Additional research SentinelLM Shell v7.1.0

Tools

SoftICE, Tasm v3.01, Hiew, SentinelLM v7.1.0.

Initial analysis

Let's create the simple program "Hello.exe" (the text - in the end). With the help of program SlmShell.exe and protect it with parameters :
- Feature Name: 01;
- Version: 02;
- Group Licensing: Enable;
- Group Feature Name: 03;
- Version: 04;
- License Search Option: Both Standalone and Networked computers;
- License Request Option: Enable.

The size of the protected program has increased from 4K up to 533K.

Getting the decryption stage

Having loaded the program in SoftICE and tracing, we have the first call of the subroutine of decrypting : (Note: designations on essay by CyberHeg).

004A1471: mov ecx, [00466C60] <-Decrypting call
004A1477: mov ebx, [00466C5C]
004A147D: add ebx, 008
004A1480: mov eax, [00466C5C]
004A1485: add [00466C60], esi
004A148B: mov edx, [eax] <-tResponse = 0x00112532
004A148D: push edx
004A148E: mov edx, [eax] [04] <-iCounter = 0x0000029c
004A1491: push edx
004A1492: mov eax, [ebx] <-lpCryptedBuffer = 0x00460044
004A1494: push eax
004A1495: call d, [ecx]
004A1497: mov [ebx], eax <-Sum
004A1499: add d, [00466C5C], 008
004A14A0: jmp loc_4A0B21

It is tedious each time to trace the target program to search for the decryption subroutine, I have found an alternative method to find iCounter, tResponse, lpCryptedBuffer/lpUnCryptedBuffer. Search for the line " SentinelLM User ". In my example it is at 00460030. Check that from the beginning of the line +0x10 (00460040) - nonzero value is tResponse, on displacement +0x14 (00460044) - lpCryptedBuffer/lpUnCryptedBuffer, on displacement +0x2e0 - the sum of the deciphered block. The length of the ciphered block is fixed, iCounter = 0x29;.

00460030:53656E74-696E656C 4C4D2055-73657200 SentinelLM User
00460040:32251100.......
........
004602D4: ...... C3363038

If from the beginning of the line +0x10 is zero, the tResponse is on displacement +0x198, on displacement +0x19C - lpCryptedBuffer/lpUnCryptedBuffer, on displacement +0x43C - the sum of the deciphered block. The length of the ciphered block also is fixed, iCounter = 0x29C;

After decrypting (read essay CyberHeg) we have in the buffer on to displacement 00460044:

00000000:00003000-00000000-00000000-9378CA29
00000010:00010000-800A0A00-00004000-00000100
00000020:00000100-00100000-20000060-00000400
00000030:00000300-80000000-02000000-00000100
00000040:00020000-36F55598-61691083-00000000
00000050:00000200-00020000-3FF15598-905022FA
00000060:00000000-00000000-00000000-00000000
00000070:00000000-00000000-00000000-00000000
00000080:00000000-00000000-00000000-00000000
00000090:00000000-00000000-00000000-00000000
000000A0:00000000-00000000-00000000-00000000
000000B0:00000000-00000000-00000000-00000000
000000C0:00000000-00000000-00000000-00000000
000000D0:00000000-00000000-00000000-00000000
000000E0:00000000-00000000-00000000-00000000
000000F0:00000000-00000000-00000000-00000000
00000100:00000000-00000000-00000000-00000000
00000110:00000000-00000000-00000000-00000000
00000120:00000000-00000000-00000000-00000000
00000130:00000000-00000000-00000000-00000000
00000140:00000000-00000000-00000000-00000000
00000150:00000000-00000000-00000000-00000000
00000160:00000000-00000000-00000000-00000000
00000170:00000000-00000000-00000000-000E0000
00000180:FFFFFFFF-00100000-E5130000-01000000
00000190:03000000-00010000-30330000-00000000
000001A0:00000000-00000000-00000000-00000000
000001B0:00000000-00000000-00000000-00000000
000001C0:00000000-00000000-00000000-00000000
000001D0:00000000-00000000-30340000-00000000
000001E0:00000000-00000000-00000000-00000000
000001F0:00000000-00000000-00000000-00000000
00000200:00000000-00000000-00000000-00000000
00000210:00000000-00000000-30310000-00000000
00000220:00000000-00000000-00000000-00000000
00000230:00000000-00000000-00000000-00000000
00000240:00000000-00000000-00000000-00000000
00000250:00000000-00000000-30300000-00000000
00000260:00000000-00000000-00000000-00000000
00000270:00000000-00000000-00000000-00000000
00000280:00000000-00000000-00000000-00000000
00000290:00000000-00000000-00000000-

Having played with options of program SlmShell.exe, having investigated the decrypted buffer,
PE-headings of initial and ciphered file Hello.exe, we have
Mentioned below structure of the received buffer:

struct STATUS {
// It is not known.
unsigned int Header1; // 0x0000 0x00300000
// It is not known.
unsigned int Header2; // 0x0004 0x00000000
// It is not known.
unsigned int Header3; // 0x0008 0x00000000
// Can be ciphered UST???
unsigned int Unknown0; // 0x000c 0x29CA7893
// It is not known.
unsigned int Unknown1; // 0x0010 0x00000100
// Entry Point the crypted file
unsigned int EntryPoint; // 0x0014 0x000a0a80
// Image Base the crypted file
unsigned int encImageBase; // 0x0018 0x00400000
// Entry Point not crypted file
unsigned int encEntryPoint; // 0x001c 0x00010000
// RVA not crypted file
unsigned int encRVA; // 0x0020 0x00010000
// Virtual Size not crypted file
unsigned int encVirtSize; // 0x0024 0x00001000
// Flags not crypted file
unsigned int encRVAFlags; // 0x0028 0x60000020
// RVA .idata not crypted file
unsigned int idataRVA; // 0x002c 0x00040000
// RVA .reloc not crypted file
unsigned int relocRVA; // 0x0030 0x00030000
// Size .reloc section of not crypted file
unsigned int relocSize; // 0x0034 0x00000080
// Count of crypted section
unsigned int eCount; // 0x0038 0x00000002
// Note: my purposes had one or two crypted sections.
// Them can be up to 16, according to structure:
// eCount = the Counter of structures INFO
// struct INFO {
// unsigned int encRVA; // 0x003c 0x00010000
// unsigned int encPhysSize; // 0x0040 0x00000200
// unsigned int XORtResponse; // 0x0044 0x2a12c28a
// unsigned int decryptSum; // 0x0048 0x83106961
// unsigned int Zero; // 0x004c 0x00000000
// } slminfo;
// RVA crypted section 1
unsigned int encRVA1; // 0x003c 0x00010000
// Physical Size crypted section 1
unsigned int encPhysSize1; // 0x0040 0x00000200
// XOR'ed tResponce crypted section 1
unsigned int XORtResponse1; // 0x0044 0x9855F536
// Sum crypted section 1
unsigned int decryptSum1; // 0x0048 0x83106961
// Zero always
unsigned int Zero3; // 0x004c 0x00000000
// RVA crypted section 2
unsigned int encRVA2; // 0x0050 0x00020000
// Physical Size crypted section 2
unsigned int encPhysSize2; // 0x0054 0x00000200
// XOR'ed tResponce crypted section 2
unsigned int XORtResponse2; // 0x0058 0x9855F536
// Sum crypted section 2
unsigned int decryptSum2; // 0x005c 0xfa225090
// Zero always
unsigned int Zero4; // 0x0060 0x00000000
// The following structures crypted section (up to 14 pieces)
// Or zero if is not more present crypted section
unsigned int Zero5 [0x46]; // [0x0064-0x0174] 0x00000000
// It is not known. With a view of 0x0000e000 or 0x00000000
unsigned int LicVar1; // 0x017C 0x0000e000
// It is not known. With a view of 0xffffffff or 0x00000000
unsigned int LicVar2; // 0x0180 0xffffffff
// It is not known. With a view of 0x00001000 or 0x00000000
unsigned int LicVar3; // 0x0184 0x00001000
// The command 0x13E5 - is used in the main shell program
unsigned int Command; // 0x0188 0x000013e5
// The status 0x1 - is used in the main shell program
unsigned int LicVar4; // 0x018c 0x00000001
// License Search Option:
// 0x01 - Both Standalone
// 0x02 - Networked computers
// 0x03 - Both Standalone and Networked computers
unsigned int TargetSystems; // 0x0190 0x00000003
// License queuing enabled/disabled
// 0x00000000 - disable
// 0x00000100 - enable
unsigned int RuntimeOptions; // 0x0194 0x00000100
// Group Feature Name - ASCIIZ-string, max. length 0x19
// Zero - if not used
unsigned char GroupFeatureName [0x19]; // 0x0198
// Alignment up to 64 bytes
unsigned char Zero6 [0x27]; // 0x01b1 0x00000000
// Group Version - ASCIIZ-string, max. length 0x0c
// Zero - if not used
unsigned char GroupVersion [0x0c]; // 0x01d8
// Alignment up to 64 bytes
unsigned char Zero7 [0x34]; // 0x01e4 0x00000000
// Feature Name - ASCIIZ-string, max. length 0x19
unsigned char FeatureName [0x19]; // 0x0218
// Alignment up to 64 bytes
unsigned char Zero8 [0x27]; // 0x0231 0x00000000
// Feature Version - ASCIIZ-string, max. length 0x0c
// Zero - if not used
unsigned char FeatureVersion [0x0c]; // 0x0258
// Alignment up to 64 bytes
unsigned char Zero9 [0x38]; // 0x0231 0x00000000
} slmstatus;

Everything is specified in this structure, that is necessary for decrypting of ALL crypted
section. For this purpose it is necessary to calculate only tResponse for each section:

tResponse [i] = XORtResponse [i] ^ 0x7b2309a7;
0x7b2309a7 is the "magic" value used in SentinelLM 6.0, 7.1, 7.2!!!

How to use "decrypt" from essay CyberHeg for decoding all section, to correct section .reloc and entry point, I shall not describe.

Final

Who has desire, that can write UnSheller ;-) what to automate process of removal of SentinelLM Shell. I to take advantage "decrypt.cpp" from essay CyberHeg for decrypting structure and search of values Bytesize = encPhysSize, pos = offset by encRVA which I simplify the research problem of SentinelLM Shell.

P.S. After a writing of an essay at me the target with protection SentinelLM Shell v7.2.0 has appeared. All is higher written concerns and to this version. ;-)

 

Content of hello.asm
;-------------------------------=== START ===---------------------------
.386P
Locals
jumps

.Model Compact
mb_ok equ 0
hWnd equ 0

extrn ExitProcess: PROC;
extrn MessageBoxA: PROC;

.Data

caption db " Hello! ", 0
text db " This is SentinelLM Shell test ", 0

.Code
Main: push mb_ok
push offset caption
push offset text
push hWnd
call MessageBoxA
CALL ExitProcess
End Main
;-----------------------== END OF SOURCE ==----------------------------

content of hello.bat
rem - START---------------------------hello.bat
tasm32 /l/mx/m3/z/q hello
tlink32 /Tpe/aa/c hello, hello, import32.lib
rem - END----------------------------hello.bat

 

 

 

 


Return to Dongles Return to Main Index


© 1998-2004 CrackZ. September 2004.