
Thread: sentinel superpro dongle confused

  1. #1

    sentinel superpro dongle confused


    I found the dll file which contains sentinel api function. Functions are :
    0001:000251E0 sproFormatPacket
    0001:00025240 sproFindNextUnit
    0001:00025370 sproGetVersion
    0001:00025490 sprofindfirstunit
    0001:000255A0 sproFindNextUnit_0
    0001:000256B0 sproread
    0001:00025780 sproExtendedRead
    0001:00025860 sproActivate
    0001:00025920 sproOverwrite
    0001:000259F0 sproDecrement
    0001:00025AA0 sproActivate_0
    0001:00025B60 sproQuery
    0001:00025C90 sproFullStatus

    I guess we only need to deal with sprofindfirstunit and sproread; I found that sproQuery is never called.

    Following some tutorials on this site, I bypassed sprofindfirstunit like this:
    sprofindfirstunit proc near ; CODE XREF: sub_60105C70+A9p
    ; Patched SuperPro "find first unit" stub. stdcall with two dword arguments
    ; (the caller pushes the developer ID 0ACA3h and then the API packet pointer,
    ; see sub_60105C70). The original body has been overwritten so that the driver
    ; is never asked anything and status 0 is always reported in AX; the only
    ; visible caller does `test ax, ax` and throws simpleNotFoundException on any
    ; non-zero status, so 0 is taken as "unit found".

    arg_0 = dword ptr 0Ch               ; after the two pushes below: the packet pointer (pushed last by the caller)

    push ebx
    push esi
    mov eax, [esp+arg_0]                ; eax = packet pointer; not used by the patch (presumably left from the original code)
    or eax, eax                         ; filler / remnant of the original compare - the flags are never consulted
    nop
    nop
    mov ax, 0                           ; status = 0 (success)
                                        ; NOTE(review): only the low 16 bits are zeroed, the upper half of EAX still
                                        ; holds the packet pointer. Fine for the visible caller (tests AX), but would
                                        ; fool any caller that tests EAX; `xor eax, eax` + two nops fits the same 4 bytes.
    pop esi
    pop ebx
    retn 8                              ; stdcall: pop the two dword arguments
    sprofindfirstunit endp

    For sproread(), I use the standard emulation code released by CrackZ. The dump data is placed right after the sproread emulation code. Here is the dump:
    API majVer=5, minVer=37, rev=6, osDrvrType=5
    Dumping Key: id=0x5246, developerID=0xACA3
    WORD awMem[64] = {
    /* Cell contents dumped from the key, one 16-bit cell per entry. The number in the
       trailing comment of every cell is that cell's access code and matches abAc[] below.
       _ALGO_ and _N_AV_ mark cells the dumper did not return as plain data (presumably
       algorithm cells and their descriptors - confirm against the SuperPro developer docs).
       Cells the protected code is seen to consult in sub_60105C70: 0 (key id, used as a
       cache tag), 1 (developer ID), 8 (product ID), 9..0xC, 0x16..0x18, 0x1D..0x21, 0x34
       and 0x1F (the version cell; later in the thread it is changed from 0x34 to 0x46). */
    0x5246/*1*/, 0xACA3/*1*/, _ALGO_/*4*/, _ALGO_/*4*/,          /* cells 0x00-0x03: key id, developer ID, algorithm cells */
    _N_AV_/*3*/, _N_AV_/*3*/, _N_AV_/*3*/, _N_AV_/*3*/,          /* cells 0x04-0x07 */
    0xD341/*1*/, 0x0001/*1*/, 0x0000/*1*/, 0x0000/*1*/,          /* cells 0x08-0x0B: product ID, cell 9 = 1, count low/high = 0 */
    0x0000/*1*/, 0x0000/*1*/, 0x0000/*1*/, 0x0000/*1*/,          /* cells 0x0C-0x0F */
    0x0000/*1*/, 0x0000/*1*/, 0x0000/*1*/, 0x0000/*1*/,          /* cells 0x10-0x13 */
    0x0000/*1*/, 0x0000/*1*/, 0x0000/*1*/, 0x0000/*1*/,          /* cells 0x14-0x17: 0x16/0x17 = 0, which sub_60105C70 treats as out of range */
    0x0000/*1*/, 0x0000/*1*/, 0x0000/*1*/, 0x0000/*1*/,          /* cells 0x18-0x1B: 0x18 = 0 -> no string chunks are read */
    0x0000/*1*/, 0x0000/*1*/, 0x0000/*1*/, 0x0034/*0*/,          /* cells 0x1C-0x1F: 0x1F = version cell, the only writable one besides 0x3F */
    0x0000/*1*/, 0x0000/*1*/, 0x0000/*1*/, 0x0000/*1*/,          /* cells 0x20-0x23 */
    0x0000/*1*/, 0x0000/*1*/, 0x0000/*1*/, 0x0000/*1*/,          /* cells 0x24-0x27 */
    0x0000/*1*/, 0x0000/*1*/, 0x0000/*1*/, 0x0000/*1*/,          /* cells 0x28-0x2B */
    0x0000/*1*/, 0x0000/*1*/, 0x0000/*1*/, 0x0000/*1*/,          /* cells 0x2C-0x2F */
    0x0000/*1*/, 0x0000/*1*/, 0x0000/*1*/, 0x0000/*1*/,          /* cells 0x30-0x33 */
    0x0000/*1*/, 0x0000/*1*/, 0x0000/*1*/, 0x0000/*1*/,          /* cells 0x34-0x37: bit 0 of cell 0x34 feeds dword_60127AD8 */
    0x0000/*1*/, 0x0000/*1*/, 0x0000/*1*/, 0x0000/*1*/,          /* cells 0x38-0x3B */
    0x0000/*1*/, 0x0000/*1*/, 0x0000/*1*/, 0x0000/*0*/,          /* cells 0x3C-0x3F */
    };

    BYTE abAc[64] = {
    /* Access code of each cell, in the same order as awMem[] (and identical to the
       numbers in its trailing comments). Meaning of the codes is not shown on this
       page; presumably 0 = writable, 1 = locked data, 3/4 = algorithm-related cells
       that come back as _N_AV_/_ALGO_ - confirm against the SuperPro docs. */
    1, 1, 4, 4, 3, 3, 3, 3, 1, 1, 1, 1, 1, 1, 1, 1,           /* cells 0x00-0x0F */
    1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 0,           /* cells 0x10-0x1F: 0x1F (version) is writable */
    1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1,           /* cells 0x20-0x2F */
    1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 0,           /* cells 0x30-0x3F: 0x3F is writable */
    };

    Key #0 write pw: 0CEE

    Tracing the program with IDA 4.8, I found the subroutine that performs the dongle read. Here it is:
    dongleread proc near ; CODE XREF: sub_60105C70+BFp
    ; sub_60105C70+D9p ...
    ; WORD dongleread(DWORD cell) - cdecl wrapper around sproread (the caller pops
    ; the argument with `add esp, 4`). Reads one 16-bit cell of the key into the
    ; incoming argument slot, which doubles as the output buffer, and returns it in AX.
    ; A non-zero sproread status is traced with the "Rainbow SuperPro error code"
    ; message and turned into simpleNotFoundException. The cell VALUE is never
    ; validated here - every range check lives in the caller (sub_60105C70).

    arg_0 = dword ptr 4

    mov ecx, [esp+arg_0]                ; ecx = cell address to read
    lea eax, [esp+arg_0]                ; eax = &arg_0, reused as the WORD output buffer
    push eax                            ; &data
    push ecx                            ; address
    push offset unk_601276B0            ; API packet (the same one handed to sprofindfirstunit)
    call sproread                       ; sproread(packet, address, &data); emulated by the poster
    test ax, ax                         ; status 0 = success
    jz short loc_60106195
    movsx eax, ax                       ; sign-extend the status for the "%d" in the trace string
    push eax
    push eax ; arglist
    push offset aErrorRainbowSu ; "Error: Rainbow SuperPro error code '%d "...
    call apiCTrace                      ; trace helper; its signature is not visible here (3 dwords are popped below)
    add esp, 0Ch
    push offset simpleNotFoundException
    call Exception__Throw               ; dongle error; presumably longjmps back to the caller's _setjmp3 frame and does not return

    loc_60106195: ; CODE XREF: dongleread+17j
    mov ax, word ptr [esp+arg_0]        ; return the cell value sproread wrote into the arg slot
    retn
    dongleread endp


    Continuing to trace the program: after sprofindfirstunit succeeds, the program reads the dongle. Here is the code that validates the values it reads (the listing starts just after the push/call of dongleread, so the function prologue is not shown):
    ; ---- tail of sub_60105C70 (proc header, prologue and the initial push are not in this paste) ----
    ; What is visible: a setjmp-based try block that (1) locates the key, (2) checks cells 1 and 8,
    ; (3) unless cell 0 still matches the cached value in word_60127F98, re-reads the licence cells
    ; into the global table at word_60127AB8 (pre-filled from the template at unk_60123918),
    ; (4) clamps each field back to its template default when it lies outside its allowed range,
    ; and finally copies 0x118 dwords of that table to the caller's buffer at [ebp+arg_4] and
    ; returns var_4 in eax. Every decision is driven by plain cell values obtained through
    ; dongleread/sproread; nothing visible here uses the algorithm cells (no sproQuery call),
    ; which is why emulating sproread from a memory dump is enough for this routine.
    ; Register roles: esi = resource string (later scratch), ebx = cell 8, and from loc_60105D96 on
    ; edi = 0FFh, the unsigned upper bound of the range checks (`cmp ax, di` / `jb`).
    call ExceptionLink_Construct        ; open the exception frame paired with ExceptionLink_Destruct below
    lea ecx, [ebp+var_58]
    push ebx
    push ecx
    call _setjmp3                       ; _setjmp3(&var_58, ebx): non-zero when a throw lands back here
    add esp, 8
    test eax, eax
    jnz loc_601060E9                    ; -> catch handler
    push 63Eh ; uID
    call strRscLoad                     ; esi = string resource 0x63E, compared against the OEM placeholder at cell-8 time
    mov esi, eax
    push 0ACA3h                         ; developer ID (cell 1 of the dump)
    push offset unk_601276B0            ; API packet
    mov [ebp+var_8], esi
    call sprofindfirstunit              ; find the key (patched above to always return status 0)
    test ax, ax                         ; non-zero status = no key
    jz short loc_60105D2D
    push offset simpleNotFoundException
    call Exception__Throw

    loc_60105D2D: ; CODE XREF: sub_60105C70+B1j
    push 1                              ; cell 1 must hold the developer ID
    call dongleread
    add esp, 4
    cmp ax, 0ACA3h
    jz short loc_60105D47
    push offset simpleNotFoundException
    call Exception__Throw

    loc_60105D47: ; CODE XREF: sub_60105C70+CBj
    push 8                              ; cell 8 = product ID
    call dongleread
    add esp, 4
    mov edi, offset aDoNotTransla_0 ; "<DO NOT TRANSLATE> - OEM Product ID"
    mov ecx, 24h                        ; 0x24 = 35 chars + NUL of the placeholder text
    xor edx, edx
    repe cmpsb                          ; compare resource 0x63E (esi) with the placeholder (edi)
    mov ebx, eax                        ; bx = cell 8 (mov does not touch the flags from cmpsb)
    jnz short loc_60105D7A              ; resource differs from the placeholder -> numeric compare below
    cmp bx, 0D341h                      ; resource still is the placeholder: accept the three generic product IDs
    jz short loc_60105D96
    cmp bx, 0D342h
    jz short loc_60105D96
    cmp bx, 0D343h
    jz short loc_60105D96
    jmp short loc_60105D8C
    ; ----------------------------------------------------------------------

    loc_60105D7A: ; CODE XREF: sub_60105C70+F1j
    mov eax, [ebp+var_8]                ; otherwise cell 8 must equal atoi(resource 0x63E)
    push eax ; char *
    call ds:atoi
    add esp, 4
    cmp bx, ax
    jz short loc_60105D96

    loc_60105D8C: ; CODE XREF: sub_60105C70+108j
    push offset simpleNotFoundException ; cell 8 mismatch
    call Exception__Throw

    loc_60105D96: ; CODE XREF: sub_60105C70+F8j
    ; sub_60105C70+FFj ...
    push 0                              ; cell 0 (key id, 0x5246 in the dump) serves as a cache tag
    call dongleread
    add esp, 4
    cmp word_60127F98, ax
    jz nghingo                          ; same key as last time -> table already loaded, skip the re-read
    mov ecx, 138h
    mov esi, offset unk_60123918        ; template / default table
    mov edi, offset word_60127AB8       ; live licence table
    push 34h                            ; argument for the dongleread below
    rep movsd                           ; live table = template (0x138 dwords)
    call dongleread                     ; cell 0x34
    not al
    mov edi, 0FFh                       ; edi stays 0FFh from here on (upper bound of the range checks)
    push 1Fh
    and eax, edi                        ; eax = ~cell34 & 0xFF
    mov word_60127AC4, 1
    shl eax, 1Ch
    or eax, 0EFFFFFFFh                  ; dword_60127AD8 = -1, except bit 28 is cleared when bit 0 of cell 0x34 is set
    mov dword_60127AD8, eax
    or eax, 0FFFFFFFFh
    mov dword_60127ADC, eax             ; dword_60127ADC..dword_60127AE8 = -1
    mov dword_60127AE0, eax
    mov dword_60127AE4, eax
    mov dword_60127AE8, eax
    call dongleread                     ; cell 0x1F -> word_60127AC0 (version; range-checked at loc_60105FC8)
    push 9
    mov word_60127AC0, ax
    call dongleread                     ; cell 9 -> word_60127AC6
    push 0Bh
    mov word_60127AC6, ax
    call dongleread                     ; cell 0xB = high word of the 32-bit count
    mov si, ax
    push 0Ah
    and esi, 0FFFFh
    shl esi, 10h
    call dongleread                     ; cell 0xA = low word
    and eax, 0FFFFh
    push 17h
    or esi, eax
    mov dword_60127DFC, esi             ; dword_60127DFC = (cell 0xB << 16) | cell 0xA
    call dongleread                     ; cell 0x17 -> word_60127ACA
    push 16h
    mov word_60127ACA, ax
    call dongleread                     ; cell 0x16 -> word_60127ACC
    push 1Eh
    mov word_60127ACC, ax
    call dongleread                     ; cell 0x1E -> word_60127ACE
    push 1Dh
    mov word_60127ACE, ax
    call dongleread                     ; cell 0x1D -> word_60127AD0
    push 20h
    mov word_60127AD0, ax
    call dongleread                     ; cell 0x20 -> word_60127AEC
    push 21h
    mov word_60127AEC, ax
    call dongleread                     ; cell 0x21 -> word_60127DFA
    push 0Ch
    mov word_60127DFA, ax
    call dongleread                     ; cell 0xC -> word_60127F04 and word_60127ABA
    push 0Dh
    mov word_60127F04, ax
    mov word_60127ABA, ax
    call dongleread                     ; cells 0xD..0x18 -> word_60127F06.. (these get no range check below)
    push 0Eh
    mov word_60127F06, ax
    call dongleread
    push 0Fh
    mov word_60127F08, ax
    call dongleread
    push 10h
    mov word_60127F0A, ax
    call dongleread
    add esp, 40h                        ; pop the 16 cell numbers pushed so far
    mov word_60127F0C, ax
    push 11h
    call dongleread
    push 12h
    mov word_60127F0E, ax
    call dongleread
    push 13h
    mov word_60127F10, ax
    call dongleread
    push 14h
    mov word_60127F12, ax
    call dongleread
    mov word_60127F14, ax
    push 15h
    call dongleread
    push 18h
    mov word_60127F16, ax
    call dongleread                     ; cell 0x18 -> word_60127AD2: number of 8-byte chunks (1..3) in the string built below
    add esp, 18h
    cmp ax, 1
    mov word_60127AD2, ax
    jb short loc_60105F56               ; 0 chunks: leave byte_60127E00 as the template left it
    lea ecx, [ebp+var_14]
    push 8
    push ecx
    push 4
    push 19h
    call what                           ; what(19h, 4, &var_14, 8): presumably reads 4 cells from 0x19 into var_14 - TODO confirm
    add esp, 10h
    lea edx, [ebp+var_14]
    push 103h ; __int16
    push edx ; void *
    push offset byte_60127E00 ; void *
    call strLengthCopy                  ; byte_60127E00 = chunk 1
    mov ax, word_60127AD2

    loc_60105F56: ; CODE XREF: sub_60105C70+2B9j
    mov esi, ds:strncat
    cmp ax, 2
    jb short loc_60105F95
    lea eax, [ebp+var_14]
    push 8
    push eax
    push 4
    push 24h
    call what                           ; chunk 2 from cell 0x24
    push 1 ; size_t
    push offset asc_60123E38 ; ","
    push offset byte_60127E00 ; char *
    call esi ; strncat
    lea ecx, [ebp+var_14]
    push 9 ; size_t
    push ecx ; char *
    push offset byte_60127E00 ; char *
    call esi ; strncat                  ; byte_60127E00 += "," + chunk 2
    mov ax, word_60127AD2
    add esp, 28h

    loc_60105F95: ; CODE XREF: sub_60105C70+2F0j
    cmp ax, 3
    jnz short loc_60105FC8
    lea edx, [ebp+var_14]
    push 8
    push edx
    push 4
    push 28h
    call what                           ; chunk 3 from cell 0x28
    push 1 ; size_t
    push offset asc_60123E3C ; ","
    push offset byte_60127E00 ; char *
    call esi ; strncat
    lea eax, [ebp+var_14]
    push 9 ; size_t
    push eax ; char *
    push offset byte_60127E00 ; char *
    call esi ; strncat                  ; byte_60127E00 += "," + chunk 3
    add esp, 28h

    loc_60105FC8: ; CODE XREF: sub_60105C70+329j
    push 0
    call dongleread
    mov word_60127F98, ax               ; remember cell 0 so the next call short-circuits at loc_60105D96
    mov ax, word_60127AC0               ; cell 0x1F (version): accepted if 33h <= v < 64h, else reset to the template value
    add esp, 4
    cmp ax, 33h
    jb short loc_60105FEA
    cmp ax, 64h
    jb short loc_60105FF8

    loc_60105FEA: ; CODE XREF: sub_60105C70+372j
    mov cx, word_60123920               ; template field at the same offset (+8) as word_60127AC0
    mov word_60127AC0, cx

    loc_60105FF8: ; CODE XREF: sub_60105C70+378j
    mov ax, word_60127ACA               ; cell 0x17: accepted if 1 <= v < 0FFh (di), else template default
    cmp ax, 1
    jb short loc_60106009
    cmp ax, di
    jb short loc_60106017

    loc_60106009: ; CODE XREF: sub_60105C70+392j
    mov dx, word_6012392A
    mov word_60127ACA, dx

    loc_60106017: ; CODE XREF: sub_60105C70+397j
    mov ax, word_60127ACC               ; cell 0x16: same 1..0FEh range
    cmp ax, 1
    jb short loc_60106028
    cmp ax, di
    jb short loc_60106034

    loc_60106028: ; CODE XREF: sub_60105C70+3B1j
    mov ax, word_6012392C
    mov word_60127ACC, ax

    loc_60106034: ; CODE XREF: sub_60105C70+3B6j
    mov ax, word_60127ACE               ; cell 0x1E: same range
    cmp ax, 1
    jb short loc_60106045
    cmp ax, di
    jb short loc_60106053

    loc_60106045: ; CODE XREF: sub_60105C70+3CEj
    mov cx, word_6012392E
    mov word_60127ACE, cx

    loc_60106053: ; CODE XREF: sub_60105C70+3D3j
    mov ax, word_60127AD0               ; cell 0x1D: same range
    cmp ax, 1
    jb short loc_60106064
    cmp ax, di
    jb short loc_60106072

    loc_60106064: ; CODE XREF: sub_60105C70+3EDj
    mov dx, word_60123930
    mov word_60127AD0, dx

    loc_60106072: ; CODE XREF: sub_60105C70+3F2j
    cmp word_60127AEC, di               ; cell 0x20: only the upper bound (< 0FFh) is enforced
    jb short loc_60106087
    mov ax, word_6012394C
    mov word_60127AEC, ax

    loc_60106087: ; CODE XREF: sub_60105C70+409j
    cmp word_60127DFA, di               ; cell 0x21: only the upper bound
    jb short loc_6010609E
    mov cx, word_60123C5A
    mov word_60127DFA, cx

    loc_6010609E: ; CODE XREF: sub_60105C70+41Ej
    mov al, byte_60127E00               ; the assembled string must be non-empty ...
    test al, al
    jz short loc_601060B9
    mov ax, word_60127AD2               ; ... and its chunk count must be 1..3, otherwise both are reset
    cmp ax, 1
    jb short loc_601060B9
    cmp ax, 3
    jbe short nghingo                   ; all checks passed -> common exit, eax = var_4

    loc_601060B9: ; CODE XREF: sub_60105C70+435j
    ; sub_60105C70+441j
    mov dx, word_60123932               ; template default for word_60127AD2
    push 103h ; __int16
    push offset unk_60123C60 ; lpString (template default for byte_60127E00)
    push offset byte_60127E00 ; void *
    mov word_60127AD2, dx
    call _strBufferCopy
    lea eax, [ebp+var_5C]
    push eax
    call ExceptionLink_Destruct
    mov eax, [ebp+var_4]
    jmp short loc_60106141
    ; ----------------------------------------------------------------------

    loc_601060E9: ; CODE XREF: sub_60105C70+8Aj
    ; catch: reached through _setjmp3 when one of the throws above fires
    push offset NotFoundException__RuntimeClass
    call Exception__CatchProc
    test eax, eax
    jz short nghingo                    ; presumably "not a NotFoundException": leave var_4 as it was
    mov ecx, 138h
    mov esi, offset unk_60123918
    mov edi, offset word_60127AB8
    mov word_60127F98, bx
    rep movsd                           ; no key / bad key: live table = template defaults
    mov [ebp+var_4], 1                  ; returned in eax via nghingo

    nghingo: ; CODE XREF: sub_60105C70+137j
    ; sub_60105C70+447j ...
    lea eax, [ebp+var_5C]
    push eax
    call ExceptionLink_Destruct
    mov eax, [ebp+var_4]
    jmp short loc_60106141
    ; ----------------------------------------------------------------------

    loc_60106124: ; CODE XREF: sub_60105C70+62j
    ; sub_60105C70+6Cj
    ; early exit taken from the part of the function not shown here (+62/+6C): defaults, eax = 1
    mov ecx, 138h
    mov esi, offset unk_60123918
    mov edi, offset word_60127AB8
    mov word_60127F98, bx
    rep movsd
    mov eax, 1

    loc_60106141: ; CODE XREF: sub_60105C70+477j
    ; sub_60105C70+4B2j
    mov edi, [ebp+arg_4]                ; copy 0x118 dwords of the live table into the caller's buffer (eax preserved)
    mov ecx, 118h
    mov esi, offset word_60127AB8
    rep movsd
    pop edi
    pop esi
    pop ebx
    mov esp, ebp
    pop ebp
    retn
    sub_60105C70 endp


    With that dump, the program says that the dongle needs an upgrade, so I need some hints from someone more experienced:
    - Which values of the dump do I need to change, and to what?
    - I see a lot of cmp instructions comparing the dongle data with 1 — what do they mean?
    ... and more questions.
    Can someone help me?
    Last edited by k66473; March 2nd, 2006 at 06:09.

  2. #2
    Hiya,

    I recognise the developer ID of this particular target (naturally I'll omit any further mention of the program name). I don't know what version of the program you are working with but these are my notes from v5.3. Perhaps this will help you.

    Word 1 = Developer ID ACA3
    Word 8 = D341h (explicit check)
    Word 1F = 35 (version info v5.3)
    Word 9 = Full (Value) = 7FFFh
    Word A = Point Count (Low Value)
    Word B = Point Count (High Value) 7FFFh
    Word C = OEM Code (Value)
    Word 16 = Manager Clients (Value)
    Word 17 = Display Clients (Value)
    Word 1D = Internet Manager Clients (Value)
    Word 1E = Internet Display Clients
    Word 20 = Connectivity (Value)
    Word 21 = P2SQL (Value)
    Word 22/23 = Serial Number
    24-3F = 0

    Protected files: CiUSafe.exe, Ctutil32.dll, Usafe32.dll

    Regards

    CrackZ.

  3. #3
    As far as I can see, this dongle also has an enhanced-cells algorithm, and like CrackZ I can also tell what the software is ;-)

    k66473, please contact me.

  4. #4
    I cannot message to mr.x because :
    "mr.x has exceeded their stored private messages quota and can not accept further messages until they clear some space."

    The information from CrackZ helped me a lot; the program now runs.
    But there are some differences from CrackZ's notes:
    Word 1F = 35 (version info v5.3)
    I changed this cell to 46h and the program no longer says the dongle needs an upgrade. Here is the code that checks this value:
    mov word_60127F98, ax
    mov ax, word_60127AC0 //1F value (46H)
    add esp, 4
    cmp ax, 33h //??
    jb short loc_60105FEA
    cmp ax, 64h //??
    jb short loc_60105FF8

    loc_60105FEA: ; CODE XREF: sub_60105C70+372j
    mov cx, word_60123920
    mov word_60127AC0, cx

    I saw that it compares with 33h and 64h, but if I change this dongle cell to 33h or 64h the program still says the dongle must be updated. When I change it to 46h the program no longer complains, but I do not know why.

    Word 9 = Full (Value) = 7FFFh
    Word A = Point Count (Low Value)
    Word B = Point Count (High Value) 7FFFh

    My data is different. If I follow the values above, the point count exceeds the limit, so I kept the data from my own dump.

    I found the code which cmp read data with some value :
    mov ax, word_60127ACC
    cmp ax, 1
    jb short loc_60106028
    cmp ax, di // here DI=FF
    jb short loc_60106034


    I do not know why it compares with 1 — please give me a hint!
    When I looked at the value in DI at that cmp ax, di, I changed the remaining data in the dump to that value.
    My program may need more testing, but for now it is running well.
    Thanks Crackz
    Thanks all.
    Last edited by k66473; March 6th, 2006 at 09:13.

  5. #5
    Quote Originally Posted by mr.x
    As I seen, this dongle also has come enhaced-cells algo,

    ...
    I don't understand this.
    There is an sproExtendedRead() function, but there is no call to it.
    I can only see sproread() being called.
    Am I missing something?
    Last edited by k66473; March 6th, 2006 at 07:41.

  6. #6
    Today I found that the program will not work if a network is present; it only works in stand-alone server mode.
    I will do more research.

  7. #7
    It is all right now.
    Thanks all

  8. #8


    Quote Originally Posted by CrackZ
    Hiya,

    I recognise the developer ID of this particular target (naturally I'll omit any further mention of the program name). I don't know what version of the program you are working with but these are my notes from v5.3. Perhaps this will help you.

    Word 1 = Developer ID ACA3
    Word 8 = D341h (explicit check)
    Word 1F = 35 (version info v5.3)
    Word 9 = Full (Value) = 7FFFh
    Word A = Point Count (Low Value)
    Word B = Point Count (High Value) 7FFFh
    Word C = OEM Code (Value)
    Word 16 = Manager Clients (Value)
    Word 17 = Display Clients (Value)
    Word 1D = Internet Manager Clients (Value)
    Word 1E = Internet Display Clients
    Word 20 = Connectivity (Value)
    Word 21 = P2SQL (Value)
    Word 22/23 = Serial Number
    24-3F = 0

    Protected files: CiUSafe.exe, Ctutil32.dll, Usafe32.dll

    Regards

    CrackZ.
    How do I calculate Word 8 = D341h?

  9. #9
    Quote Originally Posted by yijing
    How do I calculate Word 8 = D341h?
    Look carefully:

    ---------------Cut-------------------
    push 8
    call dongleread
    add esp, 4
    mov edi, offset aDoNotTransla_0 ; "<DO NOT TRANSLATE> - OEM Product ID"
    mov ecx, 24h
    xor edx, edx
    repe cmpsb
    mov ebx, eax
    jnz short loc_60105D7A
    cmp bx, 0D341h
    jz short loc_60105D96
    cmp bx, 0D342h
    jz short loc_60105D96
    cmp bx, 0D343h
    jz short loc_60105D96
    jmp short loc_60105D8C
    -----End Cut----------------

  10. #10
    I saw it cmp with 33, and 64 H but if I changed this dongle memory to 33 and 64, the program still said it must be update dongle. I changed to 46H and program does not said any more. But I do not know why??
    Simple: the value is in hex, i.e. 0x35 = 53 decimal, which is version 5.3.
    So your 0x46 = 70 is now version 7.0.
    0x33 = version 5.1
    0x64 = version 10.0
    (The visible check in sub_60105C70 accepts 0x33 <= value < 0x64 and otherwise substitutes the default from the template table.)

    So find your version (probably 6.0), convert it to decimal (60), then to hex (0x3C) and you're done.
    Of course there are more cells with plenty of other options.

    For cell 08:
    0xD341 = one type of product
    0xD342 = another type of product
    0xD343 = yet another type of product

    I swear that Developer ID was burnt into my memory.
