Cracking version of Wslcgen.exe (Reference)

Discussion in 'Other software (non-garment industry)' started by vunguyenthanh07, 28 August 2012.


  1. vunguyenthanh07

    Tools: A cracked version of Wslcgen.exe (which is a part of Sentinel LM SDK) or a meter key, Sentinel LM SDK, IDA v4.04+, Softice v4.05, filemon and Sentinel LM flirt sigs for IDA.


    Uncertain - this appears to be a descendant of the earlier Sentinel License Manager and the Elan license manager. The models for licensing appear to come from the ancient "netls" package, but the key generation appears to be totally different. Delphi - you all know what it is.

    Sentinel LM licensing is very similar to FLEXlm. It also has both features and
    version numbers which are needed in order to make licenses. Instead of seed codes
    each vendor gets a Vendor ID which is encoded into the installation serial of
    the SDK.

    This Vendor ID is the return value of the function computevendorcode() which is
    built into every application.

    There are 2 ways for a developer to protect a program - the custom API
    implementation or the Sentinel LM Shell. With custom implementation you add the
    protection directly into the source code, while with the Shell the file(s) will
    get packed and a shell will surround them. With the Shell there exists a Client
    Activator which is a vbox type screen. With this protection you have access to
    various options that allow end users to try out the program, such as demo mode,
    time limited trial, or the option to unlock the program completely by supplying
    a valid license code. SentinelLM is very easy to adjust for your needs.

    When running the Delphi installer we see that it wants a serial number to get
    the installation going. I won't comment on this as it is not really interesting for
    this project. Either fix it yourself or read in macilaci's or Nolan Blender's
    essay how it can be done.

    After installation we run the program which starts up the executable -
    delphi32.exe. It will show up with a Vbox type screen - the Client Activator.
    You have the option to try out the program and doing so will of course start up
    the real program. As macilaci also concluded this program is packed and since
    it uses Client Activator too we know by now that Sentinel LM Shell was used as
    the protection.

    Loading the program with filemon running in the background shows that it reads
    the file lservrc before the Client Activator shows up. This is not really
    surprising as the default filename of the SentinelLM license file is lservrc.

    Opening the file with notepad gave me this result:

    ---------------------
    #Lic for Delphi 5 RTM, expires on Jun 31, 2002
    0904167652371261
    ---------------------


    We see here that it uses some kind of license file. We will explore the key
    later but for now we will only concentrate on the necessary info needed to make
    a new license file. Looking at this key shows that it's encrypted as we can't see
    any meaningful info from those numbers. It is a short key since a long key would be
    about 3 times the length and standalone.
    Reading the Sentinel LM SDK manual we know that short keys are checked
    out by the api LSRequest().

    Here is the description of LSRequest():
    LS_STATUS_CODE LSRequest (
    char *licenseSystem,
    char *publisherName,
    char *featureName,
    char *version,
    long *unitsReqd,
    char *logComment,
    LS_CHALLENGE *challenge,
    LS_HANDLE *lshandle);


    We now disassemble the delphi32.exe using IDA and apply the static flirt sig.
    Once it's done we will see that the sig identified many functions. We
    now make a map and convert it for use with symbol loader and we are ready to
    explore.

    By setting a breakpoint on _LSRequest we will see it break a few times.

    Here is one of the queries explained:

    00493130 mov edx, [eax]
    00493132 push edx ; *lshandle
    00493133 mov edx, [eax+4]
    00493136 push edx ; *challenge
    00493137 mov edx, [eax+8]
    0049313A push edx ; *logComment
    0049313B mov edx, [eax+0Ch]
    0049313E push edx ; *unitsReqd
    0049313F mov edx, [eax+10h]
    00493142 push edx ; *version
    00493143 mov edx, [eax+14h]
    00493146 push edx ; *featureName
    00493147 mov edx, [eax+18h]
    0049314A push edx ; *publisherName
    0049314B mov eax, [ebx]
    0049314D push eax ; *licenseSystem
    0049314E call dword ptr [ecx] ; _LSRequest

    By checking out what gets pushed onto the stack we will see that most of the
    variables are NULL pointers. This is because short licenses have less options to
    choose from.

    By doing so with all of the license queries we will get the features "02" and "45".

    Now we need to find the Vendor ID otherwise our licenses won't have the ID of the
    program. The licenses require the same Vendor ID as the program in order to
    work.

    We set a break point on _computevendorcode and run the program once more.
    The return code in eax is 0x9CF and this is the Vendor for this program/company.

    Now we have all information needed to make licenses with Wlscgen.
    I explained most of the license details above and of course we choose to make it
    non-expiring and non-nodelocked. Using the edi pointer at 41F0C0 at the license
    generation stage (described more carefully in an essay by Nolan Blender) we can
    mark our licenses to the specific Vendor ID.

    We now have two license keys which we place in lservrc and remove the
    original one. Run the program again and we will see that both _LSRequest calls
    will give a return code zero as required meaning LS_SUCCESS. But now we won't
    see the Client Activator anymore. Why? It should come up if it was a trial
    version, shouldn't it?

    Let's explore the license key which was supplied. In the Sentinel LM SDK there is
    a program named lsdecode which is used for license decoding. It does not show
    all information like Challenge/response and Vendor ID as this could be abused
    even if you had no skills, but for our needs it is sufficient.
    Let's run this on the key which was already supplied by Borland:


    ---------------------
    SentinelLM 7.1.0 License Decoding Utility
    Copyright (C) 2000 Rainbow Technologies, Inc.

    Reading license codes from file: "C:\Program Files\Rainbow Technologies\Sentinel
    LM\7.1.0\English\Tools\lservrc"

    License code: "0904167652371261"

    License Type : Trial Standalone
    Trial period : 60
    Feature name : "02"

    Max concurrent users : Unlimited.
    Soft limit on users : Unlimited.
    License start date : Morning of Jul 1, 1998
    Expiration date : Midnight of Jun 30, 2002

    Additive/exclusive : Exclusive license (overrides additive licenses).
    Held licenses : Allowed, hold time set by license.
    Token lifetime (heartbeat): 300 secs (5 min(s))
    Action on clock tamper : No more fresh licenses will be issued.
    ---------------------

    We see that this is a trial key valid for 60 days! So the trial part is actually
    stuck into a license and not in the program. So now we can conclude that the
    Rainbow Trial is really a special time limited license. As a quick test try to
    remove the license file completely. Will the program still start up? No, instead
    we will get an error about missing licenses. Let's just imagine now that Borland
    would change their license policy and did not distribute 60 day trial versions
    anymore. Instead a full version is available for download and to enable it you
    will need a Computer ID (Sentinel dongle). Would it still be "Rainbow Trials"
    then? No! Since you would not be able to start up the program without that
    dongle. However both versions (trial and dongled) would still use Client
    Activator and still be encrypted by Sentinel LM Shell. This is just a small
    difference in the settings used at license generation and program protection time.

    The target is working now. No more trial, no more expiring and no more shaky
    patches which might make the program expire after a longer period of time.



    Final Notes

    Sentinel LM has a big weakness as the only thing which prevents anyone from making
    licenses for other companies' products is the Vendor ID, and we just saw it is
    very easy to find that by using the method above. Even lsdecode can be used for
    grabbing information out of existing licenses to make new ones.

    Finally you don't call expiring flexlm licenses "GlobeTrotter Trials" and
    likewise you don't call Sentinel LM Shelled executables "Rainbow Trials".


    "Annotate:

    Easiest way to do it (Without DCA File)
    1- Put a file called lservrc with lsdecode in same folder
    2- this lservrc will have inside the license you want to decode (so maybe open a txt file , paste the license inside, save and then rename it from xxx.txt to lservrc)
    3- open olly and load lsdecode inside it
    4- when loaded go to ( ctrl+g) address 0042107E then put a BP (F2)
    5- now press run
    6- Notice the output in olly

    Easiest way to do it (With DCA File)
    1- put the license you want to decode in a txt file and put it in the same folder where lsdecode from DCA exists
    2- go to run, type cmd, and using command line browse to the location where lsdecode of DCA exists
    3- Now run this command " lsdec104.exe -s "name of your txt file having the license"
    4- Notice the output

    "This guide is a bit old, but it is still the basic method one needs to understand about generating licences for virtual dongles. The newer method is a little simpler, but fundamentally it is exactly the same. This reference post is also a necessary part for anyone who likes to learn. Thank you."
    VTT "Collected"
  2. luan3

  3. anhnhoem

    Does anyone else know more?
    Please teach me some more.
    Hic, I have read and re-read your post over and over and still haven't grasped anything at all, hic. My knowledge is still very vague ......