Tracing wlscgen 8.0???
I'm trying to trace the emulated dongle calls in Olly. I have 8.0 working with toro 1.7 and I'm trying to locate the point where the cell values are read. I have run memorywatch on all registers and never see any of the known cell values. I don't understand.
Is this an anti-debugging issue or something else? The Sentinel monitor indicates communication with the emulator at least 50 times at start up. What am I missing here?
Communication between the app and driver, and between the driver and dongle (or emulated dongle), is encrypted.
Git
So the key is the driver... the Sentinel system driver ver 7.2.
Is this the driver you refer to?
Yes. By the way, by using the sentinel monitor you are adding another level of indirection/hooking to the situation so I think it will make things harder to understand, not easier.
I suggest you use the SproEval tool and the Sentinel SDK manual to make simple API calls that you can more easily trace. You will not understand any of the transfer protocols without disassembly of the driver. If you use IDA to disassemble a protected app, you can gain a good understanding of what is happening and use its excellent debugger. If you apply the IDA Sentinel SIG you will see all the API calls inside your app by name.
The app talks to the driver with a 1028 byte API struct packet. It is undocumented but well known by now. The app fills in various fields of this struct (function code, data, etc.), then encrypts this packet with TEAN encryption using linked-in routines from the SDK libs, and sends it to the driver. The driver decrypts this packet and talks to the USB layer/dongle with an 8 byte Request packet and gets an 8 byte Response packet back from the dongle. These use a proprietary undocumented encryption, but again it is well known by now. After decrypting the Response packet, the driver will fill in various fields of the API struct packet, encrypt it with TEAN and send it back to the app.
Git