SentinelLM


adg
February 12th, 2002, 04:41
I am currently working through SentinelLM and have reached the point where I have to set break-points in WlscGen.exe. The version of SentinelLM I have is 7.1.1; the tutorials I am referring to are for 7.1.0. Following the logic and applying the relevant sig in IDA and then preparing and converting a MAP file for S/ICE, I have come up against a wall.

Firstly, the SYM file does not seem to work (I know I have the correct technique, since I have done this for my target to get the vendor code): when I try to set BPX _gengetvendorcode, the address is not recognised. When the relevant sigs are applied in IDA they do appear, and they seem reasonable when I refer back to the tutorials.

Secondly, trying to set the breakpoint on an address instead of the name doesn't work either, so I have wasted quite a few licences on the dongle!!

Checking filemon output during a run of wlscgen shows that Sentinel.vxd is accessed all the time, which makes me wonder :-|

Does anyone know if there was a BIG security upgrade between 7.1.0 and 7.1.1 that would stop IDA/Softice partnership from working?

If so, do you have any insight into how this could be beaten yet?

Thanks in advance

ADG

nblender
February 12th, 2002, 19:19
I think there may have been some rudimentary anti-debug stuff in some versions of the program; you shouldn't even need the dongle to do cracking on it, but it may help.

Try BPM instead.

adg
February 13th, 2002, 04:51
Thanks nblender,

I have done a little more digging and it seems that _gengetNBVendorcode is not openly referenced.

The MAP file I created did work, I checked on sprodecrement, to avoid losing any more licenses, and Softice broke in as required :-)

I'm not sure if this is right, but instead of breaking on _gengetNBVendorcode I tried patching mov edi, (vendorcode) into the end of _gengetNBVendorcode, but this didn't cause any changes to the license generated. I did a run before and after and the licenses are identical. HMMM

While I was tracing things through the other night I noticed that WlscGen spent most of its time referencing into acpi.sys and vmm32.sys (I think) during the generation stage rather than in the _genxxx routines as I expected; maybe this is the anti-debug stuff?

I'm going to follow up a thought I just had about lscgen.exe. Maybe this will have less baggage and outside references since it is all command line stuff!

I solved the dongle decrement problem (temporarily) while I try to find the right place to insert the new vendor code..... bpx on sprodecrement and whip the dongle out! The generation routine continues but then fails right at the end when, I presume, the final dongle access is made to seal the deal.

Maybe I can turn sprodecrement into an increment ho ho!

regards

ADG

adg
February 14th, 2002, 06:12
Tried out the lscgen.exe idea and this does generally the same thing as WlscGen.exe :-(

I'm beginning to think that _gengetNBVendorcode is not actually used in 7.1.1.

Tried bpx on _computevendorcode and changing the result in EAX to the vendorcode I'm looking at but no joy again.

I must look at cracking the dongle requirement or stopping sprodecrement, the dongle is beginning to look a bit short on licenses! Any ideas on this front? Would it be a case of patching the "dongle writing" routine so that it doesn't write to the cell but returns LS_Success?

I tried running the target, with MY generated license, and breaking out on _computevendorcode and changing the EAX result to MY vendorcode and got a different error message! Perhaps a dirty fix would be to patch the target at _computevendorcode and replace EAX with my vendorcode! but that accepts defeat in the eyes of the Sentinel!!

nblender.... I tried "bpm _gengetNBVendorcode" but it broke only in WINICE and nowhere else; did I do something wrong?

If anyone wants to look at this version of WlscGen.exe call out and I will upload!

Cheers

ADG

adg
February 14th, 2002, 08:21
Thought I'd let you know my little success with WlscGen.exe

Managed to stop the sprodecrement function from working!

I put a little patch right at the start of the function which simply put LS_SUCCESS into EAX and returned from the function (retn 0Ch).

No more Decrements!

This means that you should be able to generate a totally unlocked license, because sprodecrement only decrements by one license per hit (an unlocked license costs 250 licences!!! :-0), but the dongle cell is checked along the way, so if it doesn't hit 0 then it will keep going until the cows come home!!

Now for some real cracking!

Cheers

ADG

kade
February 21st, 2002, 15:21
I had the same problem with Wlscgen.exe yesterday. It is some kind of anti-debugging technique. I don't have time at the moment to discover how they did it (IDA shows a lot of nops and a lot of int 3s; also there is an sti call which I believe is used when you protect the software with a dongle), but I found out how to defeat it. This is what you need to do:

Step 1 : Before loading Wlscgen.exe you have to set up a breakpoint to Getversion. Softice will certainly popup when you load Wlscgen.exe.

Step 2 : When softice pops up you do "bc *" and "bpx #0041f0c0". We use "bc *" here because Getversion is called a lot in Wlscgen.exe and softice would otherwise pop up too many times.

Step 3 : press F5 and generate the license, softice will pop up at the desired breakpoint.

I hope this also works for you. Let me know if you know what technique they used.

Good luck

adg
February 22nd, 2002, 05:05
kade,

Thanks for that pointer! I shall give it a go tonight and let you know the results!

cheers

ADG

adg
February 26th, 2002, 09:35
Well, I tried the above test but with no success, even substituting the right address (kade's address I think is for 7.1.0) and doing the necessary.

I did some more thinking and surfing over the past few days and decided to try to find out what scheme Rainbow are using for anti-Softice. I used FrogsIce to try to intercept the hook and it appears that the int03s are a red herring and the real detection is by a call to VMM's 'Test_Debug_Installed'.

SO..... the obvious question here is how do I defeat this detection method? Does FrogsIce cope with this method or does it just flag it up in the log?

I tried hooking the call using "Hook DrX" but I seem to be having problems with Win98 crashing on me! I will continue to work on this, but any suggestions would be gratefully received!

BTW.... I seem to be having a few problems with IDA not decompiling correctly, it seems to decompile most of the WLSCGEN.exe but not all of it and some FLIRT sigs don't attach. I know it has worked on WlscGen.exe before but now it's playing up. Has anyone else seen this, or is my system getting frazzled causing IDA grief in the process?

Cheers

ADG

MTB
February 26th, 2002, 10:14
Hiya

I had a similar problem with a target. Believe it or not, try W32dasm; it worked on my stuff. Now the other thing to try is the LATEST version of IDA Pro, 4.17 vs the older 4.04; the 4.17 version got by the anti-IDA stuff with ease. Still had to run overnight, and it applied the correct signatures.

MTB

adg
March 1st, 2002, 15:12
Beginning to get a little cheesed off here!

I have run Wlscgen.exe to death but I still can't isolate (bpx or bpm) _gengetnbvendorcode.

I installed and used FrogsICE to try to find where the anti-softice was embedded in the app but until now it hasn't trapped anything. I have tried trapping the debug register check but it hasn't found this type of protection! I have tried the Int03 trap with no luck either! I'm beginning to think that there is no protection and that _gengetNBVendorcode is not used at all in 7.1.1 (can't be !!)

Beginning to think it might be easier to strip SentinelLM references out of the target! :-0

Any ideas how I might break on the call to a dll?

I have looked at an essay written about VxD protection where CreateFileA and something else (I can't quite remember right now) were used to detect the call to the VxD in question! Would the same idea apply? Or do I need to use something more elaborate?

I know the name of the dll that does all the SentinelLM calls, but this is NOT referenced in the imports table in my IDA listing of the target. Hmm, is this a relocation? Or is the call being made indirectly through another dll like Kernel or VMM?

Any pointers would help break the gloom lying over my head at present!!

cheers

ADG

moZfet
April 17th, 2002, 19:09
Heya ADG,

I invite you to read your personal messages.

Regards, moZ