DongleSpy v1.0   by Independent (IND)

DongleSpy v1.0 by The Slavic This program was designed to deal with Rainbow Technologies SentinelSuperPro hardware key protected Windows NT/ Windows95 applications. In particular it will work only with apps that use dynamic linked Sentinel's libraries (DLLs). Once it is started, the program intercepts dongle <-> app- lication data exchange and after converting it to the human-readable format stores it in the *.out log file. Because of the necessity to work around Windows NT/95 security, the program turned out to be rather complicated. You can figure out how it works spending some time fishing around in the currently available books or in the MSDN libraries. The usage of the program is very simple. Just make sure rnbospy.dll and dongspy.exe files are in the same directory. Start dongspy.exe and type in the full path and the file name of the dongle-protected application and Sentinel's DLL (you can use a built-in browser). The default name of the DLL is sx32w.dll, but it could have any name. Make sure you specify the right DLL, otherwise it's not going to work! In the next version I'll include auto-search but for right now it's your job to find the DLL. But that's about it. Just press `RUN' and work with your application as you would do without the spying utility. There's a very small overhead, mostly due to the writing to the log file. Probably you wont even notice the difference in speed. After you exit the application, you'll see the new file with the same name as the name of your application and extension `out'. It is the ascii log file which you can open with any text editor and examine the information. Generally, the longer you run the application, the more data you get. This version of the utility works in a passive mode: it's waiting for the application to request the data from the dongle. Because of this, you may not get all the data cells that are used by the application. The next version (if will ever be finished) will pull out the data from ALL available data cells before the application exits, which will guarantee 100% success for emulating the sentinel dongles that use only the data cells. It's not likely that the program will try to overwrite the data (or algorithm) cells because of the limited number of overwrites allowed for a given cell ( the physical limit is about 100000). But even in case it happens, it doesn't seem to be a big deal to keep track of all the overwrites. In addition, if the protection scheme attempts to overwrite data or algorithm cells, the spy utility will intercept the `write' and two `overwrite' passwords! The more complicated case is the algorithm cells. They cannot be read even by developers. The only thing we can do right now is to intercept and log all the Queries and dongle's answers. All the algorithm activate passwords will also be logged (if used). The Increments and Decrements of the Counter cell (i.e. could be used in demo versions to keep track of the number of times the application was executed, etc..) will be logged as well. The `return address' that will be found in the log file after every API call, indicates the address where API function will return control after it's done. If the application doesn't do any tricks, that address could be pretty useful for finding the place in the code where the call was originated from. Well. that's about it. At the end of this file you'll find an example of the output you can expect to see after running the application. It's a part of the real log file that was created when I tested the utility on the Rainbow's test program that is available from Rainbow Technologies's web site (www.rnbo.com). The spy utility will intercept ALL the documented API calls (only part of them is shown on the sample output). Have fun... The Slavic 04.07.96 SentinelSuperPro(tm) is a trade mark of Rainbow Technologies, Inc. Microsoft Windows(tm), Microsoft Windows NT(tm), Microsoft Windows 95(tm) are trademarks of Microsoft Corp. All other product names referenced herein are trademarks or registered trademarks of their respective manufactures. ************************************************************** Start of the sample log file ( check out the developer ID, write and activate passwords, data cells, queries, etc.... that were captured by utility ) The last three calls show the query to the algorithm cell: -before the activation (error response) -unlocking the algorithm cell (the passwords are captured) -after the activation (the correct response) ************************************************************** RNBOsproInitialize(PPACKET:0041E820) RNBOsproInitialize returns: 0 Return Address: 4082E4 RNBOsproInitialize(PPACKET:0041E820) RNBOsproInitialize returns: 0 Return Address: 407BDF RNBOsproGetFullStatus(PPACKET:0041E820) RNBOsproGetFullStatus returns: 410400 Return Address: 407D61 RNBOsproGetVersion(PPACKET:0041E820,GVPMJV:0012FD50,GVPMV:0012FD60,GVPR:0012FD4C,GVPODT:0012FD5C) RNBOsproGetVersion returns: 0 Major Version: 5 Minor Version: 1 Rev: 4 OSDrvType: 5 Return Address: 4047FE RNBOsproFindFirstUnit(PPACKET:0041E820,DID:11830) RNBOsproFindFirstUnit returns: 0 Developer ID: 2378 Return Address: 405749 RNBOsproFindNextUnit(PPACKET:0041E820) RNBOsproFindNextUnit returns: 410003 Return Address: 407867 RNBOsproGetFullStatus(PPACKET:0041E820) RNBOsproGetFullStatus returns: 410209 Return Address: 407882 RNBOsproRead(PPACKET:0041E820,RA:10008,RPD:0041E520) RNBOsproRead returns: 9 Cell: 8 Data: FFFF Return Address: 406A3E RNBOsproGetFullStatus(PPACKET:0041E820) RNBOsproGetFullStatus returns: 410209 Return Address: 406A63 RNBOsproRead(PPACKET:0041E820,RA:10010,RPD:0041E520) RNBOsproRead returns: 9 Cell: 10 Data: FFFF Return Address: 406A3E RNBOsproGetFullStatus(PPACKET:0041E820) RNBOsproGetFullStatus returns: 410209 Return Address: 406A63 RNBOsproFindFirstUnit(PPACKET:0041E820,DID:11830) RNBOsproFindFirstUnit returns: 0 Developer ID: 2378 Return Address: 405749 RNBOsproRead(PPACKET:0041E820,RA:10010,RPD:0041E520) RNBOsproRead returns: 0 Cell: 10 Data: 1F2F Return Address: 406A3E RNBOsproRead(PPACKET:0041E820,RA:10011,RPD:0041E520) RNBOsproRead returns: 0 Cell: 11 Data: ABCD Return Address: 406A3E RNBOsproRead(PPACKET:0041E820,RA:10012,RPD:0041E520) RNBOsproRead returns: 0 Cell: 12 Data: 23EF Return Address: 406A3E RNBOsproExtendedRead(PPACKET:0041E820,ERA:10007,ERPD:0041E518,ERPAC:0041E58C) RNBOsproExtendedRead returns: 4 Cell: 7 Data: FFFF Access Code: FF Return Address: 4071D4 RNBOsproGetFullStatus(PPACKET:0041E820) RNBOsproGetFullStatus returns: 410404 Return Address: 4071F9 RNBOsproExtendedRead(PPACKET:0041E820,ERA:10010,ERPD:0041E518,ERPAC:0041E58C) RNBOsproExtendedRead returns: 0 Cell: 10 Data: 1F2F Access Code: 0 Return Address: 4071D4 RNBOsproExtendedRead(PPACKET:0041E820,ERA:10011,ERPD:0041E518,ERPAC:0041E58C) RNBOsproExtendedRead returns: 0 Cell: 11 Data: ABCD Access Code: 1 Return Address: 4071D4 RNBOsproExtendedRead(PPACKET:0041E820,ERA:10012,ERPD:0041E518,ERPAC:0041E58C) RNBOsproExtendedRead returns: 0 Cell: 12 Data: 23EF Access Code: 0 Return Address: 4071D4 RNBOsproWrite(PPACKET:0041E820,WP:10DBD,WA:10021,WD:1ACAC,WAC:10001) RNBOsproWrite returns: 0 Write Pswrd: DFG Address: 21 Data: ACAC Access Code: 1 Return Address: 406E7D RNBOsproExtendedRead(PPACKET:0041E820,ERA:10020,ERPD:0041E518,ERPAC:0041E58C) RNBOsproExtendedRead returns: 0 Cell: 20 Data: 0 Access Code: 0 Return Address: 4071D4 RNBOsproExtendedRead(PPACKET:0041E820,ERA:10021,ERPD:0041E518,ERPAC:0041E58C) RNBOsproExtendedRead returns: 0 Cell: 21 Data: ACAC Access Code: 1 Return Address: 4071D4 RNBOsproExtendedRead(PPACKET:0041E820,ERA:1000B,ERPD:0041E518,ERPAC:0041E58C) RNBOsproExtendedRead returns: 0 Cell: B Data: 5555 Access Code: 2 Return Address: 4071D4 RNBOsproDecrement(PPACKET:0041E820,WP:10DBD,WA:1000B) RNBOsproDecrement returns: 0 Write Password: DFG Address: B Return Address: 40547D RNBOsproExtendedRead(PPACKET:0041E820,ERA:1000B,ERPD:0041E518,ERPAC:0041E58C) RNBOsproExtendedRead returns: 0 Cell: B Data: 5554 Access Code: 2 Return Address: 4071D4 RNBOsproQuery(PPACKET:0041E820,QA:10008,QD:0041E598,QR:0041E530,QR32:0041E528,QL:10004) RNBOsproQuery returns: 0 Address: 8 Response32: 861CFFE3 Lenght: 4 Query string sent: 12121212 Response from dongle: 1C86E3FF Return Address: 406415 RNBOsproQuery(PPACKET:0041E820,QA:1000A,QD:0041E598,QR:0041E530,QR32:0041E528,QL:10004) RNBOsproQuery returns: 0 Address: A Response32: 12121212 Lenght: 4 Query string sent: 12121212 Response from dongle: 12121212 Return Address: 406415 RNBOsproQuery(PPACKET:0041E820,QA:1000C,QD:0041E598,QR:0041E530,QR32:0041E528,QL:10004) RNBOsproQuery returns: 0 Address: C Response32: 12121212 Lenght: 4 Query string sent: 12121212 Response from dongle: 12121212 Return Address: 406415 RNBOsproActivate(PPACKET:0041E820,WP:10DBD,AP1:13333,AP2:14444,WA:1000C) RNBOsproActivate returns: 0 Write Password: DFG Activate Pswrd1: 3334 Activate Pswrd2: 4445 Address: C Return Address: 404DA5 RNBOsproQuery(PPACKET:0041E820,QA:1000C,QD:0041E598,QR:0041E530,QR32:0041E528,QL:10004) RNBOsproQuery returns: 0 Address: C Response32: 7F3441D4 Lenght: 4 Query string sent: 12121212 Response from dongle: 347FD441 Return Address: 406415