Sentinel, and now ?


andreas heinz
March 15th, 2005, 17:21
Hi Guys,
I'm a new member and this is my first posting.
I'm from Hamburg, Germany and 31 Years old.

I've read nearly all tuts from woodman.com and now it's the time to ask for some asskickin' in the right direction ;-)

I got one licensed version of my app, protected (Har :P) by a SentinelSuperPro from Aladdin. The API calls are inside my target, not linked against any DLL (so statically linked).
And now I need some advice on how to either get the emulator working or find the points of interest for patching...
I swear, I tried all the standard ways, but it seems to give so many subroutines that it makes me confused.
So, my dump from my SentinelSuperPro (using Sdump, thanks to CrackZ ;P) and the whole IDA listing of the interesting funcs are attached as .txt files.


Please inform me if you need additional information.
Greetz and tribute to all the great people who know how to reverse and share knowledge with us, namely +spath, CrackZ, Sp0raw, MeteO, Killer3K, CyberHeg, and all the others being unnamed.....
Greetz
SuumCuique

JMI
March 15th, 2005, 17:44
andreas heinz:

Please edit your post and take out the long listing of code and put it into a text file and attach it. We really do not need that much code displayed in the thread for the few who may have a specific interest in it.

Regards,

andreas heinz
March 16th, 2005, 10:38
Yep, it will be done...

andreas heinz
March 16th, 2005, 15:03

Hi all,
I need some additional information on emulating a SentinelSuperPro and on how to insert the dump into my app.
I have no DLLs, the whole stuff is statically linked. And the function calls are very nested.
I first posted in the newbie forum, because I'm new in this forum, and so I point to this posting, because there are the listings of the SproCalls which I patched and my dump.
Please excuse my xpost, but it seems here are the ones who have more experience with dongles...

CrackZ
March 16th, 2005, 19:46
Hiya andreas,

First suggestion, do JMI a big favour and ask him to merge your posts (this one and the one from the newbie forum), I think you might even be able to do it yourself ;-).

OK, my initial suggestions:

1. sproFormatPacket() shouldn't need to be patched.
2. Read a few tutorials about sproRead(); more specifically, to emulate that function your emulation code needs to pass back emulated dongle memory. Simply clearing AX to 0 will pass only the status check; the code after just looks like a loop reading each word. This is likely your main problem at this stage.
3. The rest of your code paste is pretty much junk ;-), keep in mind you are here to attack the dongle API and nothing else; if you can't simulate the dongle API you're just going to blindly force checks instead of working out why the code flows as it does.
4. You can brute force the write password, overwrites are another story (pray you've got them in the app if you really need to recover them).
5. Forget getting your dump to work with any 'Sentinel Emulators', at least in the short term.
6. Read the SSPro API guide (this is IMPERATIVE!) or contact me some way.

Regards

CrackZ.

JMI
March 16th, 2005, 20:55
Actually he can't, but anything for an admirer of Shania.

Regards,

andreas heinz
March 23rd, 2005, 06:29
1. Ok, will try to merge ...
2. Right, I inserted FormatPacket as patched, but it wasn't. It was unchanged. My failure (perhaps one beer too much ;-) )
3. Well, the main problem for me is not to be confused by the whole loops.
Can't see the forest for the trees....
So, to figure out the flow I have to investigate a lot more...
I downloaded the Rainbow Toolkit and studied the API documentation; the details of the functions, the return values and their meaning were very helpful (thanks for your advice) and could be the starting point to write a brute-force function to get the passwords.
And it seems you prefer to insert the dump into the target and forward the query flows to the memory addresses....
Well, we'll see...
I will give feedback when done...
Regards

egalerst
March 24th, 2005, 18:14
My 2 cents; if any of the gods here knows better, correct me.

You made a good approach.
FormatPacket normally only needs to be patched for users who don't have the Sentinel driver installed.
You already successfully patched FindFirstUnit() and your next step would be dealing with sproRead(). To accomplish this task you have to trace the program with the dongle attached (sounds like you got it). Now when sproRead() is called, take a look at the destination buffer (remember you have the API guide).
Now write down the result after the sproRead().
Next step is to replace the sproRead() with one of CrackZ's fine emulator codes.
sproWrite() is almost the same approach.
Good luck

andreas heinz
March 29th, 2005, 13:11
Thanks for the advice.
I think it's the lack of experience which led me into the depths of the loops.
Well, I'm checking the destination buffer, and sproRead() is called 61 times in one loop and after that no more (checked the app; sproRead() is called only this one time).
Now the job is to get it emulated ;-)
Will try what's in CrackZ's tutorials
(But I never ever set up a delta offset; now it's time for cooling a six-pack)
Regards