  #1  
Old 04-26-2004, 16:08
RegUser_2
 
Posts: n/a
Did anyone try to find the SLM 7.2 dongle ComputerID Query Algorithm?

In SLM 7.1 the dongle ComputerID was retrieved by a rather simple procedure. Here is a small part of the code I use to emulate it, which explains the process. In general, RNBOsproQuery to cell address 10 with small query/response tables is used to retrieve two seeds, and the ComputerID is just the XOR of those two.
In SLM 7.2, however, this process is much more involved. It includes the SLM 7.1 ComputerID code plus four different checks to ensure that the attached dongle is the correct one. It rotates HUGE 16-bit query/response tables, which are encoded by the feature code the SLM is meant to protect, so if the product has several features the size of the emulator code becomes very unpleasant, UNLESS SOMEONE discovers the ALGORITHM that converts a 16-bit query string into a 16-bit response string.


/*
 * vlsGetIdFromDongle710 - build the SLM 7.1.0 ComputerID string from an
 * attached hardware key and copy it, upper-cased, into lpQueryResp.
 *
 * Steps visible in this listing:
 *   1. Format a driver packet and locate a unit (first unit, then
 *      dwNumDongles calls to "find next").
 *   2. Query cell 10 with the string aUbikbalm; parse the converted
 *      response as hex into dwResp.
 *   3. Read cell 15 and require the value 0x0600 (version check).
 *   4. Query cell 8 with the first 8 characters of the step-2 response;
 *      parse the converted response as hex into dwResp2.
 *   5. Spot-check one QueryTbl/RespTbl pair against cell 8.
 *   6. Call doDongleQuery1 and require dwQR to come back unchanged.
 *   7. ComputerID = dwResp ^ dwResp2, formatted as 8 hex digits.
 *
 * Parameters:
 *   ErrStr        not referenced anywhere in this function.
 *   dwNumDongles  number of RNBOsproFindNextUnit calls made after the
 *                 first unit is found.
 *   lpQueryResp   output buffer for the ID string.
 *   dwMaxLen      limit compared against the ID string length before the
 *                 copy (see the NOTE at the bounds check).
 *
 * Returns 0 on success, 0x2F when a driver call fails, 0x30 when no unit
 * is found, 0x31 on a version mismatch, 0x32 when a verification step
 * fails, and 0xFFFFFFFD when the ID string is longer than dwMaxLen.
 *
 * NOTE(review): the queries in steps 2 and 4 are built from what appears
 * to be a constant string and from the first response, so the ID looks
 * like a deterministic function of the device with no per-session
 * freshness - confirm against the definition of aUbikbalm.
 */
int vlsGetIdFromDongle710(char *ErrStr, int dwNumDongles, char *lpQueryResp, int dwMaxLen)
{

/* NOTE(review): SJOB is a single int, yet 0x404 is passed alongside it to
 * RNBOsproFormatPacket below. If that argument is the packet size, the
 * driver would write far past this object - confirm the real packet type. */
int SJOB;
char QueryStr60[60];
char ConvRespStr60[60];
char TempStr60[60];
U32 dwResp2;
U32 dwQR;
U32 dwResp;
U32 dwTemp;
U32 RdDataA15;
U32 QueryLen;
int i;
U32 r_eax, r_edi;

if((r_eax = RNBOsproFormatPacket(&SJOB, 0x404)) != OK) {

/* NOTE(review): r_eax is U32 but printed with %d (same pattern in every
 * "Unknown exception" message below). */
printf("Unknown exception (%d) in accessing SentinelLM portable server(s).", r_eax);
return 0x2F;
}

if(RNBOsproFindFirstUnit(&SJOB, 0x25CF) != OK) {
printf("Error accessing SentinelLM portable server(s). Please make sure one is attached.");
return 0x30;
}

/* Advance dwNumDongles units past the first one; any failure aborts. */
for(i = dwNumDongles; i> 0; i--) {
if(RNBOsproFindNextUnit(&SJOB) != OK) {
printf("Error accessing SentinelLM portable server(s). Please make sure one is attached.");
return 0x30;
}
}


/* First query: at most 56 characters of aUbikbalm (defined elsewhere). */
TempStr60[0] = '\0';
strncat(TempStr60, aUbikbalm, 56);

/* Half the text length; presumably two hex characters per query byte -
 * confirm against ConvertQueryStr. */
QueryLen = strlen(TempStr60) >> 1;

ConvertQueryStr(TempStr60, QueryStr60);

/* TempStr60 is reused as the raw response buffer for the cell-10 query. */
if((r_eax = RNBOsproQuery(&SJOB, 10, QueryStr60, TempStr60, &dwTemp, QueryLen)) != OK) {
printf("Unknown exception (%d) in accessing SentinelLM portable server(s).", r_eax);
return 0x2F;
}

ConvertResponseStr(TempStr60, ConvRespStr60, QueryLen);

/* NOTE(review): the sscanf result is not checked, so dwResp stays
 * uninitialized if no hex digits are parsed. "%lx" expects an
 * unsigned long *; the U32 typedef is not shown - confirm they match. */
sscanf(ConvRespStr60, "%lx", &dwResp);
printf("********* dwResp1 = %lX\n\n", dwResp);

if((r_eax = RNBOsproRead(&SJOB,15,&RdDataA15)) != OK) {
printf("Unknown exception (%d) in accessing SentinelLM portable server(s).", r_eax);
return 0x2F;
}

/* Cell 15 must hold exactly 0x0600 in its low 16 bits. */
if(((RdDataA15 & 0xFF00) != 0x600) || ((RdDataA15 & 0xFF) != 0)) {
/* NOTE(review): the high byte is masked but not shifted, so the message
 * prints e.g. 1536 rather than 6 for the major field. */
printf("Your SentinelLM portable server has an invalid version (%d.%d). Expected %d.%d.", (RdDataA15 & 0xFF00), (RdDataA15 & 0xFF), 0x600, 0);
return 0x31;
}

/* Second query: the first 8 characters of the converted first response. */
TempStr60[0] = '\0';
strncat(TempStr60, ConvRespStr60, 56);
TempStr60[8] = '\0';

QueryLen = strlen(TempStr60) >> 1;

ConvertQueryStr(TempStr60, QueryStr60);

if((r_eax = RNBOsproQuery(&SJOB, 8, QueryStr60, TempStr60, &dwTemp, QueryLen)) != OK) {
printf("Unknown exception (%d) in accessing SentinelLM portable server(s).", r_eax);
return 0x2F;
}

ConvertResponseStr(TempStr60, ConvRespStr60, QueryLen);

/* NOTE(review): same unchecked sscanf / "%lx"-vs-U32 concern as dwResp. */
sscanf(ConvRespStr60, "%lx", &dwResp2);

printf("********* dwResp2 = %lX\n\n", dwResp2);

/* Pick one of 100 table entries for a spot check.
 * NOTE(review): rand() is used here before the srand() call further down,
 * so unless the caller seeded earlier the same entry is chosen every run. */
r_edi = (rand() % 100);

TempStr60[0] = '\0';
strncat(TempStr60, QueryTbl[r_edi], 56);

QueryLen = strlen(TempStr60) >> 1;

ConvertQueryStr(TempStr60, QueryStr60);

if((r_eax = RNBOsproQuery(&SJOB, 8, QueryStr60, TempStr60, &dwTemp, QueryLen)) != OK) {
printf("Unknown exception (%d) in accessing SentinelLM portable server(s).", r_eax);
return 0x2F;
}

ConvertResponseStr(TempStr60, ConvRespStr60, QueryLen);

/* The converted response must match the stored table entry exactly. */
if(strcmp(ConvRespStr60, RespTbl[r_edi]) != 0) {
printf("Bad %s != %s\n", ConvRespStr60, RespTbl[r_edi]);
return 0x32;
}

/* Seeded from wall-clock time, i.e. one-second resolution. */
srand(time(NULL));

/* NOTE(review): rand() returns int; where RAND_MAX exceeds 0x7FFF the
 * left shift by 16 can overflow a signed int, which is undefined. */
r_eax = (rand() << 16);
r_eax |= (rand() & 0xFFFF);
dwQR = r_eax;

/* doDongleQuery1 is defined elsewhere; the check below passes only if
 * dwQR comes back equal to the value passed in. */
doDongleQuery1(0x25CF, 0, &dwQR);

if(dwQR != r_eax) {
printf("doDongleQuery1() returned wrong value\n");
return 0x32;
}

/* Re-issues a cell-10 query with the QueryStr60/QueryLen left over from the
 * table spot check; only the status is tested, and the response written to
 * TempStr60 is not read again in this function. */
if((r_eax = RNBOsproQuery(&SJOB, 10, QueryStr60, TempStr60, &dwTemp, QueryLen)) != OK) {
printf("Unknown exception (%d) in accessing SentinelLM portable server(s).", r_eax);
return 0x2F;
}

/* ComputerID is the XOR of the two parsed responses.
 * NOTE(review): the message below is labelled "dwResp2^dwResp2" although
 * the value printed is dwResp ^ dwResp2. */
dwResp ^= dwResp2;
printf("********* SLM 7.1.0 ComputerID = dwResp2^dwResp2 = %lX\n\n", dwResp);
sprintf(ConvRespStr60, "%08lx", dwResp);
ConvRespStr60[8] = '\0';

/* NOTE(review): a length equal to dwMaxLen passes this check, and strcpy
 * then writes dwMaxLen + 1 bytes including the terminator. That is safe
 * only if dwMaxLen excludes the NUL - confirm with the caller. A negative
 * dwMaxLen becomes a large value after the U32 cast and defeats the check. */
if(strlen(ConvRespStr60) > (U32)dwMaxLen) {
printf("Bad strlen\n");
/* NOTE(review): 0xFFFFFFFD is returned from an int function; with a
 * 32-bit int the conversion is implementation-defined (typically -3). */
return 0xFFFFFFFD;
}

strcpy(lpQueryResp, ConvRespStr60);
convert_toupper(lpQueryResp);

return 0;

}
  #2  
Old 04-26-2004, 21:11
nig
 
Posts: n/a
Good way for have dog to TRACE

Sometimes no dog no more Crack.
Rainbow Crypt So bt,waste long time to Crypt Str , long time to Decrypt
  #3  
Old 04-27-2004, 12:49
RegUser_2
 
Posts: n/a
The problem is not with the tracing. Reconstructing the query/response 64-bit values is easy, and so is emulation using look-up tables. The real problem lies with the size of these tables.