The Impossible Mission: Reversing Sentinel Pro Protected Code?!

Mans
August 16th, 2001, 21:30
I really tried my best to reverse the attached program, which is protected with a Sentinel Pro dongle, but couldn't succeed! The program is 16-bit code, so I searched for 16-bit Sentinel API function calls, but none of them exist inside the program!

I tried to trace the program's execution in a debugger (TRW2000 1.23 and SoftIce 4.05 used), BUT it crashes after trying to execute some code in an unknown module! The program lands at that unknown module after a RETF instruction; before that, the program calls some Win API functions including AllocDStoCSAlias (Allocate Data segment to Code segment) and AllocCStoDSAlias.

Also, I tried to break at BPIO -h 378, but the program does not break there at all!

I read all papers on CrackZ and downloaded all Sentinel related files. I'm stuck, PLEASE HELP.

NOTE: The program contains two versions: Complete and Demo. The Complete one requires the dongle. The Demo one does not require the dongle but doesn't work after 12/30/2000! I already patched this.

http://us.f1.yahoofs.com/users/683af739/bc/Work/amnsetup.exe?bcaLIf7A3Kj2yMpn

Squidge
August 18th, 2001, 07:27
Hi,

Do you know what the program is written in? (Which Compiler?)

gaffa
August 18th, 2001, 12:46
hi will try to help you but can d/l file


gaffa

gaffa
August 18th, 2001, 13:38
hi again

meant to type can't d/l, not can


gaffa

Mans
August 18th, 2001, 17:35
Thank you for replies.

The program was written in Borland C++, 1991 version.

Sorry for the incorrect download link. To download the program, go to http://briefcase.yahoo.com/nss6 and choose Work folder then click on amnsetup.exe. When you install the program, choose the English interface and Complete version!

BTW, I think the program is protected using the Automatic Sentinel protection mode, i.e. SPro Shell. That is because the Sentinel Shell text is found in the file when viewed in a HEX viewer and there are no SPro API calls in the code (refer to the Sentinel manual for more information).

Thanks again,
Mans.

gaffa
August 19th, 2001, 04:30
hi
I d/l the files ok.
The bad news: you are right about Sentinel Shell. All the progs that unpack this need the dongle, which makes it too hard for me, as I think that the unpacking code is in the dongle.
If you have the dongle then we can unpack the exe and then try to crack it, but if not then you will have to find someone better than me.
Sorry I could not be of more help.
gaffa

Squidge
August 19th, 2001, 18:43
Ah! 16-bit programs protected with the shell are a complete bitch to hack/patch without the original dongle. (The original code is encrypted using the dongle)

Mans
August 20th, 2001, 04:39
Gaffa and Squidge, thank you very much for your contribution in this! I know it is hard. Unfortunately, I don't have the original dongle. But wait!! When I disassemble the program using WDasm or WCB, the disassembling program recognizes the original program and shows the API calls it makes to DLLs. To better understand what I mean, try to disassemble WSTOCK.EXE using WDasm and have a look at the import calls. You'll see lots of them that deal with accounting and the like (I know this from their names). Now, if the original code is encrypted, then how would the disassembler recognize these calls?!

Thanks again,
Mans

Morlac.
August 20th, 2001, 04:46
Hi all,

I think I've seen an automatic Sentinel Unsheller at zencrack2.cjb.net.
I don't know if it works with 16-bit code, but no harm would come from trying.

Morlac

gaffa
August 20th, 2001, 14:46
Not all of the exe has to be packed, just enough of it to stop it from working.

Also, in WDasm try Load Process under the Debug menu.


gaffa

Mans
August 21st, 2001, 06:33
Morlac., I think that Unsheller works with 32-bit code only.

Gaffa, so part of the code can be packed! This is the first time I've heard of this. Thanks.
About WDasm, the debugger works only with 32-bit code.

BTW, can SoftIce automatically trace the code's execution and then dump that into a file?! Another question: how can the program know that the dongle isn't present while not stopping at the BPIO 328 breakpoint?! Using SoftIce, I can make the program break before displaying the MessageBox that tells the dongle is not present. Can this be of any use?!

Thanks,
Mans

qferret
August 21st, 2001, 22:22
For your SoftIce q....

Set up a backtrace buffer and check earlier posts in this forum for Kayaker's new tool to dump it to a file ;-)

goatass
August 22nd, 2001, 08:38
Did you guys read the Sentinel shell breaking courtesy of CyberHeg from CrackZ's site? It's a 32-bit shell, but it's not all that different from the 16-bit one. They both use sproQuery for most of the important decryptions. I think this project is a bit over your head, Mans. But give it a shot. The other pain is that it's written in Borland, which makes the code much more bloated and harder to trace through. Lastly, get the sspro signatures for IDA and use them; it will find all the API calls to the dongle, which will help a little when trying to figure out the sproQuery calculations.

good luck
goatass

Mans
August 23rd, 2001, 03:35
Thanks, Goatass, for the help. Actually, I've already read CyberHeg's tut. It is based on the sproQuery function, which I cannot find in my program! I've used IDA and WDasm to disassemble the program, but there are no traces of such a function (nor of any other 16-bit function mentioned in the Sentinel manual; strange!)

I have to agree with you that Borland makes the code harder to trace and even crash!

As for the Sentinel IDA signatures, they are for 32-bit programs (16-bit and 32-bit Sentinel functions are different). Anyhow, I downloaded them and applied them, but they could not identify any function.

goatass
August 23rd, 2001, 07:55
Another technique I use a lot is BPX CreateFile to see when the program loads the sspro driver for communication with the dongle. This will usually land you near the main protection, and you can see from the calls that you trace over: if they return 3 in AX, check the variables pushed onto the stack before these calls and you can figure out what function is what.

goatass