Results 1 to 3 of 3

Thread: Please help me with this Sentinel protection before I get mad!

  1. #1

    Please help me with this Sentinel protection before I get mad!

    Hi all,

    I'm dealing with a Sentinel protected target.
    On a previous version of the target, trivial patching succeeded, it was only finding a "Key not found" string which was shown in a messagebox, and jumping over it. THAT easy. It was just next to SproFindFirstUnit.

    Now, the API seems to be applied in a better way, and the "Key not found" message is not on the strings, and next to SproFindFirstUnit nothing seems to appear related to it.

    This time, the "Key not found" message is not on the strings so I bet they encrypted it somehow, so I can't know for sure where in the code it is being shown. I mean if I BP MessageBoxA, I get somewhere but tracing back is very difficult because the program loads many modules so I can't know for sure which one originates the call, for example, the one I think that does does not have any dongle code inside :S

    I did some patching inside sproRead, and got the "Key not found" message away, and the program starts, but there are no toolbars so the program can't be used. I think they are reading some address or something from the dongle to show them, but there are no CMPs around and I'm not good at analysing ALL the code. I understand parts of it but not all.

    Another approach was to use an existing dongle emulator and experiment with cell values during the trace. Vendor ID is 2212h. I filled the cells with ABCDEFGHIJK... etc and found out that during the analysis of sproRead, the cell #25 was being read. I understood that first by analysing the dump, and then by a push 19h before sproRead

    By experimenting with various values, I got rid of the "Key not found" message with no patching (Yee-haw!), but now it says "Please register application with serial number A70GP00000A". A70GP00000A is the serial number I used when installing the app so it's basicalling telling me to register using the serial I already used (no good). I patched this away by returning eax=1 in the previous call.

    What I can't "tame" yet is how to get the toolbars to appear (the most important thing).
    I think sproRead is not scaring me now, what is scaring me is sproQuery, because right before returning from it, I get a cmp [eax], [ecx] with eax and esi being completely different values like (1abff39d for eax and d1927dda for ecx). If I patch the previous pushes to push eax the two times, the program crashes. Tried with push ecx the two times as well but it crashes too so it seems none of the values of the cmp are correct. But maybe I'm not analysing the right spot. This is driving me crazy, I dedicated like 25 hours total to this target and I'm sooo frustrated that I cannot get it working

    I read many tutorials including a very nice and big one from Shub-nigurrath, which is very clear and I see everything in there, I just can't find out how to know what the application is expecting from the dongle. I know it is no easy task, tho... but maybe someone can point me in the right direction...

    There's one thing on the tutorial that I can't get...
    On sproQuery, there are two hardcoded values: cb93c50d at 4776fd and dbadfa6d at 477705... are they the seed value? I assume they are specific for the target in the tutorial...



  2. #2
    Founder FoxB's Avatar
    Join Date
    Mar 2002
    you can upload the target software?

  3. #3
    Quote Originally Posted by FoxB View Post
    you can upload the target software?
    Sure, I'll upload it to my server and PM the link

    THANKS for the willingness!

Similar Threads

  1. Sentinel Lm
    By Theislander in forum Advanced Reversing and Programming
    Replies: 7
    Last Post: April 1st, 2011, 09:06
  2. Sentinel Pro
    By personmans in forum The Newbie Forum
    Replies: 14
    Last Post: March 24th, 2009, 18:06
  3. Sentinel, and now ?
    By andreas heinz in forum The Newbie Forum
    Replies: 8
    Last Post: March 29th, 2005, 13:11
  4. Sentinel spro dongle protection
    By ComanderKeen in forum Malware Analysis and Unpacking Forum
    Replies: 6
    Last Post: June 20th, 2002, 14:26
  5. Sentinel SuperPro dongle protection
    By jholmes in forum Advanced Reversing and Programming
    Replies: 3
    Last Post: November 28th, 2001, 20:21


Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts