

Removing need for dongle in Sentinel LM Wlscgen

Courtesy of Fravia's page of reverse engineering

There is a crack, a crack in everything
That's how the light gets in

The target audience for this essay is reasonably experienced crackers with some ASM coding experience who wish to generate keys for Sentinel License Manager protected products.

Wslcgen is a part of Sentinel LM SDK v7.1.0 and it is the license generator that makes Sentinel LM protected programs activated to a usable state. SDK says that it needs a special "License meter key". Make any licenses and you will have to buy one from Rainbow Tech. Also when you have exhausted your key you will have to buy a new one. My initial guess was that it was a standard Sentinel Super Pro dongle with a counter and I was right. What makes this target interesting is to see how well Rainbow Tech. managed to use their own protection methods.

Wslcgen.exe from Sentinel LM SDK v7.1.0, IDA v4.04+, Softice v4.05, hex editor (I use hiew and Hexworkshop), SuperPro Developer's Guide from api.txt from the C/C++ Interface available from and Killer_3K's superpro flirt sig for IDA (from CrackZ site) and the Sentinel LM sigs:

Uncertain - this appears to be a descendant of the earlier Sentinel License Manager and the Elan license manager. The models for licensing appear to come from the ancient "netls" package, but the key generation appears to be totally different.

Here's a little info on how the dongle and api works. Replacement for the real manual which is really a must to read in order to

This is split into 64 WORDs (2 bytes long), also called cells counted from 0-63. Values of these go from 0x0000 (0) till 0xFFFF (65535). Here's a little table of the use of those 8:

0    | Dongle serial number which is unique for every dongle (the number just gets incremented in production of the dongles) (readonly)
1    | Developer ID (to ensure you get hold of a dongle from the right vendor) (readonly)
5    | Reserved by Rainbow Tech.
8-63 | User read and writeable (full access)

Each cell has a value of its access type. The following table shows the different types:

2    | Counter cell which can only be decremented (no access)

Once an api is called, a return variable will hold the error code. At assembler level this always refers to EAX. That if it is 0 then dongle is found and 3 dongle is not found and everything else also means error of some kind.

Here below is a list of the most important apis needed to emulate in general:

SproFindFirstUnit() is the first api called when looking for the dongle. Take the Developer ID as a parameter in order to look for the correct dongle.

SproRead() will read a WORD value from a specific cell. Store address of the read is specified as input parameters.

Since the DWORD algorithm is access code 3 you can't read it out of
That is why emulation of it is different for every program. Query value and store addresses used are put in as input parameters.

SproDecrement() decrements a counter cell (access code 2) and takes cell address

SproActivate() activates an algorithm which was deactivated before.

When running the program we get an error msg with a problem accessing the meter
So first we disassemble wlscgen.exe in IDA and apply the sspro.sig. Make a wlscgen.map file, and convert it so we use the map with the Symbol loader making it more clear what we do when working in Softice. First we will find SproFindFirstUnit at 00423495.

:0042348F  push 0A870h                  Developer ID of the Meter Key

Replacing the code at address 00435B06 with a xor eax, eax and NOP'ing the jump and move right after returns SP_SUCCESS. Putting a bpx on it in Softice makes it break at 00423079. By identifying the parameters we will get this:

Having read Goatass's essay on FlexiSIGN along with Crackz's on other Sentinel
The following emulation made in hiew showing that

:00435CF8: 5D          pop ebp                the Delta offset will be placed in EBP now
:00435CF9: 8D551E      lea edx,[ebp][1E]      the displacement 0x1E will be added and the address in EDX will point to the entry
:00435CFD: 0FB74C2410  movzx ecx,w,[esp][10]  get the cell address to read from from stack
