Sentinel License Manager Cracking
Cracking the Sentinel LM protected program MrSID GEOSPATIAL ENCODER V1.4 Desktop edition
 
22-Nov-2000
by CyberHeg
Courtesy of Fravia's page of reverse engineering
slightly edited
by +Tsehp
This essay is helpful in understanding how SentinelLM is implemented. Methods of extracting feature names, versions, and Vendor IDs are shown.
There is a crack, a crack in everything That's how the light gets in
Rating
( )Beginner (X)Intermediate ( )Advanced ( )Expert

The target audience for this essay is reasonably experienced crackers who wish to generate keys for Sentinel License Manager protected products.
Cracking a Sentinel License Manager target
Cracking the Sentinel LM protected program MrSID GEOSPATIAL ENCODER V1.4 Desktop edition
Written by CyberHeg


Introduction
This program is protected by Sentinel LM. The program itself is of very little 
interest since what we want to explore is the LM part of it. One program is as 
good as another, since the method we will use works on many other programs 
protected by Sentinel LM.



Understanding how FLEXlm works will aid in understanding how Sentinel LM works, 
since they are implemented in a similar manner.



Tools required
A cracked version of Wlscgen.exe (the license generator that is part of the Sentinel LM SDK) or a meter key, IDA v4.04+, SoftICE v4.05 and the Sentinel LM FLIRT signatures for IDA.

Target's URL/FTP
www.lizardtech.com and www.rainbow.com

Program History
Uncertain. This appears to be a descendant of the earlier Sentinel License Manager and the Elan license manager. The licensing models appear to come from the ancient "netls" package, but the key generation appears to be totally different.

Essay
Sentinel LM uses features and version numbers just like FLEXlm. You can use a 
Sentinel dongle called a Computer ID to lock license files to a specific host. 
Locking by ID PROM, IP address or network card ID is available too. There are 
some ways Sentinel LM differs from FLEXlm, though. There are no hidden seeds 
which the developer must provide, and you can't make an unlimited number of 
licenses. Issuing of licenses is controlled by a meter key (a dongle with a 
counter) for the license generator program, and once you have exhausted your key 
you must buy a new one from Rainbow Technologies. Instead of hidden seeds, 
Rainbow Technologies provides every company with a specific serial number for use 
with the SDK. Once you run the installer it will tag all vendor-specific files, 
including the license generator Wlscgen, with that serial. This serial has a 
Vendor ID encoded in it, which supposedly makes it impossible to make license 
keys for other vendors' products even if you have all the other information 
required to make those licenses.
At least that is what they want people to believe.

License querying is done with the API VLSrequestExt(). There are further calls
covering the license server and standalone cases, and short as well as extended license keys.

Here is one of these calls which we will make use of later:

LS_STATUS_CODE VLSrequestExt (
	unsigned char *licenseSystem,
	unsigned char *publisherName,
	unsigned char *featureName,
	unsigned char *version,
	unsigned long *unitsReqd,
	unsigned char *logComment,
	LS_CHALLENGE *challenge,
	LS_HANDLE *lshandle,
	VLSserverInfo *serverInfo);

If any of these parameters is not used, a NULL pointer is passed for that
parameter. If the request is valid, LS_SUCCESS is returned. If the call fails,
a non-zero error code is returned, which can be looked up in the SDK manual.
A valid request is one for which a valid license is available.

While license querying is done, the program has to compute its own Vendor ID and
compare it with the one extracted from the license file. If they are not equal,
an error occurs: no license string matched the feature. This part was left
undocumented by Rainbow Technologies, so there was no other way than to
experiment and do a lot of debugging. It was found that the API
ComputeVendorCode() is used to get the Vendor ID.

And now on with the real essay...

After installing the app you will want to run it to see how it behaves. We see 
that the application starts up, then says it is missing a license file. Reading 
the manual of this program tells us that it wants a dongle and a license key. So 
by now we can already conclude that the license file should be a standalone 
license. Since Sentinel LM is as flexible as FLEXlm, we will have no need for a 
dongle once we are done. Trying out the Encode feature of this app shows the 
missing-license dialog again. Cancelling it gives a license error in the status 
window, and we won't be able to encode a file. By breaking in SoftICE on the 
dialog we discover that it comes from the file SIDEPro.Exe.

So let's look at it in IDA. Load this file and apply the Sentinel LM signatures. 
We see that a great number of Sentinel functions are found. Once IDA is done 
we start to look for the APIs mentioned in the previous section.

Here is what is found and by identifying the parameters we see the following:

00500FB3 loc_500FB3:                     ; CODE XREF: _LSRequest+2Aj
00500FB3                                 ; _LSRequest+2Ej
00500FB3             push 0              ; serverInfo
00500FB5             push [ebp+arg_1C]   ; lshandle
00500FB8             push [ebp+arg_18]   ; challenge
00500FBB             push edi            ; logComment
00500FBC             push [ebp+arg_10]   ; unitsReqd
00500FBF             push [ebp+arg_C]    ; version
00500FC2             push [ebp+arg_8]    ; featureName
00500FC5             push [ebp+arg_4]    ; publisherName
00500FC8             push esi            ; licenseSystem
00500FC9             call _VLSrequestExt
00500FCE             add  esp, 24h
00500FD1             pop  edi
00500FD2             pop  esi
00500FD3             pop  ebp
00500FD4             retn
00500FD4 _LSRequest  endp

By making a map file and converting it for use with the Symbol Loader, we can 
break on this call in SoftICE and see that memory addresses are pushed on the 
stack. This matches our theory, since it is pointers that are passed to that 
license call. We take each address out of the pushes and inspect what it points 
to individually. After that we have a lot of good information:

The following will be found that way:

feature name: edesk
version: 140
units required: 1
challenge: null
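The step just described (walk the pushes that feed the VLSrequestExt call, pair them with the prototype given earlier, and dereference the pointer arguments to recover feature name, version and unit count) can be scripted. The following Python is an added example, not code from the essay or from Rainbow's SDK. It decodes a handful of x86 push forms by hand (no disassembler library assumed), and runs against a constructed flat image mapped at 0x00500000 in which the string and unit-count arguments are pushed as immediates so they can be resolved statically; the publisher name "ACME", the licenseSystem string "LS", the lshandle address 0x501100 and the callee address 0x500800 are invented for the sample. Arguments that come from a register or from the caller's stack frame, as in the real SIDEPro.Exe listing, are reported as unresolved so you know which ones still need a debugger.

```python
import struct

# Parameter names of VLSrequestExt in prototype order (from the prototype quoted above).
VLS_PARAMS = ("licenseSystem", "publisherName", "featureName", "version",
              "unitsReqd", "logComment", "challenge", "lshandle", "serverInfo")
STRING_PARAMS = {"licenseSystem", "publisherName", "featureName", "version", "logComment"}


class Image:
    """Flat memory image at a fixed base address (constructed stand-in for a mapped PE)."""
    def __init__(self, base, size):
        self.base = base
        self.mem = bytearray(size)

    def write(self, va, data):
        off = va - self.base
        self.mem[off:off + len(data)] = data

    def read_cstr(self, va, limit=256):
        off = va - self.base
        return self.mem[off:self.mem.index(b"\x00", off, off + limit)].decode("ascii")

    def read_u32(self, va):
        return struct.unpack_from("<I", self.mem, va - self.base)[0]


def decode_call_args(img, va):
    """Collect the pushes preceding a cdecl call starting at va.

    Handles the forms seen around the VLSrequestExt call site:
      6A ib      push imm8      68 id      push imm32
      50+r       push r32       FF 75 ib   push [ebp+disp8]
      E8 rel32   call
    Returns (pushes in push order, call target)."""
    regs = ("eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi")
    pushes, pc = [], va
    while True:
        off = pc - img.base
        op = img.mem[off]
        if op == 0x6A:                      # push imm8, sign-extended to 32 bits
            pushes.append(("imm", struct.unpack_from("<b", img.mem, off + 1)[0] & 0xFFFFFFFF)); pc += 2
        elif op == 0x68:                    # push imm32 (typically an offset to data)
            pushes.append(("imm", img.read_u32(pc + 1))); pc += 5
        elif 0x50 <= op <= 0x57:            # push r32: value only known at run time
            pushes.append(("reg", regs[op - 0x50])); pc += 1
        elif op == 0xFF and img.mem[off + 1] == 0x75:   # push [ebp+disp8]: caller's argument
            pushes.append(("stack", struct.unpack_from("<b", img.mem, off + 2)[0])); pc += 3
        elif op == 0xE8:                    # call rel32 ends the argument sequence
            rel = struct.unpack_from("<i", img.mem, off + 1)[0]
            return pushes, (pc + 5 + rel) & 0xFFFFFFFF
        else:
            raise ValueError("unsupported opcode %02x at %08x" % (op, pc))


def recover_vlsrequest_args(img, call_site):
    """Map the pushes to VLSrequestExt parameters and dereference what can be read statically."""
    pushes, _target = decode_call_args(img, call_site)
    if len(pushes) != len(VLS_PARAMS):
        raise ValueError("expected %d pushes, found %d" % (len(VLS_PARAMS), len(pushes)))
    # cdecl pushes right to left: the last push is the first parameter.
    result = {}
    for name, (kind, val) in zip(VLS_PARAMS, reversed(pushes)):
        if kind == "reg":
            result[name] = "<%s>" % val                 # needs a breakpoint to read
        elif kind == "stack":
            result[name] = "<[ebp%+d]>" % val           # supplied by the caller
        elif val == 0:
            result[name] = None                         # NULL: parameter unused
        elif name in STRING_PARAMS:
            result[name] = img.read_cstr(val)
        elif name == "unitsReqd":
            result[name] = img.read_u32(val)            # unsigned long *, read the count
        else:
            result[name] = val                          # struct pointers: report the address
    return result


def build_sample_image():
    """Constructed sample: the call sequence from the listing, with immediates instead of arg_N."""
    img = Image(0x00500000, 0x2000)
    for va, s in ((0x501000, b"edesk\0"), (0x501010, b"140\0"),
                  (0x501020, b"ACME\0"), (0x501030, b"LS\0")):
        img.write(va, s)
    img.write(0x501040, struct.pack("<I", 1))           # *unitsReqd == 1
    def push_imm32(va): return b"\x68" + struct.pack("<I", va)
    code = (b"\x6A\x00"                                 # push 0            ; serverInfo
            + push_imm32(0x501100)                      # push offset       ; lshandle
            + b"\x6A\x00"                               # push 0            ; challenge
            + b"\x57"                                   # push edi          ; logComment
            + push_imm32(0x501040)                      # push offset       ; unitsReqd
            + push_imm32(0x501010)                      # push offset "140" ; version
            + push_imm32(0x501000)                      # push offset "edesk"; featureName
            + push_imm32(0x501020)                      # push offset "ACME"; publisherName
            + push_imm32(0x501030))                     # push offset "LS"  ; licenseSystem
    call_site, target = 0x500FB3, 0x500800
    code += b"\xE8" + struct.pack("<i", target - (call_site + len(code) + 5))  # call _VLSrequestExt
    img.write(call_site, code)
    return img, call_site


if __name__ == "__main__":
    image, site = build_sample_image()
    for k, v in recover_vlsrequest_args(image, site).items():
        print("%-14s %r" % (k, v))
```

On the real target the string arguments arrive via `[ebp+arg_N]`, so the script would report them as unresolved and you would follow the essay's route of breaking on the call in SoftICE and dumping the pointed-to memory; the static path above is what you get when the caller has the offsets inline.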

So far so good. To be able to make valid licenses we also need to find the 
Vendor ID for this program.

Breaking on _computeVendorCode gets us what we want. When we step out of the 
call we check the return value in EAX, which is 0x237. This is the Vendor 
ID.

Now we are ready to make our license.

First we make a new license using the information we found. To get both the feature 
name and the version number in we need to make a long license key. It will be a 
standalone, floating key, not locked to any dongle or IP. Now we need to tag our 
copy of Wlscgen with this Vendor ID. This is done by breaking on the address 41f0c0 
during license generation and changing the value in memory through the edi pointer, 
as described in Nolan Blender's essay. Once the key is generated we start the program 
once more, run the activation, enter the key, and the program gives us no more errors.
Mission completed!


Final Notes
FLEXlm and Sentinel LM both have their strengths. Sentinel LM however has a 
weakness: the only thing which keeps anyone from making licenses for another 
company's product is the Vendor ID, and as we just saw it is very easy to find 
using the method above.



Ob Duh
I won't even bother explaining to you that you should BUY this target program if you intend to use it for a longer period than the allowed one. Should you want to STEAL this software instead, you don't need to crack its protection scheme at all: you'll find it on most Warez sites, complete and already regged, farewell, don't come back.
