Unplugging a dongle protection
unplugging technical library
from Micro house

project3
Project 3

13 February 1998
by MaD

Courtesy of Fravia's page of reverse engineering

 
fra_00E6
981302
MAD
1100
P3
PC

Great essay, dongle cracking takes another rithm!

There is a crack, a crack in everything That's how the light gets in

Rating
(x)Beginner (x)Intermediate ( )Advanced ( )Expert


This is another undongling ... And again the software side is the weak partner here !!!!!


Unplugging a dongle protection
unplugging technical library from Micro house
Written by MaD [CPT]

Introduction

I read a few essays here at Fravia's site about dongles. Two days ago I got an offer to
unprotect a dongle-protection. I didn't had to think twice ... This is not the only 
protection used in this target ... There's also a serial-entry dialog. I decided not to
implement this, because this is the dongle-project .... 
The target today is a very expensive piece of software and very handy for people who
also like to play around with hardware but lost their manuals/ don't have manuals...
this program will provide you all the information you need .... jumpers,layout,specs.. (etc) 
of all PC-related products from all vendors (digital,compaq,adaptec.. clone-pc )
As we will go on in this essay we will see that a expensive protection (hardware keying)
will also flunk with a stupid piece of software handling it !!!!


Tools required

Well a usual soft-ice 3.x and
your own hex-editor , I like ultra-edit 5.00a

Target's URL/FTP

Well I guess a good store because this target is containing a install-floppy and a data-cdrom which
explains why there is not a download-URL.... But I think you will get some info from their site at www.mircohouse.com.

Program History

I don't know but I saw a hand full of older releases going back to 1996 , sorry no real data

Essay

Okay like I already said before , dongles are one of the most expensive protections but when
the software part of this alliance is weak .... bye bye money !!!!
When installing the software from the floppy the dongle is not checked yet (remember a serial
is needed to complete the setup, I didn't include this here because this about dongles
not about serial-checks). After clicking on the newly created shortcut we can see a nice
picture and a little window checking for the dongle .... 
When run the program without the dongle it will return a dialog-window telling us it wants
to see dongle and waits for input (OK or cancel). If we run the program with the dongle and
we unplug the dongle while using the target it will start nagging for the dongle after
about 20sec (approx.).
Well after plugging the dongle back to the parallel-port, we'll set a break-point in soft-ice
BPIO -H 378 R. Run the program again and we crash inside the code at this point
As we can see we are right in the IO part which is chatting with the dongle, note we have a
16-bit program. Before we have a closer look at this dongle-talk, I like to find the big call
who is executing this code. After pressing F12 (P RET) 3 times we'll get this VERY interesting
piece of code.
'HERE' we can see a nice piece of code and which we will soon see is the weak part of the dongle
protection. The call 0001.0164h executes the dongle-chat code, the second one is the one we 
want, it returns a value in AX which is moved to SI and check with a absolute (read hard-wired)
value of 'E6EAh'. When 7the dongle plugged to the port it will return this value, when missing
it returns '0000' !!!! SO THIS MEANS WE FOUND THE MAIN CHECK AND UNPROTECTED THE TARGET, THIS WE
DO BY COMPARING SI WITH 0000, OR NOPPING JNE 02AE AWAY (I did it by cmp si with 0000).
(BTW. the first call at 0002.028a is probably a check on which LPT port the dongle is located
I didn't work that one out... I think it ain't so important...)
This is what I meant with the weakling in the alliance...... Note the zero-ing at 0002.02a4, 
remember that the dongle was check every 'XX' secs this mem-loc. this is the flag for the 
periodly dongle check, set to '1' it will go to this piece of code and the dongle is checked
So after this action the target knows that he needs to check the dongle again, BUT since
our target makes use of the same dongle_is_there-check (0002.029E) we don't need to worry
about that !!!!
Okay let's also have a quick look at that dongle_chat routine ....
It's a very long-treated routine, their for I didn't completely reverse it but I just pick a few 
high lights out of it (the important ones, in my opinion) and explained them. 
I ran the program a few times and stepped thought the complete chat_to_dongle-routine a few 
times (NOT completing the loop (takes ages)). I found out that a series of digits were send to 
the parallel-port, dongle present or not (FF,FF,77,63,67,63,67,77). I think this is to activate
the hardware in the dongle. The same goes for ending a dongle-chat (00,FF,04,0C,0C)....
The data send and received from the dongle where related to a piece of data that looked like...
This was in memory as plain ASCII the hex look-a-like values were checked in the first call. 
The Lollapalooza was used to manipulate the bits in DI. I couldn't find any piece of code in the
dead-listing which was using DI as offset.
I found out that DI was used to determine if the manipulated value in DI was odd or even.


The value BX is only changed if DI was even, so only at these times bx is changed and at the last one BX will hold E6EA,
which is moved to AX just before leaving this complete CALL, which then can be checked by E6EA

Okay end of transmission ..... maybe some other time or state .....

Final Notes

I think that the dongle-prinicple missed it's target in this protection scheme, or it's just
a stupid written piece of software. It could also be that I missed a few important facts
about this scheme because a stepped quickly throught it in order to write and support this 
essay.... 
This may all be true , or held against me ... but still it's curious that at the end of this 
dongle-protection, a register is  checked with a 'hard-wired' value to protect the bits and
bytes  ... it's also curious that the same routine is used to initialize the software and  do
the periodly check during the up-time of the software ( I mean the same routine and the same
'physical mem-location' !!! and not a second different looking routine).
If you ask me, the dongle missed it's target and has the same effect as a serial check ..... 
(why not using the dongle to make jumps in memory !!!!)..
Today I had a quick (and unexpected) look at the latest version of this software, which seem to
be 'dongle-less' but now for every library you needed to key-in a serial ;).... I wonder why 
they let the dongle go ??? Did somebody else already made an essay ... ;o).... Or did they see 
the dongle missed target ???? We'll never know ...

Have a nice day .... MaD [CPT]



Ob Duh

I wont even bother explaining you that you should BUY this target program if you intend to use it for a longer period than the allowed one. Should you want to STEAL this software instead, you don't need to crack its protection scheme at all: you'll find it on most Warez sites, complete and already regged, farewell.


You are deep inside Fravia's page of reverse engineering, choose your way out:

project3
Back to project 3

redhomepage redlinks redsearch_forms red+ORC redstudents' essays redacademy database
redreality cracking redhow to search redjavascript wars
redtools redanonymity academy redcocktails redantismut CGI-scripts redmail_Fravia
redIs reverse engineering legal?