Help: An interesting ActiveX Server protection used by SolarWinds 2000
Solomon
February 16th, 2001, 02:30
http://solarwinds.net/
SolarWinds is a good network management tool package (or hacking toolkit or whatever). One of my friends asked me to reverse it.
I noticed that all the tools in this package are written in VB6. Each needs an unlock key when launched; it loads SolarWinds2000.exe to check the license code, which seems to be an ActiveX server. There is a Terminal Service Edition released by some warez group. I checked their crack. They replaced the original SolarWinds2000.exe (224KB) with a very small program (28KB). Perhaps they wrote their own ActiveX server.
I'm not an ActiveX or COM guru. Would u please give me some help? My version is "SolarWinds 2000 Professional Plus Edition", which can't be directly downloaded from their web site. I can't make the URL public here for some reason. If u r interested I can mail the URL to u. File size is 40MB.
Thx
solomon2000@gmx.net
Solomon
February 17th, 2001, 02:13
Does anyone know which API is used in QueryInterface( )? So I can set a breakpoint. Thx
Solomon
March 29th, 2001, 00:14
Today I get some hints when reading this security advisory:
http://razor.bindview.com/publish/advisories/adv_vbtsql.html
So I use ExeScope to examine the TypeLib of SolarWinds2000.exe. Interesting. The next step is to locate the entry point of each function through CoCreateInstance/CoInitialize/... ? Seems that keygen is possible.
-------------------------------------------------------------------
SolarWinds2000; // SolarWinds 2000 Network Interface
Dispatch _Versions;
GUID={88ACBD6F-E6D8-4B1E-9302-599BF0D50377};
function QueryInterface(riid:^GUID; out ppvObj:^^void);
function AddRef: UI4;
function Release: UI4;
function GetTypeInfoCount(out pctinfo:^UINT);
function GetTypeInfo(itinfo:UINT; lcid:UI4; out pptinfo:^^void);
function GetIDsOfNames(riid:^GUID; rgszNames:^^I1; cNames:UINT; lcid:UI4; out rgdispid:^I4);
function Invoke(dispidMember:I4; riid:^GUID; lcid:UI4; wFlags:UI2; pdispparams:^DISPPARAMS; out pvarResult:^variant; out pexcepinfo:^EXCEPINFO; out puArgErr:^UINT);
property-get Item(out vntIndexKey:^variant): BSTR;
property-get Count: I4;
property-get NewEnum: ^IUnknown;
function LoadVersions;
function ShowVersions(out Index:^BSTR; Application_Name:BSTR; Package_ID:BSTR; DaysLeft:I2; Distributor:BSTR; Release:BSTR);
function About(out Component:^BSTR): bool;
property-get SerialNumber(out Component:^BSTR): BSTR;
property-get ComputerName: BSTR;
Class Versions;
GUID={32C50C99-5DCC-481A-A409-F85CF456A788};
function QueryInterface(riid:^GUID; out ppvObj:^^void);
function AddRef: UI4;
function Release: UI4;
function GetTypeInfoCount(out pctinfo:^UINT);
function GetTypeInfo(itinfo:UINT; lcid:UI4; out pptinfo:^^void);
function GetIDsOfNames(riid:^GUID; rgszNames:^^I1; cNames:UINT; lcid:UI4; out rgdispid:^I4);
function Invoke(dispidMember:I4; riid:^GUID; lcid:UI4; wFlags:UI2; pdispparams:^DISPPARAMS; out pvarResult:^variant; out pexcepinfo:^EXCEPINFO; out puArgErr:^UINT);
property-get Item(out vntIndexKey:^variant): BSTR;
property-get Count: I4;
property-get NewEnum: ^IUnknown;
function LoadVersions;
function ShowVersions(out Index:^BSTR; Application_Name:BSTR; Package_ID:BSTR; DaysLeft:I2; Distributor:BSTR; Release:BSTR);
function About(out Component:^BSTR): bool;
property-get SerialNumber(out Component:^BSTR): BSTR;
property-get ComputerName: BSTR;
Dispatch _Serial;
GUID={6910475C-6460-49FB-BBBB-41806D7EBF41};
function QueryInterface(riid:^GUID; out ppvObj:^^void);
function AddRef: UI4;
function Release: UI4;
function GetTypeInfoCount(out pctinfo:^UINT);
function GetTypeInfo(itinfo:UINT; lcid:UI4; out pptinfo:^^void);
function GetIDsOfNames(riid:^GUID; rgszNames:^^I1; cNames:UINT; lcid:UI4; out rgdispid:^I4);
function Invoke(dispidMember:I4; riid:^GUID; lcid:UI4; wFlags:UI2; pdispparams:^DISPPARAMS; out pvarResult:^variant; out pexcepinfo:^EXCEPINFO; out puArgErr:^UINT);
property-get SerialNumber: BSTR;
function MoveOldLicense;
property-get VID: BSTR;
property-put PID(^BSTR);
function NewSerial: BSTR;
function CalculateCheckSum(out Serial:^BSTR): BSTR;
function ValidSerial(out Serial:^BSTR): bool;
function GenerateKey(out Serial:^BSTR): BSTR;
function ExtractPackageID(out Serial:^BSTR): BSTR;
function ValidKey(out Key:^BSTR): bool;
property-get KeyError: BSTR;
property-put Key(^BSTR);
property-get Key: BSTR;
function Licensed(out ID:^BSTR): variant;
function MatchedKey(out Key:^BSTR; out Serial:^BSTR): bool;
Class Serial;
GUID={354731A4-7649-4273-B655-51796630CA4F};
function QueryInterface(riid:^GUID; out ppvObj:^^void);
function AddRef: UI4;
function Release: UI4;
function GetTypeInfoCount(out pctinfo:^UINT);
function GetTypeInfo(itinfo:UINT; lcid:UI4; out pptinfo:^^void);
function GetIDsOfNames(riid:^GUID; rgszNames:^^I1; cNames:UINT; lcid:UI4; out rgdispid:^I4);
function Invoke(dispidMember:I4; riid:^GUID; lcid:UI4; wFlags:UI2; pdispparams:^DISPPARAMS; out pvarResult:^variant; out pexcepinfo:^EXCEPINFO; out puArgErr:^UINT);
property-get SerialNumber: BSTR;
function MoveOldLicense;
property-get VID: BSTR;
property-put PID(^BSTR);
function NewSerial: BSTR;
function CalculateCheckSum(out Serial:^BSTR): BSTR;
function ValidSerial(out Serial:^BSTR): bool;
function GenerateKey(out Serial:^BSTR): BSTR;
function ExtractPackageID(out Serial:^BSTR): BSTR;
function ValidKey(out Key:^BSTR): bool;
property-get KeyError: BSTR;
property-put Key(^BSTR);
property-get Key: BSTR;
function Licensed(out ID:^BSTR): variant;
function MatchedKey(out Key:^BSTR; out Serial:^BSTR): bool;
Solomon
April 26th, 2001, 21:45
hehe, I successfully managed to crack the full version, only a 3-byte patch.
My breakpoints are:
rtcCreateObject2 // to launch Local COM Server
__vbaLateMemCallId // call a method in the Local COM Server
__vbaBoolVar // Licensed = TRUE or FALSE?
disavowed
April 27th, 2001, 09:48
glad we could help

machgun
April 28th, 2001, 12:35
Quote:
Solomon (03-28-2001 13:14):
So I use ExeScope to examine the TypeLib of SolarWinds2000.exe. Interesting. The next step is to locate the entry point of each function through CoCreateInstance/CoInitialize/... ? Seems that keygen is possible.
Class Serial;
property-get SerialNumber: BSTR;
property-get VID: BSTR;
property-put PID(^BSTR);
function NewSerial: BSTR;
function CalculateCheckSum(out Serial:^BSTR): BSTR;
function ValidSerial(out Serial:^BSTR): bool;
function GenerateKey(out Serial:^BSTR): BSTR;
function ExtractPackageID(out Serial:^BSTR): BSTR;
function ValidKey(out Key:^BSTR): bool;
property-get KeyError: BSTR;
property-put Key(^BSTR);
property-get Key: BSTR;
function Licensed(out ID:^BSTR): variant;
function MatchedKey(out Key:^BSTR; out Serial:^BSTR): bool;
I would recommend to play with this interface a little bit more (for example, CreateObject with a VBScript and run it with wsh, call all these methods and peek all these properties, try and see what will come out) - seems to me they have a keygen embedded right in.

Solomon
April 28th, 2001, 22:30
yeah machgun, your good suggestion reminds me of the convenient way of script. I will try it. Several days ago I tried the way of C++ Builder. I wrote a COM server with C++ Builder to replace the original SolarWinds2000.exe, but it's not easy for me to let it work correctly. I have not tried writing a COM client to call it.
BTW: The TypeLib definition produced by ExeScope is slightly different from that produced by C++ Builder though the target is the same SolarWinds2000.exe. Don't know whose bug it is.
Thanks.
Solomon
May 8th, 2001, 23:54
It works!
Just call GenerateKey( ), a valid key will be generated.
qferret
May 10th, 2001, 21:04
now that's a protection....call their own "GenerateKey()" function....they coulda just as well named it "CreateWarez()" }>
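The flaw the thread arrives at, a client-side licence server that exposes its own key-issuing methods over IDispatch, can be caught from the vendor side by auditing a type-library dump before release. The following is an added example, not part of the thread: it parses the ExeScope-style listing format shown above and flags string-returning methods whose names suggest they issue licence material (the name-prefix heuristic and all function names here are assumptions).

```python
import re

# IUnknown/IDispatch plumbing that every automation interface carries.
PLUMBING = {"QueryInterface", "AddRef", "Release", "GetTypeInfoCount",
            "GetTypeInfo", "GetIDsOfNames", "Invoke"}
# Assumed heuristic: name prefixes that suggest a method issues licence material.
ISSUING = re.compile(r"^(Generate|New|Calculate|Create|Make)", re.I)
HEADER = re.compile(r"^(Dispatch|Class)\s+(\w+);")
GUID = re.compile(r"^GUID=\{([0-9A-Fa-f-]{36})\};")
MEMBER = re.compile(
    r"^(function|property-get|property-put)\s+(\w+)(?:\((.*)\))?(?::\s*(\^?\w+))?;")

# Shortened excerpt of the listing posted in this thread.
SAMPLE = """\
Dispatch _Versions;
GUID={88ACBD6F-E6D8-4B1E-9302-599BF0D50377};
function QueryInterface(riid:^GUID; out ppvObj:^^void);
property-get NewEnum: ^IUnknown;
function LoadVersions;
function About(out Component:^BSTR): bool;
Dispatch _Serial;
GUID={6910475C-6460-49FB-BBBB-41806D7EBF41};
function NewSerial: BSTR;
function CalculateCheckSum(out Serial:^BSTR): BSTR;
function ValidSerial(out Serial:^BSTR): bool;
function GenerateKey(out Serial:^BSTR): BSTR;
function ExtractPackageID(out Serial:^BSTR): BSTR;
function MatchedKey(out Key:^BSTR; out Serial:^BSTR): bool;
"""

def parse_typelib_dump(text):
    """Return [{kind, name, guid, members}] for each interface/class in the dump."""
    entries, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if (m := HEADER.match(line)):
            cur = {"kind": m[1], "name": m[2], "guid": None, "members": []}
            entries.append(cur)
        elif cur is not None and (m := GUID.match(line)):
            cur["guid"] = m[1]
        elif cur is not None and (m := MEMBER.match(line)) and m[2] not in PLUMBING:
            cur["members"].append(
                {"kind": m[1], "name": m[2], "params": m[3] or "", "returns": m[4]})
    return entries

def issuing_members(entries):
    """(interface, method) pairs that return a string and are named like an issuer."""
    return [(e["name"], mem["name"]) for e in entries for mem in e["members"]
            if mem["kind"] == "function" and mem["returns"] == "BSTR"
            and ISSUING.match(mem["name"])]

if __name__ == "__main__":
    for iface, method in issuing_members(parse_typelib_dump(SAMPLE)):
        print(f"review before release: {iface}.{method} returns a string to any COM client")
```

Verification-style members such as ValidSerial and MatchedKey are not flagged because they return only a boolean; a component shipped to customers should need nothing more than those.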
nchanta
May 13th, 2001, 07:58
on the same note as this discussion, i have been playing with a softlocx5.ocx protection...
the target uses a computer generated serial code, registration key, and an unlock code. i have keygenned the registration key (programmers own routine), but after it checks this it traces down to two __vbacalllateid calls. i have no idea what these do...
is there an easy way to trace into the code that these calls are executing ?
thanks
NchantA
Solomon
May 13th, 2001, 20:55
Hi,
Try TLBDBG. It can generate symbolic info for COM interfaces, so this may help us to locate the entry point of each method in the interfaces. It only works with In-Process servers(DLL/OCX).
h**p://w*w.microsoft.com/msj/0399/comtype/comtype.htm
regards
SirMicha
May 27th, 2001, 02:09
I'm glad to see I'm not the only one that has taken their time on this; however, I seem to be stuck. I've written a simple VBS script that will pull out most of the information from the COM, but no serial. Anyone have any ideas?
'Simple query query.vbs
dim comp1
set comp1 = WScript.CreateObject("Solarwinds2000.Serial", IDispatch)
myStr1 = comp1.GenerateKey()
WScript.Echo "Text: " & myStr1
Solomon
May 27th, 2001, 20:20
hi,
You can get the serial from the registration dialog and pass it as a parameter to GenerateKey( ). Here is my script:
'This has been tested with SolarWinds 2001 Engineering's Edition FULL version
Option Explicit
Dim SolarWinds, Serial, Key
If Wscript.Arguments.Count = 0 Then
    Wscript.echo("Usage: KeyGen.vbs SerialNumber")
    WScript.echo("Example: KeyGen.vbs SWEE-7C4-D2Z6-Y2RQ-YK56-69Y6-Y786")
Else
    Serial = Wscript.arguments.Item(0)
    Set SolarWinds = CreateObject("SolarWinds2001.Serial")
    If CBool(SolarWinds.ValidSerial(CStr(Serial))) = True Then
        Key = SolarWinds.GenerateKey(CStr(Serial))
        WScript.echo("Your serial: " & Serial)
        WScript.echo("Your key: " & Key)
    Else
        WScript.echo("Your serial " & Serial & " is invalid!")
    End If
End If
thriller
August 30th, 2001, 22:51
solomon. i'm interested in knowing more about this crack.
quick thing tho, is there any way i can download 'solarwinds 2000 edition Engineering version...?????'
please write back, and let me know if u can or cannot..
Quote:
Solomon (02-15-2001 23:30):
http://solarwinds.net/
SolarWinds is a good network management tool package (or hacking toolkit or whatever). One of my friends asked me to reverse it.
I noticed that all the tools in this package are written in VB6. Each needs an unlock key when launched; it loads SolarWinds2000.exe to check the license code, which seems to be an ActiveX server. There is a Terminal Service Edition released by some warez group. I checked their crack. They replaced the original SolarWinds2000.exe (224KB) with a very small program (28KB). Perhaps they wrote their own ActiveX server.
I'm not an ActiveX or COM guru. Would u please give me some help? My version is "SolarWinds 2000 Professional Plus Edition", which can't be directly downloaded from their web site. I can't make the URL public here for some reason. If u r interested I can mail the URL to u. File size is 40MB.
Thx
solomon2000@gmx.net
goatass
August 31st, 2001, 08:00
Solomon, great work man. I've keygened an earlier version and it was the same way as it is now but I'm sure they changed the algo a bit. I just took the keygen code out and wrote my own keygen but your way is just as good.
If you have the extra time you should write a paper explaining your method a bit more and possibly talking about your findings on COM objects. Give us all something good to read
good job
goatass
Solomon
September 13th, 2001, 07:42
hi thriller,
please leave your mail or drop me a mail, I will send the URL for SolarWinds 2001 EE(June 2001).
and thank you goatass for your suggestion.