Log in

View Full Version : public-key based Delphi components protection: SLockPK


Solomon
May 10th, 2002, 04:57
here is the component:
h**p://www.crypto-central.com/slock/slock_pk.html

and it is used by this baby(Beyond Compare 2.0):
h**p://www.scootersoftware.com/bc20beta.exe

I have not figure out how to patch it.

Lbolt99
May 11th, 2002, 05:05
I saw someone talking about this in one of the usenet groups.. basically the general consensus there is that ASPR and SlockPK are the best protectors..

Found them by doing a search for ASprotect on google groups (dejanews for the old-schoolers , just for kicks when I was bored, just to see what people were talking about..

found lots of bragging about asprotect and all cracks etc stopping after the authors switched. Downloaded most of them (helpjotter, system cleaner, handy productions stuff, etc), no problem cracking

Is ASPR really that hard? that it stops most crackers in their tracks?

Found SlockPK discussion too. several people were praising it.

Going to take a look at it this weekend. BTW where are you stuck at? were you able to get it unpacked? (Not sure if it's even a "packer" like ASPR"

BTW one funny thread I found was one titled "Playing dirty" in the alt.comp.shareware.authors newsgroup. Aparantly Alexey has been promoting asprotect by emailing ppl recommending other protections (armadillo, etc) and sending them the crack

Solomon
May 11th, 2002, 05:39
hehe, interesting about Alex

I have read the documents of SLockPK and the header file "slock.hpp" in its SDK. This header file reveals most of the secrets. The EXE hash calculation is done in GetHashSelf( ) and it may be defeated just like what I did with CommView 3.0. The certificate check is in CheckProtectionCore( ). I will try to patch this with a disassembling of slock.obj.

If the shareware author puts a key in the certificate, then use this key to decrypt some code/data in their software(just as what Alex does), it may be hard to defeat without a valid certificate.

goatass
May 13th, 2002, 13:57
I took a quick look at this program and it doesn't look too bad. It uses RSA for the certificates. The values you see in the license file are encoded in some lame coder. The best thing is that the certificate builder is written in Delphi so with DeDe you can decompile it and figure out everything they do pretty easily.

I'm gonna look at it some more today when I get the chance.

goatass

goatass
May 15th, 2002, 00:54
OK, after looking more into it it's not as lame as I initially thought. The entries in the file are encrypted with RC4, some with a static password and some with the hash of the username as the password. It uses RSA 384 I think for the certificates. I have to do some more work to figure out how it generates the public key and understand the RNG it uses.

Solomon, how did you get the SDK? can I get a copy of it from you?

goatass

Solomon
May 15th, 2002, 12:53
thx goatass for your help.

It is RSA-1024 mentioned in their web page. The trial version of this component can be d/l from their web for free. But the certificate builder itself in this trial will not work without a valid certificate.

There is sth wrong with my ISP, so I will lose connection to this forum for a few weeks.

goatass
May 15th, 2002, 23:09
ok I knew it was the stronger RSA, I can never figure out how many bits it is. When I get some more time I'll continue working on it. If anyone else with more crypto knowledge would like to help us out that would be great.

goatass

Solomon
August 5th, 2002, 14:08
Now Beyond Compare v2.0 is successfully patched. No need to reverse the algo, just patch the 30-day time check

Lbolt99
August 5th, 2002, 20:20
I just downloaded it, this looks pretty interesting. As goatass said, it loads into Dede (!!)

gutica
August 6th, 2005, 09:01
Well, I look at SlockPk sometimes ago (some program I use is protected with it). Basicly, You need to patch return values from CheckProtection (I think CheckProtectionCore too) to get appropiate values (don't remember values, think 3 - registered). In their help file (SlockPK) there are explanation of functions they use. So just study functions they use in program and patch values they return. It's for simple programms, I didn't find programms which encrypt portion of code with SlockPK, so I can't talk about reversing them.
Greets !
Gutica

nikolatesla20
August 6th, 2005, 10:04
Holy cow a resurrection of the dead !

Speaking of Beyond Compare, my company uses it for everything nowdays..

-nt

gutica
August 6th, 2005, 10:12
Ha, ha, ha .. Nice Nikola Tesla (well, my favorite scientist, also from my motherland). To correct my previous post, CheckProtection return value 3 if RegistrationCertificate found. GetStatus return 3 if You are registered, GetExtendedStatus return 7 if registration certificate is found and application is registered, Isregistered same as GetStatus, and so on ... Yes, there are more functions (methods, properties) which You can examine, but why attack protection where is strongest (decode and encode certificate) instead of weakest point ?
Greets to all,
Gutica

SKiLLa
June 2nd, 2006, 11:29
just defeated a (PECompact 2.x +) SLockPK 3.0 protected tool and yes, it's easy ... couldn't find the obvious 'CheckProtection' names, but the license-status IDs are all over the place The author's website also talks about 'protects program integrity', but I haven't noticed that

Just patching in some fixed '3' status and NOPping some routines was quite painless ...thought I'd inform you guys about it, since I also found some topics/sites rating it 'as good as ASPRotect' and that's absolutely not the case.

PS: 2nd resurrection for this thread

The_Elysian
July 4th, 2006, 05:11
Hello fellow-reversers! First post and alreadt a question:

I am also trying to break a slockpk protected target, but I can't find the mentioned function names anywhere. Can you tell me how to find where to find references to these function?

Thanks a lot!

SKiLLa
July 4th, 2006, 06:52
Well I don't have my notes here and my target also didn't have the obvious function-names mentioned earlier in this thread, but as a hint:

Look for functions (calls) which return [EAX] (AL ?) = 1, I believe 1 is 'non-expired trial', 2 is 'expired trial', '3 = registered'. Please also note that there are 'extended statuses with the range [1, 7]. Don't recall which is the 'goodboy' status in that case (7 ?).

There is this obvious routine with a loop modifying & comparing EAX & EBX (from just above 0 (000 0xxx) to just below 0 (= FFFF Fxxx) the whole time, it's quite different from most other code. If you spot that routine you know you're close.

Perhaps I still have my notes somewhere at home, just let me know if you want them

The_Elysian
July 4th, 2006, 08:02
Wow! Thanks for the quick answer
Well, in this case it's not that easy I guess...
The target has a filesize around 8,5Mb and is written in Delphi 6. I used DeDe to analyse the thing, but it cannot analyse the protection routines. I also used IDA (with vcl6 sigs) and Olly to see what's going on. I found some references in the dead listing to protection stuff, but when I hex edit the file I get a dialog stating that this program is of a newer version and has to be registered again (so even the trial period won't work anymore).
My guess is that all the protection routines are part of the program but are unpacked somehow. This is based on the fact that some of the error messages cannot be found anywhere in the dead listings (yet all the other strings from the program itself do), and on the fact that there's some kind of modification check.
I tried to break on the GetFileSize API calls, but so much are made that it is pointless.
So my target is quite difficult to tame (well, at least for a recreational reverser like me ).

Looking forward for more pointers,

The Elysian.

The_Elysian
July 5th, 2006, 06:33
Could it be you patched an older version? I discovered a lot of security 'hooks', but when I change one the program doesnt start anymore (an error is displayed). I downloaded the trial sdk of slockpk from their website and saw this snippet:

Quote:

As mentioned previously, you can in theory patch anything to anything else. In its simplest form, the attacker changes a jump instruction so that the an unregistered application becomes registered – a simple one byte change which registers your application. SLockPK provides protection against this by using the cryptographic hash (which is similar to a checksum) of the executable file (using the SHA algorithm) and then combines this with the Certificate before trying to decrypt it. The result of the combination of the cryptographic hash with the Certificate can be decrypted, because this operation undoes the operation you perform in the Certificate Builder while creating the Certificate. Any change in the executable will immediately invalidate the Certificate and it can no longer be decrypted.

This means that the attacker can not hack the application “bit by bit”, which is the usual way that an attack is performed. Instead the attacker must immediately produce a complete crack at once. This will obviously not happen.

SLockPK also implements a “time-out” in the decryption of the Certificate. If the process takes too long – for example if a program is being debugged – the decryption of the Certificate will produce incorrect results.


I'll continue my research and when I get additional info I'll let you know. Tips and suggestions are always welcome ofcourse

gutica
July 8th, 2006, 16:05
A little help from Slock help file :

"CheckProtection

(SLock and SLockPK)

This is the main trigger for SLock, and will usually be called from the 'Form Create' Event of the main form in the application and triggers the processing of the registration information. This method must be called, or SLockPK will take no action and have no way to protect your application.

CheckProtection checks the Certificate for validity, and if the Certificate is valid, loads the information from the Certificate into the internal variables of SLockPK. If the Certificate is not found or is invalid, SLockPK triggers the OnNoInitCert event to tell the user that it requires a certificate before it can proceed. The further processing depends on the status of the Certificate.
"

" "

The_Elysian
August 2nd, 2006, 09:13
Yeah, I've seen the documentation. I can't find that function name in IDA however. I used DeDe to find the functions in the formCreate events of the splash form and the registrationform and tried to disable those functions... But then a message appears that another version of the software is installed.

This is a very difficult target. When an internet connection is available it uses time servers to verify the system date. So I disabled that. Then I set the date forward and the target did not work anymore. Then I set the date back and it still did not work. I used a file and registry spy but no results... Very tricky stuff. It is software based on subscriptions per year handled by SlockPK. I even tried to remove that time checking from an original bought license but I cannot get it to work. There's little references to slockpk cracked apps by others. *sigh*
But I will not give up Any other suggestions?

Thanks!

gutica
August 2nd, 2006, 15:02
Well, my guess is that you dealing with Certificate server (from slockpk help file about certificate server : ... The Certificate Server tells your application what the date is. This stops “clock tamperers” from messing with the trial period by playing with the clock...). Check documentation about conversation between server and application, to see what is valid responses (ie. LoadCertURL ... "If the communication with the Certificate Server was successful, the method returns a result of “True”, otherwise the result is “False”".). Send me url of application, 'couse I'm interested in that kind of Slock protection.
Greetings,
Gutica

The_Elysian
August 3rd, 2006, 04:02
Well, I think the protection uses more tricks... I used a personal firewall (sunbelt) to block all communications from the target to the internet. So I'm sure there hasn't been any communication between slockpk and it's certificate server.
The program is here:
<REMOVED>
Unfortunatelly it's only in Dutch, but I think it's easy to understand, apparently contrary to the FAQ of this place. Once installed it will create a temporary license automatically for 30 days.
Thanks for the help!

The_Elysian
August 4th, 2006, 04:11
Damn, I'm sorry... Won't do it again

DeViaN
April 30th, 2007, 13:26
Sorry fo ressurecting this topic But do anybody know about this protection more ??? Can anybody tell me any tips and tricks how to break this protection ?
Thank you guys

JMI
April 30th, 2007, 13:31
If you've actually READ THE FRIGGIN FAQ, how about you tell US what YOU have done to attempt to find the answer to YOUR question, besides revive this more than year old Thread??????

This is not a Kindergarten for folks too lazy to do their own homework! If you are NOT too lazy, then actually READ THE FAQ and provide the information you are supposed to post with a proper question of this type.

Regards,

DeViaN
April 30th, 2007, 16:38
I am sorry I"ll explain that problem more.... Problem is that I cannot patched it normally,code is changed when program is launched and when I just changed some jumps or something noped,then another procedure wont work.

Program is loaded and checked step by step ,when I tried to patch nag screen then whole program wont work because that code to show nag screen was used exactly same as to show main form.

Or if I patched something then many functions are not accessible,many buttons were invisible.

I used DeDe to analyse that procedures but It didnt help me too much.

Ill explain it much more tomorrow,good night.