Removing Sentinel SuperPro from VFP application

ner0
Junior Member
Posts: 13
Joined: Tue Feb 14, 2012 1:36 pm

Post by ner0 »

Hello,

I need to ask for some help with some reversing I'm trying to achieve.
I used the forum's search function, but most related topics try to emulate SuperPro dongles, when what I really want to achieve is to strip it out or at least bypass it to a degree that the program does not use/decrease the # of available licenses.

I'm trying to find a way to follow an amazing tutorial, by Shub-Nigurrath, on how to remove Sentinel SuperPro from an app (Removing Sentinel SuperPro dongle from Applications.pdf).
Although I'm a noob reverse-engineer, I try to learn what I can from who I can in order to reach my goal. Unfortunately there is little documentation for my specific case.

So, first off, my main obstacle at this point is that I need to remove Sentinel SuperPro checks from a commercial app that was developed in Visual FoxPro 9. The problem I'm facing is that VFP apps can't really be debugged in a disassembler like traditional C/C++ apps. The signatures won't be useful here, I think, because there is no way to see the SProNet imports/exports in the app.

I was somewhat successful in decompiling the app using ReFox XI and now have access to the source code from there, but I'm not really sure where to go from here. I found most of the app's functions to the SProNet API in the decompiled source code but unfortunately I am not able to recompile the program due to missing dependencies.

One of the options I thought about was to go for the SPro libraries themselves (SXFOXNET.DLL and SXFOXPRO.DLL) which the app uses. If only I could defeat the SproDecrement function so that it never decreases the available license numbers, that would kind of work for now. But this might not be possible without patching a few core anti-tamper calls. As an example, here is sproFormatPacket from both DLLs:
- SXFOXNET.DLL: http://i.imgur.com/EodSmi4.png
- SXFOXPRO.DLL: http://i.imgur.com/INPFJHJ.png

Do you think I can patch the DLLs?
In the tutorial I kind of got the idea that the author was patching the app and not the libraries themselves, now that I think of it maybe I misunderstood that point.


The other approach I thought of is using an executable that the program uses at startup.
This one I was able to decompile and recompile successfully due to being very small and simple.
With it I have access to the same calls that the main program does and what I was trying to do was use the sproReleaseLicense call to, well... release a license before using it. Needless to say that this failed miserably, resulting in the app throwing "invalid packet".


Anyway, I just wanted to know if someone can help me head in the right direction.
If the details I provided are insufficient, I'll gladly provide more, of course.

Thanks.
FoxB
Posts: 458
Joined: Thu Mar 21, 2002 7:20 am
Location: Earth

Post by FoxB »

Do you know the developer ID for your dongle?
ner0
Junior Member
Posts: 13
Joined: Tue Feb 14, 2012 1:36 pm

Post by ner0 »

Not yet, no.
I'm trying to with DumpSentinel v0.2 and SentRead.
With DumpSentinel, it's still running through trying to find the DevID.
With SentRead, so far I've got the dongle ID, but that's probably not the same as Developer ID.
Any other tool you would advise to get it straight?

EDIT: Ok, it was taking a bit too long so I went digging in the app's source code and found the DevID.
FoxB, how can this help me particularly?
FoxB
Posts: 458
Joined: Thu Mar 21, 2002 7:20 am
Location: Earth

Post by FoxB »

You need to either tell us the developer ID for the dongle or share the target software.
The dongle ID is the dongle data from cell00; the developer ID is the dongle data from cell01.
ner0
Junior Member
Posts: 13
Joined: Tue Feb 14, 2012 1:36 pm

Post by ner0 »

The Developer ID is: XXXX
ner0
Junior Member
Posts: 13
Joined: Tue Feb 14, 2012 1:36 pm

Post by ner0 »

Previously I mentioned 2 SuperPro DLLs used by the software.
I started by analyzing a bit more in-depth, starting with SXFOXPRO.DLL.
This DLL's structure, namely APIs, is very similar to the one presented in the tutorial by Shub-Nigurrath.
Unfortunately, the DLL in question (SXFOXPRO.DLL) is only used by the app for dongle maintenance operations, not for daily licensing usage.

The actual licensing is done through sxfoxnet.dll, but this one has a somewhat different structure than the one presented in Shub-Nigurrath's tutorial; I am unable to match what is explained in the tutorial to it. For example, here is a comparison between sproFormatPacket in the tutorial and in my DLL:

Shub-Nigurrath tutorial sproFormatPacket: http://i.imgur.com/LZH9Y62.png
My DLL (sxfoxnet.dll) sproFormatPacket: http://i.imgur.com/FXC5ZEC.png

Not to mention sproRead in this DLL... if I was out of my depth before, now I'm really drowning just by looking at this sproRead call: http://i.imgur.com/CIqZAGE.png

Anyway, in case anyone is interested in looking at the DLL, here it is:
sxfoxnet.zip

Thanks for the suggestions.
FoxB
Posts: 458
Joined: Thu Mar 21, 2002 7:20 am
Location: Earth

Post by FoxB »

try to dump your dongle/emulator with http://rghost.net/74dLQ59Rm
ner0
Junior Member
Posts: 13
Joined: Tue Feb 14, 2012 1:36 pm

Post by ner0 »

Thanks for the tool, FoxB.
Unfortunately it did not work, got this reply:

I also tried another tool but failed with:
* Found key: 0xbb54, Hardlimit: 0xffff
! Error[00000046]: Can't open the key
.

Note: I'm running it on the machine with the physical dongle.
Attachments
DYYqhjp.png
FoxB
Posts: 458
Joined: Thu Mar 21, 2002 7:20 am
Location: Earth

Post by FoxB »

Try looking in the dumper's folder for a file with the .dmp extension ;)
ner0
Junior Member
Posts: 13
Joined: Tue Feb 14, 2012 1:36 pm

Post by ner0 »

Unfortunately there is none. No file is created. :(

I tried this with a similar dongle on another machine (different software) and there it worked, it started trying to brute-force the write password and wrote to disk a file: spro_RNBO_SPN_DRIVER_df3c_0.dmp

It did so even before querying the subnet, but it can't dump it on the machine that has the needed dongle, like I said in my previous reply.
I'm not sure if it's the OS (Windows 2008 Server).
ner0
Junior Member
Posts: 13
Joined: Tue Feb 14, 2012 1:36 pm

Post by ner0 »

FoxB, I was able to dump with a different software, from one of those websites that sell dongles.
I'm not sure if the dump is usable, in any case here is the tool and dump:
[spoiler]
Tool: http://goo.gl/hjMMdO
Dump: https://mega.co.nz/#!qgYyhL6a!y4hlek126 ... sPsCb7mQ-0 (password: www.woodmann.com)[/spoiler]
FoxB
Posts: 458
Joined: Thu Mar 21, 2002 7:20 am
Location: Earth

Post by FoxB »

As you wish
ner0
Junior Member
Posts: 13
Joined: Tue Feb 14, 2012 1:36 pm

Post by ner0 »

This is a registry key for an emulator, right?
Which emulator would be appropriate for this, Sentinel Emu 2007 by EDGE?

Thanks.

AH! Multikey... let's try. :)
ner0
Junior Member
Posts: 13
Joined: Tue Feb 14, 2012 1:36 pm

Post by ner0 »

Maybe I'm missing something but I can't get it to work.
I'm testing this with a Windows XP virtual machine and here's what I've done:
1. Installed Multikey v19.1.8 (32-bit);
2. Rebooted;
3. Checked Device Manager and found Virtual USB Multikey;
4. Added the registry key from the post above to Windows registry;
5. Installed Sentinel Protection drivers v7.4.0;
6. Rebooted;
7. Software does not detect either the SuperPro or the SuperProNet dongle;

What am I missing here?


EDIT: Problem was the Multikey version apparently, v18.2.4 works.
ner0
Junior Member
Posts: 13
Joined: Tue Feb 14, 2012 1:36 pm

Post by ner0 »

Apparently the emulator is not completely successful in emulating everything, like sub-licenses.
For example, upon validating the dongle, the software asks the user to select what software functions the user wants to enable. Each of those software functions, if enabled, uses a sub-license. With the emulator, if more than one function is enabled, the program will refuse to give access to that part of the software, leaving the user restricted to only one basic function per session.

I had run into this trouble in the past using EDGE's Sentinel Emu 2007, that's why I was skeptical of using an emulator now.
Unfortunately it turns out that the emulator can't really suit this particular need. :(

FoxB, if it's not too much to ask, could you mask the dongle ID bytes, please?
Thank you ;)