7 附件
Zuken CADSTAR 16 安装文件:http://download.csdn.net/download/chivalrys/10009620
Zuken CADSTAR 16 破解文件:http://download.csdn.net/download/chivalrys/10009618
FlexLM SDK: FlexLM-SDK-11-9-1 链接: https://pan.baidu.com/s/1geULxWR 密码: pjqq
FlexLM SDK 11.11.1 SIG:https://pan.baidu.com/s/1bpKu10j 密码: k8na
lmkg3:http://www.woodmann.com/crackz/FLEXlm/Flexvkg3.rar
calcseed:http://www.woodmann.com/crackz/Tutorials/Nolflex3.zip
ECCPatcher-v2015.04.10:引自链接: https://pan.baidu.com/s/1bpKu10j 密码: k8na