Cracking the Sentinel LM protected program Delphi v5.0 trial
by +Tsehp
fra_00xx 98xxxx handle 1100 NA PC |
Simple, easy to apply and working also with Inprise's C++ Builder 5. Tsehp
Using the essay "Rainbow trials Delphi five enterprise trial edition by macilaci" as a background we will study an easier and better method for making this program work than patching.
Sentinel LM licensing is very similar to FLEXlm. It also has both features and version numbers, which are needed in order to make licenses. Instead of seed codes each vendor gets a Vendor ID, which is encoded into the installation serial of the SDK. This Vendor ID is the return value of the function computevendorcode(), which is built into every application. There are two ways for a developer to protect a program: the custom API implementation or the Sentinel LM Shell. With the custom implementation you add the protection directly into the source code, while with the Shell the file(s) get packed and a shell surrounds them. With the Shell there also exists a Client Activator, which is a vbox-type screen. With this protection you have access to various options that allow end users to try out the program, such as demo mode, a time-limited trial, or the option to unlock the program completely by supplying a valid license code. Sentinel LM is very easy to adjust to your needs.

When running the Delphi installer we see that it wants a serial number to get the installation going. I won't comment on this as it is not really interesting for this project. Either fix it yourself or read in macilaci's or Nolan Blender's essay how it can be done. After installation we run the program, which starts up the executable delphi32.exe. It will show up with a vbox-type screen: the Client Activator. You have the option to try out the program, and doing so will of course start up the real program. As macilaci also concluded, this program is packed, and since it uses Client Activator too we know by now that Sentinel LM Shell was used as the protection. Loading the program with filemon running in the background shows that it reads the file lservrc before the Client Activator shows up. This is not really surprising, as the default filename of the Sentinel LM license file is lservrc.
Opening the file with notepad gave me this result:

---------------------
#Lic for Delphi 5 RTM, expires on Jun 31, 2002
0904167652371261
---------------------

We see here that it uses some kind of license file. We will explore the key later, but for now we will only concentrate on the necessary info needed to make a new license file. Looking at this key shows that it's encrypted, as we can't see any meaningful info in those numbers. It is a short key, since a long key would be about three times the length and standalone. Reading the Sentinel LM SDK manual we know that short keys are checked out by the API LSRequest(). Here is the description of LSRequest():

    LS_STATUS_CODE LSRequest (
        unsigned char *licenseSystem,
        unsigned char *publisherName,
        unsigned char *featureName,
        unsigned char *version,
        unsigned long *unitsReqd,
        unsigned char *logComment,
        LS_CHALLENGE  *challenge,
        LS_HANDLE     *lshandle);

We now disassemble delphi32.exe using IDA and apply the static FLIRT sig. Once it's done we will see that the sig identified many functions. We now make a map and convert it for use with Symbol Loader and we are ready to explore. By setting a breakpoint on _LSRequest we will see it break a few times. Here is one of the queries explained:

    00493130 mov edx, [eax]
    00493132 push edx              ; *lshandle
    00493133 mov edx, [eax+4]
    00493136 push edx              ; *challenge
    00493137 mov edx, [eax+8]
    0049313A push edx              ; *logComment
    0049313B mov edx, [eax+0Ch]
    0049313E push edx              ; *unitsReqd
    0049313F mov edx, [eax+10h]
    00493142 push edx              ; *version
    00493143 mov edx, [eax+14h]
    00493146 push edx              ; *featureName
    00493147 mov edx, [eax+18h]
    0049314A push edx              ; *publisherName
    0049314B mov eax, [ebx]
    0049314D push eax              ; *licenseSystem
    0049314E call dword ptr [ecx]  ; _LSRequest

By checking out what gets pushed onto the stack we will see that most of the variables are NULL pointers. This is because short licenses have fewer options to choose from.
By doing so with all of the license queries we will get the features "02" and "45". Now we need to find the Vendor ID, otherwise our licenses won't have the ID of the program. The licenses require the same Vendor ID as the program in order to work. We set a breakpoint on _computevendorcode and run the program once more. The return code in eax is 0x9CF, and this is the Vendor ID for this program/company. Now we have all the information needed to make licenses with Wlscgen. I explained most of the license details above, and of course we choose to make them non-expiring and non-nodelocked. Using the edi pointer at 41F0C0 at the license generation stage (described more carefully in an essay by Nolan Blender) we can mark our licenses with the specific Vendor ID. We now have two license keys, which we place in lservrc, and we remove the original one. Run the program again and we will see that both _LSRequest calls give a return code of zero as required, meaning LS_SUCCESS.

But now we won't see the Client Activator anymore. Why? It should come up if it was a trial version, shouldn't it? Let's explore the license key which was supplied. In the Sentinel LM SDK there is a program named lsdecode which is used for license decoding. It does not show all information, like challenge/response and Vendor ID, as this could be abused even if you had no skills, but for our needs it is sufficient. Let's run this on the key which was already supplied by Borland:

---------------------
SentinelLM 7.1.0 License Decoding Utility
Copyright (C) 2000 Rainbow Technologies, Inc.
Reading license codes from file: "C:\Program Files\Rainbow Technologies\Sentinel LM\7.1.0\English\Tools\lservrc"

License code: "0904167652371261"
License Type : Trial Standalone
Trial period : 60
Feature name : "02"
Max concurrent users : Unlimited.
Soft limit on users : Unlimited.
License start date : Morning of Jul 1, 1998
Expiration date : Midnight of Jun 30, 2002
Additive/exclusive : Exclusive license (overrides additive licenses).
Held licenses : Allowed, hold time set by license.
Token lifetime (heartbeat): 300 secs (5 min(s))
Action on clock tamper : No more fresh licenses will be issued.
---------------------

We see that this is a trial key valid for 60 days! So the trial part is actually stuck into a license and not into the program. So now we can conclude that the Rainbow Trial is really a special time-limited license. As a quick test, try to remove the license file completely. Will the program still start up? No, instead we will get an error about missing licenses. Let's just imagine now that Borland would change their license policy and not distribute 60-day trial versions anymore. Instead a full version is available for download, and to enable it you will need a Computer ID (Sentinel dongle). Would it still be "Rainbow Trials" then? No! Since you would not be able to start up the program without that dongle. However, both versions (trial and dongled) would still use Client Activator and still be encrypted by Sentinel LM Shell. This is just a small difference in the settings used at license generation and program protection time. The target is working now. No more trial, no more expiring and no more shaky patches which might make the program expire after a longer period of time.
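As an added illustration (not part of the original essay or of the Sentinel LM SDK), a small Python parser for the lsdecode report above that pulls out the license type, trial period and dates, and says whether the key is a time-limited trial and where it stands on a given day. The sample report text is constructed here, and the "Label : value" layout and "Morning of"/"Midnight of" date wording are assumed to be as lsdecode printed them above.

```python
import re
from datetime import date, datetime

# Constructed sample in the same "Label : value" layout that lsdecode printed above.
SAMPLE_LSDECODE = """\
License code: "0904167652371261"
License Type : Trial Standalone
Trial period : 60
Feature name : "02"
License start date : Morning of Jul 1, 1998
Expiration date : Midnight of Jun 30, 2002
Action on clock tamper : No more fresh licenses will be issued.
"""

# lsdecode prints dates as "Morning of Mon D, YYYY" or "Midnight of Mon D, YYYY".
_DATE_RE = re.compile(r"(?:Morning|Midnight) of ([A-Z][a-z]{2} \d{1,2}, \d{4})")

def parse_lsdecode(text):
    """Split lsdecode's report into a dict of label -> value (surrounding quotes stripped)."""
    fields = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        label, value = line.split(":", 1)  # first ':' separates label from value
        fields[label.strip()] = value.strip().strip('"')
    return fields

def _parse_date(value):
    m = _DATE_RE.search(value)
    return datetime.strptime(m.group(1), "%b %d, %Y").date() if m else None

def license_summary(text, today_iso):
    """Say whether the decoded key is a time-limited trial and where it stands on today_iso (YYYY-MM-DD)."""
    today = date.fromisoformat(today_iso)
    f = parse_lsdecode(text)
    expiry = _parse_date(f.get("Expiration date", ""))
    is_trial = f.get("License Type", "").lower().startswith("trial")
    trial_days = f.get("Trial period", "")
    return {
        "feature": f.get("Feature name"),
        "trial": is_trial,  # the 60-day limit lives in the key, not in the program
        "trial_days": int(trial_days) if is_trial and trial_days.isdigit() else None,
        "start": _parse_date(f.get("License start date", "")),
        "expiry": expiry,
        "expired": expiry is not None and today > expiry,  # "Midnight of" = end of that day
        "days_left": (expiry - today).days if expiry and today <= expiry else 0,
    }
```

Running license_summary(SAMPLE_LSDECODE, "2001-01-01") reports a 60-day trial of feature "02" with 545 days left before the Jun 30, 2002 expiry.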
Sentinel LM has a big weakness: the only thing which prevents anyone from making licenses for other companies' products is the Vendor ID, and we just saw that it is very easy to find by using the method above. Even lsdecode can be used for grabbing information out of existing licenses to make new ones. Finally, you don't call expiring FLEXlm licenses "GlobeTrotter Trials", and likewise you don't call Sentinel LM Shelled executables "Rainbow Trials".