
Thread: unknown sentinel spro api

  1. #1

    unknown sentinel spro api

    Hi all,

    In my spare time I worked on a project involving <SENTEMUL2007.exe> from www.software-key.org, and after unscrambling the driver I found this interesting piece of code:

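    ; -----------------------------------------------------------------------
    ; Handler for Sentinel SPRO API 15h in the emulator driver (the log string
    ; below names it "RNBOsproFx15"). IDA listing, 32-bit x86, Intel syntax.
    ;
    ; NOTE(review): the forum's code highlighter dropped the ", " between
    ; operands, the "=" of the arg_0 definition, the ";" before IDA comments,
    ; some label colons, and split lines after "]". They are restored here.
    ; `cmp dword_17C74, 0` is the reading that fits the 7-byte instruction
    ; length and IDA's hex notation; confirm it against the binary.
    ;
    ; NOTE(review): this is the emulator's own reply logic, not the vendor
    ; driver, so it shows what the emulator author believed API 15h returns.
    ;
    ; In:    arg_0 = pointer to the request structure (kept in esi)
    ;          +06h word  status: low byte = result code, high byte = StatusBase
    ;          +0Ch word  value handed to FindSentinel
    ;          +34h word  cell index
    ;          +38h       12-byte reply area; first word = data returned
    ; Out:   eax = RetValue (global)
    ; Stack: retn 4 - the callee removes its single argument
    ; -----------------------------------------------------------------------
    .text:00011B64 arg_0           = dword ptr  4
    .text:00011B64
    .text:00011B64                 cmp     Options.Log, 1
    .text:00011B6B                 push    esi             ; save esi; push/mov leave the flags intact
    .text:00011B6C                 mov     esi, [esp+4+arg_0] ; esi = request pointer
    .text:00011B70                 jnz     short loc_11B83 ; skip tracing unless Options.Log == 1
    .text:00011B72                 movzx   eax, word ptr [esi+34h]
    .text:00011B76                 push    eax             ; char
    .text:00011B77                 push    offset aRnbosprofx15Ce ; "\nRNBOsproFx15 Cell=%04.4X\n"
    .text:00011B7C                 call    PrintLog
    .text:00011B81                 pop     ecx             ; caller removes the two PrintLog arguments
    .text:00011B82                 pop     ecx
    .text:00011B83
    .text:00011B83 loc_11B83:
    .text:00011B83                 xor     eax, eax
    .text:00011B85                 mov     ax, [esi+0Ch]   ; eax = zero-extended word at +0Ch
    .text:00011B89                 push    offset Options
    .text:00011B8E                 push    eax
    .text:00011B8F                 call    FindSentinel
    .text:00011B94                 test    eax, eax
    .text:00011B96                 jnz     loc_11C65       ; non-zero return -> failure path
    .text:00011B9C                 call    CheckLic
    .text:00011BA1                 test    eax, eax
    .text:00011BA3                 jnz     loc_11C65       ; non-zero return -> failure path
    .text:00011BA9                 cmp     word ptr [esi+34h], 7
    .text:00011BAE                 jbe     short loc_11BE5 ; unsigned: only cells 0..7 are served
    ; cell index above 7: reply with result code 5 and no data
    .text:00011BB0                 mov     ax, [esi+6]
    .text:00011BB4                 and     eax, 0FF00h     ; keep the high byte of the status word
    .text:00011BB9                 add     eax, 5          ; low byte = 5
    .text:00011BBC                 mov     [esi+6], ax
    .text:00011BC0                 mov     cl, Options.StatusBase
    .text:00011BC6                 test    cl, cl
    .text:00011BC8                 jz      loc_11C89       ; StatusBase == 0: leave the high byte alone
    .text:00011BCE                 movzx   cx, cl
    .text:00011BD2                 and     eax, 0FFFF00FFh ; drop the old high byte
    .text:00011BD7                 shl     ecx, 8
    .text:00011BDA                 add     ecx, eax        ; cx = StatusBase << 8 | result code
    .text:00011BDC                 mov     [esi+6], cx
    .text:00011BE0                 jmp     loc_11C89
    .text:00011BE5 ; ---------------------------------------------------------------------------
    .text:00011BE5
    .text:00011BE5 loc_11BE5:
    ; cell index 0..7: answer from the emulator's Memory image
    .text:00011BE5                 push    ebx
    .text:00011BE6                 push    ebp
    .text:00011BE7                 push    edi
    .text:00011BE8                 push    offset MemoryAccess
    .text:00011BED                 mov     ebp, offset Memory ; ebp = Memory, reused for CheckDongleLic below
    .text:00011BF2                 push    ebp
    .text:00011BF3                 call    ReadSentinel
    .text:00011BF8                 xor     eax, eax
    .text:00011BFA                 lea     ebx, [esi+38h]  ; ebx = reply area
    .text:00011BFD                 mov     edi, ebx
    .text:00011BFF                 stosd                   ; three stosd with eax = 0 clear 12 bytes at +38h
    .text:00011C00                 stosd
    .text:00011C01                 stosd
    .text:00011C02                 mov     cx, [esi+34h]
    .text:00011C06                 cmp     cx, 3           ; flags are consumed by the jnz at 11C1A
    .text:00011C0A                 movzx   eax, cx
    .text:00011C0D                 lea     eax, Memory[eax*2] ; eax = address of word number 'cell' in Memory
    .text:00011C14                 mov     dx, [eax]
    .text:00011C17                 mov     [ebx], dx       ; reply data = Memory word for this cell
    .text:00011C1A                 jnz     short loc_11C27 ; cell != 3
    .text:00011C1C                 cmp     word ptr [eax], 0
    .text:00011C20                 jnz     short loc_11C27
    .text:00011C22                 mov     word ptr [ebx], 40h ; cell 3 holding 0 is reported as 40h
    .text:00011C27
    .text:00011C27 loc_11C27:
    .text:00011C27                 and     byte ptr [esi+6], 0 ; result code = 0
    .text:00011C2B                 mov     cl, Options.StatusBase
    .text:00011C31                 xor     eax, eax
    .text:00011C33                 test    cl, cl          ; the mov below does not change the flags
    .text:00011C35                 mov     ax, [esi+6]
    .text:00011C39                 jz      short loc_11C4D ; StatusBase == 0: leave the high byte alone
    .text:00011C3B                 movzx   cx, cl
    .text:00011C3F                 and     eax, 0FFFF00FFh
    .text:00011C44                 shl     ecx, 8
    .text:00011C47                 add     ecx, eax        ; cx = StatusBase << 8 | result code
    .text:00011C49                 mov     [esi+6], cx
    .text:00011C4D
    .text:00011C4D loc_11C4D:
    .text:00011C4D                 push    ebp             ; argument: offset Memory
    .text:00011C4E                 call    CheckDongleLic
    .text:00011C53                 test    eax, eax
    .text:00011C55                 jz      short loc_11C5B
    .text:00011C57                 and     word ptr [ebx], 0 ; non-zero return: reply data forced to 0
    .text:00011C5B
    .text:00011C5B loc_11C5B:
    .text:00011C5B                 call    _RegCloseKey
    .text:00011C60                 pop     edi
    .text:00011C61                 pop     ebp
    .text:00011C62                 pop     ebx
    .text:00011C63                 jmp     short loc_11C89
    .text:00011C65 ; ---------------------------------------------------------------------------
    .text:00011C65
    .text:00011C65 loc_11C65:
    ; FindSentinel or CheckLic returned non-zero
    .text:00011C65                 cmp     dword_17C74, 0
    .text:00011C6C                 jnz     short loc_11C82
    .text:00011C6E                 xor     eax, eax
    .text:00011C70                 mov     ax, [esi+6]
    .text:00011C74                 and     eax, 0FFFFFF00h
    .text:00011C79                 add     eax, 3          ; result code = 3, high byte kept
    .text:00011C7C                 mov     [esi+6], ax
    .text:00011C80                 jmp     short loc_11C89
    .text:00011C82 ; ---------------------------------------------------------------------------
    .text:00011C82
    .text:00011C82 loc_11C82:
    .text:00011C82                 or      RetValue, -1    ; RetValue = -1
    .text:00011C89
    .text:00011C89 loc_11C89:
    .text:00011C89                 cmp     Options.Log, 1
    .text:00011C90                 jnz     short loc_11CAF ; skip tracing unless Options.Log == 1
    .text:00011C92                 xor     eax, eax
    .text:00011C94                 mov     al, [esi+6]
    .text:00011C97                 and     eax, 0FFh       ; eax = result code (low byte of status)
    .text:00011C9C                 push    eax
    .text:00011C9D                 movzx   eax, word ptr [esi+38h]
    .text:00011CA1                 push    eax             ; char
    .text:00011CA2                 push    offset aData04_4xRes_1 ; "Data=%04.4X Result=%04.4X\n"
    .text:00011CA7                 call    PrintLog
    .text:00011CAC                 add     esp, 0Ch        ; caller removes the three PrintLog arguments
    .text:00011CAF
    .text:00011CAF loc_11CAF:
    .text:00011CAF                 push    esi             ; argument: request pointer
    .text:00011CB0                 call    EncryptPacket   ; presumably removes its own argument, as the stack only balances that way
    .text:00011CB5                 mov     eax, RetValue
    .text:00011CBA                 pop     esi             ; restore the esi saved at entry
    .text:00011CBB                 retn    4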
    It is used to emulate Sentinel SPRO API 15h, which is unknown to me. The strange point is that this API is not accessible from sx32w.dll. Does anyone out there have info about this API?

  2. #2
    ; SPRO_Switcher: table of 24 code pointers that, per the XREF below, is read
    ; by RbLdlSproDispatch. The hex prefix in each label (00h..17h) matches the
    ; entry's position in the table, so entry N presumably serves API number N.
    ; The function names are the poster's labels, and the post does not say
    ; which binary the table was taken from.
    .text:0001354E SPRO_Switcher dd offset func_00_RNBOsproInitialize
    .text:0001354E ; DATA XREF: RbLdlSproDispatch+8Cr
    .text:0001354E dd offset func_01_RNBOsproGetVersion ; jump table for switch statement
    .text:0001354E dd offset func_02_RNBOsproSetUnitInfo
    .text:0001354E dd offset func_03_RNBOsproGetUnitInfo
    .text:0001354E dd offset func_04_RbLdlSproSetLogCfg
    .text:0001354E dd offset func_05_RbLdlSproGetLogCfg
    .text:0001354E dd offset func_06_RNBOsproCfgLibParams
    .text:0001354E dd offset func_07_UNSUPPORTED
    .text:0001354E dd offset func_08_RNBOsproFindFirstUnit
    .text:0001354E dd offset func_09_RNBOsproFindNextUnit
    .text:0001354E dd offset func_0A_RNBOsproRead_0B_RNBOsproExtendedRead ; entry 0Ah
    .text:0001354E dd offset func_0A_RNBOsproRead_0B_RNBOsproExtendedRead ; entry 0Bh, same handler as 0Ah
    .text:0001354E dd offset func_0C_RNBOsproDecrement
    .text:0001354E dd offset func_0D_RNBOsproWrite
    .text:0001354E dd offset func_0E_RNBOsproOverwrite
    .text:0001354E dd offset func_0F_RNBOsproActivate
    .text:0001354E dd offset func_10_17_RNBOsproQuery ; entry 10h
    .text:0001354E dd offset func_11_RNBOsproGetHardLimit
    .text:0001354E dd offset func_12_RbLdlSproSWO
    .text:0001354E dd offset func_13_RbLdlSproBlockRead
    .text:0001354E dd offset func_14_RbLdlSproBlockWrite
    .text:0001354E dd offset func_15_RbLdlSproGetProperty ; entry 15h, the API number asked about in post #1
    .text:0001354E dd offset func_16_RbLdlSproSetProperty
    .text:0001354E dd offset func_10_17_RNBOsproQuery ; entry 17h, same handler as 10h

  3. #3
    Could you give more detail on funcs 12h-16h (input parameters, etc.)?
