CPSWin32 v1.3 Millennium / v2.0.5.2 & GeoPath Power CAD/CAM - Tutorial

CPSWin32 v1.3
GeoPath Power CAD/CAM
CPSWin32 v2.0.5.2 (updated 12th July 2007), download files here 1.68Mb (this is v2.0.5.2 despite the file information saying 2.0.4.1).

This tutorial covers 2 implementation instances of the Rainbow Cplus dongle (a cheaper model than the SuperPro, you'll soon see why). I've followed this particular program since v1.16; the protection has been a one way evolution to nowhere. The Rainbow Cplus range of dongles uses 3 main dll's; in the real world I've run into only 2 of them, sc16w.dll & sc32w.dll, and there seem to be no clear guidelines on which to use, I've seen pure 32-bit applications link the 16-bit dll and vice versa. This particular target uses sc32w.dll, which exports 6 functions (prefix RNBOcplus.....); we need only concern ourselves with 3 of them: RNBOcplusFormatPacket, RNBOcplusInitialize & RNBOcplusRead.

I'll introduce an elegant idea here (one which isn't originally mine): what we will do is write our own sc32w.dll, which will of course act as an efficient replacement for the useless Sentinel code (and if by accident we should eliminate the need for the dongle then so be it). Let's familiarise ourselves with these 3 API functions and their parameters :-

:0041B4AE PUSH 00000404 <-- Packet record length.
:0041B4B3 PUSH 00912A84 <-- -> Packet record.
:0041B4B8 CALL RNBOcplusFormatPacket

:0041B508 MOV CX, WORD PTR [EBP-24] <-- 0x4.
:0041B50C PUSH ECX
:0041B50D PUSH 00912A84 <-- -> Packet record.

I won't show the application side of the RNBOcplusRead code, you can see the idea; all of the Cplus functions seem to be very similar to the corresponding SuperPro functions (including the parameters), so one might conclude that the SuperPro is something of a lazy port of the Cplus code. Using TASM I quickly created a skeleton dll with these 3 functions as exports (all the source code can be found at the end of this document); now we are going to see exactly what answers our application wants from our functions using SoftICE.

With CPSWin32, recovering the dongle's contents is very easy: the first 5 words (0-4) and word 3F are all checked against explicit values. Words F & 10 must equal 2020h for version checks. The final 2 words, A & B, are a little trickier as they are checked against explicit pairs of values to set a very important version information flag (3421h & 3734h are one such combination). With these values in place in our emulated dll, CPSWin32 now runs perfectly.

Sentinel Cplus dll Source Code (3k).

GeoPath Power CAD/CAM v3.3x

http://www.solution-ware.com :- Webpage.

GeoPath Power CAD/CAM uses a Sentinel similar to CPSWin32 (early versions used the 16-bit dll, which is still bundled with the application today). I'll just show some of the code snippets: words 0,1,2,7,8 & 3Fh are read from the dongle in a single function which must return AL=1; words 1 & 2 are saved and should be bpr'd as they are checked when certain options are used.

:00465F96 PUSH 3F ; Word to read.
:00465F98 PUSH EAX
:00465F99 CALL ESI ; RNBOcplusRead().
:00465F9B CMP AX,BX ; Status_OK.
:00465F9E JNZ 004660A2 ; Bad.
:00465FA4 CMP WORD PTR [ESP+10],268F ; Check word.
:00465FAB JNZ 004660A2

:00465FBD PUSH EBX ; Word to read (0).
:00465FBE PUSH EDX
:00465FBF CALL ESI ; RNBOcplusRead().
:00465FC1 CMP WORD PTR [ESP+10],1F1F ; Check word.
:00465FC8 JNZ 004660A2 ; Bad jump obviously (see Status_OK).

Known good values for this dongle are as follows :-

Word Position   Known Value
0               1F1Fh
1               5257h
2               FFFFh
7               FFFFh
8               FFFFh
3Fh             268Fh

Now one only needs to configure the dll above and another cplus bites the dust.

CPSWin v2.0.4.1 - 12th July 2007

7 years after originally looking at this application, I'm back to see if anything has changed. The answer, somewhat surprisingly, is not really. The entire strategy is still dependent on RNBOcplusRead. Analysis of the x-refs leads us to conclude that the entire protection can be found in 2 main code locations, 4 x-refs from 43EAE7 to 43ECEE & 4 x-refs from 440429 to 440767; this represents a very small amount of code spatially and provides little difficulty for analysis.

The first check is made in a loop over words 0-4, which are compared against explicit values that make up the string 'CPSWIN-STD'; if this does not match, newer Sentinel access routines linked into the main program are used instead to try to access developer ID 0xFFCB. Assuming words 0-4 matched, word 3Fh is checked next against the explicit value 5460h. The program then proceeds to check words Fh & 10h against 2020h, word Ah against 3631h & word Bh against 3237h; the reads are actually performed in the order Fh, Ah, 10h & Bh, perhaps to try to separate the reads from the return-checking logic. Assuming all these checks pass we are free of the protection and can run the application.

Word Position   Known Value
0               5043h 'CP'
1               5753h 'SW'
2               4E49h 'IN'
3               532Dh '-S'
4               4454h 'TD'
A               3631h
B               3237h
F               2020h
10h             2020h
3Fh             5460h




© 1998-2007 CrackZ. 12th July 2007.