vusbus .reg -> sentemul .dng


theodore
10-01-2009, 03:07 AM
Greetings everyone..

I just can't help but notice that almost everyone here has conveniently been using vbusb, as it is very easy to implement. However, as anyone may notice.. vbusb is quite slow compared to sentemul et al.

Can we look at the file structure of the dng file, please?

Thanks.

gus
10-01-2009, 03:44 AM
1- Install Vusb
2- Use edgespro ->create dng
3- Uninstall Vusb
4- Use sentinel 2007 -> load dng

theodore
10-01-2009, 04:34 AM
Thanks gus.. that's a quick fix. However, as you may be aware.. EdgePro sometimes does not write the dng file correctly, which leaves the user with an incorrect dump.

stefan
10-01-2009, 04:56 AM
So this is the reason for using mkeyemu :)

theodore
10-01-2009, 05:08 AM
So this is the reason for using mkeyemu :)

I'm sorry.. but isn't mkeyemu still a vbusb derivative?

stefan
10-01-2009, 05:23 AM
Yes, find Mkey emu 0.18.0.3 for 32 or 64 bit. Edit your reg file and emu'em all :)

theodore
10-01-2009, 05:57 AM
Yes, find Mkey emu 0.18.0.3 for 32 or 64 bit. Edit your reg file and emu'em all :)

I agree that vbusb is a great emu. No argument there. This forum is already flooded with tons of tools and info regarding vbusb but very little info about the dng file format.

What I am trying to get at is for our friends here to have a look at the dng file format. Team EDGE has obviously reversed it, and according to them the protections used are -> RSA-512, RC6, MD5, Custom, Obfuscation.

benito
10-01-2009, 08:03 AM
+1. I would also like to see the pure (decrypted) structure of the dng format. I think the only person here who could tell us is cE,
but I haven't seen him here for a long time.

Git
10-01-2009, 08:54 AM
I have partially¹ decrypted sentinel DNG files and encrypted to DNG. The work is not complete enough to publish though. I can confirm RSA, RC6 and MD5 are used but didn't see any particular use of custom encryption. There is some obfuscation around the algo stuff, which is where I got stuck. It uses the most popular Big Number library though. Cracking the private key was difficult - took less than 1 minute as my first guess was right. The EdgePro tools are not packed with anything, so there is nothing to stop you disassembling it yourself. If you do Google searches for the encryption source code you will find it is all open source.

¹ I have decrypted the sentinel DNG cell values and access codes, but not Algo descriptors. I may have another look sometime. I'll post the struct I used to represent the dng file which may help someone get started.

#include <stdint.h>

typedef uint8_t  BYTE;    /* Windows-style type names used in the struct */
typedef uint16_t WORD;
typedef uint32_t DWORD;

#pragma pack(1)           /* the offsets in the comments assume no padding */
typedef struct _licstruct
{
    DWORD length;            // 0x0000 length of entire struct, i.e. file length
    DWORD boolA;             // 0x0004 1
    DWORD licLen;            // 0x0008 length of embedded license
    BYTE  LicBuffer[64];     // 0x000C embedded license
    BYTE  body[96];          // 0x004C dunno
    DWORD dwAC;              // 0x00AC 1
    DWORD dwB0;              // 0x00B0 -1
    DWORD dwB4;              // 0x00B4 3
    DWORD devID;             // 0x00B8 what it says on the tin
    WORD  cellData[64];      // 0x00BC sentinel super pro cell data (WORDs)
    BYTE  accessCodes[64];   // 0x013C sentinel super pro Access Codes (BYTEs)
    BYTE  buff[16];          // 0x017C dunno yet
    BYTE  extMD5[16];        // 0x018C MD5 of all data from ext[] onward
    BYTE  MD5B[16];          // 0x019C MD5 of the 96 bytes from inp[0] to bufB[15]
    WORD  inp[16];           // 0x01AC obfuscated cell[0] Serial WORDs : these 4 buffers used to obfuscate LFSR2 and Descriptor2
    WORD  bufX[16];          // 0x01CC obfuscated cell[1] DevID WORDs
    BYTE  bufA[16];          // 0x01EC obfuscated cell[0] Serial BYTEs
    BYTE  bufB[16];          // 0x01FC obfuscated cell[1] DevID BYTEs
    BYTE  bigBuf[128];       // 0x020C
    DWORD extLen;            // 0x028C length of all data from ext[] onward
    BYTE  ext[28*1802];      // 0x0290 Simple algo=8bytes, Enhanced=1802bytes, Allow for maximum.
} licstruct;
#pragma pack()

Git

benito
10-01-2009, 11:02 AM
Ok. Correction cE or Git :)

Cracking the private key was difficult - took less than 1 minute as my first guess was right.

How is it possible? Where did they make a mistake? ;)

Git
10-01-2009, 01:16 PM
Well, the source code that complies with the standards has validation tests with it. In those validation tests are some example public/private key pairs. I think you can guess the rest.

Git

benito
10-01-2009, 01:35 PM
Hehe, really? It's funny!

theodore
10-02-2009, 04:23 AM
I have partially¹ decrypted sentinel DNG files and encrypted...
Git

Thanks for sharing your find Git.. I hope that this would encourage anyone who has further information regarding the subject to put forward their work as well.

Can we please use this thread for this purpose?

Thanks.

Git
10-02-2009, 06:52 AM
Sure. The algo descriptor part needs sorting next if we are to have a full converter. The entry in the struct:

BYTE ext[28*1802]; // 0x0290 Simple algo=8bytes, Enhanced=1802bytes

shows I got somewhere towards it. I used these structs to represent the algo entries:

typedef struct _enalgostruct       /* Enhanced algo entry: 1 + 1 + 4 + 4 + 28*32*2 = 1802 bytes */
{
    BYTE  cellNum;
    BYTE  type;                    /* 0x84 for an Enhanced algo */
    DWORD Descriptor1;
    DWORD LFSR1;
    WORD  Wout[28*32];
} enalgostruct;

typedef struct _algostruct         /* Simple algo entry: 1 + 1 + 2 + 2 + 2 = 8 bytes */
{
    BYTE  cellNum;
    BYTE  type;                    /* 0x86 for a Simple algo */
    WORD  WP;
    WORD  descripLO;
    WORD  descripHI;
} algostruct;

All these structs are surrounded by:
#pragma pack(1)
...
#pragma pack()

I think the Wout array is used to obfuscate the rest of an initialised Query struct. The 'type' field identifies the type of algo, it is 0x86 for a Simple algo and 0x84 for an Enhanced algo.

Git
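As an added example (my own code, not Git's or EDGE's), here are the two algo structs compiled with the pack(1) the post describes, plus a walker that splits an ext[] buffer into entries by the type byte and advances by sizeof each struct, refusing unknown or truncated entries. The sample buffer with one Simple and one Enhanced entry is constructed for the demo and is an assumption.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

typedef uint8_t  BYTE;
typedef uint16_t WORD;
typedef uint32_t DWORD;

#pragma pack(1)                    /* without this, Descriptor1 would land at offset 4 */
typedef struct _algostruct {       /* Simple algo entry, 8 bytes */
    BYTE cellNum;
    BYTE type;                     /* 0x86 = Simple */
    WORD WP;
    WORD descripLO;
    WORD descripHI;
} algostruct;

typedef struct _enalgostruct {     /* Enhanced algo entry, 1802 bytes */
    BYTE cellNum;
    BYTE type;                     /* 0x84 = Enhanced */
    DWORD Descriptor1;
    DWORD LFSR1;
    WORD Wout[28 * 32];
} enalgostruct;
#pragma pack()

/* Walk `len` bytes of ext[] data and count entries by type.
   Returns the number of entries parsed, or -1 on an unknown type or a
   truncated entry, so a damaged dump is rejected instead of over-read. */
int walk_algo_entries(const BYTE *ext, size_t len, int *simple, int *enhanced)
{
    size_t off = 0;
    int n = 0;
    *simple = *enhanced = 0;
    while (off < len) {
        if (len - off < 2) return -1;               /* not even a header */
        BYTE type = ext[off + 1];
        size_t sz = (type == 0x86) ? sizeof(algostruct)
                  : (type == 0x84) ? sizeof(enalgostruct) : 0;
        if (sz == 0 || len - off < sz) return -1;   /* unknown or truncated */
        if (type == 0x86) (*simple)++; else (*enhanced)++;
        off += sz;
        n++;
    }
    return n;
}

/* Constructed sample (assumption): one Simple entry then one Enhanced entry. */
int demo_walk(int *simple, int *enhanced)
{
    static BYTE ext[sizeof(algostruct) + sizeof(enalgostruct)];
    algostruct s = { .cellNum = 8, .type = 0x86 };
    enalgostruct e = { .cellNum = 10, .type = 0x84 };
    memcpy(ext, &s, sizeof s);
    memcpy(ext + sizeof s, &e, sizeof e);
    return walk_algo_entries(ext, sizeof ext, simple, enhanced);
}
```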

foffa
10-03-2009, 12:37 AM
@Git
Amazing information as usual; this information should be in the main topic :rolleyes:

Who will continue from the point Git finished at? :)

We were JUST playing with DNG files :D

Thanks again.

Git
10-03-2009, 06:55 AM
theodore - I'm not sure which dongle emulation gave you slow execution, but if it was HaspHL, there is an option to remove the delay in MultiKey V18.1.0. Set the first byte of the Option array to 0x69.

Git

theodore
10-03-2009, 07:57 PM
It is SSPro, Git. I have successfully been using toro's, safekey's, ucl's, sentemul, and the emu that requires a .SE file. However, the updated app requires the updated sentinel driver, knocking out safekey's, ucl's and toro's. Vbusb and sentemul are the only ones currently working for me. Recently, I have managed to enable an exciting feature in the said app by updating several cells. EdgePro can't give me a working dng file, hence the interest in its file structure. Vbusb is working fine, and the only issues I have with it are that it is slow and that the app isn't showing the correct dongle number during start-up.

On another topic, I am currently working on a new app which would run with either scribe or hasp. I have the hasp key but wish not to use it for this project, as a challenge. With the aid of ucl's hasp emulator and toro's monitor v3.2, the app gave me the required passwords. Knowing the passwords, I updated my .reg file to emulate it, and fortunately I have stopped the app complaining about "No dongle found". However, the issue now is.. I have no module enabled, and I can't use toro's monitor to see how the app interacts with the dongle, as my PC crashes with a blue screen upon app execution. Using hMon I learned that the app issues a "WriteWord" command and a lot of "ReadWord" commands. Now I am reading HaspMan.pdf, as I am new to hasp.

I am on Vista 32-bit by the way.

Is there a way for me to emulate a scribe dongle? I searched but have not found good material other than Bfox's post regarding the API --> http://rapidshare.com/files/69651166/scribe.zip.html.

Do we have a working scribe emu?

BfoX
10-04-2009, 02:19 AM
MeteO's emulator can help you, imho

theodore
10-04-2009, 05:31 AM
I tried ucl's haspemu and toro's haspmon on an XP machine and have successfully captured the interaction. I have also loaded the license manager in IDA and learned that it was coded in VB.

Bfox :
Thanks for the hint.. does meteo's sentemu 2.2 support scribe? If so, how?

Git
10-04-2009, 10:07 AM
Meteo's emulator supports almost all the early Sentinel dongles, but I don't know if anybody here can remember how to use it!

Try the 0x69 trick with MultiKey 18.1; it is possible it affects Sentinel also. If not, you know how to use IDA, so load up multikey.sys and see if you can find the 40 ms delay. Get rid of it and see if the app still runs.

Git

theodore
10-05-2009, 04:08 AM
Meteo's emulator supports almost all the early Sentinel dongles, but I don't know if anybody here can remember how to use it!
Git

This is a good reason why documenting a procedure is so important. Team Edge may have successfully reversed the DNG file format.. but unless they transfer the information to other interested parties.. the process can easily be forgotten.

Git, I tried the 0x69 trick but the app reports "no dongle found".

theodore
10-05-2009, 05:13 PM
I have been thinking.. can I emulate scribe even if I do not have a physical LPT? Toro's Monitor has shown me the DevID.

Git
10-05-2009, 06:19 PM
Yes, of course.

Please don't reply to yourself. Use the Edit button to add to your original post. Thanks.

Git