http://www.ktx.com - Webpage.
Installation Files available on request.
Updated 6th October 1999
Welcome to this updated dongle tutorial, where I'm re-examining an old foe, a Sentinel. I'll assume you have downloaded the pertinent files for this tutorial or have access to them. The first step is to run maxauth.exe to authorise your copy of 3D Studio Max. I'm not particularly concerned how you crack this part: bpx GetDlgItemTextA and trace, patch by working back from the message box (disassembly), or simply type 1039120D.
Unsurprisingly, running 3DSMax produces an error; however, you should easily be able to find the address of the nag with a well-timed bpx MessageBoxA. 00450F21 looks like the offending routine; note the CALL EBP instruction, which of course is really a call to [MessageBoxA]. We can now *attempt* to examine 3dsmax.exe in W32Dasm, however something's up. Try it and see: instead of disassembling, W32Dasm appears to involuntarily launch 3DSMax, and if you're lucky the worst you'll get is a return to SoftICE with an error.
At this point we have several options: either figure out what tricks are being used to fool W32Dasm, or use IDA, which does not seem to have the same problem. I played with W32Dasm for a little while with a bpx ReadFile at the file open dialog and traced painstakingly through the memory allocation and file opening, and found the offending instruction at 0045C6D2; unfortunately reversing the zero flag here still gives an error inside cw3220.dll, which I couldn't see much point in trying to solve.
This leaves us with IDA; however, disassembling 3dsmax.exe I fear may take a while. In the interim let's commence our probes using SoftICE. A possible line of attack may be a bpx CreateFileA, for the following reason: it is known that the program must open a driver file to communicate with the dongle (in this case sentinel.vxd), and as this file is not installed on our system the API call is certain to fail, so we can impose an IF condition upon this breakpoint. Let's do the following:
bpx CreateFileA if EAX==ffffffff <-- note the 2 equals signs.
* Note you can use bpio -h 378 rw also.
Sure enough, after several irrelevant returns SoftICE stops on the following:
:0055214C PUSH 00552120 <-- //Sentinel.vxd
:00552151 CALL KERNEL32!CreateFileA
This code is now where we want to start tracing from; it's probably easier to continue probing using the SoftICE loader and the g command. Needless to say, the conditional jump after this break needs to be reversed. Once back at this code we'll work out how many times we can press F12 before our message box snaps; you should find that 6 or so presses, or address 00450DFD, is as far as you can go.
Evidently 00450DFD is a good entry point; recalling that we know the address of the message box (0045FD21), this is not too far away, and an analysis of the code in between is certainly desirable. Just simple stepping, and perhaps some zen feeling, ought to make the following code look suspicious (the listing is taken from IDA).
:00450E5C MOV EDX, DWORD_561248 <-- D30Eh.
:00450E62 XOR EDX, 73ADh <-- EDX = A0A3h.
:00450E68 PUSH EDX <-- Push it.
:00450E69 LEA EDX, [ESP+678+var_464] <-- Start of packet record.
:00450E70 PUSH EAX <-- Push it.
:00450E71 CALL SUB_552A50 <-- Note the delay.
:00450E76 TEST AX,AX <-- AX=3 here, (dongle not present).
:00450E79 JZ loc_450F23 <-- Jump over the message box.
Look at this code and understand why this *must* be a check; also look at what happens when we fail the first JZ. Incredible as it may seem, the program does a trite repetition of the code above: 3DSMax obviously attempts to access the dongle 3 times before displaying the message box. Using Sentinel's own API guide we can attempt to match this code to a specific function; it looks to me like sproFindFirstUnit() or something equivalent, and A0A3 I think is Kinetix's developer ID. Naturally we'll use this '7242' as a search string to identify any other Sentinel checks.
As I've seen a few Sentinels over the years I would expect to find 15 or so other references to '7242'; the proximity of the addresses should be clear, because this I am certain is a library which every developer is using regardless of whether they use all of its functions. Using IDA you'll be able to see that most of these functions are never reached. That's the great thing about IDA: it follows all the execution paths, so unless you receive pages of errors you can be pretty confident of its results.
As an aside, there is also a check inside util.dll, provided as an interface for use by plugin developers; unmangled it is exported as HardwareLockID, and it seems to call sproFindFirstUnit() (CALL 2802BEF0) & sproRead() (CALL 2802C0C0) to retrieve the serial number. You'll need to patch this as you see fit: at the end of this function EAX must hold your dongle serial number :-), else XOR EAX, EAX, no dongle.