Overwrite password for SSPro DevID=3B38
vernon
04-03-2008, 11:08 PM
Does anyone here happen to know the two overwrite passwords for the Sentinel SuperPro dongle with DevID=3B38? I wish to play around with this dongle by reprogramming it and use it to test my program before contacting Rainbow. I understand that for me to be able to use the enhanced algo.. I need to define cell06.
I tried to brute-force it, but I have calculated that it will take me 97 years to do it.
Thanks for your help.
benito
04-04-2008, 01:43 AM
> Does anyone here happen to know the two overwrite passwords for the Sentinel SuperPro dongle with DevID=3B38? I wish to play around with this dongle by reprogramming it and use it to test my program before contacting Rainbow. I understand that for me to be able to use the enhanced algo.. I need to define cell06.
> I tried to brute-force it, but I have calculated that it will take me 97 years to do it.
> Thanks for your help.
Hi, may I know how you tried to brute-force it?
In my case I catch OP1,2 with Toros monitor, but it is specific for each software distribution :(
vernon
04-04-2008, 08:23 AM
> Hi, may I know how you tried to brute-force it?
> In my case I catch OP1,2 with Toros monitor, but it is specific for each software distribution :(
Hmm.. how could Toro monitor have been able to catch the contents of those cells? As far as I know, cells 02 to 07 are non-readable; that is why the WPs have to be brute-forced or calculated, and cell06 calculated along with the algo descriptors.
As for my procedure.. I was able to download the triple-9 software, which records actions done during a record session and writes a macro for a later run. I made some modifications and used the tool from SafeNet (sproEval2) for testing the dongle.
Do you have a dongle with devID=3b38? If you do.. could you please share OP1 and OP2? Thanks.
Dump the dongle with the PVA3.3 dumper. Solve it with Dmp2SSP, which will give you C6 and the algo parameters. Choose an emulator - Vusb is good. Use UniDmpToReg1.15b to convert the SSP file to a "Chingachguk & Denger2k" Vusb registry file. Search on this forum for how to correct the file (it writes 16-bit words rather than 2 8-bit bytes). Before importing the reg file into the registry and starting the emulator, you can edit it to make OWP1 and OWP2 whatever you want. The Memory or sntMemory section of the reg file represents the 64 cells of the dongle, 0 to 63.
Cell 0 = Dongle Serial number
Cell 1 = Developer ID
Cell 2 = Overwrite Password 1
Cell 3 = Overwrite Password 2
Cell 4 = Write Password
Cell 5 = Hard License Limit
Cell 6 = C6
Cell 7 = not usually used
Each cell value is a 16-bit word and is recorded in reverse byte order as LSB, MSB.
I would change WP, OWP1 and OWP2 to something arbitrary and then use SproEval2 to play with the emulator as if it were the dongle - it should act identically.
As for finding the real OWP1 & OWP2, you may be lucky. If they are used by the program then you may find them by monitoring dongle communications or by reversing the application in IDA, applying the Sentinel sig, looking for function names that use OWPs and seeing if the OWP1 & OWP2 parameters are there being pushed on the stack. If they are not, put a breakpoint on the Sentinel function and look at the stack. But beware - most programs don't use any of the OWP-protected functions, and those that do often obfuscate the values in upgrade license files or similar.
Another way you may be able to retrieve them is by brute-force overwriting a couple of dongle cells that (hopefully) don't matter (or record the values and put them back after the brute force). It will take a while.
Git
> Cell 0 = Dongle Serial number
> Cell 1 = Developer ID
> Cell 2 = Overwrite Password 1
> Cell 3 = Overwrite Password 2
> Cell 4 = Write Password
> Cell 5 = Hard License Limit
> Cell 6 = C6
> Cell 7 = not usually used
I'm making a copy dongle. I've passed the developer ID check, and I've written the same data as the original dongle, but the software does not work. I think the software must check cell 6 (C6), but I don't know how to patch it until now.
> If they are used by the program then you may find them by monitoring dongle communications or by reversing the application in IDA, applying the Sentinel sig, looking for function names that use OWPs and seeing if the OWP1 & OWP2 parameters are there being pushed on the stack. If they are not, put a breakpoint on the Sentinel function and look at the stack. But beware - most programs don't use any of the OWP-protected functions, and those that do often obfuscate the values in upgrade license files or similar.
I'm interested in your method, but I don't know how to use the sig file, how to find the API, or how to put a breakpoint on the Sentinel function. Can you make a tutorial about what you told us above? Thanks.
> Another way you may be able to retrieve them is by brute-force overwriting a couple of dongle cells that (hopefully) don't matter (or record the values and put them back after the brute force). It will take a while.
It will take a looong looong time, I've tried.
BTW, forgive my English. :D
vernon
04-07-2008, 01:58 AM
The application this dongle was originally used with did not use the enhanced algo. I was able to write to cell10h and cell11h to define the algo descriptors and gave them an access code of 3. I then used the PVA dumper to dump the algo on cell10h, then used f1_nodongle shared by CEngineer to solve the contents of cell10h, cell11h and cell06h.
Can't we use the same method in solving cell02h and cell03h?
I mean, we try to reprogram rnbosproquery to use cell02 or cell03 instead of cell06?
To zhjd: I wasn't able to work on your problem because I can't install your program on my machine. But I think your problem can easily be solved by using IDA and any good hex editor, then patching your program to look for the same dongle number. Knowing the OPs won't help you edit a dng file. Or better yet, use Vusb... although I haven't tried it myself.. they claim that this emu will be able to simultaneously emulate dongles with the same devID.
> can't we use the same method in solving cell02h and cell03h?
No, cells 0 to 7 are reserved and cannot contain algos. The driver would return a SP_INVALID_MEMORY_ADDRESS error if you tried.
> they claim that this emu will be able to simultaneously
> emulate dongles with the same devID.
Do they? I don't think so. It can certainly emulate many dongles at once, but not two with the same DevID, because they would both need the same registry entry name.
Later... having thought about this I may be wrong. I'll have a look at the source.
Git
gamebit0
04-07-2008, 11:03 AM
> Can't we use the same method in solving cell02h and cell03h?
Sometimes (rarely) cell2 can respond as a key algo.
> They claim that this emu will be able to simultaneously emulate dongles with the same devID.
Yes, it's possible with the ru-board vusb & safe-key emus.
vernon
04-07-2008, 09:53 PM
Thanks to all.
I didn't say that we put the algo on cell02h. What I want to try and do is use cell02h as a replacement for the seed instead of cell06h. For example, we have an algo on cell10h and cell11h.. by default, the driver will generate the response to a query based on cell06h as the seed code. Instead of using cells 10h, 11h and 06h to respond to sproquery.. we use cell02h as the seed, and then after that cell03h.
I hope what I am saying makes sense.
P.S. After trying the following dumpers: pva3.3, dumper1.4m / 1.5m used by neo-bit, and edge solver. I was amazed that the neo-bit people are able to calculate algos with just 50 query-response pairs, as against pva3.3 with 1024, and the worst is edge.
benito
04-08-2008, 04:01 AM
> Hmm.. how could Toro monitor have been able to read those cells? As far as I know, cells 03 to 07 are non-readable; that is why the WPs have to be brute-forced.
> As for my procedure.. I was able to download the triple-9 software, which records actions done during a record session and writes a macro for a later run. I made some modifications and used the tool from safekey for testing the dongle.
> Do you have a dongle with devID=3b38? If you do.. could you please share OP1 and OP2? Thanks.
Toros monitor doesn't read anything, it is not a dumper ;) It just catches the communication between the dongle and the protected application. Sometimes also (when used) OP1, OP2.
vernon
04-08-2008, 08:14 AM
To benito: sorry for my earlier comment. I agree that Toro can capture data sent by and to the dongle. I tried it myself. Thanks for the info.
One more thing: the app from DevID=3b38 used the WP to write new data as part of their protection scheme.
Actually, the f1_nodongle / dmp2ssp uses most of the 1024 responses for statistical analysis to determine if the algorithm is standard or enhanced. Finding the actual parameters of the algorithm is done with just the first 2 responses.
Git
vernon
04-08-2008, 09:02 PM
Git, only two responses? Wow.. I never knew that.
I have read somewhere that:
- the standard algo can be solved with two responses, since the function is linear;
- the enhanced algo requires at least 32 to be solved.
Since f1_nodongle and dmp2ssp are out in public already.. can you discuss how they are being solved?
Neither of them is protected in any way, so why don't you disassemble them and have a look? You'll learn much more about the principles that way.
Git
vernon
04-09-2008, 09:40 PM
Thanks Git. I disassembled them last night, and it is pretty simple.
vernon
04-10-2008, 09:09 PM
Git: would I be allowed to disclose to the public the information I have learned so that everyone can benefit from it, or would someone be offended if I do?
I would most definitely keep it to yourself.
Git
agoemilar
04-18-2008, 05:26 AM
How to use f1_nodongle.exe?
I'm getting [ERROR]: Use:
What I wanted to do is to convert my .dmp file.
benito
04-18-2008, 05:38 AM
> How to use f1_nodongle.exe?
> I'm getting [ERROR]: Use:
> What I wanted to do is to convert my .dmp file.
I think you have the wrong dump; this one is for dumps from the PVA dumper.
vernon
04-18-2008, 08:54 AM
f1_nodongle.exe should be renamed to f1_pva.exe :)
It has already been renamed; it was originally dmp2ssp.exe. The one starting in f1 is f1__spor.exe, which is for sp0raw dumps.
Git
vernon
05-02-2008, 02:17 AM
> It has already been renamed; it was originally dmp2ssp.exe. The one starting in f1 is f1__spor.exe, which is for sp0raw dumps.
> Git
Hmm.. Git, does this mean f1__spor is the tool to convert bin files to ssp? I never had this.
f1_pva is for dmp files.
I was able to get hold of dmp2ssp, but the one I have sucks, as it takes a lot of time to make the ssp file and uses a huge amount of CPU resources.
ngoksun
05-02-2008, 02:48 AM
All solvers use a similar brute force to get the std algo, so all versions are almost the same. It needs the most time and uses a huge amount of CPU resources when processing the std algo, but for the enhanced algo it's fast.
vernon
05-02-2008, 03:33 AM
> All solvers use a similar brute force to get the std algo, so all versions are almost the same. It needs the most time and uses a huge amount of CPU resources when processing the std algo, but for the enhanced algo it's fast.
But the dongle I tried it with does not have a std algo.. only enh algos.
> Hmm.. Git, does this mean f1__spor is the tool to convert bin files to ssp? I never had this.
Yes. The original names are f1_sp0r.exe for sp0raw format .bin files, and dmp2ssp.exe for PVA format .dmp files.
Git