Those Ridiculous LPK Files

ActiveX technology is very important to Microsoft. And when it comes to internet domination, it is an important part of their browser technology. It seemed like a natural transition to take OLE technology that they already had developed, rename it to something cool like ActiveX technology and integrate it right into their web browser. But that transition was plagued with problems, one of which was licensing.

Microsoft had this to say about the problem:

Like the other containers, Internet Explorer 4.0 also calls the IClassFactory2 methods to verify that an ActiveX control is licensed. However, unlike Visual Basic or Microsoft Access, which embed ActiveX Controls within the binary code of their application's executable files, Internet Explorer 4.0 uses a different model. This unique model is a necessary response to the following factors:

  • The openness of the browser (the ability to view the HTML source file).
  • Client/server issues imposed by the Internet (or corporate intranet).

Because any Internet Explorer 4.0 user can view the HTML source code for a given Web page, and because an ActiveX control is copied to a user's computer before it is displayed, a level of indirection is required to "hide" the license for an ActiveX control from the user. This prevents an Internet Explorer 4.0 user from pirating and reusing a control that they have not purchased. Microsoft addresses these run-time licensing issues with a new file called the license package file (or LPK file).

 

Well, let's see how well this LPK file keeps people from pirating and reusing controls that they haven't purchased. First of all, let's take a look at the format of an LPK file:

Element | Description
.lpk header | This header identifies the file type: "LPK License Package"
Copyright text or other legal statement | "Legalese" to dissuade casual copying of .lpk files
LPK version GUID | In plain-text on a line by itself. This GUID is used to mark the beginning of the real license package data; it is also used to identify the LPK file format version.
Uuencoded (Base64) license package | The two structures below

    struct {
        UUID uuidLPKFile;        // unique per LPK
        DWORD dwLicenses;        // number of licenses in the file
        LICENSEPAIR aLicenses[]; // array of license pairs
    } LICENSEPACKAGE;

    struct {
        CLSID clsid;  // clsid of object
        DWORD cchLic; // number of characters in the license
        WCHAR ach[];  // license (saved as UNICODE characters)
    } LICENSEPAIR;

 

 

And, the contents of a sample LPK file:

LPK License Package
//////////////////////////////////////////////////////////////////////////////
// WARNING: The information in this file is protected by copyright law //
// and international treaty provisions. Unauthorized reproduction or //
// distribution of this file, or any portion of it, may result in severe //
// criminal and civil penalties, and will be prosecuted to the maximum //
// extent possible under the law. Further, you may not reverse engineer, //
// decompile, or disassemble the file. //
//////////////////////////////////////////////////////////////////////////////
{3d25aba1-caec-11cf-b34a-00aa00a28331}
ILIsJYLG0hGmSQCgJNYYII=
AQAAAA=
ICgoghfA0BGofACgyQ8p/BcAAAB
5AHkAdAB0AGgAeABpAHUAaQBvAHEAcgBlAGQAdABmAGgAZwBkAHIANAB0AGYA=

 

Now is it just me, or is there something seriously wrong with this scheme? Now I haven't fully tested these ideas, so if anyone sees any flaws with these ideas please let me know.

By looking at the file format, we see that the file itself isn't even encrypted, other than being uuencoded. That doesn't seem like much of a deterrent. I guess that's why they felt the need to stick in the copyright warning. They obviously knew this method isn't that great. That alone is a huge weakness. But thinking about it, I realized that this form of protection is even more ridiculous than it appears to be on the surface. It doesn’t really matter if they use Quadruple-DES 1024-bit encryption, because all Internet Explorer needs is the file itself. We don’t need to ever see the unencrypted contents ourselves.
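The layout in the table above can be walked with nothing more than a Base64 decoder. The following Python is an added example, not code from the original page or from Microsoft: an audit helper a control vendor could run over an LPK they publish, to list which CLSIDs it carries licenses for and how long each license is. The chunk framing (one trailing "=" per chunk, one chunk per license pair, little-endian GUID bytes) is an assumption inferred from the sample file above; build_lpk and inventory are hypothetical names, and every sample value is constructed.

```python
import base64
import struct
import uuid

LPK_HEADER = "LPK License Package"
LPK_VERSION_GUID = "{3d25aba1-caec-11cf-b34a-00aa00a28331}"  # from the page's sample

def _enc(raw):
    # Assumed convention (inferred from the sample): one trailing '=' per chunk.
    return base64.b64encode(raw).decode("ascii").rstrip("=") + "="

def _dec(chunk):
    # Re-pad to a multiple of four so a strict Base64 decoder accepts the chunk.
    return base64.b64decode(chunk + "=" * (-len(chunk) % 4))

def build_lpk(lpk_id, pairs):
    """Build a constructed LPK text from (clsid, license_text) pairs."""
    chunks = [_enc(lpk_id.bytes_le), _enc(struct.pack("<I", len(pairs)))]
    for clsid, lic in pairs:
        chunks.append(_enc(clsid.bytes_le + struct.pack("<I", len(lic))
                           + lic.encode("utf-16-le")))
    return "\n".join([LPK_HEADER, "// constructed legal text //",
                      LPK_VERSION_GUID] + chunks) + "\n"

def inventory(text):
    """Return the LPK id plus (clsid, license length) for every pair it carries."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if not lines or lines[0] != LPK_HEADER:
        raise ValueError("not an LPK file")
    if LPK_VERSION_GUID not in lines:
        raise ValueError("unknown LPK version GUID")
    body = "".join(lines[lines.index(LPK_VERSION_GUID) + 1:])
    # '=' ends each chunk, so wrapped lines are rejoined before splitting.
    chunks = [_dec(c) for c in body.split("=") if c]
    if len(chunks) < 2 or len(chunks[0]) != 16 or len(chunks[1]) != 4:
        raise ValueError("truncated license package")
    (declared,) = struct.unpack("<I", chunks[1])
    entries = []
    for raw in chunks[2:]:
        if len(raw) < 20:
            raise ValueError("truncated license pair")
        clsid = uuid.UUID(bytes_le=raw[:16])       # CLSID is a Windows GUID
        (cch,) = struct.unpack_from("<I", raw, 16)
        if len(raw) - 20 != 2 * cch:               # WCHAR is two bytes per character
            raise ValueError("license length mismatch")
        entries.append((str(clsid), cch))
    if declared != len(entries):
        raise ValueError("dwLicenses does not match the pairs present")
    return {"lpk_id": str(uuid.UUID(bytes_le=chunks[0])), "licenses": entries}
```

Nothing in the walk needs a key or a secret: the only checks that can fail are structural ones, such as a length mismatch or a wrong pair count.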

When an ActiveX control is placed on a web page, there is a reference to the LPK file in the HTML code. Internet Explorer will look for that LPK file and retrieve the license string for the control. So all it really needs is the LPK file. So all we need to do is grab the LPK file as well as the control to have our own licensed versions. In essence, all Microsoft did with LPK files is make us download two things instead of one. What kind of protection is that?

So let's look at an example. I'm going to pick on DameWare Development again because I know they have online samples of their controls. If you go to their web page at www.dameware.com and look at the online sample of, say, DameWare Ping and look at the HTML source, you will see a reference to a DCal.lpk file. Now the DLL file is named DCal.dll so we could have even guessed the name of the LPK file.

Now a little bit lower in the page, you will see a reference to the DLL file. You will see that the DLL is located at www.dameware.com/bin/dcal.dll. And as you can guess, there will be an LPK file at www.dameware.com/bin/dcal.lpk. All you need to do is download this file and now you have your own runtime license to put on your own web pages. And if you feel like uudecoding the file, you can also probably get the license string that you would put in a .LIC file or in the registry so you can also have a development license. In the case of DameWare, the LPK file is actually for the demo version, but there are plenty of others out there that are licensed ActiveX controls.

Now I imagine that with proper configuration and some clever permission settings, one could keep someone from downloading their LPK file, but how interested is the developer in protecting someone else's license? I am certainly not going to spend even 5 minutes to protect an LPK file to keep someone else from having a license.

Someone at Microsoft forgot to do one very important thing here: think. But I wish I had been at the meeting where the developers presented this great new ActiveX licensing scheme. I would have had a lot of fun.

.sozni

 

 

Copyright ©1998 .sozni, all rights reserved. This information must not be duplicated or reproduced without express written permission by the operator of this web site.

Disclaimer: This information must only be used for academic purposes to study different licensing techniques and must not be used to infringe the copyrights of these companies. It must not be used to pirate software or encourage software piracy or to engage in any illegal activity. All instructions are provided as-is and are not supported by either the software producers or the owners or operators of this web site or anyone else for that matter. Before using any of these licensing techniques you must first get approval from the software producer and/or have already purchased this software. Please refer to the Terms of Use for more information.

All trademarked names are registered trademarks of their respective companies.