  #1  
Old 04-03-2008, 11:08 PM
vernon vernon is offline
Senior Member
 
Join Date: Dec 2007
Posts: 50
Overwrite password for SSPro DevID=3B38

Does anyone here happen to know the two overwrite passwords for the Sentinel SuperPro dongle with DEVID=3B38? I wish to play around with this dongle by reprogramming it and use it to test my program before contacting Rainbow. I understand that for me to be able to use the enhanced algo, I need to define cell06.

I tried to bruteforce it, but I have calculated that it will take me 97 years to do it.

Thanks for your help.
  #2  
Old 04-04-2008, 01:43 AM
benito benito is offline
Senior Member
 
Join Date: Jul 2007
Posts: 685

Quote:
Originally Posted by vernon
Does anyone here happen to know the two overwrite passwords for the Sentinel SuperPro dongle with DEVID=3B38? I wish to play around with this dongle by reprogramming it and use it to test my program before contacting Rainbow. I understand that for me to be able to use the enhanced algo, I need to define cell06.

I tried to bruteforce it, but I have calculated that it will take me 97 years to do it.

Thanks for your help.
Hi, may I know how you tried to bruteforce it?
In my case I catch OP1,2 with Toro's monitor, but it is specific to each software distribution.
  #3  
Old 04-04-2008, 08:23 AM
vernon vernon is offline
Senior Member
 
Join Date: Dec 2007
Posts: 50

Quote:
Originally Posted by benito
Hi, may I know how you tried to bruteforce it?
In my case I catch OP1,2 with Toro's monitor, but it is specific to each software distribution.
Hmm.. how could Toro's monitor be able to catch the contents of those cells? As I know, cells 02 to 07 are non-readable; that is why the WPs have to be bruteforced or calculated, and cell06 calculated along with the algo descriptors.

As for my procedure.. I was able to download the triple-9 software, which records actions done during a record session and writes a macro for a later run. I made some modifications and used the tool from SafeNet (sproEval2) for testing the dongle.

Do you have a dongle with devID=3b38? If you do.. could you please share OP1 and OP2? Thanks.

Last edited by vernon : 04-30-2008 at 08:33 PM.
  #4  
Old 04-04-2008, 09:10 AM
Git Git is offline
Super Moderator
 
Join Date: Oct 2007
Location: Torino
Posts: 1,797

Dump the dongle with the PVA3.3 dumper. Solve it with Dmp2SSP, which will give you C6 and the Algo parameters. Choose an emulator - Vusb is good. Use UniDmpToReg1.15b to convert the SSP file to a "Chingachguk & Denger2k" Vusb Registry file. Search on this forum how to correct the file (it writes 16-bit Words rather than 2 8-bit Bytes). Before importing the reg file into the registry and starting the emulator, you can edit it to make OWP1 and OWP2 whatever you want. The Memory or sntMemory section of the reg file represents the 64 cells of the dongle, 0 to 63.

Cell 0 = Dongle Serial number
Cell 1 = Developer ID
Cell 2 = Overwrite Password 1
Cell 3 = Overwrite Password 2
Cell 4 = Write Password
Cell 5 = Hard License Limit
Cell 6 = C6
Cell 7 = not usually used

Each cell value is a 16-bit Word and is recorded in reverse byte order as LSB, MSB.

I would change WP, OWP1 and OWP2 to something arbitrary and then use SproEval2 to play with the emulator as if it were the dongle - it should act identically.

As for finding the real OWP1 & OWP2, you may be lucky. If they are used by the program then you may find them by monitoring dongle communications or by reversing the application in IDA, applying the Sentinel Sig, looking for function names that use OWPs and seeing if the OWP1 & OWP2 parameters are there being pushed on the stack. If they are not, put a breakpoint on the Sentinel function and look at the stack. But beware - most programs don't use any of the OWP-protected functions, and those that do often obfuscate the values in upgrade license files or similar.

Another way you may be able to retrieve them is by bruteforce overwriting a couple of dongle cells that (hopefully) don't matter (or record the values and put them back after the bruteforce). It will take a while.

Git

Last edited by Git : 04-04-2008 at 09:13 AM. Reason: added info
  #5  
Old 04-04-2008, 12:14 PM
zhjd zhjd is offline
Member
 
Join Date: Jan 2008
Posts: 14
to Git

Quote:
Originally Posted by Git
Cell 0 = Dongle Serial number
Cell 1 = Developer ID
Cell 2 = Overwrite Password 1
Cell 3 = Overwrite Password 2
Cell 4 = Write Password
Cell 5 = Hard License Limit
Cell 6 = C6
Cell 7 = not usually used
I'm making a copy dongle. I've passed the developer ID check, and I've written the same data as the original dongle, but the software does not work. I think the software must check cell 6 (C6), but I don't know how to patch it until now.
Quote:
Originally Posted by Git
If they are used by the program then you may find them by monitoring dongle communications or by reversing the application in IDA, applying the Sentinel Sig, looking for function names that use OWPs and seeing if the OWP1 & OWP2 parameters are there being pushed on the stack. If they are not, put a breakpoint on the Sentinel function and look at the stack. But beware - most programs don't use any of the OWP-protected functions, and those that do often obfuscate the values in upgrade license files or similar.
I'm interested in your method, but I don't know how to use the Sig file, how to find the API, or how to put a breakpoint on the Sentinel function. Can you make a tutorial about what you told us above? Thanks.
Quote:
Originally Posted by Git
Another way you may be able to retrieve them is by bruteforce overwriting a couple of dongle cells that (hopefully) don't matter (or record the values and put them back after the bruteforce). It will take a while.
It will take a looong looong time, I've tried.

BTW, forgive my English.
  #6  
Old 04-07-2008, 01:58 AM
vernon vernon is offline
Senior Member
 
Join Date: Dec 2007
Posts: 50
Problem Solved

The application this dongle was originally used with did not use the enhanced algo. I was able to write to cell10h and cell11h to define the algo descriptors and gave them an access code of 3. I then used the PVA dumper to dump the algo on cell 10h, then used f1_nodongle shared by CEngineer to solve the contents of cell10h, cell11h and cell06h.

Can't we use the same method in solving cell02h and cell03h?

I mean, we try to reprogram rnbosproquery to use cell02 or cell03 instead of cell06?

To zhjd: I wasn't able to work on your problem because I can't install your program on my machine. But I think your problem can easily be solved by using IDA and any good hex editor, then patching your program to look for the same dongle number. Knowing the OPs won't help you edit a dng file. Or better yet, use Vusb... although I haven't tried it myself.. they claim that this emu will be able to simultaneously emulate dongles with the same devID.

Last edited by vernon : 04-07-2008 at 02:12 AM. Reason: msg for zhjd
  #7  
Old 04-07-2008, 07:50 AM
Git Git is offline
Super Moderator
 
Join Date: Oct 2007
Location: Torino
Posts: 1,797

> Can't we use the same method in solving cell02h and cell03h?

No, cells 0 to 7 are reserved and cannot contain algos. The driver would return an SP_INVALID_MEMORY_ADDRESS error if you tried.

> they claim that this emu will be able to simultaneously
> emulate dongles with the same devID.

Do they? I don't think so. It can certainly emulate many dongles at once, but not two with the same DevID because they would both need the same registry entry name.

Later... having thought about this I may be wrong. I'll have a look at the source.

Git

Last edited by Git : 04-07-2008 at 08:26 AM. Reason: possible error
  #8  
Old 04-07-2008, 11:03 AM
gamebit0 gamebit0 is offline
Senior Member
 
Join Date: Mar 2007
Posts: 98

Quote:
Originally Posted by vernon
Can't we use the same method in solving cell02h and cell03h?
Sometimes (rarely) cell2 can respond as a key algo.
Quote:
they claim that this emu will be able to simultaneously emulate dongles with the same devID.
Yes, it's possible with the ru-board Vusb & safe-key emus.
  #9  
Old 04-07-2008, 09:53 PM
vernon vernon is offline
Senior Member
 
Join Date: Dec 2007
Posts: 50

Thanks to all.

I didn't say that we put an algo on cell02h. What I want to try and do is use cell02h as a replacement for the seed instead of cell06h. For example, we have an algo on cell10h and cell11h.. by default, the driver will generate a response to a query based on cell06h as the seed code. Instead of using cells 10h, 11h and 06h to respond to sproquery.. we use cell02h as the seed and then after that cell03h.

I hope what I am saying makes sense.

P.S. After trying the following dumpers: pva3.3, dumper1.4m / 1.5m used by neo-bit, and edge solver, I was amazed that the neo-bit people are able to calculate algos with just 50 query-response pairs, as against pva3.3 with 1024, and the worst is edge.

Last edited by vernon : 04-07-2008 at 09:58 PM.
  #10  
Old 04-08-2008, 04:01 AM
benito benito is offline
Senior Member
 
Join Date: Jul 2007
Posts: 685

Quote:
Originally Posted by vernon
Hmm.. how could Toro's monitor be able to read those cells? As I know, cells 03 to 07 are non-readable; that is why the WPs have to be bruteforced.

As for my procedure.. I was able to download the triple-9 software, which records actions done during a record session and writes a macro for a later run. I made some modifications and used the tool from safekey for testing the dongle.

Do you have a dongle with devID=3b38? If you do.. could you please share OP1 and OP2? Thanks.
Toro's monitor doesn't read anything; it is not a dumper. It just catches the communication between the dongle and the protected application. Sometimes also (when used) OP1, OP2.
Powered by vBulletin® Version 3.6.4
Copyright ©2000 - 2021, Jelsoft Enterprises Ltd.