Hello,

I have got a Sentinel LM target. At first I patched the RNBOsproFindFirstUnit. There is no sproQuery(), only sproRead().
sproRead():


When I'm at 00406F7E 66:3D 4372 CMP AX, 7243; EAX shows 00457242 UNICODE "pplication error." and the jnz is taken.

Can anyone tell me what "pplication error." means? Any idea what I did wrong before?

Thanks for answers.

Best regards
dahle77

my bedst guess is "Application error." ...means there was an error in the application

I thought so too, but what is the reason for "pplication error."?? Usually I see in sproRead something like EAX 0012E558 li.0012E558, but not "(a)pplication error.".
The application runs fine.

Uhm,

Prepare yourself for a 'doh' moment ;-).

A few instructions before AX just got assigned the value 7242h from [EDI], hence you've got 0x00457242 in EAX which just happens to point at something in your target.

Nothing strange here, its actually the Sentinel packet signature.

Regards,

CrackZ.

Does that mean I don't need to care about that error and can continue patching the file?

Thanks.

See in debuger what u have in EAX after "00406F74 |. E8 271A0000 CALL li.004089A0"
Maybe u dont make a correct patch?

EAX = 00450320 ASCII "Br" after 00406F74 |. E8 271A0000 CALL li.004089A0.
All I did before is to make the sproFindFirstUnit() to return Success.
The app only calls before sproInitialise().

Then - check how u patch sproFindFirstUnit() - maybe u didnt make something before or past this? Read manuals from Master CrackZ

@Dahle77: all in PM VendorID and SN for SLM SDK.

I still don't know what I'm doing wrong. I think I patched all required checks in the sproFindFirstUnit to get SP_Success. Does anyone want to check the exe? (PM me) It is only 300 kb.

@bfox: thanks.

btw.: Is there any difference between SSPro and Sentinel LM? The functions seem to me exactly the same.

@Dahle77: upload exe

hmm...I still can't patch the file :-)

Now I get EAX 00457242 UNICODE "nter no more than %1 characters." in sproREAD().
What does that mean?

Bfox told me only to patch sproFindFirstUnit, what I did and now only sproREAD is missing. He also said it is SLM + SSPro. Does SLM require a competely different approach than SSPro or is it the same approach as if it was only sspro?

output:
In:> FindFirstUnit DeveloperId=61491 (0xF033)
Out:> FindFirstUnit DeveloperId=61491 (0xF033) -> Status=0x3

In:> Read Address=0 (0x0)
Out:> Read Address=0 (0x0) -> Status=0x3
Data=255 (0xFF)



thanks!

It means that you STILL haven't understood what I told you at the very start of this thread, and that is that AX has been assigned the value 7242h which is the Sentinel packet record signature, the fact that 457242 points at some string in your target is purely co-incidental.

The Sentinel developer ID you quote here is a target that is known to me, in fact I broke the very first released version of this program about 5 years ago. It is today as far as I know the same protection, i.e. a Sentinel SuperPro dongle.

No surprise from the logger output you have pasted that the error code is (3) or dongle not found.

You *need* to identify the Sentinel SuperPro routines in the target .exe and patch them individually. For sproFindFirstUnit() returning AX=0 will suffice, for sproRead() you'll need to read the existing literature and code some sort of pseudo-emulation routine.

Finally, this target requires a license file as well as the dongle patch, if I remember rightly the file is named 'xswrk.dat', I recall this was trickier than the actual dongle implementation.

Regards, and good luck.

CrackZ.

thanks for your answer CrackZ!
I think I patched sproFindFirstUnit() succesfully, because otherwise I wouldn't be able to trace into sproRead(). I'm still wondering why ECX = 0 in sproRead(). Usually ECX points to the read cell, e.g. 0000003D and in this app ECX = 00000000.
Can you give me an explanation on this?

about the output:
Out:> Read Address=0 (0x0) -> Status=0x3
I don't think 0x3 is a problem, because I have had this a few times when I patched sspro successfully.

Thanks for help.

best regards

You need to look at the parameters to sproRead(), which as I recall are the API packet structure, the address to read and a pointer to where the data will be returned.

All of these parameters should probably be referenced directly off the stack rather than relying on the parameters being in specific registers, if the above parameters are passed via EAX/ECX/EDX it could well be fastcall convention. Either way, it would still be far better to retrieve them directly from the stack.

A read cell of 0 is not an issue, thats the dongles S/N, remember you can read words 0x0 & 0x1 as well as ranges 0x8-0x3F on Sentinel SuperPro's.

Regards,

CrackZ.

Thanks again for your answer CrackZ.
Now I think I figured out the structure of sproRead() and I'm sure I fill the right register with FF's.

However, I still haven't figured out why it only reads cell 0. After I went three times through sproRread() the app shows an error (Hardware Lock Serialnumber: 65535 ; Licence: Error).

Could give me some help on this problem please? Why does it only read cell 0?

Thanks again.

output:
In:> FindFirstUnit DeveloperId=56951 (0xDE77)
Out:> FindFirstUnit DeveloperId=56951 (0xDE77) -> Status=0x3


In:> Read Address=0 (0x0)
Out:> Read Address=0 (0x0) -> Status=0x3
Data=255 (0xFF)


In:> SetUnitInfo
Out:> SetUnitInfo

In:> Initialize
Out:> Initialize

In:> SetUnitInfo
Out:> SetUnitInfo

In:> FindFirstUnit DeveloperId=23720 (0x5CA8)
Out:> FindFirstUnit DeveloperId=23720 (0x5CA8) -> Status=0x3

In:> Initialize
Out:> Initialize

In:> SetUnitInfo
Out:> SetUnitInfo

In:> FindFirstUnit DeveloperId=61491 (0xF033)
Out:> FindFirstUnit DeveloperId=61491 (0xF033) -> Status=0x3

In:> Read Address=0 (0x0)
Out:> Read Address=0 (0x0) -> Status=0x3
Data=255 (0xFF)