Sentinel SuperPro Emulator


nikan
August 7th, 2004, 00:46
Hi all,
My problem is a target that is protected with SuperPro. Previously I changed the target and redirected the rnbo function to a DLL, but now I need a way for the target to work without patching.
If I write the sentinel.sys, the problem will be solved.
My question: can I write a filter driver that captures all data transfer between the program and the driver (sentinel.sys) and sends the correct result back to the program, or must I write a sentinel.sys?

thanks.

Jacques
August 8th, 2004, 21:58
Hi nikan,

I can't answer your question regarding the filter driver, but I did have a similar problem about a year ago where I had to bypass a superpro dongle without patching the target.

What saved me was finding an emulator by some guy called Steven that I was able to modify for my own purposes. There are a few versions of this emulator floating around, the one that I used was v0.24 because it had DebugPrint calls that allowed you to watch the calls being made in your debugger's output window... Steven did a pretty nice job. (There seems to be a v0.43 around, but it doesn't have the debug prints.)

The emulator is able to recognize 15 products. If the given vendor ID matches one that it knows about, then it will use the associated block of "dongle memory" for the read/write calls.

All I had to do was:
1) Change the vendor code to that of the target.
2) Adapt the "dongle memory" block so it provides data that works with whatever checks there are in the target.
3) Recompute the checksum field in the PE header. (This field is not used by standard EXEs, but is used by .sys drivers. I used LordPE to fix it.)

The emulator also has a 10 minute time limit built-in, but bypassing it is pretty easy. I suppose this is step #1.

This emulator worked great for the first target I used it on, however, just today I tried it on a second target (that's why I'm on the board again) and it doesn't recognize any of the function calls (in the debugger it says "fn is XXXX - yet unknown"). Something funny is going on in this new target, it seems that the function specifiers in the superpro packet are different with each invocation. Hopefully it will work in your case.

Let me know if you're interested and I can provide more details.

Jacques

nikan
August 9th, 2004, 00:49
Hi Jacques,

Thanks for your reply.
I have Sentinel emulator version 0.43 and a patch that removes the time limit.
Can you tell me if it supports sproQuery?
However, I decided to write a filter driver because if I copy the emulator's sentinel.sys to win32\driver then other SuperPro-protected programs do not work if I have the related dongle.
Also, it is good if the memory dump and sproQuery pairs can be changed from the registry.

nikan.

Jacques
August 9th, 2004, 01:56
I don't know for sure if version 0.43 of the emulator will work, but I imagine you can probably get it to work. I've never used it myself, mainly because it didn't have the DebugPrint calls, and v0.24 worked just fine for me. I also seem to remember that v0.43 is set up with only a single block of "dongle memory" (but I can't recall for certain).

As for sproQuery(), the emulator does recognize the call, and v0.24 prints the following info for it: "sproQuery: cell=%02X, len=%02X" to the debugger. What it does after this, beyond faking a good return code, I'm not exactly sure. (My target was quite simplistic, it just read the values in 5 cells and XOR'd them together, it didn't use sproQuery at all.) However, doing a quick scan of the code once more, I do see a call to a function that prints "process_query() - cant find dump"... so it seems that the emulator is set up to handle algorithm queries.

If you're not in a rush and you need to be able to use real Sentinel dongles too, then writing a filter driver sounds like the way to go. Unfortunately, I don't know enough about the Windows Driver Model to be able to tell if this will work or not.

I am quite interested in whether the filter driver would work, so if you do decide to do this, please keep posting your progress on the board.

Jacques

nikan
August 9th, 2004, 08:28
OK.
I started to write the filter driver with Compuware Driver Suite 2.7 and the Windows 2000 DDK.
Previously I wrote a program that can encrypt and decrypt the rnbo packet correctly.
Can anyone help me with any ideas and information about filter drivers?
I found that the Sentinel driver makes a device named "rnbdrv"; is it true?

Jacques
August 10th, 2004, 17:08
Quote:
[Originally Posted by nikan] OK.
I started to write the filter driver with Compuware Driver Suite 2.7 and the Windows 2000 DDK.
Previously I wrote a program that can encrypt and decrypt the rnbo packet correctly.
Can anyone help me with any ideas and information about filter drivers?
I found that the Sentinel driver makes a device named "rnbdrv"; is it true?

An original sentinel.sys has the following string refs in it:
\\Device\\ParallelPort
\\Device\\RNBODEV
\\DosDevices\\RNBODRV
but I have no idea if this is the proper way to refer to the driver when trying to add a filter layer to it.

Question for you:
Did you find a doc on the encryption/decryption of the spro packet, or did you trace the code and figure it out yourself?

Question for the dongle experts:
Is it even possible to create a filter driver for the sentinel drivers? It seems suspicious that no-one has done it before... (or maybe they have and I don't know about it).

nikan
August 11th, 2004, 01:27
The filter driver is written!!!
My filter driver and enc\dec algorithm work properly with Sentinel driver version 5.41!
I know about one version of this algorithm.
The next improvements in my project are:
1: read the dump and sproQuery pairs from the registry.
2: create a filter driver that works in 2 modes: emulate mode and capture mode.

nikan.

nikan
August 11th, 2004, 01:31
Hi Jacques,
Sorry for my bad English writing.
I traced a target that calls the rnbo function and found the way of enc\dec.
nikan.

Jacques
August 11th, 2004, 03:23
Quote:
[Originally Posted by nikan] The filter driver is written!!!
My filter driver and enc\dec algorithm work properly with Sentinel driver version 5.41!
nikan.

Excellent!

What driver name did you use when you created the "Device Filter" shell in Driver Studio?

Did you have to filter anything besides Read & Write? (and maybe Create & Close)?

nikan
August 11th, 2004, 06:51
Hi Jacques,
The symbolic names of the devices that are created by sentinel.sys are RNBODRV0 and RNBODRV1.
All packet transfers between the program and the driver are performed via the ReadFile function.
After any call to an rnbo function except (formatPacket for the first time, and initialize), the program prepares the packet, encrypts it and finally sends it to the driver via the ReadFile function.

nikan.

Jacques
August 12th, 2004, 02:05
Hi nikan,

I did know about passing the packet via ReadFile, but my driver knowledge is minimal at best, so I'm still having trouble figuring out where things fit in at that level.

What is the difference between RNBODRV0 and RNBODRV1? Is 0 for parallel and 1 for USB?

Thanks for the tips,
Jacques

nikan
August 12th, 2004, 05:21
Hi Jacques,
I am not sure, but possibly you are correct.
I tested my filter driver with a USB SuperPro dongle and the correct response was received from RNBODRV1.
I will test a parallel dongle ASAP to find out whether the dongle response is received from RNBODRV0 or not.

nikan.

cah
August 12th, 2004, 08:58
Dear Nikan,

How to find & analyse spro queries & their seed codes for a given application?
Do you have any tools for it? How to inject this code into the exe file?

Help in this is highly appreciated.
CaH

nikan
August 12th, 2004, 09:39
Hi Jacques,
The capture mode of my driver is completed.
I tested it with some protected programs, then I decided to test it with the SuperPro shell, so I created a shelled version of notepad.exe with my dongle.
You can see the data transfer between the Sentinel toolkit and the driver during protection here:

"
In,RNBOsproSetUnitInfo
OUT,RNBOsproSetUnitInfo
In,RNBOsproFindFirstUnit(DeveloperId=0x0000)
OUT,RNBOsproFindFirstUnit(DeveloperId=0x0)-> Status=0x0
In,RNBOsproOverwrite(WritePassword=0x0000,OverwritePassword1=0x0000,OverwritePassword2=0x0000,Address=0x3C,Data=0x226A,AccessCode=0x3)
OUT,RNBOsproOverwrite(WritePassword=0x0000,OverwritePassword1=0x0000,OverwritePassword2=0x0000,Address=0x3C,Data=0x226A,AccessCode=0x0)-> Status=0x0
In,RNBOsproOverwrite(WritePassword=0x0000,OverwritePassword1=0x0000,OverwritePassword2=0x0000,Address=0x3D,Data=0xEA46,AccessCode=0x3)
OUT,RNBOsproOverwrite(WritePassword=0x0000,OverwritePassword1=0x0000,OverwritePassword2=0x0000,Address=0x3D,Data=0xEA46,AccessCode=0x0)-> Status=0x0
In,RNBOsproSetUnitInfo
OUT,RNBOsproSetUnitInfo
In,RNBOsproFindFirstUnit(DeveloperId=0x0000)
OUT,RNBOsproFindFirstUnit(DeveloperId=0x0)-> Status=0x0
In,RNBOsproQuery(Address=0x3C,Data=0x1D5DDBD3,Length=0x4)
OUT,RNBOsproQuery(Response=2AFF717F,Response32=FF2A7F71)-> Status=0x0
In,RNBOsproQuery(Address=0x3C,Data=0x1E6D65B,Length=0x4)
OUT,RNBOsproQuery(Response=5BC57D9A,Response32=C0000A7D)-> Status=0x0
In,RNBOsproQuery(Address=0x3C,Data=0x40E7DC6F,Length=0x4)
OUT,RNBOsproQuery(Response=385CF58,Response32=5C38580F)-> Status=0x0
In,RNBOsproQuery(Address=0x3C,Data=0xD244FFA,Length=0x4)
OUT,RNBOsproQuery(Response=218B8727,Response32=8B212787)-> Status=0x0
In,RNBOsproQuery(Address=0x3C,Data=0xCB90863,Length=0x4)
OUT,RNBOsproQuery(Response=CA6777D8,Response32=67CAD877)-> Status=0x0
In,RNBOsproQuery(Address=0x3C,Data=0xDF72CA25,Length=0x4)
OUT,RNBOsproQuery(Response=C085466E,Response32=85C06E46)-> Status=0x0
In,RNBOsproQuery(Address=0x3C,Data=0x9F82141B,Length=0x4)
OUT,RNBOsproQuery(Response=30D73352,Response32=D7305233)-> Status=0x0
In,RNBOsproQuery(Address=0x3C,Data=0x83C5C3EB,Length=0x4)
OUT,RNBOsproQuery(Response=725BADEA,Response32=5B72EAAD)-> Status=0x0
In,RNBOsproQuery(Address=0x3C,Data=0xBF4FA9EC,Length=0x4)
OUT,RNBOsproQuery(Response=A31B782,Response32=1BA38207)-> Status=0x0
In,RNBOsproQuery(Address=0x3C,Data=0xDADD9E6C,Length=0x4)
OUT,RNBOsproQuery(Response=F1294E59,Response32=29F1594E)-> Status=0x0
In,RNBOsproSetUnitInfo
OUT,RNBOsproSetUnitInfo
In,RNBOsproFindFirstUnit(DeveloperId=0x0000)
OUT,RNBOsproFindFirstUnit(DeveloperId=0x0)-> Status=0x0
In,RNBOsproSetUnitInfo
OUT,RNBOsproSetUnitInfo
In,RNBOsproFindFirstUnit(DeveloperId=0x0000)
OUT,RNBOsproFindFirstUnit(DeveloperId=0x0)-> Status=0x0
In,RNBOsproQuery(Address=0x3C,Data=0x0000,Length=0x4)
OUT,RNBOsproQuery(Response=52D57DB8,Response32=D552B87D)-> Status=0x0
In,RNBOsproQuery(Address=0x3C,Data=0x44E4A547,Length=0x4)
OUT,RNBOsproQuery(Response=3950DE20,Response32=503920DE)-> Status=0x0
In,RNBOsproQuery(Address=0x3C,Data=0xDCF1C80,Length=0x4)
OUT,RNBOsproQuery(Response=35739CA,Response32=7335CA09)-> Status=0x0
In,RNBOsproQuery(Address=0x3C,Data=0x48B38CC,Length=0x4)
OUT,RNBOsproQuery(Response=78DB6474,Response32=DB787464)-> Status=0x0
In,RNBOsproQuery(Address=0x3C,Data=0x7192555D,Length=0x4)
OUT,RNBOsproQuery(Response=A8DD2735,Response32=DDA83527)-> Status=0x0
"

And after running the shelled notepad.exe, my program shows this sequence of calls to the driver:

"
In,RNBOsproFindFirstUnit(DeveloperId=0x0000)
OUT,RNBOsproFindFirstUnit(DeveloperId=0x0)-> Status=0x0
In,RNBOsproRead(Address=0x30)
OUT,RNBOsproRead(Packet,Address=0x30,Data=0x0)-> Status=0x0
In,RNBOsproRead(Address=0x34)
OUT,RNBOsproRead(Packet,Address=0x34,Data=0x0)-> Status=0x0
In,RNBOsproRead(Address=0x38)
OUT,RNBOsproRead(Packet,Address=0x38,Data=0x0)-> Status=0x0
In,RNBOsproRead(Address=0x3C)
OUT,RNBOsproRead(Packet,Address=0x3C,Data=0x0)-> Status=0x4
In,RNBOsproSetUnitInfo
OUT,RNBOsproSetUnitInfo
In,RNBOsproRead(Address=0x0)
OUT,RNBOsproRead(Packet,Address=0x0,Data=0x28)-> Status=0x0
In,RNBOsproQuery(Address=0x0,Data=0xB55EE90,Length=0x4)
OUT,RNBOsproQuery(Response=B55EE90,Response32=5EB500E9)-> Status=0x0
In,RNBOsproQuery(Address=0x3C,Data=0xA33A314C,Length=0x4)
OUT,RNBOsproQuery(Response=C3ED6B28,Response32=EDC3286B)-> Status=0x0
In,RNBOsproQuery(Address=0x3C,Data=0xB285D6C8,Length=0x4)
OUT,RNBOsproQuery(Response=74497B23,Response32=4974237B)-> Status=0x0
In,RNBOsproQuery(Address=0x3C,Data=0x44E4A547,Length=0x4)
OUT,RNBOsproQuery(Response=3950DE20,Response32=503920DE)-> Status=0x0
In,RNBOsproWrite(WritePassword=0x0000,Address=0x100,Data=0x3125,AccessCode=0x0)
OUT,RNBOsproWrite(WritePassword=0x0000,Address=0x100,Data=0x3125,AccessCode=0x0)-> Status=0x5
In,RNBOsproSetUnitInfo
OUT,RNBOsproSetUnitInfo
In,RNBOsproSetUnitInfo
OUT,RNBOsproSetUnitInfo
"

I changed the developer ID and passwords to zero!
I hope that this information helps you to solve your problem with the shell!
Again, sorry for my bad English writing.

nikan.

nikan
August 12th, 2004, 09:45
Hi CaH,

I don't know, but I guess that the sproQuery algo is the same as the packet transfer enc/dec algo.

nikan.

Jacques
August 12th, 2004, 18:17
Quote:
[Originally Posted by nikan] Hi Jacques,
The capture mode of my driver is completed.

I hope that this information helps you to solve your problem with the shell!
Again, sorry for my bad English writing.


Nice work nikan!

Thanks for including the call sequence information, it definitely helps. I think your idea of making a filter driver that can operate in both "spy" and "emulate" mode is definitely the best idea. Once you get it to work properly, you will be able to emulate any SuperPro dongle with only a little more effort.

I'm a little short on free time at the moment, so I will probably stop my work on my current target. Your efforts have inspired me to do this the right way, so as my spare time increases I think I will also try to write a filter driver like yours. Yesterday I identified the packet decryption code in v0.24 of the emulator and v5.41 of the real sentinel.sys. As expected, the emulator does not know about the newer encryption method. The encryption/decryption code is not trivial, but it's not too hard either...

Jacques

PS Your English is just fine, and it's probably a lot better than my ability at your native language. (what is it?)

nikan
August 16th, 2004, 02:46
Hi Jacques,

Tell me if I can help you in your project.
My project on SuperPro is completed. I started to write a filter driver for the HARDLOCK dongle. This is a harder target!!!

nikan.

Jacques
August 16th, 2004, 23:24
Quote:
[Originally Posted by nikan] Hi Jacques,

Tell me if I can help you in your project.
My project on SuperPro is completed. I started to write a filter driver for the HARDLOCK dongle. This is a harder target!!!

nikan.


Thanks for the offer nikan. If you don't mind, I will take you up on your offer, but not just yet because my free time is diminishing rapidly (work, life) and to make things worse, my main PC died last night. I'm looking at a complete re-install on a new drive, so it will probably be a week before I have enough time just to get the system back to where it was.

Anyways I'll keep you posted once I get back to it.

Thanks,
Jacques

nikan
August 18th, 2004, 08:24
Hi all,

Some notes on the SuperPro shell:

1. The packet signature in the sproQuery call from the shell is 0x7243, not 0x7242.
2. The sproQuery pairs are different in every run of the shelled program, so possibly it is removable without the dongle because probably the spro algo is hidden in the shell.

nikan.

PVA
August 20th, 2004, 02:06
Quote:
[Originally Posted by nikan] Some notes on the SuperPro shell:
1. The packet signature in the sproQuery call from the shell is 0x7243, not 0x7242.
2. The sproQuery pairs are different in every run of the shelled program, so possibly it is removable without the dongle because probably the spro algo is hidden in the shell.

1. In the new version of the drivers it supports both packet signatures.
2. The shell contains 16 pairs in two continuous tables that are XOR'ed by a const value. And it produces some (two?) requests that are decryption keys for sections.

[newbie]

P.S. Sorry for my bad English.

nikan
August 20th, 2004, 02:44
Hi PVA,

"In the new version of the drivers it supports both packet signatures"
Yes, I saw it before.

"The sproQuery pairs are different in every run of the shelled program, so possibly it is removable without the dongle because probably the spro algo is hidden in the shell"
I say it because the query pairs that are used by the shell are different in every run and are different from those that were used by the toolkit during shell-making time.

If the query algo is not hidden in the shell, therefore it is a symmetric algo, so that a program can XOR data with a const, then call sproQuery and supply the XORed data, then XOR the response with that const and the result is consistently valid. Is it true? I will test it.

nikan.

PVA
August 20th, 2004, 03:32
Quote:
[Originally Posted by nikan] "The sproQuery pairs are different in every run of the shelled program, so possibly it is removable without the dongle because probably the spro algo is hidden in the shell"...

The program may be unshelled w/o the dongle, but there is no sproQuery in the shell. It uses another algo. Basic unshell tricks are already described in the "Unbreak the shell" (or smth similar) tutorial by Cyberheg (AFAIK) & discussed on Russian messageboards.

[newbie]

nikan
August 20th, 2004, 08:56
Hi PVA,

I read that tut before because it is the first result of a search for "crack shell sentinel" on Google!!!
But I am searching for a new way of cracking the shell, if there is one.
If the query algo is not in the shell, then the idea that I wrote in my last post is true, isn't it?

However, I tested my emulator on some programs and it works perfectly, but it does not work on shelled programs and I want to add this feature to my emulator. If you have valuable info, please share it with me.

Thanks.
nikan.

nikan
August 26th, 2004, 13:08
Hi all,

There was a bug in my filter driver (packet overflow) that led me to misunderstand the shell-making procedure.

During shell making, sproQuery is called 500 times to make 500 query pairs that are XORed with two static data, encrypted and saved in section 00000001. And another call is for the encryption of some piece of the target.

nikan.

Flanger
August 31st, 2004, 23:36
Hello, Nikan.
I have the same problem. Help me please. I am sorry for the impudent request. Give me the source code of your filter driver. Sorry for my English.

Best Regards ,
Flanger.