SSPRO - sproQuery() help required


Dahle77
February 9th, 2008, 15:57
Hello everybody

I'm working on a Sentinel SuperPro crackme and I do have access to the dongle.
At first I used the TORO Sentinel Monitor to capture the values.
Here is the result:
Code:

TORO Sentinel Info File
DongleType=4
MemorySize=40
DesignID=0000
PartNumber=00000000
SerialNumber=00000000

0000,3 XXXX,1 ------ ------ ------ ------ ------ ------
0000,3 ------ ------ ------ ------ ------ ------ ------
------ ------ ------ ------ ------ ------ ------ ------
------ ------ ------ ------ ------ ------ ------ ------
------ ------ ------ ------ ------ ------ ------ ------
------ ------ ------ ------ ------ ------ ------ ------
0210,0 ------ ------ ------ 21C2,0 ------ ------ ------
0301,0 ------ ------ ------ 0000,0 ------ ------ ------


Next step: using IDA to identify the sspro functions:
(1) sproFormatPacket 00430800
(2) sproFindFirstUnit 004309F0
(3) sproWrite 00430DB0
(4) sproFindNextUnit 00430CB0
(5) sproRead 00430D20

(1) - (5): trivial emulation, not a problem.

(6) sproQuery 00430E60
Code:

00430E60 56 PUSH ESI ; sproQUERY()
00430E61 57 PUSH EDI
00430E62 8B7424 0C MOV ESI, DWORD PTR SS:[ESP+C]
00430E66 85F6 TEST ESI, ESI
00430E68 75 09 JNZ SHORT crkme.00430E73
00430E6A 66:B8 1000 MOV AX, 10
00430E6E 5F POP EDI
00430E6F 5E POP ESI
00430E70 C2 1800 RETN 18

I found emulation code in the ArTeam tutorial, but I still don't know how to find the values for sproQuery.
When I'm at 00430E62, EBP shows 00421350 (crkme.00421350).

At 00421350 I have got the following code:
Code:

0042134F 00B7 22D50300 ADD BYTE PTR DS:[EDI+3D522], DH
00421355 0000 ADD BYTE PTR DS:[EAX], AL
00421357 0011 ADD BYTE PTR DS:[ECX], DL
00421359 06 PUSH ES
0042135A 8E02 MOV ES, WORD PTR DS:[EDX] ; Modification of segment register
0042135C 68 12420003 PUSH 3004212
00421361 CD 34 INT 34
00421363 0258 CA ADD BL, BYTE PTR DS:[EAX-36]
00421366 42 INC EDX
00421367 00BB 7434027C ADD BYTE PTR DS:[EBX+7C023474], BH
0042136D B8 42001106 MOV EAX, 6110042
00421372 34 02 XOR AL, 2
00421374 68 12420003 PUSH 3004212
00421379 CD 8E INT 8E
0042137B 0296 B8420004 ADD DL, BYTE PTR DS:[ESI+40042B8]
00421381 91 XCHG EAX, ECX
00421382 D5 03 AAD 3
00421384 3D 71000092 CMP EAX, 92000071
00421389 108E 029CB842 ADC BYTE PTR DS:[ESI+42B89C02], CL
0042138F 000491 ADD BYTE PTR DS:[ECX+EDX*4], AL
00421392 D5 03 AAD 3
00421394 095B 00 OR DWORD PTR DS:[EBX], EBX
00421397 0092 108E02C2 ADD BYTE PTR DS:[EDX+C2028E10], DL
0042139D BC 42004533 MOV ESP, 33450042
004213A2 D5 03 AAD 3
004213A4 F3: PREFIX REP: ; Superfluous prefix
004213A5 0100 ADD DWORD PTR DS:[EAX], EAX
004213A7 0092 19340288 ADD BYTE PTR DS:[EDX+88023419], DL
004213AD B8 4200441A MOV EAX, 1A440042
004213B2 0000 ADD BYTE PTR DS:[EAX], AL
004213B4 00E6 ADD DH, AH
004213B6 42 INC EDX
004213B7 00BB 74D503D6 ADD BYTE PTR DS:[EBX+D603D574], BH
004213BD 99 CDQ


I guess I will need the red-marked code, because ArTeam got the values from a similar place. I can't really find any compares for the query values in the crackme.
So I need some help on the sproQuery() function to solve that crackme.

I read the tutorials on CrackZ's page and the FAQ, and also searched the forum for information.

Thanks for help.

Best regards
Dahle77

CrackZ
February 12th, 2008, 17:26
I'm confused:

i). "When I'm at 00430E62 EBP shows 00421350 crkme.00421350"

Why is it relevant what EBP shows? At this point you should be looking at the arguments on the stack: at [esp+14] will be a pointer to the query data, [esp+18] will be a pointer to where the response should be placed, and [esp+1ch] a pointer to a dword where the last 32 bits of the query response will be returned; finally, [esp+20h] holds the length of the query. Typically it is the response32 [esp+1ch] that is checked, more often than not, on the application side.

Trivial query code can be used to fake the responses/fill the response buffer(s) as you require, remember to clear also the status (eax=0) then look for the checks on this data on the application side and perhaps patch there.

Another possibility is to patch in complete emulation of the query by *solving* the query descriptors, since this is a crackme I presume it isn't expected you do this ;-).

421350 looks like complete junk to me.

Regards

CrackZ.

Dahle77
February 29th, 2008, 16:21
Thank you CrackZ for your answer.

I read Cyberheg's tutorial about breaking the shell, but I haven't gone further with the crackme.
The crackme is protected by the Sentinel shell. According to Cyberheg's essay there are two tables and two XOR values. I was tracing the sproQuery function for hours, but didn't find the queries.

I also studied some postings on this board and maybe this part might be interesting (does it help to emulate the sproQuery?):
Code:

0042FABB . 66:85C0 TEST AX, AX
0042FABE . 75 29 JNZ SHORT sproREAD.0042FAE9
0042FAC0 . 66:817C24 04 >CMP WORD PTR SS:[ESP+4], 0DE9B
0042FAC7 . 75 20 JNZ SHORT sproREAD.0042FAE9
0042FAC9 . 66:817C24 08 >CMP WORD PTR SS:[ESP+8], 0A17C
0042FAD0 . 75 17 JNZ SHORT sproREAD.0042FAE9
0042FAD2 . 66:817C24 0C >CMP WORD PTR SS:[ESP+C], 9A8F
0042FAD9 . 75 0E JNZ SHORT sproREAD.0042FAE9
0042FADB . 66:817C24 10 >CMP WORD PTR SS:[ESP+10], 74BE
0042FAE2 . 75 05 JNZ SHORT sproREAD.0042FAE9
0042FAE4 . BE 01000000 MOV ESI, 1
0042FAE9 > 8BC6 MOV EAX, ESI
0042FAEB . 5E POP ESI
0042FAEC . 83C4 10 ADD ESP, 10
0042FAEF . C3 RETN


Is it always possible to find the queries in Sentinel shell-protected exe files?
Does this crackme require brute-forcing or a real dongle?

I attached a graph overview of the sproQuery. Maybe someone could give me some hints about which call should be analyzed carefully.

If anyone wants the crackme (it's just a keygen protected by the shell) let me know.

Thanks for your help.

Best regards

dahle77