
Cast Lighting Wysiwyg, sentinel protected


sneeze
November 4th, 2003, 04:23
Hi there!

I wanna say hi to Woodmann cuz you ROCK! I've read a couple of things and you're always right! Good work!

Well, I try to figure out, for school, the dongle protection of Sentinel SuperPro. I know a couple of things have already been written about this, but I still can't get my way around the Wysiwyg Release 6 software. I tried to compare with past versions, but they rebuilt the whole thing.

Here's the link, if it can help:
Link removed by Woodmann

Thanks for your help

Kayaker
November 4th, 2003, 11:58
Ahem. We all love Woodmann but what do you want him to do - crack it for you?

C'mon, if you've spent more than 5 minutes lurking here you'd know this isn't the way we do things. Forgive me but there's more than a couple of holes in your story. You expect us to believe this is a school project? Or that you've done any reasonable amount of "homework" on it in the past? So they rebuilt the whole thing. So what. How do YOU see that past versions are different from this one?

This is a school too, show your work, some background research, something!, else how can anyone grade this as anything more than a crack request?

Kayaker

dee
November 4th, 2003, 12:43
Hi to all

I had cracked Release 5 earlier, in the past, and this Release 6 of the program you are talking about (read the FAQ and do not post the program name, first of all).
It is Sentinel and some license protection; for me it was easy to undongle it. I think it must be easy for you too, just spend more time on it.

good luck

Woodmann
November 4th, 2003, 18:39
Howdy,

You have clearly mistaken me for someone else.

While it is true, I do rock, I am almost never right
about anything.
It was a nice try to schmooze me but it has failed.

Woodmann

sneeze
November 4th, 2003, 21:31
I'm sorry, I didn't want it to go that way.

You're right, it's not for school. I have version 3.5c and compared the .exe with the one from the site. I noted the changes and looked at the release 6, and it doesn't seem to be the same thing at all.

I don't want you to do it for me, I would just appreciate some cues to get my way around.

And sorry Woodmann for my mistake.

I hope it clears things up.

Thanks

Woodmann
November 4th, 2003, 21:44
Hi,

Thanks for your honesty

Now, on to your current project.

You need to tell us what you think/know about this new version.
If you can provide something that shows you have even a basic
understanding of this target, people will help you.


Woodmann

JMI
November 4th, 2003, 22:55
And don't forget Rule #1:

If you want to schmooze Woodmann, you HAVE to say you LOVE him. Really, he said it in one of his posts.

Honest!

I wouldn't make something like that up, would I?



Regards,

Zaza
November 5th, 2003, 00:17
My advice would be to redirect all dongle API calls to an emulator DLL.

The following code embedded into the emulated API might be useful, as it would reveal the return address on the call stack - and hence tell you where the API call was made from.

A little poking around the callee address should reveal useful info.

DWORD callee;
__asm {
    mov eax, dword ptr [ebp+4]  ; [ebp+4] holds the return address pushed by CALL, assuming a standard frame (push ebp / mov ebp, esp)
    mov callee, eax             ; save it to a C variable for later inspection
}

dee
November 5th, 2003, 06:29
2Zaza:

If you do not have an original dongle it may be useless or a long waste of time hunting for responses from the dongle.
Maybe you can give an example of such code.

Zaza
November 5th, 2003, 08:25
Hunting for responses can take some time, but then life isn't easy, is it!

It is only useless searching for responses if the code is actually encrypted using the dongle, which seems to be a rare thing.

If you have an original d0ngle then it can speed up the emulation of a sp0read function, as you could simply dump the cells - however, even with the original dongle you would have problems with spr0query.

In most cases the challenge/response values for spr0query will be very close to where the API is called.

sneeze
November 5th, 2003, 17:03
Hey thanks guys

I'm glad it turns out good finally!

I think I need to do some more tutorials and read how to emulate DLLs. I'll do my "homework" and I'll get back to you on that.

Thanks!

MaddMaxx
March 7th, 2004, 07:29
I only recently began reversing Sentinel SuperPro.
Now I am engaged in program Name and URL to Target Removed. I read the Cyberheg tutorials and many other authors, but I cannot understand how to find in the program the place where the correct "cell" values are checked.
Do not prompt me as me to be, and what law and check?

JMI
March 7th, 2004, 14:22
MaddMaxx:

Apparently you didn't learn anything by reading the previous posts in this thread. Go back and read the Big Red Letters at the top of the Forums and read the FAQ and then tell us what YOU have already done to solve your own problem. So far it looks like you want someone to take you by the hand and lead you through the dark codewoods. If you read the FAQ (or the contents of this thread) you would already know you are not supposed to post the name or URL of your target.

Regards,

Rackmount
March 12th, 2004, 15:20
I seem to recall that we did a little project on sentinel which included a small crackme...I got pretty far with the crackme until I got distracted with a different....well...ok... I got stuck on the last bit ;-P Still, it would be a good thing for those interested to check it out and see where you can go...If it is still active...I will add my thoughts and ideas up to as far as I got with that crackme to questions posed regarding its intricacies. Maybe together we can polish it off once and for all ;-)

MaddMaxx
March 13th, 2004, 19:19
I am now reversing version 1.08. I found only 4 cells:

00 - needs any number, not zero (0)
3a - product's expiry date (I write 0048 for the emulated sproRead function - expires June 2006)
3c - product ID (I write 2800 for the emulated sproRead function - version Perform)

but the program still uses
3b; 3e; 09; 34; 38

Earlier, when the old tutorials were written, the checks were open and it took no work to find both the values and the code sites.
Now they have learned to program and it is not so simple to find.
At first start the program does not see the system cell (3C) at all for me, and repeatedly reads everything correctly.
And so on until I clobber the memory region it worked with. Then again it sees nothing.
Likely some cells should be identical.
And everywhere, after the checks, I see this code:

lea ecx, [ebp+var_14]
.text:004B9E7E push ecx
.text:004B9E7F push eax
.text:004B9E80 push offset unk_912A20
.text:004B9E85 call sproRead - dongle function
.text:004B9E8A test ax, ax
.text:004B9E8D jz short loc_4B9EDB - if not zero

This code:

.text:004B9E8F mov eax, dword_912E48
.text:004B9E94 dec eax
.text:004B9E95 mov dword_912E48, eax
.text:004B9E9A jnz short loc_4B9ECB
.text:004B9E9C push 20h ; dwPriorityClass
.text:004B9E9E call ds:GetCurrentProcess
.text:004B9EA4 push eax ; hProcess
.text:004B9EA5 call ebx ; SetPriorityClass
.text:004B9EA7 mov eax, nPriority
.text:004B9EAC cmp eax, 0FFFFFFFFh
.text:004B9EAF jz short loc_4B9ECB
.text:004B9EB1 push eax ; nPriority
.text:004B9EB2 call ?AfxGetThread@@YGPAVCWinThread@@XZ ; AfxGetThread(void)
.text:004B9EB7 mov edx, [eax+2Ch]
.text:004B9EBA push edx ; hThread
.text:004B9EBB call ds:SetThreadPriority
.text:004B9EC1 mov nPriority, 0FFFFFFFFh
.text:004B9ECB
.text:004B9ECB loc_4B9ECB: ; CODE XREF: sub_4B8FC0+EDAj
.text:004B9ECB ; sub_4B8FC0+EEFj
.text:004B9ECB push offset unk_912E28 ; lpCriticalSection
.text:004B9ED0 call ds:LeaveCriticalSection
.text:004B9ED6 or eax, 0FFFFFFFFh
.text:004B9ED9 jmp short loc_4B9EED
.text:004B9EDB ; ---------------------------------------------------------------------------
.text:004B9EDB
.text:004B9EDB loc_4B9EDB: ; CODE XREF: sub_4B8FC0+ECDj
.text:004B9EDB mov ecx, offset unk_912E90
.text:004B9EE0 call sub_758D20
.text:004B9EE5 mov eax, [ebp+var_14]
.text:004B9EE8 and eax, 0FFFFh
.text:004B9EED
.text:004B9EED loc_4B9EED: ; CODE XREF: sub_4B8FC0+F19j
.text:004B9EED test eax, eax
.text:004B9EEF mov dword_951638, eax
.text:004B9EF4 jle short loc_4B9F02
.text:004B9EF6 mov dword_95163C, 1
.text:004B9F00 jmp short loc_4B9F0C


Please tell me - what is it?

I found Dee's crack for version 1.06. I downloaded this release, patched the file and looked at why Dee released emulation of the dongle functions in the program.
This patch only changes many JZ to JMP.
This patch does not have emulation.
But I am only interested in good emulation of the dongle function code.

TNX ALL !

dee
March 25th, 2004, 21:19
Return eax=0 in sproFindFirstUnit.
Return some bytes in cells 2 and 3 in sproRead (they are used as the request code), and eax=0.
This is all the emulation.
Now you need to find the right response serial to the request code and unlock Report or Design or Perform....

bye

MaddMaxx
March 26th, 2004, 17:03
Dee

Big big thank you.
I am looking at this.

but you tell me

"now you need to find right response serial to request code and unlock Report or Design or Perform...."

Is this the crypt code?
Where can I find it?

Where to start a search from: I know one address - 70b0c0 (in version 1.08.241).
The function returns in "eax" a product code (5 - Perform).
In your patch for version 1.06 you write in this function the code - mov al, 05.
Are you talking about that?

dee
March 26th, 2004, 21:44
I mean to unlock one of the options you need to find the right serial.
If the dongle emulation is done right, you should get a window with an ID (from the dongle) and a field for the response code.
Enter any code...
bpx GetWindowTextA, this should work as I remember...
bpm on the address where your input code is and start serial fishing...

In previous patches I just patched one function to return eax=5,
so it unlocked Perform 5000.

bye

MaddMaxx
March 27th, 2004, 04:49
Big thanks!
I'll look at it....

bye

Zaza
May 14th, 2004, 18:38
And then there's just the little matter of sproquery.......