Sentinel License Manager Cracking
Cracking the Sentinel LM protected program MrSID GEOSPATIAL ENCODER V1.4 Desktop edition
22-Nov-2000
by CyberHeg
Courtesy of reverser's page of reverse engineering, slightly edited by +Tsehp
This essay helps in understanding how Sentinel LM is implemented. Methods of
extracting feature names, versions and Vendor IDs are shown.
There is a crack, a crack in everything
That's how the light gets in
Rating: ( )Beginner (X)Intermediate ( )Advanced ( )Expert
The target audience for this essay is reasonably experienced crackers who wish
to generate keys for Sentinel License Manager protected products.
Cracking a Sentinel License Manager target
Cracking the Sentinel LM protected program MrSID GEOSPATIAL ENCODER V1.4 Desktop edition
Written by CyberHeg
This program is protected by Sentinel LM. The program itself is of very little
interest, since what we want to explore is the LM part in it. One program would
be as good as another, since the method we will use works on many other programs
protected by Sentinel LM.
Understanding how FLEXlm works will help in understanding how Sentinel LM works,
since the two are implemented in a similar manner.
Tools required: a cracked version of wlscgen.exe (which is part of the Sentinel
LM SDK) or a meter key, IDA v4.04+, SoftICE v4.05 and the Sentinel LM FLIRT
signatures for IDA.
Target's URLs: www.lizardtech.com and www.rainbow.com
Program history: uncertain - this appears to be a descendant of the earlier
Sentinel License Manager and the Elan license manager. The licensing models
appear to come from the ancient "netls" package, but the key generation appears
to be totally different.
Sentinel LM uses features and version numbers just like FLEXlm. You can use a
Sentinel dongle called a Computer ID to lock license files to a specific host.
Locking by ID prom, IP address or network card ID is available too. There are
some ways in which Sentinel LM differs from FLEXlm, though. There are no hidden
seeds which the developer must provide, and you can't make an unlimited number of
licenses. Issuing of licenses is controlled by a meter key (a dongle with a
counter) for the license generator program, and once you have exhausted your key
you must buy a new one from Rainbow Technologies. Instead of hidden seeds,
Rainbow Technologies provides every company with a specific serial number for
use with the SDK. Once you run the installer it will tag all vendor specific
files, including the license generator wlscgen, with that serial. This serial
holds a special Vendor ID encoded in it, which supposedly makes it impossible to
make license keys for other vendors' products even if you have all the other
information required to make those licenses.
At least that is what they want people to believe.
License querying is done with the API call VLSrequestExt(). There are more calls
for use with both the license server and standalone operation, and with both
short license keys and extended ones. Here is the call we will make use of later:

    LS_STATUS_CODE VLSrequestExt (
        unsigned char *licenseSystem,
        unsigned char *publisherName,
        unsigned char *featureName,
        unsigned char *version,
        unsigned long *unitsReqd,
        unsigned char *logComment,
        LS_CHALLENGE *challenge,
        LS_HANDLE *lshandle,
        VLSserverInfo *serverInfo);

If any of these parameters are not used then a NULL pointer will be passed for
that parameter. If the request is valid, then LS_SUCCESS will be returned. If
the call fails, a non-zero error code will be returned, which can be looked up
in the SDK manual. A valid request is one where a valid license is available.
When license querying is done, the program has to find its Vendor ID code and
compare it with the one extracted from the license file. If they are not equal,
an error occurs: no license string matched the feature. This part was left
undocumented by Rainbow Technologies, so there was no other way than to try
things out and do a lot of debugging. It was found that the API call
ComputeVendorCode() is used to get the Vendor ID.
And now on with the real essay...
After installing the app you will want to run it to see how it behaves. We see
that the application starts up, then says it is missing a license file. Reading
the manual of this program tells us that it wants a dongle and a license key. So
by now we can already conclude that the license file should be a standalone
license. Since Sentinel LM is as flexible as FLEXlm, we will have no need for a
dongle once we are done. Trying out the Encode feature of this app shows the
missing license dialog again. Cancelling it gives a license error in the status
window, and we won't be able to encode a file. By breaking in SoftICE on the
dialog we discover that it comes from the file SIDEPro.Exe.
So let's look at it in IDA. Load this file and apply the Sentinel LM signatures.
We see that a great number of Sentinel functions are found. Once IDA is done we
start to look for the APIs mentioned in the previous section.
Here is what is found; by identifying the parameters we see the following:
00500FB3 loc_500FB3: ; CODE XREF: _LSRequest+2Aj
00500FB3 ; _LSRequest+2Ej
00500FB3 push 0 ; serverInfo
00500FB5 push [ebp+arg_1C] ; lshandle
00500FB8 push [ebp+arg_18] ; challenge
00500FBB push edi ; logComment
00500FBC push [ebp+arg_10] ; unitsReqd
00500FBF push [ebp+arg_C] ; version
00500FC2 push [ebp+arg_8] ; featureName
00500FC5 push [ebp+arg_4] ; publisherName
00500FC8 push esi ; licenseSystem
00500FC9 call _VLSrequestExt
00500FCE add esp, 24h
00500FD1 pop edi
00500FD2 pop esi
00500FD3 pop ebp
00500FD4 retn
00500FD4 _LSRequest endp
By making a map file and converting it for use with the symbol loader we see
that memory addresses are pushed on the stack. This matches our theory, since
it is pointers which are supposed to be passed to that license call. We can take
each address from the pushes and check them out individually. After that we
have a lot of good information. The following is found that way:
    feature name:   edesk
    version:        140
    units required: 1
    challenge:      null
So far so good. To be able to make valid licenses we also need to find the
Vendor ID for this program.
Breaking on _computeVendorCode will get us what we want. When we step out of the
call again we check the return code in EAX which is 0x237. This is the Vendor
ID.
Now we are ready to make our license.
First we make a new license using the info we found. To get both the feature
name and the version number in we need to make a long license key. It will be a
standalone key, floating, not locked to any dongle or IP. Next we need to mark
our version of wlscgen. This is done by breaking on the address 41f0c0 during
license generation and changing the value in memory using the edi pointer, as
described in Nolan Blender's essay. Once the key is generated we start the
program once more, run activation, enter the key, and the program gives us no
more errors.
Mission completed!
FLEXlm and Sentinel LM both have their strengths. Sentinel LM, however, has a
weakness: the only thing that keeps anyone from making licenses for other
companies' products is the Vendor ID, and as we just saw it is very easy to find
using the method above.
I won't even bother explaining to you that you should BUY this target
program if you intend to use it for a longer period than the allowed one. Should
you want to STEAL this software instead, you don't need to crack its protection
scheme at all: you'll find it on most Warez sites, complete and already regged,
farewell, don't come back.