Jacques
August 8th, 2004, 21:58
Hi nikan,
I can't answer your question regarding the filter driver, but I did have a similar problem about a year ago where I had to bypass a superpro dongle without patching the target.
What saved me was finding an emulator by some guy called Steven that I was able to modify for my own purposes. There are a few versions of this emulator floating around; the one that I used was v0.24 because it had DebugPrint calls that allowed you to watch the calls being made in your debugger's output window... Steven did a pretty nice job. (There seems to be a v0.43 around, but it doesn't have the debug prints.)
The emulator is able to recognize 15 products. If the given vendor ID matches one that it knows about, then it will use the associated block of "dongle memory" for the read/write calls.
All I had to do was:
1) Change the vendor code to that of the target.
2) Adapt the "dongle memory" block so it provides data that works with whatever checks there are in the target.
3) Recompute the checksum field in the PE header. (This field is not used by standard exe's, but is used by .sys drivers. I used LordPE to fix it.)
The emulator also has a 10 minute time limit built-in, but bypassing it is pretty easy. I suppose this is step #1.
This emulator worked great for the first target I used it on, however, just today I tried it on a second target (that's why I'm on the board again) and it doesn't recognize any of the function calls (in the debugger it says "fn is XXXX - yet unknown"). Something funny is going on in this new target, it seems that the function specifiers in the superpro packet are different with each invocation. Hopefully it will work in your case.
Let me know if you're interested and I can provide more details.
Jacques
Jacques
August 9th, 2004, 01:56
I don't know for sure if version 0.43 of the emulator will work, but I imagine you can probably get it to work. I've never used it myself, mainly because it didn't have the DebugPrint calls, and v0.24 worked just fine for me. I also seem to remember that v0.43 is set up with only a single block of "dongle memory" (but I can't recall for certain).
As for sproQuery(), the emulator does recognize the call, and v0.24 prints the following info for it: "sproQuery: cell=%02X, len=%02X" to the debugger. What it does after this, beyond faking a good return code, I'm not exactly sure. (My target was quite simplistic, it just read the values in 5 cells and XOR'd them together, it didn't use sproQuery at all.) However, doing a quick scan of the code once more, I do see a call to a function that prints "process_query() - cant find dump"... so it seems that the emulator is set up to handle algorithm queries.
If you're not in a rush and you need to be able to use real Sentinel dongles too, then writing a filter driver sounds like the way to go. Unfortunately, I don't know enough about the Windows Driver Model to be able to tell if this will work or not.
I am quite interested in whether the filter driver would work, so if you do decide to do this, please keep posting your progress on the board.
Jacques
nikan
August 12th, 2004, 09:39
Hi Jacques,
The capture mode of my driver is completed.
I tested it with some protected programs, then I decided to test it with the SuperPro shell, so I created a shelled version of notepad.exe with my dongle.
You can see the data transfer between the Sentinel toolkit and the driver during protection here:
"
In,RNBOsproSetUnitInfo
OUT,RNBOsproSetUnitInfo
In,RNBOsproFindFirstUnit(DeveloperId=0x0000)
OUT,RNBOsproFindFirstUnit(DeveloperId=0x0)-> Status=0x0
In,RNBOsproOverwrite(WritePassword=0x0000,OverwritePassword1=0x0000,OverwritePassword2=0x0000,Address=0x3C,Data=0x226A,AccessCode=0x3)
OUT,RNBOsproOverwrite(WritePassword=0x0000,OverwritePassword1=0x0000,OverwritePassword2=0x0000,Address=0x3C,Data=0x226A,AccessCode=0x0)-> Status=0x0
In,RNBOsproOverwrite(WritePassword=0x0000,OverwritePassword1=0x0000,OverwritePassword2=0x0000,Address=0x3D,Data=0xEA46,AccessCode=0x3)
OUT,RNBOsproOverwrite(WritePassword=0x0000,OverwritePassword1=0x0000,OverwritePassword2=0x0000,Address=0x3D,Data=0xEA46,AccessCode=0x0)-> Status=0x0
In,RNBOsproSetUnitInfo
OUT,RNBOsproSetUnitInfo
In,RNBOsproFindFirstUnit(DeveloperId=0x0000)
OUT,RNBOsproFindFirstUnit(DeveloperId=0x0)-> Status=0x0
In,RNBOsproQuery(Address=0x3C,Data=0x1D5DDBD3,Length=0x4)
OUT,RNBOsproQuery(Response=2AFF717F,Response32=FF2A7F71)-> Status=0x0
In,RNBOsproQuery(Address=0x3C,Data=0x1E6D65B,Length=0x4)
OUT,RNBOsproQuery(Response=5BC57D9A,Response32=C0000A7D)-> Status=0x0
In,RNBOsproQuery(Address=0x3C,Data=0x40E7DC6F,Length=0x4)
OUT,RNBOsproQuery(Response=385CF58,Response32=5C38580F)-> Status=0x0
In,RNBOsproQuery(Address=0x3C,Data=0xD244FFA,Length=0x4)
OUT,RNBOsproQuery(Response=218B8727,Response32=8B212787)-> Status=0x0
In,RNBOsproQuery(Address=0x3C,Data=0xCB90863,Length=0x4)
OUT,RNBOsproQuery(Response=CA6777D8,Response32=67CAD877)-> Status=0x0
In,RNBOsproQuery(Address=0x3C,Data=0xDF72CA25,Length=0x4)
OUT,RNBOsproQuery(Response=C085466E,Response32=85C06E46)-> Status=0x0
In,RNBOsproQuery(Address=0x3C,Data=0x9F82141B,Length=0x4)
OUT,RNBOsproQuery(Response=30D73352,Response32=D7305233)-> Status=0x0
In,RNBOsproQuery(Address=0x3C,Data=0x83C5C3EB,Length=0x4)
OUT,RNBOsproQuery(Response=725BADEA,Response32=5B72EAAD)-> Status=0x0
In,RNBOsproQuery(Address=0x3C,Data=0xBF4FA9EC,Length=0x4)
OUT,RNBOsproQuery(Response=A31B782,Response32=1BA38207)-> Status=0x0
In,RNBOsproQuery(Address=0x3C,Data=0xDADD9E6C,Length=0x4)
OUT,RNBOsproQuery(Response=F1294E59,Response32=29F1594E)-> Status=0x0
In,RNBOsproSetUnitInfo
OUT,RNBOsproSetUnitInfo
In,RNBOsproFindFirstUnit(DeveloperId=0x0000)
OUT,RNBOsproFindFirstUnit(DeveloperId=0x0)-> Status=0x0
In,RNBOsproSetUnitInfo
OUT,RNBOsproSetUnitInfo
In,RNBOsproFindFirstUnit(DeveloperId=0x0000)
OUT,RNBOsproFindFirstUnit(DeveloperId=0x0)-> Status=0x0
In,RNBOsproQuery(Address=0x3C,Data=0x0000,Length=0x4)
OUT,RNBOsproQuery(Response=52D57DB8,Response32=D552B87D)-> Status=0x0
In,RNBOsproQuery(Address=0x3C,Data=0x44E4A547,Length=0x4)
OUT,RNBOsproQuery(Response=3950DE20,Response32=503920DE)-> Status=0x0
In,RNBOsproQuery(Address=0x3C,Data=0xDCF1C80,Length=0x4)
OUT,RNBOsproQuery(Response=35739CA,Response32=7335CA09)-> Status=0x0
In,RNBOsproQuery(Address=0x3C,Data=0x48B38CC,Length=0x4)
OUT,RNBOsproQuery(Response=78DB6474,Response32=DB787464)-> Status=0x0
In,RNBOsproQuery(Address=0x3C,Data=0x7192555D,Length=0x4)
OUT,RNBOsproQuery(Response=A8DD2735,Response32=DDA83527)-> Status=0x0
"
And after running the shelled notepad.exe, my program shows this sequence of calls to the driver:
"
In,RNBOsproFindFirstUnit(DeveloperId=0x0000)
OUT,RNBOsproFindFirstUnit(DeveloperId=0x0)-> Status=0x0
In,RNBOsproRead(Address=0x30)
OUT,RNBOsproRead(Packet,Address=0x30,Data=0x0)-> Status=0x0
In,RNBOsproRead(Address=0x34)
OUT,RNBOsproRead(Packet,Address=0x34,Data=0x0)-> Status=0x0
In,RNBOsproRead(Address=0x38)
OUT,RNBOsproRead(Packet,Address=0x38,Data=0x0)-> Status=0x0
In,RNBOsproRead(Address=0x3C)
OUT,RNBOsproRead(Packet,Address=0x3C,Data=0x0)-> Status=0x4
In,RNBOsproSetUnitInfo
OUT,RNBOsproSetUnitInfo
In,RNBOsproRead(Address=0x0)
OUT,RNBOsproRead(Packet,Address=0x0,Data=0x28)-> Status=0x0
In,RNBOsproQuery(Address=0x0,Data=0xB55EE90,Length=0x4)
OUT,RNBOsproQuery(Response=B55EE90,Response32=5EB500E9)-> Status=0x0
In,RNBOsproQuery(Address=0x3C,Data=0xA33A314C,Length=0x4)
OUT,RNBOsproQuery(Response=C3ED6B28,Response32=EDC3286B)-> Status=0x0
In,RNBOsproQuery(Address=0x3C,Data=0xB285D6C8,Length=0x4)
OUT,RNBOsproQuery(Response=74497B23,Response32=4974237B)-> Status=0x0
In,RNBOsproQuery(Address=0x3C,Data=0x44E4A547,Length=0x4)
OUT,RNBOsproQuery(Response=3950DE20,Response32=503920DE)-> Status=0x0
In,RNBOsproWrite(WritePassword=0x0000,Address=0x100,Data=0x3125,AccessCode=0x0)
OUT,RNBOsproWrite(WritePassword=0x0000,Address=0x100,Data=0x3125,AccessCode=0x0)-> Status=0x5
In,RNBOsproSetUnitInfo
OUT,RNBOsproSetUnitInfo
In,RNBOsproSetUnitInfo
OUT,RNBOsproSetUnitInfo
"
I changed the developer ID and passwords to zero!
I hope that this information helps you to solve your problem with the shell!
Again, sorry for my bad English writing.
nikan.
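
An added example, not part of nikan's post or of any Sentinel tooling: a small checker for a capture in the format shown above. It lists calls that returned a non-zero status and tests whether each Query line's `Response` text matches its `Response32` value. The byte-order rule it uses (swap the two bytes of each 16-bit half, print each byte without zero padding) is an assumption inferred from the visible lines, and the sample lines are a subset copied from the post.

```python
import re

# Lines copied from the capture posted above (a subset, not the full trace).
TRACE = """\
OUT,RNBOsproQuery(Response=2AFF717F,Response32=FF2A7F71)-> Status=0x0
OUT,RNBOsproQuery(Response=5BC57D9A,Response32=C0000A7D)-> Status=0x0
OUT,RNBOsproQuery(Response=385CF58,Response32=5C38580F)-> Status=0x0
OUT,RNBOsproQuery(Response=A31B782,Response32=1BA38207)-> Status=0x0
OUT,RNBOsproRead(Packet,Address=0x3C,Data=0x0)-> Status=0x4
OUT,RNBOsproQuery(Response=B55EE90,Response32=5EB500E9)-> Status=0x0
OUT,RNBOsproWrite(WritePassword=0x0000,Address=0x100,Data=0x3125,AccessCode=0x0)-> Status=0x5
"""

OUT_RE = re.compile(r"^OUT,(\w+)\((.*)\)-> Status=0x([0-9A-Fa-f]+)$")

def parse_out(line):
    """Return (api, fields, status) for an OUT line, or None for anything else."""
    m = OUT_RE.match(line.strip())
    if not m:
        return None
    # Positional items such as "Packet" carry no "=" and are skipped.
    fields = dict(kv.split("=", 1) for kv in m.group(2).split(",") if "=" in kv)
    return m.group(1), fields, int(m.group(3), 16)

def render_response(response32):
    """Rebuild the Response text from Response32 under the assumed format:
    swap the two bytes of each 16-bit half, print each byte unpadded."""
    b = bytes.fromhex(response32.zfill(8))
    return "".join(f"{x:X}" for x in (b[1], b[0], b[3], b[2]))

def analyse(trace):
    """Return (calls with non-zero status, Query lines whose fields disagree)."""
    failed, inconsistent = [], []
    for line in trace.splitlines():
        rec = parse_out(line)
        if rec is None:
            continue
        api, fields, status = rec
        if status != 0:
            failed.append((api, fields.get("Address"), status))
        if (api == "RNBOsproQuery"
                and render_response(fields["Response32"]) != fields["Response"]):
            inconsistent.append(fields["Response"])
    return failed, inconsistent

if __name__ == "__main__":
    print(analyse(TRACE))
```

Because `Response` is printed without padding, a seven-digit value such as `385CF58` cannot be split into bytes on its own; `Response32` is the unambiguous field, and the one line the check flags may simply be damaged in the posted text.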