"Only a few words from me regarding this tutorial. Imho this essay demonstrates what reverse engineering is really about, finding solutions to problems when you don't have all the answers and resources readily spoonfed and available too you, so you don't have the SDK you need, no problem, there is surely some resource on the web somewhere that you can *adapt*".

Searching for Wlscgen.exe?

I am just start learning about a dongle cracking. I have read some good tutorials about Sentinel dongle cracking, but some of them required "Wslcgen.exe from the SentinelLM SDK". So I searched for the SentinelLM SDK on the NET, but after a whole week of searching and following hundreds of links I still didn't get it.

Finally I GAVE UP! I just came back to CrackZ's Reverse Engineering Page and downloaded some tools related to Sentinel dongles.
BUT LOOK WHAT I FOUND...! a Wlscgen.exe (v7.1.0) in SentinelLM SDK Serial # Generator & SentinelLM Toolkit.

Run SLMtoolkit.exe, menu File -> Compute Vendor Array... and then press the "BUILD an undongled WlscGen.exe" button.
Now you have your Wlscgen.exe!. The next good news is that it's already been patched based on the Removing need for dongle in SentinelLM Wlscgen tutorial by CyberHeg. Now let's run the program! (This program needs the Sentinel System Driver, make sure you have it installed on your system).

There will be an error MessageBox says that it can not open a file named LMLICGEN.USR. So... just create an empty text file and rename it to LMLICGEN.USR in the same folder with the program, then run the program again. It shows a Login window, but if we try to Login with any Username and Password it says that "User not found". OK, now load the program into debugger and start/run the process (F9 in W32Dasm and IDA). Set a Breakpoint on the following two addresses.

BreakPoint Address What to modify Original Value New Value Description
00414746 eax (register) 0xFFFFFFFF 0x00000000 Username and password is valid
004147EE edx (register) 0x00000000 0x00000001 Administrator rights flag (menu)
[00574199] (memory address) 0x43000000 0x43000001 Administrator rights flag (create user)

After those two Breakpoints are set, press the OK button. (you can leave the username and password blank). Each time the debugger breaks, change the value of a register or memory addresss with a new value as the above table shows and then continue the process. The main window is shown. Create a new user, menu User -> New... Enter your username and password, and don't forget to set the User Type to Administrator, OK. Now you can exit the debugger. Run the program again and login with an account you've just created.

Hard-Coding The Vendor ID

By reading Nolan Blender's tutorial, we know that we can use Wlscgen.exe to generate a license which is valid for a specific VendorID.
To change the default VendorID (which is 0x2A0A for our Wlscgen.exe), we must break at 0041F0C0 and change the value of the data at [esi+650h]. Well..., CrackZ has already deeply describe about the VendorID Array Table in SentinelLM Investigation. But why do we bother changing the whole array table (16 bytes) if 2 bytes replacement will be enough?.

There is only 2 bytes differences for a different VendorID (15C8DE and 15C8DF), which makes sense because the VendorID is a WORD value. So... this MUST be the ENCODED VendorID. In our Wlscgen.exe, the vendor array table is like this (start form offset 15C8D0) :

D01FE812 7346AE6B 776C6F2D AE80C3C4

It will be pushed as a parameter to _DencVendId() function.

:004299F4 lea eax, dword ptr [esp]
:004299F8 push eax  <-- Result Buffer
:004299F9 mov eax, [esp+0C]
:004299FD add eax, 18h
:00429A00 push eax  <-- VendorId Array
:00429A01 call _DencVendId

is just a signature, it will not be used to decode the VendorId.

Affter returning from VLM_deMorphId(morphedId) function, the last 3 DWORD will become :

0043AE64 : 7346AE6B -> 373E4064
0043AE6F : 776C6F2D -> F774E470
0043AE7A : AE80C3C4 -> C04A8E1E

and the final step, xored :

0043AE82 : C04A8E1E xor F774E470 = 373E6A6E
0043AE84 : 373E6A6E xor 373E4064 = 00002A0A <-- Our Current VendorID

Now, if we want to get the encoded version of our specific VendorID, just simply reverse the xored step. REMEMBER, for whatever VendorID we want to use, 373E4064 and F774E470 will always be a constants.

For example, The VendorId is 09FE :
1. 09FE xor 373E4064     = 373E499A
2. 373E499A xor F774E470 = C04AADEA
3. VLM_morphId(C04AADEA) = AE805C04          <-- Our Patch Word

Done, just hard-coded the WORD to the file. After that, our Wlscgen.exe VendorID is 09FE

Before : D01FE812 7346AE6B 776C6F2D AE80C3C4
After    : D01FE812 7346AE6B 776C6F2D AE805C04

If you don't know how to get VLM_morphId(C04AADEA), here is a simple way :

1. Load Wlscgen.exe into W32Dasm.
2. At the Entry Point, patch the code to :

:0045D530 68EAAD4AC0      push C04AADEA
:0045D535 E800FFFDFF      call 0043D43A      <-- _VLM_morphId()

3. Execute the "Single Step Thru" (F8) twice.
4. After the call, eax will hold the result.
5. Terminate the Process.


Return to Dongles Return to Main Index

© 1998-2006 CrackZ. 6th February 2006, courtesy of Mayaputra.