charlesnathansmith / whatlicense

WinLicense key extraction via Intel PIN

Can you extract the Unique license hash from a license file? #3

Open veso266 opened 8 months ago

veso266 commented 8 months ago

Hi there, great program you did. Looking at this, it seems this is made for programs where you don't already have a license file (regkey.dat or whatever they call it).

What about if you already have a license file? Is the unique hash or its private key maybe stored somewhere inside, so you can just extract it from there?

I am asking in the context of WinLicense 2. In WinLicense 3 they changed Unique hash to License hash, but I'm not sure if the fundamentals changed as well.

charlesnathansmith commented 8 months ago

The license files aren't that useful themselves as they are encrypted with the private RSA key. The protected program contains all the information needed to decrypt everything.

The current iteration of this tool extracts everything from 32-bit programs (64-bit support is a work in progress) protected with WinLicense 2 and 3 that is needed to fully bypass the validation. I've tested it against several different programs protected with demos and against commercial software, but there's no definitive list of programs that use it, so it's hard to assemble a large test base.

The license file format hasn't changed in 10+ years. There are minor differences in the verification routine between programs, and I've tried to generalize the extraction process as much as possible given the samples I've had available, but I'm sure there are some it'll fail on, and it needs to be generalized some more. That's why I've tried to document everything that's happening as much as possible, so it's not a complete mystery what's going wrong on one it can't handle yet.

There's a main_hash, which has all the keys, passwords, and check values for the inner layers of encryption, then two RSA keys for encrypting and signing everything afterward. It's possible to construct a valid main_hash from analyzing the protected program without any license file required. The private RSA keys of course aren't present anywhere, but you can build a license with any RSA key you want after getting the main_hash and just hot-swap in the public keys at that verification step when launching the program. Ideally we'd eventually be able to change the hardcoded keys in the program, but they're packed under several layers and that's a whole other ordeal.

If you know of more products protected with WL2 or 3, both 32-bit and 64-bit, send them my way, because I need as many as possible to keep generalizing this to be able to work on as many programs automatically as possible.

veso266 commented 8 months ago

I see, so if I understand this correctly, the license file is encrypted with the private key, which is what they call the unique hash.

Then the app is packed with the public key, so it can decrypt the license file.

So the only way is to load your own public key into the app (which, if I understand correctly, whatlicense cannot yet do, at least not without some kind of emulation layer).

Here is another sample which, if I remember correctly, uses WinLicense 2 and is locked to the serial number of FTDI USB-to-RS232 serial cables (not really sure how they have done that, because at least on my end (see the attached image) this External Hardware option is blurred out, even if I plug my FTDI USB-to-serial adapter in). sample.zip

Also found this: https://bbs.kanxue.com/thread-96931.htm maybe it will be useful.

PS: Could you maybe share precompiled wl-lic and wl-extract.dll? I have a lot of problems building this; I always get `error C2118: negative subscript` (even with the examples that come with Intel PIN, like tools\SimpleExamples and tools\MyPinTool), so I'm not sure anymore what's wrong :smile: (I used this PIN: https://software.intel.com/sites/landingpage/pintool/downloads/pin-3.27-98718-gbeaa5d51e-msvc-windows.zip )

charlesnathansmith commented 8 months ago

I haven't necessarily looked at the absolute newest version, but it used to generate a main_hash and then two sets of RSA keys. The main_hash is used for their own custom encryption of the license, then the entire license is encrypted with one RSA key and signed with the other. The protected program itself isn't really encrypted, just highly obfuscated. If you can trick it into passing all of the validation checks, it will launch normally afterward.

There are a lot of protection options I haven't fully explored. This tool isn't actively maintained and was designed to work on a very specific subset of protected programs (x86, with a regkey.dat-style license); it can hopefully serve as a jumping-off point for anyone wanting to extend it.

I thought about precompiling binaries, but then I can't redistribute Pin, which is needed to run them, and they would need to run with the specific version of Pin they were built for. Plus it starts to get into dicey legal territory where I'm just distributing cracking tools at that point, and I'm no longer just offering an academic study.
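The following is an added example, not code from this thread or from the whatlicense project. It models the trust structure the maintainer describes in the two replies above: an inner layer keyed by a main_hash the protected program carries, the whole license then run through RSA with one vendor private key (so the program undoes it with the pinned public key), and a detached signature made with a second key. The inner cipher (a SHA-256 XOR keystream), the textbook RSA with ~62-bit toy moduli and no padding, the 7-byte block framing and the JSON payload are all assumptions chosen only to keep the model self-contained and runnable; none of it is WinLicense's actual format. What it demonstrates is the point made in both replies: the program holds only main_hash and two public keys, so once those are recovered from the binary, a license built with a keypair of your own verifies as soon as the pinned public keys are swapped at the verification step, while the same forged license fails against the vendor's keys.

```python
"""Toy two-key license scheme (assumption: not WinLicense's format).

Vendor side:  fields -> inner layer keyed by main_hash -> raw RSA with a *private*
              key, 7-byte blocks -> detached RSA signature with a second key.
Program side: holds main_hash and the two *public* keys, and nothing else.
Textbook RSA with ~62-bit moduli: a model of the trust structure, not a cipher.
"""
import hashlib
import json
from math import gcd

MR_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)  # deterministic below 2**64


def is_probable_prime(n):
    """Miller-Rabin with fixed bases; deterministic for n < 2**64."""
    if n < 2:
        return False
    for p in MR_BASES:
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in MR_BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def next_prime(n):
    while not is_probable_prime(n):
        n += 1
    return n


def rsa_keypair(seed):
    """Reproducible toy keypair: two ~31-bit primes, so 2**56 < n < 2**63."""
    p = next_prime((1 << 31) + 100003 * seed)
    q = next_prime((1 << 31) + 7919 * seed + 1)
    n, phi = p * q, (p - 1) * (q - 1)
    e = next(e for e in (65537, 257, 17, 3) if gcd(e, phi) == 1)
    return (n, e), (n, pow(e, -1, phi))  # (public, private)


def keystream_xor(data, main_hash):
    """Stand-in for the protector's own inner encryption: XOR with a SHA-256 keystream."""
    stream, counter = b"", 0
    while len(stream) < len(data):
        stream += hashlib.sha256(main_hash + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def rsa_blocks(data, key, in_size, out_size):
    """Raw RSA applied block-wise: in_size-byte inputs become out_size-byte outputs."""
    n, exp = key
    return b"".join(
        pow(int.from_bytes(data[i:i + in_size], "big"), exp, n).to_bytes(out_size, "big")
        for i in range(0, len(data), in_size))


def digest_int(blob):
    return int.from_bytes(hashlib.sha256(blob).digest()[:7], "big")  # < 2**56 < n


def build_license(fields, main_hash, priv_enc, priv_sig):
    """Vendor side: frame -> inner layer -> RSA with the private key -> signature."""
    plain = json.dumps(fields, sort_keys=True).encode()
    framed = len(plain).to_bytes(2, "big") + plain
    framed += b"\0" * (-len(framed) % 7)
    enc = rsa_blocks(keystream_xor(framed, main_hash), priv_enc, 7, 8)
    return enc + pow(digest_int(enc), priv_sig[1], priv_sig[0]).to_bytes(8, "big")


def verify_license(blob, main_hash, pub_enc, pub_sig):
    """Program side: check the signature, undo RSA with the public key, strip the
    inner layer. Returns the license fields, or None on any failure."""
    enc, sig = blob[:-8], blob[-8:]
    if len(enc) % 8 or pow(int.from_bytes(sig, "big"), pub_sig[1], pub_sig[0]) != digest_int(enc):
        return None
    try:
        framed = keystream_xor(rsa_blocks(enc, pub_enc, 8, 7), main_hash)
        fields = json.loads(framed[2:2 + int.from_bytes(framed[:2], "big")])
    except (ValueError, OverflowError):  # wrong key or wrong main_hash yields garbage
        return None
    return fields if isinstance(fields, dict) else None


# Constructed demo. The vendor's private keys never ship; the program embeds
# MAIN_HASH plus the two public keys, which is exactly what an analyst recovers.
MAIN_HASH = hashlib.sha256(b"constructed main_hash material").digest()
VENDOR_ENC_PUB, VENDOR_ENC_PRIV = rsa_keypair(1)
VENDOR_SIG_PUB, VENDOR_SIG_PRIV = rsa_keypair(2)
ATTACKER_ENC_PUB, ATTACKER_ENC_PRIV = rsa_keypair(3)
ATTACKER_SIG_PUB, ATTACKER_SIG_PRIV = rsa_keypair(4)

genuine = build_license({"user": "alice", "expires": "2030-01-01"},
                        MAIN_HASH, VENDOR_ENC_PRIV, VENDOR_SIG_PRIV)
forged = build_license({"user": "anyone", "expires": "never"},
                       MAIN_HASH, ATTACKER_ENC_PRIV, ATTACKER_SIG_PRIV)


def scenario():
    """Same forged license, two different sets of pinned public keys."""
    return {
        "genuine_with_vendor_keys": verify_license(genuine, MAIN_HASH, VENDOR_ENC_PUB, VENDOR_SIG_PUB),
        "forged_with_vendor_keys": verify_license(forged, MAIN_HASH, VENDOR_ENC_PUB, VENDOR_SIG_PUB),
        "forged_with_swapped_keys": verify_license(forged, MAIN_HASH, ATTACKER_ENC_PUB, ATTACKER_SIG_PUB),
    }


if __name__ == "__main__":
    for name, result in scenario().items():
        print(f"{name}: {result}")
```

The forged license is rejected while the vendor's public keys are in place and accepted the moment the attacker's public keys are substituted at the check, with no private key of the vendor involved. That is the defensive lesson the thread points at: public keys pinned inside a binary the adversary fully controls are an obstacle, not a secret, and the scheme's strength collapses to how hard it is to find and replace them, which is why the maintainer talks about swapping them at the verification step rather than recovering any key.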