EXETOOLS FORUM  

  #1  
Old 11-14-2017, 19:06
devwhatsapp devwhatsapp is offline
Friend
 
Join Date: Nov 2017
Posts: 6
Rept. Given: 0
Rept. Rcvd 0 Times in 0 Posts
Thanks Given: 4
Thanks Rcvd at 0 Times in 0 Posts
devwhatsapp Reputation: 0
Sentinel RMS Lock Code Identify ?

Hi

I have used RMSToolkit86 to decode the license.

Inside license -

Quote:
Lock code depends on : Disk ID in hexadecimal
: Extended Custom in hexadecimal

How do I find what the change is in the generation of the lock code, so that we can generate a lock code for any machine?

Please suggest.

Thank you
  #2  
Old 11-14-2017, 22:41
FoxB FoxB is online now
VIP
 
Join Date: Jan 2002
Location: Earth...
Posts: 561
Rept. Given: 12
Rept. Rcvd 99 Times in 65 Posts
Thanks Given: 3
Thanks Rcvd at 205 Times in 69 Posts
FoxB Reputation: 99
> lock code for any machine.
Use unlocked license scheme - it's done.
The Following User Says Thank You to FoxB For This Useful Post:
devwhatsapp (11-14-2017)
  #3  
Old 11-16-2017, 03:48
devwhatsapp devwhatsapp is offline
Hi
Did not want to make a new thread for this question.

The software I am using has some features disabled.

How can I find these features and enable them? Is it possible?

Regards
  #4  
Old 11-16-2017, 15:17
FoxB FoxB is online now
> How can I find these features and enable them ? Is it possible ?
Double YES. By digging into the target software.
The Following User Says Thank You to FoxB For This Useful Post:
devwhatsapp (11-16-2017)
  #5  
Old 11-16-2017, 15:21
devwhatsapp devwhatsapp is offline
Okay, so it's possible.

Is there any existing post where similar digging into the binary has been done, so I can follow it and debug the binary I have?

What/where should I look for?

Regards
  #6  
Old 11-17-2017, 00:35
FoxB FoxB is online now
Maybe the CrackZ site can help you: sample
The Following User Says Thank You to FoxB For This Useful Post:
devwhatsapp (11-17-2017)
  #7  
Old 11-18-2017, 16:40
devwhatsapp devwhatsapp is offline
I guess there is a problem in debugging those routines in the binary I want to.

This is the flow of the app.

It loads and gives a pop-up to enter the username, organization and serial key.

I entered the one I have and had BPs around the _LSRequest routine.

I saw the feature name and version in the registers.

So to get to the routine I need to have a valid serial key combo, which decides the feature name and key.

Any idea how to tackle this?

Regards
  #8  
Old 11-18-2017, 20:45
raduga_fb raduga_fb is offline
Family
 
Join Date: Nov 2012
Posts: 34
Rept. Given: 3
Rept. Rcvd 98 Times in 11 Posts
Thanks Given: 0
Thanks Rcvd at 29 Times in 9 Posts
raduga_fb Reputation: 98
software download link & sample / expired / demo serial?
  #9  
Old 11-20-2017, 01:29
devwhatsapp devwhatsapp is offline
Attached is the link.

Thank you
Attached Files
File Type: txt Download.txt (101 Bytes, 2 views)

Last edited by devwhatsapp; 11-20-2017 at 04:24. Reason: Deleted the other thread and uploaded the link as attachment , sorry for the confusion.
  #10  
Old 11-20-2017, 15:45
FoxB FoxB is online now
your vendor identification
Code:
27 30 7D 7C-65 3B 4A 43-39 76 42 22-31 34 2B 49
69 78 36 6D-2F 36 27 28-3B F4 03 F9-A5 6D 9C CF
61 6D A1 0F-6E AE C7 92-27 30 7D 7C-65 3B 4A 43
39 76 42 22-31 34 2B 49-69 78 36 6D-2F 36 27 28
62 58 75 2A-29 33 2A 50-26 64 7D 3D-75 65 76 00
The Following User Says Thank You to FoxB For This Useful Post:
devwhatsapp (11-20-2017)
  #11  
Old 11-20-2017, 16:34
devwhatsapp devwhatsapp is offline
@FoxB, I really do not know what to do with the above info you gave.

Is vendor identification the same as "vendor_code :" in the decoded license?

What should I do next? Does this help in finding the feature names?

Edit -

sub_100517DD - this function relates to what you posted, and I can see the hex you posted in IDA.

Also, about LSRequest - this is the only place where it's mentioned:

Code:
int __cdecl sub_10062A0F(int a1, int a2, int a3, int a4, char a5)
{
  int v5; // ebx
  int result; // eax
  char *v7; // eax
  int v8; // eax
  int v9; // edi
  signed int v10; // edi
  char *v11; // ebx
  DWORD v12; // ebx
  int v13; // eax
  int v14; // eax
  int v15; // ebx
  int v16; // eax
  int v17; // eax
  int v18; // eax
  int v19; // ebx
  int v20; // ebx
  int v21; // ebx
  int v22; // ebx
  unsigned int v23; // ebx
  const CHAR *v24; // eax
  CHAR *v25; // edi
  int v26; // eax
  int v27; // eax
  int v28; // edi
  int v29; // eax
  int v30; // ebx
  int v31; // eax
  int v32; // eax
  signed int v33; // eax
  int v34; // ebx
  int v35; // eax
  int v36; // edi
  int v37; // eax
  int v38; // eax
  int v39; // ebx
  int v40; // ST3C_4
  char v41; // [esp+Ch] [ebp-ADCh]
  HANDLE hMutex; // [esp+14h] [ebp-AD4h]
  int v43; // [esp+18h] [ebp-AD0h]
  int v44; // [esp+1Ch] [ebp-ACCh]
  int v45; // [esp+20h] [ebp-AC8h]
  char *Format; // [esp+24h] [ebp-AC4h]
  va_list ArgList; // [esp+28h] [ebp-AC0h]
  int v48; // [esp+2Ch] [ebp-ABCh]
  LPCSTR lpText; // [esp+30h] [ebp-AB8h]
  char v50; // [esp+34h] [ebp-AB4h]
  char DstBuf; // [esp+8Ch] [ebp-A5Ch]
  char v52; // [esp+A4Fh] [ebp-99h]
  char v53; // [esp+A50h] [ebp-98h]
  int v54; // [esp+A90h] [ebp-58h]
  int v55; // [esp+AD8h] [ebp-10h]
  char v56; // [esp+B18h] [ebp+30h]
  char v57[20]; // [esp+B3Ch] [ebp+54h]

  v48 = a2;
  v5 = -1;
  v44 = 0;
  v43 = 0;
  j_memset(&v56, 0, 34);
  if ( a1 == 4 )
  {
    v5 = a4;
    sub_1004F72B(a4);
  }
  result = sub_1004F7E9();
  if ( result == 7 || result > 0 && result & a1 )
  {
    ArgList = (va_list)&a4;
    if ( a1 == 4 )
    {
      v7 = (char *)au_re_malloc(512);
      Format = v7;
      if ( v7 )
      {
        j_memset(v7, 0, 512);
        if ( v5 > 318 )
          snprintf(Format, 511, ", Line : %d\n\tError# : %d : %s \n", a3, v5, byte_1012F658);
        else
          snprintf(Format, 511, ", Line : %d\n\tError# : %d : %s \n", a3, v5, off_10149300[v5]);
      }
    }
    else
    {
      ArgList = &a5;
      Format = (char *)a4;
    }
    j_memset(&DstBuf, 0, 2500);
    j_memset(v57, 0, 18);
    result = (int)Format;
    if ( Format && *Format )
    {
      if ( strstr(v48, "VLS")
        || !j_strcmp(v48, "LSRelease")
        || !j_strcmp(v48, "LSRequest")
        || !j_strcmp(v48, "LSUpdate")
        || !j_strcmp(v48, "LSGetMessage") )
      {
        snprintf(&v56, 34, "%s", v48);
        goto LABEL_25;
      }
      sub_100810B0(&v50);
      v8 = j_strlen(v48);
      sub_100817C9(&v50, v48, v8);
      result = au_re_malloc(16);
      v9 = result;
      v44 = result;
      if ( result )
      {
        j_memset(result, 0, 16);
        sub_10062885("16762CC486099AFC1CA0F177123C28CE", v9);
        sub_100817C9(&v50, v9, 16);
        sub_100817C9(&v50, v9, 16);
        sub_10081862(v57, &v50);
        v10 = 0;
        v11 = &v56;
        do
        {
          snprintf(v11, 3, "%2.2X", (unsigned __int8)v57[v10]);
          v11 += 2;
          ++v10;
        }
        while ( v10 < 8 );
LABEL_25:
        v12 = j_GetCurrentThreadId();
        if ( a1 == 4 )
          snprintf(&DstBuf, 2499, Format);
        else
          vsnprintf(&DstBuf, 0x9C3u, Format, ArgList);
        v52 = 0;
        result = au_re_malloc(256);
        v45 = result;
        if ( result )
        {
          j_memset(result, 0, 256);
          snprintf(v45, 255, "Process(%lu) :", v12);
          j_memset(&v54, 0, 69);
          j_memset(&v53, 0, 64);
          strncpy(&v54, "  ", 3);
          if ( au_re__time64(&v41) != -1 )
          {
            v13 = au_re__ctime64(&v41);
            if ( v13 )
            {
              sub_10063575(&v55, v13, 64);
              v14 = strchr(&v55, 32);
              if ( v14 )
              {
                v15 = v14 + 1;
                v16 = j_strlen(v14 + 1);
                v48 = au_re_malloc(v16 + 1);
                if ( v48 )
                {
                  v17 = j_strlen(v15);
                  sub_10063575(v48, v15, v17 + 1);
                  sub_10063575(&v55, v48, 64);
                  free(v48);
                  v18 = strrchr(&v55, 32);
                  if ( v18 )
                    *(_BYTE *)(v18 + 1) = 0;
                }
              }
            }
          }
          snprintf(&v54, 68, "%s:", &v55);
          v19 = j_strlen(v45);
          v20 = j_strlen("Sentinel RMS") + v19;
          v21 = j_strlen(&v54) + v20;
          v22 = j_strlen(&DstBuf) + v21;
          v23 = j_strlen(&v56) + v22 + 259;
          v24 = (const CHAR *)au_re_malloc(v23);
          lpText = v24;
          if ( v24 )
          {
            j_memset(v24, 0, v23);
            snprintf(lpText, v23, "%s :", "Sentinel RMS");
            sub_100635BF(lpText, &v54, v23);
            sub_100635BF(lpText, (_BYTE *)v45, v23);
            sub_100635BF(lpText, &v56, v23);
            if ( a1 != 4 )
            {
              j_memset(v45, 0, 256);
              snprintf(v45, 256, ", Line : %d\n", a3);
              sub_100635BF(lpText, (_BYTE *)v45, 0x100u);
            }
            v25 = (CHAR *)lpText;
            sub_100635BF(lpText, &DstBuf, v23);
            if ( a1 != 4 )
              sub_100635BF(v25, &unk_10130728, v23);
            v26 = j_strlen(v25);
            v48 = v26;
            if ( dword_10170834 )
            {
              if ( v26 > 0 )
              {
                ArgList = &v25[-v26];
                do
                {
                  if ( j_strlen(lpText) >= 512 )
                    v27 = 512;
                  else
                    v27 = j_strlen(lpText);
                  v28 = v27 + 1;
                  v29 = au_re_malloc(v27 + 1);
                  v30 = v29;
                  if ( !v29 )
                    break;
                  j_memset(v29, 0, v28);
                  v31 = j_strlen(lpText);
                  strncpy(v30, &ArgList[v31], v28 - 1);
                  v32 = j_strlen(v30);
                  dword_10170834(a1, v30, v32);
                  free(v30);
                  v48 -= 512;
                  ArgList += 512;
                }
                while ( v48 > 0 );
              }
            }
            else if ( dword_10170830 || byte_10170420 )
            {
              if ( v26 > 0 )
              {
                ArgList = &v25[-v26];
                do
                {
                  v33 = j_strlen(lpText) >= 512 ? 512 : j_strlen(lpText);
                  v34 = v33 + 1;
                  v35 = au_re_malloc(v33 + 1);
                  v36 = v35;
                  if ( !v35 )
                    break;
                  j_memset(v35, 0, v34);
                  v37 = j_strlen(lpText);
                  strncpy(v36, &ArgList[v37], v34 - 1);
                  v43 = j_strlen(v36);
                  if ( sub_100B91C6() )
                  {
                    free(v36);
                    break;
                  }
                  if ( dword_10170830 )
                  {
                    fprintf(dword_10170830, "%s", v36);
                  }
                  else if ( byte_10170420 && !sub_10062963() )
                  {
                    v38 = sub_1006362E(&byte_10170420, (int)"a");
                    v39 = v38;
                    if ( v38 )
                    {
                      fprintf(v38, "%s", v36);
                      fclose(v39);
                    }
                    sub_1007B2B0(hMutex);
                  }
                  free(v36);
                  v48 -= 512;
                  ArgList += 512;
                  v43 = 0;
                  if ( *(_DWORD *)((int (__thiscall *)(int))errno)(v40)
                    && *(_DWORD *)((int (*)(void))errno)() != 17
                    && *(_DWORD *)((int (*)(void))errno)() != 2 )
                  {
                    if ( !dword_10170838 )
                      dword_10170838 = 1;
                  }
                  else
                  {
                    dword_10170838 = 0;
                  }
                }
                while ( v48 > 0 );
              }
            }
            else if ( sub_100B91C6() != 1 )
            {
              MessageBoxA(0, v25, "Information", 0x40u);
            }
            free(lpText);
          }
          result = free(v45);
        }
        if ( v44 )
          result = free(v44);
        goto LABEL_80;
      }
    }
LABEL_80:
    if ( a1 == 4 )
    {
      if ( Format )
        result = free(Format);
    }
  }
  return result;
}

Update -

I have found activation codes in the binary using static analysis (HEX). Decoding them, I found a lot of feature names.

So now, to activate a feature, you need to have the proper serial key, username and org details to match the feature.

All data like the RSA keys, <ProductLicenseInfo><Products><Product Id><License Id><Component Id><Certificate Id> etc. are available in the binary.

Any idea how we can generate that data with this info and activate the features?

Thanks and Regards

Last edited by devwhatsapp; 11-21-2017 at 00:01.



All times are GMT +8. The time now is 02:30.

