
eXeL@B › WorldWide › Please help me with this Sentinel protection before I get crazy!

Rank: 5.7 (guest)
Activity: 0=0
Status: Member

Posted: 31 March 2009 06:30
Post #1

Hi all,

I'm dealing with a Sentinel protected target.
On a previous version of the target, trivial patching succeeded: it was only a matter of finding a "Key not found" string, which was shown in a message box, and jumping over it. THAT easy. It was right next to SproFindFirstUnit.

Now the API seems to be applied in a better way: the "Key not found" message is not in the strings, and next to SproFindFirstUnit nothing related to it seems to appear.

This time the "Key not found" message is not in the strings, so I bet they encrypted it somehow, so I can't know for sure where in the code it is being shown. I mean, if I BP MessageBoxA I get somewhere, but tracing back is very difficult because the program loads many modules, so I can't know for sure which one originates the call; for example, the one I think does it does not have any dongle code inside :S

I did some patching inside sproRead and got rid of the "Key not found" message, and the program starts, but there are no toolbars, so the program can't be used. I think they are reading some address or something from the dongle to show them, but there are no CMPs around, and I'm not good at analysing ALL the code. I understand parts of it, but not all.

Another approach was to use an existing dongle emulator and experiment with cell values during the trace. The vendor ID is 2212h. I filled the cells with ABCDEFGHIJK... etc. and found out that during the analysis of sproRead, cell #25 was being read. I understood that first by analysing the dump, and then by a push 19h before sproRead.

By experimenting with various values I got rid of the "Key not found" message with no patching (Yee-haw!), but now it says "Please register application with serial number A70GP00000A". A70GP00000A is the serial number I used when installing the app, so it's basically telling me to register using the serial I already used (no good). I patched this away by returning eax=1 in the previous call.

What I can't "tame" yet is how to get the toolbars to appear (the most important thing).
I think sproRead is not scaring me now; what is scaring me is sproQuery, because right before returning from it I get a cmp [eax], [ecx] with eax and esi being completely different values (1abff39d for eax and d1927dda for ecx). If I patch the previous pushes to push eax both times, the program crashes. I tried with push ecx both times as well, but it crashes too, so it seems neither of the values in the cmp is correct. But maybe I'm not analysing the right spot. This is driving me crazy; I have dedicated about 25 hours total to this target and I'm sooo frustrated that I cannot get it working.

I read many tutorials, including a very nice and big one from Shub-nigurrath, which is very clear, and I follow everything in there; I just can't find out how to know what the application is expecting from the dongle. I know it is no easy task, though... but maybe someone can point me in the right direction...

There's one thing in the tutorial that I can't get...
In sproQuery there are two hardcoded values: cb93c50d at 4776fd and dbadfa6d at 477705... are they the seed value? I assume they are specific to the target in the tutorial...

Heeeeelp!!

Marton
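The poster's most reliable clue above was mechanical: a literal `push 19h` immediately before the call to `sproRead` told him which cell (25) was being read. The script below, an added example that is not part of the original post or of any Sentinel tooling, does that bookkeeping over a saved disassembly or run-trace listing: it finds every CALL whose target name matches the dongle API names mentioned in the thread, walks back over the PUSH instructions that set up its arguments, and reports which arguments were pushed as literals. Assumptions: the listing format (address, mnemonic, operands; the OllyDbg opcode-byte column is omitted), the API name strings, the rule that the PUSH nearest the CALL is argument 0 (true for stdcall and cdecl), and the sample listing itself, which is constructed and does not come from the poster's target.

```python
import re
from dataclasses import dataclass

# One line of a constructed, OllyDbg-style listing: "<8-hex-digit address>  <mnemonic> <operands>".
# The opcode-bytes column of a real OllyDbg dump is omitted here (assumption for the example);
# widen the regex if your log carries it.
LINE_RE = re.compile(r"^\s*([0-9A-Fa-f]{8})\s+([A-Za-z]+)\s*(.*?)\s*$")
# Immediates as OllyDbg prints them (bare hex) or as "0x19" / "19h".
IMM_RE = re.compile(r"^(?:0x)?([0-9A-Fa-f]+)h?$")
REGISTERS = {"EAX", "EBX", "ECX", "EDX", "ESI", "EDI", "EBP", "ESP"}
# Walking backwards past one of these means we have left the argument set-up of our CALL.
STOP_MNEMONICS = {"CALL", "RET", "RETN", "JMP"}


@dataclass
class ApiCall:
    call_addr: int
    api: str
    args: list  # PUSH operands in argument order: the PUSH nearest the CALL is argument 0

    def immediates(self):
        """(argument index, value) for every argument that was pushed as a literal."""
        out = []
        for idx, op in enumerate(self.args):
            op = op.strip()
            if op.upper() in REGISTERS:
                continue  # register operand: value unknown from the listing alone
            m = IMM_RE.match(op)
            if m:
                out.append((idx, int(m.group(1), 16)))
        return out


def parse_listing(lines):
    """Return (address, MNEMONIC, operands) for every line that looks like an instruction."""
    instrs = []
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            instrs.append((int(m.group(1), 16), m.group(2).upper(), m.group(3)))
    return instrs


def find_api_calls(lines, api_names=("sproRead", "sproQuery", "SproFindFirstUnit"),
                   max_lookback=12):
    """Locate CALLs to the named APIs and collect the PUSHes that feed them."""
    instrs = parse_listing(lines)
    calls = []
    for i, (addr, mnem, ops) in enumerate(instrs):
        if mnem != "CALL":
            continue
        api = next((n for n in api_names if n.lower() in ops.lower()), None)
        if api is None:
            continue
        args = []
        # Walk back at most max_lookback instructions; MOV/LEA between PUSHes are skipped,
        # a previous CALL or a branch ends the argument set-up.
        for j in range(i - 1, max(i - 1 - max_lookback, -1), -1):
            _, prev_mnem, prev_ops = instrs[j]
            if prev_mnem in STOP_MNEMONICS or prev_mnem.startswith("J"):
                break
            if prev_mnem == "PUSH":
                args.append(prev_ops)
        calls.append(ApiCall(addr, api, args))
    return calls


# Constructed sample listing (not from the poster's target); addresses and operands are made up.
# The sproRead call mirrors the thread's "push 19h before sproRead" observation.
SAMPLE_LISTING = """\
00401000  MOV EAX,DWORD PTR SS:[EBP+8]
00401003  LEA ECX,DWORD PTR SS:[EBP-10]
00401006  PUSH ECX
00401007  PUSH 19
00401009  PUSH EAX
0040100A  CALL <target.sproRead>
0040100F  TEST EAX,EAX
00401011  JNZ SHORT 00401060
00401013  PUSH 8
00401015  PUSH EDX
00401016  PUSH ECX
00401017  MOV ESI,DWORD PTR SS:[EBP-20]
0040101A  PUSH ESI
0040101B  PUSH 1B
0040101D  PUSH EAX
0040101E  CALL <target.sproQuery>
"""

if __name__ == "__main__":
    for c in find_api_calls(SAMPLE_LISTING.splitlines()):
        lits = ", ".join(f"arg{i}=0x{v:X} ({v})" for i, v in c.immediates())
        print(f"{c.call_addr:08X}  {c.api:<18} args={c.args}  literals: {lits}")
```

For the sample, the `sproRead` call reports `arg1=0x19 (25)`, which is the reasoning the poster did by hand. Two caveats for real listings: only values pushed as literals are visible (values assembled into a buffer with MOV, like the hardcoded DWORDs the poster saw inside sproQuery, never appear as PUSH operands), and which argument index is the cell address depends on the library's own prototype, which this script does not assert.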



Rank: 397.0 (sage), 179thx
Activity: 0.170.1
Status: Member

Posted: 31 March 2009 16:17
Post #2

We can talk about the target if you are ready to pay for the solutions ;)

-----
...either you work well, or you work a lot...




Rank: 5.7 (guest)
Activity: 0=0
Status: Member

Posted: 31 March 2009 19:57
Post #3

My solution would be to learn how to solve it ;)

