|
|
|
|
|
Yep yep... another dongle within 3 weeks, where I could lay my hands on, even more important I got to 'try' it at home... After installing the 7 disks and clicker-the-clicking on the icon, the usual screen appears nagging about the dongle ain't on the LPT port. We set our famous breakpoint (BPIO -H 378 RW) and launch our target...
:0001.070A 83EA02 sub dx, 0002 :0001.070D 58 pop ax :0001.070E EC in al, dx <<<< point of entry :0001.070F A24200 mov [0042], al :0001.0712 B0FF mov al, FF :0001.0714 EE out dx, al :0001.0715 51 push cx :0001.0716 8B0E2700 mov cx, [0027] :0001.071A E2FE loop 071A :0001.071C 59 pop cx :0001.071D B0FF mov al, FF :0001.071F EE out dx, al :0001.0720 EB00 jmp 0722
We are right in the "is dongle there check" - routine... We can see in our soft-ice screen that the target-source is located in a SSWIN(0)... After stepping through the code with RET P We come across a very interesting cmp AX,xxxx instruction... (fools!) (btw. 16bit source)
:0004.0106 1E push ds :0004.0107 689B03 push 039B :0004.010A 1E push ds :0004.010B 689203 push 0392 :0004.010E 9A2B010000 call KERNEL.LSTRLEN :0004.0113 50 push ax :0004.0114 9A31010000 call SSWIN.SSQUERY <<<< (familair? sswin.dll!) :0004.0119 3D80FA cmp ax, FA80 :0004.011C 7504 jne 0122 :0004.011E B80100 mov ax, 0001 :0004.0121 CB retf
Well , it's boring but this compare does the great trick... ax will contain FA80 if the dongle is plugged to LPT1 and it contains 0000 if the dongle is not there... Again loads a money down the drain... (well there are more checks within the program, when certain functions are called) Okay I like to see the dongle be called for I/O addy 278 and 3BC .. (set the breakpoints...)
After setting the 3 BPIO-s we come up with the folowing conclusions: which LPT is called at which address and ax is then checked with which value ...
I/O-port offset value 378 :0114 FA80 3BC :01AA BAA2 378 :01DC 40F8 278 :0211 ADD7
We can see at these addresses that the same routine (as you see later in your dissassembled source-listing)is called all the time... All these addresses are located in a resource call OMNIPAGE ... okay let's disassemble omnipage.exe and earlier we found that sswin(0) was also a resource... see there we have sswin.dll in our target directory... also let this one be nursed by wdasm 8.x... I included a zipped ascII version of sswin.dll because I have a feeling they are all the same, so it could be good reference... I can only get one sentinel pro so if someone else out could verify, this would for sure be an helpful add-on
When you run the target and take away the dongle (or patch it... I gave all the clues for that) during run time nothing happens but only if certain functions are called it naggs for the dongle .. the functions I try to find in 5 secs are save and editing the user-dictionary (ax=5e3e)... There are more! but I have no scanner and no time to press every button and option , I don't care about the program... I want this dongles' ass! I like to see dongles in a more advanced erea, lets say encryption, jumps-outof-the-box, shifting data-blocks through memory maybe some hard-code in the dongle that can be copied in various places in the memory...
Okay back to the essay... look here at a part of the header of sswin.dll
Addr:0000.0000 Ord:0000d Type:00h Name: SSWIN Addr:0000.0000 Ord:0000d Type:00h Name: SentinelPro Windows Driver DLL Addr:0001.0341 Ord:0001d Type:FFh Name: SSQUERY {Exported} Addr:0001.0067 Ord:0002d Type:FFh Name: OPEN_SENT {Exported} Addr:0001.00DA Ord:0003d Type:FFh Name: CLOSE_SENT {Exported} Addr:0002.0000 Ord:0007d Type:FFh Name: WEP {Exported}
Very interesting information... might this be a general DLL for these dongles? (it would be interesting if someone with such a dongle could verify this!) this SSQUERY is called from omnipage.exe and then compared with a value (example)... Lots of times... okay let's explore this ssquery...
I pick some highlights out of this source (again you can view the complete source here). At call 016E some kind of table is copied to a location in memory ... after this table is copied, dongle transferred data is placed in that area. ( at a really dumb way , look for yourself...)
:0001.0281 A02400 mov al, [0024] :0001.0284 26884702 mov es:[bx+02], al :0001.0288 A02300 mov al, [0023] :0001.028B 26884703 mov es:[bx+03], al :0001.028F A02500 mov al, [0025] :0001.0292 26884704 mov es:[bx+04], al :0001.0296 A02600 mov al, [0026] :0001.0299 26884705 mov es:[bx+05], al :0001.029D A05B00 mov al, [005B] :0001.02A0 26884706 mov es:[bx+06], al :0001.02A4 A05C00 mov al, [005C] :0001.02A7 26884707 mov es:[bx+07], al :0001.02AB A05D00 mov al, [005D] :0001.02AE 26884708 mov es:[bx+08], al
This is only a part of it... after that is done we come in the next nice piece of code .. It's called at cs:03EE call 063D
:0001.063D 51 push cx :0001.063E 8B164000 mov dx, [0040] <<<Here :0001.0642 F6065E0020 test byte ptr [005E], 20 :0001.0647 7503 jne 064C :0001.0649 EB60 jmp 06A
Here the IO-addy for the LPT-port is fetched from address ds:[0040], in the same order as we set our 3 breakpoints earlier... After this is done a series of bytes is send to the dongle (FF,FF,BE,AA,AE,AA,AE,BE) (cs:0712 - cs:076D) I reckon it's to enable the software switch with in the dongle... When this is done the BX is reset to FFFF at cs:0778...
:0001.0778 BBFFFF mov bx,FFFF <<< set BX checked after RET :0001.077B F6065E0020 test byte ptr [005E], 20 :0001.0780 750B jne 078D :0001.0782 F6063E0001 test byte ptr [003E], 01 :0001.0787 7404 je 078D :0001.0789 59 pop cx :0001.078A E9DA01 jmp 0967 :0001.078D BF0000 mov di, 0000 <<< set DI, condition flag :0001.0790 F6065E0080 test byte ptr [005E], 80 :0001.0795 7412 je 07A9 :0001.0797 59 pop cx :0001.0798 41 inc cx <<< number of times the complete routine should loop (8)
The value BX is changed (when the dongle is connected) by this piece of code...
:0001.07DD F6065E0080 test byte ptr [005E], 80 :0001.07E2 7415 je 07F9 :0001.07E4 F6065E0040 test byte ptr [005E], 40 :0001.07E9 7508 jne 07F3 :0001.07EB F7C70080 test di, 8000 (postive/negative (x000000000000)) :0001.07EF 750C jne 07FD :0001.07F1 EB06 jmp 07F9 :0001.07F3 F7C70100 test di, 0001 (odd/even 000000000000000x)) :0001.07F7 7504 jne 07FD :0001.07F9 F6D8 neg al :0001.07FB D1D3 rcl bx, 01
Here we can see that BX is changed by a rol carry left depending if DI is positive or negative and odd or even. Also the value in [005E] interacts on condition, it decides if odd/even is used or positive/negative... so depending on the 2 compement of AL (if al = 0 c-flag = low) a zero or a one is clocked into the LSB of BX. Let's see where DI depends on
:0001.07B1 268A04 mov al , es:[si] <<< point to 'OMNIPAGE' :0001.07B4 46 inc si :0001.07B5 D2C0 rol al, cl :0001.07B7 D3C8 ror ax, cl :0001.07B9 D3C8 ror ax, cl :0001.07BB 97 xchg ax,di
As we can see here the first value of 'OMNIPAGE' is fetched, pointer is increased then we have some bit-juggling and after the XCHG opcode we have our DI which will be tested in the piece of code we saw earlier (cs:07EB cs:07F3) only some of the ASCII values give odd numbers and those the fall through on CS:07F7 and BX will change in order if there is a 1 or 0 in de carry- flag...
Man... concluding this... LOOK it's the same as my first dongle essay... (DONG_MAD.HTM) I can't look at the other dongle at the moment if it's also a sentinel pro (but if so, this means that this code is used all the time for this kind of dongle) in other words:
Manipulating the ascII values one by one of a string in memory in order to get a odd or even value... only odd values will fall through a cmp-action and depending on carry-bit the value in BX is changed! This is done about 8 times (OMNIPAGE) and then this value is compared (here it's moved to ax)
:0004.0114 9A31010000 call SSWIN.SSQUERY :0004.0119 3D80FA cmp ax, FA80 <<<< is moved to AX before :0004.011C 7504 jne 0122 the RET is executed :0013.0210 9A04030000 call SSWIN.SSQUERY :0013.0215 3DB7F6 cmp ax, F6B7 <<<< another example :0013.0218 7413 je 022D
The dongle is just used to deliver bytes which will be used after testing and checking some bits to effect the carry throught the command on cs:07F9 (neg al).
If we search through the disassembled source of omnipage.exe and search for ssquery .. we see that there is a lot of difference in numbers, So now we know that these number are related to names... I checked a few , (example . trainOCR) If you want to know what words they use trace in side the call KERNEL.LSTRLEN which is just in front for the ssquery call.
:0013.007E 9A0B020000 call KERNEL.LSTRLEN :0013.0083 50 push ax :0013.0084 9A11020000 call SSWIN.SSQUERY :0013.0089 3D45FF cmp ax, FF45 :0013.008C 7413 je 00A1
And look at location ES:DI and you will find the name they want use to calc the number to compare...
|
I discovered while cracking and writing this essay that the same routine were used in a previous essay of mine .. I decided to post it to Fravia+ anyway because all the dongle-routines are in these one DLL-file, really handy! And it proves that the same (I mean 100% identical) code is used... I think by reading this essay all of the Sentinel Pro dongles can be reversed in an instant.. I tried not to give away too much on where exactly to patch, because it's the dongle we want not the software... Again the dongle is used as a dumb key to spit some bytes at order to verify a value .. I think dongles should be used MUCH more actively, like I summed up earlier
Have a nice day and keep hunting! MaD.. =o) Would you send a space-shuttle in orbit... if the onboard-computer is running an O$ with an graphical user interface? if the austronaut has to use a mouse to controle it? That's why bill gate$ will never rule the computer industry...
|