Alias/3 patch

Ginzanix

Member
Aug 28, 2019
35
54
18
Finally I have an Indy for old software Irix6.2 and 5.x test. I'd Install Alias6 with patch, application launch but give an error when load project , object or simply try to create a new project.
I had a look, and it seems my removing some licensing function calls completely caused the problem after Alias switched to dynamic libraries in v5.1. Now it's patched at a lower level, and seems to work. Please test out the various functions, and see if they work... At least file loading is OK now.


alias6a.PNG
 
  • Like
Reactions: kikems

kikems

Member
Jul 22, 2020
72
23
8
Spain
Ginzanix congratulations for your work with the patch v3 of Alias6a is awesome, all works very good. Tested with my Indy IRIX 5.3.
Model, render, animation all works very good. Maybe some part of app can fail but I'm not find until now.
This days I'll try more intensive testing. As always thanks for share your hard work with us and lets me play with this iconic and historial apps of CGI.

Alias6a_indy4600.jpeg
 
Last edited:
  • Like
Reactions: Elf

kikems

Member
Jul 22, 2020
72
23
8
Spain
I found 2 external apps of Alias6 unpatched. One is MS2 and the other one is LipSync or MotionSync ( I'm not remember now). This 2 apps was separate and independent modules from Alias6 executable. If you create the aldemo user during installation and later login, you can view the icons in desktop.
MS2 ( Motion System 2 ) was the app for make, edit and manage motion captures to characters.
Lipsync was a small tool for syncronize morphs or bones with an audio track.

This was small apps, I hope no need much additional work to patch.
 
Last edited:
  • Like
Reactions: indigofan

Ginzanix

Member
Aug 28, 2019
35
54
18
I've had a look at further patches, though I will only post it once it's finished, so there will not be too many versions...

Another interesting tidbit I found by accident, is that the Alias 6a software helpfile, actually includes a checksum valid "template" license (it is published there, so it can't hurt to repost here I guess): Axyz987uvw987tuvbcd456abc. Two other licenses are also provided in the helpfile, but they are not checksum valid.

The license passes the license checksum check, however fails due to incorrect software version and then wrong hostid. By patching those checks, it is possible to get some further info about the string though...

It seems the license was set to expire 95-07-12 07:00:00 (local time), and includes Alias Studio, with only the options "PowerTracer" and "Sega". This does not seem like a practical combination of features, so probably it was just meant as a template license string with a valid checksum, and not for any real use.

Regarding the software version, it seems Alias 6 checks for a license starting with "I", Alias 5 checks for "G", Alias 4 for "E", and by interpolation probably Alias 3 for "C" and Alias 2 for "A". This would mean that the template license is made for Alias 2, which again makes no sense, other than providing a checksum valid license in the manual which would fail on both the hostid and version checks.

The interesting thing is that you can relatively easily manipulate the template license and checksum... I will leave the discussion here at that, though someone more knowledgeable than me, could probably quite easily make a license generator...
 

Ginzanix

Member
Aug 28, 2019
35
54
18
I spent some time studying the license string data. I thought it would be easier to post this somewhere else, so for anyone interested, please see here:


This contains notes on how the encrypted string checksum is calculated, and how to manipulate it. It also explains how you can upgrade an older version license to a newer version (e.g. v4 to v6), while keeping your encrypted features/time/hostid data intact. I haven't been able to do much further with the encrypted data, though I hope someone else might have a look at it.

Finally I provide a table for viewing the obfuscated strings in older Alias binaries. A simple substition algorithm is used for "sensitive" strings, so that they are not immediately apparent when using a hex editor, Ghidra etc. Just use this table with windhex or similar hex editor which can use tables to read the strings. Naturally having all the "sensitive"/encryption related strings readable makes studying the code/error messages easier.

This is all meant for further study/research of some very very old licensing systems (25 or more years old!), and I can see no harm in posting, though feel free to delete if any objections...
 

Attachments

Last edited:

Ginzanix

Member
Aug 28, 2019
35
54
18
After lots and lots of tracing and dbx-work, through layers of obfuscation, I finally figured out the licensing, and how to make keys for Alias v6 and earlier. I still need to do some of it by hand, however I understand the process and just need to figure out which of the decrypted switches turn on/off which feature. It should be possible to implement an automatic key generator without too much trouble (the DES key is easily readable from within the software).

Basically the normal key type is 136 bits and contains, hostid/MAC, expiry and feature flags. This key would be encrypted by Alias using a standard DES encryption in (probably) CFB 1-bit mode. The encrypted result is then encoded to the limited license string charset, very similar to the base58 encoding (used for Bitcoin of all things), and this string would be provided to the user.

Currently I can make keys by patching the DES function argument in the software from 1 (decrypt) to 0 (encrypt). I then encode the unencrypted key I want to use (following a specific order of hostid, features etc.) using a modified base58 implementation (custom alphabet used by Alias, with certain similar characters removed). I then read the encrypted value which the software makes from memory (using dbx). Then the encrypted value is run through the modified base58 encoder again, to make the "user key". Finally I have to update the CRC (as explained in the document I provided above). When run with the original unpatched software (which decrypts the key).. it works!

(forget about the previously posted test license, it lacked several features. Here is a fully licensed PA6 for hostid 69123456). (screenshot removed, the license had beta/pre-release splash screens enabled)
 
Last edited:

Ginzanix

Member
Aug 28, 2019
35
54
18
If you change the Hostid to 69123456 (using the setenv command if you have an Indy, or one of the software tools for this purpose for other SGIs, or edit it directly in NVRAM if using Mame), you can simply use the license string in the screenshot above when installing the software. So, no more patching needed. This should also work with all versions of Alias 6 (6.0, 6.0a 6.0b), so there is no more need for custom patches for each version...

I can also generate licenses for any specific hostid, but its a bit of work, so I prefer to try to make some kind of automated key generator... If someone has the skills to implement/program a command line DES encryptor in 1-bit CFB mode, and a simple character encoding scheme for IRIX, just PM me for the details needed...!
 

Ginzanix

Member
Aug 28, 2019
35
54
18
Finally, here are valid licenses for PowerAnimator 6 (including StudioPaint 2), PowerAnimator 5 (including StudioPaint 1) and PowerAnimator 4 (also know as Alias (Studio/Designer) 3), all for hostid 69123456.


It took some time to make, as it is not enough to change the license version "prefix character" (I for v6, J for v6 beta, G for v5 and so on), as I thought above. Actually Alias changed the DES key between each release. Furthermore, the license I posted above had all features enabled, including the Beta/Pre-release splash screens. It took some time to find the correct features and disable them - the beta/pre-release flag positions changed between releases.

I also investigated if it is possible to make hostid "ANY" licenses. There is a FLK flag (floating key probably) in the license string which can be set and the hostid set to 00000000, which allows any hostid to pass the hostid check. However, the software then seems to check if the key was provided by the provided "skd" (security key daemon), which requires a dongle to run. The key check fails if the FLK-key (hostid ANY) is read from a local text file instead. This is easy to bypass via patching, but there seems to be no way to make a hostid "ANY" key in a "clean" way, at least from my investigation so far. It should be possible to make a patched version of the "skd" daemon which provides hostid ANY keys, though a general key generator would probably be more useful.

If anyone has an Onyx or similar, and want to test out StudioPaint 1 or 2 (which requires RE or GTX graphics I believe), please PM me - as I'm not sure there is any hostid change tool for Onyx.

alias4.PNG
 

Ginzanix

Member
Aug 28, 2019
35
54
18
Haha... this kind of software licensing archaeology is strangely satisfying... it doesn't require intelligence as much as patience and notekeeping - like a large puzzle... I understand the motivation of "4am" who has a similar project where he makes "re-patches" of Apple II software without intro screens etc... In a similar way this is kind of useless at this point in time, but for documentation and software history its pretty cool... and just interesting to practice...
 
  • Like
Reactions: gijoe77 and kikems

indigofan

Member
Jun 8, 2020
50
19
8
For some reason I get an error when trying to get the license plumed in on an Indigo running 5.3. I put in the license+host string generated and it says it fails every time for Alias 3.
 

Ginzanix

Member
Aug 28, 2019
35
54
18
For some reason I get an error when trying to get the license plumed in on an Indigo running 5.3. I put in the license+host string generated and it says it fails every time for Alias 3.
You should only enter the encrypted string into the license file. You need to use one of the change-sysid programs which are available to change the sysid/hostid of your SGI to 69123456. For the SGI Indy you can simply change the sysid/hostid using the "setenv" command on booting. I am not sure if there is a program to change the sysid for Indigo1, it should be possible to make one.
 

About us

  • Silicon Graphics User Group (SGUG) is a community for users, developers, and admirers of Silicon Graphics (SGI) products. We aim to be a friendly hobbyist community for discussing all aspects of SGIs, including use, software development, the IRIX Operating System, and troubleshooting, as well as facilitating hardware exchange.

User Menu