|
Bashing
LPT-Parasites
DONGLES: The weak brothership between hard- and software
|
Dongles
|
16 February 1998
|
by MaD
|
|
|
Courtesy of Fravia's page of reverse engineering
|
slightly
edited
by Fravia+
|
fra_00E8
980216
Mad
1100
P3
PC
|
Well, Mad is slowly specialisying in dongles, and
this essays brings very important teachings for ALL shareware protectors too: the point of
using a dongle (if you really think you should, in our opinion that is a waste of money, a good
protection in assembly coded by you yourself will be MUCH more strong than a dongle
protection)... anyway, if you use a dongle, then use it as an encryption machine, play
with the return values, use filters and mathematical gimmicks INSIDE it... never never never
never just perform a "IS dongle there? No: ax=0, yes:ax=1" stupid check... or else blame
yourself... The 'spaghetti' code of the dongle calling snippets is also pretty intersting...
clearly someone had very funny ideas about how to use dongles here :-)
|
Very useful for
Programmers
|
|
There is a crack, a crack in everything That's how the light
gets in
|
|
Rating
|
(x)Beginner
(x)Intermediate ( )Advanced ( )Expert
|
|
Like in my last
essay about dongles, this is again a partner-ship where the dongle may be strong (who
knows?) but the software is certainly
the weak and poorly element. It's a very straight forward and simple to see through work.
Bashing
LPT-Parasites
The
weak brothership between hard- and software
Written
by MaD [CPT]
Well no so long ago I wrote my first essay on dongle protections,I got another one in my
hands and had an option the 'try' in at home ;).... Todays target also uses the dongle just
for checking if it's there or not .... and is checked ever time you call a small selection
of routines... (for instants the print-routine ...)
So the dongle once more missed it's target in my option (also see dong_mad.htm), I mean
using the dongle for jump-information in the source or maybe even better, encryption and
decryption on the fly (I think even more powerful)...
Why the simple is_dongle_there,_then_run,_else_nag routine !!!! Anyway just flip your
favorite CD in your CD-ROM player (I recommend any CD from THE DOORS :))))) Come on baby
fight my lighter (or what did jimmy boy sing ???)and look at my essay and see again a
stupid brothership between hard- and software .... :(
Well it's again soft-ice 3.x (what else??) and your own favorite
hex-editor , I always use ultraedit 5.00a
No
URL available.... This software has a very small group of people as target.
(I don't want to say any more)
(Sorry I prefer not to
reveal this target's name... see, it's a very specialized program, which
is very useful for very few people. I don't want to damage the Authors...
hey! What we want is to understand protection schemes, right? Who cares
about the exact bits and bytes?)
Okay ... Let's look at this target, I start to install which was very slow ..
I stopped the installation after the third floppy and there is an executable in the target
directory .... I ran the target and yes in came alive by telling me it didn't
see the dongle on the parallel port and now switched to demo-mode ....
Well as usual I run the program in both states, so I plugged this dongle to the parallel port,
and no message is displayed. When the dongle is disconnected from the PC all seem to work fine
but when certain functions are selected (print for example) it says it won't do that in
the demo version ... when connecting the dongle straight away and hit print again, my
nice Deskjet 690C starts printing away... This could mean that we might have an dongle that
is providing the software jump-info (offset data I mean).
okay let's get physical .... I fired up softice and set the usual breakpoint on LPT1
(BPIO -H 378 R). This will give us an entry in the target on the follow position.
:0003.0130 8B166E09 mov dx, [096E]
:0003.0134 EC in al, dx <<< point of entry
:0003.0135 A27209 mov [0972], al
:0003.0138 E8B505 call 06F0
:0003.013B B000 mov al, 00
:0003.013D EE out dx, al
:0003.013E E87C06 call 07BD
:0003.0141 B001 mov al, 01
:0003.0143 EE out dx, al
:0003.0144 E87606 call 07BD
:0003.0147 C606700901 mov byte ptr [0970], 01
:0003.014C E80706 call 0756
:0003.014F E80406 call 0756
:0003.0152 E8E705 call 073C
We are here right in the middle of the chat_to_dongle routine (16 bit source), since I'm a very
curious and impulsive person, I like to see the call that is responsible for the execution. So
I just hit on the F12-button a few times (p ret) and I come across the wonderful code (later on
I'll conclude the chat_to_dongle code ...)
:0002.0034 C8020000 enter 0002, 00
:0002.0038 C646FE00 mov byte ptr [bp-02], 00 <<< reset flag dongle_there
:0002.003C 6A00 push 0000
:0002.003E 6A01 push 0001
:0002.0040 8D7EFE lea di, [bp-02]
:0002.0043 16 push ss
:0002.0044 57 push di
:0002.0045 9AFFFF0000 call 0002.005Bh
:0002.004A 807EFE03 cmp byte ptr [bp-02], 03 <<<< point of entry ....
:0002.004E B000 mov al, 00
:0002.0050 7501 jne 0053
:0002.0052 40 inc ax
Well well, we see a call 0002.005b which hold among other things the dongle_chat routine. After
this call there's a cmp-action, which compares the location [bp-02) with 03 (and it will hold 03
if the dongle is attached to the parallel-port). If you run the target without the dongle
[bp-02] will hold 00 so ... I ran the program with the dongle, on the fly I unplugged it ....
press the print-button (which gives you the nag ... this to verify if the program responded)
now patch the program at 0002.004A, so it compares loc. [bp-02] with 00,and press the print
button .... tatatatataaaaa !!!! If you now patch it on the disk, you will see the same routine
is used also for startup ... :(
So again we found a dongle-protection that will only use the dongle as reference, instead of
encryption or jumping !!!
I can't understand why software houses want to protect their software with this crap !!!!
Okay let's look at the dongle-chat routine .... I just picked some highlights out of this
scheme and explain them ...
The follow routine (0003.0013 - 0003.0079) is used to determine on which LPT-device the
dongle is plugged.
:0003.0013 A4 movsb
:0003.0014 06 push es
:0003.0015 1F pop ds
:0003.0016 813E6E097803 cmp word ptr [096E], 0378
:0003.001C 745E je 007C
:0003.001E 813E6E09BC03 cmp word ptr [096E], 03BC
:0003.0024 7456 je 007C
:0003.0026 813E6E097802 cmp word ptr [096E], 0278
:0003.002C 744E je 007C
Here mem.loc. DS:[096E] is check if it contains 0378 ,0278 (in other words LPT1 and LPT2).
As we can see here that our target must be old or is still compatible with the good old
hercules card because 03BC is used on the hercules graphic-adaptor (integrated)... (I'm not
talking about the hercules 3D color-adaptor but the ancient mono-hercules). This was also seen
as LPT1 (long time ago since I've last seen that).
This checking is done, so they can use the same routine at 1.)start-up to check on which port
the dongle is and 2.)check the dongle later on in the program if it's still there BUT without
having to check on which LPT port the dongle is ('cause the routine is very long threaded and
takes time which would be bad for performance).
:0003.002E E83F07 call 0770
In this call a check is preformed to test how fast your CPU is so that they can (later on
in the program, using this info to) time with a simple loop, the delay they need in between
transfers to the dongle. This is stored in ds:0977 and used by a call 07BD (for me that value
is 1E = pentium 200)
The timing is done by checking on 1017:006C (this is the LSB of the clock-count,see int. 1A/00)
while executing a number of loops in 1/18 of a sec. Okay let's go on before we get to detailed..
:0003.0031 C7066E097803 mov word ptr [096E], 0378
:0003.0037 BE7A09 mov si, 097A
:0003.003A E8E300 call 0120
:0003.003D E8A901 call 01E9
:0003.0040 3C7B cmp al, 7B
:0003.0042 743E je 0082
Here we can see that the program assumes that the dongle is plugged to LPT1, before entering
the actual check-routines call 0120,call 01e9. which return in case of an dongle 7B and
no dongle FF. If the dongle is not found the target will try the next option (see 0003.0044 -
0003.0079)
:0003.0044 E86B06 call 06B2
Here it looks like the previous LPT-port is reset so that any printer attached will not be
effected later when the program is ended.
:0003.0047 C7066E09BC03 mov word ptr [096E], 03BC
:0003.004D BE7A09 mov si, 097A
:0003.0050 E8CD00 call 0120
:0003.0053 E89301 call 01E9
:0003.0056 3C7B cmp al, 7B
:0003.0058 7428 je 0082
:0003.005A E85506 call 06B2
:0003.005D C7066E097802 mov word ptr [096E], 0278
:0003.0063 BE7A09 mov si, 097A
:0003.0066 E8B700 call 0120
:0003.0069 E87D01 call 01E9
:0003.006C 3C7B cmp al, 7B
:0003.006E 7412 je 0082
:0003.0070 E83F06 call 06B2
:0003.0073 C7066E090000 mov word ptr [096E], 0000
:0003.0079 EB07 jmp 0082
If no dongle is found DS:[096E] is set with 0 so the program knows that there is no dongle
present.
I like to show you the timing-routine,
:0003.0770 50 push ax
:0003.0771 53 push bx
:0003.0772 51 push cx
:0003.0773 1E push ds
:0003.0774 B8FFFF mov ax, OFFSET ADDR of KERNEL.LOCALLOCK
:0003.0777 8ED8 mov ds, ax
:0003.0779 B9FFFF mov cx, FFFF
:0003.077C A06C00 mov al, [006C] <<< get current LSB of clock
:0003.077F B30A mov bl, 0A
:0003.0781 90 nop
:0003.0782 FECB dec bl
:0003.0784 75FB jne 0781
:0003.0786 49 dec cx
:0003.0787 742A je 07B3
:0003.0789 3A066C00 cmp al , [006C] <<< Has the clock changed since
:0003.078D 74F0 je 077F <<< last performed loops,no then again
:0003.078F B90000 mov cx, 0000 <<< {I don't understand this reset
CX is left unused at this time}
:0003.0792 A06C00 mov al, [006C] |
:0003.0795 B30A mov bl, 0A |This piece of code is performing
:0003.0797 90 nop |the same check as the one above
:0003.0798 FECB dec bl |but now the number of executions
:0003.079A 75FB jne 0797 |is held in CX
:0003.079C 41 inc cx |
:0003.079D 3A066C00 cmp al , [006C] |And stored in DS:0977 if it's 6 or
:0003.07A1 74F2 je 0795 |more !!! else DS:0977 will contain 1
:0003.07A3 80FD05 cmp ch, 05 |The slow CPUs.... :)
:0003.07A6 7302 jnb 07AA |
:0003.07A8 B501 mov ch, 01 |
:0003.07AA 1F pop ds |
:0003.07AB 882E7709 mov [0977], ch |
:0003.07AF 59 pop cx
:0003.07B0 5B pop bx
:0003.07B1 58 pop ax
:0003.07B2 C3 ret
I just commented to lines so I don't have to write down the line-numbers all the time.. (LAZY)
This value stored in DS:0977 is used in the following delay-routine
:0003.07BD 51 push cx
:0003.07BE 8A0E7709 mov cl , [0977]
:0003.07C2 FEC9 dec cl
:0003.07C4 75FC jne 07C2
:0003.07C6 59 pop cx
:0003.07C7 C3 ret
I don't need to comment that I hope ..... And a example of this routine in action looks like
this ....
:0003.018C E82E06 call 07BD
:0003.018F 0C80 or al, 80
:0003.0191 EE out dx, al
:0003.0192 E82806 call 07BD
:0003.0195 24BF and al, BF
:0003.0197 EE out dx, al
:0003.0198 E82206 call 07BD
:0003.019B 0C40 or al, 40
:0003.019D EE out dx, al
Also no comment needed ....
Okay about the dongle_chat routines, I decided not to include code, it's specific for this
dongle and won't add any value for later essays or reversals. I will make a conclusion here
about the chat-routine, which is more general and has value for later on.
The CALL 0120 was a very long and spaghetti like structure. Sub_routines would be called 10's
of times after each other to form LONG strings of binary code which were sent to the dongle.
But not once a value was read back, not at port 0379 or 037A and the semi-bi-directional way
(write FFh to the IO-port 0378 (out 0378,ff) and read in right back (in al,378) so that
all the low bits (read zeros) are displayed ....) So this routine is used to enable the hardware
in the dongle. The Call 01E9 there was again a lot of bytes send to the dongle, after this was
done the target started to read data from IO-port 0379. Testing the received value for bit 20h
, which meant OR CL,CH or don't OR CL,CH. This was following by a SHL CH,1 (okay a little code).
:0003.022E EC in al, dx
:0003.022F A820 test al, 20
:0003.0231 7402 je 0235
:0003.0233 0ACD or cl , ch
:0003.0235 D0E5 shl ch, 01
:0003.0237 75EF jne 0228
This would give FFh in case the dongle was unplugged and 7Bh in case the dongle was connected.
Well today we see that in this case of a dongle protection, the dongle could also be replaced
by a good serial-scheme. Because the program doesn't really need the dongle to run. The dongle
here will only slow down the program (in theory) in stead of protecting it. I see it as a
parasite, consuming power and time but doesn't REALLY do what it's suppose to do because the
combination of the software and the dongle is again to simple....
I said in my essay also something about using the dongle as encryption-key on the fly.. Well
thinking over this statement I now must concluded that in will slow down the software
performance. But still it's a nice thought, though.
Anyway another dongle has revealed it's true protection capabilities and I hope they will be
improved in the future, otherwise it's a dying bread of protect, I reckon (well ain't it already
by the cost of it ....???)
Have a nice day and keep hunting
MaD [CPT]
btw. I want to THANK Fravia , for not publishing this essay right away... (he knows why ..!!)
I wont even bother explaining you that you should BUY this
target program if you intend to use it for a longer period than the allowed
one. Should you want to STEAL this software instead, you don't need to
crack its protection scheme at all: you'll find it on most Warez sites,
complete and already regged, farewell.
You are deep inside Fravia's page of reverse engineering, choose
your way out:
Back to project 3
homepage
links
search_forms
+ORC
students'
essays academy
database
reality
cracking how
to search javascript
wars
tools
anonymity
academy cocktails
antismut
CGI-scripts mail_Fravia
Is
reverse engineering legal?