Cracking the Sentinel LM protected program MrSID GEOSPATIAL ENCODER V1.4 Desktop edition

by +Tsehp
fra_00xx 98xxxx handle 1100 NA PC
This program is protected by Sentinel LM. The program itself is of very little interest, since what we want to explore is the LM part of it. One program would do as well as another, since the method we will use works on many other programs protected by Sentinel LM. Understanding how FLEXlm works will help in understanding how Sentinel LM works, since they are implemented in a similar manner.
Sentinel LM uses features and version numbers just like FLEXlm. You can use a Sentinel dongle called a Computer ID to lock license files to a specific host; locking by ID PROM, IP address or network card ID is available too. There are some ways Sentinel LM differs from FLEXlm, though. There are no hidden seeds which the developer must provide, and you can't make an unlimited number of licenses. Issuing of licenses is controlled by a meter key (a dongle with a counter) for the license generator program, and once you have exhausted your key you must buy a new one from Rainbow Technologies. Instead of hidden seeds, Rainbow Technologies provides every company with a specific serial number for use with the SDK. Once you run the installer it tags all vendor-specific files, including the license generator wlscgen, with that serial. This serial holds a special Vendor ID encoded in it, which supposedly makes it impossible to make license keys for other vendors' products even if you have all the required information to make those licenses. At least that is what they want people to believe.

License querying is done with the API VLSrequestExt(). There are more calls for use with license servers, standalone licenses, short license keys and extended ones. Here is the one we will make use of later:

    LS_STATUS_CODE VLSrequestExt(
        unsigned char *licenseSystem,
        unsigned char *publisherName,
        unsigned char *featureName,
        unsigned char *version,
        unsigned long *unitsReqd,
        unsigned char *logComment,
        LS_CHALLENGE  *challenge,
        LS_HANDLE     *lshandle,
        VLSserverInfo *serverInfo);

If any of these parameters is not used, a NULL pointer is passed for it. If the request is valid, LS_SUCCESS is returned. If the call fails, a non-zero error code is returned, which can be looked up in the SDK manual. A valid request is one where a valid license is available.
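To make the decision behind VLSrequestExt() concrete, here is a small model of a standalone license lookup. It is an added example written for this page, not Sentinel LM's own code: the license-record layout, the non-zero error-code values and the exact order of the checks are assumptions; the parameter names, LS_SUCCESS, the host-locking options and the Vendor ID comparison (which the next section explains the program also performs, via ComputeVendorCode()) come from the essay.

```python
"""Simplified model of the decision VLSrequestExt() makes for a standalone license.

Added example, not Sentinel LM's own implementation: the record layout, the
error-code values and the check order are assumptions chosen to give the
behaviour described in the essay a concrete shape.
"""
from dataclasses import dataclass

LS_SUCCESS = 0
# Constructed error codes; the real values are the ones in the SDK manual.
LS_NO_LICENSE_FOR_FEATURE = 1   # "no license string matched the feature"
LS_HOST_MISMATCH = 2            # license locked to another Computer ID / IP / NIC
LS_INSUFFICIENT_UNITS = 3


@dataclass(frozen=True)
class LicenseRecord:
    """One license string as the lookup sees it after parsing (layout assumed)."""
    feature: str
    version: str
    vendor_id: int
    units: int            # units this license can grant
    locked_to: str = ""   # "" = floating; otherwise a host identifier


def compute_vendor_code():
    """Stand-in for ComputeVendorCode(): the Vendor ID is a constant inside the
    protected binary (0x237 is the value the essay recovered for SIDEPro)."""
    return 0x237


def request_ext(licenses, feature_name, version, units_reqd, host_id=""):
    """Model of VLSrequestExt(): LS_SUCCESS when a matching license can grant
    the request, otherwise a non-zero error code.

    `version` may be None, mirroring a NULL pointer passed for an unused
    parameter; any version of the feature is then accepted.
    """
    vendor = compute_vendor_code()
    # A license string matches only if feature, version (when given) and
    # Vendor ID all agree. A Vendor ID mismatch is reported exactly like
    # having no license for the feature at all.
    matching = [
        rec for rec in licenses
        if rec.feature == feature_name
        and (version is None or rec.version == version)
        and rec.vendor_id == vendor
    ]
    if not matching:
        return LS_NO_LICENSE_FOR_FEATURE
    # Floating licenses are usable anywhere; locked ones only on their host.
    usable = [rec for rec in matching if rec.locked_to in ("", host_id)]
    if not usable:
        return LS_HOST_MISMATCH
    if max(rec.units for rec in usable) < units_reqd:
        return LS_INSUFFICIENT_UNITS
    return LS_SUCCESS


# Constructed sample licenses: a floating "edesk" 140 key with one unit, and a
# host-locked key carrying a different Vendor ID that must never match.
SAMPLE_LICENSES = [
    LicenseRecord("edesk", "140", 0x237, units=1),
    LicenseRecord("edesk", "140", 0x238, units=10, locked_to="HOST-A"),
]

if __name__ == "__main__":
    print("edesk/140/1 unit ->", request_ext(SAMPLE_LICENSES, "edesk", "140", 1))
    print("edesk/141/1 unit ->", request_ext(SAMPLE_LICENSES, "edesk", "141", 1))
```

The model makes the essay's closing point visible: compute_vendor_code() returns a constant that lives inside the protected binary, so the equality test binds licenses to a vendor only as long as that constant stays unknown, and the error it produces on a mismatch is indistinguishable from a missing feature.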
When license querying is done, the program has to find its Vendor ID code and compare it with the one extracted from the license file. If they are not equal, an error occurs: no license string matched the feature. This part was left undocumented by Rainbow Technologies, so there was no way around trying things out and doing a lot of debugging. It was found that the API ComputeVendorCode() is used to get the Vendor ID.

And now on with the real essay...

After installing the app you will want to run it to see how it behaves. We see that the application starts up, then says it is missing a license file. Reading the manual of this program tells us that it wants a dongle and a license key. So by now we can already conclude that the license file should be a standalone license. Since Sentinel LM is as flexible as FLEXlm, we will have no need for a dongle once we are done. Trying out the Encode feature of this app shows the missing-license dialog again. Cancelling it, however, gives a license error in the status window, and we won't be able to encode a file. By breaking in SoftICE on the dialog we discover that it comes from the file SIDEPro.Exe. So let's look at it in IDA. Load this file and apply the Sentinel LM signatures. We see that a great number of Sentinel functions are found. Once IDA is done we start to look for those APIs mentioned in the previous section.
Here is what is found, and by identifying the parameters we see the following:

    00500FB3 loc_500FB3:                 ; CODE XREF: _LSRequest+2Aj
    00500FB3                             ; _LSRequest+2Ej
    00500FB3 push    0                   ; serverInfo
    00500FB5 push    [ebp+arg_1C]        ; lshandle
    00500FB8 push    [ebp+arg_18]        ; challenge
    00500FBB push    edi                 ; logComment
    00500FBC push    [ebp+arg_10]        ; unitsReqd
    00500FBF push    [ebp+arg_C]         ; version
    00500FC2 push    [ebp+arg_8]         ; featureName
    00500FC5 push    [ebp+arg_4]         ; publisherName
    00500FC8 push    esi                 ; licenseSystem
    00500FC9 call    _VLSrequestExt
    00500FCE add     esp, 24h
    00500FD1 pop     edi
    00500FD2 pop     esi
    00500FD3 pop     ebp
    00500FD4 retn
    00500FD4 _LSRequest endp

By making a map file and converting it for use with the symbol loader we see that memory addresses are pushed on the stack. This matches our theory, since pointers are supposed to be passed to that license call. We can get each address out of the pushes and check them out individually. After that we have a lot of good information. The following is found that way:

    feature name:   edesk
    version:        140
    units required: 1
    challenge:      null

So far so good. To be able to make valid licenses we also need to find the Vendor ID for this program. Breaking on _computeVendorCode gets us what we want. When we step out of the call again we check the return code in EAX, which is 0x237. This is the Vendor ID.

Now we are ready to make our license. First we make a new license using the info we found. To get both feature and version number we need to make a long license key. It will be a standalone key, floating, not locked to any dongle or IP. Now we need to mark our version of wlscgen. This is done by breaking on the address 41f0c0 during license generation and changing the value in memory using the edi pointer, as described in Nolan Blender's essay. Once generated we start the program once more, run activation, enter the key, and the program gives us no more errors. Mission completed!
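The parameter identification done by hand above can be mechanised, which is useful when the same pattern has to be checked in dozens of call sites. The following Python script is an added example written for this page (it is not part of the essay, and not IDA's or Sentinel LM's code): it parses the _LSRequest listing quoted above, uses the cdecl right-to-left push order to assign each push to a VLSrequestExt parameter, verifies that the caller's `add esp, 24h` cleans up exactly nine dword arguments, and cross-checks the result against the comments IDA attached from the applied signature. The listing text and the parameter order are copied from this page; the function names and the regular expression are assumptions of the example.

```python
"""Recover a cdecl call's argument list from an IDA-style listing.

Added example, not from the essay or from IDA.  On 32-bit x86 cdecl the
caller pushes arguments right-to-left, so the last push before `call` is the
first parameter, and the caller's `add esp, N` after the call must equal
4 * (number of dword arguments).  Checking that equality is how you notice a
push that actually belongs to a different call, or a callee that is not cdecl.
"""
import re

# Sample input: the listing from the essay, embedded as constructed test data
# (addresses, operands and IDA comments as printed on the page).
LISTING = """\
00500FB3 loc_500FB3: ; CODE XREF: _LSRequest+2Aj
00500FB3 ; _LSRequest+2Ej
00500FB3 push 0 ; serverInfo
00500FB5 push [ebp+arg_1C] ; lshandle
00500FB8 push [ebp+arg_18] ; challenge
00500FBB push edi ; logComment
00500FBC push [ebp+arg_10] ; unitsReqd
00500FBF push [ebp+arg_C] ; version
00500FC2 push [ebp+arg_8] ; featureName
00500FC5 push [ebp+arg_4] ; publisherName
00500FC8 push esi ; licenseSystem
00500FC9 call _VLSrequestExt
00500FCE add esp, 24h
00500FD1 pop edi
00500FD2 pop esi
00500FD3 pop ebp
00500FD4 retn
00500FD4 _LSRequest endp
"""

# VLSrequestExt parameters in declaration order, from the prototype quoted
# in the essay.
VLSREQUESTEXT_PARAMS = [
    "licenseSystem", "publisherName", "featureName", "version",
    "unitsReqd", "logComment", "challenge", "lshandle", "serverInfo",
]

# address, instruction text, optional "; comment"
LINE_RE = re.compile(r"^(?P<addr>[0-9A-Fa-f]{8})\s+(?P<text>.*?)\s*(?:;\s*(?P<comment>.*))?$")


def parse_listing(text):
    """Yield (address, mnemonic, operand, comment) for each instruction line.

    Label lines, comment-only lines and the `endp` line are skipped.
    """
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        body = m.group("text").strip()
        if not body or body.endswith(":") or body.endswith("endp"):
            continue
        mnemonic, _, operand = body.partition(" ")
        yield m.group("addr"), mnemonic.lower(), operand.strip(), (m.group("comment") or "").strip()


def stack_cleanup(instrs):
    """Return N from the first `add esp, N` in instrs (0 if there is none)."""
    for _addr, mnem, operand, _comment in instrs:
        if mnem == "add" and operand.lower().startswith("esp,"):
            imm = operand.split(",", 1)[1].strip().lower()
            return int(imm[:-1], 16) if imm.endswith("h") else int(imm, 0)
    return 0


def recover_call_args(text, callee, param_names):
    """Map the pushes preceding `call callee` onto param_names.

    Returns {param_name: pushed operand}.  Raises ValueError when the push
    count or the caller's stack cleanup disagrees with the prototype.
    """
    instrs = list(parse_listing(text))
    call_at = next((i for i, ins in enumerate(instrs) if ins[1] == "call" and ins[2] == callee), None)
    if call_at is None:
        raise ValueError(f"no call to {callee} in listing")
    pushes = [ins[2] for ins in instrs[:call_at] if ins[1] == "push"]
    if len(pushes) != len(param_names):
        raise ValueError(f"{len(pushes)} pushes for {len(param_names)} parameters")
    cleanup = stack_cleanup(instrs[call_at + 1:])
    if cleanup != 4 * len(pushes):
        raise ValueError(f"add esp, {cleanup:#x} does not clean up {len(pushes)} dwords")
    # Pushes happen right-to-left, so reverse them to get declaration order.
    return dict(zip(param_names, reversed(pushes)))


def ida_comments_agree(text, callee, param_names):
    """True when IDA's per-push comments (from the applied signature) name the
    same parameters that the push-order analysis assigns."""
    assigned = {op: name for name, op in recover_call_args(text, callee, param_names).items()}
    pushes = [ins for ins in parse_listing(text) if ins[1] == "push"]
    return all(comment == assigned[op] for _a, _m, op, comment in pushes if comment)


if __name__ == "__main__":
    for name, operand in recover_call_args(LISTING, "_VLSrequestExt", VLSREQUESTEXT_PARAMS).items():
        print(f"{name:14s} <- {operand}")
    print("IDA comments agree:", ida_comments_agree(LISTING, "_VLSrequestExt", VLSREQUESTEXT_PARAMS))
```

Running it prints `serverInfo <- 0` for the NULL pointer and `challenge <- [ebp+arg_18]` for the pointer the essay later reads as null, which is the same table the essay builds by hand before checking each address in the debugger.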
FLEXlm and Sentinel LM both have their strengths. Sentinel LM, however, has a weakness: the only thing that stops anyone from making licenses for other companies' products is the Vendor ID, and as we just saw it is very easy to find with the method above.