Unplugging a dongle protection

	Unplugging a dongle protection `unplugging technical library from Micro house`	Project 3
13 February 1998	by MaD
	Courtesy of Fravia's page of reverse engineering
fra_00E6 981302 MAD 1100 P3 PC	Great essay, dongle cracking takes another rithm!
	There is a crack, a crack in everything That's how the light gets in
Rating	(x)Beginner (x)Intermediate ( )Advanced ( )Expert

This is another undongling ... And again the software side is the weak partner here !!!!!

Unplugging a dongle protection
unplugging technical library from Micro houseWritten by MaD [CPT]

Introduction

I read a few essays here at Fravia's site about dongles. Two days ago I got an offer to
unprotect a dongle-protection. I didn't had to think twice ... This is not the only 
protection used in this target ... There's also a serial-entry dialog. I decided not to
implement this, because this is the dongle-project ....

The target today is a very expensive piece of software and very handy for people who
also like to play around with hardware but lost their manuals/ don't have manuals...
this program will provide you all the information you need .... jumpers,layout,specs.. (etc) 
of all PC-related products from all vendors (digital,compaq,adaptec.. clone-pc )

As we will go on in this essay we will see that a expensive protection (hardware keying)
will also flunk with a stupid piece of software handling it !!!!

Tools required

Well a usual soft-ice 3.x and
your own hex-editor , I like ultra-edit 5.00a

Target's URL/FTP

Well I guess a good store because this target is containing a install-floppy and a data-cdrom which
explains why there is not a download-URL.... But I think you will get some info from their site at www.mircohouse.com.

Program History

I don't know but I saw a hand full of older releases going back to 1996 , sorry no real data

Essay

Okay like I already said before , dongles are one of the most expensive protections but when
the software part of this alliance is weak .... bye bye money !!!!

When installing the software from the floppy the dongle is not checked yet (remember a serial
is needed to complete the setup, I didn't include this here because this about dongles
not about serial-checks). After clicking on the newly created shortcut we can see a nice
picture and a little window checking for the dongle ....

When run the program without the dongle it will return a dialog-window telling us it wants
to see dongle and waits for input (OK or cancel). If we run the program with the dongle and
we unplug the dongle while using the target it will start nagging for the dongle after
about 20sec (approx.).

Well after plugging the dongle back to the parallel-port, we'll set a break-point in soft-ice
BPIO -H 378 R. Run the program again and we crash inside the code at this point

:0001.051D 83EA02                 sub dx, 0002
:0001.0520 58                     pop ax
:0001.0521 EC                     in al, dx           <<<< HERE
:0001.0522 A27800                 mov [0078], al
:0001.0525 B0FF                   mov al, FF
:0001.0527 EE                     out dx, al
:0001.0528 51                     push cx
:0001.0529 8B0E5D00               mov cx, [005D]
:0001.052D E2FE                   loop 052D
:0001.052F 59                     pop cx
:0001.0530 B0FF                   mov al, FF
:0001.0532 EE                     out dx, al
:0001.0533 EB00                   jmp 0535

As we can see we are right in the IO part which is chatting with the dongle, note we have a
16-bit program. Before we have a closer look at this dongle-talk, I like to find the big call
who is executing this code. After pressing F12 (P RET) 3 times we'll get this VERY interesting
piece of code.

:0002.0280 FF36C200               push word ptr [00C2]
:0002.0284 FF36C000               push word ptr [00C0]
:0002.0288 6A02                   push 0002
:0002.028A 9AFFFF0000             call 0001.0164h
:0002.028F 8BF0                   mov si, ax
:0002.0291 1E                     push ds
:0002.0292 68CE00                 push 00CE
:0002.0295 6A0C                   push 000C
:0002.0297 9AFFFF0000             call 0001.0164h
:0002.029C 8BF0                   mov si, ax               <<<< 'HERE' POINT OF ENTRY
:0002.029E 81FEEAE6               cmp si, E6EA
:0002.02A2 750A                   jne 02AE
:0002.02A4 C706BE000000           mov word ptr [00BE], 0000
:0002.02AA 33FF                   xor di, di
:0002.02AC EB13                   jmp 02C1

'HERE' we can see a nice piece of code and which we will soon see is the weak part of the dongle
protection. The call 0001.0164h executes the dongle-chat code, the second one is the one we 
want, it returns a value in AX which is moved to SI and check with a absolute (read hard-wired)
value of 'E6EAh'. When 7the dongle plugged to the port it will return this value, when missing
it returns '0000' !!!! SO THIS MEANS WE FOUND THE MAIN CHECK AND UNPROTECTED THE TARGET, THIS WE
DO BY COMPARING SI WITH 0000, OR NOPPING JNE 02AE AWAY (I did it by cmp si with 0000).

(BTW. the first call at 0002.028a is probably a check on which LPT port the dongle is located
I didn't work that one out... I think it ain't so important...)

This is what I meant with the weakling in the alliance...... Note the zero-ing at 0002.02a4, 
remember that the dongle was check every 'XX' secs this mem-loc. this is the flag for the 
periodly dongle check, set to '1' it will go to this piece of code and the dongle is checked

:0002.023B BF0100                 mov di, 0001
:0002.023E 833EBE0000             cmp word ptr [00BE], 0000   <<<< Check flag
:0002.0243 7405                   je 024A
:0002.0245 33C0                   xor ax, ax
:0002.0247 E98200                 jmp 02CC
:0002.024A C706BE000100           mov word ptr [00BE], 0001    <<<< SET CHECK-FLAG

So after this action the target knows that he needs to check the dongle again, BUT since
our target makes use of the same dongle_is_there-check (0002.029E) we don't need to worry
about that !!!!

Okay let's also have a quick look at that dongle_chat routine ....
It's a very long-treated routine, their for I didn't completely reverse it but I just pick a few 
high lights out of it (the important ones, in my opinion) and explained them.

I ran the program a few times and stepped thought the complete chat_to_dongle-routine a few 
times (NOT completing the loop (takes ages)). I found out that a series of digits were send to 
the parallel-port, dongle present or not (FF,FF,77,63,67,63,67,77). I think this is to activate
the hardware in the dongle. The same goes for ending a dongle-chat (00,FF,04,0C,0C)....

The data send and received from the dongle where related to a piece of data that looked like...

51.3A.4E.Lollapalooza

This was in memory as plain ASCII the hex look-a-like values were checked in the first call.

The Lollapalooza was used to manipulate the bits in DI. I couldn't find any piece of code in the
dead-listing which was using DI as offset.

:0001.05BD 51                     push cx
:0001.05BE B90400                 mov cx, 0004
:0001.05C1 97                     xchg ax,di             <<<<<
:0001.05C2 8AE0                   mov ah, al 
:0001.05C4 268A04                 mov al , es:[si]       <<< get char of Lollapalooza
:0001.05C7 46                     inc si
:0001.05C8 D2C0                   rol al, cl 
:0001.05CA D3C8                   ror ax, cl 
:0001.05CC D3C8                   ror ax, cl 
:0001.05CE 97                     xchg ax,di             <<<<<

I found out that DI was used to determine if the manipulated value in DI was odd or even.

:0001.0606 F7C70100               test di, 0001          <<< test is value is odd or even
:0001.060A 7504                   jne 0610               <<< odd then no changing BX

:0001.060C F6D8                   neg al
:0001.060E D1D3                   rcl bx, 01             <<< change value bx rol carry

The value BX is only changed if DI was even, so only at these times bx is changed and at the last one BX will hold E6EA,
which is moved to AX just before leaving this complete CALL, which then can be checked by E6EA

Okay end of transmission ..... maybe some other time or state .....

Final Notes

I think that the dongle-prinicple missed it's target in this protection scheme, or it's just
a stupid written piece of software. It could also be that I missed a few important facts
about this scheme because a stepped quickly throught it in order to write and support this 
essay....

This may all be true , or held against me ... but still it's curious that at the end of this 
dongle-protection, a register is  checked with a 'hard-wired' value to protect the bits and
bytes  ... it's also curious that the same routine is used to initialize the software and  do
the periodly check during the up-time of the software ( I mean the same routine and the same
'physical mem-location' !!! and not a second different looking routine).

If you ask me, the dongle missed it's target and has the same effect as a serial check ..... 
(why not using the dongle to make jumps in memory !!!!)..

Today I had a quick (and unexpected) look at the latest version of this software, which seem to
be 'dongle-less' but now for every library you needed to key-in a serial ;).... I wonder why 
they let the dongle go ??? Did somebody else already made an essay ... ;o).... Or did they see 
the dongle missed target ???? We'll never know ...



Have a nice day .... MaD [CPT]

Ob Duh

I wont even bother explaining you that you should BUY this target program if you intend to use it for a longer period than the allowed one. Should you want to STEAL this software instead, you don't need to crack its protection scheme at all: you'll find it on most Warez sites, complete and already regged, farewell.

You are deep inside Fravia's page of reverse engineering, choose your way out:

Back to project 3

mail_Fravia

Is reverse engineering legal?