|
End of the dongle old aera ~ Dongles bye bye or "How a single +HCU reverser can easily blow a whole commercial sector out of history" |
Advanced | |
|
|
||
That's it, nothing more to add... let's hope we get a new dongle aera to work on. Awesome essay. Frog's Print's incredible work should be printed (44 pages !) and sipped slowly, it's 'cracking for conoisseurs'... fravia's vintage 1998 "grand reserve"! Bye bye to all those that wanted to do some quick bucks selling hardware protections that were NOT protections at all. This is good, nobody will mourn the disappearing of smoke-sellers and bogus protectors. Bye bye to all those that never cared to study assembly. This is good. Bye bye to all the creations of the poor programmers that blindly trusted commercial (and THEREFORE bogus) dongle protections to defend their valuable software instead of writing their own much more solide protections. Tsch Tsch. You had better read +ORC's students essays first... next time. And learn. And now don't come to the silly idea to blame Frog's Print... blame those dilettantes that have sold you smoke. Blame yourself. A little reality cracking would have done you some good, probably. Well, one never ends learning, does one? I would never have believed myself that (almost) all implementations of the dongle protections scheme were so stupid. Oh my, how low, how deep have the programmers fallen, since Micro$oft introduced its frilly-dizzy rattamazz operating system :-) Of course anyone of my readers could now just 'go shopping' and download, fetch or get hundred thousand dongle protected software programs, each one of them -incidentally- extremely expensive. DO NOT DO IT. You'll only stuff your already exploding harddisks to death for nothing and bore yourself to death. See, you don't need to do it: that poor software won't disappear, nor it will go away. It will always be there. It wont be dongle protected any more after this, oh no, no, no :-) Yet, probably it will be as poorly protected as before by some other charlatans, smoke-selling some other 'infallible' protection scheme... people never learn. Unless they study. That's why you are here, my good reader, to master a difficult but POWERFUL art: reversing. So don't steal the software that Frog's Print has now stripped naked. Look at those protection schemes, pathetically whining and sobbing under Frog's streng and mighty reversing blick. They wont be ever able to run away, the poor scared things. Of course -as it happens- this essay could be useful AGAINST THEFT.. for our underfunded public universities for instance, where (as I very well know) hardware dongles are regularly and phisycally stolen from their parallel ports (it's difficult to find a way to fest them there and students don't show any respect for public property any more, having being corrupted by the 'sacrality' of private gains and property)... so this essay may be a good reading, for all colleagues in the public sector, in order to protect against stupid vandalic theft their legally bought software as well :-) See: +crackers bring solutions for the good ones and ruin for the evil ones :-) |
Dongles Programmers Corner |
|
So, Dongles could be a very powerful and strong way to protect a soft...as long as the programmer willing to utilize one knows how to use it. Unfortunately, most of them don't (note that we are not talking about shareware programmers but professional guys! ) and are still using our "beloved" Test eax,eax//jnz Bad_Guy stupid routine, thinking that they don't have to worry about the protection because the dongle will take care of it (same old problem discussed so much often here -: ). Some of them use ridiculous $5 shareware tricks to protect $4.000 professional softs (see Vision XXL) and, worse, others just forgot to read the Dongle documentation manual shipped with their hardware key (see ABBCS31), you'll even find some of the most amazingly stupid protections I can't find any words to describe them (see DigiSHOW). Too bad...specially when those programs are available for free download on the Net.
Sometimes it may be useful to know which dongle is needed for the
program you want to crack (Aladdin's Hasp, Rainbow Technologies' Sentinel,
Dinkey, Everlock...) or, very important if you plan to use SoftICE
and some Breakpoints, the type of dongle (parallel or serial key, internal
or PCMCIA card, Network dongle...), sometimes you won't even have to care
about that. And, finally, in just few cases, you may not be able to crack
a program if you don't have the right dongle (but if you have the dongle
why should you crack it? -: ) or because the program is strongly encrypted
and/or uses too many anti-debugger and anti-w32dasm/IDAPro protections
(usually, those anti-crackers protections are not written by the programer
himself :- ).
For this, never forget to read carefully the program's doc or HLP
files, to visit it's company home page (specially the "installation help"
or "FAQ" pages) to collect the maximum infos about the dongle needed. You'll
find them most of the time, but sometimes you may only find that the program
needs a "green" or "red" dongle. So don't forget to monitor the program
installation on your Hard Drive : for all the programs of this essay, during
their installation I used CleanSweep, WinDelete and TechFacts, all 3 programs
running at the same time. Then check for new .Vxd, .Drv, .Sys and .Dll
files in you windows(/system) or the programs directories. Do the same
the first time you'll run the program because it may use/create and hide
a lot of "~x34_m-!.sys" or similar strange named files anywhere on your
HD. If you can identify the Dongle manufacturer, then visit its WWW/FTP
sites, newsgroups, read newspaper articles about it and visit programmers'
tools retailers companies sites like SOSdevelopers
(if you can understand French), download their softs/demos (SOSdevelopers
download section),
get their free catalogue where you'll find all products for programers
and the latest protections tools of the market (BTW, SOSdevelopers is probably
actually one of the rare place where you can still find SoftICE 3.01 and
all others Numega 14 days trial version products available for downloading
since Numaga lately removed their Download section from their WWW home
site -: ). And finally, if you plan to crack several dongle protected softs,
install and monitor the first one, crack it and then delete it before
installing the second one, third one... otherwise it'll be to messy and
complicated to monitor and crack.
Here is now, for instance, some infos I found at Aladdin
SoftWares (Hasp/NetHasp dongles). They wrote this to help programers
to write a "good" protection for their dongle (blue comments are mine of
course!):
The golden rule of HASP-based software protection is that the
protection system is only as secure as the routines that call the key and
decide whether to allow execution of the protected program. In other words,
since the hardware of HASP keys is too complicated to break
or duplicate, hackers will usually try to trace the protection code
and eliminate the protection routines.
Emulating the Dongle by re-writing its main
routine is much funnier than boring tracing and patching (and sometimes
a lot easier, specially the Hasp protection routine! )
While we supply you with the best hardware and software protection
tools available, and while the HASP Envelope can by itself provide an excellent
protection for application programs, if possible, you should enhance
your protection system by implementing the Application Programming Interface
(API) as well.
If only they knew how to do it...
Please keep in mind that while no single technique can defeat
every hacker, the more traps and safeguards you use, the more difficult
it will be to break your software. In order to achieve maximum protection
with HASP, we suggest you implement at least some of the procedures outlined
below:
Issue as many calls as possible with many different Seed
Codes.
The more calls and expected responses you use, the more difficult
it will be to trace and remove them.
Boring yes, difficult not really.
Perform logical divisions of the checking procedure. Divide
the checking procedure, and if possible, spread it across your program
at far-away points.
A logical division would be: calling, checking, and reacting
routines, each situated in a different section of the program.
Hide parts of the checking code within a regular source code.
For example, the calling routine can be hidden within a general initialization
routine.
Easy to find with a BPIO 278/378
Use complicated mathematical expressions. In order to
confuse hackers, check for the Return Codes using complicated mathematical
expressions. For example, if you are expecting a Return Code which
equals 26387, incorporate an expression such as the one below to perform
the check:
If (ReturnCode1 -
7)/4 = (ExpectedReturnCode1 - 6602)/3 then...
To further enhance your level of security, follow the same procedure
throughout your software for any mathematical constants used in implementing
your HASP software protection solution.
Yes, and add a beautiful jnz_Bad_Guy at the
end...
Use delayed reactions. Do not react immediately to a checking
call. For example,do not test for a certain value and then issue an error
message if you do not like the result. If you do, the hacker will easily
understand what you are doing.
It is better to store the value in a variable A, check A's value
a few subroutine calls later, and set a new variable B to say whether or
not you like it. Several calls after that, test the value of B, and only
then issue the error message.
Force hackers to work backward to figure out how B got a certain
value and why the program fails because of that. The relation to the original
returned value should no longer be obvious.
See above
Perform check-sums. Perform a check-sum on the program
to find out if it has been
tampered with. The most effective means to do this is with the
HASP Pro Kit.
Otherwise, the simplest way to do so is to use the following
pattern:
Calculate check-sum.
Compare with correct
value.
If the two do not
match,
issue an error message;
otherwise, continue.
Unfortunately, this technique is vulnerable to several attacks.
Bad luck!
etc,etc...
After that, there are different ways to crack it:
1/Reverse engineering the dongle protection main routine in order
to emulate the dongle (see ABBCS31).
-This is very efficient specially if this routine is called dozens
or sometimes hundreds of times throughout the program (otherwise we would
have to patch all those cross-references!).
-With this method, you don't need to have the dongle driver loaded
(if you have 10 programs using different dongles, you'll need to have 10
different drivers always loaded).
2/Patching some Call, Test or jnz instructions.
Not the most elegant method but useful if:
-you don't know how the dongle protection routine works but you
quickly found the right Bad_Guy Flag.
-your program is to slow to start/run . Some overbloated EXE or
DLL will check for a dongle, dongle ID and Seed Code and, if they can't
find them, will check again and again before telling you that you don't
have the requested hardware key. For that reason, those programs may check
for the dongle for 15 or sometimes +30 seconds. This even happens sometimes
after you "emulated" the Dongle. A real waste of time! (see WellCAD).
3/Brute force approach:
Close to the above solution, this one may be quite useful for program
that may react strangely when they are modified. This method just force
them to work the way you want (see Ai Damage).
4/You may use your own tips/findings like searching with Hiew the
bytes sequence 0xE900000000
jmp Next_Instruction (see OmniMark).
In this essay, we'll just assume that you are familiar with cracking because I won't give a lot of comments about all usual protections routines/tricks... that don't have anything to see with the dongle protection nor will I spend time to explain how to crack it when it will be quite obvious (most of the time).
As said above, all programs cracked in this essay can be found and
download on their companies homepages (see links below).
You'll find plenty of dongle softs to download for free on the
Net. Just learn how to search and you'll see what I mean.
OK, now let's have some fun!
Hiew 5.66
SoftICE 3.22
W32Dasm v6.x and W32Dasm8.5
+IDA PRO v3.7
A taste of Zen Cracking
1) Micro-Cap V (Spectrum SoftWare) v2.01
900Kb
2) Vision XL/XXL v2.0
(Impuls) 9.5Mb
3) ABBCS31 v1.02
Klinkmann Automation Softs (DDE Servers) 420Kb
4) WellCAD v2.30 : Full
version 10.5Mb or Lite
version 2.5Mb (similar but without help files and sample data files)
5) Label Craft v6.01
(Axicon Softs) 1.2Mb
6) Ai Damage v1.4
(Ai Training Services Ltd) 185Kb (requires the DK2 DESkey dongle
drivers -dk2wn95.386, dk2win32.dll...- if not installed on your system,
you can download them here: Bdk2wn32.exe
720Kb - read the essay for more infos-: )
7) Electro Chemistry 12
Nov.1997 version (Sycopel Scientific Ltd) 531Kb.
8) IPLab v1.7
(Signal Analytics Corp.) 1.5Mb
9) DigiSHOW.vld v1.24
1.59Mb
A) Axon Engineer Pro v2.11e
2.09Mb
B) FTI/DOE v.2.3.1.4
2.78Mb
C) S-Tagger for FrameMaker v2.0
1.32Mb
D) XinTianMa C version
1.04Mb
E) OmniMark V3R1a
Win95 1.88Mb
Apparently, Micro-Cap V programmers are the only guys who understood
that the dongle will not do all the job. They tried to add some improvements
to the protection scheme:
-Fake flags (Bad or Good_Guy).
-Several flags hidden at different locations (using different registers).
-Delayed reactions (calling, checking and reacting routines).
-Mathematical expressions for checking the RetCodes (though they
could improve this part).
-Several calls with different Seed Codes.
...
This is the first Hasp dongle of this essay. I hope you read Zafer's essay about the various hasp-dongle services because I will not explain this again. However, I will show you the main Hasp routine from Micro-Cap as it is just a little different from the one describe by Zafer, but it works just the same:
:0054141A 55
push ebp
:0054141B 89E5
mov ebp, esp
:0054141D 60
pushad
:0054141E 88C7
mov bh, al
; Service called
:00541420 52
push edx
:00541421 58
pop eax
:00541422 8B5508 mov edx, dword
ptr [ebp+08]
:00541425 8B750C mov esi, dword
ptr [ebp+0C]
:00541428 8B3E
mov edi, dword ptr [esi]
:0054142A 80FF32 cmp bh, 32
:0054142D 7205
jb 00541434
:0054142F 8B7518 mov esi, dword
ptr [ebp+18]
:00541432 8B06
mov eax, dword ptr [esi]
:00541434 8B7510 mov esi, dword
ptr [ebp+10]
:00541437 8B36
mov esi, dword ptr [esi]
:00541439 55
push ebp
:0054143A E8B1D00000 call 0054E4F0
; Haspreg
:0054143F 5D
pop ebp
:00541440 8B7D0C mov edi, dword
ptr [ebp+0C]
:00541443 8907
mov dword ptr [edi], eax ; RetCode1
:00541445 8B7D10 mov edi, dword
ptr [ebp+10]
:00541448 891F
mov dword ptr [edi], ebx ; RetCode2
:0054144A 8B7D14 mov edi, dword
ptr [ebp+14]
:0054144D 890F
mov dword ptr [edi], ecx ; RetCode3
:0054144F 8B7D18 mov edi, dword
ptr [ebp+18]
:00541452 8917
mov dword ptr [edi], edx ; RetCode3
:00541454 61
popad
:00541455 5D
pop ebp
:00541456 C21400 ret 0014
We will rewrite this routine in order to emulate the dongle because there will be too may occurences to patch in this soft.
Running Micro-Cap will display the message box: 'Security Key
missing. Replace the key'.
With SoftICE, Bpx the above routine and run Micro-Cap.
The first break occures here:
:00422C39 B801000000 mov eax, 00000001
; Service#1
...
:00422C5B E8BAE71100 call 0054141A
; IsHasp
:00422C60 8B45F0 mov eax, dword
ptr [ebp-10] ; Store RetCode1 in EAX
:00422C63 89EC
mov esp, ebp
:00422C65 5D
pop ebp
:00422C66 5A
pop edx
:00422C67 59
pop ecx
:00422C68 5B
pop ebx
:00422C69 C3
ret
The caller:
:00422AEC E82F010000 call 00422C20
:00422AF1 85C0
test eax, eax
; Check if OK
:00422AF3 752D
jne 00422B22
; Good_Guy jump
Of course, the RetCode1 should be equal to 1.
The second break:
:00422E8D B805000000 mov eax,
00000005
; Service#5
:00422E92 89542414
mov dword ptr [esp+14], edx
:00422E96 E87FE51100 call 0054141A
; HaspStatus
:00422E9B 8B442408
mov eax, dword ptr [esp+08] ;
Parallel Port # (RetCode3)
:00422E9F 8B7C2404
mov edi, dword ptr [esp+04] ;
Type of Hasp (Retcode2)
:00422EA3 A37CF65500 mov dword
ptr [0055F67C], eax
:00422EA8 83FF01
cmp edi, 00000001
; Is it a Memo-Hasp?
:00422EAB 740D
je 00422EBA
:00422EAD B8FCFFFFFF mov eax,
FFFFFFFC
; Bad_Guy
:00422EB2 83C410
add esp, 00000010
:00422EB5 5F
pop edi
:00422EB6 5A
pop edx
:00422EB7 59
pop ecx
:00422EB8 5B
pop ebx
:00422EB9 C3
ret
* Referenced by a (C)onditional Jump at Address:00422EAB
:00422EBA 31C0
xor eax, eax
; Good_Guy
:00422EBC 83C410
add esp, 00000010
:00422EBF 5F
pop edi
:00422EC0 5A
pop edx
:00422EC1 59
pop ecx
:00422EC2 5B
pop ebx
:00422EC3 C3
ret
No surprises yet: after checking if there
is a Hasp dongle connected, it checks its type (Memo-Hasp). It doesn't
care if it is a Memo-Hasp-1 or a Memo-Hasp-4 as Retcode1 is not verified.
Both
The 3rd break:
:00422C0E B802000000
mov eax, 00000002
; Service#2
:00422C13 E802E81100
call 0054141A
; HaspCode
:00422C18 5D
pop ebp
:00422C19 5F
pop edi
:00422C1A 5E
pop esi
:00422C1B C20400
ret 0004
The caller:
:00422B5B E864000000
call 00422BC4
:00422B60 8B1424
mov edx, dword ptr [esp] ;
Store RetCode1 in Edx
:00422B63 81EACA190000
sub edx, 000019CA
; Edx-0x19CA
:00422B69 B905000000
mov ecx, 00000005
:00422B6E 89D0
mov eax, edx
; Store in Eax
:00422B70 C1FA1F
sar edx, 1F
:00422B73 F7F9
idiv ecx
; Eax/5 and store result in Eax
:00422B75 3D982D0000
cmp eax, 00002D98
; Is it correct?
:00422B7A 7405
je 00422B81
; jmp over if OK
:00422B7C BE01000000
mov esi, 00000001
; Set Bad_Guy#1 Flag discreetly so that stupid
; crackers will never find it!
:00422B81 817C24046DF60000 cmp dword
ptr [esp+04],F66D ; Check RetCode2
:00422B89 0F8566FFFFFF
jne 00422AF5
; Bad_Guy#2 jump
:00422B8F 817C24086CD60000 cmp dword
ptr [esp+08],D66C ; Check RetCode3
:00422B97 0F8558FFFFFF
jne 00422AF5
; Bad_Guy#2 jump
:00422B9D 817C240C973B0000 cmp dword
ptr [esp+0C],3B97 ; Check RetCode4
:00422BA5 0F854AFFFFFF
jne 00422AF5
; Bad_Guy#2 jump
:00422BAB EB80
jmp 00422B2D
; JUMP if OK and make him believe everything
; is fine...
...
...
:00422B2D 85F6
test esi, esi
; ...and check Bad_Guy#1 Flag!
:00422B2F 7507
jne 00422B38
; Bad_Guy_Jump.
RetCodes 2, 3 and 4 are displayed in the code (0xF66D, 0xD66C,
0x3B97). To check the RetCode1, the program uses simple mathematical expressions
from offset 422B63 to offset 422B75.
Finding the RetCode1 value is simple.
We have:
0x2D98 = (RetCode1 - 0x19CA) / 5
So:
RetCode1 = (0x2D98 * 5) + 0x19CA)
RetCode1 = 0xFDC2
You can see that if one of the 3 last RetCodes is wrong, it will
clearly send you on the Bad_Guy#2.
But it will discreetly set the Bag_guy#1 flag (mov esi,1) if the
first RetCode is wrong and will go ahead as if everything was fine before
checking it later at offset 422B2F.
The 4th break:
This time, the program will read a block from the dongle, and check if no error occured (RetCode3)
:00422CE2 B832000000 mov
eax, 00000032
; Service#32
:00422CE7 31D2
xor edx, edx
:00422CE9 E82CE71100
call 0054141A
; ReadBlock
:00422CEE 807D02EA
cmp byte ptr [ebp+02], EA ; Check correct
value
:00422CF2 741F
je 00422D13
; jmp if OK
:00422CF4 837D7A00
cmp dword ptr [ebp+7A], 0 ; Check RetCode3
(status Code)
:00422CF8 7519
jne 00422D13
; jmp if NOT correct as well
:00422CFA B801000000
mov eax, 00000001
; Bad_Guy flag
but make it looks
; like a Good_Guy Flag!
:00422CFF 8DA582000000 lea esp, dword
ptr [ebp+82]
..
:00422D0A C3
ret
; Back to caller
...
...
:00422D13 8B457A
mov eax, dword ptr [ebp+7A] ; store status code in
Eax
:00422D16 8DA582000000 lea esp, dword
ptr [ebp+82]
..
:00422D21 C3
ret
; Back to caller
...
...
:00422B22 E831030000
call 00422E58
:00422B27 89C6
mov esi, eax
; store in esi as well
:00422B29 85C0
test eax, eax
; Check if OK
:00422B2B 7418
je 00422B45
; je Good_Guy
:00422B2D 85F6
test esi, esi
; Check again to confuse...
:00422B2F 7507
jne 00422B38
; jne Bad_Guy
We could think that the mov eax,1 is our Good_Guy because
right above, it checks the RetCode3 (equal to 0x0 if no error) and jump
if an error was returned.
But it stores this RetCode into Eax (:422D13) and later will store
it into Esi too, and will check both registers to see if it's OK. It is
clear that, if the dongle was connected, the program should never reach
offset :422CF4.
0xEA is probably a byte calculated somewhere depending on the dongle
RetCode (it is not RetCode1, 2, 3 or 4). To crack this will have
to store 0xEa into ebp+2 and to ensure that the RetCode3 will be equal
to 0x0.
Now, Micro-Cap V seems to work fine but it still check for the dongle
depending on which key is pressed.
The 5th break:
Here, the program will check again Service#1 (IsHasp) but in another location.
The 6th break:
Now it calls again Service 2.
:00422C0E B802000000
mov eax, 00000002
:00422C13 E802E81100
call 0054141A
:00422C18 5D
pop ebp
:00422C19 5F
pop edi
:00422C1A 5E
pop esi
:00422C1B C20400
ret 0004
The Caller:
:00422D6A E855FEFFFF
call 00422BC4
:00422D6F 6681FE8203
cmp si, 0382
:00422D74 7527
jne 00422D9D
:00422D76 813C24C7710000
cmp dword ptr [esp], 000071C7
:00422D7D 75C8
jne 00422D47
:00422D7F 817C2404935B0000 cmp dword
ptr [esp+04], 00005B93
:00422D87 75BE
jne 00422D47
:00422D89 817C2408E1BF0000 cmp dword
ptr [esp+08], 0000BFE1
:00422D91 75B4
jne 00422D47
:00422D93 817C240C900D0000 cmp dword
ptr [esp+0C], 00000D90
:00422D9B 75AA
jne 00422D47
:00422D9D 6681FEE486
cmp si, 86E4
:00422DA2 752B
jne 00422DCF
:00422DA4 813C248BF60000
cmp dword ptr [esp], 0000F68B
:00422DAB 759A
jne 00422D47
:00422DAD 817C2404D3B40000 cmp dword
ptr [esp+04], 0000B4D3
:00422DB5 7590
jne 00422D47
:00422DB7 817C2408FE0E0000 cmp dword
ptr [esp+08], 00000EFE
:00422DBF 7586
jne 00422D47
:00422DC1 817C240CD43F0000 cmp dword
ptr [esp+0C], 00003FD4
:00422DC9 0F8578FFFFFF
jne 00422D47
:00422DCF 6681FE9907
cmp si, 0799
:00422DD4 7537
jne 00422E0D
:00422DD6 813C2411560000
cmp dword ptr [esp], 00005611
:00422DDD 0F8564FFFFFF
jne 00422D47
:00422DE3 817C2404BB6E0000 cmp dword
ptr [esp+04], 00006EBB
:00422DEB 0F8556FFFFFF
jne 00422D47
:00422DF1 817C2408925C0000 cmp dword
ptr [esp+08], 00005C92
:00422DF9 0F8548FFFFFF
jne 00422D47
:00422DFF 817C240C8EB60000 cmp dword
ptr [esp+0C], 0000B68E
:00422E07 0F853AFFFFFF
jne 00422D47
:00422E0D 6681FE3E05
cmp si, 053E
:00422E12 7537
jne 00422E4B
:00422E14 813C24EB6F0000
cmp dword ptr [esp], 00006FEB
:00422E1B 0F8526FFFFFF
jne 00422D47
:00422E21 817C2404945D0000 cmp dword
ptr [esp+04], 00005D94
:00422E29 0F8518FFFFFF
jne 00422D47
:00422E2F 817C24087D200000 cmp dword
ptr [esp+08], 0000207D
:00422E37 0F850AFFFFFF
jne 00422D47
:00422E3D 817C240CCEAE0000 cmp dword
ptr [esp+0C], 0000AECE
:00422E45 0F85FCFEFFFF
jne 00422D47
:00422E4B 31C0
xor eax, eax
; Good_Guy
:00422E4D 83C410
add esp, 00000010
:00422E50 5E
pop esi
:00422E51 5A
pop edx
:00422E52 59
pop ecx
:00422E53 5B
pop ebx
:00422E54 C3
ret
..
..
:00422D47 B8B13A0000
mov eax, 00003AB1
; Bad_Guy
:00422D4C 83C410
add esp, 00000010
:00422D4F 5E
pop esi
:00422D50 5A
pop edx
:00422D51 59
pop ecx
:00422D52 5B
pop ebx
:00422D53 C3
ret
Depending on the value of Esi ( 0x0382, 0x86E4,
0x0799 or 0x053E) the program will check for different RetCodes (they all
are shown in the code) and if it's OK, will clear Eax (Good_Guy) otherwise
will make you jump to offset :422D47.
If Esi has a different value (this shouldn't
happen) the program will get to the Good_Guy as well.
To crack this, we will simply xor Ecx (on
the stack as it is saved there before the call to the Hasp routine) during
a call to Service 2 and therefore we will always reach our Good_Guy. Clearing
Ecx will not affect the call to Service 2 I described before this one as
it is unused (saved on the stack).
There is a last break when exiting the program:
The 7th break:
:00422F38 B806000000
mov eax, 00000006
:00422F3D EBDC
jmp 00422F1B
...
:00422F1B E8FAE41100
call 0054141A
:00422F20 8B45F8
mov eax, dword ptr [ebp-08]
:00422F23 85C0
test eax, eax
:00422F25 7418
je 00422F3F
Here, the program just check if any error occured.
There are still few xrefs to the main Hasp routine (services 1,
6...) but it doesn't matter as we will 'emulate' the dongle and this will
work for thoses xrefs as well. However, one of them is a call to service
0x29 (HaspID) at offset :422BF6 that apparently the program doesn't reach.
We will not crack it.
As there's not enough room in the main Hasp routine to write our
own one, we will do it mostly at offset :514E4F0 that is called by this
routine:
All changes are shown in red:
.0514141A: 55
push ebp
.0514141B: 89E5
mov ebp,esp
.0514141D: 60
pushad
.0514141E: 88C7
mov bh,al
; bh=Hasp Service called
.05141420: 80FF02
cmp bh,02
; Is it Service#2 ?
.05141423: 0F8510000000
jne .00141439
; jump over if not
.05141429: 66C745240000
mov w,[ebp][00024],00000 ;
otherwise clear Esi
.0514142F: E905000000
jmp .000141439
; Go ahead
.05141434: 8B7510
mov esi,[ebp][00010]
; unused
.05141437: 8B36
mov esi,[esi]
; unused
.05141439: 55
push ebp
; back to original code
.0514143A: E8B1D00000 call
.00514E4F0
; call our new routine
.0514143F: 5D
pop ebp
.05141440: 8B7D0C
mov edi,[ebp][0000C]
.05141443: 8907
mov [edi],eax
; RetCode1
.05141445: 8B7D10
mov edi,[ebp][00010]
.05141448: 891F
mov [edi],ebx
; RetCode2
.0514144A: 8B7D14
mov edi,[ebp][00014]
.0514144D: 890F
mov [edi],ecx
; RetCode3
.0514144F: 8B7D18
mov edi,[ebp][00018]
.05141452: 8917
mov [edi],edx
; RetCode4
.0514E4F0:
80FF01 cmp
bh,001
; Is it Service#1 ?
.0514E4F3: 7505
jne .00014E4FA
.0514E4F5: B801000000
mov eax,000000001
; RetCode1
.0514E4FA: 80FF02
cmp bh,002
; Is it Service#2 ?
.0514E4FD: 7519
jne .00014E518
.0514E4FF: B8C2FD0000
mov eax,00000FDC2
; RetCode1
.0514E504: BB6DF60000
mov ebx,00000F66D
; RetCode2
.0514E509: B96CD60000
mov ecx,00000D66C
; RetCode3
.0514E50E: BA973B0000
mov edx,000003B97
; RetCode4
.0514E513: E925000000
jmp .00014E53D
.0514E518: 80FF05
cmp bh,005
; Is it Service#5 ?
.0514E51B: 750C
jne .00014E529
.0514E51D: BB01000000
mov ebx,000000001
; RetCode2
.0514E522: B901000000
mov ecx,000000001
; RetCode3
.0514E527: EB14
jmps .00014E53D
.0514E529: 80FF06
cmp bh,006
; Is it Service#6 ?
.0514E52C: 740D
je .00014E53B
.0514E52E: 80FF32
cmp bh,032
; Is it Service#32 ?
.0514E531: 0F8504000000
jne .00014E53B
.0514E537: C6451CEA
mov b,[ebp][0001C],0EA ;
store our 0xEA
.0514E53B: 33C9
xor ecx,ecx
; clear RetCode3 (NO error)
.0514E53D: C3
retn
; back to Hasp main routine
.0514E53E: 8D3534FC5600
lea esi,[00056FC34]
; will never reach this part.
Everything works quite well but it may be safer not to forget the
call to Service 0x29 that we didn't patch, just in case the program would
reach it one of these days...
Vision XL/XXL v2.0
-Description:
High performance image processing and image analysis system.
-OS:
Win95/NT
-Protection:
Dongle (parallel or serial key). Driver: Hardlock.vxd (c:\windows\system).
-Misc.:
Run as a DEMO if no dongle detected (Save, save as, copy disabled,
macros disabled after 30 program runs...).
Described as "seeing the invisible", this is a very sophisticated and extremely expensive soft. For those reasons, we could only expect a strong or at least, a good protection. Unfortunately, its protection is really stupid, and then, the most amazing is that we won't even have to care about the dongle to crack it!
During its installation, the program added the file Hardlock.vxd and told us that we need to restart Windows before running it (to load the dongle driver!).
Put a BPIO -H 378 with SoftICE and then run VisionXXL.
Nothing happens! The program doesn't seem to check
the parallel port.
After a quick check at the huge documentation (25Mb is MS-Word format!),
I found this:
"The security key can be reversed to be used
on a serial interface port...".
I read that there are some lines to add to
your Autoexec.bat as well (SET HL_SEARCH=2f8s,...where 2f8 denotes
the IO address of the serial port,and s denotes the serial port. The ellipsis
... is used to indicate that you can check several ports one after the
other.).
OK, but let's just forget the dongle for now!
Re-run the program. You'll get the big nagscreen/bitmap
telling you that the program is running in demo mode.
As the "Save" feature is disabled, press
it in the target's toolbar. The following message box pops up:
"Sorry, this function is not available in
demo mode"
Put a BPX MessageBoxA and press "Save" again.
SoftICE pops. Press <F11>, click 'OK'
and press <F12> 3 times. You'll land here:
.000CA432: E899820600
call .0001326D0 ;
Check if Full or Demo mode
.000CA437: 85C0
test eax,eax
.000CA439: 740A
je .0000CA445
; Good_Guy_Jump
.000CA43B: E840EBF4FF
call .000018F80 ;
Our MessageBoxA
.000CA440: E975040000
jmp .0000CA8BA ;
Bad_Guy_Exit
.000CA445: E8127D0B00
call .00018215C ;
Good_Guy_Go_Ahead
Those who are familiar with "disabled features"
cracking won't need to read my comments to understand this: this is a stupid
typical protection used so much often for this kind of program.
Let's have a look at the .0001326D0 routine:
001326D0: 8B81E8000000 mov
eax,[ecx][0000000E8]
001326D6: 85C0
test eax,eax
001326D8: 740D
je .0001326E7
001326DA: 8B4804
mov ecx,[eax][00004]
001326DD: 85C9
test ecx,ecx
001326DF: 7406
je .0001326E7
001326E1: B801000000
mov eax,000000001 ;
Bad_Guy_Flag
001326E6: C3
retn
001326E7: 33C0
xor eax,eax
; Good_Guy_Flag
001326E9: C3
retn
This routine is called as soon as you run
the program (to decide if it's a Demo or full working version) and each
time you'll press or try to use one of the disabled features.
Obviously, patching the first test eax,eax
or changing the mov eax,1 will be enough to crack this dongle protection.
ABBCS31 v1.02
-Description:
DDE (Dynamic Data Exchange) Server allowing other Windows application
programs to access the data from the ABB Procontic CS31 automation system.
-OS:
Win95/NT
-Protection:
Dongle (parallel key). Driver: Hasp95.vxd (c:\windows\system).
-Misc.:
Run as a time-limited DEMO if no dongle detected (will only run 1 hour).
At the end of the installation setup, we get a "reboot to activate HASP driver!" message. So we know where we are and where we going! The program added the file C:\Windows\System\Hasp95.vxd and the following line in the Registry: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\VxD\HASP95'.
With HIEW5.66, we can quickly find the Hasp main routine located
in the Abbcs31.exe file (193Kb).
It starts at offset :00001AC9. Now we can BPX it with SoftICE (don't
forget to add 0x400000 to the offset from Hiew to SoftICE ):
BPX 401AC9
Running ABBCS32, we'll get 3 breaks. Callers are:
:401C9D
:401D0C
:401D8A
Here is the code (again from Hiew):
.00001C97: A1C40A4200
mov eax,[000420AC4] ;
eax=0x05
.00001C9C: 50
push eax
.00001C9D: E827FEFFFF
call .000001AC9
; Hasp routine service #5
.00001CA2: 83C424
add esp,024
.00001CA5: 8B45CC
mov eax,[ebp][-0034]
.00001CA8: A3A0204200
mov [0004220A0],eax
.00001CAD: 837DD000
cmp d,[ebp][-0030],0 ;
Is it a Hasp-3 (RetCode2=0)?
.00001CB1: 0F850C000000
jne .000001CC3
.00001CB7: C745C401000000
mov d,[ebp][-003C],1 ;
Yes: Good_Guy_Flag
.00001CBE: E907000000
jmp .000001CCA
.00001CC3: C745C400000000
mov d,[ebp][-003C],0 ;
Bad_Guy_Flag
.00001CCA: 837DC400
cmp d,[ebp][-003C],0 ;
Is it OK?
.00001CCE: 0F8446000000
je .000001D1A
; No, send_Him_Away...
.00001CD4: C705C40A420001000000 mov d,[000420AC4],1
; otherwise Go_Ahead
...
.00001D06: A1C40A4200
mov eax,[000420AC4] ;
eax=0x01
.00001D0B: 50
push eax
.00001D0C: E8B8FDFFFF
call .000001AC9
; Hasp routine service #1
.00001D11: 83C424
add esp,024
.00001D14: 8B45D4
mov eax,[ebp][-002C]
.00001D17: 8945C4
mov [ebp][-003C],eax
.00001D1A: 837DC400
cmp d,[ebp][-003C],0 ;
Is it a Hasp Dongle (RetCode1=1)?
.00001D1E: 0F84E7000000
je .000001E0B
; Bad_Guy_Jump...
.00001D24: C705C40A420002000000 mov d,[000420AC4],2
; otherwise Go_Ahead
...
.00001D84: A1C40A4200
mov eax,[000420AC4] ;
eax=0x02
.00001D89: 50
push eax
.00001D8A: E83AFDFFFF
call .000001AC9
; Hasp routine service #2
.00001D8F: 83C424
add esp,024
.00001D92: C705C00A420000000000 mov d,[000420AC0],0
.00001D9C: A1AC204200
mov eax,[0004220AC]
.00001DA1: C1E004
shl eax,004
.00001DA4: 8B4DD4
mov ecx,[ebp][-002C]
.00001DA7: 398818204200
cmp [eax][000422018],ecx; Is RetCode1=0x7A17
?
.00001DAD: 0F8551000000
jne .000001E04
; Bad_Guy_Jump
.00001DB3: A1AC204200
mov eax,[0004220AC]
.00001DB8: C1E004
shl eax,004
.00001DBB: 8B4DD0
mov ecx,[ebp][-0030]
.00001DBE: 39881C204200
cmp [eax][00042201C],ecx; Is RetCode2=0x768A
?
.00001DC4: 0F853A000000
jne .000001E04
; Bad_Guy_Jump
.00001DCA: A1AC204200
mov eax,[0004220AC]
.00001DCF: C1E004
shl eax,004
.00001DD2: 8B4DCC
mov ecx,[ebp][-0034]
.00001DD5: 398820204200
cmp [eax][000422020],ecx; Is RetCode3=0x554C
?
.00001DDB: 0F8523000000
jne .000001E04
; Bad_Guy_Jump
.00001DE1: A1AC204200
mov eax,[0004220AC]
.00001DE6: C1E004
shl eax,004
.00001DE9: 8B4DC8
mov ecx,[ebp][-0038]
.00001DEC: 398824204200
cmp [eax][000422024],ecx; Is RetCode4=0xE6EB
?
.00001DF2: 0F850C000000
jne .000001E04
; Bad_Guy_Jump
.00001DF8: C745C401000000
mov d,[ebp][-003C],1 ;
Good_Guy_Flag
.00001DFF: E907000000
jmp .000001E0B
.00001E04: C745C400000000
mov d,[ebp][-003C],0 ;
Bad_Guy_Flag
.00001E0B: 837DC400
cmp d,[ebp][-003C],0
.00001E0F: 0F8515000000
jne .000001E2A
; Dongle_OK
.00001E15: 837DC002
cmp d,[ebp][-0040],2 ;
No_Dongle
This routine is INCREDIBLY STUPID!!
As I said at the very beginning of this essay, the programmer just
forgot to read the Hasp documentation shipped with his dongle:
Usually, you first check if there is a Hasp dongle connected to
the parallel port (Service #1) and then, if there is one, the type of Hasp
(Service #5).
We can see here that the program check the type of Hasp before
verifying if there is a dongle connected.
And so?
The only problem is that we can see that ABBCS32 is expecting a
Hasp-3 dongle (RetCode2=0). But, after a call to Service #5, if you don't
have any dongle connected the RetCode2 will be equal to... 0x00 as
well!
This just means that if you have the correct dongle or nothing
at all, the program will just assume that you have the right Hasp-3! Unbelievable...
Fortunately, it checks Service #1 later.
There are a lot of different ways to crack this crap (patching the
Bad_Guy_Flag...) but let's emulate the dongle by reverse engineering the
main Hasp routine again:
Offsets changed are shown in red :
.00001AC9: 55 push
ebp
.00001ACA: 8BEC mov
ebp,esp
.00001ACC: 50 push
eax
.00001ACD: 53 push
ebx
.00001ACE: 51 push
ecx
.00001ACF: 52 push
edx
.00001AD0: 57 push
edi
.00001AD1: 56 push
esi
.00001AD2: 8B751C mov
esi,[ebp][0001C]
.00001AD5: 8B3E mov
edi,[esi]
.00001AD7: B900000000 mov
ecx,000000000 ; Clear ecx.
.00001ADC: 8B5D08
mov ebx,[ebp][00008] ; bl=Service
called.
.00001ADF: 80FB02
cmp bl,002
; Is it Service #2?
.00001AE2: 7512
jne .000001AF6
.00001AE4: 66B8177A mov
ax,07A17 ;
correct RetCode#1
.00001AE8: 66BB8A76 mov
bx,0768A ;
correct RetCode#2
.00001AEC: 66B94C55 mov
cx,0554C ;
correct RetCode#3
.00001AF0: 66BAEBE6 mov
dx,0E6EB ;
correct RetCode#4
.00001AF4: EB0F
jmps .000001B05
.00001AF6: 80FB01
cmp bl,001
; Is it Service #1?
.00001AF9: 7506
jne .000001B01
.00001AFB: 66B80100 mov
ax,00001 ;
correct RetCode#1
.00001AFF: EB04
jmps .000001B05
.00001B01: 33DB
xor ebx,ebx
; Xor unused registers
.00001B03: 33C0
xor eax,eax
; just in case.
.00001B05: 8B7D1C mov
edi,[ebp][0001C] ; Back to original code.
.00001B08: 8907 mov
[edi],eax
.00001B0A: 8B7D20 mov
edi,[ebp][00020]
.00001B0D: 891F mov
[edi],ebx
.00001B0F: 8B7D24 mov
edi,[ebp][00024]
.00001B12: 890F mov
[edi],ecx
.00001B14: 8B7D28 mov
edi,[ebp][00028]
.00001B17: 8917 mov
[edi],edx
.00001B19: 5E pop
esi
.00001B1A: 5F pop
edi
.00001B1B: 5A pop
edx
.00001B1C: 59 pop
ecx
.00001B1D: 5B pop
ebx
.00001B1E: 58 pop
eax
.00001B1F: 5D pop
ebp
.00001B20: C3 retn
Abbcs31 is cracked.
Searching for the main Hasp routine, we easily find it at offset
:44D528 in the main program (wellcad.exe 1.42Mb). It has 2 X-refs and then,
the 14 X-refs (called several times) calling the Hasp services.
Here are two of them:
:0049ECFE 6A01
push 00000001
; Service #1
:0049ED00 E87B080000
call 0049F580
; Is_It_A_Hasp_Dongle ?
:0049ED05 8B442408
mov eax, dword ptr [esp+08]
:0049ED09 8D4C2410
lea ecx, dword ptr [esp+10]
:0049ED0D 48
dec eax
:0049ED0E 8D54240C
lea edx, dword ptr [esp+0C]
:0049ED12 83F801
cmp eax, 00000001
:0049ED15 8D442414
lea eax, dword ptr [esp+14]
:0049ED19 1BFF
sbb edi, edi
:0049ED1B 50
push eax
:0049ED1C 8D44240C
lea eax, dword ptr [esp+0C]
:0049ED20 51
push ecx
:0049ED21 52
push edx
:0049ED22 8BCE
mov ecx, esi
:0049ED24 F7DF
neg edi
:0049ED26 50
push eax
:0049ED27 6868200000
push 00002068
:0049ED2C 6A02
push 00000002
; Service # 2
:0049ED2E E84D080000
call 0049F580
; Get_Hasp_Code
:0049ED33 817C2408A5F70000 cmp dword ptr [esp+08], 0000F7A5;Is
RetCode1 OK ?
:0049ED3B 7529
jne 0049ED66
; Bad_Guy jump
:0049ED3D 817C240C8E420000 cmp dword ptr [esp+0C], 0000428E;Is
RetCode2 OK ?
:0049ED45 751F
jne 0049ED66
; Bad_Guy jump
:0049ED47 817C2410E54F0000 cmp dword ptr [esp+10], 00004FE5;Is
RetCode3 OK ?
:0049ED4F 7515
jne 0049ED66
; Bad_guy jump
:0049ED51 817C24144E470000 cmp dword ptr [esp+14], 0000474E;Is
RetCode4 OK ?
:0049ED59 750B
jne 0049ED66
; Bad_Guy jump
:0049ED5B 83E701
and edi, 00000001
:0049ED5E 8BC7
mov eax, edi
; Set Good_Guy flag (eax=0x01)
:0049ED60 5F
pop edi
:0049ED61 5E
pop esi
:0049ED62 83C410
add esp, 00000010
:0049ED65 C3
ret
* Referenced by a (C)onditional:0049ED3B(C), :0049ED45(C), :0049ED4F(C),
:0049ED59(C)
:0049ED66 33FF
xor edi, edi
:0049ED68 8BC7
mov eax, edi
; Bad_Guy (clear eax)
:0049ED6A 5F
pop edi
:0049ED6B 5E
pop esi
:0049ED6C 83C410
add esp, 00000010
:0049ED6F C3
ret
Let's crack it:
:0049ED66 66B80100
mov ax,00001
Now if you run the program, it will ask you for your name and company
name to type in. Then, it will take about 12 seconds on a P233 before WellCAD
main window appears on your screen. Let's solve this problem.
As there a too many checks and comparisons occuring even before
the calls to the dongle, with SoftICE, BPX the main Hasp routine (:44D528)
and try to find some interesting cross references that we'll lead us to
the fatal(s) jnz_Bad_Guy.
Without any problem, we find several of them but only 2 seem very
interesting:
:004C01E7 E8684A0200 MFC40.MFC40:NoName0713
:004C01EC 8D8BC8000000 lea ecx, dword
ptr [ebx+000000C8]
:004C01F2 E829E6FDFF
call 0049E820
; Verify_Dongle (+ Misc routines)
:004C01F7 85C0
test eax, eax
; Is_Dongle_OK ?
:004C01F9 0F8455FDFFFF je 004BFF54
; Bad_Guy jump
:004C01FF 68C8030000
push 000003C8
; Good_Guy go ahead
...
...
:004C025F E8E4490200
MFC40.MFC40:NoName0711
:004C0264 8D8BC8000000
lea ecx, dword ptr [ebx+000000C8]
:004C026A E881F0FDFF
call 0049F2F0
; Verify_Dongle (+ Misc routines)
:004C026F 85C0
test eax, eax
; Is_Dongle_OK ?
:004C0271 0F84DDFCFFFF
je 004BFF54
; Bad_Guy jump
:004C0277 8D4DC8
lea ecx, dword ptr [ebp-38] ;
Good_Guy go ahead
Just get rid of the two Verify_Dongle calls and replace them with mov eax,1.
This will considerabely speed up the program (just 1 little second
to start) and the crack is done.
OK, it seems very easy to crack but it takes longer that you may
think. The protection is not too bad: a lot of calls to sub-routines that
will call other sub-routines etc.. and then comparisons in one of them
with the conditional jump in another one... It may fool or confuse you
during a Live approach, but could not resist a good Dead listing.
This program doesn't require any external known driver. The dongle
protection is located in the main executable: plabel.exe (379Kb).
Since this soft uses its own routines to check if there is a dongle,
let's have a quick look at its HLP file:
'This software is protected with a hardware
key which must be plugged into the parallel printer port at the back of
your PC. Without the key LabelCraft runs in demo mode. The following message
is then shown when you choose Label Printing or Label Editing from the
main menu: 'Missing key lock! Continue as Demoversion?'.
I have to say that this is not really helpful!
Never mind, let's Zen crack:
With SoftICE:
BPIO -H 378
Run the program and a dialog box pops asking you to choose between
"Editing" or "Printing a label"
Press "Editing" and SoftICE will break here:
.0001BFEA: EE
out dx,al ;
Here
.0001BFEB: EB00
jmps .00001BFED
.0001BFED: 8B0ECA3B mov
cx,[03BCA]
.0001BFF1: E2FE
loop .00001BFF1
.0001BFF3: A17C09
mov ax,[0097C]
.0001BFF6: 050200
add ax,00002
This is the main routine that will checks your // port for the
dongle.
To find the caller, it is very important to disable any BPIO before
pressing the <F12> key otherwise SoftICE will break several times.
With SoftICE:
BD *
<F12> (press it 3 times)
We land here:
.00015575: 9ADA543B55 call
001:054DA ; Check // port
.0001557A: 83C404
add sp,004
.0001557D: 3D457F
cmp ax,07F45 ; Is there a
dongle?
.00015580: 7408
je .00001558A ; Yes, jump...
.00015582: 46
inc si
.00015583: 83FE03
cmp si,003
.00015586: 7EC6
jle .00001554E
.00015588: EB06
jmps .000015590 ; Bad_Guy_Jump
.0001558A: B80100
mov ax,00001 ; Good_Guy
.0001558D: 5E
pop si
.0001558E: C9
leave
.0001558F: C3
retn
When I reached the cmp ax,7F45 instruction, I saw in the
registers windows that ax=FFFF. I quickly patched the je 1558A with
jumps 1558A.
The program seems to work well and we don't get any warning message
about the missing dongle. As the "Save" feature is disabled, I check the
main menu and...there are no "Save', "Save as" submenus!
There is a screw loose somewhere.
In fact, I just did a little mistake here: I said above to disable
the BPIO before pressing the <F12> key and realized that I didn't re-enable
it again right after. When running a Dongle protected soft, it is necessary
to always have a BPIO enable, because the program may check at any time
the presence of the dongle.
Exit Label Craft. Enable the BPIO until you reach the above code.
Disable it, press <F12> 3 times and patch the je 1558A again.
Now re-enable the BPIO and let the program run. SoftICE will pops
at offset .0001BFEA again.
With SoftICE:
BD *
<F12> (press it 3 times)
And we'll finally land here:
.000147F7: 9ADA540748 call
001:054DA ; Check
// port
.000147FC: 83C404
add sp,004
.000147FF: 3D9E6F
cmp ax,06F9E
; Is there a dongle?
.00014802: 740B
je .00001480F ;
Yes, jump...
.00014804: 9A58531248 call
001:05358 ; otherwise
disable "Save/Save as".
.00014809: C706FC4E0100 mov w,[04EFC],00001
; Set Bad_Guy_Flag.
.0001480F: 9A9E53AC46 call
001:0539E
.00014814: B80100
mov ax,00001
.00014817: 8D66FE
lea sp,[bp][-0002]
.0001481A: 1F
pop ds
.0001481B: 5D
pop bp
.0001481C: 4D
dec bp
.0001481D: CB
retf
Just make it always jump at offset .00014802.
Now, it may be a good idea to disasm the file to see if there is any other similar check (another -slow- solution would be to enable the BPIO and, with SoftICE, to test ALL features of the program -copy, printing...- but I don't have that much time to waste -:). W32Dasm v6.xx should be fine (plabel.exe is a 16bit file).
And here is what we find:
.00050461: 9ADA547704 call 001:054DA
; Check // port
.00050466: 83C404
add sp,004
.00050469: 3D64D4
cmp ax,0D464
; Is there a dongle?
.0005046C: 740B
je .000050479 ;
Yes, jump otherwise...
.0005046E: C706FC4E0100 mov w,[04EFC],00001
; set Bad_Guy_Flag and
.00050474: 9A58538C04 call
001:05358 ; add
garbages to the printing function...
.00050479: 833EFC4E00 cmp
w,[04EFC],000
.0005047E: 7503
jne .000050483
.00050480: E90E01
jmp .000050591 ;
Go ahead if Dongle_OK.
.00050483: 9AFFFF0000 call
GETTICKCOUNT
.00050488: 50
push ax
.00050489: 9A1E852001 call
001:0851E
Patching the je .000050479 will fully crack this soft.
As we can see, there's nothing really amazing in this protection but it is a bit more 'personal' and more discreet than the usual routines used by important dongle manufacturer. It would be more complicated to crack if some strong anti-softICE/disasm tricks would be added.
If you didn't understand the program description here is another
one:
"AiTS was founded to teach accident investigation, and to provide
software to assist accident investigators in their task.
Ai Damage calculates changes in speed from the damage caused
to vehicles. The program not only uses the tried and tested Crash3 algorthims,
but also uses the principle of the conservation of linear momentum (in
two dimensions) to fully analyse your accident".
To resume, this is just another crap I will erase from my HD right
after this essay.
This program requires the DK2 DESkey dongle driver (dk2wn95.386
for Win95) not available with the downloaded program (you can download
it here: Bdk2wn32.exe
720Kb -: ). If its installation failed, you can do it manually as per follows:
Open 'system.ini'.Find the section of system.ini which is headed
[386Enh]. Insert the following line into this section:
device=C:\AIDAMGE\DK2WN95.386
If you changed the installation directory from C:\AIDAMAGE, you
should adjust the path in the above line accordingly.
A quick look at AiDamage doc gives us some infos about the protection:
On the first time of starting, you will be requested to enter
a code. This code is needed before the dongle can be activated.
To obtain the code contact Ai Training Services on 01452 862798 and ask
for a code. You will also need to advise the operator of the number
quoted in the box. (Marked User code:)
Type in the code supplied EXACTLY as given. Press 'OK'
and the dongle will be activated and Ai Damage will start. To activate
the dongle contact AiTS with the code displayed on the Enable Dongle dialog.
You will be given a return code which you should enter, exactly as quoted.
Once entered press ‘OK’ and Ai Damage will start properly. If you fail
to enter the code as given, Ai Damage will not function.
You should not need to enter any other codes until the dongle
is automatically de-activated at the expiry of your licence. Ai Damage
will function for three months following the expiry of the licence.
Any attempt beyond this date to start the program will fail., with the
display of this dialog.
If you try and remove the dongle whilst Ai Damage is running,
then Ai Damage will detect this and close down. You may not have
any opportunity to save your data once the dongle has been removed.
Replacing the dongle will have no effect. You must re-start Ai Damage
and re-enter any of the lost data.
On the expiry of the annual licence, the dongle will detect
this condition and cause Ai Damage to display this dialog box. You
need to follow the instructions on screen, and your dongle will be activated
for further use.
As you can see, if you are working with AiDamage and then, by mistake,
remove or disconnect the dongle, ALL your work will be lost! Nice people...
That's not all:
Ai Damage will run under Windows NT. However it has not
been tested fully under NT and support with configuration of NT is not
provided as part of your licence agreement.
And finally:
It has been noticed that with some hardware / printer configurations
the presence of the dongle can cause corruption of the output to the printer.
What an encouragement to buy this soft!!
So, let's crack it "black & blue" ; this will solve some of those troubleshootings.
Run the program and you get the message box:
DONGLE ERROR - Cannot find a valid dongle
Disasm the main exe file (aidamage.exe 341Kb)with W32dasm85.
I simple search through the String Datas References will give us
all we need:
:0041257C FF1544EE4200 MSVCRT40._mbscmp
:00412582 83C408
add esp, 00000008
:00412585 85C0
test eax, eax
; Is_Driver_Loaded?
:00412587 7425
je 004125AE
; Jump if OK
:00412589 8B4DF0
mov ecx, dword ptr [ebp-10]
:0041258C E8DF0E0000 call 00413470
; "Dongle driver not loaded"
:00412591 85C0
test eax, eax
:00412593 0F8487FEFFFF je 00412420
:00412599 8B4DF0
mov ecx, dword ptr [ebp-10]
:0041259C E8FF100000 call 004136A0
; "Unable to read license info"
:004125A1 85C0
test eax, eax
:004125A3 0F85C9000000 jne 00412672
:004125A9 E972FEFFFF jmp 00412420
; Exit
:004125AE 6A00
push 00000000
:004125B0 8D8D3CFFFFFF lea ecx, dword ptr [ebp+FFFFFF3C]
:004125B6 E8A5030100 call 00422960
:004125BB C745FC04000000 mov [ebp-04], 00000004
:004125C2 8D8D3CFFFFFF lea ecx, dword ptr [ebp+FFFFFF3C]
:004125C8 E809080100 MFC40.MFC40:NoName0113
; Message Box:"Please Enter your password"
:004125CD 83F801
cmp eax, 00000001
; "OK" pressed?
:004125D0 0F85AD040000 jne 00412A83
; if not=>Exit
:004125D6 682CC24200 push 0042C22C
:004125DB 8D4DE4
lea ecx, dword ptr [ebp-1C] ; Store our password
:004125DE E833070100 MFC40.MFC40:NoName0081
; Calculate correct password
:004125E3 C645FC05 mov
[ebp-04], 05
:004125E7 8B459C
mov eax, dword ptr [ebp-64] ; Store correct password
in eax
:004125EA 8B4DE4
mov ecx, dword ptr [ebp-1C] ; Store our password
in ecx
:004125ED 50
push eax
:004125EE 51
push ecx
:004125EF FF1544EE4200 MSVCRT40._mbscmp
; Compare both
:004125F5 83C408
add esp, 00000008
:004125F8 85C0
test eax, eax
; Is_Password_OK?
:004125FA 7428
je 00412624
; Yes, jump and go ahead...
:004125FC 6A00
push 00000000
; otherwise...
:004125FE 6A30
push 00000030
...
:00412600 6800C24200 push 0042C200
:0041261F E9FCFDFFFF jmp 00412420
; "Password incorrect, closing down"
A lot of interesting things are going on here.
I tried to nicely reververse engineer this routine but the program acted
so strangely that I prefer to use a brute force approach.
What we are going to do is:
-force the program to recognize the dongle
driver (even if it is not loaded)
-Get rid of the "Enter your password" message
box.
-Make it believe we typed a password and
pressed "OK"
-Feed it with the right password
-Force it to accept it
Changed offset are shown in red:
:0041257C FF1544EE4200 MSVCRT40._mbscmp
:00412582 83C408
add esp, 00000008
:00412585 33C0
xor eax, eax
; Driver_Always_Loaded
:00412587 7425
je 004125AE
; Jump
:00412589 8B4DF0
mov ecx, dword ptr [ebp-10]
:0041258C E8DF0E0000 call 00413470
:00412591 85C0
test eax, eax
:00412593 0F8487FEFFFF je 00412420
:00412599 8B4DF0
mov ecx, dword ptr [ebp-10]
:0041259C E8FF100000 call 004136A0
:004125A1 85C0
test eax, eax
:004125A3 0F85C9000000 jne 00412672
:004125A9 E972FEFFFF jmp 00412420
:004125AE 6A00
push 00000000
:004125B0 8D8D3CFFFFFF lea ecx, dword ptr [ebp+FFFFFF3C]
:004125B6 E8A5030100 call 00422960
:004125BB C745FC04000000 mov [ebp-04], 00000004
:004125C2 8D8D3CFFFFFF lea ecx, dword ptr [ebp+FFFFFF3C]
:004125C8 B801000000
mov eax,000000001
; No more Message Box
:004125CD 83F801
cmp eax, 00000001
; "OK" pressed
:004125D0 0F85AD040000 jne 00412A83
:004125D6 682CC24200 push 0042C22C
:004125DB 8D4DE4
lea ecx, dword ptr [ebp-1C] ; Store our password
:004125DE E833070100 MFC40.MFC40:NoName0081
; Calculate correct password
:004125E3 C645FC05 mov
[ebp-04], 05
:004125E7 8B459C
mov eax, dword ptr [ebp-64] ; Store correct password
in eax
:004125EA 8B4D9C
mov ecx, dword ptr [ebp-64] ; Store correct password
in ecx
:004125ED 50
push eax
:004125EE 51
push ecx
:004125EF FF1544EE4200 MSVCRT40._mbscmp
; Compare both
:004125F5 83C408
add esp, 00000008
:004125F8 85C0
test eax, eax
; Password_ALWAYS_OK
:004125FA 7428
je 00412624
; jump and go ahead.
:004125FC 6A00
push 00000000
; Will never reach this part.
:004125FE 6A30
push 00000030
...
:00412600 6800C24200 push 0042C200
:0041261F E9FCFDFFFF jmp 00412420
There are still few enhancements to do because
running the program with these changes will give you the following message:
"This dongle does not support AIDamage"
Back to W32dasm85 we quickly find the problem:
:0041293A FF1544EE4200 MSVCRT40._mbscmp
:00412940 83C408
add esp, 00000008
:00412943 85C0
test eax, eax
; Is_Dongle_OK?
:00412945 7420
je 00412967
; Yes, jump otherwise...
:00412947 8B4DF0
mov ecx, dword ptr [ebp-10]
:0041294A E8F10B0000
call 00413540
; "This dongle doesn't support..."
We notice that the program is always checking if the dongle is still present:
:0041450A FF1544EE4200 MSVCRT40._mbscmp
:00414510 83C408
add esp, 00000008
:00414513 85C0
test eax, eax
; Is_Dongle_Still_Connected?
:00414515 7511
jne 00414528
:00414517 33C0
xor eax, eax
; Good_Guy
:00414519 8B4DF4
mov ecx, dword ptr [ebp-0C]
:0041451C 64890D00000000 mov dword
ptr fs:[00000000], ecx
:00414523 5E
pop esi
:00414524 8BE5
mov esp, ebp
:00414526 5D
pop ebp
:00414527 C3
ret
:00414528 685CC64200
push 0042C65C
; "Dongle is no longer connected"
For those 2 checks, you just have to patch
both test eax,eax.
Finally, I deeper look at the ASM listing and you'll find some other error messages:
"Your dongle has not been updated"
x-refs:
:00413C77
:00413F47
:00413FF0
"Invalid enable code, closing down"
x-refs:
:00413BFC
:00413C05
"Your licence has expired."
X-Ref:
:00413966
I didn't patch those occurences as the program
worked well. I put some BPX at those offsets but SoftICE never broke (even
when changing the OS date). So I just assume the program may check inside
the dongle to see if the license has expired or not but since we forced
it to accept the dongle we may not need to patch them.
Anyway, now you won't loose any data if you
have a dongle connected or not and you can print safely!
Note: you can remove the DK2 DESkey driver, it is not needed any
more.
During its installation, this Visual Basic 3 soft added a key.dll
(18Kb) file to the windows/system directory.
Though we could use Dodi's VB discompiler to disasm the main executable
(ecprog.exe 231Kb) and find all references to the dongle through
the source code, a live approach will be enough to get rid of the protection.
Running the program will display a Nagscreen:
"The software key was not detected! The software will run in
demonstration mode only"
With SoftICE:
BPIO -H 378
Run ecprog.exe and SoftICE pops. We are inside Make.dll,
an Exported function from Key.dll.
Press <F12> 3 times, and you can't miss the dongle protection:
.000105C8: E88EFE call .000010459
; Check I/O
.000105CB: 08C0 or
al,al
; Is_Dongle_OK?
.000105CD: 7506 jne
.0000105D5
.000105CF: C646FF00 mov b,[bp][-0001],000
; Bad_Guy_Flag
.000105D3: EB04 jmps
.0000105D9
.000105D5: C646FF01 mov b,[bp][-0001],001
; Good_Guy_Flag
.000105D9: 8A46FF mov
al,[bp][-0001] ; Store Flag
in AL
.000105DC: C9
leave
.000105DD: CA0C00 retf
0000C
; Back to caller
This routine is very important:
You'll find it in most stupid dongle programs you'll have to crack,
so get familiar with it!
.0001004B: 9AFFFF0000 call 001:004EE
; Call the above routine
.00010050: 08C0 or
al,al
; Good_Guy_flag set?
.00010052: 7407 je
.00001005B
.00010054: C746FC0100 mov w,[bp][-0004],00001
; Full_Program_Flag
.00010059: EB05 jmps
.000010060
.0001005B: 31C0 xor
ax,ax
; Demo_Program_Flag
.0001005D: 8946FC mov
[bp][-0004],ax ; Bad_Guy
=> Xor AX
.00010060: 8B46FC mov
ax,[bp][-0004] ; Good_Guy=>
AX=0x01
.00010063: 5F
pop di
.00010064: 5E
pop si
.00010065: 8D66FE lea
sp,[bp][-0002]
.00010068: 1F
pop ds
.00010069: 5D
pop bp
.0001006A: 4D
dec bp
.0001006B: CB
retf
If you disasm the DLL, you'll see that there is only 1 x-ref for
both routine: the program just checks for the dongle at the very beginning
but will not during its execution (but it will check the Full_Program/Demo_Program
flag).
You can patch the conditional jump at 00010052 or the first routine....
there are plenty of ways to do so.
That's all for this dongle.
IPLab v1.7
-Description:
Scientific image analysis program.
-OS:
Win95/NT4
-Protection:
Dongle (parallel ). Driver: Sentinel.vxd.
-Misc.:
Does NOT run if no dongle detected + SetUp password protected.
The Setup will prompt you for a password. Let's crack it:
BPX DialogBoxParam
Type in any password + <Enter>.
SoftICE pops:
<F11>
You'll get the "Incorrect Password" message. Press <OK>.
<F12>
Now just look at the end of the routine:
xxxx:4494 B80100 mov ax,0001 ;
SetUP cancelled
xxxx:4497 EB02 jmp 449B
xxxx:4499 33C0 xor ax,ax
; Install program
xxxx:449B 5E pop si
xxxx:449C 5F pop di
xxxx:449D C9 leave
xxxx:449E CB ret
Just patch the mov ax,0001 so that the Setup will think you have typed the right password.
The program will be installed in the c:\IPLabDir directory (you
can't choose another destination directory).
Running the main exe file IPLab.exe (1.22 Mb) will display:
"KEY NOT FOUND"
WDasm it and here is what we find:
:0040D626 E815630200
call 00433940
; Check_If_Dongle_OK
:0040D62B 85C0
test eax, eax
:0040D62D 7516
jne 0040D645
; Good_Guy
:0040D62F 56
push esi
:0040D630 56
push esi
:0040D631 68A8C64B00
push 004BC6A8
; "Key not found" + Exit
:0040D636 E8A5E50400
MFC40.MFC40:NoName0029
:0040D63B C7837C02000002000000 mov dword ptr
[ebx+0000027C], 2
:0040D645 8D4DC0
lea ecx, dword ptr [ebp-40]
Just make it always jump.
When running, the program will check is the key is still plugged in:
* Referenced by a CALL at Addresses :0043379C, :0043BCD1, :0043BD23,
:0043BD75, :0043BDC3, :0044CF15
:00433AB0 6A00
push 00000000
:00433AB2 6A00
push 00000000
:00433AB4 6894E14B00
push 004BE194
; "Key Missing"
It is called by 6 different routines. Here is just the first one of them (they all use the same following piece of code):
:00433787 E894830000
call 0043BB20
; Check // port
:0043378C 85C0
test eax, eax
; Is_Dongle_OK?
:0043378E 740C
je 0043379C
; Bad_Guy_Jump
:00433790 99
cdq
:00433791 B907000000
mov ecx, 00000007
:00433796 F7F9
idiv ecx
:00433798 85D2
test edx, edx
:0043379A 7425
je 004337C1
; Good_Guy jump
* Referenced by (C)onditional Jump :0043378E
:0043379C E80F030000
call 00433AB0
; "Key Missing" + Exit
:004337A1 6A00
push 00000000
:004337A3 6A01
push 00000001
This routine check the parallel port by calling offset :0043BB20. The 5 other similar ones call 4 different routines:
1) 0043BB20
2) 0043BC20
3) 0043BB60
4) 0043BBB0
Now let's see those 4 routines that call the Sentinel driver:
1)
:0043BB20 A1B4094C00
mov eax, dword ptr [004C09B4]
:0043BB25 0FBF00
movsx eax, word ptr [eax]
:0043BB28 99
cdq
:0043BB29 33C2
xor eax, edx
:0043BB2B 2BC2
sub eax, edx
:0043BB2D 8B15BC094C00
mov edx, dword ptr [004C09BC]
:0043BB33 8BC8
mov ecx, eax
:0043BB35 0FBF02
movsx eax, word ptr [edx]
:0043BB38 99
cdq
:0043BB39 33C2
xor eax, edx
:0043BB3B 2BCA
sub ecx, edx
:0043BB3D 03C8
add ecx, eax
:0043BB3F 7512
jne 0043BB53
; Make it always jump 43BB41
:0043BB41 FF1580794C00
MSVCRT40.rand
; Good_Guy
:0043BB47 8D0CC500000000
lea ecx, dword ptr [8*eax+00000000]
:0043BB4E 2BC8
sub ecx, eax
:0043BB50 8BC1
mov eax, ecx
:0043BB52 C3
ret
* Referenced by a jump:0043BB3F(C)
:0043BB53 33C9
xor ecx, ecx
; Bad_Guy
:0043BB55 8BC1
mov eax, ecx
:0043BB57 C3
ret
2)
:0043BC20 53
push ebx
:0043BC21 56
push esi
:0043BC22 668B5C240C
mov bx, word ptr [esp+0C]
:0043BC27 57
push edi
:0043BC28 33FF
xor edi, edi
...
:0043BC54 85FF
test edi, edi
:0043BC56 750E
jne 0043BC66
; Make it always jump 43BC58
:0043BC58 FFD6
call esi
; Good_Guy
:0043BC5A 40
inc eax
:0043BC5B 5F
pop edi
:0043BC5C 8BC8
mov ecx, eax
:0043BC5E 5E
pop esi
:0043BC5F C1E003
shl eax, 03
:0043BC62 5B
pop ebx
:0043BC63 2BC1
sub eax, ecx
:0043BC65 C3
ret
* Referenced by a (C)onditional Jump :0043BC56
:0043BC66 33C0
xor eax, eax
; Bad_Guy
:0043BC68 5F
pop edi
:0043BC69 5E
pop esi
:0043BC6A 5B
pop ebx
:0043BC6B C3
ret
3)
:0043BB60 A1B8094C00
mov eax, dword ptr [004C09B8]
:0043BB65 0FBF00
movsx eax, word ptr [eax]
...
:0043BB7F A1B0094C00
mov eax, dword ptr [004C09B0]
:0043BB84 0FBF00
movsx eax, word ptr [eax]
:0043BB87 99
cdq
:0043BB88 33C2
xor eax, edx
:0043BB8A 2BCA
sub ecx, edx
:0043BB8C 03C8
add ecx, eax
:0043BB8E 7512
jne 0043BBA2
; Make it always jump 43BB90
:0043BB90 FF1580794C00
MSVCRT40.rand
; Good_Guy
:0043BB96 8D0CC500000000
lea ecx, dword ptr [8*eax+00000000]
:0043BB9D 2BC8
sub ecx, eax
:0043BB9F 8BC1
mov eax, ecx
:0043BBA1 C3
ret
* Referenced by a (C)onditional Jump :0043BB8E(C)
:0043BBA2 33C9
xor ecx, ecx
; Bad_Guy
:0043BBA4 8BC1
mov eax, ecx
:0043BBA6 C3
ret
4)
:0043BBB0 A1B4094C00
mov eax, dword ptr [004C09B4]
:0043BBB5 0FBF00
movsx eax, word ptr [eax]
:0043BBB8 99
cdq
...
:0043BBF6 33C2
xor eax, edx
:0043BBF8 2BCA
sub ecx, edx
:0043BBFA 03C8
add ecx, eax
:0043BBFC 7512
jne 0043BC10
; Make it always jump 43BBFE
:0043BBFE FF1580794C00
MSVCRT40.rand
; Good_Guy
:0043BC04 8D0CC500000000
lea ecx, dword ptr [8*eax+00000000]
:0043BC0B 2BC8
sub ecx, eax
:0043BC0D 8BC1
mov eax, ecx
:0043BC0F C3
ret
* Referenced by a (C)onditional Jump :0043BBFC(C)
:0043BC10 33C9
xor ecx, ecx
; Bad_Guy
:0043BC12 8BC1
mov eax, ecx
:0043BC14 C3
ret
That was just another stupid protection which didn't need any dongle. A simple 'password protected' program or a good .Reg/.Key file would have done the same (and would have save money to those programers -:).
DigiSHOW.vld v1.7
-Description:
Virtual Laser Disk program.
-OS:
Win95
-Protection:
Dongle (parallel ). Driver: DK47wn32.dll
-Misc.:
Does NOT run if no dongle detected.
Disasm the main exe (vld.exe 145Kb).
There're no words to describe the following; just read it and
forget it.
:00405E4F E8ECD7FFFF call 00403640
; Get_That_stupid_dongle_driver
:00405E54 83F801 cmp
eax, 00000001
; Is_Dongle_OK?
:00405E57 0F8515010000 jne 00405F72
; Jump if not
:00405E5D 8B44243C mov eax, dword
ptr [esp+3C]
:00405E61 8B4C2430 mov ecx, dword
ptr [esp+30]
...
* Referenced by a (C)onditional Jump :00405E57(C)
:00405F72 6A00
push 00000000
; "The DigiSHOW.vld key
:00405F79 68F8824100 push 004182F8
; has not been found"
And now, ladies and gentlemen, THE CALL :
* Referenced by a (C)onditional Jump :00405E57
:00403640 81EC08080000 sub esp, 00000808
:00403646 56
push esi
:00403647 33F6
xor esi, esi
:00403649 E8C4490000 DK47wn32.DK47DriverInstalled
; No comments
:0040364E 83F801 cmp
eax, 00000001
:00403651 7549
jne 0040369C
:00403653 E8B4490000 DK47wn32.FindDK47
; No comments
:00403658 83F801 cmp
eax, 00000001
:0040365B 753F
jne 0040369C
:0040365D 8D442404 lea eax, dword
ptr [esp+04]
:00403661 6806080000 push 00000806
:00403666 50
push eax
:00403667 6A3B
push 0000003B
:00403669 6A06
push 00000006
:0040366B 6A1E
push 0000001E
:0040366D E894490000 DK47wn32.DK47ReadRandomNumbers
; No comments
:00403672 B847040000 mov eax, 00000447
:00403677 33C9
xor ecx, ecx
:00403679 8A4C0404 mov cl, byte ptr
[esp+eax+04]
:0040367D 03F1
add esi, ecx
:0040367F 40
inc eax
:00403680 3D06080000 cmp eax, 00000806
:00403685 7CF0
jl 00403677
:00403687 81FECAFE0100 cmp esi, 0001FECA
:0040368D 750D
jne 0040369C
:0040368F B801000000 mov eax, 00000001
; Guess?
:00403694 5E
pop esi
:00403695 81C408080000 add esp, 00000808
:0040369B C3
ret
* Referenced by a (C)onditional Jump :00403651, :0040365B, :0040368D
:0040369C 33C0
xor eax, eax
; Guess here too?
:0040369E 5E
pop esi
:0040369F 81C408080000 add esp, 00000808
:004036A5 C3
ret
Everything is here. I would insult you if I explained how to crack
this crap, so I will not.
The Help/About menu displays:
DESIN & CODING:
Chris Fulton
GRAPHICS:
Chris Fulton
MANUAL:
Chris Fulton
Sorry, Chris, but you're an asshole: keep working on the Manual,
but for God's sake, just forget the Coding!
Axon Engineer Pro v2.11e
-Description:
Neurocellular modeling tool.
-OS:
DOS/Win3.xx/Win95
-Protection:
Dongle (parallel ). Driver: Sentinel.vxd.
-Misc.:
The DOS .exe file Does NOT run if no dongle detected. InstallShield
password protected.
Crackers are very serious peoples, look: we are going to crack a dongle protected cellular electrochemical dynamics simulator! Nice isn't it? But don't worry, as usual the program is far more complicated to understand than its dongle protection is.
Before downloading it, I read at Axon's home page the following:
"If you are not currently a licensed user of Axon Engineer,
the downloads below will be of no use to you since they require the presence
of a hardware key ('dongle') to run.
If you are a licensed user of Axon Engineer Pro, you will need
a password to run the setup program for the upgrade."
The setup (that stupid InstallShield Wizard) is protected with a password. A simple BPX Lstrcmp will show you that you should better type 'opengate1' if you ever want to have the opportunity to install this soft.
There are 2 .exe files:
- aewin.exe (375Kb) for Window$
- eapro.exe (400Kb) for DOS.
Strangely, the Windows' file doesn't seem to require any dongle
(or did I miss something??) but the DOS'one does. That's just because it
is much more sophisticated than aewin.exe which doesn't appear to
be able to create new file.
Let's work on the DOS app. For this I would prefer to use Sourcer
7.0 but since +IDA Pro is an official +HCU tool we will use it for this
crack.
Running eapro.exe will display the following message (and
nearly crash your computer, BTW -:):
'Hardware Key Violation'
Open it with IDA Pro and search for the string "key":
ALT-B type=> "key"
IDA send you there:
dseg:019E aHardwareKeyVio db 'Hardware Key Violation',0 ; DATA XREF:
sub_0_0+1347
Just click on the XREF:
000:1346 loc_0_1346:
; CODE XREF: sub_0_0+35B
000:1346
push ds
000:1347
push offset aHardwareKeyVio
000:134A
push 0FFFFh
000:134C
call sub_D49_2
000:1351
add sp, 6
000:1354
jmp short loc_0_13A0
As there is only 1 XREF, click on it again and you'll get what you were looking for:
000:034C
push ds
000:034D
push offset aAxonEngineer
000:0350
call sub_DED_28A
; Check_Dongle
000:0355
add sp, 4
000:0358
cmp ax, 2231h
; Is_Dongle_OK?
000:035B
jnz loc_0_1346
; Bad_Guy_jump
000:035F
imul bx, [bp+var_10], 46h
Here again, there's no need to tell you how to crack it.
FTI/DOE v2.3.1.4
-Description:
Tools for performing the process of dynamic energy analysis.
-OS:
DOS/Win3.xx/Win95/NeXTStep/VMS and most Unix systems.
-Protection:
Dongle (parallel ). Driver: none.
-Misc.:
The 2 main DOS .exe files do NOT run if no dongle detected
For infos, here is the more complete description of this soft:
'This software enables architects and engineers to perform a
comprehensive analysis of dynamic heating and cooling loads, simulation
of heating and cooling distribution systems, modeling of equipment supplying
the required energy and calculation of the life-cycle costs of owning and
operating energy systems for buildings. The program can simulate hour-by-hour
performance for buildings ranging in size from a small one-room residence
to a large multi-storied structure for each of the 8760 hours in a year.
FTI/DOE is based on the work conducted by the Simulation Research
Group at Lawrence Berkeley Laboratories (LBL).'
I really have no use of this soft, but as this DOS app was written in Fortran and as I like this language, I downloaded it. If you never saw the source code of a file in Fortran, you can go to FTI/DOE site and download the source of one of the .exe of this program (the 'weather processor' file - wth.exe) and you'll see how beautiful it looks!
The 2 main softs (ble.exe 1Mb and sim.exe 1.57Mb) are dongle protected (own routines linked inside both programs) and will display the following message:
'Invalid Hardware Key or Key Error
Check the key for proper installation
...Exiting!!!'
We will only have a look at ble.exe as both program use exactly the same protection scheme.
BPIO -h 378 with SoftICE and run it. SoftICE pops, then <P RET> 2 times and here we go:
0002B285: E873EBFFFF
call 000029DFD ;
get dongle RetCode in ax
0002B28A: 8BE5
mov esp,ebp
0002B28C: 25F0FFFFFF
and eax,0FFFFFFF0
0002B291: 663B0500560800
cmp ax,[000085600] ;
compare to correct RetCode (0x8010)
0002B298: 6693
xchg bx,ax
0002B29A: 0F8502000000
jne 00002B2A2
; Bad_Guy jump
0002B2A0: 33C0
xor eax,eax
; Clear ax for Good_Guy
0002B2A2: 5A
pop edx
0002B2A3: 59
pop ecx
0002B2A4: 5B
pop ebx
0002B2A5: C3
retn
A couple of <P RET> later we have:
00032393: E88DB30300
call 00006D725
; the caller
00032398: 83C40C
add esp,00C
0003239B: F705E41C090001000000 test d,[000091CE4],000000001
000323A5: 753E
jne 0000323E5
; make it always jump
Again I just can't believe it: those guys wrote a sophisticated
soft, powerful and reliable with a complicated language (Fortran) but were
just unable to write a good protection scheme!
If you run it now, you'll get:
'Fortran runtime error on external file "C:\xxxxxx\xxxxxx\xxxxxx\input2.tmp"
(1046):
Attempt to open non-existing file with STATUS = OLD'
This error message is just due to the fact that the soft doesn't
run without command line arguments (see the batch files in the Script
directory if you plan to use this soft).
S-Tagger for FrameMaker v2.0
-Description:
Tools for extracting text from MIF files created with Adobe FrameMaker
5.xx.
-OS:
Win95/NT3.51 (with Service Pack 2 or later installed)/NT 4.0 and Windows
3.x (with Win32s).
-Protection:
Dongle (parallel ). Driver: ACTIVATOR & UniKey (SSIACT.386
for Win95/3.xx and SSIPDDP.SYS for WinNT).
-Misc.:
Run in DEMO mode if NO dongle detected (see below).
If no dongle is connected, the program will run in demo mode with
the following limitations:
'The demonstration version is a full working version of The
S-Tagger for FrameMaker, with the limitation that only files of a particular
size, up to 180KB for MIF files and 30KB for STF/RTF files, can be processed.'
Running it will display a message box:
'While no dongle is connected to the parallel port, the program
only runs in Demo mode.'
Disasm the main file (staggerf.exe 650Kb) :
We can quickly find the 'While no dongle...' string data ref:
:004047B6 6A01
push 00000001
:004047B8 E8A3F6FFFF
call 00403E60
; Check Dongle
:004047BD 85C0
test eax, eax
:004047BF 7544
jne 00404805
; Good_Guy jump
:004047C1 6A01
push 00000001
:004047C3 8D4DC8
lea ecx, dword ptr [ebp-38]
:004047C6 6A05
push 00000005
:004047C8 E893F6FFFF
call 00403E60
; Check Dongle
:004047CD 85C0
test eax, eax
:004047CF 7534
jne 00404805
; Good_Guy jump
:004047D1 8D4DE4
lea ecx, dword ptr [ebp-1C]
:004047D4 E8237B0400
call 0044C2FC
:004047D9 68BE000000
push 000000BE
; 'While no dongle is connected...'
The program check the dongle by calling twice the routine located at offset :00403E60. I don't know a lot about the Activator dongle, but it seems to be similar with the Hasp dongle as, each time it calls this routine, we can see the parameter pushed on the stack push 1, push 5 that could be 'check_if_dongle_present' and 'type of dongle' but I am not sure.
When running, S-Tagger displays the About thumbnail where
we can read:
'The S-Tagger 2.0 for FrameMaker is running in Demo mode'
Searching again in the String data refs, we find 2 locations but
only one is interesting:
:0042F9FE 687A170000
push 0000177A ; '%s is running
in'
...
...
:0042FA42 6A01
push 00000001
:0042FA44 E81744FDFF
call 00403E60
:0042FA49 85C0
test eax, eax
:0042FA4B 7436
je 0042FA83
:0042FA4D 6898170000
push 00001798 ; 'comprehensive
mode.'
...
...
:0042FAC7 EB21
jmp 0042FAEA
* Referenced by a Jump at Address:0042FA91(C)
:0042FAC9 688E170000
push 0000178E ; 'demo mode.'
Again, it calls the same routine (:00403E60). We can see that it
will run either in 'demo mode' or in 'comprehensive mode'.
Let's have a look at this routine:
* Referenced by a CALL at Addresses:004047B8, :004047C8, :0040756D, :0040757D, :00417EF8, :00417F08, :00417F9B, :00417FAB, :0042E6AD, :0042FA44, :0042FA8A
:00403E60 807C240474 cmp byte ptr [esp+04], 74
; check last 'push xxxxxxxx'
:00403E65 53
push ebx
:00403E66 56
push esi
:00403E67 8BF1
mov esi, ecx
:00403E69 733F
jnb 00403EAA
; jnb Bad_Guy#2 **Change to jmp 00403E89**
:00403E6B 8A5C2410 mov bl, byte ptr [esp+10]
:00403E6F 80FB01 cmp bl, 01
:00403E72 7236
jb 00403EAA
; jb Bad_Guy~2
:00403E74 80FB08 cmp bl, 08
:00403E77 7731
ja 00403EAA
; ja Bad_Guy#2
:00403E79 E882000000 call 00403F00
:00403E7E 85C0
test eax, eax
:00403E80 7507
jne 00403E89
; jne Good_Guy
:00403E82 33C0
xor eax, eax
; Bad_Guy#1
:00403E84 5E
pop esi
:00403E85 5B
pop ebx
:00403E86 C20800 ret 0008
* Referenced by a Jump at Address:00403E80(C)
:00403E89 8B44240C mov eax, dword ptr [esp+0C]
:00403E8D 8BCE
mov ecx, esi
:00403E8F 50
push eax
:00403E90 E88BFFFFFF call 00403E20
:00403E95 B201
mov dl, 01
:00403E97 8D4BFF lea ecx, dword
ptr [ebx-01]
:00403E9A D2E2
shl dl, cl
:00403E9C 22D0
and dl, al
:00403E9E 5E
pop esi
:00403E9F 5B
pop ebx
:00403EA0 80FA01 cmp dl, 01
:00403EA3 1BC0
sbb eax, eax
; eax= -1
:00403EA5 F7D8
neg eax
; set Good_Guy flag
:00403EA7 C20800 ret 0008
* Referenced by a Jump at Addresses:00403E69(C), :00403E72(C), :00403E77(C)
:00403EAA 33C0
xor eax, eax
; Bad_Guy#2
:00403EAC 5E
pop esi
:00403EAD 5B
pop ebx
:00403EAE C20800 ret 0008
Obviously, patching the jnb Bad_Guy#2 is enough to a have
a full working version ('comprehensive mode').
There are two calls to offsets :00403F00 and :00403E20. Here is
the code for the first one:
:00403F00 83EC04 sub esp, 00000004
:00403F03 8D442402 lea eax, dword ptr [esp+02]
:00403F07 50
push eax
:00403F08 E8B3FFFFFF call 00403EC0
:00403F0D 85C0
test eax, eax
:00403F0F 752B
jne 00403F3C
:00403F11 6A3A
push 0000003A
* Reference To: W32SSI.wSSIMemR, Ord:0015h
:00403F13 E8A8410300 Call 004380C0
:00403F18 3D6E610000 cmp eax, 0000616E
:00403F1D 7517
jne 00403F36
:00403F1F 6A3B
push 0000003B
* Reference To: W32SSI.wSSIMemR, Ord:0015h
:00403F21 E89A410300 Call 004380C0
:00403F26 3D00210000 cmp eax, 00002100
:00403F2B 7509
jne 00403F36
:00403F2D B801000000 mov eax, 00000001
:00403F32 83C404 add esp, 00000004
:00403F35 C3
ret
* Referenced by a Jump at Addresses:00403F1D(C), :00403F2B(C)
:00403F36 33C0
xor eax, eax
; Bad_Guy
:00403F38 83C404 add esp, 00000004
:00403F3B C3
ret
* Referenced by a Jump at Address:00403F0F(C)
:00403F3C B801000000 mov eax, 00000001
:00403F41 83C404 add esp, 00000004
:00403F44 C3
ret
Nothing to explain here, everything is clear again: W32ssi.dll
is the DLL that will check for your dongle by calling its driver.
I was just wondering if this 'comprehensive mode' was the full
version, so I created a 300Kb MIF file with FrameMaker 5.5 and converted
it with S-Tagger without any problem and the program works well.
XinTianMa C
-Description:
CJK (Chinese-Japanese-Korean) language software for word processing
and viewing of CJK encoded web pages for E-Windows 95/3.1, C-Windows (Traditional
& Simplified), J-Windows and DOS.
-OS:
Win95/Win3.xx/DOS.
-Protection:
Dongle (parallel ). Driver: unknown (internal).
-Misc.:
Does NOT run if no dongle detected.
If you ever get connected to XinTianMa's site, you'll be surprised
to read on top of each page:
'This page generated by an evaluation copy of the Microsoft
Merchant Server.'
Ohhh, Naughty boys...
This DOS tool doesn't use any external dongle driver, but its own
one linked inside the main .exe : xtmg.exe 413Kb. Only this file
is protected.
Running it will display the following message: 'error : XTMG
requires dongle.'
Bpio -h 378 and SoftICE pops here:
00018939: 42
inc dx
0001893A: 42
inc dx
0001893B: EC
in al,dx
0001893C: 8AE0
mov ah,al
0001893E: 0C04
or al,004
00018940: 24BF
and al,0BF
00018942: EE
out dx,al
00018943: 51
push cx
00018944: 8B0E7822 mov
cx,[02278]
00018948: E2FE
loop 000018948
0001894A: 59
pop cx
0001894B: 4A
dec dx
0001894C: 4A
dec dx
0001894D: B0FF
mov al,0FF
0001894F: EE
out dx,al
........
There's another similar one located elsewhere in the program. Both
routines are called alternatively. The reason is that the program will
search for 2 different RetCodes.
3 pret later, we land in the middle of this routine:
00018611: 55
push bp
00018612: 8BEC
mov bp,sp
00018614: 57
push di
00018615: 56
push si
00018616: 8B7E06 mov
di,[bp][00006]
00018619: C706F040C96E mov w,[040F0],06EC9
; Store correct RetCode#1 in [40F0]
0001861F: C706F2404B3F mov w,[040F2],03F4B
; Store correct RetCode#2 in [40F2]
00018625: 0BFF
or di,di
; Is it the first time we get here?
00018627: 7512
jne 00001863B
00018629: 6A29
push 029
0001862B: FF363C22 push
w,[0223C]
0001862F: FF363A22 push
w,[0223A]
00018633: 9A1E001725 call 02517:0001E
00018638: 83C406 add
sp,006
0001863B: 2BF6
sub si,si
0001863D: 3BF7
cmp si,di
; Have both RetCodes been checked and OKayed?
0001863F: 7327
jae 000018668
; jmp to Good_Guy
00018641: 1E
push ds
00018642: 683E22 push
0223E
; Prepare welcome message...
00018645: 0E
push cs
00018646: E8A7FF call
0000185F0 ;
Check // port for dongle
00018649: 5B
pop bx
0001864A: 5B
pop bx
0001864B: 3B06F040 cmp
ax,[040F0] ;
Check if RetCode#1 OK
0001864F: 7513
jne 000018664
; If not, jump and try again
00018651: 1E
push ds
00018652: 685722 push
02257
; Prepare copyright message...
00018655: 0E
push cs
00018656: E897FF call
0000185F0 ;
Check // port for dongle
00018659: 5B
pop bx
0001865A: 5B
pop bx
0001865B: 3B06F240 cmp
ax,[040F2] ;
Check if RetCode#2 OK
0001865F: 7503
jne 000018664
; If not, jump and try again
00018661: 46
inc si
; inc Check_Dongle counter
00018662: EBD9
jmps 00001863D ;
jmp back
00018664: 2BC0
sub ax,ax
; Bad_Guy (clear ax)
00018666: EB03
jmps 00001866B
00018668: B80100 mov
ax,00001 ;
Set Good_Guy flag
0001866B: 5E
pop si
0001866C: 5F
pop di
0001866D: C9
leave
0001866E: CB
retf
; Back to caller
0001866F: 55
push bp
00018670: 8BEC
mov bp,sp
00018672: 56
push si
00018673: BE0100 mov
si,00001
00018676: 83FE04 cmp
si,004
; Check_Dongle counter =<4 ?
00018679: 7720
ja 00001869B
; jmp to Bag_Guy if >=5
0001867B: 56
push si
0001867C: 9A1B003215 call 01532:0001B -
00018681: 5B
pop bx
00018682: 0BC0
or ax,ax
00018684: 740C
je 000018692 -
00018686: FF7606 push
w,[bp][00006]
00018689: 0E
push cs
0001868A: E884FF call
000018611 ;
Call previous routine
0001868D: 5B
pop bx
0001868E: 0BC0
or ax,ax
; Is it OK?
00018690: 7503
jne 000018695
; jmp Good_Guy
00018692: 46
inc si
; inc Check_Dongle counter
00018693: EBE1
jmps 000018676
; jmp back and try your
luck again.
00018695: B80100 mov
ax,00001 ;
Set Good_Guy flag...
00018698: 5E
pop si
00018699: C9
leave
0001869A: CB
retf
0001869B: 2BC0
sub ax,ax
; Bad_Guy flag
0001869D: 5E
pop si
0001869E: C9
leave
0001869F: CB
retf
...
000186F8: E874FF call
00001866F ;
Call the above routine
000186FB: 5B
pop bx
000186FC: 0BC0
or ax,ax
; Dongle or no dongle ?
000186FE: 7521
jne 000018721
...
00018721: B80100 mov
ax,00001 ;
found it, go ahead
00018724: CB
retf
0001869B: 2BC0
sub ax,ax
; otherwise clear ax and exit
0001869D: 5E
pop si
0001869E: C9
leave
0001869F: CB
retf
The program check the RetCode#1 and, if it is not correct, will
check it again 3 times. After that, if it is still the wrong RetCode you
are sent away otherwise it will do the same job for the RetCode#2.
The stupid part of this code is when the program stores the 2 correct
RetCodes, and the fact that everything is located in same area. Hard to
miss it!
As there are at least one dozen different ways to patch and crack
this, I let you decide which one you prefer, there's no need to explain
this.
OmniMark v3R1a Win95
-Description:
Perform large-scale conversion and mark-up of text and data for delivery
in print or on CD-ROM, as well as allow Intranet and website builders to
automate the presentation of individualized content
-OS:
Win95 (there are other versions for DOS/Win3.XX, NT, OS/2).
-Protection:
Dongle (parallel ). Driver: Hasp95.vxd.
-Misc.:
Does NOT run if no dongle detected.
This 32bit app will run in a DOS box. I tried it and it appears to be fast and very efficient.
That's another Hasp dongle! Let's bash it too.
With Hiew, we can quickly locate the main hasp routine in the main
executable (omnimark.exe 1.5Mb): 00133548 (:00533548 with SoftICE
or W32Dasm).
Running the program will display:
'Authorization failed. Exiting OmniMark.'
Though it's just another stupid protection, I add it here for 2
reasons:
1) though I cracked several Hasp protected softs, this is the first
one I found that will clear eax for the Good_Guy and set it to 1 for the
Bad_Guy:
:0041104A 6A01
push 00000001
:0041104C E8F7241200 call 00533548
; Call Hasp Service#1
:00411051 83C424 add
esp, 00000024
:00411054 837DFC00 cmp dword ptr
[ebp-04], 00000000 ; Is it a Hasp (RetCode#1 should
be =0x01)
:00411058 0F850A000000 jne 00411068
; Good_Guy jump
:0041105E B801000000 mov eax, 00000001
; Set Bad_Guy_Flag
:00411063 E9A6020000 jmp 0041130E
; terminate
The first time I ran it, I just put a BPX on the main Hasp routine,
get back to the caller and make it jump (as usual) until the mov eax,1
at the end of this routine and.. got this 'Authorization failed' message.
2) one tip, that works sometimes, is to search for some ofently used instructions like the Jmp Next_Instruction (0xe90000000)located at the end of the main routine that will call the dongle routine. It is useless and only used instead of 5 nop:
:00410BD1 E8AA030000
call 00410F80
:00410BD6 83C404
add esp, 00000004
:00410BD9 E900000000
jmp 00410BDE
; useless
:00410BDE 5F
pop edi
:00410BDF 5E
pop esi
:00410BE0 5B
pop ebx
:00410BE1 C9
leave
:00410BE2 C3
ret
...
...
:004112EA 85C0
test eax, eax
:004112EC 0F8412000000
je 00411304
:004112F2 8B45E0
mov eax, dword ptr [ebp-20]
:004112F5 A34C2C5600
mov dword ptr [00562C4C], eax
:004112FA C7059C3E56009A1F4100 mov dword ptr
[00563E9C], 00411F9A
:00411304 B801000000
mov eax, 00000001
:00411309 E900000000
jmp 0041130E
; useless
:0041130E 5F
pop edi
:0041130F 5E
pop esi
:00411310 5B
pop ebx
:00411311 C9
leave
:00411312 C3
ret
Well, that's all to say about this soft, because if you disasm it and have a look in the String data refs, you'll get:
:004018ED E828F30000 call 00410C1A
; Check dongle
:004018F2 85C0
test eax, eax
:004018F4 0F8512000000 jne 0040190C
:004018FA 687C115400 push 0054117C
; 'Authorization failed. Exiting OmniMark'.
:004018FF E894F20000 call 00410B98
:00401904 83C404 add
esp, 00000004
:00401907 E864F20000 call 00410B70
:0040190C E92F000000 jmp 00401940
No comments here as well about how to crack it...
And now, just for the fun, as I started my essay with Aladdin informations
and tips about 'how_to_protect_better_your_soft_with_our_state_of_the_art_dongle',
I though it may be worth having a quick look at one of the free tools you
can get on their site: Haptest.exe
Description:
'Hasptest is a simple program that checks the existency of FotoWare
protection dongles. It will report the different dongles found on your
system. This can be used to check that all dongles are found, and that
they are working properly.'
Here is just one piece of code from this 60Kb .exe file (all other calls to the dongle are strictly similar):
:00401BD6 6A02
push 00000002
:00401BD8 E823F4FFFF
call 00401000
; Hasp routine service #2
:00401BDD 83C424
add esp, 00000024
:00401BE0 817C240867B80000 cmp dword ptr [esp+08], 0000B867
; Is RetCode1=0xB867 ?
:00401BE8 752C
jne 00401C16
; Bad_Guy_Jump
:00401BEA 817C240C964D0000 cmp dword ptr [esp+0C], 00004D96
; Is RetCode2=0x4D96 ?
:00401BF2 7522
jne 00401C16
; Bad_Guy_Jump
:00401BF4 817C241098BD0000 cmp dword ptr [esp+10], 0000BD98
; Is RetCode3=0xBD98 ?
:00401BFC 7518
jne 00401C16
; Bad_Guy_Jump
:00401BFE 817C2414366A0000 cmp dword ptr [esp+14], 00006A36
; Is RetCode4=0x6A36 ?
:00401C06 750E
jne 00401C16
; Bad_Guy_Jump
:00401C08 6A40
push 00000040
; Good_Guy
:00401C0A 6838514000
push 00405138
; 'HASP TEST'
:00401C0F 68C0504000
push 004050C0
; 'FotoSync CSF HASP found'
:00401C14 EB0C
jmp 00401C22
:00401C16 6A10
push 00000010
; 'HASP TEST'
:00401C18 6838514000
push 00405138
; '** NO FotoSync CSF HASP found **'
...
...
Well, since they advise programmers to better protect their softs,
I thought they might have taken this opportunity to do the same with their
own programs...
That's all.
If I don't get a 'Dongle overdose' within the next few hours, and
if I am smart enough, I may go and try to fetch all free dongle softs available
on the Net, put them in a list and mail it to +Fravia for the +HCU.
Frog's Print - January 29, 1998