Hi Rackmount,
Before replying to you I will write a little summary of my initial approach to the crackme and an example of how to use map and sym files.
Reading the tutorials mentioned before, I downloaded IDA's "Sentinel Superpro lib" signature:
http://www.woodmann.net/crackz/Tools/Dongles/Dongsigs.zip
I recommend downloading this file because it will help you recognize the functions used by the dongle.
Load the file into IDA and then, when the initial autoanalysis is finished, apply the new signature: click on 'File/Load File/FLIRT Signature File'. In the new window you have to choose the right signature; scroll down until you reach Sentinel SuperPro. There are 2 different signatures for the SPro; I chose the one written by CyberHeg only because I suppose it is the most recent version of the signature (CyberHeg, is it right?). Well, apply the sig! As you can see, all the functions used by the crackme are clearly visible. Now it's easier to study the disassembled file.
------------------------------
An example for Rackmount's thread in the 'Tools of the Trade' section: map files.
What about seeing the names of these new functions (I mean sproInitialize, sproRead... and also the renamed variables and so on) in SoftICE's code window? This is possible using the map file produced by IDA.
I don't think many people use map files but (imho) it's a very useful feature! We will see how to create the map file with IDA and how to apply it to SoftICE.
In IDA, click on 'File/Produce/Create Map File' and create the file. Now look for msym.exe; it's a simple 16-bit application located inside the 'Softice\util16' directory. This utility converts a .map file into a .sym file; this conversion is necessary because .sym is the extension needed by Symbol Loader. When the .sym file has been created you have to run Symbol Loader: 'File/Open' to open the .sym file created before, then load it using 'Module/Load'. If everything went fine you will see the message:
----- '<Drive>:\<Path>\SPRO.SYM' symbols loaded -----
Well, we have almost completed the job; in fact, the initialization is done and we need to load the file sprocrackme.exe. Open the exe file but don't load it yet; you need to know how to relocate the symbol base. This last task is not done by default: you need to tell SoftICE how to relocate the symbols. 'Symloc' is the command we will use. The most generic form is:
symloc <section-number> <selector> <linear-address>
where:
<section-number> is the number of the section where to apply the symbols; the first section is '1', the second is '2' and so on
<selector> is the... selector
<linear-address> is the base address of the section.
As you can see, you can't relocate all the symbols of the entire file at once; you have to relocate every single section.
Now you can load the file, and when SICE breaks you can use the symloc command. In this specific case I used:
symloc 1 1b 401000
where:
1 is the first section
1b is the selector, the value of CS register
401000 is the base address of the code section (.text)
No need to use symloc on other sections. If you have forgotten to recover the section and its base address, do not despair: you can do it inside SoftICE using the 'Map32 Sprocrackme' command.
Ok, we have finished! Now you can step through your code viewing all the names you need.

------------------------------
Ok, back to the crackme.
Running the crackme you will see a message box showing this message: "General error! Status code is 12". Our first task is to kill this nag. Looking through the code you will find where the message box is called from:
Code:
.text:004010E7 push offset packetRecord ; the packet record
.text:004010EC call _RNBOsproInitialize@4 ; initialize sentinel system driver
.text:004010F1 push eax ; eax = the status code
.text:004010F2 mov word_4112BC, ax
.text:004010F8 call sub_401230 ; display the message if ax!=0
...
.text:00401230 mov eax, [esp+arg_0]
.text:00401234 sub esp, 400h
.text:0040123A test ax, ax ; eax != 0 then messagebox
.text:0040123D jz short loc_40126B
We must have ax=0 at 4010F1. We need to patch RNBOsproInitialize! This task is very simple.
Code:
.text:004075B5 mov edi, [esp+0Ch+arg_0]
.text:004075B9 or edi, edi
.text:004075BB jnz short loc_4075C9 ; to modify
.text:004075BD mov ax, 2 ; to modify
.text:004075C1 pop edi
.text:004075C2 pop esi
.text:004075C3 add esp, 4
.text:004075C6 retn 4
I changed the two instructions into:
xor eax, eax
nop
nop
nop
nop
There are infinite ways to solve this problem; choosing one is enough.
First problem solved! Now we need to take care of the message 'Dongle not found'. A simple search inside the code will reveal:
Code:
.text:00401400 mov eax, dword_410E0C
.text:00401405 test eax, eax
.text:00401407 jnz short loc_40141D
.text:00401409 push offset aDongleNotFound ; "Dongle not found\n"
.text:0040140E call _printf ; display the error
The error message is shown if dword_410E0C==0. We need to locate where the proggie changes this dword. I use IDA's xrefs to perform this kind of operation. Click on dword_410E0C and hit 'x'; a dialog will appear showing:
w _main+13D mov dword_410E0C, esi ; w: something is written to the dword
r sub_401400 mov eax, dword_410E0C ; r: the dword value is read
Obviously, the one we are looking for is the first line. Double click on the line:
Code:
.text:00401105 mov ax, word_40E036
.text:0040110B push offset unk_40E040 ; word_40E040 will contain the word read by the function
.text:00401110 push eax ; cell to read at address 3Fh
.text:00401111 push offset packetRecord
.text:00401116 call _RNBOsproRead@12 ; RNBOsproRead(x,x,x)
.text:0040111B and eax, 0FFFFh
.text:00401120 mov dword_410E60, eax
.text:00401125 call sub_401390
.text:0040112A mov eax, dword_410E54
.text:0040112F xor esi, esi ; esi = 0
.text:00401131 cmp eax, esi
.text:00401133 jnz short loc_40113D
.text:00401135 cmp dword_410E60, esi
.text:0040113B jz short loc_401145
.text:0040113D
.text:0040113D loc_40113D: ; CODE XREF: _main+133j
.text:0040113D mov dword_410E0C, esi ; mov 0 in 410E0C
.text:00401143 jmp short loc_401161
Tracing the proggie I found that the word pointed to by 410E0C is initialized to 63h; a simple bpm will show you the address where the word is initialized. Ok, we know that the instruction at 40113D must be avoided; how is it possible (remember that you can patch only SuperPro functions)? Simple:
1. 410E54 must be 0
2. 410E60 must be 0
1.
Using xrefs you will arrive where the dword is changed:
Code:
.text:0040161C call _RNBOsproFindFirstUnit@8 ; RNBOsproFindFirstUnit(x,x)
.text:00401621 and eax, 0FFFFh ; return value is ax=0039
.text:00401626 mov dword_410E54, eax
.text:0040162B retn
Is it possible to mov 0 into 410E54? Sure, by patching the sproFindFirstUnit function. As before, there are many ways to patch this function; here is mine:
Code:
.text:004077C6 mov word ptr [esi+6], 0B39h
.text:004077CC mov ax, 39h ; change in 'mov ax,0'
.text:004077D0 pop esi
.text:004077D1 pop ebx
.text:004077D2 retn 8
2.
410E60 contains the value returned by the sproRead function. In particular, the value is taken from the dongle's cell at address 3Fh. The idea is to emulate the dongle by patching the sproRead function so that it returns zero when the cell to be read is number 3Fh. If you have read the tutorials linked above you should already know how to emulate the dongle.
Rackmount, I can't fully understand your problem.
You have passed this task and I suppose you have patched the sproRead function. How have you changed the function? Have you put 0 into eax at the end of the function, or have you emulated the dongle?
ZaiRoN
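The per-section relocation that symloc performs in the map-file section above (section-relative offsets from the IDA map plus a linear base, one section at a time), written in Python as an added example that is not part of ZaiRoN's post. The map excerpt is constructed in IDA's 'Publics by Value' layout from names quoted in the post; only the section-1 base 401000h comes from the post, the section-2 base 410000h is an assumption.

```python
"""Relocate IDA .map publics the way SoftICE's 'symloc <section> <selector> <linear>' does.
Added example, not from ZaiRoN's post; the map excerpt below is constructed."""
import re
from bisect import bisect_right

# Constructed excerpt of an IDA-produced .map file: <section>:<offset>  <name>.
SAMPLE_MAP = """
 Start         Length     Name                   Class
 0001:00000000 00001000H .text                  CODE
 0002:00000000 00002000H .data                  DATA

  Address         Publics by Value

 0001:00000230       sub_401230
 0001:00000400       sub_401400
 0002:00000E0C       dword_410E0C
 0002:00000E54       dword_410E54
"""
PUBLIC_RE = re.compile(r"^\s*([0-9A-Fa-f]{4}):([0-9A-Fa-f]{8})\s+(\S+)\s*$")

def parse_map(text):
    """Return [(section, offset, name)] from the 'Publics by Value' part of a map file."""
    publics, in_publics = [], False
    for line in text.splitlines():
        if "Publics by Value" in line:
            in_publics = True
        elif in_publics and (m := PUBLIC_RE.match(line)):
            publics.append((int(m[1], 16), int(m[2], 16), m[3]))
    return publics

def relocate(publics, bases):
    """The symloc step: add each section's linear base to its offsets.
    A section with no base given (no symloc issued for it) stays unresolved."""
    return {bases[s] + off: name for s, off, name in publics if s in bases}

def symbolize(table, addr):
    """Show addr as name or name+delta from the nearest preceding symbol, as the debugger does."""
    addrs = sorted(table)
    i = bisect_right(addrs, addr) - 1
    if i < 0:
        return "%08X" % addr          # no symbol below this address
    delta = addr - addrs[i]
    return table[addrs[i]] + ("+%X" % delta if delta else "")

if __name__ == "__main__":
    # Only section 1 relocated, mirroring 'symloc 1 1b 401000' from the post.
    table = relocate(parse_map(SAMPLE_MAP), {1: 0x401000})
    print(symbolize(table, 0x40123A))  # sub_401230+A
```

Passing a base for section 2 as well resolves the data symbols too, which is what a second symloc for that section would do.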