Exetools

Exetools (https://forum.exetools.com/index.php)
-   General Discussion (https://forum.exetools.com/forumdisplay.php?f=2)
-   -   rainbow new api (https://forum.exetools.com/showthread.php?t=8218)

farzadfarzad 09-27-2005 14:16
rainbow new api
 
hi

i found some of sentinel api functiong which are changed.
and none of sig's(killer,cyberheg..)can distinguish the function
1-have you any new sig
2-anyone have any experiance for reversing new rainbow dongle for sharing

thanx

this is part of firstfindunit
----------------------------------------------text:10005B30 var_46 = word ptr -46h
.text:10005B30 var_44 = word ptr -44h
.text:10005B30 var_40 = byte ptr -40h
.text:10005B30 arg_0 = dword ptr 4
.text:10005B30 arg_4 = word ptr 8
.text:10005B30
.text:10005B30 sub esp, 48h
.text:10005B33 mov [esp+48h+var_46], 0
.text:10005B3A push ebx
.text:10005B3B push esi
.text:10005B3C mov ebx, [esp+50h+arg_0]
.text:10005B40 push edi
.text:10005B41 push ebp
.text:10005B42 test ebx, ebx
.text:10005B44 jz loc_10005DD5
.text:10005B4A mov bp, [esp+58h+arg_4]
.text:10005B4F test bp, bp
.text:10005B52 jz loc_10005DD5
.text:10005B58 cmp bp, 0FFFFh
.text:10005B5D jnz short loc_10005B6D
.text:10005B5F mov ax, 3
.text:10005B63 pop ebp
.text:10005B64 pop edi
.text:10005B65 pop esi
.text:10005B66 pop ebx
.text:10005B67 add esp, 48h
.text:10005B6A retn 8
.text:10005B6D ; ---------------------------------------------------------------------------
.text:10005B6D
.text:10005B6D loc_10005B6D: ; CODE XREF: RNBOsproFindFirstUnit+2Dj
.text:10005B6D push ebx
.text:10005B6E call sub_1000F2A0
.text:10005B73 mov esi, eax
.text:10005B75 mov ax, [esi]
.text:10005B78 cmp ax, 7242h
.text:10005B7C jz short loc_10005B89
.text:10005B7E cmp ax, 7243h
.text:10005B82 jz short loc_10005B89
.text:10005B84 mov edi, [ebx+54h]
.text:10005B87 jmp short loc_10005B94
.text:10005B89 ; ---------------------------------------------------------------------------
.text:10005B89
.text:10005B89 loc_10005B89: ; CODE XREF: RNBOsproFindFirstUnit+4Cj
.text:10005B89 ; RNBOsproFindFirstUnit+52j
.text:10005B89 mov [esp+58h+var_46], 1
.text:10005B90 mov edi, dword ptr [esp+58h+var_40]
.text:10005B94
.text:10005B94 loc_10005B94: ; CODE XREF: RNBOsproFindFirstUnit+57j
.text:10005B94 lea eax, [esp+58h+var_40]
.text:10005B98 push 40h
.text:10005B9A push eax
.text:10005B9B push ebx
.text:10005B9C call RNBOsproGetContactServer
.text:10005BA1 test ax, ax
.text:10005BA4 jnz loc_10005DD9
.text:10005BAA lea eax, [esp+58h+var_40]
.text:10005BAE push offset aRnbo_standalon ; char *
.text:10005BB3 push eax ; char *
.text:10005BB4 call ds:_stricmp
.text:10005BBA add esp, 8
.text:10005BBD test eax, eax
.text:10005BBF jz loc_10005CF1
.text:10005BC5 lea eax, [esp+58h+var_40]
.text:10005BC9 push offset aRnbo_spn_drive ; char *
.text:10005BCE push eax ; char *
.text:10005BCF call ds:_stricmp
.text:10005BD5 add esp, 8
.text:10005BD8 test eax, eax
.text:10005BDA jz loc_10005CF1
.text:10005BE0 lea eax, [esp+58h+var_40]
.text:10005BE4 push offset aNoNet ; char *
.text:10005BE9 push eax ; char *
.text:10005BEA call ds:_stricmp
.text:10005BF0 add esp, 8
.text:10005BF3 test eax, eax
.text:10005BF5 jz loc_10005CF1
.text:10005BFB lea eax, [esp+58h+var_40]
.text:10005BFF push offset aRnbo_spn_all_m ; char *
.text:10005C04 push eax ; char *
.text:10005C05 call ds:_stricmp
.text:10005C0B add esp, 8
.text:10005C0E test eax, eax
.text:10005C10 jz short loc_10005C2A
.text:10005C12 cmp [esp+58h+var_40], 0
.text:10005C17 jz short loc_10005C2A
.text:10005C19 push ebp
.text:10005C1A push ebx
.text:10005C1B call sub_10007140
.text:10005C20 pop ebp
.text:10005C21 pop edi
.text:10005C22 pop esi
.text:10005C23 pop ebx
.text:10005C24 add esp, 48h
.text:10005C27 retn 8
.text:10005C2A ; ---------------------------------------------------------------------------
.text:10005C2A
.text:10005C2A loc_10005C2A: ; CODE XREF: RNBOsproFindFirstUnit+E0j
.text:10005C2A ; RNBOsproFindFirstUnit+E7j
.text:10005C2A cmp word ptr [esi], 7242h
.text:10005C2F jz short loc_10005C60
.text:10005C31 push 404h
.text:10005C36 push ebx
.text:10005C37 call sub_10004BF0
.text:10005C3C push ebx
.text:10005C3D call sub_10004C10
.text:10005C42 test ax, ax
.text:10005C45 jz short loc_10005C60
.text:10005C47 push ebp
.text:10005C48 mov [ebx+54h], edi
.text:10005C4B mov word ptr [esi], 8DBDh
.text:10005C50 push ebx
.text:10005C51 call sub_10007140
.text:10005C56 pop ebp
.text:10005C57 pop edi
.text:10005C58 pop esi
.text:10005C59 pop ebx
.text:10005C5A add esp, 48h
.text:10005C5D retn 8
.text:10005C60 ; ---------------------------------------------------------------------------
.text:10005C60
.text:10005C60 loc_10005C60: ; CODE XREF: RNBOsproFindFirstUnit+FFj
.text:10005C60 ; RNBOsproFindFirstUnit+115j
.text:10005C60 push 1
.text:10005C62 push ebp
.text:10005C63 push ebx
.text:10005C64 call sub_10004C40
.text:10005C69 mov [esp+58h+var_44], ax
.text:10005C6E test ax, ax
.text:10005C71 jz short loc_10005C8C
.text:10005C73 push ebp
.text:10005C74 mov [ebx+54h], edi
.text:10005C77 mov word ptr [esi], 8DBDh
.text:10005C7C push ebx
.text:10005C7D call sub_10007140
.text:10005C82 pop ebp
.text:10005C83 pop edi
.text:10005C84 pop esi
.text:10005C85 pop ebx
.text:10005C86 add esp, 48h
.text:10005C89 retn 8

peterg70 09-30-2005 17:07
why not create new signatures using IDA that way we can tell.
Also document what version of driver and sentinel coding you find or think it is.

farzadfarzad 10-02-2005 15:51
sentinel driver and sig
 
1 Attachment(s)
hi
I posted towice ur answer but i dontknow why they r not shown.
the driver version (is 5.42.1 32bit).but i dont know how can i make sig
with a dissasembeled a dll file in ida .by the way i found new sentinel superpro some where (up to 6.3 ver).so if it posible tel me in detail
1-how can imake sig with ida pro(i'm working with 4.7 ver)

thanx


All times are GMT +8. The time now is 14:27.

Powered by vBulletin® Version 3.8.8
Copyright ©2000 - 2026, vBulletin Solutions, Inc.
Always Your Best Friend: Aaron, JMI, ahmadmansoor, ZeNiX