Thread: Help: An interesting ActiveX Server protection used by SolarWinds 2000

  1. #1
    Solomon
    Guest

    Help: An interesting ActiveX Server protection used by SolarWinds 2000

    http://solarwinds.net/

    SolarWinds is a good network management tool package (or hacking toolkit or whatever). One of my friends asked me to reverse it.

    I noticed that all the tools in this package are written in VB6. Each needs an unlock key when launched; it loads SolarWinds2000.exe to check the license code, which seems to be an ActiveX server. There is a Terminal Service Edition released by some warez group. I checked their crack. They replaced the original SolarWinds2000.exe (224KB) with a very small program (28KB). Perhaps they wrote their own ActiveX server.

    I'm not an ActiveX or COM guru. Would u please give me some help? My version is "SolarWinds 2000 Professional Plus Edition", which can't be directly downloaded from their web site. I can't make the URL public here for some reason. If u r interested I can mail the URL to u. File size is 40MB.
    Thx

    solomon2000@gmx.net
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  2. #2
    Solomon
    Guest
    Does anyone know which API is used in QueryInterface( )? So I can set a breakpoint. Thx

  3. #3
    Solomon
    Guest
    Today I get some hints when reading this security advisory:
    http://razor.bindview.com/publish/advisories/adv_vbtsql.html

    So I use ExeScope to examine the TypeLib of SolarWinds2000.exe. Interesting. The next step is to locate the entry point of each function through CoCreateInstance/CoInitialize/... ? Seems that keygen is possible.

    -------------------------------------------------------------------
    SolarWinds2000; // SolarWinds 2000 Network Interface

    Dispatch _Versions;
    GUID={88ACBD6F-E6D8-4B1E-9302-599BF0D50377};
    function QueryInterface(riid:^GUID; out ppvObj:^^void);
    function AddRef: UI4;
    function Release: UI4;
    function GetTypeInfoCount(out pctinfo:^UINT);
    function GetTypeInfo(itinfo:UINT; lcid:UI4; out pptinfo:^^void);
    function GetIDsOfNames(riid:^GUID; rgszNames:^^I1; cNames:UINT; lcid:UI4; out rgdispid:^I4);
    function Invoke(dispidMember:I4; riid:^GUID; lcid:UI4; wFlags:UI2; pdispparams:^DISPPARAMS; out pvarResult:^variant; out pexcepinfo:^EXCEPINFO; out puArgErr:^UINT);
    property-get Item(out vntIndexKey:^variant): BSTR;
    property-get Count: I4;
    property-get NewEnum: ^IUnknown;
    function LoadVersions;
    function ShowVersions(out Index:^BSTR; Application_Name:BSTR; Package_ID:BSTR; DaysLeft:I2; Distributor:BSTR; Release:BSTR);
    function About(out Component:^BSTR): bool;
    property-get SerialNumber(out Component:^BSTR): BSTR;
    property-get ComputerName: BSTR;

    Class Versions;
    GUID={32C50C99-5DCC-481A-A409-F85CF456A788};
    function QueryInterface(riid:^GUID; out ppvObj:^^void);
    function AddRef: UI4;
    function Release: UI4;
    function GetTypeInfoCount(out pctinfo:^UINT);
    function GetTypeInfo(itinfo:UINT; lcid:UI4; out pptinfo:^^void);
    function GetIDsOfNames(riid:^GUID; rgszNames:^^I1; cNames:UINT; lcid:UI4; out rgdispid:^I4);
    function Invoke(dispidMember:I4; riid:^GUID; lcid:UI4; wFlags:UI2; pdispparams:^DISPPARAMS; out pvarResult:^variant; out pexcepinfo:^EXCEPINFO; out puArgErr:^UINT);
    property-get Item(out vntIndexKey:^variant): BSTR;
    property-get Count: I4;
    property-get NewEnum: ^IUnknown;
    function LoadVersions;
    function ShowVersions(out Index:^BSTR; Application_Name:BSTR; Package_ID:BSTR; DaysLeft:I2; Distributor:BSTR; Release:BSTR);
    function About(out Component:^BSTR): bool;
    property-get SerialNumber(out Component:^BSTR): BSTR;
    property-get ComputerName: BSTR;

    Dispatch _Serial;
    GUID={6910475C-6460-49FB-BBBB-41806D7EBF41};
    function QueryInterface(riid:^GUID; out ppvObj:^^void);
    function AddRef: UI4;
    function Release: UI4;
    function GetTypeInfoCount(out pctinfo:^UINT);
    function GetTypeInfo(itinfo:UINT; lcid:UI4; out pptinfo:^^void);
    function GetIDsOfNames(riid:^GUID; rgszNames:^^I1; cNames:UINT; lcid:UI4; out rgdispid:^I4);
    function Invoke(dispidMember:I4; riid:^GUID; lcid:UI4; wFlags:UI2; pdispparams:^DISPPARAMS; out pvarResult:^variant; out pexcepinfo:^EXCEPINFO; out puArgErr:^UINT);
    property-get SerialNumber: BSTR;
    function MoveOldLicense;
    property-get VID: BSTR;
    property-put PID(^BSTR);
    function NewSerial: BSTR;
    function CalculateCheckSum(out Serial:^BSTR): BSTR;
    function ValidSerial(out Serial:^BSTR): bool;
    function GenerateKey(out Serial:^BSTR): BSTR;
    function ExtractPackageID(out Serial:^BSTR): BSTR;
    function ValidKey(out Key:^BSTR): bool;
    property-get KeyError: BSTR;
    property-put Key(^BSTR);
    property-get Key: BSTR;
    function Licensed(out ID:^BSTR): variant;
    function MatchedKey(out Key:^BSTR; out Serial:^BSTR): bool;

    Class Serial;
    GUID={354731A4-7649-4273-B655-51796630CA4F};
    function QueryInterface(riid:^GUID; out ppvObj:^^void);
    function AddRef: UI4;
    function Release: UI4;
    function GetTypeInfoCount(out pctinfo:^UINT);
    function GetTypeInfo(itinfo:UINT; lcid:UI4; out pptinfo:^^void);
    function GetIDsOfNames(riid:^GUID; rgszNames:^^I1; cNames:UINT; lcid:UI4; out rgdispid:^I4);
    function Invoke(dispidMember:I4; riid:^GUID; lcid:UI4; wFlags:UI2; pdispparams:^DISPPARAMS; out pvarResult:^variant; out pexcepinfo:^EXCEPINFO; out puArgErr:^UINT);
    property-get SerialNumber: BSTR;
    function MoveOldLicense;
    property-get VID: BSTR;
    property-put PID(^BSTR);
    function NewSerial: BSTR;
    function CalculateCheckSum(out Serial:^BSTR): BSTR;
    function ValidSerial(out Serial:^BSTR): bool;
    function GenerateKey(out Serial:^BSTR): BSTR;
    function ExtractPackageID(out Serial:^BSTR): BSTR;
    function ValidKey(out Key:^BSTR): bool;
    property-get KeyError: BSTR;
    property-put Key(^BSTR);
    property-get Key: BSTR;
    function Licensed(out ID:^BSTR): variant;
    function MatchedKey(out Key:^BSTR; out Serial:^BSTR): bool;

  4. #4
    Solomon
    Guest
    hehe, I successfully managed to crack the full version, only a 3-byte patch.

    My breakpoints are:
    rtcCreateObject2 // to launch Local COM Server
    __vbaLateMemCallId // call a method in the Local COM Server
    __vbaBoolVar // Licensed = TRUE or FALSE?

  5. #5
    disavowed
    Guest
    glad we could help

  6. #6
    machgun
    Guest
    Solomon (03-28-2001 13:14):

    So I use ExeScope to examine the TypeLib of SolarWinds2000.exe. Interesting. The next step is to locate the entry point of each function through CoCreateInstance/CoInitialize/... ? Seems that keygen is possible.

    Class Serial;
    property-get SerialNumber: BSTR;
    property-get VID: BSTR;
    property-put PID(^BSTR);
    function NewSerial: BSTR;
    function CalculateCheckSum(out Serial:^BSTR): BSTR;
    function ValidSerial(out Serial:^BSTR): bool;
    function GenerateKey(out Serial:^BSTR): BSTR;
    function ExtractPackageID(out Serial:^BSTR): BSTR;
    function ValidKey(out Key:^BSTR): bool;
    property-get KeyError: BSTR;
    property-put Key(^BSTR);
    property-get Key: BSTR;
    function Licensed(out ID:^BSTR): variant;
    function MatchedKey(out Key:^BSTR; out Serial:^BSTR): bool;
    I would recommend playing with this interface a little bit more (for example, CreateObject with a VBScript and run it with wsh, call all these methods and peek at all these properties, try and see what will come out) - seems to me they have a keygen embedded right in.

  7. #7
    Solomon
    Guest
    yeah machgun, your good suggestion reminds me of the convenient way of script. I will try it. Several days ago I tried the way of C++ Builder. I wrote a COM server with C++ Builder to replace the original SolarWinds2000.exe, but it's not easy for me to let it work correctly. I have not tried writing a COM client to call it.

    BTW: The TypeLib definition produced by ExeScope is slightly different from that produced by C++ Builder though the target is the same SolarWinds2000.exe. Don't know whose bug it is.

    Thanks.

  8. #8
    Solomon
    Guest
    It works!

    Just call GenerateKey( ), a valid key will be generated.

  9. #9
    qferret
    Guest
    now that's a protection....call their own "GenerateKey()" function....they coulda just as well named it "CreateWarez()" }>
    I promise that I have read the FAQ and tried to use the Search to answer my question.
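
A vendor-side check for the design flaw this thread turns on (a licensing automation server that exposes its own key-generation method to any COM client), as an added example that is not part of the original thread. It parses a type-library dump in the ExeScope text format quoted in post #3 and flags exposed functions whose names suggest they produce a licensing value rather than verify one; the function names and the name-prefix policy in the Python code are assumptions, and the sample lines are excerpted from that dump.

```python
import re

# Excerpt of the ExeScope dump quoted in post #3 (not the full listing).
SAMPLE_DUMP = """\
Dispatch _Versions;
GUID={88ACBD6F-E6D8-4B1E-9302-599BF0D50377};
function LoadVersions;

Dispatch _Serial;
GUID={6910475C-6460-49FB-BBBB-41806D7EBF41};
function QueryInterface(riid:^GUID; out ppvObj:^^void);
function CalculateCheckSum(out Serial:^BSTR): BSTR;
function ValidSerial(out Serial:^BSTR): bool;
function GenerateKey(out Serial:^BSTR): BSTR;
function ValidKey(out Key:^BSTR): bool;
property-put Key(^BSTR);
"""

HEADER = re.compile(r"^(Dispatch|Class)\s+(\w+);$")
GUID = re.compile(r"^GUID=\{([0-9A-Fa-f-]{36})\};$")
MEMBER = re.compile(r"^(function|property-get|property-put)\s+(\w+)")
# IUnknown/IDispatch plumbing present on every automation interface.
PLUMBING = {"QueryInterface", "AddRef", "Release", "GetTypeInfoCount",
            "GetTypeInfo", "GetIDsOfNames", "Invoke"}
# Assumed audit policy: verbs that produce a licensing value instead of checking one.
RISKY = re.compile(r"^(Generate|Calculate|Create|Make|New|Sign)", re.I)

def parse_typelib_dump(text):
    """Return one dict per interface/coclass with its GUID and own members."""
    interfaces, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if m := HEADER.match(line):
            current = {"kind": m[1], "name": m[2], "guid": None, "members": []}
            interfaces.append(current)
        elif current is None:
            continue  # text before the first interface header
        elif m := GUID.match(line):
            current["guid"] = m[1]
        elif (m := MEMBER.match(line)) and m[2] not in PLUMBING:
            current["members"].append((m[1], m[2]))
    return interfaces

def audit(interfaces):
    """List (interface, method) pairs that need review before shipping."""
    return [(i["name"], name) for i in interfaces
            for kind, name in i["members"]
            if kind == "function" and RISKY.match(name)]
```

Method names are only a heuristic: a finding means the member needs review, and a clean result does not prove the interface is safe to expose.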

  10. #10
    nchanta
    Guest
    on the same note as this discussion, i have been playing with a softlocx5.ocx protection...

    the target uses a computer generated serial code, registration key, and an unlock code. i have keygenned the registration key (programmer's own routine), but after it checks this it traces down to two __vbacalllateid calls. i have no idea what these do...

    is there an easy way to trace into the code that these calls are executing ?

    thanks

    NchantA

  11. #11
    Solomon
    Guest
    Hi,

    Try TLBDBG. It can generate symbolic info for COM interfaces, so this may help us to locate the entry point of each method in the interfaces. It only works with In-Process servers (DLL/OCX).
    h**p://w*w.microsoft.com/msj/0399/comtype/comtype.htm

    regards

  12. #12
    SirMicha
    Guest
    I'm glad to see I'm not the only one that has taken their time on this; however, I seemed to be stuck. I've written a simple VBS script that will pull out most of the information from the COM, but no serial. Anyone have any ideas?

    'Simple query query.vbs
    dim comp1

    set comp1 = WScript.CreateObject("Solarwinds2000.Serial", IDispatch)
    myStr1 = comp1.GenerateKey()

    WScript.Echo "Text: " & myStr1

  13. #13
    Solomon
    Guest
    hi,
    You can get the serial from the registration dialog and pass it as a parameter to GenerateKey( ). Here is my script:

    'This has been tested with SolarWinds 2001 Engineering's Edition FULL version

    Option Explicit

    Dim SolarWinds, Serial, Key

    If Wscript.Arguments.Count = 0 Then
        Wscript.echo("Usage: KeyGen.vbs SerialNumber")
        WScript.echo("Example: KeyGen.vbs SWEE-7C4-D2Z6-Y2RQ-YK56-69Y6-Y786")
    Else
        Serial = Wscript.arguments.Item(0)
        Set SolarWinds = CreateObject("SolarWinds2001.Serial")

        If CBool(SolarWinds.ValidSerial(CStr(Serial))) = True Then
            Key = SolarWinds.GenerateKey(CStr(Serial))
            WScript.echo("Your serial: " & Serial)
            WScript.echo("Your key: " & Key)
        Else
            WScript.echo("Your serial " & Serial & " is invalid!")
        End If
    End If

  14. #14
    thriller
    Guest
    solomon. i'm interested in knowing more about this crack.
    quick thing tho, is there anyway i can download 'solarwinds 2000 edition Engineering version...?????'
    please write back,,and let me know if u can or cannot..

  15. #15
    goatass
    Guest
    Solomon, great work man. I've keygened an earlier version and it was the same way as it is now but I'm sure they changed the algo a bit. I just took the keygen code out and wrote my own keygen but your way is just as good.
    If you have the extra time you should write a paper explaining your method a bit more and possibly talking about your findings on COM objects. Give us all something good to read

    good job
    goatass