Marx Crypto Box, the most Secure device ever made
("Protection Plus Professional")
project3
Dongles
03 February 1998
by Dr. Fuhrball
Updated
05 February 1998
Courtesy of Fravia's page of reverse engineering
 
Interesting reading... Dr Fuhrball has already given us the Simple unix busting essay... note that the cracking approach chosen here is perfectly accettable: the Author shows how the protection scheme works inside a target (so that all readers can learn) WITHOUT giving out a ready made crack for a valuable program to all lamers of the planet. Well, with 'our' dongle protection schemes we are getting quite forward, just a request to Dr Furhball for an add on as soon as he has some time:
...when I soldered enough wires to the microprocessor 
and stuck it in the pic burner I was able to read out the 
entire contents of the processor chip
many among our readers do NOT know how to read eeprom data. Could you please (since you are I believe the first one speaking of this subject in an essay published at the HCU) explain with some "length and depth" the whole process? (trial and errors comprised :-)

5 February 1998
Dr Fuhrball has answered with a first essay of a future 'hardware cracking' section, that for the moment will be hosted inside the dongle section. Thank a lot Dr Fuhrball! Hope you (and others :-) will send more and more essays on this gorgeous stuff, since few crackers (at the moment :-) practicize these interesting skills!
Here it is: Dr Fuhrball's redtreatment on the hardware side of accessing eeproms
(with three hand-written dongle wiring schemas and a short basic program)
Enjoy!
There is a crack, a crack in everything That's how the light gets in
Rating
( )Beginner (X)Intermediate ( )Advanced ( )Expert

An useful essay about the reversing of a dongle based protection scheme
Marx Crypto Box, the most Secure device ever made
("Protection Plus Professional")
Written by Dr Fuhrball


Introduction
I've decided to leave the universal dll shim for a later 
effort as i am gonna be seriously busy the next 3 weeks.

Today's cocktail:  40 year old single speyside malt "The Glenrothes"
(got a bottle of this for christmas. Wish I had a case)
Tools required
Wdasm
eprom burner

Target's URL/FTP
http://www.marx.com

Essay
Marx Crypto Box, highly simplified, by Dr. Fuhrball
The most recent and highly excellent essay from Frogs Print covers much of what I could possibly say about this subject. Here is an example of the Marx crypto box dongle. A totally bogus and highly insecure device in many ways. Their advertising on this device (www.marx.com) says that this is the most Secure device ever made, with a custom risc processor. The fact is that The device uses a pic16 processor (low voltage with 2mhz oscillator) and an 8kbit eeprom, both devices made by Microchip Inc. But it's even better, because when I soldered enough wires to the microprocessor and stuck it in the pic burner, I was able to read out the entire contents of the processor chip. This is secure????? And the same thing goes for the data inside the eeprom. Marx also sells a software only protection system (Protection Plus Professional). A free evaluation copy is available from their web site. This should be entertaining. This entire security system is based on one dll. Here is the entire API. CbN_BoxReady(unsigned int port number,unsigned char *boxname) CbN_DecRAM1(unsigned int port number,unsigned int id number,unsigned char *codeid,unsigned char *passwordram1, unsigned int counter address, unsigned int new count) CbN_DecRAM2(same as DecRAM1) CbN_Decrypt(unsigned int port number, unsigned int id number,unsigned char *codeid, unsigned int seed, unsigned int length,unsigned char *outdata) Cbn_Encrypt(same as Decrypt) CbN_IDEA_Decrypt(unsigned int port number, unsigned int id number, unsigned char *codeid, unsigned char *buffer, unsigned long length) CbN_IDEA_Encrypt(same as IDEA Decrypt) CbN_IncRam1(unsigned int port number, unsigned int id number, unsigned char *codeid,unsigned char *passwordram1, unsigned int counter address, unsigned int *net count) CbN_IncRam2(same as IncRam1) CbN_ReadID1(unsigned int port number, unsigned char *code id,unsigned long *idreturn) CbN_ReadID2(same as readid1) CbN_ReadID3(same as readid1) CbN_ReadID4(same as readid1) CbN_ReadID5(same as readid1) CbN_ReadID6(same as readid1) CbN_ReadID7(same as readid1) CbN_ReadID8(same as readid1) CbN_ReadRAM1(I'm getting tired of typing!) CbN_ReadRAM2(...) CbN_ReadSER(...) CbN_WriteRAM1(...) CbN_WriteRAM2(...) And the various return codes 0 the function worked correctly 1 wrong or missing argument 2 crypto-box key not available 3 error on standard encryption 4 error on IDEA encryption 5 crypto-box memory read access error 6 crypto-box memory write access error 7 error on counter increment or decrement 8 error on function call CbN_BoxReady() Part of the supposed security is the increase in number of bytes for successive functions. The serial number is 2 bytes long The id number is 3 bytes long The passwords are 4 bytes long This is similar in many ways to the software sentinel device which they have obviously copied from. Here is an example of it's use in a program. This program is NOT available from the net, and is of absolutely no use to 99% of the people out there. It is a conversion from its original UNIX version, and as such has a few bugs, but is still a highly valuable tool. As I have absolutely nothing against this fine company, and some of this company's instruments are the finest available in the world, I will not divulge the name of the program. * Reference To: CBNDLL.CbN_ReadSER, Ord:0020h | :0043431C E8F3791700 Call 005ABD14 :00434321 0FBFC0 movsx eax, ax :00434324 8985ACFEFFFF mov dword ptr [ebp+FFFFFEAC], eax :0043432A 83BDACFEFFFF00 cmp dword ptr [ebp+FFFFFEAC], 00000000 :00434331 0F8E11000000 jle 00434348 :00434337 6A00 push 00000000 :00434339 8B85ACFEFFFF mov eax, dword ptr [ebp+FFFFFEAC] :0043433F 50 push eax :00434340 E8B2DFFCFF call 004022F7 :00434345 83C408 add esp, 00000008 * Referenced by a Jump at Address:00434331(C) | :00434348 817DE4XXXXXXXX cmp dword ptr [ebp-1C],XXXXXXXX :0043434F 0F840F000000 je 00434364 * StringData Ref from Data Obj ->"The ..." removed for obvious reasons :00434355 68D8EF6100 push 0061EFD8 :0043435A 6A63 push 00000063 :0043435C E896DFFCFF call 004022F7 :00434361 83C408 add esp, 00000008 * Referenced by a Jump at Address:0043434F(C) | :00434364 C685A8FEFFFFXX mov byte ptr [ebp+FFFFFEA8], XX :0043436B C685A9FEFFFFXX mov byte ptr [ebp+FFFFFEA9], XX :00434372 C685AAFEFFFFXX mov byte ptr [ebp+FFFFFEAA], XX :00434379 C685ABFEFFFFXX mov byte ptr [ebp+FFFFFEAB], XX :00434380 C685BCFEFFFFXX mov byte ptr [ebp+FFFFFEBC], XX :00434387 C685BDFEFFFFXX mov byte ptr [ebp+FFFFFEBD], XX :0043438E C685BEFEFFFFXX mov byte ptr [ebp+FFFFFEBE], XX :00434395 C685BFFEFFFFXX mov byte ptr [ebp+FFFFFEBF], XX :0043439C C685C0FEFFFFXX mov byte ptr [ebp+FFFFFEC0], XX :004343A3 8D45EC lea eax, dword ptr [ebp-14] :004343A6 50 push eax :004343A7 8B85B0FEFFFF mov eax, dword ptr [ebp+FFFFFEB0] :004343AD 50 push eax :004343AE 6A14 push 00000014 :004343B0 8D85BCFEFFFF lea eax, dword ptr [ebp+FFFFFEBC] :004343B6 50 push eax :004343B7 8D85A8FEFFFF lea eax, dword ptr [ebp+FFFFFEA8] :004343BD 50 push eax :004343BE 6A01 push 00000001 :004343C0 6A01 push 00000001 * Reference To: CBNDLL.CbN_ReadRAM1, Ord:001Eh | :004343C2 E847791700 Call 005ABD0E :004343C7 0FBFC0 movsx eax, ax :004343CA 8985ACFEFFFF mov dword ptr [ebp+FFFFFEAC], eax :004343D0 83BDACFEFFFF00 cmp dword ptr [ebp+FFFFFEAC], 00000000 :004343D7 0F8E0F000000 jle 004343EC * StringData Ref from Data Obj ->"R..." Removed for obvious reasons | :004343DD 6808F06100 push 0061F008 :004343E2 6A63 push 00000063 :004343E4 E80EDFFCFF call 004022F7 :004343E9 83C408 add esp, 00000008 * Referenced by a Jump at Address:004343D7(C) | :004343EC 8B85B0FEFFFF mov eax, dword ptr [ebp+FFFFFEB0] :004343F2 C64405EC00 mov [ebp+eax-14], 00 :004343F7 8D45C8 lea eax, dword ptr [ebp-38] :004343FA 50 push eax :004343FB 8D45EC lea eax, dword ptr [ebp-14] :004343FE 50 push eax :004343FF E8DC8A1700 call 005ACEE0 :00434404 83C408 add esp, 00000008 :00434407 85C0 test eax, eax :00434409 0F840F000000 je 0043441E * StringData Ref from Data Obj ->"C..." Same here | :0043440F 6810F06100 push 0061F010 :00434414 6A63 push 00000063 :00434416 E8DCDEFCFF call 004022F7 :0043441B 83C408 add esp, 00000008 * Referenced by a Jump at Address:00434409(C) | :0043441E 33C0 xor eax, eax :00434420 E900000000 jmp 00434425 * Referenced by a Jump at Addresses:004342E3(U), :00434420(U) | :00434425 5F pop edi :00434426 5E pop esi :00434427 5B pop ebx :00434428 C9 leave :00434429 C3 ret it's a "no brainer" to replace the beginning of the code with a xor eax,eax pop edi pop esi pop ebx leave ret As I am a programmer (among other things) I have the attitude that software Protection is a waste of time. I believe that some other programmer's have the same opinion, they are forced by their bosses to install crap such as this, and they personally do not care that it can be reversed in minutes.


Ob Duh
I wont even bother explaining you that you should BUY this target program if you ever find it on the web and intend to use it for a longer period than the allowed one. Should you want to STEAL this software instead, you don't need to crack its protection scheme at all: you'll find it on most Warez sites, complete and already regged, farewell.

You are deep inside Fravia's page of reverse engineering, choose your way out:

projecT3
Back to project 3

redhomepage redlinks redsearch_forms red+ORC redstudents' essays redacademy database
redreality cracking redhow to search redjavascript wars
redtools redanonymity academy redcocktails redantismut CGI-scripts redmail_Fravia
redIs reverse engineering legal?