Exetools


devwhatsapp 11-14-2017 19:06

Sentinel RMS Lock Code Identify ?
 
Hi

I have used RMSToolkit86 to decode license.

Inside license -

Quote:

Lock code depends on : Disk ID in hexadecimal
: Extended Custom in hexadecimal
How to find what's the change in generation of the lock code, so that we can generate a lock code for any machine?

Please suggest.

Thank you

FoxB 11-14-2017 22:41

> lock code for any machine.
Use an unlocked license scheme - it's done.

devwhatsapp 11-16-2017 03:48

Hi
Did not want to make a new thread for this question.

The software I am using has some features disabled.

How can I find these features and enable them? Is it possible?

Regards

FoxB 11-16-2017 15:17

> How can I find these features and enable them ? Is it possible ?
Double YES, by digging into the target software.

devwhatsapp 11-16-2017 15:21

Okay, so it's possible.

Is there any existing post where similar digging into a binary has been done? So I can follow it and debug the binary I have.

What/where should I look for?

Regards

FoxB 11-17-2017 00:35

Maybe the CrackZ site will help you as a sample.

devwhatsapp 11-18-2017 16:40

I guess there is a problem in debugging those routines in the binary I want to.

This is the flow of the app.

It loads and gives a pop-up to enter the username, organization and serial key.

I entered the one I have and had BPs around the _LSRequest routine.

I saw the feature name and version in the registers.

So to get to the routine I need to have a valid serial key combo, which decides the feature name and key.

Any idea how to tackle this ?

Regards

raduga_fb 11-18-2017 20:45

software download link & sample / expired / demo serial?

devwhatsapp 11-20-2017 01:29

1 Attachment(s)
Attached is the link.

Thank you

FoxB 11-20-2017 15:45

your vendor identification
Code:

27 30 7D 7C-65 3B 4A 43-39 76 42 22-31 34 2B 49
69 78 36 6D-2F 36 27 28-3B F4 03 F9-A5 6D 9C CF
61 6D A1 0F-6E AE C7 92-27 30 7D 7C-65 3B 4A 43
39 76 42 22-31 34 2B 49-69 78 36 6D-2F 36 27 28
62 58 75 2A-29 33 2A 50-26 64 7D 3D-75 65 76 00


devwhatsapp 11-20-2017 16:34

@FoxB, I really do not know what to do with the above info you gave.

Is vendor identification the same as "vendor_code :" in the decoded license?

What should I do ahead? Does this help in finding the feature names?

Edit-

sub_100517DD - this function relates to what you posted, and I can see the hex you posted in IDA.

Also about LSRequest - this is the only place where it's mentioned:

Code:

int __cdecl sub_10062A0F(int a1, int a2, int a3, int a4, char a5)
{
  int v5; // ebx
  int result; // eax
  char *v7; // eax
  int v8; // eax
  int v9; // edi
  signed int v10; // edi
  char *v11; // ebx
  DWORD v12; // ebx
  int v13; // eax
  int v14; // eax
  int v15; // ebx
  int v16; // eax
  int v17; // eax
  int v18; // eax
  int v19; // ebx
  int v20; // ebx
  int v21; // ebx
  int v22; // ebx
  unsigned int v23; // ebx
  const CHAR *v24; // eax
  CHAR *v25; // edi
  int v26; // eax
  int v27; // eax
  int v28; // edi
  int v29; // eax
  int v30; // ebx
  int v31; // eax
  int v32; // eax
  signed int v33; // eax
  int v34; // ebx
  int v35; // eax
  int v36; // edi
  int v37; // eax
  int v38; // eax
  int v39; // ebx
  int v40; // ST3C_4
  char v41; // [esp+Ch] [ebp-ADCh]
  HANDLE hMutex; // [esp+14h] [ebp-AD4h]
  int v43; // [esp+18h] [ebp-AD0h]
  int v44; // [esp+1Ch] [ebp-ACCh]
  int v45; // [esp+20h] [ebp-AC8h]
  char *Format; // [esp+24h] [ebp-AC4h]
  va_list ArgList; // [esp+28h] [ebp-AC0h]
  int v48; // [esp+2Ch] [ebp-ABCh]
  LPCSTR lpText; // [esp+30h] [ebp-AB8h]
  char v50; // [esp+34h] [ebp-AB4h]
  char DstBuf; // [esp+8Ch] [ebp-A5Ch]
  char v52; // [esp+A4Fh] [ebp-99h]
  char v53; // [esp+A50h] [ebp-98h]
  int v54; // [esp+A90h] [ebp-58h]
  int v55; // [esp+AD8h] [ebp-10h]
  char v56; // [esp+B18h] [ebp+30h]
  char v57[20]; // [esp+B3Ch] [ebp+54h]

  v48 = a2;
  v5 = -1;
  v44 = 0;
  v43 = 0;
  j_memset(&v56, 0, 34);
  if ( a1 == 4 )
  {
    v5 = a4;
    sub_1004F72B(a4);
  }
  result = sub_1004F7E9();
  if ( result == 7 || result > 0 && result & a1 )
  {
    ArgList = (va_list)&a4;
    if ( a1 == 4 )
    {
      v7 = (char *)au_re_malloc(512);
      Format = v7;
      if ( v7 )
      {
        j_memset(v7, 0, 512);
        if ( v5 > 318 )
          snprintf(Format, 511, ", Line : %d\n\tError# : %d : %s \n", a3, v5, byte_1012F658);
        else
          snprintf(Format, 511, ", Line : %d\n\tError# : %d : %s \n", a3, v5, off_10149300[v5]);
      }
    }
    else
    {
      ArgList = &a5;
      Format = (char *)a4;
    }
    j_memset(&DstBuf, 0, 2500);
    j_memset(v57, 0, 18);
    result = (int)Format;
    if ( Format && *Format )
    {
      if ( strstr(v48, "VLS")
        || !j_strcmp(v48, "LSRelease")
        || !j_strcmp(v48, "LSRequest")
        || !j_strcmp(v48, "LSUpdate")
        || !j_strcmp(v48, "LSGetMessage") )
      {
        snprintf(&v56, 34, "%s", v48);
        goto LABEL_25;
      }
      sub_100810B0(&v50);
      v8 = j_strlen(v48);
      sub_100817C9(&v50, v48, v8);
      result = au_re_malloc(16);
      v9 = result;
      v44 = result;
      if ( result )
      {
        j_memset(result, 0, 16);
        sub_10062885("16762CC486099AFC1CA0F177123C28CE", v9);
        sub_100817C9(&v50, v9, 16);
        sub_100817C9(&v50, v9, 16);
        sub_10081862(v57, &v50);
        v10 = 0;
        v11 = &v56;
        do
        {
          snprintf(v11, 3, "%2.2X", (unsigned __int8)v57[v10]);
          v11 += 2;
          ++v10;
        }
        while ( v10 < 8 );
LABEL_25:
        v12 = j_GetCurrentThreadId();
        if ( a1 == 4 )
          snprintf(&DstBuf, 2499, Format);
        else
          vsnprintf(&DstBuf, 0x9C3u, Format, ArgList);
        v52 = 0;
        result = au_re_malloc(256);
        v45 = result;
        if ( result )
        {
          j_memset(result, 0, 256);
          snprintf(v45, 255, "Process(%lu) :", v12);
          j_memset(&v54, 0, 69);
          j_memset(&v53, 0, 64);
          strncpy(&v54, "  ", 3);
          if ( au_re__time64(&v41) != -1 )
          {
            v13 = au_re__ctime64(&v41);
            if ( v13 )
            {
              sub_10063575(&v55, v13, 64);
              v14 = strchr(&v55, 32);
              if ( v14 )
              {
                v15 = v14 + 1;
                v16 = j_strlen(v14 + 1);
                v48 = au_re_malloc(v16 + 1);
                if ( v48 )
                {
                  v17 = j_strlen(v15);
                  sub_10063575(v48, v15, v17 + 1);
                  sub_10063575(&v55, v48, 64);
                  free(v48);
                  v18 = strrchr(&v55, 32);
                  if ( v18 )
                    *(_BYTE *)(v18 + 1) = 0;
                }
              }
            }
          }
          snprintf(&v54, 68, "%s:", &v55);
          v19 = j_strlen(v45);
          v20 = j_strlen("Sentinel RMS") + v19;
          v21 = j_strlen(&v54) + v20;
          v22 = j_strlen(&DstBuf) + v21;
          v23 = j_strlen(&v56) + v22 + 259;
          v24 = (const CHAR *)au_re_malloc(v23);
          lpText = v24;
          if ( v24 )
          {
            j_memset(v24, 0, v23);
            snprintf(lpText, v23, "%s :", "Sentinel RMS");
            sub_100635BF(lpText, &v54, v23);
            sub_100635BF(lpText, (_BYTE *)v45, v23);
            sub_100635BF(lpText, &v56, v23);
            if ( a1 != 4 )
            {
              j_memset(v45, 0, 256);
              snprintf(v45, 256, ", Line : %d\n", a3);
              sub_100635BF(lpText, (_BYTE *)v45, 0x100u);
            }
            v25 = (CHAR *)lpText;
            sub_100635BF(lpText, &DstBuf, v23);
            if ( a1 != 4 )
              sub_100635BF(v25, &unk_10130728, v23);
            v26 = j_strlen(v25);
            v48 = v26;
            if ( dword_10170834 )
            {
              if ( v26 > 0 )
              {
                ArgList = &v25[-v26];
                do
                {
                  if ( j_strlen(lpText) >= 512 )
                    v27 = 512;
                  else
                    v27 = j_strlen(lpText);
                  v28 = v27 + 1;
                  v29 = au_re_malloc(v27 + 1);
                  v30 = v29;
                  if ( !v29 )
                    break;
                  j_memset(v29, 0, v28);
                  v31 = j_strlen(lpText);
                  strncpy(v30, &ArgList[v31], v28 - 1);
                  v32 = j_strlen(v30);
                  dword_10170834(a1, v30, v32);
                  free(v30);
                  v48 -= 512;
                  ArgList += 512;
                }
                while ( v48 > 0 );
              }
            }
            else if ( dword_10170830 || byte_10170420 )
            {
              if ( v26 > 0 )
              {
                ArgList = &v25[-v26];
                do
                {
                  v33 = j_strlen(lpText) >= 512 ? 512 : j_strlen(lpText);
                  v34 = v33 + 1;
                  v35 = au_re_malloc(v33 + 1);
                  v36 = v35;
                  if ( !v35 )
                    break;
                  j_memset(v35, 0, v34);
                  v37 = j_strlen(lpText);
                  strncpy(v36, &ArgList[v37], v34 - 1);
                  v43 = j_strlen(v36);
                  if ( sub_100B91C6() )
                  {
                    free(v36);
                    break;
                  }
                  if ( dword_10170830 )
                  {
                    fprintf(dword_10170830, "%s", v36);
                  }
                  else if ( byte_10170420 && !sub_10062963() )
                  {
                    v38 = sub_1006362E(&byte_10170420, (int)"a");
                    v39 = v38;
                    if ( v38 )
                    {
                      fprintf(v38, "%s", v36);
                      fclose(v39);
                    }
                    sub_1007B2B0(hMutex);
                  }
                  free(v36);
                  v48 -= 512;
                  ArgList += 512;
                  v43 = 0;
                  if ( *(_DWORD *)((int (__thiscall *)(int))errno)(v40)
                    && *(_DWORD *)((int (*)(void))errno)() != 17
                    && *(_DWORD *)((int (*)(void))errno)() != 2 )
                  {
                    if ( !dword_10170838 )
                      dword_10170838 = 1;
                  }
                  else
                  {
                    dword_10170838 = 0;
                  }
                }
                while ( v48 > 0 );
              }
            }
            else if ( sub_100B91C6() != 1 )
            {
              MessageBoxA(0, v25, "Information", 0x40u);
            }
            free(lpText);
          }
          result = free(v45);
        }
        if ( v44 )
          result = free(v44);
        goto LABEL_80;
      }
    }
LABEL_80:
    if ( a1 == 4 )
    {
      if ( Format )
        result = free(Format);
    }
  }
  return result;
}

Update -

I have found activation codes in the binary using static analysis (hex). Decoding them, I found a lot of feature names.

So now, to activate a feature, you need to have the proper serial key, username and org details to match the feature.

All data like the RSA keys, <ProductLicenseInfo><Products><Product Id><License Id><Component Id><Certificate Id> etc. are available in the binary.

Any idea how we can generate those data with this info and activate the features?

Update 12-6-2017---

Is the "serial key, username and org details" some part of Sentinel, or is it totally custom license generation? One thing is sure: the function is inside the binary, not online.

Thanks and Regards


All times are GMT +8.