View Full Version : SSPRO - sproQuery() help required

February 9th, 2008, 15:57
Hello everybody

I'm working on a Sentinel Super Pro Crackme and I do have access to the dongle.
At first I used to TORO Sentinel Monitor to capture the values.
Here is the result:

TORO Sentinel Info File

0000,3 XXXX,1 ------ ------ ------ ------ ------ ------
0000,3 ------ ------ ------ ------ ------ ------ ------
------ ------ ------ ------ ------ ------ ------ ------
------ ------ ------ ------ ------ ------ ------ ------
------ ------ ------ ------ ------ ------ ------ ------
------ ------ ------ ------ ------ ------ ------ ------
0210,0 ------ ------ ------ 21C2,0 ------ ------ ------
0301,0 ------ ------ ------ 0000,0 ------ ------ ------

Next step: using IDA to identify the sspro functions:
(1) sproFormatPacket 00430800
(2) sproFindFirstUnit 004309F0
(3) sproWrite 00430DB0
(4) sproFindNextUnit 00430CB0
(5) sproRead 00430D20

(1) - (5) trival emulation, not a problem.

(6) sproQuery 00430E60

00430E60 56 PUSH ESI ; sproQUERY()
00430E61 57 PUSH EDI
00430E62 8B7424 0C MOV ESI, DWORD PTR SS:[ESP+C]
00430E66 85F6 TEST ESI, ESI
00430E68 75 09 JNZ SHORT crkme.00430E73
00430E6A 66:B8 1000 MOV AX, 10
00430E6E 5F POP EDI
00430E6F 5E POP ESI
00430E70 C2 1800 RETN 18

I found an emulation code in the tutorial of ArTeam, but I still don't know how to find the values for sproquery.
When I'm at 00430E62 EBP shows 00421350 crkme.00421350

At 00421350 I have got the following code:

0042134F 00B7 22D50300 ADD BYTE PTR DS:[EDI+3D522], DH
00421355 0000 ADD BYTE PTR DS:[EAX], AL
00421357 0011 ADD BYTE PTR DS:[ECX], DL
00421359 06 PUSH ES
0042135A 8E02 MOV ES, WORD PTR DS:[EDX] ; Modification of segment register
0042135C 68 12420003 PUSH 3004212
00421361 CD 34 INT 34
00421363 0258 CA ADD BL, BYTE PTR DS:[EAX-36]
00421366 42 INC EDX
00421367 00BB 7434027C ADD BYTE PTR DS:[EBX+7C023474], BH
0042136D B8 42001106 MOV EAX, 6110042
00421372 34 02 XOR AL, 2
00421374 68 12420003 PUSH 3004212
00421379 CD 8E INT 8E
0042137B 0296 B8420004 ADD DL, BYTE PTR DS:[ESI+40042B8]
00421381 91 XCHG EAX, ECX
00421382 D5 03 AAD 3
00421384 3D 71000092 CMP EAX, 92000071
00421389 108E 029CB842 ADC BYTE PTR DS:[ESI+42B89C02], CL
0042138F 000491 ADD BYTE PTR DS:[ECX+EDX*4], AL
00421392 D5 03 AAD 3
00421394 095B 00 OR DWORD PTR DS:[EBX], EBX
00421397 0092 108E02C2 ADD BYTE PTR DS:[EDX+C2028E10], DL
0042139D BC 42004533 MOV ESP, 33450042
004213A2 D5 03 AAD 3
004213A4 F3: PREFIX REP: ; Superfluous prefix
004213A5 0100 ADD DWORD PTR DS:[EAX], EAX
004213A7 0092 19340288 ADD BYTE PTR DS:[EDX+88023419], DL
004213AD B8 4200441A MOV EAX, 1A440042
004213B2 0000 ADD BYTE PTR DS:[EAX], AL
004213B4 00E6 ADD DH, AH
004213B6 42 INC EDX
004213B7 00BB 74D503D6 ADD BYTE PTR DS:[EBX+D603D574], BH
004213BD 99 CDQ

I guess I will need the red marked codes, because ArTeam got the values from a similar place. I can't really find any compares for the queryvalues in the crackme.
So I need some help on the sproquery() function to solve that crackme.

I read the tutorials on CrackZ page, the FAQ and also searched on the forum for information.

Thanks for help.

Best regards

February 12th, 2008, 17:26
I'm confused;

i). When I'm at 00430E62 EBP shows 00421350 crkme.00421350

Why is it relevant what EBP shows?, at this point you should be looking at the arguments on the stack, at [esp+14] will be a pointer to the query data, [esp+18] will be a pointer to where the response should be placed and [esp+1ch] a pointer to a dword where the last 32-bits of the query response will be returned, finally [esp+20h] holds the length of the query, typically it is the response32 [esp+1ch] that is checked more often than not on the application side.

Trivial query code can be used to fake the responses/fill the response buffer(s) as you require, remember to clear also the status (eax=0) then look for the checks on this data on the application side and perhaps patch there.

Another possibility is to patch in complete emulation of the query by *solving* the query descriptors, since this is a crackme I presume it isn't expected you do this ;-).

421350 looks like complete junk to me.



February 29th, 2008, 16:21
Thank you CrackZ for your answer.

I read Cyberhegs Tutorial about breaking the shell, but I haven't gone further with the crackme.
The crackme is protected by the sentinel shell. According to Cyberhegs essay there are two tables and two xor values. I was tracing the sproQuery-function for hours, but didn't find the queries.

I also studied some postings on this board and maybe this part might be interesting (does it help to emulate the sproQuery?):

0042FABB . 66:85C0 TEST AX, AX
0042FABE . 75 29 JNZ SHORT sproREAD.0042FAE9
0042FAC0 . 66:817C24 04 >CMP WORD PTR SS:[ESP+4], 0DE9B
0042FAC7 . 75 20 JNZ SHORT sproREAD.0042FAE9
0042FAC9 . 66:817C24 08 >CMP WORD PTR SS:[ESP+8], 0A17C
0042FAD0 . 75 17 JNZ SHORT sproREAD.0042FAE9
0042FAD2 . 66:817C24 0C >CMP WORD PTR SS:[ESP+C], 9A8F
0042FAD9 . 75 0E JNZ SHORT sproREAD.0042FAE9
0042FADB . 66:817C24 10 >CMP WORD PTR SS:[ESP+10], 74BE
0042FAE2 . 75 05 JNZ SHORT sproREAD.0042FAE9
0042FAE4 . BE 01000000 MOV ESI, 1
0042FAE9 > 8BC6 MOV EAX, ESI
0042FAEC . 83C4 10 ADD ESP, 10
0042FAEF . C3 RETN

Is it always possible to find the querries in sentinel shell protected exe-files?
Does this crackme require bruteforcing or a real dongle?

I attached a graph overview of the sproQuery. Maybe anyone could give me some hints which call should be analyzed carefully.

If anyone wants the crackme (it's just a keygen protected by the shell) let me know.

Thanks for your help.

Best regards