Sentinel License Manager Cracking
Cracking the SentinelLM protected program Delphi v5.0 trial

22-Nov-2000

by CyberHeg

This essay will provide the reader with the knowledge required to defeat the SentinelLM shell.

Rating

( )Beginner (X)Intermediate ( )Advanced ( )Expert

The target audience for this essay is reasonably experienced crackers who wish to generate keys for Sentinel License Manager protected products.


No more Rainbow Trials
Cracking the SentinelLM protected program Delphi v5.0 trial
Written by CyberHeg

Introduction

Using the essay "Rainbow trials Delphi five enterprise trial edition by macilaci" as background, we will study an easier and better method than patching for making this program work.

Tools required

A cracked version of Wlscgen.exe (which is a part of the SentinelLM SDK) or a meter key, the SentinelLM SDK, IDA v4.04+, SoftICE v4.05, filemon and the SentinelLM flirt sigs for IDA.

Target's URL/FTP

http://www.borland.com and http://www.rainbow.com

Program History

Uncertain - this appears to be a descendant of the earlier Sentinel License Manager and the Elan License Manager. The models for licensing appear to come from the ancient "netls" package, but the key generation appears to be totally different. Delphi - you all know what it is.

Essay

SentinelLM licensing is very similar to FLEXlm. It also has both features and version numbers which are needed in order to make licenses. Instead of seed codes each vendor gets a Vendor ID which is encoded into the installation serial of the SDK. This Vendor ID is the return value of the function computevendorcode() which is built into every application.

There are two ways for a developer to protect a program: the custom API implementation or the SentinelLM Shell. With the custom implementation you add the protection directly into the source code, while with the Shell the file(s) get packed and a shell surrounds them. With the Shell there is also a Client Activator, which is a VBox type screen. With this protection you have access to various options that allow end users to try out the program, such as demo mode, a time limited trial, or the option to unlock the program completely by supplying a valid license code. SentinelLM is very easy to adjust for your needs.

When running the Delphi installer we see that it wants a serial number to get the installation going. I won't comment on this as it is not really interesting for this project. Either fix it yourself or read Nolan Blender's essay on how it can be done. After installation we run the program, which starts up the executable delphi32.exe. It will show up with a VBox type screen, the Client Activator. You have the option to try out the program, and doing so will of course start up the real program. As macilaci also concluded, this program is packed, and since it uses the Client Activator too, we know by now that the SentinelLM Shell was used as the protection.

Loading the program with filemon running in the background shows that it reads the file lservrc before the Client Activator shows up. This is not really surprising as the default filename of the SentinelLM license file is lservrc. Opening the file with notepad gave me this result :-

---------------------
#Lic for Delphi 5 RTM, expires on Jun 31, 2002
0904167652371261
---------------------

We see here that it uses some kind of license file. We will explore the key later, but for now we will only concentrate on the information needed to make a new license file. Looking at this key shows that it's encrypted, as we can't see any meaningful info in those numbers. It is a short key, since a long key would be about 3 times the length and standalone. Reading the SentinelLM SDK manual we know that short keys are checked out by the API LSRequest(). Here is the description of LSRequest() :-

LS_STATUS_CODE LSRequest (
  unsigned char *licenseSystem,
  unsigned char *publisherName,
  unsigned char *featureName,
  unsigned char *version,
  unsigned long *unitsReqd,
  unsigned char *logComment,
  LS_CHALLENGE *challenge,
  LS_HANDLE *lshandle);

We now disassemble delphi32.exe using IDA and apply the static flirt sig. Once it's done we will see that the sig identified many functions. We now make a map file and convert it for use with Symbol Loader, and we are ready to explore. By setting a breakpoint on _LSRequest we will see it break a few times. Here is one of the queries explained :-

:00493130 mov edx, [eax]
:00493132 push edx ; *lshandle
:00493133 mov edx, [eax+4]
:00493136 push edx ; *challenge
:00493137 mov edx, [eax+8]
:0049313A push edx ; *logComment
:0049313B mov edx, [eax+0Ch]
:0049313E push edx ; *unitsReqd
:0049313F mov edx, [eax+10h]
:00493142 push edx ; *version
:00493143 mov edx, [eax+14h]
:00493146 push edx ; *featureName
:00493147 mov edx, [eax+18h]
:0049314A push edx ; *publisherName
:0049314B mov eax, [ebx]
:0049314D push eax ; *licenseSystem
:0049314E call dword ptr [ecx] ; _LSRequest

By checking out what gets pushed onto the stack we will see that most of the arguments are NULL pointers. This is because short licenses have fewer options to choose from. Doing this for all of the license queries gives us the features "02" and "45". Now we need to find the Vendor ID, otherwise our licenses won't carry the ID of the program. The licenses require the same Vendor ID as the program in order to work.
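The argument recovery above is mechanical: the call pushes its arguments right to left, so the last push is the first parameter of the documented prototype. The following Python script is an added example (not part of the original essay and not SentinelLM SDK code) that automates exactly that pairing: it reads the parameter names out of the LSRequest prototype as printed above, walks the disassembly listing remembering what was last moved into each register, and pairs the pushes with the parameters in reverse order. The listing and prototype are embedded as constructed copies of the text above; the author's `; *name` annotations are kept so the derived mapping can be checked against them. Function names such as `map_stack_arguments` are my own.

```python
import re

# Constructed from the essay: the LSRequest prototype as the SDK manual prints it.
LSREQUEST_PROTOTYPE = """
LS_STATUS_CODE LSRequest (
  unsigned char *licenseSystem,
  unsigned char *publisherName,
  unsigned char *featureName,
  unsigned char *version,
  unsigned long *unitsReqd,
  unsigned char *logComment,
  LS_CHALLENGE *challenge,
  LS_HANDLE *lshandle);
"""

# Constructed from the essay: the disassembled call site. The annotations after ';'
# are the author's; the code below derives them independently and compares.
CALL_SITE = """
:00493130 mov edx, [eax]
:00493132 push edx ; *lshandle
:00493133 mov edx, [eax+4]
:00493136 push edx ; *challenge
:00493137 mov edx, [eax+8]
:0049313A push edx ; *logComment
:0049313B mov edx, [eax+0Ch]
:0049313E push edx ; *unitsReqd
:0049313F mov edx, [eax+10h]
:00493142 push edx ; *version
:00493143 mov edx, [eax+14h]
:00493146 push edx ; *featureName
:00493147 mov edx, [eax+18h]
:0049314A push edx ; *publisherName
:0049314B mov eax, [ebx]
:0049314D push eax ; *licenseSystem
:0049314E call dword ptr [ecx] ; _LSRequest
"""


def parse_parameters(prototype):
    """Parameter names in declaration order, read from the C prototype text."""
    body = prototype[prototype.index("(") + 1:prototype.rindex(")")]
    names = []
    for decl in body.split(","):
        decl = decl.strip()
        if decl:
            # The last token is the name; drop the pointer star in front of it.
            names.append(decl.split()[-1].lstrip("*"))
    return names


def parse_pushes(listing):
    """Walk the listing, remember the last value moved into each register, and
    record (address, expression actually pushed, annotation) for every push."""
    last_mov, pushes = {}, []
    for line in listing.splitlines():
        m = re.match(r":([0-9A-Fa-f]+)\s+(mov|push)\s+([^;]*)(?:;\s*(.*))?", line.strip())
        if not m:
            continue  # labels, calls and blank lines are not relevant here
        addr, op, operands, note = m.groups()
        operands = operands.strip()
        if op == "mov":
            dst, src = (p.strip() for p in operands.split(",", 1))
            last_mov[dst] = src
        else:
            # A push of a register pushes whatever was last loaded into it.
            pushes.append((addr, last_mov.get(operands, operands), (note or "").strip()))
    return pushes


def map_stack_arguments(prototype, listing):
    """Arguments are pushed right-to-left (stdcall/cdecl), so the last push is
    the first parameter. Pair each push with its parameter name."""
    params = parse_parameters(prototype)
    pushes = parse_pushes(listing)
    if len(pushes) != len(params):
        raise ValueError(f"{len(pushes)} pushes for {len(params)} parameters")
    return [
        {"addr": addr, "value": value, "param": name, "annotation": note}
        for (addr, value, note), name in zip(pushes, reversed(params))
    ]


def annotations_agree(mapping):
    """True when every derived parameter name matches the listing's annotation."""
    return all(m["annotation"] == "*" + m["param"] for m in mapping)


if __name__ == "__main__":
    for entry in map_stack_arguments(LSREQUEST_PROTOTYPE, CALL_SITE):
        print(f"{entry['addr']}  {entry['value']:<10} -> {entry['param']}")
    print("annotations agree:", annotations_agree(LSREQUEST_PROTOTYPE and
                                                  map_stack_arguments(LSREQUEST_PROTOTYPE, CALL_SITE)))
```

The same pairing works for any stdcall or cdecl call site once the prototype is known; a mismatch between push count and parameter count is the first sign that the call has been misidentified.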

We set a breakpoint on _computevendorcode and run the program once more. The return code in eax is 0x9CF, and this is the Vendor ID for this program/company. Now we have all the information needed to make licenses with Wlscgen. I explained most of the license details above, and of course we choose to make it non-expiring and non-nodelocked. Using the EDI pointer at 41F0C0 at the license generation stage (described more carefully in an essay by Nolan Blender) we can mark our licenses with the specific Vendor ID.

We now have two license keys, which we place in lservrc, removing the original one. Run the program again and we will see that both _LSRequest calls give a return code of zero as required, meaning LS_SUCCESS. But now we won't see the Client Activator anymore. Why? It should come up if it was a trial version, shouldn't it? Let's explore the license key which was supplied. In the SentinelLM SDK there is a program named lsdecode which is used for license decoding. It does not show all information, such as challenge/response and Vendor ID, as this could be abused even by someone with no skills, but for our needs it is sufficient. Let's run this on the key which was already supplied by Borland :-

---------------------
     SentinelLM 7.1.0 License Decoding Utility
  Copyright (C) 2000 Rainbow Technologies, Inc.

Reading license codes from file: "C:\Program Files\Rainbow Technologies\Sentinel
LM\7.1.0\English\Tools\lservrc"

License code: "0904167652371261"
 License Type              : Trial       Standalone
 Trial period              : 60
 Feature name              : "02"

 Max concurrent users      : Unlimited.
 Soft limit on users       : Unlimited.
 License start date        : Morning of Jul 1, 1998
 Expiration date           : Midnight of Jun 30, 2002

 Additive/exclusive        : Exclusive license (overrides additive licenses).
 Held licenses             : Allowed, hold time set by license.
 Token lifetime (heartbeat): 300 secs (5 min(s))
 Action on clock tamper    : No more fresh licenses will be issued.
---------------------

We see that this is a trial key valid for 60 days! So the trial part is actually built into the license and not into the program. We can now conclude that the Rainbow Trial is really a special time limited license. As a quick test, try removing the license file completely. Will the program still start up? No, instead we will get an error about missing licenses. Let's imagine now that Borland changed their license policy and no longer distributed 60 day trial versions. Instead a full version is available for download, and to enable it you will need a Computer ID (Sentinel dongle).
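The point of the lsdecode run is that the trial terms live in the license data, so a defender auditing a deployment should read them from the decoded license rather than from the comment line in lservrc (which, as the sample shows, says "Jun 31" while the decoded expiry is Jun 30). The following Python script is an added example, not part of the original essay and not an SDK tool: it splits an lservrc into comments and codes, tries to read the free-text expiry from the comment and reports it as unusable when the date is not a real date, then parses the lsdecode report into fields and summarizes whether the license is a trial, which feature it covers and whether it has expired as of a given day. Both inputs are constructed copies of the text quoted above; function names such as `audit_license` are my own.

```python
import re
from datetime import date, datetime

# Constructed sample: the lservrc shipped with the trial, as quoted in the essay.
LSERVRC = """#Lic for Delphi 5 RTM, expires on Jun 31, 2002
0904167652371261
"""

# Constructed sample: the lsdecode report quoted in the essay (raw string, the
# Windows path contains backslashes).
LSDECODE_OUTPUT = r"""     SentinelLM 7.1.0 License Decoding Utility
  Copyright (C) 2000 Rainbow Technologies, Inc.

Reading license codes from file: "C:\Program Files\Rainbow Technologies\Sentinel
LM\7.1.0\English\Tools\lservrc"

License code: "0904167652371261"
 License Type              : Trial       Standalone
 Trial period              : 60
 Feature name              : "02"

 Max concurrent users      : Unlimited.
 Soft limit on users       : Unlimited.
 License start date        : Morning of Jul 1, 1998
 Expiration date           : Midnight of Jun 30, 2002

 Additive/exclusive        : Exclusive license (overrides additive licenses).
 Held licenses             : Allowed, hold time set by license.
 Token lifetime (heartbeat): 300 secs (5 min(s))
 Action on clock tamper    : No more fresh licenses will be issued.
"""

DATE_RE = r"(\w{3} \d{1,2}, \d{4})"  # e.g. "Jun 30, 2002"


def parse_lservrc(text):
    """Split a license file into '#' comment lines and license codes (one per line)."""
    comments, codes = [], []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        (comments if line.startswith("#") else codes).append(line.lstrip("#").strip())
    return comments, codes


def comment_expiry(comment):
    """Read an 'expires on <Mon D, YYYY>' date from a free-text comment.
    Returns None when there is no parsable date: the comment is not authoritative."""
    m = re.search(r"expires on " + DATE_RE, comment)
    if not m:
        return None
    try:
        return datetime.strptime(m.group(1), "%b %d, %Y").date()
    except ValueError:  # e.g. "Jun 31" is not a real calendar date
        return None


def parse_lsdecode(text):
    """Return (license code, {field: value}) from an lsdecode report; only the
    'Name : value' lines after the 'License code:' line are taken as fields."""
    code, fields, in_report = None, {}, False
    for line in text.splitlines():
        m = re.match(r'License code:\s*"([^"]*)"', line)
        if m:
            code, in_report = m.group(1), True
            continue
        if not in_report:
            continue  # banner and file-name lines are skipped
        m = re.match(r"\s*(.+?)\s*:\s*(.*?)\s*$", line)
        if m:
            fields[m.group(1)] = m.group(2)
    return code, fields


def _decoded_date(value):
    """'Midnight of Jun 30, 2002' -> date(2002, 6, 30); None if no date present."""
    m = re.search(DATE_RE, value)
    return datetime.strptime(m.group(1), "%b %d, %Y").date() if m else None


def audit_license(lsdecode_text, today):
    """Summarize one decoded license: trial or not, feature, expiry, expired as of today.
    'today' may be a date or an ISO string such as '2000-11-22'."""
    if isinstance(today, str):
        today = date.fromisoformat(today)
    code, f = parse_lsdecode(lsdecode_text)
    kind = f.get("License Type", "").split()
    expires = _decoded_date(f.get("Expiration date", ""))
    return {
        "code": code,
        "feature": f.get("Feature name", "").strip('"'),
        "is_trial": "Trial" in kind,
        "standalone": "Standalone" in kind,
        "trial_days": int(f["Trial period"]) if "Trial period" in f else None,
        "expires": expires,
        "expired": expires is not None and today > expires,
    }


if __name__ == "__main__":
    comments, codes = parse_lservrc(LSERVRC)
    print("codes:", codes, "comment expiry:", comment_expiry(comments[0]))
    print(audit_license(LSDECODE_OUTPUT, "2000-11-22"))
```

Running it shows the comment's expiry is unparsable while the decoded license is a 60-day standalone trial for feature "02" expiring Jun 30, 2002; the trial status comes entirely from the license, which is the essay's conclusion.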

Would it still be "Rainbow Trials" then? No, since you would not be able to start up the program without that dongle. However, both versions (trial and dongled) would still use the Client Activator and still be encrypted by the SentinelLM Shell. The only difference is a small change in the settings used at license generation and program protection time. The target is working now. No more trial, no more expiring, and no more shaky patches which might make the program expire after a longer period of time.

Final Notes

SentinelLM has a big weakness: the only thing which prevents anyone from making licenses for other companies' products is the Vendor ID, and we just saw that it is very easy to find using the method above. Even lsdecode can be used for grabbing information out of existing licenses to make new ones. Finally, you don't call expiring FLEXlm licenses "GlobeTrotter Trials", and likewise you don't call SentinelLM Shelled executables "Rainbow Trials".

Ob Duh

Needless to say you know what is usually here :-). I'm sure you wouldn't dream of stealing this program anyway.