Exetools  

  #1  
08-01-2002, 03:58
TGD
SoftSentry v2.0

I'm trying to crack Dicom Dental Imaging v1.73.3, which is protected with SoftSentry v2.0. Also, examining the code, it seems a blend of VB and assembler... i.e. assembler with calls to VB routines, and the routines that call the protection are within the VB code.

Any technical pointers on how SoftSentry works or how to attack this project?

Thanks!
#2
08-02-2002, 03:14
Vox Humana
I know fairly well the 3.0 version (a stupid protection), but I guess that the same concepts apply to the 2.0 one (even more stupid; I cracked only a program protected with it).

SoftSentry may work in two modes: as an external protection (i.e. a DLL that exports functions called by the protected program), or as a wrapper (appending code and data sections to the main program, and varying the PE header as needed).

As you do not mention any DLL and talk about VisualBasic, I think that 'your' mode is the latter; probably, your target was written in VB; this is the reason why you've found that 'medley'.

The wrapper of the 3.0 version encrypted the 80 starting bytes in the code section; not so, AFAIK, the 2.0 version. You need only to find the program OEP; by simply changing the corresponding PE header value, the main program will work flawlessly. Alternatively, you can find the unlock function and crack it.

The various exported functions are only a banal trick; this is quoted from SSentry help:

"To enhance security by making it more difficult to determine the purpose of the softSENTRY DLL when monitoring the calls to it, softSENTRY provides several alternative function calls that can be used in place of the default softSENTRY() call."

All functions execute a JUMP to the softSENTRY() one.

IMHO, SoftSentry was a well written program, a very nice application, a wonderful example of programming techniques, but an appalling protection...

Hope it helps
#3
08-02-2002, 05:39
TGD
Not a wrapper...

Hi Vox Humana,

First of all, thanks for your prompt response. Actually I really forgot to mention the dll, because there is one exedss.dll that protects the main program, and a WhitenSS.dll that protects another .ocx.

Not very smart name to use for a dll, even though it has the hidden bit on.

The only import in the .exe & .ocx is msvbvm60.dll. That is why I said after disassembling the code that the call to the softsentry protection is within a VB part. Also there are no extra sections in the PE file, just .txt, .data & .rsrc.

What you are suggesting is cracking the exedss.dll? Because I can't find the jumps to softsentry() within the compiled VB code.

Thanks for your help!

TGD
#4
08-02-2002, 22:29
Vox Humana
Quote:
First of all, thanks for your prompt response.
You're welcome! In past times I've been given a lot from the community, and I reply (and I'll do it) whenever I can. No matter what people think about it, this is my own way of trying to pay my debt.



Quote:
What you are suggesting is cracking the exedss.dll?
Yes, sure. Usually the weakness of such old protections (external functions in a DLL) dwells in the external calls performed by the protected program; but in case of SoftSENTRY, the protection scheme is very simple and very easy to crack, and the DLL is very small.



Quote:
Because I can't find the jumps to softsentry() within the compiled VB code.
This is because the main program uses Run-Time Dynamic Linking, i.e. LoadLibrary and GetProcAddress. In VB, this method is implemented inside DllFunctionCall, exported by the VB runtime library. If you examine the strings contained in the main program (by means of any hex editor, for example), you'll find "exesdss.dll" and, after some bytes, SoftSentry, GetString, and so on; a SmartCheck session will easily show where and when the calls come.

Have fun!
#5
08-06-2002, 02:40
TGD
Bye bye check!!!!

Hi Vox Humana,

Following your pointers, I was able to crack the app... After checking the code with IDA, I found the following:

...
.text:004875AD call ds:__vbaOnError
.text:004875B3 mov dword ptr [ebp-4], 7
.text:004875BA call sub_0_407034
.text:004875BF mov [ebp-0C8h], eax
.text:004875C5 call ds:__vbaSetSystemError
...


And on the sub_0_407034 is the reference to the DLLFunctionCall you mentioned:
...
.text:00407034 sub_0_407034 proc near ; CODE XREF: .text:004875BAp
.text:00407034 mov eax, dword_0_48E950
.text:00407039 or eax, eax
.text:0040703B jz short loc_0_40703F
.text:0040703D jmp eax
.text:0040703F ; --------------------------------------------------------------
.text:0040703F
.text:0040703F loc_0_40703F: ; CODE XREF:sub_0_407034+7j
.text:0040703F push offset off_0_40701C
.text:00407044 mov eax, offset DllFunctionCall
.text:00407049 call eax ; DllFunctionCall
.text:0040704B jmp eax
.text:0040704B sub_0_407034 endp
...

and at offset off_0_40701C is the reference that comes after the softSENTRY name:

...

.text:00407000 45 78 45 64 53 53 2E 64-6C 6C 00 00 0B 00 00 00 "ExEdSS.dll.. ..."
.text:00407010 73 6F 66 74 53 45 4E 54-52 59 00 00 00 70 40 00 "softSENTRY...p@."
.text:00407020 10 70 40 00 00 00 04 00-48 E9 48 00 00 00 00 00 "p@....HTH....."
.text:00407030 00 00 00 00 A1

So what I did was make a patcher that searches for softSENTRY and inserts a ret 27 bytes after the name (change A1 for C3).

It worked like a charm with the .exe and the .ocx... no more checks or nags...

In a later version of the program I found a second check but only after the SS.dll... so I had to patch that too.

Actually I made a "generic" patcher that will search for that sequence of bytes in any file... so it might crack other softSENTRY apps too...

Again thanks for the help!!!

Cheers,

TGD
#6
08-06-2002, 16:14
testing999
congratulations, TGD! where can we find your generic patcher for softsentry v2.0 and v3.0?
#7
08-07-2002, 23:38
TGD
Patcher...

Testing999,

My patcher is only tested with some .exes & .ocxs (specifically Dicom Imaging Suite) that use softSENTRY 2.0 (not 3.0).

What I did was make a Code Fusion 3.0 patcher that does the byte hunt & replace I mentioned before, so it might work with other apps.

All the info on my patcher makes reference to Dicom's apps... I can either upload it "as is" if you want, or change the patcher text to reflect something more "generic".

Cheers,

TGD
#8
08-10-2002, 17:17
Vox Humana
I'm glad to know I've been of use.

IMHO, you should consider cracking the DLL to build a universal patcher; the DLL is always the same (only the file name is different), and you don't need to search any sequence.

Besides, it will work on each protected executable.

Have fun!
#9
08-11-2002, 01:06
snaker
link

Hi people, can I get the link to the Dental Software and any other SoftSentry 2.0 / 1.0 protected application please! Thanks in advance

All times are GMT +8.

