Sentinel License Manager Cracking
Cracking the Sentinel LM protected program Delphi v5.0 trial
by CyberHeg
Courtesy of Fravia's page of reverse engineering
slightly edited
by +Tsehp
This essay will provide the reader with the knowledge required to defeat the SentinelLM shell. A very helpful essay. --nb.

Simple, easy to apply and working also with inprise's c++ builder 5.
There is a crack, a crack in everything That's how the light gets in
( )Beginner (X)Intermediate ( )Advanced ( )Expert

The target audience for this essay is reasonably experienced crackers who wish to generate keys for Sentinel License Manger protected products.
No more Rainbow Trials
Cracking the Sentinel LM protected program Delphi v5.0 trial
Written by CyberHeg

Using the essay "Rainbow trials Delphi five enterprise trial edition by macilaci" as a background
we will study an easier and better method for making this program work than patching.

Tools required
A cracked version of Wslcgen.exe (which is a part of Sentinel LM SDK) or a meter key, Sentinel LM SDK, IDA v4.04+, Softice v4.05, filemon and Sentinel LM flirt sigs for IDA.

Target's URL/FTP and

Program History
Uncertain - this appears to be a descendant of the earlier Sentinel License Manager and the Elan license manager. The models for licensing appear to come from the ancient "netls" package, but the key generation appears to be totally different. Delphi - you all know what it is.

Sentinel LM licensing is very similar to FLEXlm. It also has both features and 
version numbers which are needed in order to make licenses. Instead of seed codes 
each vendor gets a Vendor ID which is encoded into the installation serial of 
the SDK.

This Vendor ID is the return value of the function computevendorvode() which is 
built into every application.

There are 2 ways for a developer to protect a program - the custom API 
implementation or the Sentinel LM Shell. With custom implementation you add the 
protection directly into the source code, while with the Shell the file(s) will 
get packed and a shell will suround them. With the Shell there exists a Client 
Activator which is a vbox type screen.  With this protection you have access to 
various options that allow end users try out the program, such as demo mode, 
time limited trial, or the option to unlock the program completely by supplying 
a valid license code.  SentinelLM is very easy to adjust for your needs.

When running the Delphi installer we see that it wants a serial number to get 
the installation going. I won't comment this as it is not really interesting for 
this project. Either fix it yourself or read in macilaci's or Nolan Blender's 
essay how it can be done.

After installation we run the program which starts up the executable - 
delphi32.exe. It will show up with a Vbox type screen - the Client Activator. 
You have the option to try out the program and doing so will of course start up 
the real program. As macilaci also concluded this program is packed and since 
it uses Client Activator too we know by now that Sentinel LM Shell was used as 
the protection.

Loading the program with filemon running in the background shows that it reads 
the file lservrc before the Client Activator shows up. This is not really 
surprising as the default filename of the SentinelLM license file is lservrc.

Opening the file with notepad gave me this result:

#Lic for Delphi 5 RTM, expires on Jun 31, 2002

We see here that it uses some kind of license file. We will explore the key 
later but for now we will only concentrate on the necessary info needed to make 
a new license file. Looking at this key shows that its encrypted as we can't see 
any meaningful info from those numbers. It is a short key since a long key would be 
about 3 times the length and standalone.
Reading the Sentinel LM SDK manual we know that short keys are checked 
out by the api LSRequest().

Here is the description of LSRequest():
		unsigned char *licenseSystem,
		unsigned char *publisherName,
		unsigned char *featureName,
		unsigned char *version,
		unsigned long *unitsReqd,
		unsigned char *logComment,
		LS_CHALLENGE *challenge,
		LS_HANDLE *lshandle);

We now disassemble the delphi32.exe using IDA and apply the static flirt sig. 
Once it's done we will see that the sig identified many functions. We 
now make a map and convert it for use with symbol loader and we are ready to 

By setting a breakpoint on _LSRequest we will see it break a few times.

Here is one of the queries explained:

00493130                 mov     edx, [eax]
00493132                 push    edx             ; *lshandle
00493133                 mov     edx, [eax+4]
00493136                 push    edx             ; *challenge
00493137                 mov     edx, [eax+8]
0049313A                 push    edx             ; *logComment
0049313B                 mov     edx, [eax+0Ch]
0049313E                 push    edx             ; *unitsReqd
0049313F                 mov     edx, [eax+10h]
00493142                 push    edx             ; *version
00493143                 mov     edx, [eax+14h]
00493146                 push    edx	         ; *featureName
00493147                 mov     edx, [eax+18h]
0049314A                 push    edx		 ; *publisherName
0049314B                 mov     eax, [ebx]      
0049314D                 push    eax		 ; *licenseSystem
0049314E                 call    dword ptr [ecx] ; _LSRequest

By checking out what gets pushed onto the stack we will see that most of the 
variables are NULL pointers. This is because short licenses have less options to 
choose from.

By doing so with all of the license queries we will get the features "02" and "45".

Now we need to find the Vendor ID otherwise our licenses won't have the ID of the 
program.  The licenses require the same Vendor ID as the program in order to 

We set a break point on _computevendorcode and run the program once more.
The return code in eax is 0x9CF and this is the Vendor for this program/company.

Now we have all information needed to make licenses with Wlscgen.
I explained most of the license details above and of course we choose to make it 
non-expiring and non-nodelocked. Using the edi pointer at 41F0C0 at the license 
generation stage (described more carefully in a essay by Nolan Blender) we can 
mark our licenses to the specific Vendor ID.

We now have two license keys now which we place in lservrc and remove the 
original one. Run the program again and we will see that both _LSRequest call's 
will give a return code zero as required meaning LS_SUCCESS. But now we won't 
see the Client Activator anymore. Why? It should come up if it was a trial 
version, shouldn't it?

Lets explore the license key which was supplied. In the Sentinel LM SDK there is 
a program named lsdecode which is used for license decoding. It does not show 
all information like Challenge/response and Vendor ID as this could be abused 
even if you had no skills, but for our needs it is sufficient. Lets run this on 
the key which was allready supplied by Borland:

     SentinelLM 7.1.0 License Decoding Utility
  Copyright (C) 2000 Rainbow Technologies, Inc.

Reading license codes from file: "C:\Program Files\Rainbow Technologies\Sentinel

License code: "0904167652371261"

 License Type              : Trial       Standalone
 Trial period              : 60
 Feature name              : "02"

 Max concurrent users      : Unlimited.
 Soft limit on users       : Unlimited.
 License start date        : Morning of Jul 1, 1998
 Expiration date           : Midnight of Jun 30, 2002

 Additive/exclusive        : Exclusive license (overrides additive licenses).
 Held licenses             : Allowed, hold time set by license.
 Token lifetime (heartbeat): 300 secs (5 min(s))
 Action on clock tamper    : No more fresh licenses will be issued.

We see that this is a trial key valid for 60 days! So the trial part is actually 
stuck into a license and not in the program. So now we can conclude that the 
Rainbow Trial it is really a special time limited license. As a quick test try to 
remove the license file completely. Will the program still start up? No, instead 
we will get a error about missing licenses. Lets just imagine now that Borland 
would change their license policy and do not distribute 60 day trial versions 
anymore. Instead a full version is availble for download and to enable it you 
will need a Computer ID (Sentinel dongle). Would it still be "Rainbow Trials" 
then? No! Since you would not be able to start up the program without that 
dongle. However both versions (trial and dongled) would still use Client 
Activator and still be encrypted by Sentinel LM Shell. This is just a small 
difference in the settings used at license generation and program protection time.

The target is working now. No more trial, no more expiring and no more shaky 
patches which might make the program expire after a longer period of time.

Final Notes
Sentinel LM has a big weakness as the only thing which prevents anyone from making 
licenses for other companys products is the Vendor ID, and we just saw it is 
very easy to find that by using the method above. Even lsdecode can be used for 
grabbing information out of existing licenses to make new ones.

Finally you don't call expiring flexlm licenses for "GlobeTrotter Trials" and 
likewise you dont call Sentinel LM Shelled executables for Rainbow Trials.

Ob Duh
I wont even bother explaining you that you should BUY this target program if you intend to use it for a longer period than the allowed one. Should you want to STEAL this software instead, you don't need to crack its protection scheme at all: you'll find it on most Warez sites, complete and already regged, farewell, don't come back.

You are deep inside Fravia's page of reverse engineering, choose your way out:

redhomepage redlinks redsearch_forms red+ORC redhow to protect redacademy database
redreality cracking redhow to search redjavascript wars
redtools redanonymity academy redcocktails redantismut CGI-scripts redmail_Fravia+
redIs reverse engineering legal?