This is another
undongling ... And again the software side is the weak partner here !!!!!
Introduction |
I read a few essays here at Fravia's site about dongles. Two days ago I got an offer to unprotect a dongle-protection. I didn't had to think twice ... This is not the only protection used in this target ... There's also a serial-entry dialog. I decided not to implement this, because this is the dongle-project ....
The target today is a very expensive piece of software and very handy for people who also like to play around with hardware but lost their manuals/ don't have manuals... this program will provide you all the information you need .... jumpers,layout,specs.. (etc) of all PC-related products from all vendors (digital,compaq,adaptec.. clone-pc )
As we will go on in this essay we will see that a expensive protection (hardware keying) will also flunk with a stupid piece of software handling it !!!!
Tools required |
Well a usual soft-ice 3.x and
your own hex-editor , I like ultra-edit 5.00a
Target's URL/FTP |
Well
I guess a good store because this target is containing a install-floppy
and a data-cdrom which
explains why there is not a download-URL.... But I think you will get some
info from their site at www.mircohouse.com.
Program History |
I don't know but I
saw a hand full of older releases going back to 1996 , sorry no real data
Essay |
Okay like I already said before , dongles are one of the most expensive protections but when the software part of this alliance is weak .... bye bye money !!!!
When installing the software from the floppy the dongle is not checked yet (remember a serial is needed to complete the setup, I didn't include this here because this about dongles not about serial-checks). After clicking on the newly created shortcut we can see a nice picture and a little window checking for the dongle ....
When run the program without the dongle it will return a dialog-window telling us it wants to see dongle and waits for input (OK or cancel). If we run the program with the dongle and we unplug the dongle while using the target it will start nagging for the dongle after about 20sec (approx.).
Well after plugging the dongle back to the parallel-port, we'll set a break-point in soft-ice BPIO -H 378 R. Run the program again and we crash inside the code at this point
:0001.051D 83EA02 sub dx, 0002 :0001.0520 58 pop ax :0001.0521 EC in al, dx <<<< HERE :0001.0522 A27800 mov [0078], al :0001.0525 B0FF mov al, FF :0001.0527 EE out dx, al :0001.0528 51 push cx :0001.0529 8B0E5D00 mov cx, [005D] :0001.052D E2FE loop 052D :0001.052F 59 pop cx :0001.0530 B0FF mov al, FF :0001.0532 EE out dx, al :0001.0533 EB00 jmp 0535
As we can see we are right in the IO part which is chatting with the dongle, note we have a 16-bit program. Before we have a closer look at this dongle-talk, I like to find the big call who is executing this code. After pressing F12 (P RET) 3 times we'll get this VERY interesting piece of code.
:0002.0280 FF36C200 push word ptr [00C2] :0002.0284 FF36C000 push word ptr [00C0] :0002.0288 6A02 push 0002 :0002.028A 9AFFFF0000 call 0001.0164h :0002.028F 8BF0 mov si, ax :0002.0291 1E push ds :0002.0292 68CE00 push 00CE :0002.0295 6A0C push 000C :0002.0297 9AFFFF0000 call 0001.0164h :0002.029C 8BF0 mov si, ax <<<< 'HERE' POINT OF ENTRY :0002.029E 81FEEAE6 cmp si, E6EA :0002.02A2 750A jne 02AE :0002.02A4 C706BE000000 mov word ptr [00BE], 0000 :0002.02AA 33FF xor di, di :0002.02AC EB13 jmp 02C1
'HERE' we can see a nice piece of code and which we will soon see is the weak part of the dongle protection. The call 0001.0164h executes the dongle-chat code, the second one is the one we want, it returns a value in AX which is moved to SI and check with a absolute (read hard-wired) value of 'E6EAh'. When 7the dongle plugged to the port it will return this value, when missing it returns '0000' !!!! SO THIS MEANS WE FOUND THE MAIN CHECK AND UNPROTECTED THE TARGET, THIS WE DO BY COMPARING SI WITH 0000, OR NOPPING JNE 02AE AWAY (I did it by cmp si with 0000).
(BTW. the first call at 0002.028a is probably a check on which LPT port the dongle is located I didn't work that one out... I think it ain't so important...)
This is what I meant with the weakling in the alliance...... Note the zero-ing at 0002.02a4, remember that the dongle was check every 'XX' secs this mem-loc. this is the flag for the periodly dongle check, set to '1' it will go to this piece of code and the dongle is checked
:0002.023B BF0100 mov di, 0001 :0002.023E 833EBE0000 cmp word ptr [00BE], 0000 <<<< Check flag :0002.0243 7405 je 024A :0002.0245 33C0 xor ax, ax :0002.0247 E98200 jmp 02CC :0002.024A C706BE000100 mov word ptr [00BE], 0001 <<<< SET CHECK-FLAG
So after this action the target knows that he needs to check the dongle again, BUT since our target makes use of the same dongle_is_there-check (0002.029E) we don't need to worry about that !!!!
Okay let's also have a quick look at that dongle_chat routine .... It's a very long-treated routine, their for I didn't completely reverse it but I just pick a few high lights out of it (the important ones, in my opinion) and explained them.
I ran the program a few times and stepped thought the complete chat_to_dongle-routine a few times (NOT completing the loop (takes ages)). I found out that a series of digits were send to the parallel-port, dongle present or not (FF,FF,77,63,67,63,67,77). I think this is to activate the hardware in the dongle. The same goes for ending a dongle-chat (00,FF,04,0C,0C)....
The data send and received from the dongle where related to a piece of data that looked like...
51.3A.4E.Lollapalooza
This was in memory as plain ASCII the hex look-a-like values were checked in the first call.
The Lollapalooza was used to manipulate the bits in DI. I couldn't find any piece of code in the dead-listing which was using DI as offset.
:0001.05BD 51 push cx :0001.05BE B90400 mov cx, 0004 :0001.05C1 97 xchg ax,di <<<<< :0001.05C2 8AE0 mov ah, al :0001.05C4 268A04 mov al , es:[si] <<< get char of Lollapalooza :0001.05C7 46 inc si :0001.05C8 D2C0 rol al, cl :0001.05CA D3C8 ror ax, cl :0001.05CC D3C8 ror ax, cl :0001.05CE 97 xchg ax,di <<<<<
I found out that DI was used to determine if the manipulated value in DI was odd or even.
:0001.0606 F7C70100 test di, 0001 <<< test is value is odd or even :0001.060A 7504 jne 0610 <<< odd then no changing BX :0001.060C F6D8 neg al :0001.060E D1D3 rcl bx, 01 <<< change value bx rol carry
The value BX is only changed if DI was even, so only at these times bx
is changed and at the last one BX will hold E6EA,
which is moved to AX just before leaving this complete CALL, which then
can be checked by E6EA
Okay end of transmission ..... maybe some other time or state .....
Final Notes |
I think that the dongle-prinicple missed it's target in this protection scheme, or it's just a stupid written piece of software. It could also be that I missed a few important facts about this scheme because a stepped quickly throught it in order to write and support this essay....
This may all be true , or held against me ... but still it's curious that at the end of this dongle-protection, a register is checked with a 'hard-wired' value to protect the bits and bytes ... it's also curious that the same routine is used to initialize the software and do the periodly check during the up-time of the software ( I mean the same routine and the same 'physical mem-location' !!! and not a second different looking routine).
If you ask me, the dongle missed it's target and has the same effect as a serial check ..... (why not using the dongle to make jumps in memory !!!!)..
Today I had a quick (and unexpected) look at the latest version of this software, which seem to be 'dongle-less' but now for every library you needed to key-in a serial ;).... I wonder why they let the dongle go ??? Did somebody else already made an essay ... ;o).... Or did they see the dongle missed target ???? We'll never know ...
Have a nice day .... MaD [CPT]
Ob Duh |
I wont even bother explaining you that you should BUY this target program if you intend to use it for a longer period than the allowed one. Should you want to STEAL this software instead, you don't need to crack its protection scheme at all: you'll find it on most Warez sites, complete and already regged, farewell.