CyberHeg's sentinel crackme

Rackmount
April 25th, 2003, 16:00
Ok...I am working on CyberHeg's sentinel crackme and so far have done the first trivial patch on SProFindFirstUnit. Now as I am reading several tuts on sentinel emulation, they seem to indicate that I need to set up an area of the program to read simulated dongle memory to emulate the SProRead function. This gives me a few questions...
#1 It does not appear that the emulation patch occurs at the beginning of the sproread function, but actually is initiated after several lines of the function have already been executed. To me, the sproread code in the crackme seems very similar to what Goatass shows in his FlexiSIGN PRO tut, so I believe that my patch would begin at:

004079c0 mov word ptr [esi+30h], 0Ah

The other tuts seem to initiate the patch at a jump which is either nop'd or made to jump to the following instruction. Question: why are the starting locations of these emulations different (or are they different)? I don't have the code preceding the patches for CrackZ's tuts so I can't compare what is done before patch insertion. In Goatass' tut he seems to do the patch after a buffer has been set up in EDI to hold the returned WORD from the dongle.

#2 Simulated dongle memory. OH you mean in order to simulate the dongle I need to know what is in its memory so I can simulate it? Not really sure what information I need to hardcode in order to get this done.

#3 Where to hardcode simulated dongle memory. In past experience with adding code I have always used whatever space I can find that will fit what is needed. I believe that as long as I can find a space, I can redirect the routine there and back...no problems...right?

It could be that once the above questions are explained I will once again be using the hammer of knowledge adjustment on my brain (or computer). This is interesting and I am having fun...no really...I am...I swear...lol. Ok...I may need a bit of hand holding through this...but eh, that is why this is a newbies forum, right?

ZaiRoN
April 25th, 2003, 18:14
Hi Rackmount,

I moved your thread to this area because it could be an interesting project. It could be an occasion to learn something about dongles. I am not so confident with dongles, but I think these tutorials can help:

http://www.woodmann.net/fravia/cyberheg_lm_dongle.htm
http://www.woodmann.net/fravia/goatass_flexitut.htm
http://www.woodmann.net/crackz/Tutorials/Cyberheg4.htm

If you have other useful tutorials/resources (or something else) for this kind of application, feel free to tell us :-)
I will try this crackme in the next days and I hope other guys will help you :-)

Regards,
ZaiRoN

CrackZ
April 27th, 2003, 07:06
Hiya,

I attach my solution plus the original source code to the CrackMe purely for reference ;-).

Regards

CrackZ.

ZaiRoN
April 27th, 2003, 11:03
Hi Rackmount,

#1.
You can patch the function wherever you want, no need to start exactly at 4079C0. It depends on the code you want to add. Pay attention to the stack...

#2.
Yes, if you want to simulate the dongle you need to understand what the crackme wants to read from the dongle data (or packet record). Take a look at the messages displayed by the crackme (i.e. 'Dongle not found') and try to understand the reason why these messages are shown.

#3.
You are right, you can put the dongle data inside one of the free spaces of the file.

Regards,
ZaiRoN

cyberheg
April 27th, 2003, 14:22
It's funny. My crackme never got so much attention as now. I am wondering why it took 2 years for people to find it.

Even though CrackZ posted my source code, I think you had better try without reading it so as not to spoil the fun.
The only difference between the code posted and my original code is my solution which I had to rip out to not expose my real dongle data (yes, I bought a dongle devkit).

If you need the most recent sdk (manual etc.) you can get it from http://www.perico.no/downloads/SSP631CD.zip
It's a 160 mb whopper though since it's a complete iso cd image.

Another thing... My nick is not CyberHedge !?

// CyberHeg

Rackmount
April 28th, 2003, 09:53
Zairon: A wonderful idea to make this a group effort....now I can share my growing pains...lol

CyberHeg: I apologize...musta had the dang name mangler on in my head.

I will post my progress as it occurs along this thread (don't hold your breath though, as it could be slow). As previously mentioned I am at the point of emulating the SProRead function now....so far I just crash the proggie...but hey, what's a little page fault between friends, right? If I get too hung up...I will post my replacement code for those of you in the know to dissect and discuss. Until next we meet again..fare thee well.

Rackmount

ZaiRoN
April 28th, 2003, 13:32
Hi Rackmount,
Quote:
As previously mentioned I am at the point of emulating the SProread function now....so far I just crash the proggie
Feel free to post your code, we will try to help you
Quote:
It's funny. My crackme never got so much attention as now. I am wondering why it took 2 years for people to find it.
LOL! It's a very nice crackme; I had a lot of fun in solving it!

ZaiRoN

Rackmount
May 1st, 2003, 11:25
Ok....so far I have "fixed" the SProFindFirstUnit and now the SProRead function. Initially when the program was run, it would only say "Dongle not found" Now, it actually says something like:
Program feature item 1, not enabled
Program feature item 2, not enabled
Program feature item 3, not enabled
Program feature item 4, not enabled
Wow...I am doin' good!!! I have more information to work with now...4 features...woo hoo! But they are not enabled...bummer...this needs to be fixed ASAP! (so I can dance and sing in celebration!) OK, here is what I am doing now to gather the required info...opened a beer, and then another...oops...you guys don't need this much information...lol

Now really... I have set SICE to break on all calls to SProRead and am noting which cells are being read. IDA has nicely indicated my SProQuery function so I will need to see if I can break on that...why? Because I can! Oh, am I getting ahead of myself? Maybe another beer will help (sure can't hurt...lol). Ok, what I have seen from the tuts at this point is to trace the functions to see what is being done with the read WORDs. So, a tracing I will go (I hear it can be very scary in those cold and dark code woods this time of year...better pack a debugger just in case).

Narration: So once again our brave (would-be) hero marches off into the cold and dark and slightly damp (ok not really damp, but it just seemed to fit) code woods. Will he need his debugger? What mysterious code creatures await him in this journey? Stay tuned for the next episode...

Rackmount

ZaiRoN
May 2nd, 2003, 12:43
Hi Rackmount,

Before replying to you I will write a little summary of my initial approach to the crackme and an example of how to use map and sym files.

Reading the tutorials mentioned before, I downloaded IDA's "Sentinel Superpro lib" signature:
http://www.woodmann.net/crackz/Tools/Dongles/Dongsigs.zip
I recommend downloading this file because it will help you in recognizing the functions used by the dongle.

Load the file into IDA and then, when the initial autoanalysis is finished, apply the new signature; click on: 'File/Load File/Flirt Signature File'. In the new window you have to choose the right signature; scroll down until you reach Sentinel Super Pro. There are 2 different signatures for the spro; I chose the one written by CyberHeg only because I suppose it is the most recent version of the signature (CyberHeg, is that right?). Well, apply the sig! As you can see, all the functions used by the crackme are clearly visible. Now it's easier to study the disassembled file.

------------------------------
An example for Rackmount's thread in the 'tools of the trade' section: Map file.
What about seeing the names of these new functions -I mean sproinitialize, sproread... and also the renamed variables (and so on)- in Softice's code window? This is possible using the map file produced by IDA.
I don't think many people use map files but (imho) it's a very useful feature! We will see how to create the map file with IDA and how to apply it to Softice.

In IDA, click on 'File/Produce/Create Map File' and create the file. Now, look for msym.exe; it's a simple 16-bit application located inside the 'Softice\util16' directory. This utility converts the .map file into a .sym file; this conversion is necessary because .sym is the extension needed by Symbol Loader. When the .sym file has been created you have to run Symbol Loader. 'File/Open' to open the .sym file created before. Load it using 'Module/Load'. If everything has gone fine you will see the message:
----- '<Drive>:\<Path>\SPRO.SYM' symbols loaded -----

Well, we have almost completed the job; in fact, the initialization is done and we need to load the file sprocrackme.exe. Open the exe file but don't load it yet; you need to know how to relocate the symbol base. This last task of our job is not done by default, you need to tell Softice how to relocate the symbols. 'Symloc' is the command that we will use. The most generic form is:
symloc <section-number> <selector> <linear-address>
where:
<section-number> is the number of the section where to apply the symbols, the first section is '1', the second is '2' and so on
<selector> is the... selector
<linear-address> is the base address of the section.
As you can see, you can't relocate all the symbols into the entire file but you have to relocate every single section.
Now, you can load the file and when sice breaks you can use the symloc command. In this specific case I used:
symloc 1 1b 401000
where:
1 is the first section
1b is the selector, the value of CS register
401000 the base address of the .code section

No need to use symloc on other sections. If you have forgotten to recover the section and its base address, do not despair because you can do it inside Softice using the 'Map32 Sprocrackme' command.

Ok, we have finished! Now you can step through your code viewing all the names you need.
------------------------------

Ok, back to the crackme.
Running the crackme you will see a messagebox showing this message: "General error! Status code is 12". Our first task is to kill this nag. Looking through the code you will find where the message box is called from:
Code:
.text:004010E7 push offset packetRecord ; the packet record
.text:004010EC call _RNBOsproInitialize@4 ; initialize sentinel system driver
.text:004010F1 push eax ; eax = the status code
.text:004010F2 mov word_4112BC, ax
.text:004010F8 call sub_401230 ; display the message if ax!=0
...
.text:00401230 mov eax, [esp+arg_0]
.text:00401234 sub esp, 400h
.text:0040123A test ax, ax ; eax != 0 then messagebox
.text:0040123D jz short loc_40126B
We must have ax=0 at 4010F1. We need to patch RNBOsproInitialize! This task is very simple.
Code:
.text:004075B5 mov edi, [esp+0Ch+arg_0]
.text:004075B9 or edi, edi
.text:004075BB jnz short loc_4075C9 ; to modify
.text:004075BD mov ax, 2 ; to modify
.text:004075C1 pop edi
.text:004075C2 pop esi
.text:004075C3 add esp, 4
.text:004075C6 retn 4
I changed the two instructions in:

xor eax, eax
nop
nop
nop
nop

There are infinite ways to solve this problem; choosing one is enough.

First problem solved! Now we need to take care of the message 'Dongle not found'. A simple search inside the code will reveal:
Code:
.text:00401400 mov eax, dword_410E0C
.text:00401405 test eax, eax
.text:00401407 jnz short loc_40141D
.text:00401409 push offset aDongleNotFound ; "Dongle not found\n"
.text:0040140E call _printf ; display the error
The error message is shown if dword_410E0C==0. We need to locate where the proggie changes this dword. I use IDA's xrefs to perform this kind of operation. Click on dword_410E0C and hit 'x'; a dialog will appear and will show:

w _main+13D mov dword_410E0C, esi ; w: something is written in the dword
r sub_401400 mov eax, dword_410E0C ; r: the dword value is read

Obviously, the one we are looking for is the first line. Double click on the line:
Code:
.text:00401105 mov ax, word_40E036
.text:0040110B push offset unk_40E040 ; word_40E040 will contain the word read by the function
.text:00401110 push eax ; cell to read at address 3Fh
.text:00401111 push offset packetRecord
.text:00401116 call _RNBOsproRead@12 ; RNBOsproRead(x,x,x)
.text:0040111B and eax, 0FFFFh
.text:00401120 mov dword_410E60, eax
.text:00401125 call sub_401390
.text:0040112A mov eax, dword_410E54
.text:0040112F xor esi, esi ; esi = 0
.text:00401131 cmp eax, esi
.text:00401133 jnz short loc_40113D
.text:00401135 cmp dword_410E60, esi
.text:0040113B jz short loc_401145
.text:0040113D
.text:0040113D loc_40113D: ; CODE XREF: _main+133j
.text:0040113D mov dword_410E0C, esi ; mov 0 in 410E0C
.text:00401143 jmp short loc_401161
Tracing the proggie I have found that the word pointed to by 410E0C is initialized to 63h; a simple bpm will show you the address where the word is initialized. Ok, we know that the instruction at 40113D must be avoided; how is it possible (remember that you can patch only superpro functions)? Simple:
1. 410E54 must be 0
2. 410E60 must be 0

1.
Using xrefs you will arrive where the dword is changed:
Code:
.text:0040161C call _RNBOsproFindFirstUnit@8 ; RNBOsproFindFirstUnit(x,x)
.text:00401621 and eax, 0FFFFh ; return value is ax=0039
.text:00401626 mov dword_410E54, eax
.text:0040162B retn
Is it possible to mov 0 in 410E54? Sure, patching the sproFindFirstUnit function. As before, there are many ways to patch this function, here is mine:
Code:
.text:004077C6 mov word ptr [esi+6], 0B39h
.text:004077CC mov ax, 39h ; change in 'mov ax,0'
.text:004077D0 pop esi
.text:004077D1 pop ebx
.text:004077D2 retn 8
2.
410E60 contains the value returned from the sproRead function. In particular, the value is taken from the dongle's cell at address 3Fh. The idea is to emulate the dongle, patching the sproRead function to make it return zero when the cell to be read is number 3Fh. If you have read the tutorials linked above you should already know how to emulate the dongle.

Rackmount, I can't fully understand your problem.
You have passed this task and I suppose you have patched the sproRead function. How have you changed the function? Have you put 0 in eax at the end of the function, or have you emulated the dongle?

ZaiRoN
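Added example, not from the thread and not IDA's or Softice's own code: a small Python model of what the map-to-symloc step above does. It parses an IDA-style map file (format assumed from memory, sample constructed with the thread's own symbol names) and applies one linear base per section, which is exactly why symloc has to be run per section; it also recovers the 'name+offset' form IDA shows in xrefs (e.g. _main+13D).

```python
import re

# Constructed sample in the shape of an IDA 'Create Map File' output (assumed
# format): a segment table, then 'Publics by Value' lines of seg:offset name.
SAMPLE_MAP = """\
 Start         Length     Name                   Class
 0001:00000000 0000A000H .text                  CODE
 0002:00000000 00001000H .data                  DATA

  Address         Publics by Value

 0001:00000000       _main
 0001:00000230       sub_401230
 0001:00000390       sub_401390
 0001:00000400       sub_401400
 0002:00000036       word_40E036
"""

SEG_RE = re.compile(r"^\s*(\d{4}):([0-9A-Fa-f]{8})\s+([0-9A-Fa-f]{8})H\s+(\S+)\s+(\S+)\s*$")
PUB_RE = re.compile(r"^\s*(\d{4}):([0-9A-Fa-f]{8})\s+(\S+)\s*$")


def parse_map(text):
    """Return ({section: (name, length)}, [(section, offset, symbol), ...])."""
    sections, symbols = {}, []
    for line in text.splitlines():
        m = SEG_RE.match(line)
        if m:
            sections[int(m.group(1))] = (m.group(4), int(m.group(3), 16))
            continue
        m = PUB_RE.match(line)
        if m:
            symbols.append((int(m.group(1)), int(m.group(2), 16), m.group(3)))
    return sections, symbols


def relocate(symbols, bases):
    """Apply 'symloc <section> <selector> <linear-address>' for each section.

    bases maps section number -> linear base (the third symloc argument).
    Symbols in sections without a base stay unresolved, as in Softice when
    symloc was only run for the .code section.
    """
    resolved = {}
    for sec, off, name in symbols:
        if sec in bases:
            resolved[name] = bases[sec] + off
    return resolved


def symbol_at(resolved, addr):
    """Name an address as IDA's xref dialog does: 'sym' or 'sym+HEXOFFSET'."""
    best = None
    for name, base in resolved.items():
        if base <= addr and (best is None or base > best[1]):
            best = (name, base)
    if best is None:
        return None
    delta = addr - best[1]
    return best[0] if delta == 0 else f"{best[0]}+{delta:X}"


if __name__ == "__main__":
    _, syms = parse_map(SAMPLE_MAP)
    # Same bases as the thread's 'symloc 1 1b 401000'; .data base is constructed.
    table = relocate(syms, {1: 0x401000, 2: 0x40E000})
    for name, addr in sorted(table.items(), key=lambda kv: kv[1]):
        print(f"{addr:08X} {name}")
    print(symbol_at(table, 0x40113D))
```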

Rackmount
May 2nd, 2003, 13:26
ZaiRon:

I am by no means a graceful programmer. I hit things with a sledgehammer to fix them. For me on my system, I did not even get the first error message you show. This crackme runs in a DOS box...no messagebox breaks...as of yet. The first patch I did was on FindFirstUnit, which I patched as follows:

00407790 push ebx
00407791 push esi
00407792 mov eax, [esp+arg_0]
00407796 xor eax, eax ; was: or eax,eax
00407798 jz short loc_40779E ; always jumps now
0040779A mov ax, 2 ; ignored
0040779E pop esi
0040779F pop ebx
004077A0 retn 8

The second patch is at SProRead function and is almost identical to the code in Cyberheg's Sentinel License Manager Cracking tut starting right after the validate packet record line in this function. So far, all I have are zeros in the emulated dongle memory space. After I gain some insights from tracing I will place "stuff" in the memory area.

Your approach is far better at understanding the why aspects...mine is simply hitting the functions with a hammer without respect for the reasons...of course, I wouldn't want to bet that the hammer will work beyond where I am now. At this point, I believe that I will have to start paying attention to my surroundings and actually follow what is going on...and why (as you have done).

Thank you for the example on the SYMLOC function. I found it to be exactly what I needed to get it working.

Rackmount

ZaiRoN
May 2nd, 2003, 15:08
Hi,
Quote:
For me on my system, I did not even get the first error message you show.
This message depends on the OS; inside sproInitialize there is a call to GetVersion... For me, the message is shown in WinXP but not in W98.

ZaiRoN

Rackmount
May 2nd, 2003, 16:07
ZaiRon...Hola amigo:

So....now you know my OS...lol. Hey, the SYMLOC is not quite right...I made the sym file as described and opened and loaded with loader. I then opened sprocrackme.exe with loader, but didn't load, broke into SICE with Ctrl-D and entered SYMLOC 1 1b 401000, F-5'd back to loader and loaded the exe...looked around and....no symbols! Did I miss something?

I have noticed that when the prog first starts it is in the 408000 range and then after a bit of initialization routines it heads south to 401000. This affected my breaks on the SProRead calls, which was rectified once I stepped up to the code that began in 401000. I.e. when I initially set a break on 401116 it said something like "out of range", but once I got to the 401000 section it broke just fine....could this be affecting the symbol loading?

Rackmount

ZaiRoN
May 2nd, 2003, 16:39
Hi Rackmount,

I think it's my fault, sorry. I forgot to tell you when to use the symloc command. I added a new line in my previous post (the one in italic form):
"As you can see, you can't relocate all the symbols into the entire file but you have to relocate every single section.
Now, you can load the file and when sice breaks you can use the symloc command.
In this specific case I used:
symloc 1 1b 401000"

Using the sym command you can see if you have loaded symbols.
I hope this will solve your problem.

ZaiRoN

cyberheg
May 3rd, 2003, 01:37
Quote:
Originally posted by ZaiRoN
Hi, This message depends on the OS; inside sproInitialize there is a call to GetVersion... For me, the message is shown in WinXP but not in W98.

ZaiRoN

The error message usually just happens because you don't have the Sentinel Super Pro driver installed, not because of the OS you're using. Lots of software installs all kinda drivers without you knowing it, so I guess you just had the driver installed by luck on one OS while not on the other.

// CyberHeg

sope
May 3rd, 2003, 03:23
Hello ZaiRoN

Thanks for the info provided on map to symbol file & its importance. I did not know about the method you described above.

The methods I knew are below:

Method (1) :
Create a map file from IDA, then I run a utility "mapsym.exe" which creates a .sym file for the respective map file. Next I run "nmsym.exe" inside the softice folder on the created .sym file, which outputs a ".nms" file which I load by editing the winice.dat file and putting in the line below:

LOAD=G:\SIW405\sig.nms <--- and then reboot the machine.

Method (2):
Since I normally play with files of 10 to 15 MB in size, sometimes while converting the map file to a .sym file using the utility "mapsym.exe" I get some errors, "string not found". So in that case I use the great IDA plugin from Mostek to create the ".nms" file.

Regards
Sope!

Rackmount
May 5th, 2003, 09:38
Well...I have achieved success on at least one issue. The SYMLOC function is now working quite well thanks to ZaiRoN and sope. Now I have options...woo hoo! My problem was blindly inputting what ZaiRoN indicated without following what was going on with my computer. In my case the CS register was 016f and not 1b. By checking with the SYM function I was able to see where my symbols had loaded, then doing a MAP32 <progname> I saw where my program was located. Once the correction was made to bring the symbols in line with the correct CS, I had a roadmap to my program's code in SICE....nice.

A nice "trick?" I noticed in the crackme...some calls to SProRead use EAX for the key cell, others use EDX. I noticed this after marking down all EAX values during my SICE breaks on this function. Some of the values didn't look to be within possible cell ranges...according to the Sentinel manual, each key has 128 bytes of memory organized as 64 cells with addresses of 00 to 3F, yet I had a value of 102h in EAX in four calls. Stepping out of the read function confirmed that in several calls the key cell address was pushed in EDX instead of EAX. OK, so now I know what cells are being read; it is time to follow the store addresses and the changes to them to get a feel for what must go in my emulated dongle memory. (Side note: at this point, without the imposed rules, the proggie might be owned by changing the last few conditional jumps in the feature enabled/disabled check routine. This is inelegant and could work on some proggies, but may also leave you with very "buggy" cracks....err I mean "fixes".)

Hey...this isn't a timed test is it? lol Maybe not, as in the text of the crackme it says this is a time consuming effort. Anyway...this is my current status on the crackme.

(Oh...on a side note...I have applied these same sentinel emulations to my own personal target...and man did it get pissed...lol. It could be self checking...or maybe it is because I haven't fed its emulated memory yet. But on one side, the initial splash screen doesn't come up saying DEMO, but the proggie crashes shortly past the splash screen routine. An interesting thing I have seen on my target from an IDA disassembly: there appear to be no xrefs to the SProQuery function. Could it be that this company did not even use its dongle properly? But if this were the case, wouldn't my forcing the SProRead function to return SP_Success have "fixed" this program?)

Rackmount

cah
May 27th, 2003, 01:43
Hi cyberheg!

I downloaded SSP631CD.ZIP, but I was unable to unzip it; the CRC fails and the file is corrupt.

Please rezip into sizable volumes (~10 mb) for ease of downloading.

Please check your PM
CaH

FoxB
May 27th, 2003, 07:18
Hi!

Direct link:
ftp://ftp.rtcs.ru/Pub/drm/sx/6.3.1/sx-6.3.1-image.zip

FoxB

JMI
May 27th, 2003, 10:31
FoxB:

There's nothing in this directory.

cah:

The file is an "iso" file. Try unpacking it with WinRAR. Mine seems to work fine. You need a CD burning program to burn the iso to disk, and the software to do that.

Regards,

FoxB
May 27th, 2003, 22:06
To JMI,

Work link:
http://www.pericosecurity.com/downloads/SSP631CD.zip

FoxB

ramin_rad2000
February 26th, 2004, 03:58
Hi, I am working on CyberHeg's sentinel spro crackme but I am really lost in the darkness and I need help! (Sorry for my bad English, it is not my mother tongue.)
I used SoftICE and IDA.
This is the first call to sproRead; I need to know which words the dongle is expected to return.

.text:00401105 mov ax, word_0_40E036
.text:0040110b push offset unk_0_40E040 ---->bpm on this loc
.text:00401110 push eax
.text:00401111 push offset unk_0_410EB8 --->packet record
.text:00401116 call _RNBOsproRead@12

In SICE I used bpmw, bpmd and bpmb (all of them) on 016f (the DS register):0040E040 r
but it didn't work.

.text:0040111B and eax, 0FFFFh
.text:00401120 mov dword_0_410E60, eax
.text:00401125 call sub_0_401390

.text:00401390 mov eax, word_0_40E03A
.text:00401396 push offset word_0_40E042 --->bpm(like above)
.text:0040139B push eax
.text:0040139C push offset unk_0_410EB8
.text:004013A1 call _RNBOsproRead@12
.text:004013A6 mov cx, word_0_40E03C
.text:004013AD push offset dword_0_40E044 --->bpm(like above)
.text:004013B2 and eax, 0FFFFh
.text:004013B7 push ecx
.text:004013B8 push offset unk_0_410EB8
.text:004013BD mov dword_0_410E64, eax
.text:004013C2 call _RNBOsproRead@12
.text:004013C7 mov dx, word_0_40E03E
.text:004013CE push offset dword_0_4112C0 --->bpm(like above)
.text:004013D3 and eax, 0FFFFh
.text:004013D8 push edx
.text:004013D9 push offset unk_0_410EB8
.text:004013DE mov dword_0_410E68, eax
.text:004013E3 call _RNBOsproRead@12



And here is the emulated sproRead (part of it):

.text:004079C0 push ebp
.text:004079C1 lea edx, ds:410EFFh ---->store dongle code here?
.text:004079C7 shl ecx, 1
.text:004079C9 mov ebp, ecx
.text:004079CB add ebp, edx
.text:004079CD mov eax, [ebp+0]
.text:004079D0 pop ebp
.text:004079D1 mov dx, 400h
.text:004079D5 mov [esi+6], dx
.text:004079D9 nop
.text:004079DA nop
.text:004079DB nop
.text:004079DC nop
.text:004079DD mov [edi], ax
.text:004079E0
.text:004079E0 loc_0_4079E0: ; CODE XREF: .text:004079FE j
.text:004079E0 mov ax, [esi+6]
.text:004079E4 push eax
.text:004079E5 call sub_0_406F90 ; _I386SPRO500MSFTCIE@4
.text:004079EA pop edi
.text:004079EB pop esi
.text:004079EC retn 0Ch

I didn't calculate the delta offset because I didn't understand it in the other tutorials about sentinel; I thought I could simply put the dongle words somewhere suitable at the end of rdata or data (I can extend sections, right?). This emulated function always returns 0000 in ax, and I patched sproFindFirstUnit correctly (simple).

cyberheg
April 2nd, 2004, 02:17
I haven't been following the discussion too closely, but didn't any of you beat it yet?
I must say I am surprised people first caught attention on it now when it's 2 years since I made the crackme.

Another thing is my nick is CyberHeg, not cyberhedge or whatever people call me.

-- CyberHeg