#1
01-14-2013, 08:40 AM
respeto14 (Member; Join Date: Aug 2011; Posts: 20)
Got WP, but where is OWP1 and OWP2?

I have got the Write Password from the following code; the WP is 5DEF (address 004027D6).
But does anyone know about OWP1 and OWP2?

This is the assembly code that I have read.

Code:
.text:004027A0 sub_4027A0      proc near               ; CODE XREF: sub_401010+118p
.text:004027A0
.text:004027A0 var_404         = byte ptr -404h
.text:004027A0
.text:004027A0                 sub     esp, 404h
.text:004027A6                 lea     eax, [esp+404h+var_404]
.text:004027A9                 push    1
.text:004027AB                 push    eax
.text:004027AC                 call    sub_401CC0
.text:004027B1                 add     esp, 8
.text:004027B4                 test    ax, ax
.text:004027B7                 jz      short loc_4027C2
.text:004027B9                 xor     al, al
.text:004027BB                 add     esp, 404h
.text:004027C1                 retn
.text:004027C2 ; ---------------------------------------------------------------------------
.text:004027C2
.text:004027C2 loc_4027C2:                             ; CODE XREF: sub_4027A0+17j
.text:004027C2                 push    ebx
.text:004027C3                 push    3
.text:004027C5                 push    0FA31h
.text:004027CA                 push    8
.text:004027CC                 push    1298h
.text:004027D1                 push    0C6E0h
.text:004027D6                 push    5DEFh
.text:004027DB                 lea     ecx, [esp+420h+var_404]
.text:004027DF                 push    ecx
.text:004027E0                 xor     bl, bl
.text:004027E2                 call    _RNBOsproOverwrite@28 ; RNBOsproOverwrite(x,x,x,x,x,x,x)
.text:004027E7                 test    ax, ax
.text:004027EA                 jnz     short loc_402815
.text:004027EC                 push    3
.text:004027EE                 push    0F0A0h
.text:004027F3                 push    9
.text:004027F5                 push    1298h
.text:004027FA                 push    0C6E0h
.text:004027FF                 push    5DEFh
.text:00402804                 lea     edx, [esp+420h+var_404]
.text:00402808                 push    edx
.text:00402809                 call    _RNBOsproOverwrite@28 ; RNBOsproOverwrite(x,x,x,x,x,x,x)
.text:0040280E                 test    ax, ax
.text:00402811                 jnz     short loc_402815
.text:00402813                 mov     bl, 1
.text:00402815
.text:00402815 loc_402815:                             ; CODE XREF: sub_4027A0+4Aj
.text:00402815                                         ; sub_4027A0+71j
.text:00402815                 push    0
.text:00402817                 push    0
.text:00402819                 lea     eax, [esp+410h+var_404]
.text:0040281D                 push    eax
.text:0040281E                 call    _RNBOsproCleanup@0_9
.text:00402823                 mov     al, bl
.text:00402825                 pop     ebx
.text:00402826                 add     esp, 404h
.text:0040282C                 retn
.text:0040282C sub_4027A0      endp
__________________
Thanks in advance.



Respeto
#2
01-14-2013, 11:26 AM
7777777 (Member; Join Date: Aug 2008; Posts: 12)

You can use a dongle monitor to capture the OWPs in the case the target uses the sproOverwrite function.
#3
01-14-2013, 01:10 PM
BfoX (Senior Member; Join Date: Aug 2007; Posts: 2,231)

OWP2 push 1298h
OWP1 push 0C6E0h
WP push 5DEFh
....
call _RNBOsproOverwrite

just RTFM about sspro api =)
__________________
... Either you work well or you work much ....
#4
01-14-2013, 06:12 PM
Git (Super Moderator; Join Date: Oct 2007; Location: Torino; Posts: 1,797)

SP_STATUS SP_API RNBOsproOverwrite
(
RBP_SPRO_APIPACKET thePacket,
RB_WORD writePassword,
RB_WORD overwritePassword1,
RB_WORD overwritePassword2,
RB_WORD address,
RB_WORD data,
RB_BYTE accessCode
);

As fox says, the last parameter is pushed first.

Code:
.text:004027EC                 push    3               <-  accessCode 
.text:004027EE                 push    0F0A0h       <-  data
.text:004027F3                 push    9               <-  address
.text:004027F5                 push    1298h         <-  overwritePassword2
.text:004027FA                 push    0C6E0h       <-  overwritePassword1
.text:004027FF                 push    5DEFh         <-  writePassword
.text:00402804                 lea     edx, [esp+420h+var_404]
.text:00402808                 push    edx             <-  thePacket
.text:00402809                 call    _RNBOsproOverwrite@28 ; RNBOsproOverwrite(x,x,x,x,x,x,x)
Git
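The mapping Git shows above (stdcall pushes its arguments right to left, so the push nearest the `call` is the first parameter, and the `@28` decoration is the argument-area size in bytes) can be automated over an IDA-style listing. The following script is an added example, not code from the thread or from the Sentinel SDK: the function names `parse_listing`, `ida_immediate`, `stdcall_arg_bytes` and `recover_stdcall_args` are my own, the listing text is copied from respeto14's first post, and the parameter names come from the prototype Git quoted. It resolves register pushes through the preceding `lea`, so `thePacket` is reported as the stack buffer expression rather than `ecx`/`edx`, and it checks that `@28` agrees with seven DWORD parameters before trusting the mapping.

```python
import re

# Parameter names of RNBOsproOverwrite in declaration order, as given in the
# prototype quoted in the thread.
RNBO_SPRO_OVERWRITE_PARAMS = [
    "thePacket", "writePassword", "overwritePassword1",
    "overwritePassword2", "address", "data", "accessCode",
]

# IDA listing copied from the thread (both call sites inside sub_4027A0).
SAMPLE_LISTING = """\
.text:004027C2                 push    ebx
.text:004027C3                 push    3
.text:004027C5                 push    0FA31h
.text:004027CA                 push    8
.text:004027CC                 push    1298h
.text:004027D1                 push    0C6E0h
.text:004027D6                 push    5DEFh
.text:004027DB                 lea     ecx, [esp+420h+var_404]
.text:004027DF                 push    ecx
.text:004027E0                 xor     bl, bl
.text:004027E2                 call    _RNBOsproOverwrite@28 ; RNBOsproOverwrite(x,x,x,x,x,x,x)
.text:004027E7                 test    ax, ax
.text:004027EA                 jnz     short loc_402815
.text:004027EC                 push    3
.text:004027EE                 push    0F0A0h
.text:004027F3                 push    9
.text:004027F5                 push    1298h
.text:004027FA                 push    0C6E0h
.text:004027FF                 push    5DEFh
.text:00402804                 lea     edx, [esp+420h+var_404]
.text:00402808                 push    edx
.text:00402809                 call    _RNBOsproOverwrite@28 ; RNBOsproOverwrite(x,x,x,x,x,x,x)
"""

LINE_RE = re.compile(
    r"^\.text:(?P<addr>[0-9A-Fa-f]{8})\s+(?P<mnem>\w+)\s*(?P<ops>[^;]*?)\s*(?:;.*)?$")
REGS = {"eax", "ebx", "ecx", "edx", "esi", "edi", "ebp", "esp",
        "ax", "bx", "cx", "dx", "si", "di", "bp", "sp",
        "al", "bl", "cl", "dl", "ah", "bh", "ch", "dh"}


def parse_listing(text):
    """Return [(address, mnemonic, operands)] for every instruction line."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            out.append((int(m["addr"], 16), m["mnem"].lower(), m["ops"].strip()))
    return out


def ida_immediate(tok):
    """Decode an IDA immediate ('0F0A0h', '1298h', '9') to int; None if not one."""
    tok = tok.strip()
    if tok.lower() in REGS:          # 'ah'/'bh' would otherwise look like hex
        return None
    if re.fullmatch(r"0?[0-9A-Fa-f]+h", tok):
        return int(tok[:-1], 16)
    if re.fullmatch(r"[0-9]+", tok):
        return int(tok)
    return None


def stdcall_arg_bytes(symbol):
    """Bytes of arguments encoded in a decorated stdcall name (_f@28 -> 28)."""
    m = re.search(r"@(\d+)$", symbol)
    return int(m.group(1)) if m else None


def recover_stdcall_args(listing_text, callee, params, call_addr=None):
    """Map the pushes preceding `call callee` onto the named parameters.

    stdcall pushes right to left, so the push nearest the call is the first
    parameter.  A register push is resolved through the most recent lea/mov
    into that register, so `lea edx, [...]; push edx` yields the expression.
    """
    insns = parse_listing(listing_text)
    call_idx = next((i for i, (a, mnem, ops) in enumerate(insns)
                     if mnem == "call" and ops.startswith(callee)
                     and (call_addr is None or a == call_addr)), None)
    if call_idx is None:
        raise ValueError(f"no call to {callee} found")
    nbytes = stdcall_arg_bytes(insns[call_idx][2])
    if nbytes is not None and nbytes != 4 * len(params):
        raise ValueError(f"@{nbytes} does not match {len(params)} DWORD parameters")
    reg_state, pushes = {}, []
    for _, mnem, ops in insns[:call_idx]:
        if mnem in ("lea", "mov"):
            dst, _, src = ops.partition(",")
            reg_state[dst.strip().lower()] = src.strip()
        elif mnem == "push":
            imm = ida_immediate(ops)
            pushes.append(imm if imm is not None else reg_state.get(ops.lower(), ops))
    if len(pushes) < len(params):
        raise ValueError("fewer pushes than parameters before the call")
    args = pushes[-len(params):][::-1]   # nearest push first = first parameter
    return dict(zip(params, args))


if __name__ == "__main__":
    for call_addr in (0x4027E2, 0x402809):
        print(f"call at {call_addr:#010x}")
        args = recover_stdcall_args(SAMPLE_LISTING, "_RNBOsproOverwrite",
                                    RNBO_SPRO_OVERWRITE_PARAMS, call_addr)
        for name, val in args.items():
            print(f"  {name:20s} = " + (f"{val:#06x}" if isinstance(val, int) else val))
```

Taking only the last N pushes before the call is what keeps the callee-saved `push ebx` at 004027C2 from being mistaken for an argument; the `@28` check is a cheap sanity test that the prototype you are mapping against really has the arity the linker decoration records.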
#5
01-14-2013, 07:55 PM
respeto14 (Member; Join Date: Aug 2011; Posts: 20)

OK, thanks all.

We finally got it, after a long time.

But now my problem is that when I try to overwrite a dongle cell above 07 and it has the Password_Counter feature, the return code says 4 (access denied). So is there another way to overwrite the dongle if its counter has been used up (WP counter and OWP counter)? Can the problem be solved if we activate an inactive algorithm (we now have the following values: WP, OWP1, OWP2, algorithm cells at addresses 08, 09)?

I think it has a solution, but I still haven't found it (still searching). Or is it not possible (if we have a dongle and the counter is up, do we throw it away)?

Any answer would be greatly appreciated.
#6
01-15-2013, 12:15 AM
kjms (Senior Member; Join Date: Aug 2009; Posts: 336)

@respeto14 & jabrix, check this reg; maybe it works!
Code:
REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Multikey\Dumps\0000D9DA]
"Name"="Sentinel SuperPro D9DA"
"Copyright"="Kjms"
"Created"="Tue Jan 15 10:10:34 2013"
"DongleType"=dword:00000003
"Type"=dword:00000001
"Option"=hex:02,00,03,80,7F,00,00,00
"CellType"=hex:\
01,01,03,03,03,01,03,01,\
03,03,00,00,00,00,00,00,\
00,00,00,00,01,00,00,01,\
00,00,01,00,00,01,00,00,\
00,00,00,00,00,00,00,00,\
00,01,00,00,00,00,00,00,\
00,00,01,00,00,00,00,00,\
00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,\
03,03,01,01,01,00,00,00
"sntMemory"=hex:\
57,14,DA,D9,E0,C6,98,12,EF,5D,00,00,DE,59,11,00,\
31,FA,A0,F0,00,00,00,00,A8,54,00,00,A8,54,00,00,\
A8,54,00,00,A9,54,00,00,0A,00,03,1F,DD,07,0A,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,0A,00,03,1F,DD,07,00,00,00,00,00,00,00,00,\
00,00,00,00,0A,00,03,1F,DD,07,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
04,41,13,D4,80,90,2D,13,00,00,00,00,00,00,00,00
#7
01-15-2013, 01:26 AM
respeto14 (Member; Join Date: Aug 2011; Posts: 20)

@kjms, thanks for sharing.

I have tried it and it works perfectly, but my problem is that when I try it on a real dongle that has Password Counter capabilities it won't work, because the counter is up, so how do I fix this problem?
Can the problem be solved if we activate an inactive algorithm (we now have the following values: WP, OWP1, OWP2, algorithm cells at addresses 08, 09) on a real dongle (not an emulator)?
#8
01-15-2013, 02:30 AM
Lomex (Senior Member; Join Date: Dec 2009; Posts: 139)

problem fixed.

Last edited by Lomex : 01-15-2013 at 06:41 PM.
#9
01-15-2013, 04:27 AM
respeto14 (Member; Join Date: Aug 2011; Posts: 20)
Test sepro

Try this; it works for me, and it's tested.

http://www.mediafire.com/download.php?mu8wts98gib5wgr

Code:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\MultiKey\Dumps\D9DA0000]
"DongleType"=dword:00000003
"Copyright"="Git"
"Created"="Mon Dec 21 08:10:14.437 2009"
"Name"="D9DA Sentinel SuperPro Dump"
"Type"=dword:00000000
"CellType"=hex:\
01,01,03,03,03,03,03,03,03,03,00,00,00,00,00,00,\
00,00,00,00,01,00,00,01,00,00,01,00,00,01,00,00,\
01,00,00,00,00,00,00,00,00,01,00,00,01,00,00,01,\
00,00,01,00,00,01,00,00,01,00,00,00,00,00,00,01
"sntMemory"=hex:\
6d,13,da,d9,e0,c6,98,12,ef,5d,00,00,de,59,00,00,\
31,fa,a0,f0,00,00,00,00,a2,52,00,00,a2,52,00,00,\
a2,52,00,00,a1,52,01,01,01,00,01,01,fc,08,01,00,\
01,01,fc,08,01,00,01,01,fc,08,01,00,01,01,fc,08,\
01,00,01,01,fc,08,01,01,01,01,01,01,01,00,01,01,\
01,01,01,00,01,01,fc,08,01,00,01,01,fc,08,01,00,\
01,01,fc,08,01,00,01,01,fc,08,01,00,01,01,fc,08,\
01,00,01,01,fc,08,01,01,01,00,01,01,fc,08,00,00
#10
01-15-2013, 08:09 AM
Git (Super Moderator; Join Date: Oct 2007; Location: Torino; Posts: 1,797)

respeto - if you have exceeded the WP counter then your dongle is toast. If you are brave, return it for exchange and say it just stopped working.

Git