Cracking the SentinelLM protected program MrSID GEOSPATIAL ENCODER v1.4 Desktop edition
The target audience for this essay is reasonably experienced crackers who wish to generate keys for Sentinel License Manager protected products.
This program is protected by SentinelLM. The program itself
is of very little interest, since we want to explore the LM part
in it. One program would be as good as another, since the method
we will use works on many other programs protected by SentinelLM.
Understanding how FLEXlm works will aid in understanding how SentinelLM
works, since they are implemented in a similar manner.
Tools used: a cracked version of Wlscgen.exe (part of the SentinelLM
SDK) or a meter key, IDA v4.04+, SoftICE v4.05 and the SentinelLM
FLIRT signatures for IDA.
Related URLs: http://www.lizardtech.com
and http://www.rainbow.com
Program history: uncertain. This appears to be a descendant of the earlier
Sentinel License Manager and the Elan license manager. The licensing
models appear to come from the ancient "netls" package, but the key
generation appears to be totally different.
SentinelLM uses features and version numbers just like FLEXlm. You can use a Sentinel dongle called a Computer ID to lock license files to a specific host. Locking by ID PROM, IP address or network card ID is available too. There are some ways in which SentinelLM differs from FLEXlm, though. There are no hidden seeds which the developer must provide, and you can't make an unlimited number of licenses. Issuing of licenses is controlled by a meter key (a dongle with a counter) for the license generator program, and once you have exhausted your key you must buy a new one from Rainbow Technologies.
Instead of hidden seeds, Rainbow Technologies provides every company with a specific serial number for use with the SDK. Once you run the installer it will tag all vendor-specific files, including the license generator Wlscgen.exe, with that serial. This serial holds an encoded Vendor ID, which is supposed to make it impossible to make license keys for other vendors' products even if you have all the other information required to make those licenses. At least, that is what they want people to believe.
License querying is done with the API VLSrequestExt(). There are further calls covering license-server and standalone operation, and short and extended license keys. Here is the one we will make use of later:
LS_STATUS_CODE VLSrequestExt(
    unsigned char *licenseSystem,
    unsigned char *publisherName,
    unsigned char *featureName,
    unsigned char *version,
    unsigned long *unitsReqd,
    unsigned char *logComment,
    LS_CHALLENGE  *challenge,
    LS_HANDLE     *lshandle,
    VLSserverInfo *serverInfo);
For any parameter that is not used, a NULL pointer is passed in its place. If the request is valid, LS_SUCCESS is returned. If the call fails, a non-zero error code is returned, which can be looked up in the SDK manual. A valid request is one for which a valid license is available.
When license querying is done, the program has to find its Vendor ID code and compare it with the one extracted from the license file. If they are not equal, an error occurs: no license string matched the feature. This part was left undocumented by Rainbow Technologies, so the only way to find it was trial and error and a lot of debugging. It turned out that the API ComputeVendorCode() is used to get the Vendor ID.
And now on with the real essay...
After installing the app you will want to run it to see how it behaves. We see that the application starts up, then says it is missing a license file. Reading the manual of this program tells us that it wants a dongle and a license key. So by now we can already conclude that the license file should be a standalone license. Since SentinelLM is as flexible as FLEXlm, we will have no need for a dongle once we are done. Trying out the Encode feature of this app shows the missing-license dialog again. Cancelling it gives a license error in the status window, and we won't be able to encode a file. By breaking in SoftICE on the dialog we discover that it comes from the file SIDEPro.Exe.
So let's look at it in IDA. Load this file and apply the SentinelLM signatures. We see that a great number of Sentinel functions are found. Once IDA is done we start to look for the APIs mentioned in the previous section. Here is what is found, and by identifying the parameters we see the following:
:00500FB3 loc_500FB3: ; CODE XREF: _LSRequest+2Aj
:00500FB3 ; _LSRequest+2Ej
:00500FB3 push 0 ; serverInfo
:00500FB5 push [ebp+arg_1C] ; lshandle
:00500FB8 push [ebp+arg_18] ; challenge
:00500FBB push edi ; logComment
:00500FBC push [ebp+arg_10] ; unitsReqd
:00500FBF push [ebp+arg_C] ; version
:00500FC2 push [ebp+arg_8] ; featureName
:00500FC5 push [ebp+arg_4] ; publisherName
:00500FC8 push esi ; licenseSystem
:00500FC9 call _VLSrequestExt
:00500FCE add esp, 24h
:00500FD1 pop edi
:00500FD2 pop esi
:00500FD3 pop ebp
:00500FD4 retn
:00500FD4 _LSRequest endp
By making a map file and converting it for use with the symbol loader, we see that memory addresses are pushed on the stack. This matches our expectation, since the license call takes pointers. We can take each address from the pushes and inspect it individually, which yields a lot of useful information. The following is found that way:
feature name: edesk
version: 140
units required: 1
challenge: null
So far so good. To be able to make valid licenses we also need to find the Vendor ID for this program. Breaking on _computeVendorCode gets us what we want. When we step out of the call again we check the return value in EAX, which is 0x237. This is the Vendor ID. Now we are ready to make our license.
First we make a new license using the information we found. To get both the feature and the version number we need to make a long license key. It will be a standalone, floating key, not locked to any dongle or IP address. Now we need to mark our version of Wlscgen. This is done by breaking on the address 41F0C0 at license generation and changing the value in memory using the EDI pointer, as described in Nolan Blender's essay. Once the key is generated we start the program once more, run activation and enter the key, and the program gives us no more errors. Mission completed!
FLEXlm and SentinelLM each have their strengths. SentinelLM, however,
has a weakness: the only thing that stops anyone from making
licenses for other companies' products is the Vendor ID, and
as we just saw it is very easy to find using the method above.