Analysis of OsiSoft’s PI License Mechanism

The licensing mechanism in OsiSoft’s PI is governed by a service called “PI License Manager” or pilicmgr.exe. This application can be activated as a service or a command line program.

If it is invoked without a parameter, it behaves as a service; if it is invoked from the command line with a parameter, it performs the task that parameter specifies.

Let’s run some command-line tasks with this application:

One important piece of information above is the license expiration date, which determines how long all the PI applications are active before the user should buy the program.

You can see that the pilicmgr.exe will use the pilicense.dat file for its licensing information.

Here is a portion of pilicense.dat viewed in a hex editor such as WinHex:

You can see that it is already in encrypted format, but how strong is the integrity of the security method?

To answer the above question, I decided to perform a detailed analysis of this application, especially when it tries to parse, decrypt and display the licensing information above.

Then, I arrived at the piece of data that pilicmgr.exe uses to process the licensing information, in decrypted format as follows:

The bytes highlighted in red, 0x5b7c6130 or 1534878000 in decimal, are the license expiration date in the form of a timestamp. This value can be decoded into the actual date using the epoch converter website (https://www.epochconverter.com), and I get Wednesday, August 22, 2018 2:00:00 AM GMT+07:00.

You can see this is in accordance with the license expiration date as shown by pilicmgr.exe program.

Then I performed an in-depth analysis to assess how strong the security mechanism involved in the encryption and decryption process is. At first, I presumed that it would use a key pair mechanism, so although I knew how to perform decryption, I couldn’t possibly perform encryption of the data.

But I was surprised that the security mechanism is very weak, so that I can perform decryption AND also encryption. So, it is possible to modify the data, such as the license expiration date, perform encryption and let pilicmgr.exe use the modified file.

The fact that I can still use the modified data also indicates that the application does not use a checksum mechanism as one of its security measures.
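The key pair design presumed above would also supply the missing integrity check. The following Go program is an added example, not code from this post or from the vendor: it signs a license with Ed25519 so that the shipped product holds only the public key and rejects an edited expiration date. The byte layout, the function names `IssueLicense` and `VerifyLicense`, and the product string are assumptions made for illustration; only the expiry value 0x5b7c6130 comes from the analysis above.

```go
package main

import (
	"crypto/ed25519"
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)

// Constructed layout (an assumption, not PI's real file format):
// [4-byte big-endian Unix expiry][product name][64-byte Ed25519 signature]

// IssueLicense runs on the vendor side only; the private key never ships.
func IssueLicense(priv ed25519.PrivateKey, expiry uint32, product string) []byte {
	payload := make([]byte, 4, 4+len(product))
	binary.BigEndian.PutUint32(payload, expiry)
	payload = append(payload, product...)
	return append(payload, ed25519.Sign(priv, payload)...)
}

// VerifyLicense runs in the shipped product, which embeds only the public key.
// Any change to the payload, including the expiry, invalidates the signature.
func VerifyLicense(pub ed25519.PublicKey, blob []byte, now time.Time) (time.Time, error) {
	if len(blob) < 4+ed25519.SignatureSize {
		return time.Time{}, errors.New("license too short")
	}
	split := len(blob) - ed25519.SignatureSize
	if !ed25519.Verify(pub, blob[:split], blob[split:]) {
		return time.Time{}, errors.New("signature mismatch: modified or not vendor-issued")
	}
	expiry := time.Unix(int64(binary.BigEndian.Uint32(blob[:4])), 0).UTC()
	if now.After(expiry) {
		return expiry, errors.New("license expired")
	}
	return expiry, nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil)         // nil selects crypto/rand
	lic := IssueLicense(priv, 0x5b7c6130, "PI-DEMO") // expiry value from the article
	now := time.Unix(0x5b7c6130-86400, 0)            // one day before expiry
	_, err := VerifyLicense(pub, lic, now)
	fmt.Println("original:", err)
	binary.BigEndian.PutUint32(lic[:4], 0x7fffffff) // edit the expiry in place
	_, err = VerifyLicense(pub, lic, now)
	fmt.Println("tampered:", err)
}
```

Because verification needs only the public key, knowing how the product reads the file no longer gives the ability to produce a file it will accept.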

So, I hope that OsiSoft PI personnel, after acknowledging this issue, will make some improvements in the next version. I think that’s enough for now.
