Simple dongle reversing
by 932452
21 October 1998

INTRODUCTION

I have been watching all these sites on cracking and hacking..
and I have not found any crack on EDA tools...may be that 
very few people use it.  Some time back I needed a crack for
VERIWELL and I had posted a request on alt.2600, for which
I did not get any reply, so then and there I decided to get 
into cracking and I learned lot of things about cracking 
from Fravia's page... now I am in a postion to write an essay
on cracking...please understand that this is my first essay
and that I am very bad at writing long essays

	Well in this essay I will tell you how I cracked
some targets which have been protected by STUPID dongles. 
I hope you all will like it, and I hope this will teach all 
shareware programmers reading this, that dongles, contrarily 
to their advertisement, are not a very good option if you 
intend to protect seriously... you don't believe me? Just read 
on...

TOOLS REQUIRED

Hexedit (I like the win 3.1 version, as it is very fast)
Win32dis (You all know it)
(So I won't even use softice to crack a couple of dongles :-)

TARGET URLs

www.wellspring.com
ftp.interhdl.com

THINGS YOU MUST REMEMBER 

1) Always try to find the golden routine that checks for the dongle.
2) Try to understand what it is doing...before jumping into patching it.
3) Have lot of patience.

ESSAY


PART I

Download any PC version tool from interhdl..as all the tools from
interhdl has got same stupid dongle protection (why can't they think
something better :-)
Here my target is verilint..after downloading you have
install it and after that just go to dos prompt and 
type verilint example.v

this will give a error message and then it will terminate.

the error message is "checking out hardware key"

so there are two things going on
1) check for hardware lock
2) terminate if hardware lock not found

first we will disable the call responsible for dongle check
so search for the string "checking out hardware key" 

* Referenced by a CALL at Address:00482081   
|
:00482090 81EC00080000            sub esp, 00000800
:00482096 E895050000              call 00482630
:0048209B 83F803                  cmp eax, 00000003
:0048209E 7507                    jne 004820A7

* Possible StringData Ref from Data Obj ->"Checking out hardware key..."
                                  |
:004820A0 68EC3F5000              push 00503FEC

once you have found this, just scroll up till you find the call which
has called this routine. below is the code which has called this
routine.
you see that this routine has been called by another call instruction at
location 0004821f...so please go to the location 0004821f.

* Referenced by a CALL at Address:0048217F   
|
:00482070 8B44240C                mov eax, dword ptr [esp+0C]
:00482074 8B4C2408                mov ecx, dword ptr [esp+08]
:00482078 8B542404                mov edx, dword ptr [esp+04]
:0048207C 6A00                    push 00000000
:0048207E 50                      push eax
:0048207F 51                      push ecx
:00482080 52                      push edx
:00482081 E80A000000              call 00482090
:00482086 83C410                  add esp, 00000010
:00482089 C3                      ret



this is the code which you find at that location..and this is the
code which refers to that golden call

well what do you see here...
:0048217F E8ECFEFFFF              call 00482070
//just returned from call

:00482184 83C40C                  add esp, 0000000C
:00482187 83F801                  cmp eax, 00000001
//compare eax with 01

:0048218A 740A                    je 00482196
// if good guy jump to 00482196

:0048218C 6A01                    push 00000001
:0048218E E81DF40100              call 004A15B0
//if bad guy call terminate the program...
//you may ask how do I know...well trace the call 004a15b0


:004A15B0 8B442404                mov eax, dword ptr [esp+04]
:004A15B4 6A00                    push 00000000
:004A15B6 6A00                    push 00000000
:004A15B8 50                      push eax
:004A15B9 E832000000              call 004A15F0
// this is the main call which call the KERNEL32.TerminateProcess,
//if you don't think so ...you can trace the above call



* Referenced by a CALL at Addresses:004A15B9   , :004A15D9   
|
:004A15F0 A11C045100              mov eax, dword ptr [0051041C]
:004A15F5 53                      push ebx
:004A15F6 55                      push ebp
:004A15F7 8B6C240C                mov ebp, dword ptr [esp+0C]
:004A15FB 83F801                  cmp eax, 00000001
:004A15FE 56                      push esi
:004A15FF 750E                    jne 004A160F
:004A1601 55                      push ebp

* Reference To: KERNEL32.GetCurrentProcess, Ord:00D3h
                                  |
:004A1602 FF15D8215100            Call dword ptr [005121D8]
:004A1608 50                      push eax

* Reference To: KERNEL32.TerminateProcess, Ord:0246h
                                  |
:004A1609 FF15D4215100            Call dword ptr [005121D4]
//so atlast that compare eax.01 as resulted in this terminate program


all you have to do is make that jump on equal to Always jump

:0048218A 740A                    je 00482196 //change 74 to EB

Don't forget to nop the call that checks for dongle..other
wise your program will waste lot of your time.

:0048217F E8ECFEFFFF              call 00482070
          9090909090              nop
        
        
        PART-II


Second target is a verilog simulator tool from wellsring, this target 
has got bit good protection then the first....it checks for the
hardware lock and if present it stores some values in some 
locations and it checks for dongle four time.from four different 
location...you need to patch only first two..but don't worry 
about it every dongle protection can be cracked............ 
first Download the veriwell.zip from the download page of 
www.wellspring.com and install it. Once you are through this you 
can follow what I'll tell you 

	Now run the veriwell, you see that it shows the following
message " this is free version of bla..bla..bla"
			

Hey I forgot to tell you that this software runs in demo mode
if hardware lock is not present, the above message was therefore 
due to this feature of veriwell. Now that you have found this, you can
fire your win32disa and dissamble the veriwell.exe and search for the
string "this is free bla..bla" or you can search for the string
"serial number"			
 
:0041015F A122785500              mov eax, dword ptr [00557822]
:00410164 50                      push eax

* Possible StringData Ref from Data Obj ->"  Serial number %d"
                                  |
:00410165 68A4255300              push 005325A4
:0041016A E8AD33FFFF              call 0040351C

Veriwell reaches this line only if the hardware lock is preset
so We need to trace where this was done..to do this
we just page-up till we reach this piece of the code

:00410052 F6058078550001          test byte ptr [00557880], 01
:00410059 7522                    jne 0041007D 

//hardware lock is present then jump to 00410070

:0041005B 33C0                    xor eax, eax 

//if bad guy store zero in following locations

:0041005D A35CC95400              mov dword ptr [0054C95C], eax
:00410062 A33CCA5400              mov dword ptr [0054CA3C], eax
:00410067 A324CA5400              mov dword ptr [0054CA24], eax
:0041006C A32CCA5400              mov dword ptr [0054CA2C], eax
:00410071 A348CA5400              mov dword ptr [0054CA48], eax
:00410076 A320CA5400              mov dword ptr [0054CA20], eax
:0041007B EB5F                    jmp 004100DC

I bet this is very easy to patch all you have to do is  open the hexedit
and find the byte and nop them 

jne <= nop
xor <= nop

after you have doen this run the veriwell again, you see that it does not 
show the "free version banner" but still we have a problem...when ever we 
run the veriwell it takes lot of time to run...so we have to disable the
dongle check routine..So we page-up till we reach this peace of code


:0041001E E85FE40500              call 0046E482
//this is tha call that chscks for the dongle..just get into the call and
change the first bye of the call to C3..so that the call returs back as soon
as it executes the reutrn code.

now once again run the veriwell ...we find that it display the following message
                     "this is (%) of free version 
once again we search for the this string and again pageup till
we reach up to this code

* Referenced by a Jump at Address:0042E1E7(C)
|
:0042E1C7 A1A4785500              mov eax, dword ptr [005578A4]
:0042E1CC 03C1                    add eax, ecx
:0042E1CE 83C102                  add ecx, 00000002
:0042E1D1 81F980000000            cmp ecx, 00000080
:0042E1D7 8A10                    mov dl, byte ptr [eax]
:0042E1D9 8A5801                  mov bl, byte ptr [eax+01]
:0042E1DC 8818                    mov byte ptr [eax], bl
:0042E1DE A1A4785500              mov eax, dword ptr [005578A4]
:0042E1E3 885408FF                mov byte ptr [eax+ecx-01], dl
:0042E1E7 7CDE                    jl 0042E1C7
:0042E1E9 B901000000              mov ecx, 00000001
:0042E1EE 66850D80785500          test word ptr [00557880], cx
:0042E1F5 7525                    jne 0042E21C            //change this to nop
:0042E1F7 33C0                    xor eax, eax            //change this to nop

:0042E1F9 890D3CCA5400            mov dword ptr [0054CA3C], ecx
:0042E1FF A35CC95400              mov dword ptr [0054C95C], eax
:0042E204 890D24CA5400            mov dword ptr [0054CA24], ecx
:0042E20A 890D2CCA5400            mov dword ptr [0054CA2C], ecx
:0042E210 A348CA5400              mov dword ptr [0054CA48], eax
:0042E215 A320CA5400              mov dword ptr [0054CA20], eax
:0042E21A EB5F                    jmp 0042E27B

once you have have done this...veriwell is yours..

FINAL NOTES

 This EDA tools are very "costly" compared to normal software, but I don't
understand one thing..if their software is really so costly, why don't they
protect it better? It would be pretty easy, seen the above code...