Sentinel Super Pro Need Help [Archive] - RCE Messageboard's Regroupment

View Full Version : Sentinel Super Pro Need Help

sope

April 29th, 2003, 08:56

Hello Everybody

I am working on a Sentinel Super Pro Target, I don't have access to the Dongle. If any body who can look at this target, & tell me if its really possible without dongle because after tracing, logging i see that the programmer never compares the return value which is read from the dongle.

It reads the words, copies word to different places then joins the 3 words from different cell & pass that as parameters to a dll file. Which copies, to some other address does something then pushes BADNUM offset & then compares it & again we r in some dlls its such a confusion i just can't put it on paper.

Hope to get atleast hints so that i keep moving & learning + shareing too

Regards
Sope!

Below is the things which i have already noted on this target.

(1) sprofindfirstunit 0x7745E0
(2) SproRead 0x7747B0
(3) SproActivate 0x774920
(4) SproExtentedRead 0x774860
(5) SproDecrement 0x766FB3
(6) SproQuery 0x774BA0

Code:



:00766C70	push    0CB46h		<--- Developer ID.

:00766C75	push    edi		<--- rnbo handle 

:00766C76       call    sproFindFirstUnit

(1) Trival emulation for sprofindfirstunit and it's done.

Before we reach SproRead(), diged this part of the program

Now this is wired stuff i haven't see anything like this there is approx. 427 parameters pushed & calls a function some manipulation goes there in that function. i did not understood whats going in there.

Code:



:00768100   mov     eax, dword_B745BC   ; <--- move Flag check variable

:00768105   test    eax, eax

:00768107   jnz     short locret_76813B

:00768109   mov     dword_B745BC, 1     ; <--- move 1 to the Flag



Below functions pushes 427 times some values & calls 1 functions.



:00768113   call    sub_7D2D10		; After the call eax=0x30E0480

:00768118   call    sub_7C56D0		; eax=0x30E4280

:0076811D   call    sub_7B7FC0		; eax=0x30E8080

:00768122   call    sub_7AA7D0		; eax=0x30EDE00

:00768127   call    sub_79D2F0		; eax=0x30F1C00

:0076812C   call    sub_78FB40		; eax=0x30F5A00

:00768131   call    sub_782480 		; eax=0x30F9800

:00768136   jmp     loc_774E50         ;  eax=0x30FD600

I noted the eax value from the functions returned & only thing i understood was if we subtract we get exactly 0x3E00 bytes. So that much chunks of bytes manipulated or initialized.

0x30EDE00 - 0x30E8080 - 0x3E00 bytes similarly for the rest of it.
Now i reach SproRead(). I don't rip any code here for it.

:00413CD3 Call 414290 <--- reads Cell 0 & Cell 1 stores in EAX.

Cell 1 is recovered from sproFindFirstUnit() & Cell 0 dongle id i put 0x1111 so in EAX i had 0x1111CB46 which is stored at 0x2FAF8D8. Delayed checking it gets XOR with static value 0x42FCE52A then stored.

Next i reach below code

:00413D33 call sub_4142F0 <--- this call Reads Cell 1F, 22, 25, 20, 23, 26, 21, 24, 27

:00413D38 push offset aBadnum ; "BADNUM"
:00413D3D lea ecx, [esp+32]
:00413D41 mov [esp+230h], ebx
:00413D48 call sub_411330

I don't rip any code here. What i does i'll explain here in short.

It takes 2 parameters first is the Address where the word from the Cell Read
will be stored, second the Cell number.

Code:



-----------------------------------------------------------------

Address	Cell No.  Address    Cell No. Address    Cell No.

-----------------------------------------------------------------

0x2FAF88A	  0x1F	  0x2FAF88A    0x20   0x2FAF88A    0x21	

0x2FAF890	  0x22	  0x2FAF890    0x23   0x2FAF890    0x24

0x2FAF888	  0x25	  0x2FAF888    0x26   0x2FAF888    0x27



Note: Address 0x2FAF88A stores for 1F / 20 / 21

	      0x2FAF890 stores for 22 / 23 / 24

	      0x2FAF888	stores for 25 / 26 / 27

sub_414110 which calls sproread is been cross reference from 22 different location. Cell: 1E, 2B, 2C, 32, 33, 34, 35, 36, 2D, 2E i never reach this part of the program.

Next i reach. as name suggest BADNUM. Till here there is no checking what word it read from the dongle.

:00413D38 push offset aBadnum ; "BADNUM"
:00413D3D lea ecx, [esp+32]
:00413D41 mov [esp+230h], ebx
:00413D48 call sub_411330 <--- Copy Words from dongle read to some location.

Then call again routines of reading Cell 0 & Cell 1 & then again Cell 1F, 22, 25, 20, 23, 26, 21, 24, 27. Its difficult to put on paper now where things gets copied, read manipulated etc...

Assumption:
While going through the string reference i also see some license file which i guess is required for proper execution. Ref to file with ".sec" is suspicious. 0xB0EA34 is the ref to some file with ".sec" extension.

scorpie

April 30th, 2003, 04:49

Hello Sope,

Could you kindly inform us about your target clearly. Curtail information is not informative enough.

Bye,
Scorpie

sope

April 30th, 2003, 06:09

Hello scorpie

Thanks for your interest. Please check your PM.

Regards
Sope!

scorpie

April 30th, 2003, 23:50

Hello Sope,

Thank you for the reply.

Kindly check your PM.

Regards,
Scorpie

Rackmount

May 1st, 2003, 11:36

Hey guys:

I am really interested in Sentinel dongle protections as well. Any chance I can follow your progress on this to maybe give me some additional insights into these type dongles? I can't say that "see your PM" is very helpful to me. I do understand the reason behind it though, and will leave off if that is your choice. I can't say that I will be able to offer any assistance on your project Sope, but I would love to eat some of the brain matter being offered by others to assist you.

Rackmount

sope

May 2nd, 2003, 08:27

Not possible without some ".sec" security files

Hello scorpie, rackmount

Below is the full details of things that i have noted down. After emulating SproFindFirstUnit we land below.

Code:

00413CD1 loc_413CD1:		

00413CD1     mov ecx, esi	    ; ecx is some sort of table

00413CD3     call Read_Cell01	    ; Call to Read Cell 0 & Cell 1

00413CD8     cmp eax, 0FFFFFFFFh    ; we have eax=0x1111CB46

00413CDB     mov [esp+18h], eax	    ; save it at 0x2FAF8D8

00413CDF     jnz short loc_413CE8   ; carry on from here

00413CE1     or	 eax, eax

00413CE3     jmp loc_4140EB



00414290 Read_Cell01 proc near

00414290 var_8=	dword ptr -8

00414290 var_4=	dword ptr -4



00414290     sub esp, 8

00414293     lea eax, [esp+0]

00414297     push esi

00414298     push eax			; EAX=0x2FAF8B4

00414299     mov esi, ecx

0041429B     push 0			; push cell to read = 0

0041429D     call sproread_called

004142A2     test eax, eax	

004142A4     jz	 short loc_4142AE 	; if zero go & read cell 1

004142A6     or	 eax, 0FFFFFFFFh  

004142A9     pop esi

004142AA     add esp, 8

004142AD     retn



004142AE loc_4142AE:				 



004142AE     lea ecx, [esp+8] 		; Get Store Address in ecx

004142B2     push ecx	      		; push on stack

004142B3     push 1	      		; push cell to read = 1

004142B5     mov ecx, esi    		; esi is some form of a table

004142B7     call sproread_called 

004142BC     test eax, eax    		

004142BE     jz	 short loc_4142C8	; if zero go here loc_4142C8

004142C0     or	 eax, 0FFFFFFFFh

004142C3     pop esi

004142C4     add esp, 8

004142C7     retn



004142C8 loc_4142C8:			

004142C8     mov eax, [esp+4]		; Get WORD read from Cell 0 address in edx=0x1111

004142CC     mov edx, [esp+8]		; Get WORD read from Cell 1 address in edx=0xCB46

004142D0     and eax, 0FFFFh		; Preserve Lower bytes

004142D5     and edx, 0FFFFh

004142DB     shl eax, 10h		; ShiftLeft Low Word to High Word

004142DE     or	 eax, edx 		; EAX = 0x1111CB46

004142E0     pop esi

004142E1     add esp, 8

004142E4     retn

004142E4 Read_Cell01 endp



Note: Word read from Cell 0 is stored at 0x2FAF8B4 = 0x1111

      Word read from Cell 1 is stored at 0x2FAF8B8 = 0xCB46

      which gets stored in 0x2FAF8D8 



After some compares with 0 we land below.



00413D2C loc_413D2C:				 

00413D2C     lea ecx, [esp+16]	

00413D30     push ecx		; ecx = 0x2FAF8D0

00413D31     mov ecx, esi	; ecx = esi = 0x30FC050



00413D33     call Read_Cell_1f_27	Call to Read Cell 1F to 27



004142F0 Read_Cell_1f_27 proc near		 ; CODE	XREF: sub_412490+87p

004142F0					 ; sub_413890+6Dp

004142F0					 ; sub_413B00+233p

004142F0 

004142F0 var_C=	dword ptr -0Ch

004142F0 var_8=	dword ptr -8

004142F0 var_4=	dword ptr -4

004142F0 arg_0=	dword ptr  4

004142F0 

004142F0     sub esp, 0Ch

004142F3     push ebx	 		; ebx = 0

004142F4     push esi			; esi = 0x30FC050

004142F5     lea eax, [esp+10h]		; eax = 0x2FAF8B4 Address of Cell 0

004142F9     push edi			; edi = 0

004142FA     push eax			; push Cell 0 address

004142FB     push 25h			; Push cell 0x25

004142FD     push 22h			; Push cell 0x22

004142FF     mov esi, ecx		; esi = ecx = 0x30FC050 

00414301     push 1Fh			; Push cell 0x1F

00414303     mov dword ptr [esp+24h], 0	; Moves 0 to address of Cell 0



0041430B     call sub_4144E0		; Call SproRead



Lets Examine this call sub_4144E0



004144E0 sub_4144E0 proc near			 ; CODE	XREF: Read_Cell_1f_27+1Bp

004144E0					 ; Read_Cell_1f_27+2Fp

004144E0					 ; Read_Cell_1f_27+43p

004144E0					 ; call_to_read_Cell_3b+20p

004144E0 

004144E0     push ecx			; ECX = 0x30FC050

004144E1     push ebx			; EBX = 0

004144E2     push esi			; ESI = 0x30FC050

004144E3     mov esi, ecx		; esi = ecx = 0x30FC050

004144E5     lea eax, [esp+0Ah]		; EAX = 0x2FAF88A Store Address of Cell 0x1F

004144E9     mov ecx, [esp+10h]		; Get Cell to Read ecx = 0x1F

004144ED     push edi			; edi = 0

004144EE     push eax			; push eax = 0x2FAF88A

004144EF     push ecx			; push ecx = Cell 0x01F

004144F0     mov ecx, esi		; esi = ecx = 0x30FC050

004144F2     call sproread_called	 



ok, sproread_called is = sub_414110 which reads word from the respective cell 

and stores in the address pushed above. Similarly it calls for Cell 22 & 25.

Check the table above in my first post about it.



We reach the below code now



0041451D     test ebx, ebx		

0041451F     jz	 short loc_414565	; jump will be taken

00414521     test edi, edi

00414523     jz	 short loc_41454C

00414525     test eax, eax

00414527     jz	 short loc_414533



sooner we will reach the below code

continues in next post ......

sope

May 2nd, 2003, 08:28

Code:

00414582 loc_414582:				 



00414582     mov dx, [esp+14h]		; dx = word from cell 22 stored address

00414587     mov si, [esp+0Ch]		; si = word from cell 25 stored address

0041458C     test ebx, ebx

0041458E     jz	 short loc_4145A5	; jump will be taken

00414590     cmp dx, si

00414593     jnz short loc_4145A5

00414595     mov eax, [esp+20h]

00414599     pop edi

0041459A     pop esi

0041459B     pop ebx

0041459C     mov [eax],	dx

0041459F     xor eax, eax

004145A1     pop ecx

004145A2     retn 10h

004145A5 

004145A5 loc_4145A5:			 

004145A5				 

004145A5     mov cx, [esp+0Eh]	 	; cx = word from cell 1F stored address

004145AA     test edi, edi

004145AC     jz	 short loc_4145C3	; jump will be taken



004145C3 loc_4145C3:				 

004145C3     test eax, eax

004145C5     jz	 short loc_4145DC      	; jump will be taken

004145C7     cmp cx, dx		       	

004145CA     jnz short loc_4145DC      	; jump will be taken	



004145DC loc_4145DC:			

004145DC     test ebx, ebx

004145DE     jnz short loc_414631

004145E0     test edi, edi

004145E2     jnz short loc_414631

004145E4     test eax, eax

004145E6     jnz short loc_414631

004145E8     cmp cx, dx	;<-- compare word from cell 0x1F with cell 0x22

004145EB     jnz short loc_4145FB     ; if not next compare

004145ED     mov edx, [esp+20h]



004145FB loc_4145FB:				 

004145FB     cmp cx, si	;<--- compare word from cell 0x1F with cell 0x25

004145FE     jnz short loc_414610     ; if not next compare

00414600     mov eax, [esp+20h]



00414610 loc_414610:				 

00414610     cmp dx, si  ; <--- compare word from cell 0x22 with cell 0x25

00414613     jnz short loc_414625     	; if not mov in eax=0xFFFFFFFD

00414615     mov ecx, [esp+20h]	      	; or get Cell 0 address & store word of cell 0x22

00414619     pop edi

0041461A     pop esi

0041461B     xor eax, eax

0041461D     mov [ecx],	dx	     	; <--- here save the word from cell 0x22

00414620     pop ebx

00414621     pop ecx

00414622     retn 10h



00414625 loc_414625:				 ; CODE	XREF: sub_4144E0+133j

00414625     pop edi

00414626     pop esi

00414627     mov eax, 0FFFFFFFDh	

0041462C     pop ebx

0041462D     pop ecx

0041462E     retn 10h

0041463A sub_4144E0 endp



004145E8     cmp cx, dx	;<-- compare word from cell 0x1F with cell 0x22

004145FB     cmp cx, si	;<-- compare word from cell 0x1F with cell 0x25

00414610     cmp dx, si ;<-- compare word from cell 0x22 with cell 0x25



what happens is if at 0x4145E8 cx = dx then cx word is stored, similarly if at 0x4145Fb cx = si then cx word is stored, if at 0x414610 dx = si dx word is stored.

if it does not match eax=0xFFFFFFFFFD & ret.



Next we reach here



00414338     test edi, edi

0041433A     jnz short loc_414369	

0041433C     test ebx, ebx

0041433E     jnz short loc_414369

00414340     test eax, eax

00414342     jnz short loc_414369

00414344     mov eax, [esp+0Ch]		; get in eax= word from cell24

00414348     mov ecx, [esp+10h]		; get in ecx= word from cell23

0041434C     mov edx, [esp+14h]		; get in edx= word from cell23

00414350     mov esi, [esp+1Ch]		; get address to copy

00414354     push eax

00414355     push ecx

00414356     push edx

00414357     mov ecx, esi		; ecx=0x2FAF8D0 address where 3 cell words read will be stored

00414359     call ECX_3Cell_Words_stored 

0041435E     mov eax, esi

00414360     pop edi

00414361     pop esi

00414362     pop ebx

00414363     add esp, 0Ch

00414366     retn 4



After this we land here 



00413D38     push offset aBadnum	; "BADNUM"

00413D3D     lea ecx, [esp+32]		; ecx=2FAF8DC 

00413D41     mov [esp+230h], ebx

00413D48     call is_strcopy		; copies in ecx address BADNUM

00413D4D     push eax	      		; eax=2FAF8DC

00413D4E     lea ecx, [esp+20]		; ecx=2faF8D0

00413D52     call sub_412630		; compare it with 3 cell words stored 

00413D57     lea ecx, [esp+28]		

00413D5B     mov edi, eax

00413D5D     call unknown_libname_18	; compare each bytes with BADNUM if not edi = 0 otherwise 1

00413D62     cmp edi, ebx		

00413D64     jz	 short loc_413D94	; if zero it ties to open a file rb attribute

00413D66     mov ecx, esi		; prepared for same stuff again

00413D68     mov [esi+14h], ebx

00413D6B     call sub_413890		; Reads Cell 0_1



ok the below compare is important. If edi = 0 we take the jump loc_413D94

otherwise we are back in the same old routines Read Cell 0 then 1 etc...



00413D62     cmp edi, ebx		

00413D64     jz	 short loc_413D94	; if zero it ties to open a file rb attribute



Let see what it does 



00413D94 loc_413D94:				 

00413D94     sub esp, 8

00413D97     lea edx, [esp+18h]

00413D9B     mov ecx, esp

00413D9D     mov [esp+24h], esp

00413DA1     push edx

00413DA2     call is_strncpy	; copies to different address

00413DA7     lea eax, [esp+2Ch]

00413DAB     push 200h

00413DB0     push eax		; eax = address of 3 cell words read 

00413DB1     mov ecx, esi	; esi = some table

00413DB3     call sub_413A20	; perform some maths & we get some file name in ecx



00413DB8     lea ecx, [esp+24h]

00413DBC     push 0B0EA40h	; "rb" read binary mode

00413DC1     push ecx		; which file for me c:\-1.sec 

00413DC2     call ds:fopen	; Open it 

00413DC8     mov ebp, eax

00413DCA     add esp, 8

00413DCD     cmp ebp, ebx

ok, so its confirmed there is some ".sec" (security) file which is opend in "rb" mode & some good info is stored in it. So the assumptions was correct.

Regards
Sope!