k66473
March 2nd, 2006, 06:06

I found the DLL that contains the Sentinel SuperPro API functions. The exported/identified functions are:
0001:000251E0 sproFormatPacket
0001:00025240 sproFindNextUnit
0001:00025370 sproGetVersion
0001:00025490 sprofindfirstunit
0001:000255A0 sproFindNextUnit_0
0001:000256B0 sproread
0001:00025780 sproExtendedRead
0001:00025860 sproActivate
0001:00025920 sproOverwrite
0001:000259F0 sproDecrement
0001:00025AA0 sproActivate_0
0001:00025B60 sproQuery
0001:00025C90 sproFullStatus
I assume we only need to deal with the sproFindFirstUnit and sproRead functions; I found no call to sproQuery anywhere in the program.
Following some tutorials on this site, I patched sproFindFirstUnit in place so that it always returns success, like this:
; sproFindFirstUnit, patched in place so the caller never sees a
; "no unit found" status.
; Stack after the two pushes: [esp] = esi, [esp+4] = ebx, [esp+8] = return
; address, [esp+0Ch] = arg_0 (first argument).  retn 8 pops two DWORD
; arguments, matching the call site (push 0ACA3h / push offset packet).
; The caller only inspects ax (test ax, ax) and continues when it is zero,
; so forcing ax = 0 is what makes the check pass.
; NOTE(review): this stub writes nothing into the API packet passed in
; arg_0.  Whatever the real routine would have stored there for later calls
; (the emulated sproread is handed the same packet) is left untouched —
; confirm the emulation does not depend on it.
sprofindfirstunit proc near ; CODE XREF: sub_60105C70+A9p
arg_0 = dword ptr 0Ch
push ebx
push esi
mov eax, [esp+arg_0]           ; eax = first argument (the API packet)
or eax, eax                    ; leftover from the original body; nothing consumes the flags
nop                            ; presumably the original conditional branch, patched out
nop
mov ax, 0                      ; forced status: caller treats ax == 0 as success
pop esi
pop ebx
retn 8                         ; stdcall, two DWORD arguments
sprofindfirstunit endp
For sproRead() I use the standard emulation code released by Crackz; the dumped cell data is placed right after the sproRead emulation code. Here is the dump:
API majVer=5, minVer=37, rev=6, osDrvrType=5
Dumping Key: id=0x5246, developerID=0xACA3
/* Cell dump of the key: 64 x 16-bit cells, index 0..63, four per row.
 * The trailing bracketed number on each entry is the access code the dump
 * tool reported for that cell (the same codes are repeated in abAc[] below);
 * _ALGO_ (code 4) and _N_AV_ (code 3) mark cells whose contents the tool did
 * not print.  Cells 0 and 1 (0x5246, 0xACA3) match the id/developerID line
 * printed above the table. */
WORD awMem[64] = {
0x5246/*1*/, 0xACA3/*1*/, _ALGO_/*4*/, _ALGO_/*4*/,   /* cells 0-3 */
_N_AV_/*3*/, _N_AV_/*3*/, _N_AV_/*3*/, _N_AV_/*3*/,   /* cells 4-7 */
0xD341/*1*/, 0x0001/*1*/, 0x0000/*1*/, 0x0000/*1*/,   /* cells 8-11; cell 8 is compared against 0xD341..0xD343 in sub_60105C70 below */
0x0000/*1*/, 0x0000/*1*/, 0x0000/*1*/, 0x0000/*1*/,   /* cells 12-15 */
0x0000/*1*/, 0x0000/*1*/, 0x0000/*1*/, 0x0000/*1*/,   /* cells 16-19 */
0x0000/*1*/, 0x0000/*1*/, 0x0000/*1*/, 0x0000/*1*/,   /* cells 20-23 */
0x0000/*1*/, 0x0000/*1*/, 0x0000/*1*/, 0x0000/*1*/,   /* cells 24-27 */
0x0000/*1*/, 0x0000/*1*/, 0x0000/*1*/, 0x0034/*0*/,   /* cells 28-31; cell 31 (0x1F) is read into word_60127AC0 and range-checked 0x33..0x63 */
0x0000/*1*/, 0x0000/*1*/, 0x0000/*1*/, 0x0000/*1*/,   /* cells 32-35 */
0x0000/*1*/, 0x0000/*1*/, 0x0000/*1*/, 0x0000/*1*/,   /* cells 36-39 */
0x0000/*1*/, 0x0000/*1*/, 0x0000/*1*/, 0x0000/*1*/,   /* cells 40-43 */
0x0000/*1*/, 0x0000/*1*/, 0x0000/*1*/, 0x0000/*1*/,   /* cells 44-47 */
0x0000/*1*/, 0x0000/*1*/, 0x0000/*1*/, 0x0000/*1*/,   /* cells 48-51 */
0x0000/*1*/, 0x0000/*1*/, 0x0000/*1*/, 0x0000/*1*/,   /* cells 52-55 */
0x0000/*1*/, 0x0000/*1*/, 0x0000/*1*/, 0x0000/*1*/,   /* cells 56-59 */
0x0000/*1*/, 0x0000/*1*/, 0x0000/*1*/, 0x0000/*0*/,   /* cells 60-63 */
};
/* Access code per cell (one byte per cell, 16 per row, index 0..63);
 * identical to the bracketed numbers attached to each awMem[] entry above. */
BYTE abAc[64] = {
1, 1, 4, 4, 3, 3, 3, 3, 1, 1, 1, 1, 1, 1, 1, 1,   /* cells 0-15 */
1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 0,   /* cells 16-31 */
1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1,   /* cells 32-47 */
1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 0,   /* cells 48-63 */
};
Key #0 write pw: 0CEE
Tracing the program in IDA 4.8, I found the subroutine that performs the dongle read. Here it is:
; dongleread(cell) — read one 16-bit cell from the key.
; In:  [esp+4] = cell address.  cdecl: the caller pops it (add esp, 4 at
;      the call sites, or one add esp for a whole run of pushes).
; Out: ax = cell contents.  The argument slot itself is passed to sproread
;      as the output buffer and read back afterwards (presumably sproread
;      stores the cell value there).
; Failure: a non-zero sproread status is traced via apiCTrace with the
;      "Error: Rainbow SuperPro error code '%d ..." format and then
;      simpleNotFoundException is thrown; the routine does not return.
; sproread is called with (packet = unk_601276B0, address, &value) and
; cleans its own arguments (no add esp after the call).
dongleread proc near ; CODE XREF: sub_60105C70+BFp
; sub_60105C70+D9p ...
arg_0 = dword ptr 4
mov ecx, [esp+arg_0]           ; ecx = cell address
lea eax, [esp+arg_0]           ; eax = &arg_0, reused as the 16-bit output buffer
push eax                       ; out: value
push ecx                       ; cell address
push offset unk_601276B0       ; API packet, the same one sprofindfirstunit received
; sproread is replaced by the emulation; its status comes back in ax
call sproread // has been emulated
test ax, ax                    ; ax == 0 -> read succeeded
jz short loc_60106195
movsx eax, ax                  ; non-zero status, sign-extended for the %d in the trace
push eax
push eax ; arglist
push offset aErrorRainbowSu ; "Error: Rainbow SuperPro error code '%d "...
; apiCTrace appears to be a trace/log helper (not shown here)
call apiCTrace // ???
add esp, 0Ch
push offset simpleNotFoundException
call Exception__Throw // dongle error...
loc_60106195: ; CODE XREF: dongleread+17j
; success: return the value sproread wrote into the argument slot
mov ax, word ptr [esp+arg_0] // store read dongle data.
retn
dongleread endp
Continuing to trace: after sproFindFirstUnit succeeds, the program reads the dongle and validates the values it gets back. Here is that code (the listing starts partway into sub_60105C70, just before the exception-frame setup; the function prologue is not shown):
; ---------------------------------------------------------------------------
; sub_60105C70 (partial listing: the prologue and the code before the
; exception-frame setup are not shown, so the initial value of var_4 — the
; value the normal path returns — is not visible here).
; Visible structure:
;   1. exception frame: ExceptionLink_Construct + _setjmp3; a non-zero
;      _setjmp3 return means a throw unwound to this frame -> catch block at
;      loc_601060E9.
;   2. sprofindfirstunit(packet, 0ACA3h): ax != 0 -> throw.
;   3. cell 1 must equal 0ACA3h.  cell 8: when resource string 63Eh is the
;      untranslated "<DO NOT TRANSLATE> - OEM Product ID" placeholder it must
;      be 0D341h..0D343h, otherwise it must equal atoi(resource string).
;   4. cell 0 equal to the cached word_60127F98 -> nothing to do, return.
;   5. copy 138h dwords of defaults (unk_60123918) over the config block at
;      word_60127AB8, then overwrite individual fields from cells:
;        34h -> one flag bit in dword_60127AD8      1Fh -> word_60127AC0
;        09h -> word_60127AC6                       0Bh:0Ah -> dword_60127DFC
;        17h -> word_60127ACA   16h -> word_60127ACC   1Eh -> word_60127ACE
;        1Dh -> word_60127AD0   20h -> word_60127AEC   21h -> word_60127DFA
;        0Ch -> word_60127F04 and word_60127ABA
;        0Dh..15h -> word_60127F06..word_60127F16 (in order)
;        18h -> word_60127AD2 (a count; the later checks expect 1..3)
;   6. for word_60127AD2 >= 1 / >= 2 / == 3, decode cells at 19h / 24h / 28h
;      via `what` into an 8-byte buffer and build a comma-separated string
;      in byte_60127E00.
;   7. range-check the fields; a value outside its range is replaced by the
;      default from unk_60123918 at the same offset.  Most checks are
;      "1 <= v < 0FFh" (di = 0FFh), i.e. a cell that reads 0 (or 0FFh and
;      above) is treated as not programmed and falls back to the default.
;   8. exit: copy 118h dwords of the config block into the caller's buffer
;      at [ebp+arg_4] and return var_4.  The catch path and loc_60106124
;      reset the config block to defaults and return 1.
; NOTE(review): every check in this listing compares plainly readable cells
; against constants or ranges; no algorithm/query cell is used, consistent
; with the "no sproQuery called" observation above.
; ---------------------------------------------------------------------------
call ExceptionLink_Construct
lea ecx, [ebp+var_58]              ; jmp_buf for the try frame
push ebx
push ecx
call _setjmp3
add esp, 8
test eax, eax
jnz loc_601060E9                   ; non-zero: arrived via longjmp -> catch block
push 63Eh ; uID
call strRscLoad                    ; resource string 63Eh -> esi (also kept in var_8)
mov esi, eax
push 0ACA3h                        ; developer ID
push offset unk_601276B0           ; API packet (the same one dongleread hands to sproread)
mov [ebp+var_8], esi
call sprofindfirstunit// find dongle
test ax, ax
jz short loc_60105D2D              ; ax == 0 -> unit found
push offset simpleNotFoundException
call Exception__Throw
loc_60105D2D: ; CODE XREF: sub_60105C70+B1j
push 1 //location to read
call dongleread
add esp, 4
cmp ax, 0ACA3h                     ; cell 1 must hold the developer ID
jz short loc_60105D47
push offset simpleNotFoundException
call Exception__Throw
loc_60105D47: ; CODE XREF: sub_60105C70+CBj
push 8
call dongleread                    ; ax = cell 8
add esp, 4
mov edi, offset aDoNotTransla_0 ; "<DO NOT TRANSLATE> - OEM Product ID"
mov ecx, 24h                       ; compare 24h bytes of the resource string (esi, assumed
xor edx, edx                       ; untouched by the calls above) with the placeholder
repe cmpsb
mov ebx, eax                       ; bx = cell 8 (cmpsb does not modify eax)
jnz short loc_60105D7A             ; strings differ -> expected id comes from the resource
cmp bx, 0D341h                     ; placeholder case: cell 8 must be 0D341h..0D343h
jz short loc_60105D96
cmp bx, 0D342h
jz short loc_60105D96
cmp bx, 0D343h
jz short loc_60105D96
jmp short loc_60105D8C
; ---------------------------------------------------------------------------
loc_60105D7A: ; CODE XREF: sub_60105C70+F1j
mov eax, [ebp+var_8]
push eax ; char *
call ds:atoi                       ; ax = atoi(resource string)
add esp, 4
cmp bx, ax                         ; cell 8 must equal the numeric resource value
jz short loc_60105D96
loc_60105D8C: ; CODE XREF: sub_60105C70+108j
push offset simpleNotFoundException
call Exception__Throw
loc_60105D96: ; CODE XREF: sub_60105C70+F8j
; sub_60105C70+FFj ...
push 0
call dongleread                    ; ax = cell 0
add esp, 4
cmp word_60127F98, ax              ; equal to the cached value -> already loaded, exit
jz nghingo
mov ecx, 138h
mov esi, offset unk_60123918       ; defaults template
mov edi, offset word_60127AB8      ; live config block (138h dwords, ends just before word_60127F98)
push 34h                           ; argument for the next dongleread; from here on the
rep movsd                          ; pushed cell arguments stay on the stack until add esp, 40h
call dongleread                    ; ax = cell 34h
not al
mov edi, 0FFh                      ; di = 0FFh: upper bound for the range checks further down
push 1Fh
and eax, edi                       ; eax = (~cell 34h) & 0FFh
mov word_60127AC4, 1
shl eax, 1Ch                       ; only the low nibble survives, in bits 28..31
or eax, 0EFFFFFFFh                 ; dword_60127AD8 = -1 with bit 28 = inverted bit 0 of cell 34h
mov dword_60127AD8, eax
or eax, 0FFFFFFFFh                 ; the next four dwords are simply -1
mov dword_60127ADC, eax
mov dword_60127AE0, eax
mov dword_60127AE4, eax
mov dword_60127AE8, eax
call dongleread                    ; cell 1Fh
push 9
mov word_60127AC0, ax
call dongleread                    ; cell 9
push 0Bh
mov word_60127AC6, ax
call dongleread                    ; cell 0Bh -> high word of dword_60127DFC
mov si, ax
push 0Ah
and esi, 0FFFFh
shl esi, 10h
call dongleread                    ; cell 0Ah -> low word of dword_60127DFC
and eax, 0FFFFh
push 17h
or esi, eax
mov dword_60127DFC, esi
call dongleread                    ; cell 17h
push 16h
mov word_60127ACA, ax
call dongleread                    ; cell 16h
push 1Eh
mov word_60127ACC, ax
call dongleread                    ; cell 1Eh
push 1Dh
mov word_60127ACE, ax
call dongleread                    ; cell 1Dh
push 20h
mov word_60127AD0, ax
call dongleread                    ; cell 20h
push 21h
mov word_60127AEC, ax
call dongleread                    ; cell 21h
push 0Ch
mov word_60127DFA, ax
call dongleread                    ; cell 0Ch (stored in two fields)
push 0Dh
mov word_60127F04, ax
mov word_60127ABA, ax
call dongleread                    ; cell 0Dh
push 0Eh
mov word_60127F06, ax
call dongleread                    ; cell 0Eh
push 0Fh
mov word_60127F08, ax
call dongleread                    ; cell 0Fh
push 10h
mov word_60127F0A, ax
call dongleread                    ; cell 10h
add esp, 40h                       ; pop the 16 cell arguments pushed since 34h
mov word_60127F0C, ax
push 11h
call dongleread                    ; cell 11h
push 12h
mov word_60127F0E, ax
call dongleread                    ; cell 12h
push 13h
mov word_60127F10, ax
call dongleread                    ; cell 13h
push 14h
mov word_60127F12, ax
call dongleread                    ; cell 14h
mov word_60127F14, ax
push 15h
call dongleread                    ; cell 15h
push 18h
mov word_60127F16, ax
call dongleread                    ; cell 18h
add esp, 18h                       ; pop the 6 cell arguments pushed since 11h
cmp ax, 1
mov word_60127AD2, ax              ; word_60127AD2 = cell 18h (count of string parts)
jb short loc_60105F56              ; 0 -> no string part built at all
lea ecx, [ebp+var_14]
push 8                             ; what(19h, 4, &var_14, 8) — presumably decodes 4 cells
push ecx                           ; starting at 19h into the 8-byte buffer var_14; verify
push 4
push 19h
call what
add esp, 10h
lea edx, [ebp+var_14]
push 103h ; __int16
push edx ; void *
push offset byte_60127E00 ; void *
call strLengthCopy                 ; byte_60127E00 = first part
mov ax, word_60127AD2
loc_60105F56: ; CODE XREF: sub_60105C70+2B9j
mov esi, ds:strncat
cmp ax, 2
jb short loc_60105F95
lea eax, [ebp+var_14]
push 8
push eax
push 4
push 24h                           ; second part: 4 cells from 24h
call what
push 1 ; size_t
push offset asc_60123E38 ; ","
push offset byte_60127E00 ; char *
call esi ; strncat                 ; append ","
lea ecx, [ebp+var_14]
push 9 ; size_t
push ecx ; char *
push offset byte_60127E00 ; char *
call esi ; strncat                 ; append the decoded part (at most 9 bytes)
mov ax, word_60127AD2
add esp, 28h
loc_60105F95: ; CODE XREF: sub_60105C70+2F0j
cmp ax, 3                          ; exactly 3 -> third part; anything above 3 skips it
jnz short loc_60105FC8
lea edx, [ebp+var_14]
push 8
push edx
push 4
push 28h                           ; third part: 4 cells from 28h
call what
push 1 ; size_t
push offset asc_60123E3C ; ","
push offset byte_60127E00 ; char *
call esi ; strncat
lea eax, [ebp+var_14]
push 9 ; size_t
push eax ; char *
push offset byte_60127E00 ; char *
call esi ; strncat
add esp, 28h
loc_60105FC8: ; CODE XREF: sub_60105C70+329j
push 0
call dongleread
mov word_60127F98, ax              ; cache cell 0 (used by the early-exit test above)
mov ax, word_60127AC0
add esp, 4
cmp ax, 33h                        ; word_60127AC0 (cell 1Fh) kept only if 33h <= v < 64h
jb short loc_60105FEA
cmp ax, 64h
jb short loc_60105FF8
loc_60105FEA: ; CODE XREF: sub_60105C70+372j
mov cx, word_60123920              ; otherwise the default (template entry at the same offset)
mov word_60127AC0, cx
loc_60105FF8: ; CODE XREF: sub_60105C70+378j
; The next four checks share one shape: keep the field only if
; 1 <= value < di (0FFh, assuming the callees preserved edi); otherwise
; restore the default from unk_60123918 at the same offset.  This is why a
; cell that reads 0 ends up replaced by the built-in default.
mov ax, word_60127ACA              ; from cell 17h
cmp ax, 1
jb short loc_60106009
cmp ax, di
jb short loc_60106017
loc_60106009: ; CODE XREF: sub_60105C70+392j
mov dx, word_6012392A
mov word_60127ACA, dx
loc_60106017: ; CODE XREF: sub_60105C70+397j
mov ax, word_60127ACC              ; from cell 16h
cmp ax, 1
jb short loc_60106028
cmp ax, di
jb short loc_60106034
loc_60106028: ; CODE XREF: sub_60105C70+3B1j
mov ax, word_6012392C
mov word_60127ACC, ax
loc_60106034: ; CODE XREF: sub_60105C70+3B6j
mov ax, word_60127ACE              ; from cell 1Eh
cmp ax, 1
jb short loc_60106045
cmp ax, di
jb short loc_60106053
loc_60106045: ; CODE XREF: sub_60105C70+3CEj
mov cx, word_6012392E
mov word_60127ACE, cx
loc_60106053: ; CODE XREF: sub_60105C70+3D3j
mov ax, word_60127AD0              ; from cell 1Dh
cmp ax, 1
jb short loc_60106064
cmp ax, di
jb short loc_60106072
loc_60106064: ; CODE XREF: sub_60105C70+3EDj
mov dx, word_60123930
mov word_60127AD0, dx
loc_60106072: ; CODE XREF: sub_60105C70+3F2j
cmp word_60127AEC, di              ; from cell 20h: upper bound only (< 0FFh)
jb short loc_60106087
mov ax, word_6012394C
mov word_60127AEC, ax
loc_60106087: ; CODE XREF: sub_60105C70+409j
cmp word_60127DFA, di              ; from cell 21h: upper bound only (< 0FFh)
jb short loc_6010609E
mov cx, word_60123C5A
mov word_60127DFA, cx
loc_6010609E: ; CODE XREF: sub_60105C70+41Ej
mov al, byte_60127E00              ; final check: the built string is non-empty ...
test al, al
jz short loc_601060B9
mov ax, word_60127AD2              ; ... and the count from cell 18h is 1..3
cmp ax, 1
jb short loc_601060B9
cmp ax, 3
jbe short nghingo                  ; ok -> normal exit (returns var_4)
loc_601060B9: ; CODE XREF: sub_60105C70+435j
; sub_60105C70+441j
; Fallback: reset the count and the string to their defaults, then leave
; through the same exit (also returns var_4).
mov dx, word_60123932
push 103h ; __int16
push offset unk_60123C60 ; lpString
push offset byte_60127E00 ; void *
mov word_60127AD2, dx
call _strBufferCopy
lea eax, [ebp+var_5C]
push eax
call ExceptionLink_Destruct
mov eax, [ebp+var_4]
jmp short loc_60106141
; ---------------------------------------------------------------------------
loc_601060E9: ; CODE XREF: sub_60105C70+8Aj
; Catch block (reached when _setjmp3 returns non-zero).
push offset NotFoundException__RuntimeClass
call Exception__CatchProc
test eax, eax
jz short nghingo                   ; not a NotFoundException -> plain exit with var_4
mov ecx, 138h
mov esi, offset unk_60123918
mov edi, offset word_60127AB8
mov word_60127F98, bx
rep movsd                          ; config block <- defaults
mov [ebp+var_4], 1                 ; return value 1
nghingo: ; CODE XREF: sub_60105C70+137j
; sub_60105C70+447j ...
lea eax, [ebp+var_5C]
push eax
call ExceptionLink_Destruct
mov eax, [ebp+var_4]
jmp short loc_60106141
; ---------------------------------------------------------------------------
loc_60106124: ; CODE XREF: sub_60105C70+62j
; sub_60105C70+6Cj
; Reached only from code before this listing (+62 / +6C): defaults, return 1.
mov ecx, 138h
mov esi, offset unk_60123918
mov edi, offset word_60127AB8
mov word_60127F98, bx
rep movsd
mov eax, 1
loc_60106141: ; CODE XREF: sub_60105C70+477j
; sub_60105C70+4B2j
mov edi, [ebp+arg_4]               ; copy 118h dwords of the config block to the caller's buffer
mov ecx, 118h
mov esi, offset word_60127AB8
rep movsd
pop edi
pop esi
pop ebx
mov esp, ebp
pop ebp
retn
sub_60105C70 endp
With that dump, the program says the dongle needs an upgrade, so I'd appreciate some hints from someone more experienced:
- Which values in the dump need to change, and to what?
- I see many `cmp ax, 1` checks on the dongle data — what do they mean?
... and probably more questions.
Can someone help me?