
View Full Version : The Infamous "VB4 PCODE & sx32w.dll"


DrQ
January 14th, 2005, 12:42
Hi,

I have a target written in VB4 (pcode) and the sx32w.dll (Sentinel SuperPro v 5.x). Debugging the VB4 program is a pain, tons and tons of instructions (ExDec (crash), dodi (stops with “unsupported custom control”), vbreformer (?!)), Wdasm goes in error. I use OllyDbg (it works great).

The target calls in sequence:

1. RNBOsproFormatPacket
2. RNBOsproInitialize
3. RNBOsproFindFirstUnit
4. six calls to VB400032.rtcMidCharVar ('BFC060CE')
5. RNBOsproQuery (with cell 0x08)
6. many calls to VB400032.rctHexVarFromVar
7. RNBOsproFindNextUnit
8. rctMessageBox (error key not found)
9. PROGRAM EXIT

I have patched the following routines:

RNBOsproFormatPacket
xor eax,eax
retn 08h

RNBOsproInitialize
xor eax,eax
retn 04h

RNBOsproFindFirstUnit
push ebx esi
xor eax,eax
pop esi ebx
retn 08h

RNBOsproFindNextUnit
mov eax,0Ah
retn 04h

I also have the dump of the original dongle:

Cell 0x00: YYYY (1/0) (Dongle Serial Number)
Cell 0x01: XXXX (1/0) (Developer ID)
Cell 0x02: ???? (1/4) (OverWrite Password 1)
Cell 0x03: ???? (1/4) (OverWrite Password 2)
Cell 0x04: ???? (1/4) (Write Password)
Cell 0x05: ???? (1/4) (Reserved Cell)
Cell 0x06: ???? (1/4) (Reserved Cell)
Cell 0x07: ???? (1/4) (Reserved Cell)
Cell 0x08: ???? (1/4) (Active Algorithm) (Read Only Data)
Cell 0x09: ???? (1/4) (Read Only Data)
Cell 0x0A: ???? (1/4) (Inactive Algorithm) (Read Only Data)
Cell 0x0B: ???? (1/4) (Read Only Data)
Cell 0x0C: ???? (1/4) (Active Algorithm) (Read Only Data)
Cell 0x0D: ???? (1/4) (Read Only Data)
Cell 0x0E: ???? (1/4) (Active Algorithm) (Read Only Data)
Cell 0x0F: ???? (1/4) (Read Only Data)
Cell 0x10: ???? (1/4) (Active Algorithm) (Read Only Data)
Cell 0x11: ???? (1/4) (Read Only Data)
Cell 0x12: ???? (1/4) (Inactive Algorithm) (Read Only Data)
Cell 0x13: ???? (1/4) (Read Only Data)
Cell 0x14: ???? (1/4) (Active Algorithm) (Read Only Data)
Cell 0x15: ???? (1/4) (Read Only Data)
Cell 0x16: ???? (1/4) (Inactive Algorithm) (Read Only Data)
Cell 0x17: ???? (1/4) (Read Only Data)
Cell 0x18: 0000 (0/0)
Cell 0x19: 0000 (0/0)
Cell 0x1A: 0000 (0/0)
Cell 0x1B: 0000 (0/0)
....
Cell 0x3E: 0000 (0/0)
Cell 0x3F: 0000 (0/0)


The problem is here:

4. six calls to VB400032.rtcMidCharVar ('BFC060CE')
5. RNBOsproQuery (with cell 0x08)
6. many calls to VB400032.rctHexVarFromVar

but the target is very hard to debug (for me).

Any tips?

Thanx.
DrQ

KSA
January 14th, 2005, 15:44
Hi,

You also have to emulate the query with its corresponding response.

To do this, set a breakpoint in the sx32w.dll at the query function and see its response value. So, you can emulate it.

KSA

nikan
January 15th, 2005, 03:08
hi

You must use wktdbg for VB p-code debugging.
Also, you can get my sentinel monitor from the exetools forum. It can monitor and collect all of the data and query pairs for you.

DrQ
January 15th, 2005, 05:03
Quote:
[Originally Posted by nikan]
You must use wktdbg for VB p-code debugging.


wktdbg works only for vb >= 5

Quote:
[Originally Posted by nikan]
Also, you can get my sentinel monitor from the exetools forum. It can monitor and collect all of the data and query pairs for you.


I have forgotten to say that I don't have the dongle (but only the dump).


Thanx
DrQ

Phase5
January 15th, 2005, 14:48
Hi

Maybe it would be good to read this article
hxxp://www.programmersheaven.com/articles/userarticles/john/vbvm.htm
It's about VB6 pcode, but the overall layout of the virtual machine in VB 4 is similar to that of VB6 (the usage of the jump table, for example).
It can be helpful when stepping through the VM.