Sentinel sprofindfirstunit


m2lk
November 5th, 2004, 05:47
Hi there all - just joined !

I'm newish to all this and am starting out on my first Sentinel target. I read some of the excellent tutorials by Goatass and Cyberheg and embarked on attacking my target.

I have the original dongle, IDA and Killer 3k signatures and started by patching sprofindfirstunit - with a mind to BPX with Softice on Sproread to find the dongle words being passed.

I assumed that I could patch sprofindfirstunit and leave the dongle connected and all would be well, but that's not the case.

Do the generic patches of NOPing the jump and mov ax, 0 commonly screw up using the original dongle?

This will probably be the first of many questions!

Thanks for any advice.

Sab
November 6th, 2004, 20:05
Patching any of the initializing API will definitely screw up any other APIs even with real dongle connected. There is some info in the init API used other than return 0 (: But the whole purpose of patching the API boggles my mind because you have the original dongle, simply trace over that API in SoftICE, it should pass. Once you have figured out sproread (which you can also just use a generic dumper from crackz site url on this forum) then you have all the read query values and can do a nice little emulation. Watch out for sproquery, that's about the only manual work involved here. Btw, when you have the original dongle you should never need to patch the executable, only when you are done with the dongle can you start to remove these APIs, there is no benefit to patching the API in this situation.... I suggest reading the API help for the most basic of the sspro APIs, then try programming your own sspro protected app, possibly just use the dongle you have if it's not a developer dongle, and then crack your own app, now you can go and attack a commercial app which may use some advanced tricks. Have fun...........Sabs

m2lk
November 9th, 2004, 06:22
Thanks for the reply Sab.

Yes, I soon realised I was going the wrong way about it!

With my limited Assembly knowledge I've managed to get sprofindfirstunit and sproread bypassed okay. Sproquery is somewhat more daunting: Sproquery is called ten times, then some CMPs are started. I can follow the dongle as it passes each test but I'm not at all sure when the tests stop and the program starts properly. Am I missing any obvious tricks?

Thanks.

Sab
November 9th, 2004, 06:42
Well again, you need not go such a difficult way. All you need to do is look at the sproquery API, or any dongle query API structure in that case. Think of it like this... Dongle needs to be seeded first with a query, then the dongle can give back the corresponding query. i.e. Send dongle 12345, dongle returns 8d3044. SO..... Log all the queries that the application sends to the dongle by setting your bpx at the sproquery API, then log all the return values and make a table emulation.............................................Sbabsdfsdfsdf

m2lk
November 10th, 2004, 18:16
I've really got stuck and in a vain hope that someone might put me right I've pasted some of the code.

The calls to Sproquery take the form below and repeat about 10 times with only the memory addresses changing. Push 4 and Push 8 remain the same each time.

.text:0047DABD call sproQuery
.text:0047DAC2 test ax, ax
.text:0047DAC5 jnz loc_47DDA4
.text:0047DACB lea ecx, [esp+84h+var_60]
.text:0047DACF push 4
.text:0047DAD1 lea edx, [esp+88h+var_6C]
.text:0047DAD5 push ecx
.text:0047DAD6 lea eax, [esp+8Ch+var_70]
.text:0047DADA push edx
.text:0047DADB push eax
.text:0047DADC push 8
.text:0047DADE push offset unk_598A88
.text:0047DAE3 mov byte ptr [esp+9Ch+var_70], 47h
.text:0047DAE8 mov byte ptr [esp+9Ch+var_70+1], 1
.text:0047DAED mov byte ptr [esp+9Ch+var_70+2], 0B7h
.text:0047DAF2 mov byte ptr [esp+9Ch+var_70+3], 22h
.text:0047DAF7 call sproQuery
.text:0047DAFC test ax, ax
.text:0047DAFF jnz loc_47DDA4
........................................................................etc.

At the end of the 10 calls some CMP are used.

Inside Sproquery we have:

.text:004ED2E0 push ebx
.text:004ED2E1 push esi
.text:004ED2E2 push edi
.text:004ED2E3 mov eax, [esp+arg_0]
.text:004ED2E7 or eax, eax
.text:004ED2E9 jnz short loc_4ED2F5
.text:004ED2EB mov ax, 2
.text:004ED2EF pop edi
.text:004ED2F0 pop esi
.text:004ED2F1 pop ebx
.text:004ED2F2 retn 18h
.text:004ED2F5 ; ---------------------------------------------------------------------------
.text:004ED2F5
.text:004ED2F5 loc_4ED2F5: ; CODE XREF: sproQuery+9j
.text:004ED2F5 push eax
.text:004ED2F6 call sub_4E6B60
.text:004ED2FB mov esi, eax
.text:004ED2FD cmp word ptr [esi], 7242h
.text:004ED302 jz short loc_4ED310
.text:004ED304 mov ax, 2
.text:004ED308 pop edi
.text:004ED309 pop esi
.text:004ED30A pop ebx
.text:004ED30B retn 18h
.text:004ED30B ; ---------------------------------------------------------------------------
.text:004ED30E align 4
.text:004ED310
.text:004ED310 loc_4ED310: ; CODE XREF: sproQuery+22j
.text:004ED310 test byte ptr [esi+12h], 4
.text:004ED314 jnz short loc_4ED326
.text:004ED316 mov word ptr [esi+6], 0B39h
.text:004ED31C mov ax, 39h
.text:004ED320 pop edi
.text:004ED321 pop esi
.text:004ED322 pop ebx
.text:004ED323 retn 18h
.text:004ED326 ; ---------------------------------------------------------------------------
.text:004ED326
.text:004ED326 loc_4ED326: ; CODE XREF: sproQuery+34j
.text:004ED326 mov eax, [esp+arg_8]
.text:004ED32A or eax, eax
.text:004ED32C jnz short loc_4ED340
.text:004ED32E mov word ptr [esi+6], 410h
.text:004ED334 mov ax, 10h
.text:004ED338 pop edi
.text:004ED339 pop esi
.text:004ED33A pop ebx
.text:004ED33B retn 18h
.text:004ED33B ; ---------------------------------------------------------------------------
.text:004ED33E align 4
.text:004ED340
.text:004ED340 loc_4ED340: ; CODE XREF: sproQuery+4Cj
.text:004ED340 mov bx, [esp+arg_14]
.text:004ED345 cmp bx, 38h
.text:004ED349 jbe short loc_4ED35B
.text:004ED34B mov word ptr [esi+6], 414h
.text:004ED351 mov ax, 14h
.text:004ED355 pop edi
.text:004ED356 pop esi
.text:004ED357 pop ebx
.text:004ED358 retn 18h
.text:004ED35B ; ---------------------------------------------------------------------------
.text:004ED35B
.text:004ED35B loc_4ED35B: ; CODE XREF: sproQuery+69j
.text:004ED35B lea edi, [esi+3Ch]
.text:004ED35E push ebx
.text:004ED35F push edi
.text:004ED360 push eax
.text:004ED361 call sub_4E6B30
.text:004ED366 mov word ptr [esi+30h], 10h
.text:004ED36C mov ax, [esp+arg_4]
.text:004ED371 mov [esi+34h], ax
.text:004ED375 mov [esi+36h], bx
.text:004ED379 push esi
.text:004ED37A call sub_4EB6D0
.text:004ED37F or al, al
.text:004ED381 jnz short loc_4ED3C0
.text:004ED383 mov eax, [esp+arg_C]
.text:004ED387 or eax, eax
.text:004ED389 jz short loc_4ED39C
.text:004ED38B push ebx
.text:004ED38C push eax
.text:004ED38D push edi
.text:004ED38E call sub_4E6B30
.text:004ED393 push ebx
.text:004ED394 push 0
.text:004ED396 push edi
.text:004ED397 call sub_4E6C30
.text:004ED39C
.text:004ED39C loc_4ED39C: ; CODE XREF: sproQuery+A9j
.text:004ED39C mov eax, [esp+arg_10]
.text:004ED3A0 or eax, eax
.text:004ED3A2 jz short loc_4ED3B0
.text:004ED3A4 mov ecx, [esi+38h]
.text:004ED3A7 mov [eax], ecx
.text:004ED3A9 mov dword ptr [esi+38h], 0
.text:004ED3B0
.text:004ED3B0 loc_4ED3B0: ; CODE XREF: sproQuery+C2j
.text:004ED3B0 ; sproQuery+EEj
.text:004ED3B0 mov ax, [esi+6]
.text:004ED3B4 push eax
.text:004ED3B5 call sub_4EC520
.text:004ED3BA pop edi
.text:004ED3BB pop esi
.text:004ED3BC pop ebx
.text:004ED3BD retn 18h
.text:004ED3C0 ; ---------------------------------------------------------------------------
.text:004ED3C0
.text:004ED3C0 loc_4ED3C0: ; CODE XREF: sproQuery+A1j
.text:004ED3C0 mov ax, [esi+6]
.text:004ED3C4 push eax
.text:004ED3C5 call sub_4EC520
.text:004ED3CA cmp ax, 0Ch
.text:004ED3CE jnz short loc_4ED3B0
.text:004ED3D0 mov ax, 3
.text:004ED3D4 pop edi
.text:004ED3D5 pop esi
.text:004ED3D6 pop ebx
.text:004ED3D7 retn 18h
.text:004ED3D7 sproQuery endp
.text:004ED3D7
.text:004ED3D7 ; ---------------------------------------------------------------------------

I assume that the dongle call is at 004ED37A with the returned dongle word in EAX at 004ED383?

What exactly should I be looking for as the input and output in Sproquery?

Sorry for being such a lamer.

Sab
November 10th, 2004, 19:58
I'd have to say this app is a bit too much to start with, but if you are quick enough you will definitely have no problem making a solution here. As far as sproquery goes, it is only contained from a cracker's view within this scope..
.text:004ED2E0 push ebx
.text:004ED2E1 push esi
.text:004ED2E2 push edi
.text:004ED2E3 mov eax, [esp+arg_0]
.text:004ED2E7 or eax, eax
.text:004ED2E9 jnz short loc_4ED2F5
.text:004ED2EB mov ax, 2
.text:004ED2EF pop edi
.text:004ED2F0 pop esi
.text:004ED2F1 pop ebx
.text:004ED2F2 retn 18h

ignore the jumps, and since you are probably using IDA here, do an xref on all the calls to 004ed2e0. That will show all the sproquery calls (that are not hidden at least)
.text:0047DAF7 call sproQuery this just may be only one call to it. There may be 2 more or hundreds more. Set a breakpoint there and see...
Here are two paths to finish this app...
The easy path...
emulate sproquery to return always 0 like other api...
then butcher the code that goes after the jnz.
.text:0047DAE3 mov byte ptr [esp+9Ch+var_70], 47h
.text:0047DAE8 mov byte ptr [esp+9Ch+var_70+1], 1
.text:0047DAED mov byte ptr [esp+9Ch+var_70+2], 0B7h
.text:0047DAF2 mov byte ptr [esp+9Ch+var_70+3], 22h
.text:0047DAF7 call sproQuery
.text:0047DAFC test ax, ax
.text:0047DAFF jnz loc_47DDA4
-----> you stopped pasting here but this is where the magic happens for the easy path, it may look something like..
cmp returnedval, fixedvalue
jnz badplace
mov flag, goodval

or if it's a more complicated program and it uses it for calculations in the routine later on, you see something like..
mov [constantval], returneddongleval
ret
and later in the program it will use it for something either compare or constant in calculation.

Harder but better way....
Find out all the queries, and what their challenge value is.... then log the returned response value. Make a table emulation from this. The only way to learn how to do this is to read the API guide so you know how to locate these values in the stack for the emulator... Have fun.. if this doesn't help enough, try getting the Sentinel SDK and programming your own little appy and crack that first....--......-Sabaorksdflkjlsadf

JMI
November 11th, 2004, 13:51
m2lk:

We really do not want people to post lots and lots of code and ask others to tell them where they went wrong. It just eats up storage room on the server. If you need this much help, this type of detailed exchange of code can be handled through email and/or PM, rather than pasting all this here.

Regards,

m2lk
November 12th, 2004, 13:07
Apologies JMI. I won't post as much if there's a next time.

Have to say though that I'm glad I did post it - YOU ARE A STAR SAB !!!

My app is fully functional without its dongle and has been working fine for several hours so far.

I had actually already tried your suggestion to force Sproquery to pass any test and I had patched some of the following CMPs, but I must have given up a few jumps too early. Your suggestion pushed me on - just what I needed!

I used the butchery method with lots of NOPS and it worked a dream !!

THANKS SO MUCH for the help SAB I owe you some virtual beer!!

Thanks also to this forum!

m2lksduhfeifpsidfasi

Sab
November 15th, 2004, 03:59
I'll gladly take that virtual beer, but I'd rather have some virtual lobster dinner or steak. Glad to see you got it working, that's the first step generally.. but most importantly you did it yourself, unlike others who cannot fathom this possibility and must rely on others as though they were mentally handicapped. Great job, but I do suggest now you go and do a better quality emulation by using the table method for sproquery, and copy one of the sproreads that are readily available all over the net. It's better to learn this method because when you encounter a more complex Sentinel, butchering will not be an option. Have fun and good to see progress is still happening.. (: Sabororoisfkdod