SentinelLM with no lsapi*.dll?


FrankRizzo
April 17th, 2012, 21:15
I see lots of discussions here about attacking the protection through its lsapi*.dll, but what if your target doesn't HAVE one?

I have a target that I'm tinkering with that doesn't. Searched the installation, and loaded it in IDA with "Break on DLL load" enabled, and watched the libs it loaded.

Has anyone seen this?

Any hints?

FoxB
April 18th, 2012, 09:04
It could be hidden under a different DLL name =)

FrankRizzo
April 19th, 2012, 23:01
FoxB, thanks for the suggestion, but I checked EACH of them, and they're legit MS DLLs.

Any other ideas? Could they have statically linked the whole glob of code into each of the protected .exes? There are 3-4 of them.

Aimless
April 20th, 2012, 01:12
Or,

you could:

1. Download "The Dependency Walker" (NOT the one available in Microsoft Studio versions)
2. Ensure that all profiling is on in that software
3. Run the target
4. Check for any 'odd' named DLLs.
5. Check for perfectly named DLLs, such as MSVCRT50.dll but in folders on the disk that seem... out of place. TDW shows you the path to that dll also.
6. Get a fresh system. Checksum the DLLs you've listed in TDW on the fresh system. Then checksum them on your own (assuming you are using the same version of everything); this should let you find out if a so-called "system dll" is actually one in disguise.
7. And many other ways....

As for your last post, yes, you can have embedded 'executables'. And embedded 'Dlls'. Some small links for you---

http://geekswithblogs.net/TechTwaddle/archive/2009/10/16/how-to-embed-an-exe-inside-another-exe-as-a.aspx

http://stackoverflow.com/questions/798655/embedding-an-external-executable-inside-a-c-sharp-program (should you want to do with .NET programs)

And many more links on google...


Have Phun
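Steps 5 and 6 above boil down to two checks per loaded module: is a DLL with a system name loaded from somewhere other than a system directory, and do its bytes match the same DLL on a clean box? The script below is an added example (not part of the thread and not Aimless's code) that applies both checks to a module list. It assumes you already have the list of full paths from Dependency Walker's profile (or any process-module viewer) and a name-to-SHA-256 table computed on a clean install of the same OS build; the `sample_audit()` data is constructed here to exercise each verdict.

```python
import hashlib
from pathlib import PureWindowsPath

# Directories where a genuine Windows system DLL is expected to live.
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64", r"c:\windows\winsxs")


def is_system_dir(path: str) -> bool:
    """True if the file sits in (or under) one of the Windows system directories."""
    parent = str(PureWindowsPath(path).parent).casefold()
    return any(parent == d or parent.startswith(d + "\\") for d in SYSTEM_DIRS)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def hash_file(path: str) -> str:
    """Hash a file on disk (use this on the real box; the self-test below feeds in-memory bytes)."""
    with open(path, "rb") as f:
        return sha256_hex(f.read())


def audit_modules(loaded, baseline):
    """
    loaded:   iterable of (full_path, file_bytes) for every module the target loaded
    baseline: {dll_name_lowercase: sha256_hex} taken from a clean install of the same OS build
    Returns a list of (dll_name, verdict, full_path).
    """
    findings = []
    for path, data in loaded:
        name = PureWindowsPath(path).name.casefold()
        expected = baseline.get(name)
        digest = sha256_hex(data)
        if expected is None:
            verdict = "unknown"                 # not on the clean box: first place to look for a renamed lsapi
        elif digest != expected:
            verdict = "hash-mismatch"           # right name, different bytes: a "system DLL" in disguise
        elif not is_system_dir(path):
            verdict = "relocated-genuine-copy"  # bit-identical to the clean one, just shipped in the app folder
        else:
            verdict = "ok"
        findings.append((name, verdict, path))
    return findings


def sample_audit():
    """Constructed input standing in for a Dependency Walker profile plus a clean-box hash list."""
    clean = {
        "kernel32.dll": b"MZ clean kernel32",
        "version.dll": b"MZ clean version",
        "msvcrt50.dll": b"MZ clean msvcrt50",
        "msvcp60.dll": b"MZ clean msvcp60",
    }
    baseline = {n: sha256_hex(b) for n, b in clean.items()}
    loaded = [
        (r"C:\Windows\System32\kernel32.dll", clean["kernel32.dll"]),
        (r"C:\Windows\System32\version.dll", clean["version.dll"]),
        (r"C:\Program Files\Target\MSVCRT50.dll", b"MZ something else entirely"),  # disguised
        (r"C:\Program Files\Target\msvcp60.dll", clean["msvcp60.dll"]),            # genuine copy
        (r"C:\Program Files\Target\lichelper.dll", b"MZ vendor code"),             # no baseline entry
    ]
    return audit_modules(loaded, baseline)


if __name__ == "__main__":
    for name, verdict, path in sample_audit():
        print(f"{verdict:24} {name:16} {path}")
```

Work the "unknown" and "hash-mismatch" verdicts first; a "relocated-genuine-copy" is a real Microsoft file the vendor simply redistributed, which is common and usually not where the licensing code hides.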

zementmischer
April 20th, 2012, 05:16
It's quite common to statically link against lsapiw32.lib.
lsapiw32.lib comes in two flavors - as a DLL import library and as a static library (actually there are more than 2 due to different compiler flags).
Just grab the SDK, make an IDA signature from lsapiw32.lib and use it to analyze your target.
Or even simpler, just use Gerbay's obj/lib plugin

FoxB
April 20th, 2012, 09:35
Just search for the string "Sentinel RMS" inside all the exe/dll/ocx/etc. files.

FrankRizzo
April 20th, 2012, 22:54
"Sentinel RMS Development Kit User"

I assume that all the instructions for what to look for in the DLL might now apply to the static lib linked in?

Is there an easy way to determine what version this is? It's the latest version of an expensive package, I would *ASSUME* it's the latest version, but who knows?

FoxB
April 20th, 2012, 23:48
If packed, search for section names in the PE header like 0000001, 0000002, 0000003, etc.
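FoxB's two hints (search every exe/dll/ocx for the "Sentinel RMS" string; look for all-digit section names in the PE header of a packed target) are mechanical enough to script. The scanner below is an added example, not FoxB's or anyone else's code from the thread. It reads the section table directly from the PE headers without a third-party library, looks for the marker in both ASCII and UTF-16LE (the encoding Windows resource strings and wide-char literals use), and flags numeric section names. The `build_fake_pe()` helper fabricates a minimal PE32 image purely so the self-test can run offline; the digit-only section rule is an assumption taken from the examples in the post.

```python
import os
import struct
import sys

# Strings that identify the Sentinel RMS runtime, in the two encodings a Win32 binary is likely to carry.
MARKERS = {"ascii": b"Sentinel RMS", "utf-16le": "Sentinel RMS".encode("utf-16-le")}
TARGET_EXTS = {".exe", ".dll", ".ocx", ".sys", ".drv"}


def pe_section_names(data: bytes) -> list:
    """Walk MZ -> e_lfanew -> PE\\0\\0 -> COFF header -> section table and return the section names."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return []
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]                # IMAGE_DOS_HEADER.e_lfanew
    if pe_off + 24 > len(data) or data[pe_off:pe_off + 4] != b"PE\0\0":
        return []
    num_sections = struct.unpack_from("<H", data, pe_off + 6)[0]   # IMAGE_FILE_HEADER.NumberOfSections
    opt_size = struct.unpack_from("<H", data, pe_off + 20)[0]      # IMAGE_FILE_HEADER.SizeOfOptionalHeader
    table = pe_off + 24 + opt_size                                   # first IMAGE_SECTION_HEADER
    names = []
    for i in range(num_sections):
        entry = table + 40 * i                                       # sizeof(IMAGE_SECTION_HEADER) == 40
        if entry + 40 > len(data):
            break                                                    # truncated/hostile header: stop cleanly
        names.append(data[entry:entry + 8].split(b"\0", 1)[0].decode("latin-1"))
    return names


def is_numbered_section(name: str) -> bool:
    """All-digit section names such as 0000001, 0000002 are the tell FoxB describes for an enveloped image."""
    return name.isdigit()


def scan_bytes(data: bytes) -> dict:
    """Section names, the numeric ones among them, and the offset of each marker string present."""
    sections = pe_section_names(data)
    return {
        "sections": sections,
        "numbered_sections": [s for s in sections if is_numbered_section(s)],
        "markers": [(label, data.find(m)) for label, m in MARKERS.items() if m in data],
    }


def scan_tree(root: str) -> list:
    """Return (path, result) for every candidate file under root that carries a marker or numbered sections."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if os.path.splitext(fn)[1].lower() not in TARGET_EXTS:
                continue
            path = os.path.join(dirpath, fn)
            with open(path, "rb") as f:
                result = scan_bytes(f.read())
            if result["markers"] or result["numbered_sections"]:
                hits.append((path, result))
    hits.sort(key=lambda h: h[0])
    return hits


def build_fake_pe(section_names, payload=b"") -> bytes:
    """Constructed minimal PE32 image used only by the self-test; it is not a runnable program."""
    pe_off = 0x80
    dos = bytearray(pe_off)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, pe_off)
    opt_size = 224                                                   # sizeof(IMAGE_OPTIONAL_HEADER32)
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, opt_size, 0x0102)
    optional = struct.pack("<H", 0x10B) + bytes(opt_size - 2)        # PE32 magic, remainder zeroed
    table = b"".join(n.encode("ascii").ljust(8, b"\0") + bytes(32) for n in section_names)
    return bytes(dos) + b"PE\0\0" + coff + optional + table + payload


if __name__ == "__main__":
    for path, result in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(path, result["markers"], result["numbered_sections"])
```

Run it against the installation directory; a hit on the string with ordinary section names (.text, .rdata, .data) is consistent with the API linked in statically, while numbered sections point at the envelope.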

FrankRizzo
April 21st, 2012, 14:04
OK, found the 16-bit vendorcode (as described in the tutorials), used the SLMtoolkit to make myself a shiny Wlscgen.exe, and modified it with the permuted vendorcode as described in the tut, but I have a problem.

It generates a license key that is 51 characters, not counting the #.
The trial license I have for the app is 175 characters, again not counting the #.

I'm ASSUMING that this is because the SLMtoolkit makes an older version of Wlscgen, and my target is using something newer?

FWIW, the target exes aren't packed, compressed, encrypted, any of that. (So that means no envelope, just the API method?)

FoxB
April 22nd, 2012, 00:41
Can you show the trial license?