Thread: Sentinel SuperPro Emulator

  1. #1

    Sentinel SuperPro Emulator

    hi all
    my problem is a target that is protected with superpro. previously i changed the target and redirected the rnbo function to a dll. but now i need a way for the target to work without patching.
    if i write the sentinel.sys the problem will be solved.
    my question: can i write a filter driver that captures all data transferred between the program and the driver (sentinel.sys) and sends the correct result back to the program, or must i write a sentinel.sys?

    thanks.

  2. #2
    Jacques
    Guest
    Hi nikan,

    I can't answer your question regarding the filter driver, but I did have a similar problem about a year ago where I had to bypass a superpro dongle without patching the target.

    What saved me was finding an emulator by some guy called Steven that I was able to modify for my own purposes. There are a few versions of this emulator floating around, the one that I used was v0.24 because it had DebugPrint calls that allowed you to watch the calls being made in your debugger's output window... Steven did a pretty nice job. (There seems to be a v0.43 around, but it doesn't have the debug prints.)

    The emulator is able to recognize 15 products. If the given vendor ID matches one that it knows about, then it will use the associated block of "dongle memory" for the read/write calls.

    All I had to do was:
    1) Change the vendor code to that of the target.
    2) Adapt the "dongle memory" block so it provides data that works with whatever checks there are in the target.
    3) Recompute the checksum field in the PE header. (This field is not used by standard exe's, but is used by .sys drivers. I used LordPE to fix it.)

    The emulator also has a 10 minute time limit built-in, but bypassing it is pretty easy. I suppose this is step #1.

    This emulator worked great for the first target I used it on, however, just today I tried it on a second target (that's why I'm on the board again) and it doesn't recognize any of the function calls (in the debugger it says "fn is XXXX - yet unknown"). Something funny is going on in this new target, it seems that the function specifiers in the superpro packet are different with each invocation. Hopefully it will work in your case.

    Let me know if you're interested and I can provide more details.

    Jacques
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  3. #3
    hi Jacques

    thanks for your reply.
    i have sentinel emulator version 0.43 and a patch that removes the time limit.
    can you tell me whether it supports sproQuery?
    however i decided to write a filter driver because if i copy the emulator's sentinel.sys to win32\driver then other superpro protected programs do not work if i have the related dongle.
    also it is good that the memory dump and sproquery pairs can be changed from the registry.

    nikan.

  4. #4
    Jacques
    Guest
    I don't know for sure if version 0.43 of the emulator will work, but I imagine you can probably get it to work. I've never used it myself, mainly because it didn't have the DebugPrint calls, and v0.24 worked just fine for me. I also seem to remember that v0.43 is set up with only a single block of "dongle memory" (but I can't recall for certain).

    As for sproQuery(), the emulator does recognize the call, and v0.24 prints the following info for it: "sproQuery: cell=%02X, len=%02X" to the debugger. What it does after this, beyond faking a good return code, I'm not exactly sure. (My target was quite simplistic, it just read the values in 5 cells and XOR'd them together, it didn't use sproQuery at all.) However, doing a quick scan of the code once more, I do see a call to a function that prints "process_query() - cant find dump"... so it seems that the emulator is set up to handle algorithm queries.

    If you're not in a rush and you need to be able to use real Sentinel dongles too, then writing a filter driver sounds like the way to go. Unfortunately, I don't know enough about the Windows Driver Model to be able to tell if this will work or not.

    I am quite interested in whether the filter driver would work, so if you do decide to do this, please keep posting your progress on the board.

    Jacques

  5. #5
    ok
    i started to write the filter driver with compuware driver suite 2.7 and windows 2000 ddk.
    previously i wrote a program that can encrypt and decrypt the rnbo Packet correctly.
    can anyone help me with any ideas and information about filter drivers?
    i found that the sentinel driver makes a device named "rnbdrv", is that true?

  6. #6
    Jacques
    Guest
    Quote Originally Posted by nikan
    ok
    i started to write the filter driver with compuware driver suite 2.7 and windows 2000 ddk.
    previously i wrote a program that can encrypt and decrypt the rnbo Packet correctly.
    can anyone help me with any ideas and information about filter drivers?
    i found that the sentinel driver makes a device named "rnbdrv", is that true?
    An original sentinel.sys has the following string refs in it:
    \\Device\\ParallelPort
    \\Device\\RNBODEV
    \\DosDevices\\RNBODRV
    but I have no idea if this is the proper way to refer to the driver when trying to add a filter layer to it.

    Question for you:
    Did you find a doc on the encryption/decryption of the spro packet, or did you trace the code and figure it out yourself?

    Question for the dongle experts:
    Is it even possible to create a filter driver for the sentinel drivers? It seems suspicious that no-one has done it before... (or maybe they have and I don't know about it).

  7. #7
    the filter driver is written!!!
    my filter driver and enc\dec algorithm work properly with sentinel driver version 5.41!
    i know about one version of this algorithm.
    the next improvements in my project are:
    1: read the dump and sproquery pairs from the registry.
    2: create a filter driver that works in 2 modes: emulate mode and capture mode.

    nikan.

  8. #8
    hi Jacques
    sorry for my bad english writing.
    i traced a target that calls the rnbo function and found the way of enc\dec.
    nikan.

  9. #9
    Jacques
    Guest
    Quote Originally Posted by nikan
    the filter driver is written!!!
    my filter driver and enc\dec algorithm work properly with sentinel driver version 5.41!
    nikan.
    Excellent!

    What driver name did you use when you created the "Device Filter" shell in Driver Studio?

    Did you have to filter anything besides Read & Write? (and maybe Create & Close)?

  10. #10
    hi Jacques
    the symbolic names of the devices that are created by sentinel.sys are RNBODRV0 and RNBODRV1.
    all packet transfers between the program and the driver are performed via the ReadFile function.
    after any call to an rnbo function (except formatPacket for the first time and initialize), the program prepares the packet, encrypts it and finally sends it to the driver via the ReadFile function.

    nikan.

  11. #11
    Jacques
    Guest
    Hi nikan,

    I did know about passing the packet via ReadFile, but my driver knowledge is minimal at best, so I'm still having trouble figuring out where things fit in at that level.

    What is the difference between RNBODRV0 and RNBODRV1? Is 0 for parallel and 1 for USB?

    Thanks for the tips,
    Jacques

  12. #12
    hi Jacques
    i am not sure but possibly you are correct.
    i tested my filter driver with a usb superpro dongle and the correct response was received from RNBODRV1.
    i will test a parallel dongle asap to find out whether the dongle response will be received from RNBODRV0 or not.

    nikan.

  13. #13
    cah
    Registered User (Join Date: Sep 2001; Location: CYBERABAD; Posts: 58)

    SPRO Queries & Their Seed Codes

    Dear Nikan

    How to find & analyse spro queries & their seed codes for a given application?
    Do you have any tools for it? How to inject this code into an exe file?

    Help with this is highly appreciated
    CaH

  14. #14
    hi Jacques
    the capture mode of my driver is completed.
    i tested it with some protected programs, then i decided to test it with the superpro shell, so i created a shelled version of notepad.exe with my dongle.
    you can see the data transfer between the Sentinel toolkit and the driver during protection here:

    "
    In,RNBOsproSetUnitInfo
    OUT,RNBOsproSetUnitInfo
    In,RNBOsproFindFirstUnit(DeveloperId=0x0000)
    OUT,RNBOsproFindFirstUnit(DeveloperId=0x0)-> Status=0x0
    In,RNBOsproOverwrite(WritePassword=0x0000,OverwritePassword1=0x0000,OverwritePassword2=0x0000,Address=0x3C,Data=0x226A,AccessCode=0x3)
    OUT,RNBOsproOverwrite(WritePassword=0x0000,OverwritePassword1=0x0000,OverwritePassword2=0x0000,Address=0x3C,Data=0x226A,AccessCode=0x0)-> Status=0x0
    In,RNBOsproOverwrite(WritePassword=0x0000,OverwritePassword1=0x0000,OverwritePassword2=0x0000,Address=0x3D,Data=0xEA46,AccessCode=0x3)
    OUT,RNBOsproOverwrite(WritePassword=0x0000,OverwritePassword1=0x0000,OverwritePassword2=0x0000,Address=0x3D,Data=0xEA46,AccessCode=0x0)-> Status=0x0
    In,RNBOsproSetUnitInfo
    OUT,RNBOsproSetUnitInfo
    In,RNBOsproFindFirstUnit(DeveloperId=0x0000)
    OUT,RNBOsproFindFirstUnit(DeveloperId=0x0)-> Status=0x0
    In,RNBOsproQuery(Address=0x3C,Data=0x1D5DDBD3,Length=0x4)
    OUT,RNBOsproQuery(Response=2AFF717F,Response32=FF2A7F71)-> Status=0x0
    In,RNBOsproQuery(Address=0x3C,Data=0x1E6D65B,Length=0x4)
    OUT,RNBOsproQuery(Response=5BC57D9A,Response32=C0000A7D)-> Status=0x0
    In,RNBOsproQuery(Address=0x3C,Data=0x40E7DC6F,Length=0x4)
    OUT,RNBOsproQuery(Response=385CF58,Response32=5C38580F)-> Status=0x0
    In,RNBOsproQuery(Address=0x3C,Data=0xD244FFA,Length=0x4)
    OUT,RNBOsproQuery(Response=218B8727,Response32=8B212787)-> Status=0x0
    In,RNBOsproQuery(Address=0x3C,Data=0xCB90863,Length=0x4)
    OUT,RNBOsproQuery(Response=CA6777D8,Response32=67CAD877)-> Status=0x0
    In,RNBOsproQuery(Address=0x3C,Data=0xDF72CA25,Length=0x4)
    OUT,RNBOsproQuery(Response=C085466E,Response32=85C06E46)-> Status=0x0
    In,RNBOsproQuery(Address=0x3C,Data=0x9F82141B,Length=0x4)
    OUT,RNBOsproQuery(Response=30D73352,Response32=D7305233)-> Status=0x0
    In,RNBOsproQuery(Address=0x3C,Data=0x83C5C3EB,Length=0x4)
    OUT,RNBOsproQuery(Response=725BADEA,Response32=5B72EAAD)-> Status=0x0
    In,RNBOsproQuery(Address=0x3C,Data=0xBF4FA9EC,Length=0x4)
    OUT,RNBOsproQuery(Response=A31B782,Response32=1BA38207)-> Status=0x0
    In,RNBOsproQuery(Address=0x3C,Data=0xDADD9E6C,Length=0x4)
    OUT,RNBOsproQuery(Response=F1294E59,Response32=29F1594E)-> Status=0x0
    In,RNBOsproSetUnitInfo
    OUT,RNBOsproSetUnitInfo
    In,RNBOsproFindFirstUnit(DeveloperId=0x0000)
    OUT,RNBOsproFindFirstUnit(DeveloperId=0x0)-> Status=0x0
    In,RNBOsproSetUnitInfo
    OUT,RNBOsproSetUnitInfo
    In,RNBOsproFindFirstUnit(DeveloperId=0x0000)
    OUT,RNBOsproFindFirstUnit(DeveloperId=0x0)-> Status=0x0
    In,RNBOsproQuery(Address=0x3C,Data=0x0000,Length=0x4)
    OUT,RNBOsproQuery(Response=52D57DB8,Response32=D552B87D)-> Status=0x0
    In,RNBOsproQuery(Address=0x3C,Data=0x44E4A547,Length=0x4)
    OUT,RNBOsproQuery(Response=3950DE20,Response32=503920DE)-> Status=0x0
    In,RNBOsproQuery(Address=0x3C,Data=0xDCF1C80,Length=0x4)
    OUT,RNBOsproQuery(Response=35739CA,Response32=7335CA09)-> Status=0x0
    In,RNBOsproQuery(Address=0x3C,Data=0x48B38CC,Length=0x4)
    OUT,RNBOsproQuery(Response=78DB6474,Response32=DB787464)-> Status=0x0
    In,RNBOsproQuery(Address=0x3C,Data=0x7192555D,Length=0x4)
    OUT,RNBOsproQuery(Response=A8DD2735,Response32=DDA83527)-> Status=0x0
    "

    and after running the shelled notepad.exe my program shows this sequence of calls to the driver:

    "
    In,RNBOsproFindFirstUnit(DeveloperId=0x0000)
    OUT,RNBOsproFindFirstUnit(DeveloperId=0x0)-> Status=0x0
    In,RNBOsproRead(Address=0x30)
    OUT,RNBOsproRead(Packet,Address=0x30,Data=0x0)-> Status=0x0
    In,RNBOsproRead(Address=0x34)
    OUT,RNBOsproRead(Packet,Address=0x34,Data=0x0)-> Status=0x0
    In,RNBOsproRead(Address=0x38)
    OUT,RNBOsproRead(Packet,Address=0x38,Data=0x0)-> Status=0x0
    In,RNBOsproRead(Address=0x3C)
    OUT,RNBOsproRead(Packet,Address=0x3C,Data=0x0)-> Status=0x4
    In,RNBOsproSetUnitInfo
    OUT,RNBOsproSetUnitInfo
    In,RNBOsproRead(Address=0x0)
    OUT,RNBOsproRead(Packet,Address=0x0,Data=0x28)-> Status=0x0
    In,RNBOsproQuery(Address=0x0,Data=0xB55EE90,Length=0x4)
    OUT,RNBOsproQuery(Response=B55EE90,Response32=5EB500E9)-> Status=0x0
    In,RNBOsproQuery(Address=0x3C,Data=0xA33A314C,Length=0x4)
    OUT,RNBOsproQuery(Response=C3ED6B28,Response32=EDC3286B)-> Status=0x0
    In,RNBOsproQuery(Address=0x3C,Data=0xB285D6C8,Length=0x4)
    OUT,RNBOsproQuery(Response=74497B23,Response32=4974237B)-> Status=0x0
    In,RNBOsproQuery(Address=0x3C,Data=0x44E4A547,Length=0x4)
    OUT,RNBOsproQuery(Response=3950DE20,Response32=503920DE)-> Status=0x0
    In,RNBOsproWrite(WritePassword=0x0000,Address=0x100,Data=0x3125,AccessCode=0x0)
    OUT,RNBOsproWrite(WritePassword=0x0000,Address=0x100,Data=0x3125,AccessCode=0x0)-> Status=0x5
    In,RNBOsproSetUnitInfo
    OUT,RNBOsproSetUnitInfo
    In,RNBOsproSetUnitInfo
    OUT,RNBOsproSetUnitInfo
    "

    i changed the developer id and passwords to zero!
    i hope that this information helps you to solve your problem with the shell!
    again sorry for my bad english writing.

    nikan.

  15. #15
    hi CaH

    i don't know but i guess that the sproQuery algo is the same as the packet transfer enc/dec algo.

    nikan.
