PDA

View Full Version : acudata sheriff protected software


hansi123
August 19th, 2001, 04:19
hallo,

who has information how to get the 4 secret keys in acudata sheriff protected software, or how to crack it ???

http://www.sheriff-software.com

thanks

disavowed
August 19th, 2001, 13:43
don't know about acudata, but in iris, the 4 keys were in cleartext in the dump of the program, which i saw with my hex editor

Geez
August 22nd, 2001, 07:13
What is your target? :-) Maybe I can help.....

That protection is a waste of time to implement. Every implementation have to pass the product id which is a 16 char len string (4x4 group). The SDK have a utility, which generates the "secret" keys from the ID what a sheriff licenser get from acudata, but there is a good way to bypass the need of that ID....it's an easy one (took me 20 mins to make the SDK work for me)

Regards,
Geez

hansi123
August 24th, 2001, 11:11
hallo geez,

target program is too big for download (~50M).

Is it possible to get the 4 secret keys debuging the program with trw2000 or
softice - and how ?.

Please tell me more about the way to make the sdk work for you

thanks

hansi123

hansi123
August 24th, 2001, 11:13
Quote:
hansi123 (08-24-2001 09:11):
hallo geez,

target program is too big for download (~50M).

Is it possible to get the 4 secret keys debuging the program with trw2000 or
softice - and how ?.

Please tell me more about the way to make the sdk work for you

thanks

hansi123


Please tell me a correct email so that i can contact you. Thanks.

disavowed
August 24th, 2001, 11:25
dump it, then use a text scanner to "grep" out the strings, and search for 4 "keys" in a row

Kythen
August 24th, 2001, 13:15
Actually, those four secret keys will not necessarily be plain-text in the app. They only appear if the Challenge/Response feature is used, as they are a parameter to the CreateChallenge function. Otherwise you have to use a different method to get them. Also, the secret keys can be in an encrypted binary format, as they are in the sample app included in the SDK. I haven't looked at the whole thing enough yet to say how to find the keys or how the encryption affects them if they are in that format though.

hansi123
August 25th, 2001, 02:04
btw, here is an easy way to refresh the trial period

- delete the xxxx-xxxx-xxxx-xxxx licence folder
- delete the hkey - localmachine - acudata registry item
- delete the files winsusrm.dll and winsusrx.dll in windows\system folder

restart the proggy - an the trial period will be restored

toteu
September 10th, 2001, 15:54
Acudata Sheriff is a piece of crap....
You can always use their keygen to work with any application
Step by step:
1. download SDK
2. use Sheriff Administrator/Licence/Registry
to get Product Name,Product ID,Licence Path
3.use Sheriff Licence Key Generator/Register
with Product Name/Product ID
bpx messageboxa => error secret 1
trace in call before messageboxa
you will quickly find all secret codes (1,2,3,4)
++++++++
Example:
Iris Evaluation 3.5 eeye.com ( it is crippled afaik)
maybe it is working with full version !!!
You will obtain:
Product Name: Iris Evaluation
Product ID: 53588621242976415701
Secret 1: 0763198587520863
Secret 2: 1854207696431774
Secret 3: 2482159371598169
Secret 4: 3739062840623850
Obtain user reference code with ShAdmin/Licence/Confirm Buy
or by own software registering window and you can issue any type of licence with SheriffLicenceKeyGen

Now, everybody isn't Sheriff a piece of crap ?!?
Contact me if you know any other software protected by Sheriff

Solomon
September 13th, 2001, 04:07
SecureIIS(also from eEye) is also protected by it

xsion
August 7th, 2005, 16:34
hello,

i have the product id and the secret keys
but when i use the sheriff slsgen.exe it makes a key.
but that key works until i restart the program, then i have a trial version again.
can anyone give me any help with this.

productid: 5357-8661-2429-7641-5704
1: 0763198587520256
2: 1854207696431167
3: 2482159371598552
4: 3739062840623243

LaptoniC
August 7th, 2005, 17:44
Maybe sheriff is just a cover of real protection.However this thread reminded my old tool about this protection.I coded this simple application to find secret codes from product id.Just for historical purposes

goggles99
August 8th, 2005, 00:34
xsion, you may want to edit out the name of the software in your post (and link) or you may get into hot water. Just name the protection only. It's funny, I posted very similar post to yours a couple of years ago here (same thread too I think, and same software) and also mentioned the software name (oops)... My whole post was deleted in about 5 minutes because I hadn't read the rules.

Well, I pretty much got as far as you and never was able to use the slsgen'd license to work properly either. I think that it may be becasue there is additional data that comes with the "real" license, such as the "Feature Access Key", or "Publisher Data" (in the sheriff license key generator) which must be different in "Standard", "Professional", and "Professional Plus".

I eventually got around the prot though. I ended up making a signature files for IDA (from the free Sheriff SDK) and analyzing the target. It's much easier once you know the target function's locations and purposes. There is also a memory CRC type check, and a file CRC type check to take care of as well. My final solution was a loader which patched the program with a codecave and a jump (to the cave) right before the oep, and a direct patch to the CRC check conditional jmp. The codecave performs additional patches and jumps to oep.

I attached the IDA sig that I used...
Good luck

@LaptoniC, that is pretty cool... did you reverse the algos yourself or rip some functions right out to the binary?

LaptoniC
August 8th, 2005, 05:24
I just riped it from static library.I unpacked static library then dissambled the .obj files with IDA.You know in static libraries you have more meaningfull code.

xsion
August 8th, 2005, 12:59
Quote:
[Originally Posted by goggles99]

Well, I pretty much got as far as you and never was able to use the slsgen'd license to work properly either. I think that it may be becasue there is additional data that comes with the "real" license, such as the "Feature Access Key", or "Publisher Data" (in the sheriff license key generator) which must be different in "Standard", "Professional", and "Professional Plus".

I eventually got around the prot though. I ended up making a signature files for IDA (from the free Sheriff SDK) and analyzing the target. It's much easier once you know the target function's locations and purposes. There is also a memory CRC type check, and a file CRC type check to take care of as well. My final solution was a loader which patched the program with a codecave and a jump (to the cave) right before the oep, and a direct patch to the CRC check conditional jmp. The codecave performs additional patches and jumps to oep.

I attached the IDA sig that I used...
Good luck


Can you tell me how to use the signature with ida, because i never used signatures in ida.

isn't easier to find out the "feature access key or Publisher data"

something else i find strange, when i use to program. and say that i want to register. the software wil create a website and on that website it gives a reference and a status code, but that status code used there is much shorter than what the slsgen program is using.
example:
Reference code: 1674-2010-2400-0127-6453-9358
Status code: 026-6407-177

example from status code in slsgen:
Status code: 0801-6030-3638-1828-9372-9295-0864-6464-6365-7573

it is much longer, and if i input this status code on there website, i tells me to upgrade the program.

mr.x
August 13th, 2005, 07:46
Let's me know the target URL of the software protected by Sheriff

xsion
August 14th, 2005, 06:29
Quote:
[Originally Posted by mr.x]Let's me know the target URL of the software protected by Sheriff


URL AND TARGET NAME DELETED

JMI
August 14th, 2005, 09:28
xsion:

READ THE FRIGGEN FAQ

You had already been warned once about posting the URL of your target and after Posting "Target specific code" you were STUPID enough to do it AGAIN.

Which part of:

DO NOT POST TARGET SPECIFIC CODE THAT INCLUDES THE NAME OF THE TARGET: this means do not post code that shows where and how to patch/keygen blah blah blah on a specific target. Keep your code snippets as generic as possible while explaining your problem.

did YOU NOT UNDERSTAND?????

Get with the program; Pay attention to our Rules OR GO AWAY!!!

Regards,

xsion
August 14th, 2005, 10:05
sorry for that, since someone asked it i thought why whould he ask if it is not allowed.

JMI
August 14th, 2005, 15:38
Many people "ask for things" which are not allowed. It is permitted to respond by PM, but NOT in the Public Forums!

Regards,

Solomon
October 26th, 2005, 22:39
Sheriff license system is very lame. With Sheriff SDK, a keygen can call the (undocumented) functions from the SDK to generate keys without secrets.
Pay attention to the AccessKey and PublisherData, which are vendor-defined parameters.
Code:

#include "C:\\Sheriff\\API\\API\\VC\\lictype.h"
#include "C:\\Sheriff\\API\\API\\VC\\SlsApi.h"

#ifdef _DEBUG
#pragma comment(lib, "C:\\Sheriff\\API\\API\\VC\\SheriffVCLibs\\SlsLibdMFC.lib"
#else
#pragma comment(lib, "C:\\Sheriff\\API\\API\\VC\\SheriffVCLibs\\SlsLibMFC.lib"
#endif

//the following are functions discovered from sdk lib/obj.
void __cdecl CreateLicence(char const *, struct _SLS_LICENCE, char *, int, int);
struct _SLS_SECRET * __cdecl GetSecrets(char const *,int &;
long __cdecl IssueLicence(char const *,struct _SLS_LICENCE);
int __cdecl VerifyReference(char const *ReferenceCode);
int __cdecl AuthenticateUpidReference(char const *ProductID, char const *ReferenceCode);
void __cdecl AddDashToText(char const *,char *,int);

void CKeygenDlg::OnGenerate()
{
//UpdateData(TRUE);

char s[128];
char ReferenceCode[128];
char Temp[128];
int r;

char WinDir[MAX_PATH];
::GetWindowsDirectory(WinDir, sizeof(WinDir));

const static char *ProductID = "1111-2222-3333-4444-5555";
const static char *ProductName = "MyProduct";
r = SLS_Register(ProductID, ProductName, WinDir);
r = SLS_GetReference(ProductID, ReferenceCode);

struct _SLS_LICENCE lic;
ZeroMemory(&lic, sizeof(lic));
lic.AccessKey = 9999;
::CreateLicence(ReferenceCode, lic, s, 0, 0);
char Key[128];
::AddDashToText(s, Key, 4);

r = SLS_SetLicence(ProductID, ReferenceCode, Key);

SLS_SetPublisherData(ProductID, "1024";
}

xsion
October 27th, 2005, 12:30
my current problem is the following:
I get a reference code from the software.
if i use that code with the keygen, it does not work.

If i want to activate through the internet, i get a 10 digit status code.(without yet makeing connection through the internet).
the format of the code is:
xxx-xxxx-xxx

i wonder if there is an other encryption involved with this.
can someone give me some more information on this

maloney
December 16th, 2005, 20:09
I have a similar problem to the above. I'm able to obtain the secret codes but the target (released in 2001) from the key applet provides a reference code which is 20 digits, rather than the 24 provided by slsadmin. So this does not work with SLSgen. Generation of a reference code and subsequent licensing by SLSadmin is also unsuccessful. As I understand the reference code provides machine specific information which may have been "loosened" by the original coder of the target to allow export (this is in the SLS help file). Any ideas?

Further study of the reference code suggests it used a product ID, then a machine and runtime signatures. Can someone point me in the right direction studying these signature codes?

Another thing is my target is using an old slsapi.dll, updating it manually crashes the proggie. anyone have an old version?

filespace
January 20th, 2011, 23:35
in order to get a correct ref code. you need to look it up in the slsadmin tool sometimes... for me most of the time the program give a diffrent code i feel there might be some sort of post proccessing on the devolopers side when generating a code... however its still useless sheriff is a shame...

filespace
January 21st, 2011, 00:21
see here for my instructions

http://www.woodmann.com/forum/showthread.php?14045-Acudata-Sheriff-licences&p=89202&posted=1#post89202

JMI
January 21st, 2011, 02:05
filespace:

While I recognize you are attempting to be helpful with Acudata Sherill information, you are posting into a Thread where there has been no follow-up by the posters since DECEMBER 2005!!!

It is sufficient that you post in the other "current" Thread.

Regards,