
View Full Version : sentinel superpro dongle confused


k66473
March 2nd, 2006, 06:06

I found the DLL file which contains the Sentinel API functions. The functions are:
0001:000251E0 sproFormatPacket
0001:00025240 sproFindNextUnit
0001:00025370 sproGetVersion
0001:00025490 sprofindfirstunit
0001:000255A0 sproFindNextUnit_0
0001:000256B0 sproread
0001:00025780 sproExtendedRead
0001:00025860 sproActivate
0001:00025920 sproOverwrite
0001:000259F0 sproDecrement
0001:00025AA0 sproActivate_0
0001:00025B60 sproQuery
0001:00025C90 sproFullStatus
I guess that we only need to deal with the sprofindfirstunit and sproread functions. I found that sproquery is never called.

Following some tutorials on this site, I bypassed sprofindfirstunit like this:
sprofindfirstunit proc near ; CODE XREF: sub_60105C70+A9p

arg_0 = dword ptr 0Ch

push ebx
push esi
mov eax, [esp+arg_0]
or eax, eax
nop
nop
mov ax, 0
pop esi
pop ebx
retn 8
sprofindfirstunit endp
With sproread(), I use the standard code released by CrackZ. The dump data is pushed next to the sproread emulation code. Here is the dump:
API majVer=5, minVer=37, rev=6, osDrvrType=5
Dumping Key: id=0x5246, developerID=0xACA3
WORD awMem[64] = {
0x5246/*1*/, 0xACA3/*1*/, _ALGO_/*4*/, _ALGO_/*4*/,
_N_AV_/*3*/, _N_AV_/*3*/, _N_AV_/*3*/, _N_AV_/*3*/,
0xD341/*1*/, 0x0001/*1*/, 0x0000/*1*/, 0x0000/*1*/,
0x0000/*1*/, 0x0000/*1*/, 0x0000/*1*/, 0x0000/*1*/,
0x0000/*1*/, 0x0000/*1*/, 0x0000/*1*/, 0x0000/*1*/,
0x0000/*1*/, 0x0000/*1*/, 0x0000/*1*/, 0x0000/*1*/,
0x0000/*1*/, 0x0000/*1*/, 0x0000/*1*/, 0x0000/*1*/,
0x0000/*1*/, 0x0000/*1*/, 0x0000/*1*/, 0x0034/*0*/,
0x0000/*1*/, 0x0000/*1*/, 0x0000/*1*/, 0x0000/*1*/,
0x0000/*1*/, 0x0000/*1*/, 0x0000/*1*/, 0x0000/*1*/,
0x0000/*1*/, 0x0000/*1*/, 0x0000/*1*/, 0x0000/*1*/,
0x0000/*1*/, 0x0000/*1*/, 0x0000/*1*/, 0x0000/*1*/,
0x0000/*1*/, 0x0000/*1*/, 0x0000/*1*/, 0x0000/*1*/,
0x0000/*1*/, 0x0000/*1*/, 0x0000/*1*/, 0x0000/*1*/,
0x0000/*1*/, 0x0000/*1*/, 0x0000/*1*/, 0x0000/*1*/,
0x0000/*1*/, 0x0000/*1*/, 0x0000/*1*/, 0x0000/*0*/,
};

BYTE abAc[64] = {
1, 1, 4, 4, 3, 3, 3, 3, 1, 1, 1, 1, 1, 1, 1, 1,
1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 0,
1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1,
1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 0,
};

Key #0 write pw: 0CEE

Tracing the program with IDA48, I found the subroutine that performs the dongle read. Here is that subroutine:
dongleread proc near ; CODE XREF: sub_60105C70+BFp
; sub_60105C70+D9p ...

arg_0 = dword ptr 4

mov ecx, [esp+arg_0]
lea eax, [esp+arg_0]
push eax
push ecx
push offset unk_601276B0
call sproread // has been emulated
test ax, ax
jz short loc_60106195
movsx eax, ax
push eax
push eax ; arglist
push offset aErrorRainbowSu ; "Error: Rainbow SuperPro error code '%d "...
call apiCTrace // ???
add esp, 0Ch
push offset simpleNotFoundException
call Exception__Throw // dongle error...

loc_60106195: ; CODE XREF: dongleread+17j
mov ax, word ptr [esp+arg_0] // store read dongle data.
retn
dongleread endp

Continuing to trace the program: after sprofindfirstunit succeeds, the program makes the dongle read, and here is the code which calculates the read value
(after the push and the call to dongleread()):
call ExceptionLink_Construct
lea ecx, [ebp+var_58]
push ebx
push ecx
call _setjmp3
add esp, 8
test eax, eax
jnz loc_601060E9
push 63Eh ; uID
call strRscLoad
mov esi, eax
push 0ACA3h
push offset unk_601276B0
mov [ebp+var_8], esi
call sprofindfirstunit// find dongle
test ax, ax
jz short loc_60105D2D
push offset simpleNotFoundException
call Exception__Throw

loc_60105D2D: ; CODE XREF: sub_60105C70+B1j
push 1 //location to read
call dongleread
add esp, 4
cmp ax, 0ACA3h
jz short loc_60105D47
push offset simpleNotFoundException
call Exception__Throw

loc_60105D47: ; CODE XREF: sub_60105C70+CBj
push 8
call dongleread
add esp, 4
mov edi, offset aDoNotTransla_0 ; "<DO NOT TRANSLATE> - OEM Product ID"
mov ecx, 24h
xor edx, edx
repe cmpsb
mov ebx, eax
jnz short loc_60105D7A
cmp bx, 0D341h
jz short loc_60105D96
cmp bx, 0D342h
jz short loc_60105D96
cmp bx, 0D343h
jz short loc_60105D96
jmp short loc_60105D8C
; ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ

loc_60105D7A: ; CODE XREF: sub_60105C70+F1j
mov eax, [ebp+var_8]
push eax ; char *
call ds:atoi
add esp, 4
cmp bx, ax
jz short loc_60105D96

loc_60105D8C: ; CODE XREF: sub_60105C70+108j
push offset simpleNotFoundException
call Exception__Throw

loc_60105D96: ; CODE XREF: sub_60105C70+F8j
; sub_60105C70+FFj ...
push 0
call dongleread
add esp, 4
cmp word_60127F98, ax
jz nghingo
mov ecx, 138h
mov esi, offset unk_60123918
mov edi, offset word_60127AB8
push 34h
rep movsd
call dongleread
not al
mov edi, 0FFh
push 1Fh
and eax, edi
mov word_60127AC4, 1
shl eax, 1Ch
or eax, 0EFFFFFFFh
mov dword_60127AD8, eax
or eax, 0FFFFFFFFh
mov dword_60127ADC, eax
mov dword_60127AE0, eax
mov dword_60127AE4, eax
mov dword_60127AE8, eax
call dongleread
push 9
mov word_60127AC0, ax
call dongleread
push 0Bh
mov word_60127AC6, ax
call dongleread
mov si, ax
push 0Ah
and esi, 0FFFFh
shl esi, 10h
call dongleread
and eax, 0FFFFh
push 17h
or esi, eax
mov dword_60127DFC, esi
call dongleread
push 16h
mov word_60127ACA, ax
call dongleread
push 1Eh
mov word_60127ACC, ax
call dongleread
push 1Dh
mov word_60127ACE, ax
call dongleread
push 20h
mov word_60127AD0, ax
call dongleread
push 21h
mov word_60127AEC, ax
call dongleread
push 0Ch
mov word_60127DFA, ax
call dongleread
push 0Dh
mov word_60127F04, ax
mov word_60127ABA, ax
call dongleread
push 0Eh
mov word_60127F06, ax
call dongleread
push 0Fh
mov word_60127F08, ax
call dongleread
push 10h
mov word_60127F0A, ax
call dongleread
add esp, 40h
mov word_60127F0C, ax
push 11h
call dongleread
push 12h
mov word_60127F0E, ax
call dongleread
push 13h
mov word_60127F10, ax
call dongleread
push 14h
mov word_60127F12, ax
call dongleread
mov word_60127F14, ax
push 15h
call dongleread
push 18h
mov word_60127F16, ax
call dongleread
add esp, 18h
cmp ax, 1
mov word_60127AD2, ax
jb short loc_60105F56
lea ecx, [ebp+var_14]
push 8
push ecx
push 4
push 19h
call what
add esp, 10h
lea edx, [ebp+var_14]
push 103h ; __int16
push edx ; void *
push offset byte_60127E00 ; void *
call strLengthCopy
mov ax, word_60127AD2

loc_60105F56: ; CODE XREF: sub_60105C70+2B9j
mov esi, ds:strncat
cmp ax, 2
jb short loc_60105F95
lea eax, [ebp+var_14]
push 8
push eax
push 4
push 24h
call what
push 1 ; size_t
push offset asc_60123E38 ; ","
push offset byte_60127E00 ; char *
call esi ; strncat
lea ecx, [ebp+var_14]
push 9 ; size_t
push ecx ; char *
push offset byte_60127E00 ; char *
call esi ; strncat
mov ax, word_60127AD2
add esp, 28h

loc_60105F95: ; CODE XREF: sub_60105C70+2F0j
cmp ax, 3
jnz short loc_60105FC8
lea edx, [ebp+var_14]
push 8
push edx
push 4
push 28h
call what
push 1 ; size_t
push offset asc_60123E3C ; ","
push offset byte_60127E00 ; char *
call esi ; strncat
lea eax, [ebp+var_14]
push 9 ; size_t
push eax ; char *
push offset byte_60127E00 ; char *
call esi ; strncat
add esp, 28h

loc_60105FC8: ; CODE XREF: sub_60105C70+329j
push 0
call dongleread
mov word_60127F98, ax
mov ax, word_60127AC0
add esp, 4
cmp ax, 33h
jb short loc_60105FEA
cmp ax, 64h
jb short loc_60105FF8

loc_60105FEA: ; CODE XREF: sub_60105C70+372j
mov cx, word_60123920
mov word_60127AC0, cx

loc_60105FF8: ; CODE XREF: sub_60105C70+378j
mov ax, word_60127ACA
cmp ax, 1
jb short loc_60106009
cmp ax, di
jb short loc_60106017

loc_60106009: ; CODE XREF: sub_60105C70+392j
mov dx, word_6012392A
mov word_60127ACA, dx

loc_60106017: ; CODE XREF: sub_60105C70+397j
mov ax, word_60127ACC
cmp ax, 1
jb short loc_60106028
cmp ax, di
jb short loc_60106034

loc_60106028: ; CODE XREF: sub_60105C70+3B1j
mov ax, word_6012392C
mov word_60127ACC, ax

loc_60106034: ; CODE XREF: sub_60105C70+3B6j
mov ax, word_60127ACE
cmp ax, 1
jb short loc_60106045
cmp ax, di
jb short loc_60106053

loc_60106045: ; CODE XREF: sub_60105C70+3CEj
mov cx, word_6012392E
mov word_60127ACE, cx

loc_60106053: ; CODE XREF: sub_60105C70+3D3j
mov ax, word_60127AD0
cmp ax, 1
jb short loc_60106064
cmp ax, di
jb short loc_60106072

loc_60106064: ; CODE XREF: sub_60105C70+3EDj
mov dx, word_60123930
mov word_60127AD0, dx

loc_60106072: ; CODE XREF: sub_60105C70+3F2j
cmp word_60127AEC, di
jb short loc_60106087
mov ax, word_6012394C
mov word_60127AEC, ax

loc_60106087: ; CODE XREF: sub_60105C70+409j
cmp word_60127DFA, di
jb short loc_6010609E
mov cx, word_60123C5A
mov word_60127DFA, cx

loc_6010609E: ; CODE XREF: sub_60105C70+41Ej
mov al, byte_60127E00
test al, al
jz short loc_601060B9
mov ax, word_60127AD2
cmp ax, 1
jb short loc_601060B9
cmp ax, 3
jbe short nghingo

loc_601060B9: ; CODE XREF: sub_60105C70+435j
; sub_60105C70+441j
mov dx, word_60123932
push 103h ; __int16
push offset unk_60123C60 ; lpString
push offset byte_60127E00 ; void *
mov word_60127AD2, dx
call _strBufferCopy
lea eax, [ebp+var_5C]
push eax
call ExceptionLink_Destruct
mov eax, [ebp+var_4]
jmp short loc_60106141
; ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ

loc_601060E9: ; CODE XREF: sub_60105C70+8Aj
push offset NotFoundException__RuntimeClass
call Exception__CatchProc
test eax, eax
jz short nghingo
mov ecx, 138h
mov esi, offset unk_60123918
mov edi, offset word_60127AB8
mov word_60127F98, bx
rep movsd
mov [ebp+var_4], 1

nghingo: ; CODE XREF: sub_60105C70+137j
; sub_60105C70+447j ...
lea eax, [ebp+var_5C]
push eax
call ExceptionLink_Destruct
mov eax, [ebp+var_4]
jmp short loc_60106141
; ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ

loc_60106124: ; CODE XREF: sub_60105C70+62j
; sub_60105C70+6Cj
mov ecx, 138h
mov esi, offset unk_60123918
mov edi, offset word_60127AB8
mov word_60127F98, bx
rep movsd
mov eax, 1

loc_60106141: ; CODE XREF: sub_60105C70+477j
; sub_60105C70+4B2j
mov edi, [ebp+arg_4]
mov ecx, 118h
mov esi, offset word_60127AB8
rep movsd
pop edi
pop esi
pop ebx
mov esp, ebp
pop ebp
retn
sub_60105C70 endp

With that dump, the program says that the dongle needs an upgrade, so I need some hints from an expert:
- So which values in the dump need to change, and to what?
- I see a lot of cmp instructions comparing the dongle data with 1; what does that mean?
... and more questions.
Can someone help me?

CrackZ
March 4th, 2006, 12:33
Hiya,

I recognise the developer ID of this particular target (naturally I'll omit any further mention of the program name). I don't know what version of the program you are working with but these are my notes from v5.3. Perhaps this will help you.

Word 1 = Developer ID ACA3
Word 8 = D341h (explicit check)
Word 1F = 35 (version info v5.3)
Word 9 = Full (Value) = 7FFFh
Word A = Point Count (Low Value)
Word B = Point Count (High Value) 7FFFh
Word C = OEM Code (Value)
Word 16 = Manager Clients (Value)
Word 17 = Display Clients (Value)
Word 1D = Internet Manager Clients (Value)
Word 1E = Internet Display Clients
Word 20 = Connectivity (Value)
Word 21 = P2SQL (Value)
Word 22/23 = Serial Number
24-3F = 0

Protected files: CiUSafe.exe, Ctutil32.dll, Usafe32.dll

Regards

CrackZ.

mr.x
March 5th, 2006, 23:27
As I see it, this dongle also has some enhanced-cells algorithms, and I can also tell what the software name is, like CrackZ ;-)

k66473, please contact me.

k66473
March 6th, 2006, 07:29
I cannot message mr.x because:
"mr.x has exceeded their stored private messages quota and can not accept further messages until they clear some space."

The information from CrackZ helps me a lot. Now the program runs.
But there are some differences from CrackZ's notes:
Word 1F = 35 (version info v5.3)
I changed this value to 46h and the program no longer says that the dongle needs an upgrade. Here is the code which compares this value:
mov word_60127F98, ax
mov ax, word_60127AC0 //1F value (46H)
add esp, 4
cmp ax, 33h //??
jb short loc_60105FEA
cmp ax, 64h //??
jb short loc_60105FF8

loc_60105FEA: ; CODE XREF: sub_60105C70+372j
mov cx, word_60123920
mov word_60127AC0, cx
I saw it compared with 33h and 64h, but if I changed this dongle memory to 33h or 64h, the program still said the dongle must be updated. I changed it to 46h and the program no longer says so. But I do not know why.

Word 9 = Full (Value) = 7FFFh
Word A = Point Count (Low Value)
Word B = Point Count (High Value) 7FFFh

My data is different. If I follow the above values then the point count exceeds its limits,
so I follow the data in my dump.

I found the code which compares the read data with some values:
mov ax, word_60127ACC
cmp ax, 1
jb short loc_60106028
cmp ax, di // here DI=FF
jb short loc_60106034


I do not know why it compares with 1. Please give me a hint!
But when I saw the value in DI at `cmp ax, di`, I changed the rest of the data in the dump to that value.
Maybe my program needs more testing, but now it is running well.
Thanks Crackz
Thanks all.

k66473
March 6th, 2006, 07:39
Quote:
[Originally Posted by mr.x]As I seen, this dongle also has come enhaced-cells algo,

...


I don't understand this.
There is a sproExtendedRead() function, but there is no call to it.
I can only see sproread() called.
Am I missing something?

k66473
March 6th, 2006, 22:06
Today I found that the program will not work if a network is present; it only works if the mode is stand-alone server.
I will do more research.

k66473
March 8th, 2006, 06:04
It is all right now.
Thanks all

yijing
April 25th, 2006, 03:07
Quote:
[Originally Posted by CrackZ]Hiya,

I recognise the developer ID of this particular target (naturally I'll omit any further mention of the program name). I don't know what version of the program you are working with but these are my notes from v5.3. Perhaps this will help you.

Word 1 = Developer ID ACA3
Word 8 = D341h (explicit check)
Word 1F = 35 (version info v5.3)
Word 9 = Full (Value) = 7FFFh
Word A = Point Count (Low Value)
Word B = Point Count (High Value) 7FFFh
Word C = OEM Code (Value)
Word 16 = Manager Clients (Value)
Word 17 = Display Clients (Value)
Word 1D = Internet Manager Clients (Value)
Word 1E = Internet Display Clients
Word 20 = Connectivity (Value)
Word 21 = P2SQL (Value)
Word 22/23 = Serial Number
24-3F = 0

Protected files: CiUSafe.exe, Ctutil32.dll, Usafe32.dll

Regards

CrackZ.

How do you calculate Word 8 = D341h?

FoxB
April 25th, 2006, 03:14
Quote:
[Originally Posted by yijing]how to calc Word 8 = D341h


Look carefully:

---------------Cut-------------------
push 8
call dongleread
add esp, 4
mov edi, offset aDoNotTransla_0 ; "<DO NOT TRANSLATE> - OEM Product ID"
mov ecx, 24h
xor edx, edx
repe cmpsb
mov ebx, eax
jnz short loc_60105D7A
cmp bx, 0D341h
jz short loc_60105D96
cmp bx, 0D342h
jz short loc_60105D96
cmp bx, 0D343h
jz short loc_60105D96
jmp short loc_60105D8C
-----End Cut----------------

peterg70
April 29th, 2006, 07:51
Quote:
I saw it cmp with 33, and 64 H but if I changed this dongle memory to 33 and 64, the program still said it must be update dongle. I changed to 46H and program does not said any more. But I do not know why??


Simple solution: the value is in hex, i.e. 0x35 = 53, which is version 5.3.
So your 0x46 = 70 is now Version 7.0
0x33 = Version 5.1
0x64 = Version 10.0

So find your version (probably 6.0), convert it to decimal (60), then to hex (3C), and you're done.
Of course there are more cells with heaps of other options.

For memory cell 08:
0xD341 = One type of Product
0xD342 = Is Another Type of Product
0xD343 = and another type of Product

I swear that Developer ID was burnt into my memory.