Reverse Engineering Team Board

Reverse Engineering Team Board (http://www.reteam.org/board/index.php)
-   Reverse Code Engineering (http://www.reteam.org/board/forumdisplay.php?f=23)
-   -   Sentinel vUSB Emulator How-To (http://www.reteam.org/board/showthread.php?t=662)

bbk 09-23-2010 05:25 PM

@aarima

REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Servic es\ru-board\mulators\Dump\1C090000]
"Type"=dword:00000000
"DongleType"=dword:00000003
"Name"="Dump 1C09"
"CellType"=hex:\
01,01,03,03,03,03,03,03,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
"sntMemory"=hex:\
81,04,09,1C,00,00,00,00,08,00,00,00,00,00,00,00,\
FF,FF,FF,FF,FF,FF,FF,FF,FF,FF,FF,FF,FC,FF,FC,FF,\
FC,FF,FC,FF,FC,FF,00,FF,FC,FF,FF,FF,FF,FF,FF,FF,\
FA,FF,FF,FF,F8,FF,FF,FF,FF,FF,FE,FF,FF,FF,FF,FF,\
FF,FF,07,00,FF,FF,FF,FF,FF,FF,FF,FF,FF,FF,FE,FD,\
FF,FF,FF,FF,FF,FF,FF,FF,FF,FF,FF,FF,FF,FF,FF,FF,\
FF,FF,FF,FF,FF,FF,FF,FF,FF,FF,FF,FF,FF,FF,FF,FF,\
FF,FF,FF,FF,FF,FF,FF,FF,FF,FF,FF,FF,FF,FF,FF,FF

aarima 09-24-2010 03:09 PM

SafeNet SENTINEL Emulator
 
I changed my reg file with this still my software not working.

I have compared with TORO_Sentinel_Monitor_v2.01 with dongle connected & without dongle connected screen dump , log file & 1c09.reg which I am using with vusbus attached in a link as under for your Information:-


1. http://rapidshare.com/files/421031266/Compare.bmp

2. http://rapidshare.com/files/421031267/WITH_DONGLE.txt

3. http://rapidshare.com/files/42103126...OUT_DONGLE.txt

4. http://rapidshare.com/files/421031269/1c09.reg

1933 09-30-2010 11:04 AM

Sorry but i am a noob. i got sentimul2007 running on XP great. now i want to emulate sentinel safenet pro ultra on win 7 x64. i create a dmp file from my png created for my old windows. but i cant create the reg file. anybody can help?

hp3 10-06-2010 05:32 PM

hi
 
i have two dng file for one software and work fine , but Any dng active Different option in the my software
i convert 2 dng to reg and emul it and work good

i want to merge 2 reg or dng for work option 2 dongle with Together one time
Difference betwen reg file is in the sntMemory"=hex:\

this program have many option i thing with change in the sntMemory active all option

if can please help me
or
Explain a little about sntMemory
thanks

yogi_saw 10-06-2010 10:58 PM

@hp3
snt memory contains memory of dongle made of 2 bytes against each cell stored in intells format
0 to 6 are resrved cells
0 = serial no
1 = dev. Id
2 = owp1
3 = owp2
4 = wp
5 = hard limit
6 = cell 6 for solving algos
7 = resevered
8 ahead is used by programme
this is the format of cell type

u will hav to add any letter infront of ur devid in reg to make other dongle for same dongle to work see manual for mk

SonofabiT 10-06-2010 11:58 PM

Quote:

Originally Posted by hp3 (Post 23753)
this program have many option i this with change in the sntMemory active all option

@hp3 - Show to us these dng...If the installer not to big then upload it... May be several members will try it...

daviddwilson 10-08-2010 05:57 PM

Quote:

Originally Posted by aasa (Post 5547)
This is a informative/practical post.
I did successfully emulate one of my dongles.
I have a question about the sentinel API_Decrement. Any idea about how it works between dongle and the software? Is it possible for vUSB emulator to respond to the software to execute a decrement?

Anything that writes to the dongle like SPROWrite, SPROOverWrite, SPRODecrement, has only a temporary effect. The Write is done to the copy of the dongle in memory but as soon as you reboot or reload the driver that write is lost.

BfoX 10-09-2010 12:50 AM

@daviddwilson: he not hold anything that writes to the dongle like SPROWrite, SPROOverWrite, SPRODecrement in the registry...

burhanuddinmna 10-09-2010 11:07 AM

I Don Successfully With Your Instructions
 
Hi!, I Done Sentinel Superpro Dongle Emulator With Your Instructions, And My Software Works Successfully Without Asking Dongle.

Thanks

kb0118 10-11-2010 06:54 PM

I have a safenet usb sentinel dongle that I would like to emulate. I have been reading this thread and trying to understand how to emulate my dongle for a few weeks now. Since I am still unsure and getting tired of downloading files to my computer, only to be disappointed it didn't work. I am sure since I am a noobie, I am doing something wrong.
I was wondering if someone would kindly walk me through this - one step at a time, or recommend an emulator with a working link... that will actually work. My device manager says superpro/ultrapro, I am unsure which it is.
Some files I have downloaded and tried include, Edgespro, Edgesprofix, ssunshl, spuica, superpro_reader, safekeysentinel, sentinel_vusb_emulator, Multikey_.17_32bit

I know everyone here has put a lot of work and time into this post, and probably not cool for me to just want someone to help, but it really would be so much appreciated!

robin1044 10-11-2010 10:34 PM

Quote:

Originally Posted by kb0118 (Post 23836)
Some files I have downloaded and tried include, Edgespro, Edgesprofix, ssunshl, spuica, superpro_reader, safekeysentinel, sentinel_vusb_emulator, Multikey_.17_32bit

Tools Collectioner ? :)

Find PVA3.3 and make a dump - Needed for Emulation
Find Toro sentinel Monitor and make a log - For dongle type detection

kb0118 10-14-2010 06:33 PM

I know, embarrassing!

When I use PVA3.3, it says it is done, but never gives me a file. If it does make one, I have no idea where it is located?
I'm guessing I need the dump to make the Toro Sentinel Monitor log.

Thanks sooo much for helping.

yogi_saw 10-14-2010 10:55 PM

R u sure ur dongle is sentinel superpro? Chk with dongle identifying utils.
Btw pva makes dump in the same folder...

pivasik 10-15-2010 03:14 AM

You must extract dumper first, then execute. Don't start it from archive.

kb0118 10-19-2010 09:56 PM

pivasik was right, that I needed to extract first.

But a BIG uhhhh ohhhhhh. I plug in my dongle to work with the program, and it doesn't work now!! What in the world can I do?????

yogi_saw 10-19-2010 10:38 PM

Oh my god what model the dongle is? didnt u unchecked bruteforce wp?

robin1044 10-19-2010 11:43 PM

Quote:

Originally Posted by kb0118 (Post 23876)
I know, embarrassing!
When I use PVA3.3, it says it is done, but never gives me a file.

Quote:

Originally Posted by kb0118 (Post 23957)
pivasik was right, that I needed to extract first.

In the earlier post there was no Password Counter present.
Try your dongle on a fresh PC.

If possible, upload the source.

pivasik 10-20-2010 04:48 AM

Finally, v3.3 is old enough. Use the latest dumpers which have WP bruteforce disabled by default. Most of them have the same or similar format. So, if you understand what you do you can easily convert it to v3.3 and solve with the public tools.

yogi_saw 10-20-2010 06:33 AM

@kb0118 safedump is the good, it checks if password counter is present and inform u accordingly...
@pivasik btw pva3.3 is one of the best and widely used tool to dump sentinel:), I wonder if u r going to release new dumper which supports superpro xm/ultrapro with higher memory:rolleyes:
waiting for nice release pivasik...and thanks for pva3.3
btw I want to see source for pva....can u pls link me?:)

pivasik 10-20-2010 07:54 AM

Updated dumpers owned by n*.biz team. So, you may download them there. But they don't have a GUI, console only. Qt GUIded dumpers were released as well (Win, Unix), but their size was few Mbs each. So, they didn't put to public.
PVA v3.3 sources has been released on the cracklab website about year ago.

yogi_saw 10-20-2010 08:47 AM

Thanks for the info, I had source for pva 3.3 but like a lazy guy forgot to take backup...thanks

kb0118 10-20-2010 12:29 PM

Quote:

Oh my god what model the dongle is? didnt u unchecked bruteforce wp?
Says UltaPro, that is all I can find. Toro doesn't give any info. I cannot find any programs that will give me the info.

I accidentally did not un-check bruteforce and tried to exit, opps. The program does work on other compters, thankfully.

yogi_saw 10-20-2010 09:17 PM

Use ssumd from mk 18.2.4 to dump log with toro monitor this mk support ultrapro but not for x64

burhanuddinmna 10-23-2010 07:47 AM

Done Successfully
 
I Done Successfuly With Your Instructions,
Very Very Thanks

SonofabiT 10-23-2010 11:00 AM

Quote:

Originally Posted by pivasik (Post 23970)
So, if you understand what you do you can easily convert it to v3.3 and solve with the public tools.

I understand if we deal with an old sspro which contains 64 cell & there is not AESTunnel Capabilities in the dongle. Converting an output of nodongle's supapi v4.1 to PVA 3.3 could be done by hand with the help of HexEditor. Later, let f1_nodongle solver finished it & the public emulator emulate it. Ideally, typical sentmon 2.01b's log of both "real dongle" & "emulator" is not too differs. The different is only for those who want to emulate the LPT type based on virtual usb. Dealing with GetKeyType API, Toro sentmon2.01 will record the real dongle as SSP LPT & the vusbbus emul as SSP USB. Okey! This is perfect soluton for old sspro 64 cell. Thank you very much to tch2k, Chingachguk & Denger2k for their great works.

One things which make me confuse is if we deal with sspro/ulpro dongle (cell>64, AES Capeabilities). If we rip several bytes then the *dmp would have similar format to pva3.3. Consequently, the impact of converting supapi 4.1 (*.dmp>64) into pva3.3 will guide me into the old solution of 64 cell sspro dongle. In fact, the sspro dongle has more than 64 cell. As i know, when pva3.3 dumps sspro/ulpro (cell>64) then only the first 64 cell would be dumped.

@ Pivasik
1. Is it possible to emulate sspro/ulpro which consists of more than 64 cell based on only the first 64 cell-*dmp data ? :confused:
2. Would you like to upload several sample of supapi-*.dmp files of sspro (aec tunnel capabilities) & ultrapro dongle which has 64, 128, 256, 512, ... cells please ?

Anyway, you may fill these *dmp with fake data.

Another things which make me confuse is that Git's safedump (console based dumper) able to record the sum of sspro cell (64, 128, 256, etc) but this dumper also only dump the first 64 cell memory. It's mean that safedump collect data similar to pva3.3. Most newbies like me who has sspro/ulpro >64 cell have to go back to the old sspro 64 cell solution. However, i realy appreciate that this dumper will checks the password counter & it's solver (dmp2mkey) realy fast running in multi core CPU. Thank's a lot to Git !!

@Git
If i have sspro more than 64 cell, dump it with safedump, solve it with dmp2mkey, emulate with vusub/mkey and emulating impact to the ambiguity results, what should we do ? :confused:
Quote:

@pivasik btw pva3.3 is one of the best and widely used tool to dump sentinel:), I wonder if u r going to release new dumper which supports superpro xm/ultrapro with higher memory:rolleyes:
@ yogi_saw
There were two console based spro/ulpro dumper which able to do it. They are sspro/ulpro dumper by ngoksun(Safenet_dump.exe) & nodonge.biz (spapi.exe). spapi v 4.1 stores more detail info especially in the last 8 bytes of *.dmp file.
Code:

C:\nodongle_biz_dumper>spapi.exe -h
 .......................................................
 * Sentinel SuperPro backup module. Version 4.1 (public)
 * Greetings to chucha66, Dmit, HarmEr, tch2000.

 * Use:
        spapi.exe [-w] devId
                w - Brute write password (WP)
                h - Show help
 .......................................................

Here is a sample .*dmp which has cell=128 (256 bytes) :
Code:

00000000:  01 01 01 01│01 01 01 01│00 00 00 00│00 00 00 00  ☺☺☺☺☺☺☺☺
........:  .. .. .. ..|.. .. .. ..|.. .. .. ..|.. .. .. ..
000000F0:  FF FF FF FF│FF FF FF FF│FF FF FF FF│FF FF FF FF  ************  ************
........:  .. .. .. ..|.. .. .. ..|.. .. .. ..|.. .. .. ..
00000300:  00 00 01 00│00 01 02 06│05 B2 17 7C│00 04          ☺  ☺☻♠♣▓↨| ♦

Unfortunately i don't understand exactly if it is a sspro (aes tunnel capeabilities) or ultrapro type. Let us see & correct me if i make any mistake :
0xF0 - 0xFF : FF...FF --> celltype of reserved cells
0x300 - 0x301 : ?? --> I don't know
0x302 - 0x303 : 0x0100 --> Sum of memory (100h = 256 bytes)
0x306 - 0x309 : GetKeyType ??? --> Imho
0x30A - 0x30D : ?? --> I don't know.

SonofabiT
PS.
I ask about it because as a newbie i realy confuse. Please do not answer me "make your own dumper, solver & emulator". I could not make them.

Git 10-23-2010 01:20 PM

I don't understand "emulating impact to the ambiguity results".

The Secure Tunnel uses AES encryption, not heard of AEC.

Git

kb0118 10-23-2010 02:34 PM

I've got my reg file, if that is correct, what do I do with it now. I also would really love for it to not block my key anymore.

REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\MultiK ey\Dumps\00002212]
"Name"="SSPRO dump without algo!"
"CopyLeft"="(c)Elite"
"DongleType"=dword:00000003
"Type"=dword:00000000
"CellType"=hex:\
01,01,03,03,03,01,03,01,\
03,03,03,03,03,03,03,03,\
03,03,03,03,03,03,03,03,\
00,00,00,00,03,03,03,03,\
00,00,00,02,03,03,03,03,\
03,03,03,03,03,03,03,03,\
03,03,03,03,03,03,03,03,\
03,03,03,03,03,03,03,03

"sntMemory"=hex:\
03,0E,12,22,00,00,00,00,00,00,00,00,00,00,11,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,19,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,C8,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00

pivasik 10-23-2010 03:26 PM

Quote:

Originally Posted by SonofabiT (Post 24030)
@ Pivasik
1. Is it possible to emulate sspro/ulpro which consists of more than 64 cell based on only the first 64 cell-*dmp data ? :confused:
2. Would you like to upload several sample of supapi-*.dmp files of sspro (aec tunnel capabilities) & ultrapro dongle which has 64, 128, 256, 512, ... cells please?

1. It is not possible. AFAIK, spapi is the old version of supapi. The last can dump all available memory and a bit more. Then you may use hexedit to split file into few parts and solve all algos with public tools. Then build the full dump back and use with emulators.
2. Sure, I can't.

yogi_saw 10-23-2010 11:19 PM

@pivasik imho superpro >64 has aes tunnel which available solvers cannot solve so it is not worth to hexedit and solve part of dump then merge back
insted i use ssumd with adding q/a pairs in reg

SonofabiT 10-24-2010 12:16 AM

@kb0118 - Dump your dongle with nodongle's biz 4.1 dumper & SSUMD v1.1. The last version of SSUMD is the one which is packed together with mkey 0.18.2.4. In the SSUMD 1.1, clcik the "Extended mode (save dumping log). Also get log with sentmon2.01. Save the log & the dongleInfo.txt.
Quote:

Originally Posted by Git (Post 24035)
I don't understand "emulating impact to the ambiguity results".

@Git - I mean that the emulator would not work because the real dongle has cell >64 meanwhile safedump & dmp2mkey solve it only the first 64 cell memory. BTW, i have already got an answer from pivasik that "It is not possible."
Quote:

Originally Posted by Git (Post 24035)
The Secure Tunnel uses AES encryption, not heard of AEC.

sorry for my misstype. I have edited it.
Quote:

Originally Posted by pivasik (Post 24040)
2. Sure, I can't.

@pivasik -It's only a sample file isn't it ? The public solution ready in public, doesn't it ? :)

You may fill it with fake data. The important things are these *.dmp realy represent a sspro/ulpro file which has > 64 cell and support AES Tunnel.

anyway, i hope there are many applications which will migrate from Ultrapro to SHK. ;) :D :D

Git 10-24-2010 06:40 AM

I think some confusion is creeping in about sentinel AES. It can (optionally) be used at 2 levels on later dongles. The communications between the dongle and driver can be AES encrypted (so called Secure Tunnel) and also the later dongles can use AES encryption for the Q/R algo. SO there are two distinct (possibly different) AES keys. I say 'optionally' because the developer can choose to use the secure tunnel or not, and can choose the encryption cell algo from simple, enhanced or AES on a cell by cell basis.

No emulator to date has managed to solve both. to my knowledge.

Hasp SRM is worse still, it has THREE distinct different AES keys. 1 for secure dongle/driver communications, 1 for SRM encryption algo and 1 for old HL encryption algo. Current emulators retrieve the comms key, then use table emulation for the two algos.

Git

yogi_saw 10-24-2010 12:34 PM

Ok...so spro/upro does not nesscerily AES enabled by default it is in the hands of protector how to protect...


So...if it is protected with simple or enhanced algo then the trick pvasik has described will work
Then in that case what data will be in reserved cell which is at the end in spro XM? Can we fill it with 0 and will it work?

pivasik 10-24-2010 03:12 PM

It doesn't matter which data in the reserved cells because software can't read them.
AES tunnel is used only when key has AES option enabled.
For the AES cells use table-based emulation.

SonofabiT 10-29-2010 08:23 AM

@All - Well then, What are the differents between an UltraPro dongle and a Sspro family which has AES Tunnel Capeabilities & Password Counter ?

badz 10-30-2010 08:45 AM

Sentemul2007 - Need Help how to remove from my System
 
I may not be in the correct thread, just in case someone can help me uninstall my Sentemul2007 in my system.

From the program message itself, i successfully uninstall the emulator. However, it seems that all the information, registry entries and files added by this program is not totally removed. It is because I noticed that whenever i used my physical dongle/key with the new version of the program i'm using, it always crash and identified the physical key a different key.

Hoping to recieved help from you guys..

Thanks..

yogi_saw 10-31-2010 12:15 PM

@git/pivasik
is the optional use of aes is applied to superpro XM only or ultrapro/shk can also be (optionally) programmed to use aes?

Git 10-31-2010 12:41 PM

Use of AES as cell algorithm and for Secure Tunnel encryption applies to all later SuperPro (so called SuperPro+), all SuperPro XM, and all UltraPro. Put another way, all SSP and ULP except early non-XM SSP.

Git

pfonseca 11-01-2010 03:01 PM

I friend's.
It is possible to upload converter from ssp to reg ver 1.11 and old version for Vusb Emulator?

O lost my disc and my old files, and I like to make a new reg for one of my dongle super pro.

My *.ssp have 64kb, and a can make a new reg that work fine.

Some one can help me?

Regards
Paulo

SonofabiT 11-02-2010 12:49 AM

@ pfonseca - You don't tell us from where your .ssp come from. There are two *.ssp file format deal with sspro dongle reversing.

The first one is a ssp which is generated by glasha's sspro dumper & the second one is a ssp for the use Safekey sspro emulator. If the .ssp come from an old glasha's sspro dumper then you should solve it with public sspro solver. The output of the solver also would have .ssp extension.

Pay attention to the second ssp. As i know that the SSP stand for SafeKey Super Pro file format. This .ssp firstly used by SafeKey emulator to emulate Rainbow superpro dongle. Recently, modern emulator such as vusbbus & multikye use .*reg entries as set data of superpro-emulating. Both the .ssp & .reg basicly is not too differs because they are the output of tch2k's solvers (f1_xxx series).

If you understand the SafeKey Super Pro file format (solver result) & read the sspro Dev Guide then you can convert the .ssp into .reg by your hand.

pfonseca 11-02-2010 09:57 PM

@SonofabiT.

My *.ssp came from a sproread.exe (33.5kb), and make my *.ssp (64.2kb).

I need to find a ssp2reg like my old file to convert direct *.ssp to *.reg like i made on 2009 http://www.2shared.com/file/8i8LxuPf/files_larry.html

I use a "Sentinel_vUSB_Emulator" for my *.reg file and work fine.

Paswword= larry

Can you help me?

Regards


All times are GMT -4. The time now is 02:19 AM.

Powered by vBulletin® Version 3.6.4
Copyright ©2000 - 2020, Jelsoft Enterprises Ltd.