uku
01-01-2009, 07:25 PM
Hello all Engineers. At first Happy new Year to everyone. I admit- I am newbie, but I have studied this area about 3 months on my free time beside work and I am really interested in that (that information is mentioned to say that I do not want to ask crack etc... I want to know how is it done:) ) The software that I have requires SENTINEL SSPRO parallel port dongle that I don't have. So I googled and searched all the information that was possible and read a lot of tutorials and found out that dongles are possible to "remove" :) . After some while I was able to get some programs
: Olly 1.10 (with GodUP and other plugins), IDA Pro (and all sentinel sspro signatures I founded: Sentinel SuperPro Lib - Killer_3K, Sentinel SuperPro (v6.0 lib) by CyberHeg, Sentinel Super Pro 6.2 lib (sope), Sentinel SuperPro C/C++ library by pRT (rev3), Sentinel SuperPro C/C++ library by pRT (rev7), Sentinel SuperPro (v6.0 lib) by CyberHeg, Sentinel SuperPro C/C++ library by pRT (rev8), sentinel dll lib, sentinel static lib), 010 Hex editor, PEID, W32Dasm, SoftICE (still unable to start that program), Toro sentinel sspro emulator and monitor 1.6, 1.7 and 2.1, Edge's SENTINEL.Emulator.2007 and 2008 and some others :)
So next I looked little into that software and just tried to execute the exe file step by step with Olly and NOP out places where were JNZ and at one place program probably started (a box "Program is loading..." came visible and program crashed :rolleyes: . As I know that it is really expensive software and there are a lot of modules so it was too easy to be true.
Two places where I NOPED out JNZ-s
First:
00420D4A |> /FFD3 /CALL EBX
00420D4C |> |6A 00 PUSH 0 ; /Arg2 = 00000000
00420D4E |. |68 649D4300 |PUSH 00439D64 ; |Arg1 = 00439D64
00420D53 |. |E8 88FEFFFF |CALL 00420BE0 ; \LocSrv.00420BE0
00420D58 |. |83C4 08 |ADD ESP,8
00420D5B |. |8BD8 |MOV EBX,EAX
00420D5D |. |85C0 |TEST EAX,EAX
00420D5F |.^\75 E9 \JNZ SHORT 00420D4A
Second:
00420D88 |> /43 /INC EBX
00420D89 |> |8A03 MOV AL,[EBX]
00420D8B |. |84C0 |TEST AL,AL
00420D8D |. |74 08 |JE SHORT 00420D97
00420D8F |. |3AD0 |CMP DL,AL
00420D91 |. |74 04 |JE SHORT 00420D97
00420D93 |. |3C 09 |CMP AL,9
00420D95 |.^\75 F1 \JNZ SHORT 00420D88
Then I started to check what Toro monitor shows when I start software (without NOP modifications) and results are here:
In:> Initialize
Out:> Initialize
In:> FindFirstUnit DeveloperId=xxxx (xxxx)
Out:> FindFirstUnit DeveloperId=xxxx (xxxx ) -> Status=0x3
In:> FindFirstUnit DeveloperId= (xxxx)
Out:> FindFirstUnit DeveloperId=xxxx (xxxx) -> Status=0x3
It didn' find dongle. Then I also installed a software (let's call it soft2) that is made by the same company and has the same protection (so it has the same DevID) and has dongle emulator (Rainbow Sentinel SPRO dongle emulator v1.05beta by Dim0n – when I googe.com a little I found that it is a russian guy and that emulator contains 1 exe file and one sentemu.sys file). When I ran that emulator and then I tried to run my software and at the same time monitored with Toro, got result:
In:> FindFirstUnit DeveloperId=xxxx (xxxx)
Out:> FindFirstUnit DeveloperId=xxxx (xxxx) -> Status=0x0
In:> Read Address=8 (0x8)
Out:> Read Address=8 (0x8) -> Status=0x0
Data=62610 (0xF492)
In:> Read Address=9 (0x9)
Out:> Read Address=9 (0x9) -> Status=0x0
Data=25 (0x19)
In:> SetUnitInfo
Out:> SetUnitInfo
In:> FindNextUnit
Out:> FindNextUnit-> Status=0x1
It found the dongle, but realized that it is not the right one and probably checked cells 8 and 9 and compared the data in the cells.
Meanwhile I dumped the emulator made for that other soft. and now I know what data all the cells have and the soft2 runs nicely with SENTEMUL2007 made by Edge (dumping took about 30 hours and it dumped perfectly - respect to EDGE team).
Next step I installed IDA and looked the software in there. I included all the signatures availible into the libary and only 2 signatures found some functions:
Sentinel SuperPro Lib - Killer_3K (found 1 function)
Sentinel SuperPro C/C++ library by pRT (rev3) (found 5 functions)
Everything else- 0 functions. Then in Name box I tried to look for typical sspro functions starting with „spro“ I found only 1 function: sproFormatPacket, nothing more =( no sproFindFirstUnit etc..
Same results with Olly when I used GODUP plugin. How could I find other functions?
When I did the same with soft2 that is working, I found all sentinel functions.
Little more information abot that software:
From PEID:
exe file- Borland C++; Linker info 2.25, Subsystem Win32 GUI, Plugin KryptoANalyzer gives : BLOWFISH: Sbox 2, CRC32 precomputed table for byte transform, CRC32 precomputed table for byte transform, MD4 transform & init constants (also used in SHA, RIPEMD, partly in CAST), MD5 transform ("compress") constants, MD5 transform ("compress") constants, Fractional part of PI number - 640 bits. Used e.g. in BLOWFISH (pbox & sbox) or NIMBUS (fixed key). And if execute the software start file then I see that it uses 18 .dll files (18 modules).
I also add the sproFormatPacket from IDA:
CODE:00417314
CODE:00417314 ; =============== S U B R O U T I N E =======================================
CODE:00417314
CODE:00417314 ; Attributes: library function bp-based frame
CODE:00417314
CODE:00417314 sproFormatPacket proc near ; CODE XREF: sub_4113AC+2D1#p
CODE:00417314 ; CODE:00416F23#p ...
CODE:00417314
CODE:00417314 arg_0 = dword ptr 8
CODE:00417314 arg_4 = dword ptr 0Ch
CODE:00417314
CODE:00417314 push ebp
CODE:00417315 mov ebp, esp
CODE:00417317 push ebx
CODE:00417318 push esi
CODE:00417319 push edi
CODE:0041731A mov esi, [ebp+arg_4]
CODE:0041731D mov eax, [ebp+arg_0]
CODE:00417320 test eax, eax
CODE:00417322 jnz short loc_41732A
CODE:00417324 mov ax, 2
CODE:00417328 jmp short loc_417373
CODE:0041732A ; ---------------------------------------------------------------------------
CODE:0041732A
CODE:0041732A loc_41732A: ; CODE XREF: sproFormatPacket+E#j
CODE:0041732A cmp si, 404h
CODE:0041732F jnb short loc_417337
CODE:00417331 mov ax, 0Fh
CODE:00417335 jmp short loc_417373
CODE:00417337 ; ---------------------------------------------------------------------------
CODE:00417337
CODE:00417337 loc_417337: ; CODE XREF: sproFormatPacket+1B#j
CODE:00417337 push eax
CODE:00417338 call sub_411A24
CODE:0041733D pop ecx
CODE:0041733E mov ebx, eax
CODE:00417340 mov edi, esi
CODE:00417342 sub di, 4
CODE:00417346 push edi
CODE:00417347 push 0
CODE:00417349 push ebx
CODE:0041734A call sub_411AD0
CODE:0041734F add esp, 0Ch
CODE:00417352 push 3
CODE:00417354 push edi
CODE:00417355 push ebx
CODE:00417356 call sub_411D34
CODE:0041735B add esp, 0Ch
CODE:0041735E push 4
CODE:00417360 lea eax, [ebx+38h]
CODE:00417363 push eax
CODE:00417364 call sub_411E4C
CODE:00417369 add esp, 8
CODE:0041736C or word ptr [ebx+12h], 8
CODE:00417371 xor eax, eax
CODE:00417373
CODE:00417373 loc_417373: ; CODE XREF: sproFormatPacket+14#j
CODE:00417373 ; sproFormatPacket+21#j
CODE:00417373 pop edi
CODE:00417374 pop esi
CODE:00417375 pop ebx
CODE:00417376 pop ebp
CODE:00417377 retn 8
CODE:00417377 sproFormatPacket endp
Finnaly I would like to ask some questions:
1.How could I find other sentinel functions in Olly or IDA? (sproFindFirstUnit... etc)
2.How is it possible to find out what data is software looking from dongle cells? (perhaps I can find that data and change dongle emulator cells?)
3.Please advise how is the best way to keep going.
I really hope that it didn't get too long and that I didn't break any board rules (I avoided to show any DevID-s etc...).
Regards to anyone who takes a little time and tries to help.
=)
: Olly 1.10 (with GodUP and other plugins), IDA Pro (and all sentinel sspro signatures I founded: Sentinel SuperPro Lib - Killer_3K, Sentinel SuperPro (v6.0 lib) by CyberHeg, Sentinel Super Pro 6.2 lib (sope), Sentinel SuperPro C/C++ library by pRT (rev3), Sentinel SuperPro C/C++ library by pRT (rev7), Sentinel SuperPro (v6.0 lib) by CyberHeg, Sentinel SuperPro C/C++ library by pRT (rev8), sentinel dll lib, sentinel static lib), 010 Hex editor, PEID, W32Dasm, SoftICE (still unable to start that program), Toro sentinel sspro emulator and monitor 1.6, 1.7 and 2.1, Edge's SENTINEL.Emulator.2007 and 2008 and some others :)
So next I looked little into that software and just tried to execute the exe file step by step with Olly and NOP out places where were JNZ and at one place program probably started (a box "Program is loading..." came visible and program crashed :rolleyes: . As I know that it is really expensive software and there are a lot of modules so it was too easy to be true.
Two places where I NOPED out JNZ-s
First:
00420D4A |> /FFD3 /CALL EBX
00420D4C |> |6A 00 PUSH 0 ; /Arg2 = 00000000
00420D4E |. |68 649D4300 |PUSH 00439D64 ; |Arg1 = 00439D64
00420D53 |. |E8 88FEFFFF |CALL 00420BE0 ; \LocSrv.00420BE0
00420D58 |. |83C4 08 |ADD ESP,8
00420D5B |. |8BD8 |MOV EBX,EAX
00420D5D |. |85C0 |TEST EAX,EAX
00420D5F |.^\75 E9 \JNZ SHORT 00420D4A
Second:
00420D88 |> /43 /INC EBX
00420D89 |> |8A03 MOV AL,[EBX]
00420D8B |. |84C0 |TEST AL,AL
00420D8D |. |74 08 |JE SHORT 00420D97
00420D8F |. |3AD0 |CMP DL,AL
00420D91 |. |74 04 |JE SHORT 00420D97
00420D93 |. |3C 09 |CMP AL,9
00420D95 |.^\75 F1 \JNZ SHORT 00420D88
Then I started to check what Toro monitor shows when I start software (without NOP modifications) and results are here:
In:> Initialize
Out:> Initialize
In:> FindFirstUnit DeveloperId=xxxx (xxxx)
Out:> FindFirstUnit DeveloperId=xxxx (xxxx ) -> Status=0x3
In:> FindFirstUnit DeveloperId= (xxxx)
Out:> FindFirstUnit DeveloperId=xxxx (xxxx) -> Status=0x3
It didn' find dongle. Then I also installed a software (let's call it soft2) that is made by the same company and has the same protection (so it has the same DevID) and has dongle emulator (Rainbow Sentinel SPRO dongle emulator v1.05beta by Dim0n – when I googe.com a little I found that it is a russian guy and that emulator contains 1 exe file and one sentemu.sys file). When I ran that emulator and then I tried to run my software and at the same time monitored with Toro, got result:
In:> FindFirstUnit DeveloperId=xxxx (xxxx)
Out:> FindFirstUnit DeveloperId=xxxx (xxxx) -> Status=0x0
In:> Read Address=8 (0x8)
Out:> Read Address=8 (0x8) -> Status=0x0
Data=62610 (0xF492)
In:> Read Address=9 (0x9)
Out:> Read Address=9 (0x9) -> Status=0x0
Data=25 (0x19)
In:> SetUnitInfo
Out:> SetUnitInfo
In:> FindNextUnit
Out:> FindNextUnit-> Status=0x1
It found the dongle, but realized that it is not the right one and probably checked cells 8 and 9 and compared the data in the cells.
Meanwhile I dumped the emulator made for that other soft. and now I know what data all the cells have and the soft2 runs nicely with SENTEMUL2007 made by Edge (dumping took about 30 hours and it dumped perfectly - respect to EDGE team).
Next step I installed IDA and looked the software in there. I included all the signatures availible into the libary and only 2 signatures found some functions:
Sentinel SuperPro Lib - Killer_3K (found 1 function)
Sentinel SuperPro C/C++ library by pRT (rev3) (found 5 functions)
Everything else- 0 functions. Then in Name box I tried to look for typical sspro functions starting with „spro“ I found only 1 function: sproFormatPacket, nothing more =( no sproFindFirstUnit etc..
Same results with Olly when I used GODUP plugin. How could I find other functions?
When I did the same with soft2 that is working, I found all sentinel functions.
Little more information abot that software:
From PEID:
exe file- Borland C++; Linker info 2.25, Subsystem Win32 GUI, Plugin KryptoANalyzer gives : BLOWFISH: Sbox 2, CRC32 precomputed table for byte transform, CRC32 precomputed table for byte transform, MD4 transform & init constants (also used in SHA, RIPEMD, partly in CAST), MD5 transform ("compress") constants, MD5 transform ("compress") constants, Fractional part of PI number - 640 bits. Used e.g. in BLOWFISH (pbox & sbox) or NIMBUS (fixed key). And if execute the software start file then I see that it uses 18 .dll files (18 modules).
I also add the sproFormatPacket from IDA:
CODE:00417314
CODE:00417314 ; =============== S U B R O U T I N E =======================================
CODE:00417314
CODE:00417314 ; Attributes: library function bp-based frame
CODE:00417314
CODE:00417314 sproFormatPacket proc near ; CODE XREF: sub_4113AC+2D1#p
CODE:00417314 ; CODE:00416F23#p ...
CODE:00417314
CODE:00417314 arg_0 = dword ptr 8
CODE:00417314 arg_4 = dword ptr 0Ch
CODE:00417314
CODE:00417314 push ebp
CODE:00417315 mov ebp, esp
CODE:00417317 push ebx
CODE:00417318 push esi
CODE:00417319 push edi
CODE:0041731A mov esi, [ebp+arg_4]
CODE:0041731D mov eax, [ebp+arg_0]
CODE:00417320 test eax, eax
CODE:00417322 jnz short loc_41732A
CODE:00417324 mov ax, 2
CODE:00417328 jmp short loc_417373
CODE:0041732A ; ---------------------------------------------------------------------------
CODE:0041732A
CODE:0041732A loc_41732A: ; CODE XREF: sproFormatPacket+E#j
CODE:0041732A cmp si, 404h
CODE:0041732F jnb short loc_417337
CODE:00417331 mov ax, 0Fh
CODE:00417335 jmp short loc_417373
CODE:00417337 ; ---------------------------------------------------------------------------
CODE:00417337
CODE:00417337 loc_417337: ; CODE XREF: sproFormatPacket+1B#j
CODE:00417337 push eax
CODE:00417338 call sub_411A24
CODE:0041733D pop ecx
CODE:0041733E mov ebx, eax
CODE:00417340 mov edi, esi
CODE:00417342 sub di, 4
CODE:00417346 push edi
CODE:00417347 push 0
CODE:00417349 push ebx
CODE:0041734A call sub_411AD0
CODE:0041734F add esp, 0Ch
CODE:00417352 push 3
CODE:00417354 push edi
CODE:00417355 push ebx
CODE:00417356 call sub_411D34
CODE:0041735B add esp, 0Ch
CODE:0041735E push 4
CODE:00417360 lea eax, [ebx+38h]
CODE:00417363 push eax
CODE:00417364 call sub_411E4C
CODE:00417369 add esp, 8
CODE:0041736C or word ptr [ebx+12h], 8
CODE:00417371 xor eax, eax
CODE:00417373
CODE:00417373 loc_417373: ; CODE XREF: sproFormatPacket+14#j
CODE:00417373 ; sproFormatPacket+21#j
CODE:00417373 pop edi
CODE:00417374 pop esi
CODE:00417375 pop ebx
CODE:00417376 pop ebp
CODE:00417377 retn 8
CODE:00417377 sproFormatPacket endp
Finnaly I would like to ask some questions:
1.How could I find other sentinel functions in Olly or IDA? (sproFindFirstUnit... etc)
2.How is it possible to find out what data is software looking from dongle cells? (perhaps I can find that data and change dongle emulator cells?)
3.Please advise how is the best way to keep going.
I really hope that it didn't get too long and that I didn't break any board rules (I avoided to show any DevID-s etc...).
Regards to anyone who takes a little time and tries to help.
=)