Using LIC files
by .sozni


(Courtesy of reverser's pages of reverse engineering ~ December 1998)

red

Well, oh my... another great reverser steps out of the shadows of the web... in fact .sozni seems to have gone a long way all on his own. Visit his very good site at http://www.vnam.com/sozni and you'll find a WEALTH of extremely interesting essays about OCX controls (but not only).
I have decided to reproduce one of them, because I found it particularly interesting and because I'm sure that it will work as a 'portal' to .sozni's good site. If you are interested in OCX cracking, you may find interesting also Popjack's essay about OCX Control Highlights and Licensing schemes, other information may be found inside Dr Fuhrball's essay A slightly different kind of dongle cracking.

.

Using .LIC files

Hopefully you are all by now seeing how weak ActiveX licensing really is. I have been focusing on Registry licenses up to this point but that's just one method. To protect ActiveX controls, the software will use one of these methods:

  1. Using the standard Microsoft registry licensing method
  2. Using a custom registry licensing method
  3. Using standard .Lic files
  4. Using custom .Lic files
  5. Compiling separate demo and real .OCX files

Note: Although the last one is a protection method, the real .OCX must use one of the other four methods. I have talked about these a little and will cover them more in the future.

I have already explained how to crack method #1 in my previous messages I hope you have all tried doing this by now. If not, download the real version of Janus GridEx (not the demo) and try to create a .reg file for it.

Methods #2 and #4 aren't unique to ActiveX controls. If a control uses one of these methods, you just have to crack them using your general cracking skills (that you can learn somewhere else).

So that leaves method #3, using standard .Lic files.

Remember that in order for an ActiveX control to be registered, it needs to be provided a license string. In the development environment (such as VB) an instance of the control is created but a null is passed instead of a license string. That tells the control that it needs to look on the developer's computer to find its own license string. Sometimes it looks at the registry and sometimes it looks for a .Lic file.

Usually when I first try out a control, I have RegMon and FileMon running (filtered, of course). It is usually obvious which licensing method it is using. It is probably going to look at HKCR\Licenses in the registry or <control>.lic on disk. If I see no activity at all, then I assume I have a compiled demo and go back to their web site to find the real thing.

If a control is looking for a .lic file, then it is usually using the standard .lic file licensing scheme. This is the method that has been most used in the past (starting with VBX's). Most often the control will just look at the first line of the .Lic file and return that as the license string. Sometimes it will look for some other string (such as a serial #) or check the length of the file. It is rare that a control will use a custom method (such as an encrypted .lic file).

Often, a demo control will be distributed with a demo .lic file so the .lic file might already be there. FileMon will tell you if one was found or not. It is most likely located in the same directory as the .OCX file and uses that same name with a .lic extension. For example, dcube.ocx uses a file named dcube.lic.

If you find a license file, open it up in a text editor and see what's there. Usually you will see a copyright string and then a paragraph on how it is bad to share these .lic files with your friends. If you open the file and get binary data, then you are looking at a custom .lic file and must use a different method than explained here to crack the control.

If you can't find a .lic file, create one using Notepad and just put anything you want on the first line. Just make sure the file has the same name (except the extension) and is in the same place as the .OCX file.

So right now if you create an instance of that control it will look at the .lic file, get the first line, compare that to another string, and since they don't match pop up a nag screen or something.

All we have to do is make that first line in the .lic file contain the correct string and we have a registered control.

So where do we get the correct string? There are many ways we can do that. Most controls are very easy but sometimes you have to fish a little. Here's how it's done:

USING PEEK OR HEX EDITOR - Most of the time the string is compiled right into the OCX as plaintext that is easily extracted using Peek or a Hex Editor. Peek sometimes cuts off part of the string so I prefer UtlraEdit. Depending on how the control was developed, the string will be found in different places. However, I have noticed that it is usually a Unicode string and it is usually a copyright notice. If I have trouble finding it, I use Peek to locate it and then UtlraEdit to verify it.

USING A DECOMPILER OR RESOURCE EDITOR - I rarely need to do this but sometimes it is hard to locate or there are lots of candidates and you need to find the correct one. Of course, if the string is encryted or created at runtime, then you will probably need this method to see what's going on. But you may be better off using a debugger.

USING SOFTICE - If the string isn't stored in plaintext in the OCX file, you will actually have to do some work. Softice works very well with ActiveX controls because there are a lot of triggers we can use. Here are some breakpoints (in order of preference) that usually work: lstrcmp lstrcmpi comparestring msvcrt!strcmp lstrcpy readfile lstrlen createdialog

If you can't find the right one, look what functions the OCX file is importing. If you haven't found the string by now, you may have a compiled demo or they are not using a standard .lic file.

By the way, PopJack has written a good essay on using SoftIce to crack OCX controls.

USING AN EXE - As I have explained before, the control's license string is compiled right into an executable. That way the executable can provide the string where a client doesn't have the .lic file. Just open the EXE in a Hex Editor and look for the control's class name. Right above the class name you will see the license string. Put that string into the .lic file and you are registered. Many times you can download a compiled (on their registered computers) demo EXE that can be used to extract license strings.

USING OTHER LICENSES - If you already have one registered control from a company, you can often rename that same license and use it with other controls they make. Most of the DameWare licenses I have created are just copies of the same .lic file. Just use the same name as the OCX and put it in the same location.

USING A SERIAL NUMBER - Sometimes you have a serial number you found on the net but it is registered to someone like "^KiLLer^CraCKeR666!" Now we don't want software registered to some 13-year-old and we certainly don't want this name appearing on our software prototypes (NOTE: I don't buy the control until a project is done and I know it doesn't suck).

Or maybe your friend gave you his serial and you want to share it with others. But you don't want to get him in trouble because he already sent in his registration card with that number.

So what we do is install the control using this serial number and let the software do its thing and create its license files. Then save the license file and uninstall the software. Put the license file back where it was then reinstall the software. This time it thinks it is an upgrade or reinstall and you can use your own name. And you can now give the .lic files to others to do the same.

WEB OR FTP - Although rare, every once in a while I can search the web and find a .lic file. And sometimes on the vendor's web site I come across something useful (more on this later). If all else fails, you can try this out.

One notable experience I had was when cracking VB Advantage. Their .lic file was a binary file. After digging around a bit, I found that they used a commercial protection DLL. I went to this company's web site and found their help file, tech notes, and even a demo of their software (with a license editor!).

And that's about it. For some reason very few people crack ActiveX controls. But as you can see, they are much easier and quicker to crack than most applications. If you want to play around with these concepts, try cracking controls from DameWare or DataDynamics.


Last changed: December 18, 1998

Copyright 1998 .sozni, all rights reserved.  This information must not be duplicated or reproduced without express written permission by the operator of this web site.

Disclaimer:  This information must only be used for educational purposes.   It must not be used to pirate software or encourage software piracy or to engage in any illegal activity.   All instructions are provided as-is and are not supported by either the software producers or the owners or operators of this web site or really anyone at all.   Before using any of these licensing techniques you must first get approval from the softare producer and/or have already purchased this software.  Please refer to the Terms of Use for more information.


You'r deep inside reverser's pages of reverse engineering, choose your way out
redhomepage red links red anonymity red+ORC redstudents' essays redtools redcocktails
redacademy database redantismut search_forms redmail_reverser
redis reverse engineering legal?