#11
05-16-2009, 07:22 AM
gus

Quote:
Originally Posted by dgtzaga
@gus Do you have any info about reg structure ??
thanks to GIT

Quote:
Originally Posted by Git
Read the SuperPro developer guide :

http://rapidshare.com/files/221980588/DevGuide.zip

The SuperPro has 64 cells of 16 bits each. The first 8 cells are reserved. The other cells can contain data, counters or algorithms. Each Algorithm takes 2 cells and can be Simple or Enhanced. Each cell has associated permissions and can be Read/Write, Read-Only or No-Access, Decrement-Only.

The data in your dmp file first shows 64 bytes of 00, 01, 02 or 03. This is the Access Code stored as 1 byte per cell and has the following meaning :

0 Read/Write
1 Read-Only
2 Decrement-Only (Counter cell)
3 No-Access (Reserved cell or Algo cell)

The next 64 Words (2 bytes/Word) are the data contents of the 64 cells, stored byte reversed. The first 8 cells are reserved and have special meaning as follows :

00 Serial Number
01 Developer ID
02 Overwrite Password 1 (emulator only)
03 Overwrite Password 2 (emulator only)
04 Write Password
05 License Hardlimit
06 Cell 6
07 ----

So if the first 4 bytes were 34 12 49 76 , it would be Serial Number = 0x1234 and DevID = 0x7649

You will often see that the access Code for cells 0 and 1 is '1' for read-Only and for cells 2 to 7 is '3' for Reserved or No-Access.

When you see 2 consecutive cells between 8 and 64 with access code '3' then that is an Algo cell. In an emulator, the 4 bytes of those 2 cells may be for example 05, 7B, 9E, EC . That cell would then have Descriptor = 0xEC9E7B05. When a Query of length 4 to 56 bytes is sent to a cell with an active algorithm, the Response is formulated from the Descriptor and Cell 6 if it is an Enhanced Algorithm cell, or the Descriptor and the WP if a Simple Algorithm cell. If you are looking at the data from a real dongle or a dump, then the contents of the algo cell (the Descriptor) is not visible. You can tell from the Descriptor if the algorithm is Enhanced or Simple, and if it is Active or Inactive. If bit 15 =1 then it is Active, else it is Inactive. If bit 14 = 1 then it is Enhanced, else it is Simple.

The "pairs" you refer to are probably sets of Query/Response data and in the case of most superpro emulators, they don't seem to support Table data these days. The algorithms are known, so it is preferable to solve the algorithm and store the Descriptor and Cell 6 which define the algorithm. Then it is possible to calculate the Response for *any* Query.

The other block of data you show probably comes from sentemul DNG file and will be highly encrypted data. I think it is fair to say most people are using VusbBus emulators in preference to DNG these days.

Git
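
The dump layout described in the post above, as an added example (not code from the thread or from any tool it names): a read-only parser that splits a dump into access codes and byte-reversed cell words and lists the algorithm cell pairs. Function names and the sample bytes are constructed for illustration; the Active/Enhanced bits are not decoded because the post does not say which 16-bit word they are counted in.

```python
import struct

CELLS = 64
ACCESS = {0: "Read/Write", 1: "Read-Only", 2: "Decrement-Only", 3: "No-Access"}
RESERVED = ["Serial Number", "Developer ID", "Overwrite Password 1",
            "Overwrite Password 2", "Write Password", "License Hardlimit",
            "Cell 6", "----"]

def parse_dump(blob):
    """Split a dump into 64 access codes and 64 cell words (stored byte reversed)."""
    if len(blob) < CELLS * 3:
        raise ValueError("expected 64 access bytes followed by 128 data bytes")
    access = list(blob[:CELLS])
    if any(code not in ACCESS for code in access):
        raise ValueError("access code outside 0..3")
    words = list(struct.unpack("<64H", blob[CELLS:CELLS * 3]))
    return access, words

def algo_cells(access, words):
    """Pairs of consecutive No-Access cells from cell 8 up, with the 32-bit Descriptor.
    Assumption: pairs do not overlap. Real dongle dumps hide the Descriptor bytes."""
    found, i = [], 8
    while i < CELLS - 1:
        if access[i] == 3 and access[i + 1] == 3:
            found.append((i, (words[i + 1] << 16) | words[i]))
            i += 2
        else:
            i += 1
    return found

def report(blob):
    access, words = parse_dump(blob)
    lines = []
    for i, (code, word) in enumerate(zip(access, words)):
        name = RESERVED[i] if i < 8 else "cell"
        lines.append(f"{i:02d} {name:<22} {ACCESS[code]:<15} 0x{word:04X}")
    for cell, desc in algo_cells(access, words):
        lines.append(f"algo cells {cell}-{cell + 1}: Descriptor = 0x{desc:08X}")
    return lines

def sample_dump():
    """Constructed sample; serial/DevID and Descriptor bytes are the post's examples."""
    access = bytes([1, 1] + [3] * 6 + [3, 3, 2] + [0] * 53)
    data = bytearray(128)
    data[0:4] = bytes.fromhex("34124976")    # cells 0-1
    data[16:20] = bytes.fromhex("057B9EEC")  # cells 8-9
    data[20:22] = bytes.fromhex("6400")      # cell 10, constructed counter value
    return access + bytes(data)
```

Calling `report(sample_dump())` returns one line per cell followed by one line per algorithm cell pair.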

#12
05-16-2009, 02:13 PM
SonofabiT

Dear all.
Reading an article "Removing Sentinel SuperPro dongle from Applications and details on dongle way of cracking" by Shub-Nigurrath of ARTeam, several archives of this forum, and the short explanation by Git, I am starting to understand.

I have two USB Sentinel dongles. Their Developer IDs differ from each other. These two dongles are labeled Rainbow Sentinel Super Pro. In the output of Toro's Sentinel monitor for these two actual dongles (not emulators), I saw: KeyType=4 -> SSP USB.

I followed several threads in this forum. The first dongle can be emulated after the use of the following utilities :
1. PVA 3.3 dumper with option BruteWP selected.
2. tcsh2000's sspro solver ( f1_nodongle.exe )
3. dump to reg converter for vusbbus-based emulator such as y8y8y8y's ssp2reg.exe and Git's dmp2mkey.exe.
4. Chingachguk & Denger2k's vusbbus-based emulator such as multikey 3 in 1 improved by RUSSIAN guys.
5. sentinel.reg as reference, which is distributed in multikey's Example directory.

Using the same procedure as for the first dongle, the second sspro dongle cannot be emulated. I tried another alternative: I used Sataron's UniDmp2Reg 1.1b5 PB to convert my SSP and manually edited the reg based on the reference given by http://www.reteam.org/board/showpost...64&postcount=1 , sad to say, no luck.

Reading several threads, we should reverse the protected s/w under a debugger, but as a newbie, I still don't understand how to begin. I want to try the gamebit emulator but I cannot find it.

The first dongle can be solved by Team EDGE's edgepro11.exe and emulated by Sentemul2007. The second dongle can only be solved by edgeprofix.1.1 and loaded on Sentemul2007. But the s/w which is protected by the second sspro dongle wouldn't work. Output of Toro's monitor (emulating mode) displayed : GetKeyType -> Status=0x0.

For my second dongle, I really want to use a vusbbus-based emulator such as multikey and find out why the generated dng of the second sspro dongle is unable to emulate the s/w running on 32-bit Windows XP Pro.

Questions :
1. What is the meaning of Simple/Standard algorithm and Enhanced algorithm in the field of dongle reversing ?
2. In the sentinel.reg (distributed together with the multikey 0.18.3 package), why is there no entry "Option"=hex:..,.., like in several hasp.reg samples ?



TIA
SonofabiT

Last edited by SonofabiT : 05-22-2009 at 09:33 AM. Reason: Focusing the questions

#13
05-25-2009, 11:42 AM
SonofabiT

Quote:
Originally Posted by fejkus
depends on software, doesn't matter, if it is hasp, sentinel, hardlock

if license information is stored in dongle memory, it should be done, if you figure out, how other functionality is blocked.

upload a regfile for vusb and we will see.

successfully done with sentinel, hasp, hasphl

@fejkus
Do you mean this trick usually works if a s/w is protected by dongle only ?

What I mean: should it be done if the s/w protected by the dongle doesn't need an additional protection scheme such as a serial number or any separate license files ?

Last edited by SonofabiT : 05-25-2009 at 12:18 PM.

#14
05-25-2009, 01:25 PM
benito

Do you see edit button? I do!

#15
06-07-2009, 12:49 AM
mrcdcn

Quote:
Originally Posted by gus
thanks to GIT

Hi.. I have a hardlock dongle reg file for vusb. How can I modify its license or data.
The software is protected with both dongle and serial number.

#16
06-07-2009, 01:05 AM
fejkus

some sw uses only dongle to protect. just upload regfile, and we will see.


Quote:
Originally Posted by SonofabiT
@fejkus
Do you mean this trick usually works if a s/w is protected by dongle only ?

What I mean: should it be done if the s/w protected by the dongle doesn't need an additional protection scheme such as a serial number or any separate license files ?

#17
06-09-2009, 09:52 PM
SonofabiT

@fejkus
My s/w is protected by an sspro dongle and a key number.
Regarding my protected s/w, do you have experience enabling all features by editing only the reg ?

btw, for hasp dongle, thanks for your useful post at http://reteam.org/board/showpost.php?p=5495&postcount=2
Could you please explain to us how to enable all features for hardlock and sentinel dongles ?

#18
06-10-2009, 03:46 AM
benito

there is no universal way to do it. You have to try it.