#1 bbpigpig (Junior Member), 05-17-2010, 10:26 AM

All,

I have read this forum for some time. At first, I simply wanted a dongle emulator to do the job,

but later on I found that almost everyone was saying that SHK cannot be broken ....

Of course it is, based on my limited programming skills (I can just write some command-prompt C++, PHP, VBA);

SoftICE and IDA are just at a kindergarten level.

OK, after enough BS, here is my experience, just done today.

I have a piece of software that uses Sentinel Pro. I have the real dongle, but I am stupid enough not to be able to clone it anyway ..

Just so lucky that the newer software uses SHK.
I open IDA again and see it.
Very simple to see a SFNTGetLicense.

Double-click twice (depends) and go back to where this fn is called... see the line below,

mov edx, offset aCannotFindAVal ; "Cannot find a lock."

OK OK, above it you can see
CODE:007698B3 mov esi, eax
CODE:007698B5 test esi, esi
CODE:007698B7 jz short loc_769900

Actually, I don't know if it is a jump or not ..
by my limited knowledge ..
jz changed to jnz, 74 -> 75
Similar to do for
"Query key failed"
and another message;
the program can finally open ....

BUT !!! ...
After several minutes, the program closed suddenly.

It is the same as when I use a real dongle while using the software and unplug it.

So now I am working on another line to see what's wrong. ..

Hope this could help somebody, with luck, that the sw he wants is as weak as mine..

Double-click, then go back to the fn that calls it

[ Please DO NOT reply to yourself. If you have information to add to your post then use the Edit button ]


Finally,
after lots of trial and improvement..
I figured out something to share.

The program can be run, seems OK for the first 90 seconds; after that, it closes.

So I try to find "settimer" in the program..
Before that sentence, there are a few jumps (jz) pointing to the same location (after settimer).

So I think I may bypass the "enable of timer" by forcing the jz to jnz
(again, I don't know what code is for jmp, so I simply reverse the code from 74 to 75 or vice versa ...)

Now the program looks OK.

I will try it tomorrow for the whole day, see if something is wrong..

So far:
I changed 6 jz to JNZ, then the program is OK,
by using IDA free
and Hex Edit (freeware as well).

Very lovely.
^^

My procedure:
find the program
no need for dongle.
use IDA to open it (wait for an hour)
in the "Names" window, find SFNTGetLicense
go back to the fn that called it,
find something like "test esi esi" before the "dongle not found" message
reverse the jz <> jnz

do similar for SFNTQueryFeature, SFNTREADString

then found "settimer"
look up a few lines (in my case ..)
see killtimer
below with a few lines
CODE:0043D9C5 call KillTimer
CODE:0043D9CA mov esi, [ebx+30h]
CODE:0043D9CD test esi, esi
CODE:0043D9CF jz short loc_43DA11
CODE:0043D9D1 cmp byte ptr [ebx+40h], 0
CODE:0043D9D5 jz short loc_43DA11
CODE:0043D9D7 cmp word ptr [ebx+3Ah], 0
CODE:0043D9DC jz short loc_43DA11
CODE:0043D9DE push 0 ; lpTimerFunc
CODE:0043D9E0 push esi ; uElapse
CODE:0043D9E1 push 1 ; nIDEvent
CODE:0043D9E3 mov eax, [ebx+34h]
CODE:0043D9E6 push eax ; hWnd
CODE:0043D9E7 call SetTimer ;
CODE:0043D9EC test eax, eax

I simply changed the line in bold to jnz.

Lots of trials in there.
Everyone, you may find this useful.
Hope this would help ~

Last edited by Git : 05-17-2010 at 01:48 PM.
#2 besoeso (Senior Member), 05-17-2010, 12:53 PM

@bbpigpig

Thank you for sharing your experience here.

I will test your procedure. I have two pieces of software with SHK protection.

I did get one working at 99%.
#3 Git (Super Moderator, Torino), 05-17-2010, 01:50 PM

Nobody has said we can't crack SHK. It entirely depends on how the developer has implemented it. It can be anything from simple to almost impossible.

What we HAVE said on many occasions is that there is no free emulator.

Git
#4 bbpigpig (Junior Member), 05-17-2010, 02:13 PM

As I have searched the forum a few times,
I know most of the answers out there were "no free emul."

So, I go back to where we are: reverse it!

And from the tutorial I read from Woodmann,
the weakest part, most of the time, comes from the implementation.

So, that is why I try to do the crack myself.

To be honest, I had no experience before, and this is the first time I have done it successfully.

Hope everybody else finds this helpful to crack your own software.
#5 benito (Senior Member), 05-17-2010, 02:17 PM

Funny on this topic is that the author thinks that bypassing one simple API is 50% of the SHK protection.
#6 besoeso (Senior Member), 05-19-2010, 02:22 PM

My experience:

I only needed to patch one instruction in SFNTGetLicense.
Four instructions for full options and to skip the protocol connection error message.

Now working with full options + no dongle.
#7 bbpigpig (Junior Member), 05-19-2010, 02:39 PM

Maybe I didn't stop it from querying ..
so even if I stop it from quitting due to "fail getlicence",
I still need to do similar for SFNTQueryFeature, SFNTREADString.

Strange .. anyway, it was my first time; so far these days, the sw runs great ....

Beyond that, the sw I use has an older version (but still worth using) using Sentinel Pro (not any newer).

I just changed one byte, then it became dongle free!

So far I got
1 sw in SHK
4 sw in Sentinel Pro,
all using IDA Pro Free + Hexedit only, no real dongle needed.
#8 md.ashik (Member), 05-19-2010, 02:53 PM

Help me sir, my dongle is a SafeNet Sentinel Hardware Key (SHK).

I need a backup of my software. I tried IDA but failed.

md.ashik
edithome@yahoo.com
#9 bgptlmzyh (Member), 06-03-2010, 06:37 AM: help me too!

Help me sir, my email: bgptlmzyl@hotmail.com

I also have a soft protected by SHK. I use IDA and hexedit, but without success. Thanks!
#10 besoeso (Senior Member), 06-03-2010, 07:12 AM

@bgptlmzyh

Upload your installer to rapidshare.