Exetools  

  #1  
Old 11-14-2017, 19:06
devwhatsapp
 
Posts: n/a
Sentinel RMS Lock Code Identify ?

Hi

I have used RMSToolkit86 to decode the license.

Inside license -

Quote:
Lock code depends on : Disk ID in hexadecimal
: Extended Custom in hexadecimal
How to find what's the change in the generation of the lock code, so that we can generate a lock code for any machine?

Please suggest.

Thank you
  #2  
Old 11-14-2017, 22:41
FoxB FoxB is offline
VIP
 
Join Date: Jan 2002
Location: Earth...
Posts: 934
Rept. Given: 15
Rept. Rcvd 125 Times in 83 Posts
Thanks Given: 20
Thanks Rcvd at 675 Times in 278 Posts
FoxB Reputation: 100-199 FoxB Reputation: 100-199
> lock code for any machine.
Use the unlocked license scheme - it's done.
  #3  
Old 11-16-2017, 03:48
devwhatsapp
 
Hi
Did not want to make a new thread for this question.

The software I am using has some features disabled.

How can I find these features and enable them? Is it possible?

Regards
  #4  
Old 11-16-2017, 15:17
FoxB FoxB is offline
> How can I find these features and enable them ? Is it possible ?
Double YES. By digging into the target software.
  #5  
Old 11-16-2017, 15:21
devwhatsapp
 
Okay, so it's possible.

Is there any existing post where similar digging into a binary has been done, so I can follow it and debug the binary I have?

What/where should I look for?

Regards
  #6  
Old 11-17-2017, 00:35
FoxB FoxB is offline
Maybe the CrackZ site can help you as a sample.
  #7  
Old 11-18-2017, 16:40
devwhatsapp
 
I guess there is a problem in debugging those routines in the binary I want to.

This is the flow of the app.

It loads and gives a pop-up to enter the username, organization and serial key.

I entered the one I have and had BPs around the _LSRequest routine.

I saw the feature name and version in the registers.

So to get to the routine I need to have a valid serial key combo, which decides the feature name and key.

Any idea how to tackle this?

Regards
  #8  
Old 11-18-2017, 20:45
raduga_fb raduga_fb is offline
Family
 
Join Date: Nov 2012
Posts: 69
Rept. Given: 3
Rept. Rcvd 121 Times in 21 Posts
Thanks Given: 1
Thanks Rcvd at 128 Times in 32 Posts
raduga_fb Reputation: 100-199 raduga_fb Reputation: 100-199
software download link & sample / expired / demo serial?
  #9  
Old 11-20-2017, 01:29
devwhatsapp
 
Attached is the link.

Thank you

Last edited by devwhatsapp; 11-20-2017 at 04:24. Reason: Deleted the other thread and uploaded the link as attachment, sorry for the confusion.
  #10  
Old 11-20-2017, 15:45
FoxB FoxB is offline
your vendor identification
Code:
27 30 7D 7C-65 3B 4A 43-39 76 42 22-31 34 2B 49
69 78 36 6D-2F 36 27 28-3B F4 03 F9-A5 6D 9C CF
61 6D A1 0F-6E AE C7 92-27 30 7D 7C-65 3B 4A 43
39 76 42 22-31 34 2B 49-69 78 36 6D-2F 36 27 28
62 58 75 2A-29 33 2A 50-26 64 7D 3D-75 65 76 00
  #11  
Old 11-20-2017, 16:34
devwhatsapp
 
@FoxB, I really do not know what to do with the above info you gave.

Is vendor identification the same as "vendor_code :" in the decoded license?

What should I do next? Does this help in finding the feature names?

Edit-

sub_100517DD - this function relates to what you posted, and I can see the hex you posted in IDA.

Also about LSRequest - this is the only place where it's mentioned:

Code:
int __cdecl sub_10062A0F(int a1, int a2, int a3, int a4, char a5)
{
  int v5; // ebx
  int result; // eax
  char *v7; // eax
  int v8; // eax
  int v9; // edi
  signed int v10; // edi
  char *v11; // ebx
  DWORD v12; // ebx
  int v13; // eax
  int v14; // eax
  int v15; // ebx
  int v16; // eax
  int v17; // eax
  int v18; // eax
  int v19; // ebx
  int v20; // ebx
  int v21; // ebx
  int v22; // ebx
  unsigned int v23; // ebx
  const CHAR *v24; // eax
  CHAR *v25; // edi
  int v26; // eax
  int v27; // eax
  int v28; // edi
  int v29; // eax
  int v30; // ebx
  int v31; // eax
  int v32; // eax
  signed int v33; // eax
  int v34; // ebx
  int v35; // eax
  int v36; // edi
  int v37; // eax
  int v38; // eax
  int v39; // ebx
  int v40; // ST3C_4
  char v41; // [esp+Ch] [ebp-ADCh]
  HANDLE hMutex; // [esp+14h] [ebp-AD4h]
  int v43; // [esp+18h] [ebp-AD0h]
  int v44; // [esp+1Ch] [ebp-ACCh]
  int v45; // [esp+20h] [ebp-AC8h]
  char *Format; // [esp+24h] [ebp-AC4h]
  va_list ArgList; // [esp+28h] [ebp-AC0h]
  int v48; // [esp+2Ch] [ebp-ABCh]
  LPCSTR lpText; // [esp+30h] [ebp-AB8h]
  char v50; // [esp+34h] [ebp-AB4h]
  char DstBuf; // [esp+8Ch] [ebp-A5Ch]
  char v52; // [esp+A4Fh] [ebp-99h]
  char v53; // [esp+A50h] [ebp-98h]
  int v54; // [esp+A90h] [ebp-58h]
  int v55; // [esp+AD8h] [ebp-10h]
  char v56; // [esp+B18h] [ebp+30h]
  char v57[20]; // [esp+B3Ch] [ebp+54h]

  v48 = a2;
  v5 = -1;
  v44 = 0;
  v43 = 0;
  j_memset(&v56, 0, 34);
  if ( a1 == 4 )
  {
    v5 = a4;
    sub_1004F72B(a4);
  }
  result = sub_1004F7E9();
  if ( result == 7 || result > 0 && result & a1 )
  {
    ArgList = (va_list)&a4;
    if ( a1 == 4 )
    {
      v7 = (char *)au_re_malloc(512);
      Format = v7;
      if ( v7 )
      {
        j_memset(v7, 0, 512);
        if ( v5 > 318 )
          snprintf(Format, 511, ", Line : %d\n\tError# : %d : %s \n", a3, v5, byte_1012F658);
        else
          snprintf(Format, 511, ", Line : %d\n\tError# : %d : %s \n", a3, v5, off_10149300[v5]);
      }
    }
    else
    {
      ArgList = &a5;
      Format = (char *)a4;
    }
    j_memset(&DstBuf, 0, 2500);
    j_memset(v57, 0, 18);
    result = (int)Format;
    if ( Format && *Format )
    {
      if ( strstr(v48, "VLS")
        || !j_strcmp(v48, "LSRelease")
        || !j_strcmp(v48, "LSRequest")
        || !j_strcmp(v48, "LSUpdate")
        || !j_strcmp(v48, "LSGetMessage") )
      {
        snprintf(&v56, 34, "%s", v48);
        goto LABEL_25;
      }
      sub_100810B0(&v50);
      v8 = j_strlen(v48);
      sub_100817C9(&v50, v48, v8);
      result = au_re_malloc(16);
      v9 = result;
      v44 = result;
      if ( result )
      {
        j_memset(result, 0, 16);
        sub_10062885("16762CC486099AFC1CA0F177123C28CE", v9);
        sub_100817C9(&v50, v9, 16);
        sub_100817C9(&v50, v9, 16);
        sub_10081862(v57, &v50);
        v10 = 0;
        v11 = &v56;
        do
        {
          snprintf(v11, 3, "%2.2X", (unsigned __int8)v57[v10]);
          v11 += 2;
          ++v10;
        }
        while ( v10 < 8 );
LABEL_25:
        v12 = j_GetCurrentThreadId();
        if ( a1 == 4 )
          snprintf(&DstBuf, 2499, Format);
        else
          vsnprintf(&DstBuf, 0x9C3u, Format, ArgList);
        v52 = 0;
        result = au_re_malloc(256);
        v45 = result;
        if ( result )
        {
          j_memset(result, 0, 256);
          snprintf(v45, 255, "Process(%lu) :", v12);
          j_memset(&v54, 0, 69);
          j_memset(&v53, 0, 64);
          strncpy(&v54, "  ", 3);
          if ( au_re__time64(&v41) != -1 )
          {
            v13 = au_re__ctime64(&v41);
            if ( v13 )
            {
              sub_10063575(&v55, v13, 64);
              v14 = strchr(&v55, 32);
              if ( v14 )
              {
                v15 = v14 + 1;
                v16 = j_strlen(v14 + 1);
                v48 = au_re_malloc(v16 + 1);
                if ( v48 )
                {
                  v17 = j_strlen(v15);
                  sub_10063575(v48, v15, v17 + 1);
                  sub_10063575(&v55, v48, 64);
                  free(v48);
                  v18 = strrchr(&v55, 32);
                  if ( v18 )
                    *(_BYTE *)(v18 + 1) = 0;
                }
              }
            }
          }
          snprintf(&v54, 68, "%s:", &v55);
          v19 = j_strlen(v45);
          v20 = j_strlen("Sentinel RMS") + v19;
          v21 = j_strlen(&v54) + v20;
          v22 = j_strlen(&DstBuf) + v21;
          v23 = j_strlen(&v56) + v22 + 259;
          v24 = (const CHAR *)au_re_malloc(v23);
          lpText = v24;
          if ( v24 )
          {
            j_memset(v24, 0, v23);
            snprintf(lpText, v23, "%s :", "Sentinel RMS");
            sub_100635BF(lpText, &v54, v23);
            sub_100635BF(lpText, (_BYTE *)v45, v23);
            sub_100635BF(lpText, &v56, v23);
            if ( a1 != 4 )
            {
              j_memset(v45, 0, 256);
              snprintf(v45, 256, ", Line : %d\n", a3);
              sub_100635BF(lpText, (_BYTE *)v45, 0x100u);
            }
            v25 = (CHAR *)lpText;
            sub_100635BF(lpText, &DstBuf, v23);
            if ( a1 != 4 )
              sub_100635BF(v25, &unk_10130728, v23);
            v26 = j_strlen(v25);
            v48 = v26;
            if ( dword_10170834 )
            {
              if ( v26 > 0 )
              {
                ArgList = &v25[-v26];
                do
                {
                  if ( j_strlen(lpText) >= 512 )
                    v27 = 512;
                  else
                    v27 = j_strlen(lpText);
                  v28 = v27 + 1;
                  v29 = au_re_malloc(v27 + 1);
                  v30 = v29;
                  if ( !v29 )
                    break;
                  j_memset(v29, 0, v28);
                  v31 = j_strlen(lpText);
                  strncpy(v30, &ArgList[v31], v28 - 1);
                  v32 = j_strlen(v30);
                  dword_10170834(a1, v30, v32);
                  free(v30);
                  v48 -= 512;
                  ArgList += 512;
                }
                while ( v48 > 0 );
              }
            }
            else if ( dword_10170830 || byte_10170420 )
            {
              if ( v26 > 0 )
              {
                ArgList = &v25[-v26];
                do
                {
                  v33 = j_strlen(lpText) >= 512 ? 512 : j_strlen(lpText);
                  v34 = v33 + 1;
                  v35 = au_re_malloc(v33 + 1);
                  v36 = v35;
                  if ( !v35 )
                    break;
                  j_memset(v35, 0, v34);
                  v37 = j_strlen(lpText);
                  strncpy(v36, &ArgList[v37], v34 - 1);
                  v43 = j_strlen(v36);
                  if ( sub_100B91C6() )
                  {
                    free(v36);
                    break;
                  }
                  if ( dword_10170830 )
                  {
                    fprintf(dword_10170830, "%s", v36);
                  }
                  else if ( byte_10170420 && !sub_10062963() )
                  {
                    v38 = sub_1006362E(&byte_10170420, (int)"a");
                    v39 = v38;
                    if ( v38 )
                    {
                      fprintf(v38, "%s", v36);
                      fclose(v39);
                    }
                    sub_1007B2B0(hMutex);
                  }
                  free(v36);
                  v48 -= 512;
                  ArgList += 512;
                  v43 = 0;
                  if ( *(_DWORD *)((int (__thiscall *)(int))errno)(v40)
                    && *(_DWORD *)((int (*)(void))errno)() != 17
                    && *(_DWORD *)((int (*)(void))errno)() != 2 )
                  {
                    if ( !dword_10170838 )
                      dword_10170838 = 1;
                  }
                  else
                  {
                    dword_10170838 = 0;
                  }
                }
                while ( v48 > 0 );
              }
            }
            else if ( sub_100B91C6() != 1 )
            {
              MessageBoxA(0, v25, "Information", 0x40u);
            }
            free(lpText);
          }
          result = free(v45);
        }
        if ( v44 )
          result = free(v44);
        goto LABEL_80;
      }
    }
LABEL_80:
    if ( a1 == 4 )
    {
      if ( Format )
        result = free(Format);
    }
  }
  return result;
}
Update -

I have found activation codes in the binary using static analysis (HEX). Decoding them revealed a lot of feature names.

So now, to activate a feature, you need to have the proper serial key, username and org details to match the feature.

All data like the RSA keys, <ProductLicenseInfo><Products><Product Id><License Id><Component Id><Certificate Id> etc. are available in the binary.

Any idea how we can generate those data with this info and activate the features?

Update 12-6-2017---

Is the "serial key, username and org details" some part of Sentinel, or is it totally a custom license generation? One thing is sure: the function is inside the binary, not online.

Thanks and Regards

Last edited by devwhatsapp; 12-06-2017 at 22:37.