#1
Sentinel RMS Lock Code Identify ?
Hi
I have used RMSToolkit86 to decode license. Inside license - Quote:
Please suggest. Thank you |
#2
> lock code for any machine.
use unlocked license scheme - it done. |
#3
Hi
I did not want to start a new thread for this question. The software I am using has some features disabled. How can I find these features and enable them? Is it possible? Regards
#4
> How can I find these features and enable them ? Is it possible ?
double YES. by digging the target software. |
#5
Okay , so its possible.
Any existing post where similar digging the binary has been done ? So I can follow and debug the binary I have What/Where should I look for ? Regards |
#7
I think there is a problem with debugging those routines in the binary I am looking at.
This is the flow of the app: it loads and shows a pop-up asking for the username, organization and serial key. I entered the ones I have, with breakpoints around the _LSRequest routine, and I saw the feature name and version in the registers. So to reach the routine I need a valid serial key combination, which decides the feature name and key. Any idea how to tackle this? Regards
#8
software download link & sample / expired / demo serial?
#9
Attached is link .
Thank you Last edited by devwhatsapp; 11-20-2017 at 04:24. Reason: Deleted the other thread and uploaded the link as attachment , sorry for the confusion. |
#10
your vendor identification
Code:
27 30 7D 7C-65 3B 4A 43-39 76 42 22-31 34 2B 49 69 78 36 6D-2F 36 27 28-3B F4 03 F9-A5 6D 9C CF 61 6D A1 0F-6E AE C7 92-27 30 7D 7C-65 3B 4A 43 39 76 42 22-31 34 2B 49-69 78 36 6D-2F 36 27 28 62 58 75 2A-29 33 2A 50-26 64 7D 3D-75 65 76 00 |
#11
@FoxB , I really do not know what to do with the above info you gave.
Is the vendor identification the same as the "vendor_code :" field in the decoded license? What should I do next? Does this help in finding the feature names? Edit: sub_100517DD is the function that relates to what you posted, and I can see the hex you posted in IDA. As for LSRequest, this is the only place where it is mentioned: Code:
/*
 * sub_10062A0F -- decompiler pseudo-C; every sub_/dword_/vNN name is auto-generated.
 *
 * What the visible code does: it formats and emits one diagnostic message.
 * The "LSRequest" literal is only compared against a2 to choose how the
 * caller name is printed.
 *
 * a1  message class. The body runs only when sub_1004F7E9() returns 7, or a
 *     positive value that shares a bit with a1. a1 == 4 is the error path.
 * a2  used as a string naming the caller. A name containing "VLS", or equal to
 *     LSRelease / LSRequest / LSUpdate / LSGetMessage, is copied into the tag
 *     (v56) unchanged. Any other name is passed through sub_100810B0 /
 *     sub_100817C9 / sub_10081862 and the first 8 result bytes are printed as
 *     hex -- presumably a digest so that internal names stay out of the log
 *     (TODO confirm what those helpers compute).
 * a3  printed as "Line : %d".
 * a4  error number when a1 == 4; otherwise used as a printf-style format
 *     pointer, with a5 as the first variadic argument.
 *
 * Output path: the assembled text is handed on in chunks of at most 512
 * bytes -- to the callback dword_10170834 when it is set; else to the stream
 * dword_10170830, or to the file named by byte_10170420 (opened through
 * sub_1006362E with mode "a"); else it is shown with MessageBoxA unless
 * sub_100B91C6() returns 1.
 *
 * NOTE(review) -- code-quality points a maintainer of this routine should check:
 *  - On the a1 == 4 path Format is built with snprintf and then passed again
 *    as the format argument of snprintf(&DstBuf, 2499, Format) with no
 *    arguments, so a '%' inside the error text would be interpreted as a
 *    conversion. Passing it through a "%s" format avoids that.
 *  - off_10149300[v5] is guarded only by v5 > 318; no lower bound on v5 (= a4)
 *    is visible here -- confirm that callers never pass a negative value.
 *  - "Process(%lu)" is filled from j_GetCurrentThreadId(), i.e. a thread id.
 *  - sub_100635BF(lpText, v45, 0x100u) passes 0x100 where the other appends
 *    pass v23 -- TODO confirm which bound that helper expects.
 *  - strncpy is used for the chunk copies; termination relies on the
 *    preceding j_memset of a buffer one byte larger than the copy length.
 *  - hMutex reaches sub_1007B2B0 with no visible assignment; likely a
 *    decompilation artifact (sub_10062963 may set it) -- verify.
 *  - The listing is collapsed onto three physical lines, so each "//" register
 *    annotation hides the rest of its line from a compiler; it is readable as
 *    a listing only, and the forum text that follows the closing brace is not
 *    part of the function.
 */
int __cdecl sub_10062A0F(int a1, int a2, int a3, int a4, char a5) { int v5; // ebx int result; // eax char *v7; // eax int v8; // eax int v9; // edi signed int v10; // edi char *v11; // ebx DWORD v12; // ebx int v13; // eax int v14; // eax int v15; // ebx int v16; // eax int v17; // eax int v18; // eax int v19; // ebx int v20; // ebx int v21; // ebx int v22; // ebx unsigned int v23; // ebx const CHAR *v24; // eax CHAR *v25; // edi int v26; // eax int v27; // eax int v28; // edi int v29; // eax int v30; // ebx int v31; // eax int v32; // eax signed int v33; // eax int v34; // ebx int v35; // eax int v36; // edi int v37; // eax int v38; // eax int v39; // ebx int v40; // ST3C_4 char v41; // [esp+Ch] [ebp-ADCh] HANDLE hMutex; // [esp+14h] [ebp-AD4h] int v43; // [esp+18h] [ebp-AD0h] int v44; // [esp+1Ch] [ebp-ACCh] int v45; // [esp+20h] [ebp-AC8h] char *Format; // [esp+24h] [ebp-AC4h] va_list ArgList; // [esp+28h] [ebp-AC0h] int v48; // [esp+2Ch] [ebp-ABCh] LPCSTR lpText; // [esp+30h] [ebp-AB8h] char v50; // [esp+34h] [ebp-AB4h] char DstBuf; // [esp+8Ch] [ebp-A5Ch] char v52; // [esp+A4Fh] [ebp-99h] char v53; // [esp+A50h] [ebp-98h] int v54; // [esp+A90h] [ebp-58h] int v55; // [esp+AD8h] [ebp-10h] char v56; // [esp+B18h] [ebp+30h] char v57[20]; // [esp+B3Ch] [ebp+54h] v48 = a2; v5 = -1; v44 = 0; v43 = 0; j_memset(&v56, 0, 34); if ( a1 == 4 ) { v5 = a4; sub_1004F72B(a4); } result = sub_1004F7E9(); if ( result == 7 || result > 0 && result & a1 ) { ArgList = (va_list)&a4; if ( a1 == 4 ) { v7 = (char *)au_re_malloc(512); Format = v7; if ( v7 ) { j_memset(v7, 0, 512); if ( v5 > 318 ) snprintf(Format, 511, ", Line : %d\n\tError# : %d : %s \n", a3, v5, byte_1012F658); else snprintf(Format, 511, ", Line : %d\n\tError# : %d : %s \n", a3, v5, off_10149300[v5]); } } else { ArgList = &a5; Format = (char *)a4; } j_memset(&DstBuf, 0, 2500); j_memset(v57, 0, 18); result = (int)Format; if ( Format && *Format ) { if ( strstr(v48, "VLS") || !j_strcmp(v48, "LSRelease") || !j_strcmp(v48, 
"LSRequest") || !j_strcmp(v48, "LSUpdate") || !j_strcmp(v48, "LSGetMessage") ) { snprintf(&v56, 34, "%s", v48); goto LABEL_25; } sub_100810B0(&v50); v8 = j_strlen(v48); sub_100817C9(&v50, v48, v8); result = au_re_malloc(16); v9 = result; v44 = result; if ( result ) { j_memset(result, 0, 16); sub_10062885("16762CC486099AFC1CA0F177123C28CE", v9); sub_100817C9(&v50, v9, 16); sub_100817C9(&v50, v9, 16); sub_10081862(v57, &v50); v10 = 0; v11 = &v56; do { snprintf(v11, 3, "%2.2X", (unsigned __int8)v57[v10]); v11 += 2; ++v10; } while ( v10 < 8 ); LABEL_25: v12 = j_GetCurrentThreadId(); if ( a1 == 4 ) snprintf(&DstBuf, 2499, Format); else vsnprintf(&DstBuf, 0x9C3u, Format, ArgList); v52 = 0; result = au_re_malloc(256); v45 = result; if ( result ) { j_memset(result, 0, 256); snprintf(v45, 255, "Process(%lu) :", v12); j_memset(&v54, 0, 69); j_memset(&v53, 0, 64); strncpy(&v54, " ", 3); if ( au_re__time64(&v41) != -1 ) { v13 = au_re__ctime64(&v41); if ( v13 ) { sub_10063575(&v55, v13, 64); v14 = strchr(&v55, 32); if ( v14 ) { v15 = v14 + 1; v16 = j_strlen(v14 + 1); v48 = au_re_malloc(v16 + 1); if ( v48 ) { v17 = j_strlen(v15); sub_10063575(v48, v15, v17 + 1); sub_10063575(&v55, v48, 64); free(v48); v18 = strrchr(&v55, 32); if ( v18 ) *(_BYTE *)(v18 + 1) = 0; } } } } snprintf(&v54, 68, "%s:", &v55); v19 = j_strlen(v45); v20 = j_strlen("Sentinel RMS") + v19; v21 = j_strlen(&v54) + v20; v22 = j_strlen(&DstBuf) + v21; v23 = j_strlen(&v56) + v22 + 259; v24 = (const CHAR *)au_re_malloc(v23); lpText = v24; if ( v24 ) { j_memset(v24, 0, v23); snprintf(lpText, v23, "%s :", "Sentinel RMS"); sub_100635BF(lpText, &v54, v23); sub_100635BF(lpText, (_BYTE *)v45, v23); sub_100635BF(lpText, &v56, v23); if ( a1 != 4 ) { j_memset(v45, 0, 256); snprintf(v45, 256, ", Line : %d\n", a3); sub_100635BF(lpText, (_BYTE *)v45, 0x100u); } v25 = (CHAR *)lpText; sub_100635BF(lpText, &DstBuf, v23); if ( a1 != 4 ) sub_100635BF(v25, &unk_10130728, v23); v26 = j_strlen(v25); v48 = v26; if ( dword_10170834 ) { 
if ( v26 > 0 ) { ArgList = &v25[-v26]; do { if ( j_strlen(lpText) >= 512 ) v27 = 512; else v27 = j_strlen(lpText); v28 = v27 + 1; v29 = au_re_malloc(v27 + 1); v30 = v29; if ( !v29 ) break; j_memset(v29, 0, v28); v31 = j_strlen(lpText); strncpy(v30, &ArgList[v31], v28 - 1); v32 = j_strlen(v30); dword_10170834(a1, v30, v32); free(v30); v48 -= 512; ArgList += 512; } while ( v48 > 0 ); } } else if ( dword_10170830 || byte_10170420 ) { if ( v26 > 0 ) { ArgList = &v25[-v26]; do { v33 = j_strlen(lpText) >= 512 ? 512 : j_strlen(lpText); v34 = v33 + 1; v35 = au_re_malloc(v33 + 1); v36 = v35; if ( !v35 ) break; j_memset(v35, 0, v34); v37 = j_strlen(lpText); strncpy(v36, &ArgList[v37], v34 - 1); v43 = j_strlen(v36); if ( sub_100B91C6() ) { free(v36); break; } if ( dword_10170830 ) { fprintf(dword_10170830, "%s", v36); } else if ( byte_10170420 && !sub_10062963() ) { v38 = sub_1006362E(&byte_10170420, (int)"a"); v39 = v38; if ( v38 ) { fprintf(v38, "%s", v36); fclose(v39); } sub_1007B2B0(hMutex); } free(v36); v48 -= 512; ArgList += 512; v43 = 0; if ( *(_DWORD *)((int (__thiscall *)(int))errno)(v40) && *(_DWORD *)((int (*)(void))errno)() != 17 && *(_DWORD *)((int (*)(void))errno)() != 2 ) { if ( !dword_10170838 ) dword_10170838 = 1; } else { dword_10170838 = 0; } } while ( v48 > 0 ); } } else if ( sub_100B91C6() != 1 ) { MessageBoxA(0, v25, "Information", 0x40u); } free(lpText); } result = free(v45); } if ( v44 ) result = free(v44); goto LABEL_80; } } LABEL_80: if ( a1 == 4 ) { if ( Format ) result = free(Format); } } return result; } I have found activation codes in the binary using static analysis(HEX). Decoding them found a lot of feature names. So now to activate the feature , you need to have the proper serial key , username and org details to match the feature. All data like the RSA keys , <ProductLicenseInfo><Products><Product Id><License Id><Component Id><Certificate Id> etc are in the binary available. 
Any idea how we can generate those data with these info and activate the features? Update 12-6-2017--- Is the "serial key , username and org details" some part of sentinel or its totally a custom lic generation. One thing is sure the function is inside the binary , not online. Thanks and Regards Last edited by devwhatsapp; 12-06-2017 at 22:37. |