  #1  
03-16-2009, 08:33 AM
knr
Member
 
Join Date: Mar 2009
Posts: 16
sentinelpro; no dongles only lservrc available

hi all,
this is my first post and i think it is better to give some background information; i have used and have been using protected software with legitimate original keys and was blissfully unaware of patching. i was thus surprised when a western (read USA) customer came with some protected software on his laptop without any dongle, and that was my first introduction to emulators and patches.

recently i have been using protected software with patched strgxi2.dll, lsapiw32.dll and lservrc files. essentially i think they are patches where the calls to the dongle are routed to the respective patched dlls "processing" them; and two particularly useful pieces of software with original lservrc are unusable as the dongles are not there. they all use superpro dongles.

i have been going through the various posts in this forum as well as in the woodmann, crackz and nb pages to identify the way to make them usable. i understand that using suitable emulators and lservrc files they can be used without dongles.

with only lservrc i have tried to use SOUz's slmdec103 with no success (probably because i am using PIV and dual core machines?). even within win98 emulated windows they are not opening. i have however managed to have a look at them using lsdecode.exe, which does not give the vendor id explicitly.

i have managed to get the SDK complete (!) and have been going through Rainbow's helpful files for developers (these files are not to be passed to the clients and end customers!) which give the instructions to the developers on how to generate a license file using the meterkey or license file. my understanding is that using the full template i can create the new license using wlscgen and the meterkey once the program version, vendor id and computer id are available. (my first question: am i right?)

using lsdecode or slmdecode i hope to get the vendor id from the lservrc file. i have seen the postings regarding this and am going to start on this.
(second question: has slmdecode now been patched for working on modern machines or in VirtualBox? or should i use lsdecode only?)

but the main issue is, alas, i don't have a meterkey; however, my understanding is that using slmkit i can generate a wlscgen which can be patched with the necessary vendor id so that it can work with a full template file. i have managed to get the necessary tools: IDA, S/ICE and api readables. (third question: is my assumption right that i need to patch the wlscgen to create the license?)

i have seen many "seniors" frowning on others asking for software. but i am sure they won't frown when somebody is asking for answers! i have googled enough and the only two suitable posts (for my case) are cyberheg's "Removing need for dongle in Sentinel LM Wlscgen", which tells how to patch wlscgen to work without a meterkey, and "sentinelLM investigation" by crackz, which talks about getting the vendor id. though sprow has listed the devid, i intend to get into this myself and see if i am on the right track. so some answers to my questions above would be a high boost for my work.

finally, about the emulators: my understanding from reading all these posts and "order an emulator" advertisers is that i need the original dongle first to dump the contents and then need to create an emulation file for the same. my third question: is it possible to use the emulators (say edgeprofix11 or hasp2008) without the dongle in the first place? this question is because when i tried to run a protected software (which works with the patched lservrc) without the lservrc, selecting sentinel keygen and posting the same to the license window of sentemul2007 (the window says the sentinel is fully licensed), the software fails to kick in. so the last question is "is it possible to use the emulators if only a demo (and expired) lservrc or a patched lservrc is available?"

thanks for your answers and suggestions...

rnk (reversed knr)
  #2  
03-16-2009, 01:53 PM
BfoX
Senior Member
 
Join Date: Aug 2007
Posts: 2,234

it may be sentinel LM shell
simply will be removed or keygened

need software and lic file
__________________
... Either you work well or you work much ....
  #3  
03-30-2009, 03:23 PM
knr
Member
 
Join Date: Mar 2009
Posts: 16
No dongles only lservrc

hi all!
i received more personal messages (all apparently having a solution for $$$!) than answers in the forum. (thanks BfoX for the answer; however i don't know how to remove the shell without the original dongle)

i have managed(!) to do the following:
a) use slmdec103 (with NT compatibility) to read the lservrc file; from this i got the critical information (vendor id and feature name/version)
b) using the vendor id i used slmkit to get the no-dongle wlscgen
c) and then used mayaputra's suggestions to patch it for the vendor id (in fact the administrator / new user patch is already done)
(information: mayaputra mentions that only a 2-byte change is required for patching wlscgen to match the vendor id; however I found that in my case the Morphed_vendid gave a word which is different from the default value:

Default (2A0A):
1. 2A0A xor 373E4064 = 373E6A6E
2. 373E6A6E xor F774E470 = C04A8E1E
3. VLM_morphId(C04A8E1E) = AE80C3C4

In my case The VendorId is 43B7 : ( you can message me for the program name)
1. 43B7 xor 373E4064 = 373E03D3
2. 373E03D3 xor F774E470 = C04AE7A3
3. VLM_morphId(C04AE7A3) = AE847034

d) using the "no-dongle" WLSCGEN i have made a trial license for 120 days (the software allows trial use without a dongle and with no functions disabled!). So the program is up and running
=====================

some questions of my previous post are answered thus:
1. slmdec103 can be used on xp dual core machines using the "compatibility with NT 4.0" option.
2. Wlscgen can be patched for the vlm_morphid and it generates correct working licenses.
(info: there is a vid2sn.zip file with an executable and a serial.wri file; the executable, which is supposed to search the wri file, flags a virus alert in both avast (Win32:Trojan-gen-Other) and symantec; the serial.wri file is essentially a list of vendor ids and the generated serial numbers.

the original vid2sn.exe cannot handle upper case for the vendor id (for example if you type 43B7, it will say the search failed; you have to type 43b7). simply opening the file in wordpad and using the search option one can easily get the serial number. i have also written a rudimentary program with no GUI (can only be used as a command line utility); i can mail the same if somebody finds that their antivirus program is crying hoarse against the original.

the wri file is roughly 1 mb long; if somebody knows the algorithm for generation of the serial number from the vendor id please let us know)

=================
i have some questions now! i am sure i will get more responses this time:

1) the wlscgen limits the trial license to 120 days; how to patch it for say 365 days. I generated two license templates: one for 60 days trial and one for 120 days trial and using file compare in hexedit i found only two bytes (at two different locations) changed. I am sure one location represents the days and the second location possibly the crc of the file which would be obviously different. I tried brute force of changing the particular byte, and got corrupt file message.

2) i am using IDA and w32dasm. the executable has an isdebuggerpresent routine. when i first ran the program i kept getting error messages about the wrong memory location. however by breakpointing at two points i am able to jump the call and move to the main program. i googled and found a "python" patch. how to use that? i am not good at C language. are there any simple plug-ins or executable patches?

3) after step 2 above, the program goes to the rainbow activator (no license found, do you want to start the activator?). i have already patched sproformatpacket, sprofindfirstunit, sprofindnextunit, sprooverwrite. i thought with these patches i would go into sproread where it could point to the memory location to be patched. my understanding was that sprofindfirstunit is the first api routine to be called. but the program exits even before going there. any ideas?

4) how to identify the memory location if it is dynamically changed each time the sproread and sproquery subroutines are called?
  #4  
03-31-2009, 06:14 AM
farzad23
Member
 
Join Date: Mar 2006
Posts: 24

@knr
1st: you can use lsdecode to find all data in any lservrc; you should use a debugger and stop at the proper point
2nd: you don't need to use slmdecode (it will not show all data about the lic), just use lsdecode
3rd: for generating a proper lic you can use an emulator and the sdk (read the sdk doc and use the 1st part information (your data from lservrc) to find out your proper lic type). really, now you don't need to patch wlscgen

------------------------------------------------
some developers let the soft use many ways that slm can protect, for example some soft can run with a local dongle and a server or machine lock and...... i think in your case the strgxi2.dll file was patched for a specific dongle (dongle id=sn), so if you use the patched strgxi2.dll file you should use slm to make a lic with that dongle id=sn.


BR

Last edited by farzad23 : 03-31-2009 at 06:22 AM.
  #5  
03-31-2009, 06:28 AM
kiki
Senior Member
 
Join Date: Jun 2007
Posts: 186
interesting!

interesting
  #6  
03-31-2009, 12:15 PM
knr
Member
 
Join Date: Mar 2009
Posts: 16
no dongle only lservrc file

hi
thanks farzad and kiki!

@Farzad: in my second posting i forgot to mention the three pieces of software which i mentioned in the first posting; here it goes:
1) i have one working software with patched lsapiw32.dll and strgxi2.dll with matching lservrc. the license is set to expire soon, but i can regenerate new licenses and continue to use the software.
2) i have two other engineering software packages (one with an lservrc but no dongle, which does not start; and the second with no lservrc and no dongle, only the software)
=====
the exercise done was for the second software, where i used the lservrc and slmdec103 and lsdecode (it does not give the vendor id!) to get the required information and generated a trial license.
as the software proudly declares that a trial license does not require a dongle, the lservrc i generated is working, but only for 120 days. btw, it does not have strgxi2.dll

i am looking at making a standalone license which shall work without a dongle. (one way is to convert the trial license limit to say 999 days! or patch lsapiw32.dll where the routine for the trial days being exhausted is found)

for the third software where i don't have a lservrc file, i don't have the vendor id. i tried to use lsapiw32.dll and go to _computevendorcode; but ida fails to start as isdebuggerpresent is crashing it. i can separately disassemble the exe file, and skip the isdebuggerpresent by modifying eax at the kernel32.dll retn step.
i tried to patch the jmp statement which goes to the particular location but obviously it is a straight call to the kernel to produce a file table. so i cannot step over the call, but need to modify the table (i am planning to use idastealth and shall revert on the outcome)

meanwhile the main issue is that of patching the second software which is running under a trial license. which way is better? patching lsapiw32.dll or the exe? also, even after patching sproformatpacket, sprofindfirst, sprofindnextunit, without the lservrc file it falls into "no license found" without going to these api calls. why??

hope i shall get answers from the forum, instead of again finding the way myself! (need to re-invent the wheel?)

regards
knr

(PS: i have seen woodmann's article on creating the serial number from the vendor id; let me write a prog snippet / applet and see how it goes!)
  #7  
04-01-2009, 05:31 AM
kaka.enine
Member
 
Join Date: Jan 2009
Posts: 28

Quote:
Originally Posted by knr

Default (2A0A):
1. 2A0A xor 373E4064 = 373E6A6E
2. 373E6A6E xor F774E470 = C04A8E1E
3. VLM_morphId(C04A8E1E) = AE80C3C4

In my case The VendorId is 43B7 : ( you can message me for the program name)
1. 43B7 xor 373E4064 = 373E03D3
2. 373E03D3 xor F774E470 = C04AE7A3
3. VLM_morphId(C04AE7A3) = AE847034
oh my god ...

you have the intention to manipulate Mentum Planet SW ???



BR,

-kaka-
  #8  
04-01-2009, 04:20 PM
knr
Member
 
Join Date: Mar 2009
Posts: 16
no dongles only lservrc

hi all,

(to Kaka: no it is not mentum planet sw; nothing to do with mobile telephony at all; it is a chemical engineering software)

the software installation file says that the trial software does not need a dongle key; and that a standalone / network installation requires one. However, by clearing the Application-server locking criteria option in the license type, i generated a standalone license (the locking criteria is 0x0). and copying the license code into the rainbow activator, the lservrc is installed and running.

this means that an engineering software package, published as late as May 2006, has no protection except for the belief that the user won't have access to the vendor id, feature name and a patched license generator (wlscgen.exe).

thus no real patching of lsapiw32.dll or exe file is required.

BTW, advice is required: i have made a word document containing the list of activities done and the snapshots as they were done. obviously, it clearly gives the program name, version etc. should i add it to the general essays available on this board?

let me continue with the next software and i shall recount my trials and tribulations and success, if any!

cheers
knr
  #9  
04-01-2009, 11:47 PM
kaka.enine
Member
 
Join Date: Jan 2009
Posts: 28

Quote:
Originally Posted by knr
hi all,

(to Kaka: no it is not mentum planet sw; nothing to do with mobile telephony at all; it is a chemical engineering software)

the software installation file says that the trial software does not need a dongle key; and that a standalone / network installation requires one. However, by clearing the Application-server locking criteria option in the license type, i generated a standalone license (the locking criteria is 0x0). and copying the license code into the rainbow activator, the lservrc is installed and running.

this means that an engineering software package, published as late as May 2006, has no protection except for the belief that the user won't have access to the vendor id, feature name and a patched license generator (wlscgen.exe).

thus no real patching of lsapiw32.dll or exe file is required.

BTW, advice is required: i have made a word document containing the list of activities done and the snapshots as they were done. obviously, it clearly gives the program name, version etc. should i add it to the general essays available on this board?

let me continue with the next software and i shall recount my trials and tribulations and success, if any!

cheers
knr
oh ya ...
sorry ... my mistake ... the vendor id is quite similar to MP's ...

great job buddy ...


BR,

-kaka-