  #1  
Old 07-11-2010, 12:22 PM
jarm
Member
 
Join Date: Aug 2009
Posts: 19
Tracing wlscgen 8.0???

I'm trying to trace the emulated dongle calls in Olly. I have 8.0 working with Toro 1.7 and I'm trying to locate the point where the cell values are read. I have run memory watch on all registers and never see any of the known cell values. I don't understand.
Is this an anti-debugging issue or something else? The Sentinel monitor indicates communication with the emulator at least 50 times at startup. What am I missing here?
  #2  
Old 07-11-2010, 05:53 PM
Git
Super Moderator
 
Join Date: Oct 2007
Location: Torino
Posts: 1,797

Communication between the app and driver, and between the driver and dongle (or emulated dongle), is encrypted.

Git
  #3  
Old 07-11-2010, 07:47 PM
jarm
Member
 
Join Date: Aug 2009
Posts: 19

So the key is the driver... the Sentinel System Driver ver 7.2.
Is this the driver you refer to?

Last edited by jarm : 07-11-2010 at 08:02 PM.
  #4  
Old 07-12-2010, 06:19 AM
Git
Super Moderator
 
Join Date: Oct 2007
Location: Torino
Posts: 1,797

Yes. By the way, by using the Sentinel monitor you are adding another level of indirection/hooking to the situation, so I think it will make things harder to understand, not easier.

I suggest you use the SproEval tool and the Sentinel SDK manual to make simple API calls that you can more easily trace. You will not understand any of the transfer protocols without disassembly of the driver. If you use IDA to disassemble a protected app, you can gain a good understanding of what is happening and use its excellent debugger. If you apply the IDA Sentinel SIG you will see all the API calls inside your app by name.

The app talks to the driver with a 1028-byte API struct packet. It is undocumented but well known by now. The app fills in various fields of this struct (function code, data, etc.), then encrypts this packet with TEAN encryption using linked-in routines from the SDK libs, and sends it to the driver. The driver decrypts this packet and talks to the USB layer/dongle with an 8-byte Request packet and gets an 8-byte Response packet back from the dongle. These use a proprietary undocumented encryption, but again it is well known by now. After decrypting the Response packet, the driver fills in various fields of the API struct packet, encrypts it with TEAN and sends it back to the app.

Git