http://solarwinds.net/

SolarWinds is a good network management tool package(or hacking toolkit or whatever). One of my friends asked me to reverse it.

I noticed that all the tools in this package are written in VB6. Each needs a unlock key when launched, it loads SolarWinds2000.exe to check the license code, which seems to be a ActiveX server. There is a Terminal Service Edition released by some warez group. I checked their crack. They replaced the original SolarWinds2000.exe(224KB) with a very small program(28KB). Perhaps they wrote their own ActiveX server.

I'm not a ActiveX or COM guru. Would u please give me some help? My version is "SolarWinds 2000 Professional Plus Edition", which can't be directly downloaded from their web site. I can't make the URL public here for some reason. If u r interested I can mail the URL to u. File size is 40MB.
Thx

solomon2000@gmx.net

Does anyone know which API is used in QueryInterface( )? So I can set a breakpoint. Thx

Today I get some hints when reading this security advisory:
http://razor.bindview.com/publish/advisories/adv_vbtsql.html

So I use ExeScope to examine the TypeLib of SolarWinds2000.exe. Interesting. The next step is to locate the entry point of each functions through CoCreateInstance/CoIntialize/... ? Seems that keygen is possible.

-------------------------------------------------------------------
SolarWinds2000; // SolarWinds 2000 Network Interface

Dispatch _Versions;
GUID={88ACBD6F-E6D8-4B1E-9302-599BF0D50377};
function QueryInterface(riid:^GUID; out ppvObj:^^void);
function AddRef: UI4;
function Release: UI4;
function GetTypeInfoCount(out pctinfo:^UINT);
function GetTypeInfo(itinfo:UINT; lcid:UI4; out pptinfo:^^void);
function GetIDsOfNames(riid:^GUID; rgszNames:^^I1; cNames:UINT; lcid:UI4; out rgdispid:^I4);
function Invoke(dispidMember:I4; riid:^GUID; lcid:UI4; wFlags:UI2; pdispparams:^DISPPARAMS; out pvarResult:^variant; out pexcepinfo:^EXCEPINFO; out puArgErr:^UINT);
property-get Item(out vntIndexKey:^variant): BSTR;
property-get Count: I4;
property-get NewEnum: ^IUnknown;
function LoadVersions;
function ShowVersions(out Index:^BSTR; Application_Name:BSTR; Package_ID:BSTR; DaysLeft:I2; Distributor:BSTR; Release:BSTR);
function About(out Component:^BSTR): bool;
property-get SerialNumber(out Component:^BSTR): BSTR;
property-get ComputerName: BSTR;

Class Versions;
GUID={32C50C99-5DCC-481A-A409-F85CF456A788};
function QueryInterface(riid:^GUID; out ppvObj:^^void);
function AddRef: UI4;
function Release: UI4;
function GetTypeInfoCount(out pctinfo:^UINT);
function GetTypeInfo(itinfo:UINT; lcid:UI4; out pptinfo:^^void);
function GetIDsOfNames(riid:^GUID; rgszNames:^^I1; cNames:UINT; lcid:UI4; out rgdispid:^I4);
function Invoke(dispidMember:I4; riid:^GUID; lcid:UI4; wFlags:UI2; pdispparams:^DISPPARAMS; out pvarResult:^variant; out pexcepinfo:^EXCEPINFO; out puArgErr:^UINT);
property-get Item(out vntIndexKey:^variant): BSTR;
property-get Count: I4;
property-get NewEnum: ^IUnknown;
function LoadVersions;
function ShowVersions(out Index:^BSTR; Application_Name:BSTR; Package_ID:BSTR; DaysLeft:I2; Distributor:BSTR; Release:BSTR);
function About(out Component:^BSTR): bool;
property-get SerialNumber(out Component:^BSTR): BSTR;
property-get ComputerName: BSTR;

Dispatch _Serial;
GUID={6910475C-6460-49FB-BBBB-41806D7EBF41};
function QueryInterface(riid:^GUID; out ppvObj:^^void);
function AddRef: UI4;
function Release: UI4;
function GetTypeInfoCount(out pctinfo:^UINT);
function GetTypeInfo(itinfo:UINT; lcid:UI4; out pptinfo:^^void);
function GetIDsOfNames(riid:^GUID; rgszNames:^^I1; cNames:UINT; lcid:UI4; out rgdispid:^I4);
function Invoke(dispidMember:I4; riid:^GUID; lcid:UI4; wFlags:UI2; pdispparams:^DISPPARAMS; out pvarResult:^variant; out pexcepinfo:^EXCEPINFO; out puArgErr:^UINT);
property-get SerialNumber: BSTR;
function MoveOldLicense;
property-get VID: BSTR;
property-put PID(^BSTR);
function NewSerial: BSTR;
function CalculateCheckSum(out Serial:^BSTR): BSTR;
function ValidSerial(out Serial:^BSTR): bool;
function GenerateKey(out Serial:^BSTR): BSTR;
function ExtractPackageID(out Serial:^BSTR): BSTR;
function ValidKey(out Key:^BSTR): bool;
property-get KeyError: BSTR;
property-put Key(^BSTR);
property-get Key: BSTR;
function Licensed(out ID:^BSTR): variant;
function MatchedKey(out Key:^BSTR; out Serial:^BSTR): bool;

Class Serial;
GUID={354731A4-7649-4273-B655-51796630CA4F};
function QueryInterface(riid:^GUID; out ppvObj:^^void);
function AddRef: UI4;
function Release: UI4;
function GetTypeInfoCount(out pctinfo:^UINT);
function GetTypeInfo(itinfo:UINT; lcid:UI4; out pptinfo:^^void);
function GetIDsOfNames(riid:^GUID; rgszNames:^^I1; cNames:UINT; lcid:UI4; out rgdispid:^I4);
function Invoke(dispidMember:I4; riid:^GUID; lcid:UI4; wFlags:UI2; pdispparams:^DISPPARAMS; out pvarResult:^variant; out pexcepinfo:^EXCEPINFO; out puArgErr:^UINT);
property-get SerialNumber: BSTR;
function MoveOldLicense;
property-get VID: BSTR;
property-put PID(^BSTR);
function NewSerial: BSTR;
function CalculateCheckSum(out Serial:^BSTR): BSTR;
function ValidSerial(out Serial:^BSTR): bool;
function GenerateKey(out Serial:^BSTR): BSTR;
function ExtractPackageID(out Serial:^BSTR): BSTR;
function ValidKey(out Key:^BSTR): bool;
property-get KeyError: BSTR;
property-put Key(^BSTR);
property-get Key: BSTR;
function Licensed(out ID:^BSTR): variant;
function MatchedKey(out Key:^BSTR; out Serial:^BSTR): bool;

hehe, I successfully managed to crack the full version, only a 3-byte patch.

My breakpoints are:
rtcCreateObject2 // to launch Local COM Server
__vbaLateMemCallId // call a method in the Local COM Server
__vbaBoolVar // Licensed = TRUE or FALSE?

glad we could help

I would recommend to play with this interface a little bit more (for example, CreateObject with a VBScript and run it with wsh, call all these methods and peek all these properties, try and see what will come out) - seems to me they have a keygen embedded right in.

yeah machgun, your good suggestion reminds me of the convenient way of script. I will try it. Several days ago I tried the way of C++ Builder. I wrote a COM server with C++ Builder to replace the original SolarWinds2000.exe, but it's not easy for me to let it work correctly. I have not try writing a COM client to call it.

BTW: The TypeLib definition produced by ExeScope is slightly different from that produced by C++ Builder though the target is the same SolarWinds2000.exe. Don't know whose bug it is.

Thanks.

It works!

Just call GenerateKey( ), a valid key will be generated.

now that's a protection....call their own "GenerateKey()" function....they coulda just as well named it "CreateWarez()" }>

on the same note sa this discussion, i have been playing with a softlocx5.ocx protection...

the target uses a computer generated serial code, registration key, and an unlock code. i have keygenned the registration key (programmers own routine), but after it checks this it traces down to two __vbacalllateid calls. i have no idea what these do...

is there an easy way to trace into the code that these calls are executing ?

thanks

NchantA

Hi,

Try TLBDBG. It can generate symbolic info for COM interfaces, so this may help us to locate the entry point of each method in the interfaces. It only works with In-Process servers(DLL/OCX).
h**p://w*w.microsoft.com/msj/0399/comtype/comtype.htm

regards

I'm glad to see I'm not the only one that has taken their time on this however; I seemed to be stuck. I've wrote a simple VBS script that will pullout most of the information from the COM, but no serial. Anyone have any ideas?

'Simple query query.vbs
dim comp1

set comp1 = WScript.CreateObject("Solarwinds2000.Serial", IDispatch)
myStr1 = comp1.GenerateKey()

WScript.Echo "Text: " & myStr1

hi,
You can get the serial from the registration dialog and pass it as a parameter to GenerateKey( ). Here is my script:

'This has been tested with SolarWinds 2001 Engineering's Edition FULL version

Option Explicit

Dim SolarWinds, Serial, Key

If Wscript.Arguments.Count = 0 Then

Wscript.echo("Usage: KeyGen.vbs SerialNumber"
WScript.echo("Example: KeyGen.vbs SWEE-7C4-D2Z6-Y2RQ-YK56-69Y6-Y786"
Else

Serial = Wscript.arguments.Item(0)
Set SolarWinds = CreateObject("SolarWinds2001.Serial"

If CBool(SolarWinds.ValidSerial(CStr(Serial))) = True Then
Key = SolarWinds.GenerateKey(CStr(Serial))
WScript.echo("Your serial: " & Serial)
WScript.echo("Your key: " & Key)
Else
WScript.echo("Your serial " & Serial & " is invalid!"
End If

End If

solomon. i'm intersested in knowig more about this crack.
quick thin tho, is there anyway i can download 'solarwinds 2000 edition Engineering version...?????'
please write back,,and let me knwo if u can or cannot..

Solomon, great work man. I've keygened an earlier version and it was the same way as it is now but I'm sure they changed the algo a bit. I just took the keygen code out and wrote my own keygen but your way is just as good.
If you have the extra time you should write a paper explaining your method a bit more and possiblly talking about your findings on COM objects. Give us all something good to read

good job
goatass

hi thriller,

please leave your mail or drop me a mail, I will send the URL for SolarWinds 2001 EE(June 2001).

and thank you goatass for your suggestion.