Cracking the Sentinel LM protected program Delphi v5.0 trial |
by +Tsehp |
| fra_00xx 98xxxx handle 1100 NA PC |
Simple, easy to apply and working also with inprise's c++ builder 5. Tsehp |
Using the essay "Rainbow trials Delphi five enterprise trial edition by macilaci" as background, we will study an easier and better method than patching for making this program work.
Sentinel LM licensing is very similar to FLEXlm. It also has both features and
version numbers which are needed in order to make licenses. Instead of seed codes
each vendor gets a Vendor ID which is encoded into the installation serial of
the SDK.
This Vendor ID is the return value of the function computevendorcode() which is
built into every application.
There are 2 ways for a developer to protect a program - the custom API
implementation or the Sentinel LM Shell. With custom implementation you add the
protection directly into the source code, while with the Shell the file(s) will
get packed and a shell will surround them. With the Shell there exists a Client
Activator which is a vbox type screen. With this protection you have access to
various options that allow end users to try out the program, such as demo mode,
time limited trial, or the option to unlock the program completely by supplying
a valid license code. SentinelLM is very easy to adjust for your needs.
When running the Delphi installer we see that it wants a serial number to get
the installation going. I won't comment on this as it is not really interesting for
this project. Either fix it yourself or read in macilaci's or Nolan Blender's
essay how it can be done.
After installation we run the program which starts up the executable -
delphi32.exe. It will show up with a Vbox type screen - the Client Activator.
You have the option to try out the program and doing so will of course start up
the real program. As macilaci also concluded this program is packed and since
it uses Client Activator too we know by now that Sentinel LM Shell was used as
the protection.
Loading the program with filemon running in the background shows that it reads
the file lservrc before the Client Activator shows up. This is not really
surprising as the default filename of the SentinelLM license file is lservrc.
Opening the file with notepad gave me this result:
---------------------
#Lic for Delphi 5 RTM, expires on Jun 31, 2002
0904167652371261
---------------------
We see here that it uses some kind of license file. We will explore the key
later but for now we will only concentrate on the necessary info needed to make
a new license file. Looking at this key shows that it's encrypted as we can't see
any meaningful info in those numbers. It is a short key, since a long key would be
about 3 times the length and standalone.
Reading the Sentinel LM SDK manual we know that short keys are checked
out by the api LSRequest().
Here is the description of LSRequest():
LS_STATUS_CODE LSRequest (
unsigned char *licenseSystem,
unsigned char *publisherName,
unsigned char *featureName,
unsigned char *version,
unsigned long *unitsReqd,
unsigned char *logComment,
LS_CHALLENGE *challenge,
LS_HANDLE *lshandle);
We now disassemble the delphi32.exe using IDA and apply the static flirt sig.
Once it's done we will see that the sig identified many functions. We
now make a map and convert it for use with symbol loader and we are ready to
explore.
By setting a breakpoint on _LSRequest we will see it break a few times.
Here is one of the queries explained:
00493130 mov edx, [eax]
00493132 push edx ; *lshandle
00493133 mov edx, [eax+4]
00493136 push edx ; *challenge
00493137 mov edx, [eax+8]
0049313A push edx ; *logComment
0049313B mov edx, [eax+0Ch]
0049313E push edx ; *unitsReqd
0049313F mov edx, [eax+10h]
00493142 push edx ; *version
00493143 mov edx, [eax+14h]
00493146 push edx ; *featureName
00493147 mov edx, [eax+18h]
0049314A push edx ; *publisherName
0049314B mov eax, [ebx]
0049314D push eax ; *licenseSystem
0049314E call dword ptr [ecx] ; _LSRequest
By checking out what gets pushed onto the stack we will see that most of the
variables are NULL pointers. This is because short licenses have fewer options to
choose from.
By doing so with all of the license queries we will get the features "02" and "45".
Now we need to find the Vendor ID otherwise our licenses won't have the ID of the
program. The licenses require the same Vendor ID as the program in order to
work.
We set a breakpoint on _computevendorcode and run the program once more.
The return code in eax is 0x9CF and this is the Vendor ID for this program/company.
Now we have all the information needed to make licenses with Wlscgen.
I explained most of the license details above and of course we choose to make it
non-expiring and non-nodelocked. Using the edi pointer at 41F0C0 at the license
generation stage (described more carefully in an essay by Nolan Blender) we can
tie our licenses to the specific Vendor ID.
We now have two license keys which we place in lservrc, and we remove the
original one. Run the program again and we will see that both _LSRequest calls
give a return code of zero as required, meaning LS_SUCCESS. But now we won't
see the Client Activator anymore. Why? It should come up if it was a trial
version, shouldn't it?
Let's explore the license key which was supplied. In the Sentinel LM SDK there is
a program named lsdecode which is used for license decoding. It does not show
all information, like Challenge/response and Vendor ID, as this could be abused
even by someone with no skills, but for our needs it is sufficient. Let's run this on
the key which was already supplied by Borland:
---------------------
SentinelLM 7.1.0 License Decoding Utility
Copyright (C) 2000 Rainbow Technologies, Inc.
Reading license codes from file: "C:\Program Files\Rainbow Technologies\Sentinel
LM\7.1.0\English\Tools\lservrc"
License code: "0904167652371261"
License Type : Trial Standalone
Trial period : 60
Feature name : "02"
Max concurrent users : Unlimited.
Soft limit on users : Unlimited.
License start date : Morning of Jul 1, 1998
Expiration date : Midnight of Jun 30, 2002
Additive/exclusive : Exclusive license (overrides additive licenses).
Held licenses : Allowed, hold time set by license.
Token lifetime (heartbeat): 300 secs (5 min(s))
Action on clock tamper : No more fresh licenses will be issued.
---------------------
We see that this is a trial key valid for 60 days! So the trial part is actually
built into the license and not into the program. So now we can conclude that the
Rainbow Trial is really just a special time limited license. As a quick test, try to
remove the license file completely. Will the program still start up? No, instead
we get an error about missing licenses. Let's just imagine now that Borland
changed their license policy and no longer distributed 60 day trial versions.
Instead a full version is available for download and to enable it you
need a Computer ID (Sentinel dongle). Would it still be "Rainbow Trials"
then? No! Since you would not be able to start up the program without that
dongle. However both versions (trial and dongled) would still use Client
Activator and still be encrypted by Sentinel LM Shell. This is just a small
difference in the settings used at license generation and program protection time.
The target is working now. No more trial, no more expiring and no more shaky
patches which might make the program expire after a longer period of time.
Sentinel LM has a big weakness: the only thing which prevents anyone from making licenses for other companies' products is the Vendor ID, and we just saw that it is very easy to find using the method above. Even lsdecode can be used for grabbing information out of existing licenses in order to make new ones. Finally, you don't call expiring FLEXlm licenses "GlobeTrotter Trials", and likewise you don't call Sentinel LM Shelled executables "Rainbow Trials".