#1
Sentinel RMS Lock Code Identify ?
Hi
I have used RMSToolkit86 to decode license. Inside license - Quote:
Please suggest. Thank you |
#2
> lock code for any machine.
use unlocked license scheme - it done. |
#3
Hi
Did not want to make a new thread for this question. The software am using has some features disabled. How can I find these features and enable them ? Is it possible ? Regards |
#4
> How can I find these features and enable them ? Is it possible ?
double YES. by digging the target software. |
#5
Okay , so its possible.
Any existing post where similar digging the binary has been done ? So I can follow and debug the binary I have What/Where should I look for ? Regards |
#7
I guess there is a prob in debugging those routine in the binary I want to.
This is the flow of the app: it loads and shows a pop-up asking for the username, organization and serial key. I entered the ones I have and had breakpoints around the _LSRequest routine; I saw the feature name and version in the registers. So, to get to the routine, I need a valid serial key combination, which decides the feature name and key. Any idea how to tackle this? Regards
#8
software download link & sample / expired / demo serial?
#9
Attached is link .
Thank you Last edited by devwhatsapp; 11-20-2017 at 04:24. Reason: Deleted the other thread and uploaded the link as attachment , sorry for the confusion. |
#10
your vendor identification
Code:
27 30 7D 7C-65 3B 4A 43-39 76 42 22-31 34 2B 49 69 78 36 6D-2F 36 27 28-3B F4 03 F9-A5 6D 9C CF 61 6D A1 0F-6E AE C7 92-27 30 7D 7C-65 3B 4A 43 39 76 42 22-31 34 2B 49-69 78 36 6D-2F 36 27 28 62 58 75 2A-29 33 2A 50-26 64 7D 3D-75 65 76 00 |
#11
@FoxB , I really do not know what to do with the above info you gave.
Is the vendor identification the same as "vendor_code :" in the decoded license? What should I do next? Does this help in finding the feature names? Edit: sub_100517DD - this function relates to what you posted, and I can see the hex you posted in IDA. Also, about LSRequest - this is the only place where it's mentioned. Code:
// Decompiler output (IDA/Hex-Rays style) for a message formatting and delivery routine.
// It builds one text line of the form
//   "Sentinel RMS :" + timestamp + "Process(<id>) :" + caller tag + line/error text + message
// and hands it to the first available sink: a registered callback, an open stream,
// a file opened by path in append mode, or a MessageBoxA dialog.
//
// Parameters, as far as the visible uses establish them:
//   a1 - message category; it is ANDed with the value returned by sub_1004F7E9() and the
//        value 4 selects the "error number" form of the message.
//   a2 - pointer to the caller's function-name string (compared against "VLS", "LSRequest", ...).
//   a3 - integer printed after "Line :".
//   a4 - an integer error number when a1 == 4, otherwise a pointer to a printf-style format.
//   a5 - first variadic argument for that format (its address is used as the va_list).
// The returned value is whatever last landed in `result`; no caller-visible meaning can be
// read from this listing.
int __cdecl sub_10062A0F(int a1, int a2, int a3, int a4, char a5)
{
int v5; // ebx
int result; // eax
char *v7; // eax
int v8; // eax
int v9; // edi
signed int v10; // edi
char *v11; // ebx
DWORD v12; // ebx
int v13; // eax
int v14; // eax
int v15; // ebx
int v16; // eax
int v17; // eax
int v18; // eax
int v19; // ebx
int v20; // ebx
int v21; // ebx
int v22; // ebx
unsigned int v23; // ebx
const CHAR *v24; // eax
CHAR *v25; // edi
int v26; // eax
int v27; // eax
int v28; // edi
int v29; // eax
int v30; // ebx
int v31; // eax
int v32; // eax
signed int v33; // eax
int v34; // ebx
int v35; // eax
int v36; // edi
int v37; // eax
int v38; // eax
int v39; // ebx
int v40; // ST3C_4
char v41; // [esp+Ch] [ebp-ADCh]
HANDLE hMutex; // [esp+14h] [ebp-AD4h]
int v43; // [esp+18h] [ebp-AD0h]
int v44; // [esp+1Ch] [ebp-ACCh]
int v45; // [esp+20h] [ebp-AC8h]
char *Format; // [esp+24h] [ebp-AC4h]
va_list ArgList; // [esp+28h] [ebp-AC0h]
int v48; // [esp+2Ch] [ebp-ABCh]
LPCSTR lpText; // [esp+30h] [ebp-AB8h]
char v50; // [esp+34h] [ebp-AB4h]
// DstBuf is really the start of a 2500-byte buffer (see the memset below); v52 lies
// 0x9C3 (2499) bytes above it per the stack offsets, i.e. it is the buffer's last byte.
char DstBuf; // [esp+8Ch] [ebp-A5Ch]
char v52; // [esp+A4Fh] [ebp-99h]
char v53; // [esp+A50h] [ebp-98h]
int v54; // [esp+A90h] [ebp-58h]
int v55; // [esp+AD8h] [ebp-10h]
char v56; // [esp+B18h] [ebp+30h]
char v57[20]; // [esp+B3Ch] [ebp+54h]
// v48 first holds the caller-name pointer; it is reused later as a scratch pointer and counter.
v48 = a2;
v5 = -1;
v44 = 0;
v43 = 0;
// v56 is the 34-byte caller-tag field of the final message.
j_memset(&v56, 0, 34);
// Category 4: a4 is an integer error number, which is also passed to sub_1004F72B().
if ( a1 == 4 )
{
v5 = a4;
sub_1004F72B(a4);
}
// Nothing is emitted unless sub_1004F7E9() returns 7 or a positive value that shares a bit
// with a1 -- presumably the configured trace mask; confirm against that routine.
result = sub_1004F7E9();
if ( result == 7 || result > 0 && result & a1 )
{
ArgList = (va_list)&a4;
if ( a1 == 4 )
{
// Error form: build the ", Line : ... Error# : ..." text into a 512-byte heap buffer.
v7 = (char *)au_re_malloc(512);
Format = v7;
if ( v7 )
{
j_memset(v7, 0, 512);
// NOTE(review): only the upper bound (318) is checked before indexing off_10149300.
// v5 is a signed copy of a4, so a negative error number would index before the table;
// confirm whether any caller can pass one.
if ( v5 > 318 )
snprintf(Format, 511, ", Line : %d\n\tError# : %d : %s \n", a3, v5, byte_1012F658);
else
snprintf(Format, 511, ", Line : %d\n\tError# : %d : %s \n", a3, v5, off_10149300[v5]);
}
}
else
{
// Every other category: a4 is the format string and the arguments start at a5.
ArgList = &a5;
Format = (char *)a4;
}
j_memset(&DstBuf, 0, 2500);
j_memset(v57, 0, 18);
result = (int)Format;
// An absent or empty format means there is nothing to log.
if ( Format && *Format )
{
// Caller names that contain "VLS" or equal one of the four LS* names below are written
// into the tag field as they are (at most 33 characters).
if ( strstr(v48, "VLS")
|| !j_strcmp(v48, "LSRelease")
|| !j_strcmp(v48, "LSRequest")
|| !j_strcmp(v48, "LSUpdate")
|| !j_strcmp(v48, "LSGetMessage") )
{
snprintf(&v56, 34, "%s", v48);
goto LABEL_25;
}
// Any other caller name is not logged in clear. The name, then a 16-byte value that
// sub_10062885() fills from the constant hex string (fed twice), go through the
// sub_100810B0 / sub_100817C9 / sub_10081862 sequence -- presumably digest
// init / update / final; confirm -- and the first 8 output bytes become the tag.
sub_100810B0(&v50);
v8 = j_strlen(v48);
sub_100817C9(&v50, v48, v8);
result = au_re_malloc(16);
v9 = result;
v44 = result;
if ( result )
{
j_memset(result, 0, 16);
sub_10062885("16762CC486099AFC1CA0F177123C28CE", v9);
sub_100817C9(&v50, v9, 16);
sub_100817C9(&v50, v9, 16);
sub_10081862(v57, &v50);
// Render v57[0..7] as 16 upper-case hex digits into the tag field.
v10 = 0;
v11 = &v56;
do
{
snprintf(v11, 3, "%2.2X", (unsigned __int8)v57[v10]);
v11 += 2;
++v10;
}
while ( v10 < 8 );
// Shared tail; the clear-name path jumps in here with v44 still 0.
LABEL_25:
// The value printed after "Process(" further down is this thread id.
v12 = j_GetCurrentThreadId();
// NOTE(review): in the category-4 branch the text assembled above is itself passed as the
// format argument, with no arguments behind it. The error string inserted there via %s
// would have any '%' it contains interpreted as a conversion; the conventional form is
// snprintf(&DstBuf, 2499, "%s", Format).
if ( a1 == 4 )
snprintf(&DstBuf, 2499, Format);
else
vsnprintf(&DstBuf, 0x9C3u, Format, ArgList);
// Force termination at the last byte of the 2500-byte message buffer.
v52 = 0;
result = au_re_malloc(256);
v45 = result;
if ( result )
{
j_memset(result, 0, 256);
snprintf(v45, 255, "Process(%lu) :", v12);
j_memset(&v54, 0, 69);
j_memset(&v53, 0, 64);
strncpy(&v54, " ", 3);
// Timestamp: copy the ctime-style text into v55, drop everything up to and including the
// first space, then cut the string after its last space. With the usual ctime layout that
// would leave month, day and time without weekday or year -- TODO confirm.
// NOTE(review): none of the memsets visible here clears v55, so if the time lookup fails
// the "%s:" below reads it as-is; this may be a stack-layout artifact of the decompiler --
// confirm against the disassembly.
if ( au_re__time64(&v41) != -1 )
{
v13 = au_re__ctime64(&v41);
if ( v13 )
{
sub_10063575(&v55, v13, 64);
v14 = strchr(&v55, 32);
if ( v14 )
{
v15 = v14 + 1;
v16 = j_strlen(v14 + 1);
v48 = au_re_malloc(v16 + 1);
if ( v48 )
{
v17 = j_strlen(v15);
sub_10063575(v48, v15, v17 + 1);
sub_10063575(&v55, v48, 64);
free(v48);
v18 = strrchr(&v55, 32);
if ( v18 )
*(_BYTE *)(v18 + 1) = 0;
}
}
}
}
snprintf(&v54, 68, "%s:", &v55);
// Size of the final line: the lengths of every piece plus 259 bytes of slack.
v19 = j_strlen(v45);
v20 = j_strlen("Sentinel RMS") + v19;
v21 = j_strlen(&v54) + v20;
v22 = j_strlen(&DstBuf) + v21;
v23 = j_strlen(&v56) + v22 + 259;
v24 = (const CHAR *)au_re_malloc(v23);
lpText = v24;
if ( v24 )
{
j_memset(v24, 0, v23);
// Assemble the line. sub_100635BF(dst, src, size) is used as an append here -- presumably
// a bounded concatenation; confirm.
snprintf(lpText, v23, "%s :", "Sentinel RMS");
sub_100635BF(lpText, &v54, v23);
sub_100635BF(lpText, (_BYTE *)v45, v23);
sub_100635BF(lpText, &v56, v23);
if ( a1 != 4 )
{
// The line number is added here for non-error categories (the error form already has it).
// This append passes 0x100 where the others pass v23; what that bounds depends on
// sub_100635BF -- confirm.
j_memset(v45, 0, 256);
snprintf(v45, 256, ", Line : %d\n", a3);
sub_100635BF(lpText, (_BYTE *)v45, 0x100u);
}
v25 = (CHAR *)lpText;
sub_100635BF(lpText, &DstBuf, v23);
if ( a1 != 4 )
sub_100635BF(v25, &unk_10130728, v23);
v26 = j_strlen(v25);
v48 = v26;
// Sink 1: dword_10170834 is called as (category, chunk, chunk length) with at most
// 512 bytes per call.
if ( dword_10170834 )
{
if ( v26 > 0 )
{
// ArgList is reused as a cursor: &ArgList[strlen(lpText)] is the start of the message on
// the first pass and moves forward by 512 bytes on each later pass.
ArgList = &v25[-v26];
do
{
if ( j_strlen(lpText) >= 512 )
v27 = 512;
else
v27 = j_strlen(lpText);
v28 = v27 + 1;
v29 = au_re_malloc(v27 + 1);
v30 = v29;
if ( !v29 )
break;
j_memset(v29, 0, v28);
v31 = j_strlen(lpText);
strncpy(v30, &ArgList[v31], v28 - 1);
v32 = j_strlen(v30);
dword_10170834(a1, v30, v32);
free(v30);
v48 -= 512;
ArgList += 512;
}
while ( v48 > 0 );
}
}
// Sink 2: dword_10170830 is passed to fprintf as a stream; byte_10170420 is passed as the
// first argument of sub_1006362E() together with mode "a". Same 512-byte chunking as above.
else if ( dword_10170830 || byte_10170420 )
{
if ( v26 > 0 )
{
ArgList = &v25[-v26];
do
{
v33 = j_strlen(lpText) >= 512 ? 512 : j_strlen(lpText);
v34 = v33 + 1;
v35 = au_re_malloc(v33 + 1);
v36 = v35;
if ( !v35 )
break;
j_memset(v35, 0, v34);
v37 = j_strlen(lpText);
strncpy(v36, &ArgList[v37], v34 - 1);
v43 = j_strlen(v36);
// A non-zero return from sub_100B91C6() abandons the rest of the message.
if ( sub_100B91C6() )
{
free(v36);
break;
}
if ( dword_10170830 )
{
fprintf(dword_10170830, "%s", v36);
}
// The file is opened, written and closed for every chunk. sub_10062963() and
// sub_1007B2B0(hMutex) presumably take and release a lock around that; hMutex is never
// assigned in this listing, so its value is set somewhere the decompiler did not show.
else if ( byte_10170420 && !sub_10062963() )
{
v38 = sub_1006362E(&byte_10170420, (int)"a");
v39 = v38;
if ( v38 )
{
fprintf(v38, "%s", v36);
fclose(v39);
}
sub_1007B2B0(hMutex);
}
free(v36);
v48 -= 512;
ArgList += 512;
v43 = 0;
// dword_10170838 is set to 1 when errno is non-zero and is neither 17 nor 2 (EEXIST and
// ENOENT in the MSVC CRT), and cleared to 0 otherwise. The (v40) argument on the first
// errno call looks like a decompiler artifact.
if ( *(_DWORD *)((int (__thiscall *)(int))errno)(v40)
&& *(_DWORD *)((int (*)(void))errno)() != 17
&& *(_DWORD *)((int (*)(void))errno)() != 2 )
{
if ( !dword_10170838 )
dword_10170838 = 1;
}
else
{
dword_10170838 = 0;
}
}
while ( v48 > 0 );
}
}
// Fallback sink: a message box captioned "Information" (0x40 is MB_ICONINFORMATION),
// skipped when sub_100B91C6() returns 1.
else if ( sub_100B91C6() != 1 )
{
MessageBoxA(0, v25, "Information", 0x40u);
}
free(lpText);
}
result = free(v45);
}
// v44 is the 16-byte buffer from the hashed-tag path; it is 0 on the clear-name path.
if ( v44 )
result = free(v44);
goto LABEL_80;
}
}
LABEL_80:
// In category 4 the format buffer was allocated by this function, so it is released here;
// in the other categories Format belongs to the caller.
if ( a1 == 4 )
{
if ( Format )
result = free(Format);
}
}
return result;
}
I have found activation codes in the binary using static analysis (hex). Decoding them revealed a lot of feature names. So now, to activate a feature, you need to have the proper serial key, username and org details to match the feature. All the data, such as the RSA keys, <ProductLicenseInfo><Products><Product Id><License Id><Component Id><Certificate Id> etc., is available in the binary. Any idea how we can generate that data with this info and activate the features? Update 12-6-2017: Are the "serial key, username and org details" part of Sentinel, or is it a totally custom license generation? One thing is sure: the function is inside the binary, not online. Thanks and Regards Last edited by devwhatsapp; 12-06-2017 at 22:37.