Need help with Sentinel SuperPro
Calintz
December 18th, 2004, 18:27
Hello everybody,
first I wanna thank all who are making the effort to keep this forum the best.
Recently I had an affair with a HASP dongle protected program. Having the original dongle, I didn't have a problem emulating it; emulation was perfect with HaspEmul made by brain's studio. I just dumped the original dongle, converted it manually to reg, installed the emulated driver and activated the dump. The emulator emulated the dongle as it was the reg; the key name of the reg was the pwd for the dongle, and it just worked fine.
Now, with a software which is protected with Sentinel SuperPro, I've found some emulators, brute forced the pwd for the dongle, & successfully dumped, but was shocked that in the dump there were several bytes x00 x00, just two which were x01 & x07, and also some that weren't decrypted. Is this dump the real dump from the dongle? I dunno ..., but I continued my work & activated the emulator (that emulator doesn't say where to put the reg in the registry). I got an idea: I activated the emulation & did the brute force. Now the program that brute forces will search in the reg for the key, & I found that it was brute forcing this path: HKLM\Controlset001\Services\Sentinel\XXXX (XXXX --> is the brute force area, 0001 .. 0002 .... 0003...). I've created a key with the dongle pwd & put the dump in a Binary Value, but still the emulator doesn't give the info in the binary value to the soft ... If someone could explain what's wrong I'll be thankful, just to tell if he does see the problem, nothing else. Thank you very much.
CrackZ
December 18th, 2004, 21:59
2 suggestions.
1st, whatever happened to debugging the Sentinel API or the driver and figuring it out? ;-).
2nd. Perhaps this is more helpful. If this is the dongle emulator I'm thinking it is which I believe it probably is, you require some additional registry entries, specifically, "MemoryAccess" to tell the emulator what status each memory cell has, and also "Status" & "Security". If you'd loaded the driver into IDA you would probably have seen this.
Regards
CrackZ.
JMI
December 19th, 2004, 12:30
Listen to the man. He knows whereof he speaks.
Regards,
Calintz
December 20th, 2004, 17:17
Sentinel drivers V5.41. I used all the emulators that I found, "sentemul" & "sentinel emul pro all versions".
V0.43 of SEP worked fine. It emulated the dongle.
Let me talk a little about the software: it's not an exe file, it's like a plugin that adds a menu to a program. There are two .arx files that, when I hex-edit them, have the index of an executable but don't execute (not a valid win32 application). One of the arx files is responsible for calling spro, even the name is (sproXXXX.arx). For that reason I cannot trace them with SoftICE (I'm working with SoftICE on XP), not to mention that the main program is anti-SoftICE .... Well, with IDA I opened the 'sproXXXX.arx'; sigs didn't show any RNBO call, but I found the famous '7242' called many, many times. I patched all of them, no result ..., always (dongle not found).
The thing that I don't understand is:
I have the original dongle. I tried to dump it; with brute force it found the id at '7AD9' & dumped. But the full real id is '7AD9A5' (taken from the dongle info that the software gives). The dump isn't what I was waiting for: there were too many x00 bytes, only two bytes with x01 & x07, & others that weren't decrypted.
Well, now I continued the work & tried to emulate. Without emulation & with the dongle not connected, when I click a menu it says (dongle not found). But when I used the Sentinel emulator pro (0.43), without placing the dump anywhere in the reg (cuz I don't even know where to place it, the emulator doesn't say where), I click the added protected menu in the program. It first says (you have XXX days left for evaluation) (xxx is generated each time I click a menu (256, 19, 12, 140...)), and just after the box that says you have xxx days evaluation left, another box appears (I don't access the menu) saying: "Key Incorrect". It means that the soft read the key info from I dunno where and it was incorrect. I was shocked when I clicked on 'dongle info in the program' & saw that the id emulated was 7AD9XXXX (xxxx are numbers that are generated each time I click a menu). The one that the emulator emulated was the first 4 digits of my dongle id; where did it see this??...
CrackZ
December 20th, 2004, 19:44
I assumed you were talking about Sentemul.
I'm puzzled by your reasons as to why you can't debug .arx files (I'm assuming they are AutoCAD plugins, if not please correct me). I've never had any problems with them since they are loaded like libraries by AutoCAD (big hint here). I'd bet the anti-SoftICE is trivial also..... Have you researched what method might be obstructing your debugging?
OK, you found many '7242' references and patched them all. With all due respect, how in the hell did you honestly expect this to work? ;-) What patches did you make? (I'm assuming you simply assumed the 7242 reference was a Sentinel function and fired back EAX=0.) Did you identify any of the RNBO functions? Let's face it, if it reads or queries the dongle's memory or does anything even remotely using the API, EAX=0 just isn't going to cut it ;p.
So your dongle ID is 0x7AD9. Sentinel Developer IDs are a max. of 0xFFFF, so the software reporting "full real id is '7AD9A5'" is getting the A5 from elsewhere. I don't understand why you are unsure of the 'dump'; if in doubt use good old spath's dumper from my page. Some cells may not read out properly if designated as 'algorithm descriptors'.
This is the format of how your registry entry for this emulator should look :
[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Emulator\Sentinel\7AD9]
"Memory"=hex: (memory goes here)
"MemoryAccess"=hex: (memory access flags go here)
"Status"=hex:
"Security"=hex: (the emulator isn't free you know!)
If you want to e-mail me and ask further questions, feel free. I dare say if the off-the-shelf emulator you're using doesn't come with something even closely resembling instructions, expect to have to do some work to get it to play how you like ;-).
Regards
CrackZ.
souz
January 15th, 2005, 07:34
Can you explain memory access flags for this driver?
damar2003
March 18th, 2005, 12:30
Hi all,
can anybody give any hints on trapping a "security" emulator if it was not free?