cEnginEEr
May 26th, 2007, 00:53
Hi all,
In my spare time I had a project on <SENTEMUL2007.exe> from www.software-key.org, and after unscrambling the driver I found this interesting piece of code:
; ---------------------------------------------------------------------------
; Handler for the request this driver logs as "RNBOsproFx15" (32-bit x86, IDA listing).
; In:    arg_0 = pointer to a structure, kept in esi; it is handed to EncryptPacket
;        at the end, so presumably the request/reply packet.
;        Fields touched in this listing:
;          word [esi+0Ch]      value passed to FindSentinel
;          word [esi+34h]      cell index (logged as "Cell")
;          word [esi+6]        status word: low byte = result code (logged as "Result"),
;                              high byte = Options.StatusBase when that is non-zero
;          12 bytes [esi+38h]  reply area; its first word is logged as "Data"
; Out:   eax = global RetValue (written in this listing only at 11C82).
; Result codes stored: 0 = cell read, 3 = FindSentinel/CheckLic returned non-zero,
;        5 = cell index above 7.
; Stack: one dword argument, removed by `retn 4`. No cleanup follows the calls to
;        FindSentinel, ReadSentinel, CheckDongleLic and EncryptPacket, so the stack
;        only balances if those callees remove their own arguments.
; ---------------------------------------------------------------------------
.text:00011B64 arg_0 = dword ptr 4
.text:00011B64
.text:00011B64 cmp Options.Log, 1    ; logging on? flags are consumed at 11B70 (push/mov leave them alone)
.text:00011B6B push esi    ; saved here, popped again at 11CBA
.text:00011B6C mov esi, [esp+4+arg_0]    ; esi = arg_0, used as the packet pointer throughout
.text:00011B70 jnz short loc_11B83    ; skip the log line unless Options.Log == 1
.text:00011B72 movzx eax, word ptr [esi+34h]    ; cell index from the packet
.text:00011B76 push eax ; char
.text:00011B77 push offset aRnbosprofx15Ce ; "\nRNBOsproFx15 Cell=%04.4X\n"
.text:00011B7C call PrintLog
.text:00011B81 pop ecx    ; caller drops the two PrintLog arguments
.text:00011B82 pop ecx
.text:00011B83
.text:00011B83 loc_11B83:
.text:00011B83 xor eax, eax
.text:00011B85 mov ax, [esi+0Ch]    ; eax = zero-extended word at packet+0Ch
.text:00011B89 push offset Options
.text:00011B8E push eax
.text:00011B8F call FindSentinel
.text:00011B94 test eax, eax
.text:00011B96 jnz loc_11C65    ; non-zero return -> failure path
.text:00011B9C call CheckLic
.text:00011BA1 test eax, eax
.text:00011BA3 jnz loc_11C65    ; non-zero return -> same failure path
.text:00011BA9 cmp word ptr [esi+34h], 7    ; bounds check on the cell index
.text:00011BAE jbe short loc_11BE5    ; unsigned compare: cells 0..7 go to the read path
.text:00011BB0 mov ax, [esi+6]    ; cell > 7; eax was 0 after CheckLic, so the upper half is clear
.text:00011BB4 and eax, 0FF00h    ; keep the high byte of the status word
.text:00011BB9 add eax, 5    ; result code 5 in the low byte
.text:00011BBC mov [esi+6], ax
.text:00011BC0 mov cl, Options.StatusBase
.text:00011BC6 test cl, cl
.text:00011BC8 jz loc_11C89    ; StatusBase == 0: high byte stays as it was
.text:00011BCE movzx cx, cl
.text:00011BD2 and eax, 0FFFF00FFh    ; drop the old high byte
.text:00011BD7 shl ecx, 8
.text:00011BDA add ecx, eax    ; cx = (StatusBase << 8) + result code
.text:00011BDC mov [esi+6], cx    ; only the low 16 bits of ecx are stored
.text:00011BE0 jmp loc_11C89
.text:00011BE5 ; ___________________________________________________________________________
.text:00011BE5
.text:00011BE5 loc_11BE5:    ; cell index <= 7
.text:00011BE5 push ebx    ; ebx/ebp/edi are saved for this path only and restored at 11C60..11C62
.text:00011BE6 push ebp
.text:00011BE7 push edi
.text:00011BE8 push offset MemoryAccess
.text:00011BED mov ebp, offset Memory    ; ebp = address of the Memory table for the rest of this path
.text:00011BF2 push ebp
.text:00011BF3 call ReadSentinel    ; return value is not checked: eax is overwritten on the next line
.text:00011BF8 xor eax, eax
.text:00011BFA lea ebx, [esi+38h]    ; ebx = reply area inside the packet
.text:00011BFD mov edi, ebx
.text:00011BFF stosd    ; three stosd with eax = 0 clear 12 bytes at [esi+38h]; assumes DF is clear
.text:00011C00 stosd
.text:00011C01 stosd
.text:00011C02 mov cx, [esi+34h]    ; cell index is read from the packet a second time. NOTE(review): the <= 7 check at 11BA9 covers this index only if the packet cannot change between the two reads - confirm who owns the buffer
.text:00011C06 cmp cx, 3    ; flags are consumed at 11C1A (movzx/lea/mov leave them alone)
.text:00011C0A movzx eax, cx
.text:00011C0D lea eax, Memory[eax*2]    ; address of the 16-bit entry Memory[cell]
.text:00011C14 mov dx, [eax]
.text:00011C17 mov [ebx], dx    ; first reply word = Memory[cell]
.text:00011C1A jnz short loc_11C27    ; cell != 3
.text:00011C1C cmp word ptr [eax], 0
.text:00011C20 jnz short loc_11C27
.text:00011C22 mov word ptr [ebx], 40h    ; cell 3 holding 0 is reported as 40h
.text:00011C27
.text:00011C27 loc_11C27:
.text:00011C27 and byte ptr [esi+6], 0    ; result code 0 in the low byte of the status word
.text:00011C2B mov cl, Options.StatusBase
.text:00011C31 xor eax, eax
.text:00011C33 test cl, cl
.text:00011C35 mov ax, [esi+6]    ; mov keeps the flags set by test
.text:00011C39 jz short loc_11C4D    ; StatusBase == 0: high byte stays as it was
.text:00011C3B movzx cx, cl    ; same high-byte update as at 11BCE..11BDC
.text:00011C3F and eax, 0FFFF00FFh
.text:00011C44 shl ecx, 8
.text:00011C47 add ecx, eax
.text:00011C49 mov [esi+6], cx
.text:00011C4D
.text:00011C4D loc_11C4D:
.text:00011C4D push ebp    ; argument = address of Memory
.text:00011C4E call CheckDongleLic
.text:00011C53 test eax, eax
.text:00011C55 jz short loc_11C5B
.text:00011C57 and word ptr [ebx], 0    ; non-zero return: the reply word is zeroed
.text:00011C5B
.text:00011C5B loc_11C5B:
.text:00011C5B call _RegCloseKey    ; no argument is pushed in this listing; reached only on the read path
.text:00011C60 pop edi
.text:00011C61 pop ebp
.text:00011C62 pop ebx
.text:00011C63 jmp short loc_11C89
.text:00011C65 ; ___________________________________________________________________________
.text:00011C65
.text:00011C65 loc_11C65:    ; FindSentinel or CheckLic returned non-zero
.text:00011C65 cmp dword_17C74, 0
.text:00011C6C jnz short loc_11C82
.text:00011C6E xor eax, eax
.text:00011C70 mov ax, [esi+6]
.text:00011C74 and eax, 0FFFFFF00h    ; keep the high byte of the status word
.text:00011C79 add eax, 3    ; result code 3 in the low byte
.text:00011C7C mov [esi+6], ax
.text:00011C80 jmp short loc_11C89
.text:00011C82 ; ___________________________________________________________________________
.text:00011C82
.text:00011C82 loc_11C82:
.text:00011C82 or RetValue, -1    ; RetValue = 0FFFFFFFFh; the packet status word is not written on this path
.text:00011C89
.text:00011C89 loc_11C89:    ; common exit for every path
.text:00011C89 cmp Options.Log, 1
.text:00011C90 jnz short loc_11CAF
.text:00011C92 xor eax, eax
.text:00011C94 mov al, [esi+6]    ; result code
.text:00011C97 and eax, 0FFh
.text:00011C9C push eax    ; printed as "Result"
.text:00011C9D movzx eax, word ptr [esi+38h]    ; first reply word, printed as "Data"
.text:00011CA1 push eax ; char
.text:00011CA2 push offset aData04_4xRes_1 ; "Data=%04.4X Result=%04.4X\n"
.text:00011CA7 call PrintLog
.text:00011CAC add esp, 0Ch    ; caller drops the three PrintLog arguments
.text:00011CAF
.text:00011CAF loc_11CAF:
.text:00011CAF push esi    ; argument = packet pointer
.text:00011CB0 call EncryptPacket    ; runs on every path, the failure ones included
.text:00011CB5 mov eax, RetValue    ; return value is the global, whatever it currently holds
.text:00011CBA pop esi    ; restores the esi saved at 11B6B
.text:00011CBB retn 4    ; callee removes arg_0
It is used for emulation of sentinel_spro API 15h, which is unknown to me. The strange point is that this API is not accessible from sx32w.dll. Does anyone out there have info about this API?