help! sentinel superpro


boxx
July 6th, 2001, 14:55
I found that the app communicates with the dongle only by ReadFile(), and the length of the returned data read is zero. I'm really confused.
What's going on?
Thanks.

Crayser
July 6th, 2001, 16:33
How could you communicate with the dongle? I want to crack a prog protected with the Sentinel SuperPro dongle too, but I don't know how to begin.

boxx
July 6th, 2001, 23:55
bpio 378, and F12 to get into the app code

Crayser
July 7th, 2001, 05:40
Does 378 stand for LP1? In my application it doesn't break when there is no dongle.
Is the function of every Sentinel SuperPro dongle the same?

the analyst / ucf
July 7th, 2001, 15:21
hey,

I advise you to get the Sentinel manual
and read about the API.
It will help a lotta more than bpio and such wanks.
It describes the API, what they return, error codes...
Also get the IDA sig files for Sentinel;
you will see what API is called in the code, and just read the manual.
Who said RTFM? ;-)
You gotta read CrackZ's dongle tutorials.
w**.zencrack2.cjb.net

my 2 cents.
regards,

the analyst

Crayser
July 8th, 2001, 10:16
Is it possible to crack a program protected with a dongle by checking when and where it tries to connect to the dongle?
I built onto the LPT port an oscilloscope with memory that shows me if there was a connection with the LPT port. Then I set a bp where it first checks the port. From there on I compare the assembler code with and without a dongle, and I want to change the points where they differ from each other. Does it make sense? The Sentinel SuperPro dongle is checked only at the beginning of the program.
I think I can't set a bp on the input/output because the program doesn't use the important driver of Windows, and maybe there is a self-written driver in the program that SICE can't detect.
I know it's circular, but I don't know how to crack it in another way.

PS: sorry for my English, it's not my mother language.

xiaoxiaoc
July 15th, 2001, 13:24
I can crack it, but I know only a little English, sorry.
You can FTP the soft; e-mail me the address.

xiaoxiaoc
July 15th, 2001, 13:42
I can crack it, but I know only a little English, sorry.
You can FTP the soft; e-mail me the address.
I think BPIO 378 or 278 can't be used, because the "dog" has used VXD technology. It works at privilege level zero, so we can't stop it. But the anti-vocabulary VXD can find out the problem silently.

Crayser
July 15th, 2001, 15:58
OK, I will send you the files I think you need to crack the program to your e-mail.
After a very long time of tracing through the code, here are the results of my work. I found a call where there is only a jump after the kernel uses DeviceIoControl, and after that the dongle is checked. But I expected something like a test and a conditional jump. What should I change there? It still jumps back and communicates with the dongle, but where?

Everybody tells me to read the manual. I just found some tutorials and programs for SSPro, but not a manual, on the zencrack site.

the analyst / ucf
July 15th, 2001, 18:15
Quote:
Crayser (07-15-2001 13:58):
OK, I will send you the files I think you need to crack the program to your e-mail.
After a very long time of tracing through the code, here are the results of my work. I found a call where there is only a jump after the kernel uses DeviceIoControl, and after that the dongle is checked. But I expected something like a test and a conditional jump. What should I change there? It still jumps back and communicates with the dongle, but where?

Everybody tells me to read the manual. I just found some tutorials and programs for SSPro, but not a manual, on the zencrack site.


I would like to have it too.
Is it possible?
As I said above, you should really get the Sentinel API guide.
You wouldn't lose your time, and you would actually understand what's going on.
The first time I cracked a Sentinel, I didn't really understand what happened; I just patched around and used DeviceIoControl.
Get the doc, RTFM, get IDA's sig files, fire up SoftICE and let's rock.
Nothing much, actually.

my 2 cents,

the analyst

Crayser
July 17th, 2001, 02:59
No problem, but first you must tell me which files you need. I can't send you the whole program because it's too big (about 400 MB). But the check is only at the beginning, and the program loads a few DLLs before it comes to the message box. I used only 3 files to get to the DeviceIoControl. And there is another file with MessageBoxA (but that's too late). Or maybe you need the VxD file. I'm not sure if the way I took was right.

Where do I get the doc and the manual? On zencrack2.cjb.net there are only some older tutz and some programs.

crayser

goatass
July 17th, 2001, 07:51
Hey Crayser, you need to get those old papers, and some of them are not that old and they are still very valid. Check out my paper on FlexiSign PRO; it will help you a lot, since I explain almost everything in there and I have a link to the SSPro manuals in there as well. You can get it at zencrack2.cjb.net and on tsehp.cjb.net, and I suggest you read them all before continuing, because from what I read in your posts you don't understand what's going on in the protection, and your approach is not wrong but not a very good one. When it comes to the new SSPro version you need to do some reading before trying to reverse it.

You must read; don't try reversing it before you read the manuals. Trust me, they help A LOT.

goatass

the analyst / ucf
July 17th, 2001, 08:13
Quote:
Crayser (07-17-2001 00:59):
No problem, but first you must tell me which files you need. I can't send you the whole program because it's too big (about 400 MB). But the check is only at the beginning, and the program loads a few DLLs before it comes to the message box. I used only 3 files to get to the DeviceIoControl. And there is another file with MessageBoxA (but that's too late). Or maybe you need the VxD file. I'm not sure if the way I took was right.

Where do I get the doc and the manual? On zencrack2.cjb.net there are only some older tutz and some programs.

crayser



Set up an FTP server
and I'll leech it from there.
Actually, as goatass said (hey mate, btw), forget that stuff and read the manual, essays...
You'd better emulate the dongle instead of patching around with some lucky guess.
;-)
Look around for that manual.
Really, it helps a LOT.

regards,

the analyst

Morlac.
July 17th, 2001, 09:15
Crayser,

Although your method is valid and can lead to good results, it's a waste of time. The ReadFile() and DeviceIoControl() functions are located inside the dongle object file that gets linked to the app itself. When you patch there, you are actually patching the dongle driver that is linked to the app. If you go up in the calling hierarchy, you will come to the documented dongle APIs used by the app. So, as everyone is telling you, you should get the API documentation (available from http://www.rainbow.com/tech/files/SentinelSuperPro/Manual/SentinelSP6DevelopersGuide.pdf ).
This PDF will explain a lot. And you need the signature file from zencrack2.cjb.net.

The reason why you need to do this is because the app is quite huge, and that can mean lots of checks. Some are hidden.
Once you apply the sig files to your assembly, you will see which part of the code is checking the dongle.
And then making an emulator for the dongle will be quite easy if you can intercept each and every call made to the dongle.

...only my 2 cents.

everybody,
Morlac

Crayser
July 18th, 2001, 14:32
Thank you for all your tips.
I will read the manual and some tutz (I've also read some already), but my personal experience is that I learn better by cracking a program than only by reading. If there is a lot of information, I often forget what I read at the beginning. But practical learning (for example communication with you guys and describing some questions with regard to the code itself) would help me understand much more.

Now to the files:
I will set up a file server, but not for 1, maybe 2 weeks. On my second PC there is much to do, and now I have little time. Maybe I can upload it somewhere, but if you want I'll send the files first necessary for cracking to your e-mail account.
OK, now I know that my way is a wrong one, but I don't know which one is right. But before you answer the question I will read some docs etc. and maybe find the answer alone ;-) .

Crayser

Crayser
July 19th, 2001, 05:24
When I want to emulate the dongle, I must know its answers. I know every call that communicates with the dongle, but I don't know what it sends me back. I could compare the values on every call (with and without the dongle) and change them, but I think there is a better way to find it out. To emulate the dongle I need every answer from it. It took me a lot of time to find all the calls.

Morlac.
July 19th, 2001, 08:42
Crayser,

Well, you can always find what is expected from the dongle by looking at the code that follows the call to the dongle, even if you don't have the dongle.
You will either find a direct check of the results, or you can see that the code manipulates the value and then checks it.
You can always reverse that, and you should get the actual results.
So, you don't really need the whole content of the dongle. But if you'd like to write a full emulator, then use a dumper utility and then write your emulator. This has the advantage that if you missed one call, it'll still work because you supplied the whole dongle contents.
Otherwise, you have to keep looking.

Morlac

shark
March 21st, 2002, 04:31
I think you may be Chinese!
Please add me as a friend on QQ.
My number: 5080518
Maybe you can help me!
Thank you!