I am just start learning about a dongle cracking. I have read some good tutorials about Sentinel dongle cracking, but some of them required "Wslcgen.exe from the SentinelLM SDK". So I searched for the SentinelLM SDK on the NET, but after a whole week of searching and following hundreds of links I still didn't get it.
Finally I GAVE UP! I just came back to CrackZ's
Reverse Engineering Page and downloaded some tools related
to Sentinel dongles.
BUT LOOK WHAT I FOUND...! a Wlscgen.exe (v7.1.0) in SentinelLM SDK Serial # Generator & SentinelLM Toolkit.
Run SLMtoolkit.exe, menu File -> Compute Vendor Array... and then press the "BUILD an undongled WlscGen.exe" button.
Now you have your Wlscgen.exe!. The next good news is that it's already been patched based on the Removing need for dongle in SentinelLM Wlscgen tutorial by CyberHeg. Now let's run the program! (This program needs the Sentinel System Driver, make sure you have it installed on your system).
There will be an error MessageBox says that it can not open a file named LMLICGEN.USR. So... just create an empty text file and rename it to LMLICGEN.USR in the same folder with the program, then run the program again. It shows a Login window, but if we try to Login with any Username and Password it says that "User not found". OK, now load the program into debugger and start/run the process (F9 in W32Dasm and IDA). Set a Breakpoint on the following two addresses.
|BreakPoint Address||What to modify||Original Value||New Value||Description|
|00414746||eax (register)||0xFFFFFFFF||0x00000000||Username and password is valid|
|004147EE||edx (register)||0x00000000||0x00000001||Administrator rights flag (menu)|
| (memory address)||0x43000000||0x43000001||Administrator rights flag (create user)|
After those two Breakpoints are set, press the OK button. (you can leave the username and password blank). Each time the debugger breaks, change the value of a register or memory addresss with a new value as the above table shows and then continue the process. The main window is shown. Create a new user, menu User -> New... Enter your username and password, and don't forget to set the User Type to Administrator, OK. Now you can exit the debugger. Run the program again and login with an account you've just created.
By reading Nolan
Blender's tutorial, we know that we can use Wlscgen.exe to
generate a license which is valid for a specific VendorID.
To change the default VendorID (which is
our Wlscgen.exe), we must break at
0041F0C0 and change
the value of the data at
[esi+650h]. Well..., CrackZ
has already deeply describe about the VendorID Array Table in
Investigation. But why do we bother changing the whole array
table (16 bytes) if 2 bytes replacement will be enough?.
There is only 2 bytes differences for a different VendorID
15C8DE and 15C8DF), which makes sense because the
VendorID is a WORD value. So... this MUST be the ENCODED VendorID.
In our Wlscgen.exe, the vendor array table is like this (start
form offset 15C8D0) :
D01FE812 7346AE6B 776C6F2D AE80C3C4
It will be pushed as a parameter to _DencVendId() function.
:004299F4 lea eax, dword ptr [esp] is just a signature, it will not be used to decode
:004299F8 push eax <-- Result Buffer
:004299F9 mov eax, [esp+0C]
:004299FD add eax, 18h
:00429A00 push eax <-- VendorId Array
:00429A01 call _DencVendId
Affter returning from VLM_deMorphId(morphedId) function, the last 3 DWORD will become :
0043AE64 : 7346AE6B -> 373E4064
0043AE6F : 776C6F2D -> F774E470
0043AE7A : AE80C3C4 -> C04A8E1E
and the final step, xored :
0043AE82 : C04A8E1E xor F774E470 = 373E6A6E
0043AE84 : 373E6A6E xor 373E4064 = 00002A0A <-- Our Current VendorID
Now, if we want to get the encoded version of our specific VendorID, just simply reverse the xored step. REMEMBER, for whatever VendorID we want to use,
will always be a constants.
For example, The VendorId is 09FE :
1. 09FE xor 373E4064 = 373E499A
2. 373E499A xor F774E470 = C04AADEA
3. VLM_morphId(C04AADEA) = AE805C04 <-- Our Patch Word
Done, just hard-coded the WORD to the file. After that, our Wlscgen.exe VendorID is 09FE
D01FE812 7346AE6B 776C6F2D AE80C3C4
D01FE812 7346AE6B 776C6F2D AE805C04
If you don't know how to get VLM_morphId(C04AADEA), here is a simple way :
1. Load Wlscgen.exe into W32Dasm.
2. At the Entry Point, patch the code to :
:0045D530 68EAAD4AC0 push C04AADEA3. Execute the "Single Step Thru" (F8) twice.
:0045D535 E800FFFDFF call 0043D43A <-- _VLM_morphId()
4. After the call, eax will hold the result.
5. Terminate the Process.