Dongle DEJAVU
Revealing sentinel Pro main code
dongle
Project 3
03 March 1998
by MaD
Courtesy of Fravia's page of reverse engineering
slightly edited by fravia+
fra_00xx 980303 MaD 0100 P3 XX

Poor dongles! Another bashing, their value as "sure" protection does not seem to be very high any more.
Hey, this is interesting: a good cracker in fieri shows us techniques (and very interesting code snippets) instead of repeating the (almost useless) "how I cracked target program so and so..."
An interesting essay for beginner and intermediate dongle crackers...
There is a crack, a crack in everything. That's how the light gets in.
Rating
( )Beginner (x)Intermediate ( )Advanced ( )Expert

This essay probably reveals the main code for all Sentinel Pro dongles; the complete code is linked from this page as a zip file...
Dongle DEJAVU
Revealing sentinel Pro main code
Written by MaD [CPT]

Introduction
Okay, here is my third dongle essay... Today's target also uses the dongle like a switch: if the dongle is there (and stays there during the run) keep running, if not then stall. This target is protected by a device from Rainbow Technologies Inc., called Sentinel Pro. It's a rather expensive parasite (it isn't even the cheapest dongle??) and it's also not doing the job it's supposed to do...
A shame, because the software this piece should protect is a very handy tool indeed. It scans your pages through any scanner, but instead of making a picture it converts the image back into editable ASCII text! Again the software is the weakling in this partnership... like we have seen in my 2 other essays (look in project 3)... So why don't we get hands-on and start exploring...
Tools required
The best debugger ever produced, Soft-ICE 3.22; your own hex editor (I prefer UltraEdit 5.00a)... and Filemon (this can be found here at fravia's site) and WDASM 8.x (I used 8.0).

Target's URL/FTP
The software house is Caere and it should be on the web... I got the 7 disks and the dongle for an 'observation'... so I didn't have to go out on this digital highway.....
Program History
The program is called Omnipage and is at version level 5.00, so it's pretty proven I think, judging by its version number.
Essay
Yep yep... another dongle within 3 weeks that I could lay my hands on, and even more important, I got to 'try' it at home... After installing the 7 disks and clicker-the-clicking on the icon, the usual screen appears, nagging that the dongle isn't on the LPT port.

We set our famous breakpoint (BPIO -H 378 RW) and launch our target... We are right in the "is dongle there check" routine... We can see in our Soft-ICE screen that the target source is located in SSWIN(0)... After stepping through the code with RET P we come across a very interesting cmp AX,xxxx instruction... (fools!) (btw. 16-bit source)

Well, it's boring, but this compare does the great trick... AX will contain FA80 if the dongle is plugged into LPT1 and it contains 0000 if the dongle is not there... Again loads of money down the drain... (well, there are more checks within the program, when certain functions are called.) Okay, I'd like to see the dongle being called for I/O addresses 278 and 3BC as well (set the breakpoints...). After setting the 3 BPIOs we come up with the following conclusions: which LPT is called at which address, and which value AX is then checked against...

We can see at these addresses that the same routine (as you will see later in your disassembled source listing) is called all the time... All these addresses are located in a resource called OMNIPAGE... okay, let's disassemble omnipage.exe. Earlier we found that sswin(0) was also a resource... and there we have sswin.dll in our target directory... let this one be nursed by WDASM 8.x as well... I included a zipped ASCII version of sswin.dll because I have a feeling they are all the same, so it could be a good reference... I can only get one Sentinel Pro, so if someone else out there could verify this, it would for sure be a helpful add-on.

When you run the target and take away the dongle (or patch it... I gave all the clues for that) during run time nothing happens, but if certain functions are called it nags for the dongle... the functions I found in 5 seconds are save and editing the user dictionary (ax=5e3e). There are more! But I have no scanner and no time to press every button and option, and I don't care about the program... I want this dongle's ass! I'd like to see dongles in a more advanced area, let's say encryption, jumps out of the box, shifting data blocks through memory, maybe some hard code in the dongle that can be copied to various places in memory...

Okay back to the essay... look here at a part of the header of sswin.dll

Very interesting information... might this be a general DLL for these dongles? (It would be interesting if someone with such a dongle could verify this!) This SSQUERY is called from omnipage.exe and its result is then compared with a value (for example)... lots of times... okay, let's explore this ssquery...

I pick some highlights out of this source (again, you can view the complete source here). At call 016E some kind of table is copied to a location in memory... after this table is copied, data transferred from the dongle is placed in that area (in a really dumb way, look for yourself...).

This is only a part of it... after that is done we come to the next nice piece of code... It's called at cs:03EE: call 063D.

Here the I/O address for the LPT port is fetched from address ds:[0040], in the same order as we set our 3 breakpoints earlier... After this is done a series of bytes is sent to the dongle (FF,FF,BE,AA,AE,AA,AE,BE) (cs:0712 - cs:076D); I reckon it's to enable the software switch within the dongle... When this is done, BX is reset to FFFF at cs:0778...

The value BX is changed (when the dongle is connected) by this piece of code...

Here we can see that BX is changed by a rotate-through-carry left (RCL), depending on whether DI is positive or negative and odd or even. The value in [005E] also takes part in the condition: it decides whether the odd/even or the positive/negative test is used... So depending on the two's complement of AL (NEG AL: if AL = 0 the carry flag is clear) a zero or a one is clocked into the LSB of BX. Let's see what DI depends on.

As we can see here, the first character of 'OMNIPAGE' is fetched and the pointer is increased; then we have some bit-juggling and after the XCHG opcode we have our DI, which will be tested in the piece of code we saw earlier (cs:07EB, cs:07F3). Only some of the ASCII values give odd numbers, and those fall through to CS:07F7, where BX changes according to whether there is a 1 or a 0 in the carry flag...

Man... concluding this... LOOK, it's the same as in my first dongle essay (DONG_MAD.HTM). I can't look at the other dongle at the moment to see if it's also a Sentinel Pro (but if so, this means that this code is used all the time for this kind of dongle). In other words:

The dongle is just used to deliver bytes, which, after testing and checking some bits, affect the carry through the instruction at cs:07F9 (neg al).

If we search through the disassembled source of omnipage.exe for ssquery, we see that the compared numbers differ a lot, so now we know that these numbers are related to names... I checked a few (example: trainOCR). If you want to know which words they use, trace inside the call to KERNEL.LSTRLEN, which is just in front of the ssquery call.

Then look at location ES:DI and you will find the name they use to calculate the number to compare...
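The bit-clocking loop described above and the "dumb key" conclusion, as an added example in C that is neither the essay's code nor sswin.dll's: a constructed model in which NEG AL's carry is RCL'ed into BX for the name characters that pass the odd test, next to the two ways a program can consume the result. The DI transform, the dongle bytes and the unmask routine are assumptions made for illustration; only the FFFF start value, the RCL/NEG mechanism and the FA80 compare come from the essay.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed model of the check structure the essay describes; it is
 * an illustration, not the code of sswin.dll or of any Sentinel product. */

#define EXPECTED_OK 0xFA80u  /* value the essay saw compared against AX */

/* rcl bx,1: bit 15 goes to CF (dropped here), CF goes into bit 0 */
static uint16_t rcl16(uint16_t bx, int carry_in)
{
    return (uint16_t)(((bx << 1) | (carry_in & 1)) & 0xFFFFu);
}

/* Model of the accumulation loop: BX starts at FFFF, each name character
 * is turned into a DI-like value (the transform is a constructed stand-in
 * for the "bit-juggling"), only an odd DI consumes a dongle byte, and
 * NEG AL's carry (clear only when AL == 0) is clocked into BX's LSB.
 * Assumption: with no dongle the port reads 0, so only zeros are clocked. */
uint16_t query_model(const char *name, const uint8_t *dongle, size_t n)
{
    uint16_t bx = 0xFFFFu;
    size_t used = 0;
    for (const unsigned char *p = (const unsigned char *)name; *p; ++p) {
        unsigned di = *p ^ (*p >> 1);               /* constructed stand-in */
        if (di & 1u) {
            uint8_t al = used < n ? dongle[used] : 0; /* absent dongle -> 0 */
            used++;
            bx = rcl16(bx, al != 0);                 /* neg al -> CF -> rcl */
        }
    }
    return bx;
}

/* "Dumb switch" use: the whole decision is one compare against a constant
 * the client carries, so nothing the dongle returned is needed afterwards. */
int switch_check(uint16_t ax) { return ax == EXPECTED_OK; }

/* Value-consuming use: the response is fed into data the program needs,
 * so a wrong response yields unusable output instead of a single branch.
 * A 16-bit value is far too small for real key material; the point is the
 * shape of the design, not the strength of this toy XOR transform. */
void unmask(uint8_t *buf, size_t len, uint16_t key)
{
    for (size_t i = 0; i < len; ++i)
        buf[i] ^= (uint8_t)(key >> ((i & 1) ? 8 : 0));
}
```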

Final Notes

I discovered while cracking and writing this essay that the same routine was used in a previous essay of mine... I decided to post it to fravia+ anyway, because all the dongle routines are in this one DLL file, really handy! And it proves that the same (I mean 100% identical) code is used... I think that by reading this essay all of the Sentinel Pro dongles can be reversed in an instant... I tried not to give away too much on where exactly to patch, because it's the dongle we want, not the software... Again the dongle is used as a dumb key to spit out some bytes in order to verify a value... I think dongles should be used MUCH more actively, like I summed up earlier.

Have a nice day and keep hunting! MaD.. =o)


Ob Duh
I won't even bother explaining to you that you should BUY this target program if you intend to use it for a longer period than the allowed one. Should you want to STEAL this software instead, you don't need to crack its protection scheme at all: you'll find it on most Warez sites, complete and already regged, farewell.