Help: An interesting ActiveX Server protection used by SolarWinds 2000


Solomon
February 16th, 2001, 02:30
http://solarwinds.net/

SolarWinds is a good network management tool package (or hacking toolkit, or whatever). One of my friends asked me to reverse it.

I noticed that all the tools in this package are written in VB6. Each needs an unlock key when launched; it loads SolarWinds2000.exe to check the license code, which seems to be an ActiveX server. There is a Terminal Service Edition released by some warez group. I checked their crack. They replaced the original SolarWinds2000.exe (224KB) with a very small program (28KB). Perhaps they wrote their own ActiveX server.

I'm not an ActiveX or COM guru. Would u please give me some help? My version is "SolarWinds 2000 Professional Plus Edition", which can't be directly downloaded from their web site. I can't make the URL public here for some reason. If u r interested I can mail the URL to u. File size is 40MB.
Thx

solomon2000@gmx.net

Solomon
February 17th, 2001, 02:13
Does anyone know which API is used in QueryInterface( )? So I can set a breakpoint. Thx

Solomon
March 29th, 2001, 00:14
Today I got some hints when reading this security advisory:
http://razor.bindview.com/publish/advisories/adv_vbtsql.html

So I used ExeScope to examine the TypeLib of SolarWinds2000.exe. Interesting. The next step is to locate the entry point of each function through CoCreateInstance/CoInitialize/...? Seems that keygen is possible.

-------------------------------------------------------------------
SolarWinds2000; // SolarWinds 2000 Network Interface

Dispatch _Versions;
GUID={88ACBD6F-E6D8-4B1E-9302-599BF0D50377};
function QueryInterface(riid:^GUID; out ppvObj:^^void);
function AddRef: UI4;
function Release: UI4;
function GetTypeInfoCount(out pctinfo:^UINT);
function GetTypeInfo(itinfo:UINT; lcid:UI4; out pptinfo:^^void);
function GetIDsOfNames(riid:^GUID; rgszNames:^^I1; cNames:UINT; lcid:UI4; out rgdispid:^I4);
function Invoke(dispidMember:I4; riid:^GUID; lcid:UI4; wFlags:UI2; pdispparams:^DISPPARAMS; out pvarResult:^variant; out pexcepinfo:^EXCEPINFO; out puArgErr:^UINT);
property-get Item(out vntIndexKey:^variant): BSTR;
property-get Count: I4;
property-get NewEnum: ^IUnknown;
function LoadVersions;
function ShowVersions(out Index:^BSTR; Application_Name:BSTR; Package_ID:BSTR; DaysLeft:I2; Distributor:BSTR; Release:BSTR);
function About(out Component:^BSTR): bool;
property-get SerialNumber(out Component:^BSTR): BSTR;
property-get ComputerName: BSTR;

Class Versions;
GUID={32C50C99-5DCC-481A-A409-F85CF456A788};
function QueryInterface(riid:^GUID; out ppvObj:^^void);
function AddRef: UI4;
function Release: UI4;
function GetTypeInfoCount(out pctinfo:^UINT);
function GetTypeInfo(itinfo:UINT; lcid:UI4; out pptinfo:^^void);
function GetIDsOfNames(riid:^GUID; rgszNames:^^I1; cNames:UINT; lcid:UI4; out rgdispid:^I4);
function Invoke(dispidMember:I4; riid:^GUID; lcid:UI4; wFlags:UI2; pdispparams:^DISPPARAMS; out pvarResult:^variant; out pexcepinfo:^EXCEPINFO; out puArgErr:^UINT);
property-get Item(out vntIndexKey:^variant): BSTR;
property-get Count: I4;
property-get NewEnum: ^IUnknown;
function LoadVersions;
function ShowVersions(out Index:^BSTR; Application_Name:BSTR; Package_ID:BSTR; DaysLeft:I2; Distributor:BSTR; Release:BSTR);
function About(out Component:^BSTR): bool;
property-get SerialNumber(out Component:^BSTR): BSTR;
property-get ComputerName: BSTR;

Dispatch _Serial;
GUID={6910475C-6460-49FB-BBBB-41806D7EBF41};
function QueryInterface(riid:^GUID; out ppvObj:^^void);
function AddRef: UI4;
function Release: UI4;
function GetTypeInfoCount(out pctinfo:^UINT);
function GetTypeInfo(itinfo:UINT; lcid:UI4; out pptinfo:^^void);
function GetIDsOfNames(riid:^GUID; rgszNames:^^I1; cNames:UINT; lcid:UI4; out rgdispid:^I4);
function Invoke(dispidMember:I4; riid:^GUID; lcid:UI4; wFlags:UI2; pdispparams:^DISPPARAMS; out pvarResult:^variant; out pexcepinfo:^EXCEPINFO; out puArgErr:^UINT);
property-get SerialNumber: BSTR;
function MoveOldLicense;
property-get VID: BSTR;
property-put PID(^BSTR);
function NewSerial: BSTR;
function CalculateCheckSum(out Serial:^BSTR): BSTR;
function ValidSerial(out Serial:^BSTR): bool;
function GenerateKey(out Serial:^BSTR): BSTR;
function ExtractPackageID(out Serial:^BSTR): BSTR;
function ValidKey(out Key:^BSTR): bool;
property-get KeyError: BSTR;
property-put Key(^BSTR);
property-get Key: BSTR;
function Licensed(out ID:^BSTR): variant;
function MatchedKey(out Key:^BSTR; out Serial:^BSTR): bool;

Class Serial;
GUID={354731A4-7649-4273-B655-51796630CA4F};
function QueryInterface(riid:^GUID; out ppvObj:^^void);
function AddRef: UI4;
function Release: UI4;
function GetTypeInfoCount(out pctinfo:^UINT);
function GetTypeInfo(itinfo:UINT; lcid:UI4; out pptinfo:^^void);
function GetIDsOfNames(riid:^GUID; rgszNames:^^I1; cNames:UINT; lcid:UI4; out rgdispid:^I4);
function Invoke(dispidMember:I4; riid:^GUID; lcid:UI4; wFlags:UI2; pdispparams:^DISPPARAMS; out pvarResult:^variant; out pexcepinfo:^EXCEPINFO; out puArgErr:^UINT);
property-get SerialNumber: BSTR;
function MoveOldLicense;
property-get VID: BSTR;
property-put PID(^BSTR);
function NewSerial: BSTR;
function CalculateCheckSum(out Serial:^BSTR): BSTR;
function ValidSerial(out Serial:^BSTR): bool;
function GenerateKey(out Serial:^BSTR): BSTR;
function ExtractPackageID(out Serial:^BSTR): BSTR;
function ValidKey(out Key:^BSTR): bool;
property-get KeyError: BSTR;
property-put Key(^BSTR);
property-get Key: BSTR;
function Licensed(out ID:^BSTR): variant;
function MatchedKey(out Key:^BSTR; out Serial:^BSTR): bool;

Solomon
April 26th, 2001, 21:45
hehe, I successfully managed to crack the full version, only a 3-byte patch.

My breakpoints are:
rtcCreateObject2 // to launch Local COM Server
__vbaLateMemCallId // call a method in the Local COM Server
__vbaBoolVar // Licensed = TRUE or FALSE?

disavowed
April 27th, 2001, 09:48
glad we could help

machgun
April 28th, 2001, 12:35
Quote:
Solomon (03-28-2001 13:14):

So I used ExeScope to examine the TypeLib of SolarWinds2000.exe. Interesting. The next step is to locate the entry point of each function through CoCreateInstance/CoInitialize/...? Seems that keygen is possible.

Class Serial;
property-get SerialNumber: BSTR;
property-get VID: BSTR;
property-put PID(^BSTR);
function NewSerial: BSTR;
function CalculateCheckSum(out Serial:^BSTR): BSTR;
function ValidSerial(out Serial:^BSTR): bool;
function GenerateKey(out Serial:^BSTR): BSTR;
function ExtractPackageID(out Serial:^BSTR): BSTR;
function ValidKey(out Key:^BSTR): bool;
property-get KeyError: BSTR;
property-put Key(^BSTR);
property-get Key: BSTR;
function Licensed(out ID:^BSTR): variant;
function MatchedKey(out Key:^BSTR; out Serial:^BSTR): bool;


I would recommend playing with this interface a little bit more (for example, CreateObject with a VBScript and run it with WSH, call all these methods and peek at all these properties, try and see what will come out) - seems to me they have a keygen embedded right in.

Solomon
April 28th, 2001, 22:30
yeah machgun, your good suggestion reminds me of the convenient way of scripting. I will try it. Several days ago I tried the C++ Builder way. I wrote a COM server with C++ Builder to replace the original SolarWinds2000.exe, but it's not easy for me to make it work correctly. I have not tried writing a COM client to call it.

BTW: The TypeLib definition produced by ExeScope is slightly different from that produced by C++ Builder though the target is the same SolarWinds2000.exe. Don't know whose bug it is.

Thanks.

Solomon
May 8th, 2001, 23:54
It works!

Just call GenerateKey( ), a valid key will be generated.

qferret
May 10th, 2001, 21:04
now that's a protection....call their own "GenerateKey()" function....they coulda just as well named it "CreateWarez()" }>

nchanta
May 13th, 2001, 07:58
on the same note as this discussion, i have been playing with a softlocx5.ocx protection...

the target uses a computer generated serial code, registration key, and an unlock code. i have keygenned the registration key (programmers own routine), but after it checks this it traces down to two __vbacalllateid calls. i have no idea what these do...

is there an easy way to trace into the code that these calls are executing ?

thanks

NchantA

Solomon
May 13th, 2001, 20:55
Hi,

Try TLBDBG. It can generate symbolic info for COM interfaces, so this may help us to locate the entry point of each method in the interfaces. It only works with In-Process servers (DLL/OCX).
h**p://w*w.microsoft.com/msj/0399/comtype/comtype.htm

regards

SirMicha
May 27th, 2001, 02:09
I'm glad to see I'm not the only one that has taken their time on this; however, I seem to be stuck. I've written a simple VBS script that will pull out most of the information from the COM object, but no serial. Anyone have any ideas?

'Simple query query.vbs
Dim comp1, myStr1

' Create the licensing COM server by its ProgID; CreateObject takes no interface argument
Set comp1 = WScript.CreateObject("SolarWinds2000.Serial")
myStr1 = comp1.GenerateKey()

WScript.Echo "Text: " & myStr1

Solomon
May 27th, 2001, 20:20
hi,
You can get the serial from the registration dialog and pass it as a parameter to GenerateKey( ). Here is my script:

'This has been tested with SolarWinds 2001 Engineering's Edition FULL version
'Usage: cscript KeyGen.vbs SerialNumber

Option Explicit

Dim SolarWinds, Serial, Key

If WScript.Arguments.Count = 0 Then

    WScript.Echo("Usage: KeyGen.vbs SerialNumber")
    WScript.Echo("Example: KeyGen.vbs SWEE-7C4-D2Z6-Y2RQ-YK56-69Y6-Y786")

Else

    Serial = WScript.Arguments.Item(0)
    ' Instantiate the licensing COM server by its ProgID (version-specific)
    Set SolarWinds = CreateObject("SolarWinds2001.Serial")

    ' The server exposes both the check and the generator on the same object
    If CBool(SolarWinds.ValidSerial(CStr(Serial))) = True Then
        Key = SolarWinds.GenerateKey(CStr(Serial))
        WScript.Echo("Your serial: " & Serial)
        WScript.Echo("Your key: " & Key)
    Else
        WScript.Echo("Your serial " & Serial & " is invalid!")
    End If

End If
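
The weakness the posts above keep pointing at is structural: the component shipped with the product carries ValidKey and GenerateKey on the same object, so whoever can call the check can also mint keys. The following is an added example, not code from any poster in this thread and not SolarWinds' own code, showing the design that avoids this: the vendor-side issuer holds an Ed25519 private key and is the only party able to produce a key, while the product ships a verifier that embeds only the public key. Names (Issuer, Verifier, GenerateKey, ValidKey) and the serial format are assumptions made for the illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"fmt"
)

// Issuer lives on the vendor's side only. It holds the private signing key,
// so it is the only component able to produce a key for a serial.
type Issuer struct {
	priv ed25519.PrivateKey
}

// Verifier is what ships inside the product. It carries only the public key:
// it can answer "is this key valid for this serial?" but cannot mint keys,
// so exposing it (as a COM object, a DLL export, whatever) leaks no keygen.
type Verifier struct {
	pub ed25519.PublicKey
}

// NewIssuer generates a fresh Ed25519 pair and returns the vendor-side
// Issuer together with the matching product-side Verifier.
func NewIssuer() (*Issuer, *Verifier, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &Issuer{priv: priv}, &Verifier{pub: pub}, nil
}

// GenerateKey signs the serial and returns the hex signature as the licence
// key. The key is bound to exactly this serial and nothing else.
func (i *Issuer) GenerateKey(serial string) string {
	sig := ed25519.Sign(i.priv, []byte(serial))
	return hex.EncodeToString(sig)
}

// ValidKey checks that key is a well-formed signature over serial made with
// the vendor's private key. Malformed input is simply an invalid key.
func (v *Verifier) ValidKey(serial, key string) bool {
	sig, err := hex.DecodeString(key)
	if err != nil || len(sig) != ed25519.SignatureSize {
		return false
	}
	return ed25519.Verify(v.pub, []byte(serial), sig)
}

func main() {
	issuer, verifier, err := NewIssuer()
	if err != nil {
		panic(err)
	}
	// Constructed sample serial; the format is illustrative only.
	serial := "SWEE-EXAMPLE-0001"
	key := issuer.GenerateKey(serial)
	fmt.Println("key:", key)
	fmt.Println("valid for its serial:", verifier.ValidKey(serial, key))
	fmt.Println("valid for another serial:", verifier.ValidKey("SWEE-EXAMPLE-0002", key))

	// A second, unrelated issuer stands in for someone who has extracted the
	// verifier: they can copy the public key and the check, but anything they
	// sign with their own private key is rejected.
	forger, _, _ := NewIssuer()
	fmt.Println("forged key accepted:", verifier.ValidKey(serial, forger.GenerateKey(serial)))
}
```

The point of the split is that reverse engineering the shipped Verifier yields only a public key and a signature check; there is no routine in the product whose output is a valid key, so the "call their own GenerateKey()" shortcut described in this thread has nothing to call.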

thriller
August 30th, 2001, 22:51
solomon. i'm interested in knowing more about this crack.
quick thing tho, is there anyway i can download 'solarwinds 2000 edition Engineering version...?????'
please write back, and let me know if u can or cannot..


goatass
August 31st, 2001, 08:00
Solomon, great work man. I've keygened an earlier version and it was the same way as it is now, but I'm sure they changed the algo a bit. I just took the keygen code out and wrote my own keygen, but your way is just as good.
If you have the extra time you should write a paper explaining your method a bit more and possibly talking about your findings on COM objects. Give us all something good to read.

good job
goatass

Solomon
September 13th, 2001, 07:42
hi thriller,

please leave your mail or drop me a mail, I will send the URL for SolarWinds 2001 EE (June 2001).

and thank you goatass for your suggestion.