Sentinel LM (sproRead) "pplication error." ?
Dahle77
March 29th, 2008, 16:29
Hello,
I have got a Sentinel LM target. At first I patched the RNBOsproFindFirstUnit. There is no sproQuery(), only sproRead().
sproRead():
Code:
00406F60 /$ 56 PUSH ESI ; sproREAD
00406F61 |. 57 PUSH EDI
00406F62 |. 8B7424 0C MOV ESI, DWORD PTR SS:[ESP+C]
00406F66 |. 85F6 TEST ESI, ESI
00406F68 |. 75 09 JNZ SHORT li.00406F73
00406F6A |. 66:B8 1000 MOV AX, 10
00406F6E |. 5F POP EDI
00406F6F |. 5E POP ESI
00406F70 |. C2 0C00 RETN 0C
00406F73 |> 56 PUSH ESI
00406F74 |. E8 271A0000 CALL li.004089A0
00406F79 |. 8BF8 MOV EDI, EAX
00406F7B 66:8B07 MOV AX, WORD PTR DS:[EDI]
00406F7E 66:3D 4372 CMP AX, 7243
00406F82 |. 75 31 JNZ SHORT li.00406FB5
When I'm at 00406F7E 66:3D 4372 CMP AX, 7243; EAX shows 00457242 UNICODE "pplication error." and the jnz is taken.
Can anyone tell me what "pplication error." means? Any idea what I did wrong before?
Thanks for answers.
Best regards
dahle77
Arcane
March 29th, 2008, 16:38
My best guess is "Application error." ...means there was an error in the application

Dahle77
March 29th, 2008, 16:56
I thought so too, but what is the reason for "pplication error."?? Usually I see in sproRead something like EAX 0012E558 li.0012E558, but not "(a)pplication error.".
The application runs fine.
CrackZ
March 29th, 2008, 17:00
Uhm,
Prepare yourself for a 'doh' moment ;-).
A few instructions before AX just got assigned the value 7242h from [EDI], hence you've got 0x00457242 in EAX which just happens to point at something in your target.
Nothing strange here, it's actually the Sentinel packet signature.
Regards,
CrackZ.
Dahle77
March 29th, 2008, 18:23
Does that mean I don't need to care about that error and can continue patching the file?
Thanks.
sataron
March 30th, 2008, 04:39
See in debugger what u have in EAX after "00406F74 |. E8 271A0000 CALL li.004089A0"
Maybe u don't make a correct patch?
Dahle77
March 30th, 2008, 04:56
EAX = 00450320 ASCII "Br" after 00406F74 |. E8 271A0000 CALL li.004089A0.
All I did before is to make the sproFindFirstUnit() to return Success.
The app only calls before sproInitialise().
sataron
March 30th, 2008, 05:02
Then - check how u patch sproFindFirstUnit() - maybe u didn't make something before or past this? Read manuals from Master CrackZ
FoxB
March 30th, 2008, 06:16
@Dahle77: all in PM

VendorID and SN for SLM SDK.
Dahle77
March 30th, 2008, 08:04
I still don't know what I'm doing wrong. I think I patched all required checks in the sproFindFirstUnit to get SP_Success. Does anyone want to check the exe? (PM me) It is only 300 kb.
@bfox: thanks.
btw.: Is there any difference between SSPro and Sentinel LM? The functions seem to me exactly the same.
FoxB
March 30th, 2008, 10:12
@Dahle77: upload exe
Dahle77
April 13th, 2008, 14:51
hmm...I still can't patch the file :-)
Now I get EAX 00457242 UNICODE "nter no more than %1 characters." in sproREAD().
What does that mean?
Bfox told me only to patch sproFindFirstUnit, what I did and now only sproREAD is missing. He also said it is SLM + SSPro. Does SLM require a completely different approach than SSPro or is it the same approach as if it was only sspro?
output:
In:> FindFirstUnit DeveloperId=61491 (0xF033)
Out:> FindFirstUnit DeveloperId=61491 (0xF033) -> Status=0x3
In:> Read Address=0 (0x0)
Out:> Read Address=0 (0x0) -> Status=0x3
Data=255 (0xFF)
thanks!
CrackZ
April 13th, 2008, 20:57
Quote:
Now I get EAX 00457242 UNICODE "nter no more than %1 characters." in sproREAD().
What does that mean?
It means that you STILL haven't understood what I told you at the very start of this thread, and that is that AX has been assigned the value 7242h which is the Sentinel packet record signature, the fact that 457242 points at some string in your target is purely co-incidental.
The Sentinel developer ID you quote here is a target that is known to me, in fact I broke the very first released version of this program about 5 years ago. It is today as far as I know the same protection, i.e. a Sentinel SuperPro dongle.
No surprise from the logger output you have pasted that the error code is (3) or dongle not found.
You *need* to identify the Sentinel SuperPro routines in the target .exe and patch them individually. For sproFindFirstUnit() returning AX=0 will suffice, for sproRead() you'll need to read the existing literature and code some sort of pseudo-emulation routine.
Finally, this target requires a license file as well as the dongle patch, if I remember rightly the file is named 'xswrk.dat', I recall this was trickier than the actual dongle implementation.
Regards, and good luck.
CrackZ.
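Added example, not part of the thread: a small C model of the partial-register write that both of CrackZ's replies describe, showing how loading the packet's first word ("Br", 0x7242) into AX turns the 0x00450320 pointer in EAX into 0x00457242, which a debugger then annotates as a string. The string's start address 0x00457240 and the simplified `annotate` heuristic are assumptions made for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* First two bytes at EDI as reported in the thread: ASCII "Br". */
static const uint8_t packet_head[2] = { 'B', 'r' };

/* 16-bit little-endian load, as MOV AX, WORD PTR DS:[EDI] performs. */
static uint16_t load_word_le(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* A write to AX replaces bits 0..15 only; bits 16..31 of EAX keep their old value. */
static uint32_t write_ax(uint32_t eax, uint16_t ax) { return (eax & 0xFFFF0000u) | ax; }

/* Replays 00406F79..00406F7B: EAX = pointer returned by the CALL, then AX = [EDI]. */
static uint32_t eax_at_cmp(void)
{
    return write_ax(0x00450320u, load_word_le(packet_head));
}

/* Constructed data region. ASSUMPTION: the UTF-16LE string starts at 0x00457240. */
#define REGION_BASE 0x00457240u
static const uint16_t region[] = { 'A','p','p','l','i','c','a','t','i','o','n',' ',
                                   'e','r','r','o','r','.', 0 };
#define REGION_LEN (sizeof region / sizeof region[0])

/* Simplified debugger heuristic (hypothetical): if value is an even address inside
   the region, copy the printable UTF-16LE text found there and return its length. */
static size_t annotate(uint32_t value, char *out, size_t cap)
{
    if (cap == 0 || value < REGION_BASE || (value - REGION_BASE) % 2 != 0)
        return 0;
    size_t i = (value - REGION_BASE) / 2, n = 0;
    while (i < REGION_LEN && region[i] >= 0x20 && region[i] < 0x7F && n + 1 < cap)
        out[n++] = (char)region[i++];
    out[n] = '\0';
    return n;
}

int main(void)
{
    char note[64];
    uint32_t eax = eax_at_cmp();
    /* The listing compares AX with 0x7243, so with AX = 0x7242 the JNZ is taken. */
    printf("EAX=%08X jnz_taken=%d\n", (unsigned)eax, (eax & 0xFFFFu) != 0x7243u);
    if (annotate(eax, note, sizeof note))
        printf("debugger comment: UNICODE \"%s\"\n", note);
    return 0;
}
```

The annotation loses its first character because the composed value lands one UTF-16 code unit past the assumed start of the string; the text shown depends only on what the image happens to hold at that address.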
Dahle77
April 15th, 2008, 09:24
thanks for your answer CrackZ!
I think I patched sproFindFirstUnit() successfully, because otherwise I wouldn't be able to trace into sproRead(). I'm still wondering why ECX = 0 in sproRead(). Usually ECX points to the read cell, e.g. 0000003D and in this app ECX = 00000000.
Can you give me an explanation on this?
about the output:
Out:> Read Address=0 (0x0) -> Status=0x3
I don't think 0x3 is a problem, because I have had this a few times when I patched sspro successfully.
Thanks for help.
best regards
CrackZ
April 15th, 2008, 14:30
You need to look at the parameters to sproRead(), which as I recall are the API packet structure, the address to read and a pointer to where the data will be returned.
All of these parameters should probably be referenced directly off the stack rather than relying on the parameters being in specific registers, if the above parameters are passed via EAX/ECX/EDX it could well be fastcall convention. Either way, it would still be far better to retrieve them directly from the stack.
A read cell of 0 is not an issue, that's the dongle's S/N, remember you can read words 0x0 & 0x1 as well as ranges 0x8-0x3F on Sentinel SuperPro's.
Regards,
CrackZ.
Dahle77
April 16th, 2008, 11:25
Thanks again for your answer CrackZ.
Now I think I figured out the structure of sproRead() and I'm sure I fill the right register with FF's.
However, I still haven't figured out why it only reads cell 0. After I went three times through sproRead() the app shows an error (Hardware Lock Serialnumber: 65535 ; Licence: Error).
Could you give me some help on this problem please? Why does it only read cell 0?
Thanks again.
output:
In:> FindFirstUnit DeveloperId=56951 (0xDE77)
Out:> FindFirstUnit DeveloperId=56951 (0xDE77) -> Status=0x3
In:> Read Address=0 (0x0)
Out:> Read Address=0 (0x0) -> Status=0x3
Data=255 (0xFF)
In:> SetUnitInfo
Out:> SetUnitInfo
In:> Initialize
Out:> Initialize
In:> SetUnitInfo
Out:> SetUnitInfo
In:> FindFirstUnit DeveloperId=23720 (0x5CA8)
Out:> FindFirstUnit DeveloperId=23720 (0x5CA8) -> Status=0x3
In:> Initialize
Out:> Initialize
In:> SetUnitInfo
Out:> SetUnitInfo
In:> FindFirstUnit DeveloperId=61491 (0xF033)
Out:> FindFirstUnit DeveloperId=61491 (0xF033) -> Status=0x3
In:> Read Address=0 (0x0)
Out:> Read Address=0 (0x0) -> Status=0x3
Data=255 (0xFF)