End of the dongle old aera ~ Dongles bye bye
(re-uploade version October 1998)
or
"How a single +HCU reverser can easily blow a whole commercial sector out of history"
Advanced
|
End of the dongle old aera ~ Dongles bye bye (re-uploade version October 1998) or "How a single +HCU reverser can easily blow a whole commercial sector out of history" |
Advanced | |
|
|
||
|
This program doesn't require any external known driver. The dongle
protection is located in the main executable: plabel.exe (379Kb).
Since this soft uses its own routines to check if there is a dongle,
let's have a quick look at its HLP file:
'This software is protected with a hardware
key which must be plugged into the parallel printer port at the back of
your PC. Without the key LabelCraft runs in demo mode. The following message
is then shown when you choose Label Printing or Label Editing from the
main menu: 'Missing key lock! Continue as Demoversion?'.
I have to say that this is not really helpful!
Never mind, let's Zen crack:
With SoftICE:
BPIO -H 378
Run the program and a dialog box pops asking you to choose between
"Editing" or "Printing a label"
Press "Editing" and SoftICE will break here:
.0001BFEA: EE
out dx,al ;
Here
.0001BFEB: EB00
jmps .00001BFED
.0001BFED: 8B0ECA3B mov
cx,[03BCA]
.0001BFF1: E2FE
loop .00001BFF1
.0001BFF3: A17C09
mov ax,[0097C]
.0001BFF6: 050200
add ax,00002
This is the main routine that will checks your // port for the
dongle.
To find the caller, it is very important to disable any BPIO before
pressing the <F12> key otherwise SoftICE will break several times.
With SoftICE:
BD *
<F12> (press it 3 times)
We land here:
.00015575: 9ADA543B55 call
001:054DA ; Check // port
.0001557A: 83C404
add sp,004
.0001557D: 3D457F
cmp ax,07F45 ; Is there a
dongle?
.00015580: 7408
je .00001558A ; Yes, jump...
.00015582: 46
inc si
.00015583: 83FE03
cmp si,003
.00015586: 7EC6
jle .00001554E
.00015588: EB06
jmps .000015590 ; Bad_Guy_Jump
.0001558A: B80100
mov ax,00001 ; Good_Guy
.0001558D: 5E
pop si
.0001558E: C9
leave
.0001558F: C3
retn
When I reached the cmp ax,7F45 instruction, I saw in the
registers windows that ax=FFFF. I quickly patched the je 1558A with
jumps 1558A.
The program seems to work well and we don't get any warning message
about the missing dongle. As the "Save" feature is disabled, I check the
main menu and...there are no "Save', "Save as" submenus!
There is a screw loose somewhere.
In fact, I just did a little mistake here: I said above to disable
the BPIO before pressing the <F12> key and realized that I didn't re-enable
it again right after. When running a Dongle protected soft, it is necessary
to always have a BPIO enable, because the program may check at any time
the presence of the dongle.
Exit Label Craft. Enable the BPIO until you reach the above code.
Disable it, press <F12> 3 times and patch the je 1558A again.
Now re-enable the BPIO and let the program run. SoftICE will pops
at offset .0001BFEA again.
With SoftICE:
BD *
<F12> (press it 3 times)
And we'll finally land here:
.000147F7: 9ADA540748 call
001:054DA ; Check
// port
.000147FC: 83C404
add sp,004
.000147FF: 3D9E6F
cmp ax,06F9E
; Is there a dongle?
.00014802: 740B
je .00001480F ;
Yes, jump...
.00014804: 9A58531248 call
001:05358 ; otherwise
disable "Save/Save as".
.00014809: C706FC4E0100 mov w,[04EFC],00001
; Set Bad_Guy_Flag.
.0001480F: 9A9E53AC46 call
001:0539E
.00014814: B80100
mov ax,00001
.00014817: 8D66FE
lea sp,[bp][-0002]
.0001481A: 1F
pop ds
.0001481B: 5D
pop bp
.0001481C: 4D
dec bp
.0001481D: CB
retf
Just make it always jump at offset .00014802.
Now, it may be a good idea to disasm the file to see if there is any other similar check (another -slow- solution would be to enable the BPIO and, with SoftICE, to test ALL features of the program -copy, printing...- but I don't have that much time to waste -:). W32Dasm v6.xx should be fine (plabel.exe is a 16bit file).
And here is what we find:
.00050461: 9ADA547704 call 001:054DA
; Check // port
.00050466: 83C404
add sp,004
.00050469: 3D64D4
cmp ax,0D464
; Is there a dongle?
.0005046C: 740B
je .000050479 ;
Yes, jump otherwise...
.0005046E: C706FC4E0100 mov w,[04EFC],00001
; set Bad_Guy_Flag and
.00050474: 9A58538C04 call
001:05358 ; add
garbages to the printing function...
.00050479: 833EFC4E00 cmp
w,[04EFC],000
.0005047E: 7503
jne .000050483
.00050480: E90E01
jmp .000050591 ;
Go ahead if Dongle_OK.
.00050483: 9AFFFF0000 call
GETTICKCOUNT
.00050488: 50
push ax
.00050489: 9A1E852001 call
001:0851E
Patching the je .000050479 will fully crack this soft.
As we can see, there's nothing really amazing in this protection but it is a bit more 'personal' and more discreet than the usual routines used by important dongle manufacturer. It would be more complicated to crack if some strong anti-softICE/disasm tricks would be added.
If you didn't understand the program description here is another
one:
"AiTS was founded to teach accident investigation, and to provide
software to assist accident investigators in their task.
Ai Damage calculates changes in speed from the damage caused
to vehicles. The program not only uses the tried and tested Crash3 algorthims,
but also uses the principle of the conservation of linear momentum (in
two dimensions) to fully analyse your accident".
To resume, this is just another crap I will erase from my HD right
after this essay.
This program requires the DK2 DESkey dongle driver (dk2wn95.386
for Win95) not available with the downloaded program (you can download
it here: Bdk2wn32.exe 720Kb -: ). If its installation failed, you can do it manually as per follows:
Open 'system.ini'.Find the section of system.ini which is headed
[386Enh]. Insert the following line into this section:
device=C:\AIDAMGE\DK2WN95.386
If you changed the installation directory from C:\AIDAMAGE, you
should adjust the path in the above line accordingly.
A quick look at AiDamage doc gives us some infos about the protection:
On the first time of starting, you will be requested to enter
a code. This code is needed before the dongle can be activated.
To obtain the code contact Ai Training Services on 01452 862798 and ask
for a code. You will also need to advise the operator of the number
quoted in the box. (Marked User code:)
Type in the code supplied EXACTLY as given. Press 'OK'
and the dongle will be activated and Ai Damage will start. To activate
the dongle contact AiTS with the code displayed on the Enable Dongle dialog.
You will be given a return code which you should enter, exactly as quoted.
Once entered press ‘OK’ and Ai Damage will start properly. If you fail
to enter the code as given, Ai Damage will not function.
You should not need to enter any other codes until the dongle
is automatically de-activated at the expiry of your licence. Ai Damage
will function for three months following the expiry of the licence.
Any attempt beyond this date to start the program will fail., with the
display of this dialog.
If you try and remove the dongle whilst Ai Damage is running,
then Ai Damage will detect this and close down. You may not have
any opportunity to save your data once the dongle has been removed.
Replacing the dongle will have no effect. You must re-start Ai Damage
and re-enter any of the lost data.
On the expiry of the annual licence, the dongle will detect
this condition and cause Ai Damage to display this dialog box. You
need to follow the instructions on screen, and your dongle will be activated
for further use.
As you can see, if you are working with AiDamage and then, by mistake,
remove or disconnect the dongle, ALL your work will be lost! Nice people...
That's not all:
Ai Damage will run under Windows NT. However it has not
been tested fully under NT and support with configuration of NT is not
provided as part of your licence agreement.
And finally:
It has been noticed that with some hardware / printer configurations
the presence of the dongle can cause corruption of the output to the printer.
What an encouragement to buy this soft!!
So, let's crack it "black & blue" ; this will solve some of those troubleshootings.
Run the program and you get the message box:
DONGLE ERROR - Cannot find a valid dongle
Disasm the main exe file (aidamage.exe 341Kb)with W32dasm85.
I simple search through the String Datas References will give us
all we need:
:0041257C FF1544EE4200 MSVCRT40._mbscmp
:00412582 83C408
add esp, 00000008
:00412585 85C0
test eax, eax
; Is_Driver_Loaded?
:00412587 7425
je 004125AE
; Jump if OK
:00412589 8B4DF0
mov ecx, dword ptr [ebp-10]
:0041258C E8DF0E0000 call 00413470
; "Dongle driver not loaded"
:00412591 85C0
test eax, eax
:00412593 0F8487FEFFFF je 00412420
:00412599 8B4DF0
mov ecx, dword ptr [ebp-10]
:0041259C E8FF100000 call 004136A0
; "Unable to read license info"
:004125A1 85C0
test eax, eax
:004125A3 0F85C9000000 jne 00412672
:004125A9 E972FEFFFF jmp 00412420
; Exit
:004125AE 6A00
push 00000000
:004125B0 8D8D3CFFFFFF lea ecx, dword ptr [ebp+FFFFFF3C]
:004125B6 E8A5030100 call 00422960
:004125BB C745FC04000000 mov [ebp-04], 00000004
:004125C2 8D8D3CFFFFFF lea ecx, dword ptr [ebp+FFFFFF3C]
:004125C8 E809080100 MFC40.MFC40:NoName0113
; Message Box:"Please Enter your password"
:004125CD 83F801
cmp eax, 00000001
; "OK" pressed?
:004125D0 0F85AD040000 jne 00412A83
; if not=>Exit
:004125D6 682CC24200 push 0042C22C
:004125DB 8D4DE4
lea ecx, dword ptr [ebp-1C] ; Store our password
:004125DE E833070100 MFC40.MFC40:NoName0081
; Calculate correct password
:004125E3 C645FC05 mov
[ebp-04], 05
:004125E7 8B459C
mov eax, dword ptr [ebp-64] ; Store correct password
in eax
:004125EA 8B4DE4
mov ecx, dword ptr [ebp-1C] ; Store our password
in ecx
:004125ED 50
push eax
:004125EE 51
push ecx
:004125EF FF1544EE4200 MSVCRT40._mbscmp
; Compare both
:004125F5 83C408
add esp, 00000008
:004125F8 85C0
test eax, eax
; Is_Password_OK?
:004125FA 7428
je 00412624
; Yes, jump and go ahead...
:004125FC 6A00
push 00000000
; otherwise...
:004125FE 6A30
push 00000030
...
:00412600 6800C24200 push 0042C200
:0041261F E9FCFDFFFF jmp 00412420
; "Password incorrect, closing down"
A lot of interesting things are going on here.
I tried to nicely reververse engineer this routine but the program acted
so strangely that I prefer to use a brute force approach.
What we are going to do is:
-force the program to recognize the dongle
driver (even if it is not loaded)
-Get rid of the "Enter your password" message
box.
-Make it believe we typed a password and
pressed "OK"
-Feed it with the right password
-Force it to accept it
Changed offset are shown in red:
:0041257C FF1544EE4200 MSVCRT40._mbscmp
:00412582 83C408
add esp, 00000008
:00412585 33C0
xor eax, eax
; Driver_Always_Loaded
:00412587 7425
je 004125AE
; Jump
:00412589 8B4DF0
mov ecx, dword ptr [ebp-10]
:0041258C E8DF0E0000 call 00413470
:00412591 85C0
test eax, eax
:00412593 0F8487FEFFFF je 00412420
:00412599 8B4DF0
mov ecx, dword ptr [ebp-10]
:0041259C E8FF100000 call 004136A0
:004125A1 85C0
test eax, eax
:004125A3 0F85C9000000 jne 00412672
:004125A9 E972FEFFFF jmp 00412420
:004125AE 6A00
push 00000000
:004125B0 8D8D3CFFFFFF lea ecx, dword ptr [ebp+FFFFFF3C]
:004125B6 E8A5030100 call 00422960
:004125BB C745FC04000000 mov [ebp-04], 00000004
:004125C2 8D8D3CFFFFFF lea ecx, dword ptr [ebp+FFFFFF3C]
:004125C8 B801000000
mov eax,000000001
; No more Message Box
:004125CD 83F801
cmp eax, 00000001
; "OK" pressed
:004125D0 0F85AD040000 jne 00412A83
:004125D6 682CC24200 push 0042C22C
:004125DB 8D4DE4
lea ecx, dword ptr [ebp-1C] ; Store our password
:004125DE E833070100 MFC40.MFC40:NoName0081
; Calculate correct password
:004125E3 C645FC05 mov
[ebp-04], 05
:004125E7 8B459C
mov eax, dword ptr [ebp-64] ; Store correct password
in eax
:004125EA 8B4D9C
mov ecx, dword ptr [ebp-64] ; Store correct password
in ecx
:004125ED 50
push eax
:004125EE 51
push ecx
:004125EF FF1544EE4200 MSVCRT40._mbscmp
; Compare both
:004125F5 83C408
add esp, 00000008
:004125F8 85C0
test eax, eax
; Password_ALWAYS_OK
:004125FA 7428
je 00412624
; jump and go ahead.
:004125FC 6A00
push 00000000
; Will never reach this part.
:004125FE 6A30
push 00000030
...
:00412600 6800C24200 push 0042C200
:0041261F E9FCFDFFFF jmp 00412420
There are still few enhancements to do because
running the program with these changes will give you the following message:
"This dongle does not support AIDamage"
Back to W32dasm85 we quickly find the problem:
:0041293A FF1544EE4200 MSVCRT40._mbscmp
:00412940 83C408
add esp, 00000008
:00412943 85C0
test eax, eax
; Is_Dongle_OK?
:00412945 7420
je 00412967
; Yes, jump otherwise...
:00412947 8B4DF0
mov ecx, dword ptr [ebp-10]
:0041294A E8F10B0000
call 00413540
; "This dongle doesn't support..."
We notice that the program is always checking if the dongle is still present:
:0041450A FF1544EE4200 MSVCRT40._mbscmp
:00414510 83C408
add esp, 00000008
:00414513 85C0
test eax, eax
; Is_Dongle_Still_Connected?
:00414515 7511
jne 00414528
:00414517 33C0
xor eax, eax
; Good_Guy
:00414519 8B4DF4
mov ecx, dword ptr [ebp-0C]
:0041451C 64890D00000000 mov dword
ptr fs:[00000000], ecx
:00414523 5E
pop esi
:00414524 8BE5
mov esp, ebp
:00414526 5D
pop ebp
:00414527 C3
ret
:00414528 685CC64200
push 0042C65C
; "Dongle is no longer connected"
For those 2 checks, you just have to patch
both test eax,eax.
Finally, I deeper look at the ASM listing and you'll find some other error messages:
"Your dongle has not been updated"
x-refs:
:00413C77
:00413F47
:00413FF0
"Invalid enable code, closing down"
x-refs:
:00413BFC
:00413C05
"Your licence has expired."
X-Ref:
:00413966
I didn't patch those occurences as the program
worked well. I put some BPX at those offsets but SoftICE never broke (even
when changing the OS date). So I just assume the program may check inside
the dongle to see if the license has expired or not but since we forced
it to accept the dongle we may not need to patch them.
Anyway, now you won't loose any data if you
have a dongle connected or not and you can print safely!
Note: you can remove the DK2 DESkey driver, it is not needed any
more.
During its installation, this Visual Basic 3 soft added a key.dll
(18Kb) file to the windows/system directory.
Though we could use Dodi's VB discompiler to disasm the main executable
(ecprog.exe 231Kb) and find all references to the dongle through
the source code, a live approach will be enough to get rid of the protection.
Running the program will display a Nagscreen:
"The software key was not detected! The software will run in
demonstration mode only"
With SoftICE:
BPIO -H 378
Run ecprog.exe and SoftICE pops. We are inside Make.dll,
an Exported function from Key.dll.
Press <F12> 3 times, and you can't miss the dongle protection:
.000105C8: E88EFE call .000010459
; Check I/O
.000105CB: 08C0 or
al,al
; Is_Dongle_OK?
.000105CD: 7506 jne
.0000105D5
.000105CF: C646FF00 mov b,[bp][-0001],000
; Bad_Guy_Flag
.000105D3: EB04 jmps
.0000105D9
.000105D5: C646FF01 mov b,[bp][-0001],001
; Good_Guy_Flag
.000105D9: 8A46FF mov
al,[bp][-0001] ; Store Flag
in AL
.000105DC: C9
leave
.000105DD: CA0C00 retf
0000C
; Back to caller
This routine is very important:
You'll find it in most stupid dongle programs you'll have to crack,
so get familiar with it!
.0001004B: 9AFFFF0000 call 001:004EE
; Call the above routine
.00010050: 08C0 or
al,al
; Good_Guy_flag set?
.00010052: 7407 je
.00001005B
.00010054: C746FC0100 mov w,[bp][-0004],00001
; Full_Program_Flag
.00010059: EB05 jmps
.000010060
.0001005B: 31C0 xor
ax,ax
; Demo_Program_Flag
.0001005D: 8946FC mov
[bp][-0004],ax ; Bad_Guy
=> Xor AX
.00010060: 8B46FC mov
ax,[bp][-0004] ; Good_Guy=>
AX=0x01
.00010063: 5F
pop di
.00010064: 5E
pop si
.00010065: 8D66FE lea
sp,[bp][-0002]
.00010068: 1F
pop ds
.00010069: 5D
pop bp
.0001006A: 4D
dec bp
.0001006B: CB
retf
If you disasm the DLL, you'll see that there is only 1 x-ref for
both routine: the program just checks for the dongle at the very beginning
but will not during its execution (but it will check the Full_Program/Demo_Program
flag).
You can patch the conditional jump at 00010052 or the first routine....
there are plenty of ways to do so.
That's all for this dongle.
IPLab v1.7
-Description:
Scientific image analysis program.
-OS:
Win95/NT4
-Protection:
Dongle (parallel ). Driver: Sentinel.vxd.
-Misc.:
Does NOT run if no dongle detected + SetUp password protected.
The Setup will prompt you for a password. Let's crack it:
BPX DialogBoxParam
Type in any password + <Enter>.
SoftICE pops:
<F11>
You'll get the "Incorrect Password" message. Press <OK>.
<F12>
Now just look at the end of the routine:
xxxx:4494 B80100 mov ax,0001 ;
SetUP cancelled
xxxx:4497 EB02 jmp 449B
xxxx:4499 33C0 xor ax,ax
; Install program
xxxx:449B 5E pop si
xxxx:449C 5F pop di
xxxx:449D C9 leave
xxxx:449E CB ret
Just patch the mov ax,0001 so that the Setup will think you have typed the right password.
The program will be installed in the c:\IPLabDir directory (you
can't choose another destination directory).
Running the main exe file IPLab.exe (1.22 Mb) will display:
"KEY NOT FOUND"
WDasm it and here is what we find:
:0040D626 E815630200
call 00433940
; Check_If_Dongle_OK
:0040D62B 85C0
test eax, eax
:0040D62D 7516
jne 0040D645
; Good_Guy
:0040D62F 56
push esi
:0040D630 56
push esi
:0040D631 68A8C64B00
push 004BC6A8
; "Key not found" + Exit
:0040D636 E8A5E50400
MFC40.MFC40:NoName0029
:0040D63B C7837C02000002000000 mov dword ptr
[ebx+0000027C], 2
:0040D645 8D4DC0
lea ecx, dword ptr [ebp-40]
Just make it always jump.
When running, the program will check is the key is still plugged in:
* Referenced by a CALL at Addresses :0043379C, :0043BCD1, :0043BD23,
:0043BD75, :0043BDC3, :0044CF15
:00433AB0 6A00
push 00000000
:00433AB2 6A00
push 00000000
:00433AB4 6894E14B00
push 004BE194
; "Key Missing"
It is called by 6 different routines. Here is just the first one of them (they all use the same following piece of code):
:00433787 E894830000
call 0043BB20
; Check // port
:0043378C 85C0
test eax, eax
; Is_Dongle_OK?
:0043378E 740C
je 0043379C
; Bad_Guy_Jump
:00433790 99
cdq
:00433791 B907000000
mov ecx, 00000007
:00433796 F7F9
idiv ecx
:00433798 85D2
test edx, edx
:0043379A 7425
je 004337C1
; Good_Guy jump
* Referenced by (C)onditional Jump :0043378E
:0043379C E80F030000
call 00433AB0
; "Key Missing" + Exit
:004337A1 6A00
push 00000000
:004337A3 6A01
push 00000001
This routine check the parallel port by calling offset :0043BB20. The 5 other similar ones call 4 different routines:
1) 0043BB20
2) 0043BC20
3) 0043BB60
4) 0043BBB0
Now let's see those 4 routines that call the Sentinel driver:
1)
:0043BB20 A1B4094C00
mov eax, dword ptr [004C09B4]
:0043BB25 0FBF00
movsx eax, word ptr [eax]
:0043BB28 99
cdq
:0043BB29 33C2
xor eax, edx
:0043BB2B 2BC2
sub eax, edx
:0043BB2D 8B15BC094C00
mov edx, dword ptr [004C09BC]
:0043BB33 8BC8
mov ecx, eax
:0043BB35 0FBF02
movsx eax, word ptr [edx]
:0043BB38 99
cdq
:0043BB39 33C2
xor eax, edx
:0043BB3B 2BCA
sub ecx, edx
:0043BB3D 03C8
add ecx, eax
:0043BB3F 7512
jne 0043BB53
; Make it always jump 43BB41
:0043BB41 FF1580794C00
MSVCRT40.rand
; Good_Guy
:0043BB47 8D0CC500000000
lea ecx, dword ptr [8*eax+00000000]
:0043BB4E 2BC8
sub ecx, eax
:0043BB50 8BC1
mov eax, ecx
:0043BB52 C3
ret
* Referenced by a jump:0043BB3F(C)
:0043BB53 33C9
xor ecx, ecx
; Bad_Guy
:0043BB55 8BC1
mov eax, ecx
:0043BB57 C3
ret
2)
:0043BC20 53
push ebx
:0043BC21 56
push esi
:0043BC22 668B5C240C
mov bx, word ptr [esp+0C]
:0043BC27 57
push edi
:0043BC28 33FF
xor edi, edi
...
:0043BC54 85FF
test edi, edi
:0043BC56 750E
jne 0043BC66
; Make it always jump 43BC58
:0043BC58 FFD6
call esi
; Good_Guy
:0043BC5A 40
inc eax
:0043BC5B 5F
pop edi
:0043BC5C 8BC8
mov ecx, eax
:0043BC5E 5E
pop esi
:0043BC5F C1E003
shl eax, 03
:0043BC62 5B
pop ebx
:0043BC63 2BC1
sub eax, ecx
:0043BC65 C3
ret
* Referenced by a (C)onditional Jump :0043BC56
:0043BC66 33C0
xor eax, eax
; Bad_Guy
:0043BC68 5F
pop edi
:0043BC69 5E
pop esi
:0043BC6A 5B
pop ebx
:0043BC6B C3
ret
3)
:0043BB60 A1B8094C00
mov eax, dword ptr [004C09B8]
:0043BB65 0FBF00
movsx eax, word ptr [eax]
...
:0043BB7F A1B0094C00
mov eax, dword ptr [004C09B0]
:0043BB84 0FBF00
movsx eax, word ptr [eax]
:0043BB87 99
cdq
:0043BB88 33C2
xor eax, edx
:0043BB8A 2BCA
sub ecx, edx
:0043BB8C 03C8
add ecx, eax
:0043BB8E 7512
jne 0043BBA2
; Make it always jump 43BB90
:0043BB90 FF1580794C00
MSVCRT40.rand
; Good_Guy
:0043BB96 8D0CC500000000
lea ecx, dword ptr [8*eax+00000000]
:0043BB9D 2BC8
sub ecx, eax
:0043BB9F 8BC1
mov eax, ecx
:0043BBA1 C3
ret
* Referenced by a (C)onditional Jump :0043BB8E(C)
:0043BBA2 33C9
xor ecx, ecx
; Bad_Guy
:0043BBA4 8BC1
mov eax, ecx
:0043BBA6 C3
ret
4)
:0043BBB0 A1B4094C00
mov eax, dword ptr [004C09B4]
:0043BBB5 0FBF00
movsx eax, word ptr [eax]
:0043BBB8 99
cdq
...
:0043BBF6 33C2
xor eax, edx
:0043BBF8 2BCA
sub ecx, edx
:0043BBFA 03C8
add ecx, eax
:0043BBFC 7512
jne 0043BC10
; Make it always jump 43BBFE
:0043BBFE FF1580794C00
MSVCRT40.rand
; Good_Guy
:0043BC04 8D0CC500000000
lea ecx, dword ptr [8*eax+00000000]
:0043BC0B 2BC8
sub ecx, eax
:0043BC0D 8BC1
mov eax, ecx
:0043BC0F C3
ret
* Referenced by a (C)onditional Jump :0043BBFC(C)
:0043BC10 33C9
xor ecx, ecx
; Bad_Guy
:0043BC12 8BC1
mov eax, ecx
:0043BC14 C3
ret
That was just another stupid protection which didn't need any dongle. A simple 'password protected' program or a good .Reg/.Key file would have done the same (and would have save money to those programers -:).
DigiSHOW.vld v1.7
-Description:
Virtual Laser Disk program.
-OS:
Win95
-Protection:
Dongle (parallel ). Driver: DK47wn32.dll
-Misc.:
Does NOT run if no dongle detected.
Disasm the main exe (vld.exe 145Kb).
There're no words to describe the following; just read it and
forget it.
:00405E4F E8ECD7FFFF call 00403640
; Get_That_stupid_dongle_driver
:00405E54 83F801 cmp
eax, 00000001
; Is_Dongle_OK?
:00405E57 0F8515010000 jne 00405F72
; Jump if not
:00405E5D 8B44243C mov eax, dword
ptr [esp+3C]
:00405E61 8B4C2430 mov ecx, dword
ptr [esp+30]
...
* Referenced by a (C)onditional Jump :00405E57(C)
:00405F72 6A00
push 00000000
; "The DigiSHOW.vld key
:00405F79 68F8824100 push 004182F8
; has not been found"
And now, ladies and gentlemen, THE CALL :
* Referenced by a (C)onditional Jump :00405E57
:00403640 81EC08080000 sub esp, 00000808
:00403646 56
push esi
:00403647 33F6
xor esi, esi
:00403649 E8C4490000 DK47wn32.DK47DriverInstalled
; No comments
:0040364E 83F801 cmp
eax, 00000001
:00403651 7549
jne 0040369C
:00403653 E8B4490000 DK47wn32.FindDK47
; No comments
:00403658 83F801 cmp
eax, 00000001
:0040365B 753F
jne 0040369C
:0040365D 8D442404 lea eax, dword
ptr [esp+04]
:00403661 6806080000 push 00000806
:00403666 50
push eax
:00403667 6A3B
push 0000003B
:00403669 6A06
push 00000006
:0040366B 6A1E
push 0000001E
:0040366D E894490000 DK47wn32.DK47ReadRandomNumbers
; No comments
:00403672 B847040000 mov eax, 00000447
:00403677 33C9
xor ecx, ecx
:00403679 8A4C0404 mov cl, byte ptr
[esp+eax+04]
:0040367D 03F1
add esi, ecx
:0040367F 40
inc eax
:00403680 3D06080000 cmp eax, 00000806
:00403685 7CF0
jl 00403677
:00403687 81FECAFE0100 cmp esi, 0001FECA
:0040368D 750D
jne 0040369C
:0040368F B801000000 mov eax, 00000001
; Guess?
:00403694 5E
pop esi
:00403695 81C408080000 add esp, 00000808
:0040369B C3
ret
* Referenced by a (C)onditional Jump :00403651, :0040365B, :0040368D
:0040369C 33C0
xor eax, eax
; Guess here too?
:0040369E 5E
pop esi
:0040369F 81C408080000 add esp, 00000808
:004036A5 C3
ret
Everything is here. I would insult you if I explained how to crack
this crap, so I will not.
The Help/About menu displays:
DESIN & CODING:
Chris Fulton
GRAPHICS:
Chris Fulton
MANUAL:
Chris Fulton
Sorry, Chris, but you're an asshole: keep working on the Manual,
but for God's sake, just forget the Coding!
Axon Engineer Pro v2.11e
-Description:
Neurocellular modeling tool.
-OS:
DOS/Win3.xx/Win95
-Protection:
Dongle (parallel ). Driver: Sentinel.vxd.
-Misc.:
The DOS .exe file Does NOT run if no dongle detected. InstallShield
password protected.
Crackers are very serious peoples, look: we are going to crack a dongle protected cellular electrochemical dynamics simulator! Nice isn't it? But don't worry, as usual the program is far more complicated to understand than its dongle protection is.
Before downloading it, I read at Axon's home page the following:
"If you are not currently a licensed user of Axon Engineer,
the downloads below will be of no use to you since they require the presence
of a hardware key ('dongle') to run.
If you are a licensed user of Axon Engineer Pro, you will need
a password to run the setup program for the upgrade."
The setup (that stupid InstallShield Wizard) is protected with a password. A simple BPX Lstrcmp will show you that you should better type 'opengate1' if you ever want to have the opportunity to install this soft.
There are 2 .exe files:
- aewin.exe (375Kb) for Window$
- eapro.exe (400Kb) for DOS.
Strangely, the Windows' file doesn't seem to require any dongle
(or did I miss something??) but the DOS'one does. That's just because it
is much more sophisticated than aewin.exe which doesn't appear to
be able to create new file.
Let's work on the DOS app. For this I would prefer to use Sourcer
7.0 but since +IDA Pro is an official +HCU tool we will use it for this
crack.
Running eapro.exe will display the following message (and
nearly crash your computer, BTW -:):
'Hardware Key Violation'
Open it with IDA Pro and search for the string "key":
ALT-B type=> "key"
IDA send you there:
dseg:019E aHardwareKeyVio db 'Hardware Key Violation',0 ; DATA XREF:
sub_0_0+1347
Just click on the XREF:
000:1346 loc_0_1346:
; CODE XREF: sub_0_0+35B
000:1346
push ds
000:1347
push offset aHardwareKeyVio
000:134A
push 0FFFFh
000:134C
call sub_D49_2
000:1351
add sp, 6
000:1354
jmp short loc_0_13A0
As there is only 1 XREF, click on it again and you'll get what you were looking for:
000:034C
push ds
000:034D
push offset aAxonEngineer
000:0350
call sub_DED_28A
; Check_Dongle
000:0355
add sp, 4
000:0358
cmp ax, 2231h
; Is_Dongle_OK?
000:035B
jnz loc_0_1346
; Bad_Guy_jump
000:035F
imul bx, [bp+var_10], 46h
Here again, there's no need to tell you how to crack it.
FTI/DOE v2.3.1.4
-Description:
Tools for performing the process of dynamic energy analysis.
-OS:
DOS/Win3.xx/Win95/NeXTStep/VMS and most Unix systems.
-Protection:
Dongle (parallel ). Driver: none.
-Misc.:
The 2 main DOS .exe files do NOT run if no dongle detected
For infos, here is the more complete description of this soft:
'This software enables architects and engineers to perform a
comprehensive analysis of dynamic heating and cooling loads, simulation
of heating and cooling distribution systems, modeling of equipment supplying
the required energy and calculation of the life-cycle costs of owning and
operating energy systems for buildings. The program can simulate hour-by-hour
performance for buildings ranging in size from a small one-room residence
to a large multi-storied structure for each of the 8760 hours in a year.
FTI/DOE is based on the work conducted by the Simulation Research
Group at Lawrence Berkeley Laboratories (LBL).'
I really have no use of this soft, but as this DOS app was written in Fortran and as I like this language, I downloaded it. If you never saw the source code of a file in Fortran, you can go to FTI/DOE site and download the source of one of the .exe of this program (the 'weather processor' file - wth.exe) and you'll see how beautiful it looks!
The 2 main softs (ble.exe 1Mb and sim.exe 1.57Mb) are dongle protected (own routines linked inside both programs) and will display the following message:
'Invalid Hardware Key or Key Error
Check the key for proper installation
...Exiting!!!'
We will only have a look at ble.exe as both program use exactly the same protection scheme.
BPIO -h 378 with SoftICE and run it. SoftICE pops, then <P RET> 2 times and here we go:
0002B285: E873EBFFFF
call 000029DFD ;
get dongle RetCode in ax
0002B28A: 8BE5
mov esp,ebp
0002B28C: 25F0FFFFFF
and eax,0FFFFFFF0
0002B291: 663B0500560800
cmp ax,[000085600] ;
compare to correct RetCode (0x8010)
0002B298: 6693
xchg bx,ax
0002B29A: 0F8502000000
jne 00002B2A2
; Bad_Guy jump
0002B2A0: 33C0
xor eax,eax
; Clear ax for Good_Guy
0002B2A2: 5A
pop edx
0002B2A3: 59
pop ecx
0002B2A4: 5B
pop ebx
0002B2A5: C3
retn
A couple of <P RET> later we have:
00032393: E88DB30300
call 00006D725
; the caller
00032398: 83C40C
add esp,00C
0003239B: F705E41C090001000000 test d,[000091CE4],000000001
000323A5: 753E
jne 0000323E5
; make it always jump
Again I just can't believe it: those guys wrote a sophisticated
soft, powerful and reliable with a complicated language (Fortran) but were
just unable to write a good protection scheme!
If you run it now, you'll get:
'Fortran runtime error on external file "C:\xxxxxx\xxxxxx\xxxxxx\input2.tmp"
(1046):
Attempt to open non-existing file with STATUS = OLD'
This error message is just due to the fact that the soft doesn't
run without command line arguments (see the batch files in the Script
directory if you plan to use this soft).
S-Tagger for FrameMaker v2.0
-Description:
Tools for extracting text from MIF files created with Adobe FrameMaker
5.xx.
-OS:
Win95/NT3.51 (with Service Pack 2 or later installed)/NT 4.0 and Windows
3.x (with Win32s).
-Protection:
Dongle (parallel ). Driver: ACTIVATOR & UniKey (SSIACT.386
for Win95/3.xx and SSIPDDP.SYS for WinNT).
-Misc.:
Run in DEMO mode if NO dongle detected (see below).
If no dongle is connected, the program will run in demo mode with
the following limitations:
'The demonstration version is a full working version of The
S-Tagger for FrameMaker, with the limitation that only files of a particular
size, up to 180KB for MIF files and 30KB for STF/RTF files, can be processed.'
Running it will display a message box:
'While no dongle is connected to the parallel port, the program
only runs in Demo mode.'
Disasm the main file (staggerf.exe 650Kb) :
We can quickly find the 'While no dongle...' string data ref:
:004047B6 6A01
push 00000001
:004047B8 E8A3F6FFFF
call 00403E60
; Check Dongle
:004047BD 85C0
test eax, eax
:004047BF 7544
jne 00404805
; Good_Guy jump
:004047C1 6A01
push 00000001
:004047C3 8D4DC8
lea ecx, dword ptr [ebp-38]
:004047C6 6A05
push 00000005
:004047C8 E893F6FFFF
call 00403E60
; Check Dongle
:004047CD 85C0
test eax, eax
:004047CF 7534
jne 00404805
; Good_Guy jump
:004047D1 8D4DE4
lea ecx, dword ptr [ebp-1C]
:004047D4 E8237B0400
call 0044C2FC
:004047D9 68BE000000
push 000000BE
; 'While no dongle is connected...'
The program check the dongle by calling twice the routine located at offset :00403E60. I don't know a lot about the Activator dongle, but it seems to be similar with the Hasp dongle as, each time it calls this routine, we can see the parameter pushed on the stack push 1, push 5 that could be 'check_if_dongle_present' and 'type of dongle' but I am not sure.
When running, S-Tagger displays the About thumbnail where
we can read:
'The S-Tagger 2.0 for FrameMaker is running in Demo mode'
Searching again in the String data refs, we find 2 locations but
only one is interesting:
:0042F9FE 687A170000
push 0000177A ; '%s is running
in'
...
...
:0042FA42 6A01
push 00000001
:0042FA44 E81744FDFF
call 00403E60
:0042FA49 85C0
test eax, eax
:0042FA4B 7436
je 0042FA83
:0042FA4D 6898170000
push 00001798 ; 'comprehensive
mode.'
...
...
:0042FAC7 EB21
jmp 0042FAEA
* Referenced by a Jump at Address:0042FA91(C)
:0042FAC9 688E170000
push 0000178E ; 'demo mode.'
Again, it calls the same routine (:00403E60). We can see that it
will run either in 'demo mode' or in 'comprehensive mode'.
Let's have a look at this routine:
* Referenced by a CALL at Addresses:004047B8, :004047C8, :0040756D, :0040757D, :00417EF8, :00417F08, :00417F9B, :00417FAB, :0042E6AD, :0042FA44, :0042FA8A
:00403E60 807C240474 cmp byte ptr [esp+04], 74
; check last 'push xxxxxxxx'
:00403E65 53
push ebx
:00403E66 56
push esi
:00403E67 8BF1
mov esi, ecx
:00403E69 733F
jnb 00403EAA
; jnb Bad_Guy#2 **Change to jmp 00403E89**
:00403E6B 8A5C2410 mov bl, byte ptr [esp+10]
:00403E6F 80FB01 cmp bl, 01
:00403E72 7236
jb 00403EAA
; jb Bad_Guy~2
:00403E74 80FB08 cmp bl, 08
:00403E77 7731
ja 00403EAA
; ja Bad_Guy#2
:00403E79 E882000000 call 00403F00
:00403E7E 85C0
test eax, eax
:00403E80 7507
jne 00403E89
; jne Good_Guy
:00403E82 33C0
xor eax, eax
; Bad_Guy#1
:00403E84 5E
pop esi
:00403E85 5B
pop ebx
:00403E86 C20800 ret 0008
* Referenced by a Jump at Address:00403E80(C)
:00403E89 8B44240C mov eax, dword ptr [esp+0C]
:00403E8D 8BCE
mov ecx, esi
:00403E8F 50
push eax
:00403E90 E88BFFFFFF call 00403E20
:00403E95 B201
mov dl, 01
:00403E97 8D4BFF lea ecx, dword
ptr [ebx-01]
:00403E9A D2E2
shl dl, cl
:00403E9C 22D0
and dl, al
:00403E9E 5E
pop esi
:00403E9F 5B
pop ebx
:00403EA0 80FA01 cmp dl, 01
:00403EA3 1BC0
sbb eax, eax
; eax= -1
:00403EA5 F7D8
neg eax
; set Good_Guy flag
:00403EA7 C20800 ret 0008
* Referenced by a Jump at Addresses:00403E69(C), :00403E72(C), :00403E77(C)
:00403EAA 33C0
xor eax, eax
; Bad_Guy#2
:00403EAC 5E
pop esi
:00403EAD 5B
pop ebx
:00403EAE C20800 ret 0008
Obviously, patching the jnb Bad_Guy#2 is enough to a have
a full working version ('comprehensive mode').
There are two calls to offsets :00403F00 and :00403E20. Here is
the code for the first one:
:00403F00 83EC04 sub esp, 00000004
:00403F03 8D442402 lea eax, dword ptr [esp+02]
:00403F07 50
push eax
:00403F08 E8B3FFFFFF call 00403EC0
:00403F0D 85C0
test eax, eax
:00403F0F 752B
jne 00403F3C
:00403F11 6A3A
push 0000003A
* Reference To: W32SSI.wSSIMemR, Ord:0015h
:00403F13 E8A8410300 Call 004380C0
:00403F18 3D6E610000 cmp eax, 0000616E
:00403F1D 7517
jne 00403F36
:00403F1F 6A3B
push 0000003B
* Reference To: W32SSI.wSSIMemR, Ord:0015h
:00403F21 E89A410300 Call 004380C0
:00403F26 3D00210000 cmp eax, 00002100
:00403F2B 7509
jne 00403F36
:00403F2D B801000000 mov eax, 00000001
:00403F32 83C404 add esp, 00000004
:00403F35 C3
ret
* Referenced by a Jump at Addresses:00403F1D(C), :00403F2B(C)
:00403F36 33C0
xor eax, eax
; Bad_Guy
:00403F38 83C404 add esp, 00000004
:00403F3B C3
ret
* Referenced by a Jump at Address:00403F0F(C)
:00403F3C B801000000 mov eax, 00000001
:00403F41 83C404 add esp, 00000004
:00403F44 C3
ret
Nothing to explain here, everything is clear again: W32ssi.dll
is the DLL that will check for your dongle by calling its driver.
I was just wondering if this 'comprehensive mode' was the full
version, so I created a 300Kb MIF file with FrameMaker 5.5 and converted
it with S-Tagger without any problem and the program works well.
XinTianMa C
-Description:
CJK (Chinese-Japanese-Korean) language software for word processing
and viewing of CJK encoded web pages for E-Windows 95/3.1, C-Windows (Traditional
& Simplified), J-Windows and DOS.
-OS:
Win95/Win3.xx/DOS.
-Protection:
Dongle (parallel ). Driver: unknown (internal).
-Misc.:
Does NOT run if no dongle detected.
If you ever get connected to XinTianMa's site, you'll be surprised
to read on top of each page:
'This page generated by an evaluation copy of the Microsoft
Merchant Server.'
Ohhh, Naughty boys...
This DOS tool doesn't use any external dongle driver, but its own
one linked inside the main .exe : xtmg.exe 413Kb. Only this file
is protected.
Running it will display the following message: 'error : XTMG
requires dongle.'
Bpio -h 378 and SoftICE pops here:
00018939: 42
inc dx
0001893A: 42
inc dx
0001893B: EC
in al,dx
0001893C: 8AE0
mov ah,al
0001893E: 0C04
or al,004
00018940: 24BF
and al,0BF
00018942: EE
out dx,al
00018943: 51
push cx
00018944: 8B0E7822 mov
cx,[02278]
00018948: E2FE
loop 000018948
0001894A: 59
pop cx
0001894B: 4A
dec dx
0001894C: 4A
dec dx
0001894D: B0FF
mov al,0FF
0001894F: EE
out dx,al
........
There's another similar one located elsewhere in the program. Both
routines are called alternatively. The reason is that the program will
search for 2 different RetCodes.
3 pret later, we land in the middle of this routine:
00018611: 55
push bp
00018612: 8BEC
mov bp,sp
00018614: 57
push di
00018615: 56
push si
00018616: 8B7E06 mov
di,[bp][00006]
00018619: C706F040C96E mov w,[040F0],06EC9
; Store correct RetCode#1 in [40F0]
0001861F: C706F2404B3F mov w,[040F2],03F4B
; Store correct RetCode#2 in [40F2]
00018625: 0BFF
or di,di
; Is it the first time we get here?
00018627: 7512
jne 00001863B
00018629: 6A29
push 029
0001862B: FF363C22 push
w,[0223C]
0001862F: FF363A22 push
w,[0223A]
00018633: 9A1E001725 call 02517:0001E
00018638: 83C406 add
sp,006
0001863B: 2BF6
sub si,si
0001863D: 3BF7
cmp si,di
; Have both RetCodes been checked and OKayed?
0001863F: 7327
jae 000018668
; jmp to Good_Guy
00018641: 1E
push ds
00018642: 683E22 push
0223E
; Prepare welcome message...
00018645: 0E
push cs
00018646: E8A7FF call
0000185F0 ;
Check // port for dongle
00018649: 5B
pop bx
0001864A: 5B
pop bx
0001864B: 3B06F040 cmp
ax,[040F0] ;
Check if RetCode#1 OK
0001864F: 7513
jne 000018664
; If not, jump and try again
00018651: 1E
push ds
00018652: 685722 push
02257
; Prepare copyright message...
00018655: 0E
push cs
00018656: E897FF call
0000185F0 ;
Check // port for dongle
00018659: 5B
pop bx
0001865A: 5B
pop bx
0001865B: 3B06F240 cmp
ax,[040F2] ;
Check if RetCode#2 OK
0001865F: 7503
jne 000018664
; If not, jump and try again
00018661: 46
inc si
; inc Check_Dongle counter
00018662: EBD9
jmps 00001863D ;
jmp back
00018664: 2BC0
sub ax,ax
; Bad_Guy (clear ax)
00018666: EB03
jmps 00001866B
00018668: B80100 mov
ax,00001 ;
Set Good_Guy flag
0001866B: 5E
pop si
0001866C: 5F
pop di
0001866D: C9
leave
0001866E: CB
retf
; Back to caller
0001866F: 55
push bp
00018670: 8BEC
mov bp,sp
00018672: 56
push si
00018673: BE0100 mov
si,00001
00018676: 83FE04 cmp
si,004
; Check_Dongle counter =<4 ?
00018679: 7720
ja 00001869B
; jmp to Bag_Guy if >=5
0001867B: 56
push si
0001867C: 9A1B003215 call 01532:0001B -
00018681: 5B
pop bx
00018682: 0BC0
or ax,ax
00018684: 740C
je 000018692 -
00018686: FF7606 push
w,[bp][00006]
00018689: 0E
push cs
0001868A: E884FF call
000018611 ;
Call previous routine
0001868D: 5B
pop bx
0001868E: 0BC0
or ax,ax
; Is it OK?
00018690: 7503
jne 000018695
; jmp Good_Guy
00018692: 46
inc si
; inc Check_Dongle counter
00018693: EBE1
jmps 000018676
; jmp back and try your
luck again.
00018695: B80100 mov
ax,00001 ;
Set Good_Guy flag...
00018698: 5E
pop si
00018699: C9
leave
0001869A: CB
retf
0001869B: 2BC0
sub ax,ax
; Bad_Guy flag
0001869D: 5E
pop si
0001869E: C9
leave
0001869F: CB
retf
...
000186F8: E874FF call
00001866F ;
Call the above routine
000186FB: 5B
pop bx
000186FC: 0BC0
or ax,ax
; Dongle or no dongle ?
000186FE: 7521
jne 000018721
...
00018721: B80100 mov
ax,00001 ;
found it, go ahead
00018724: CB
retf
0001869B: 2BC0
sub ax,ax
; otherwise clear ax and exit
0001869D: 5E
pop si
0001869E: C9
leave
0001869F: CB
retf
The program check the RetCode#1 and, if it is not correct, will
check it again 3 times. After that, if it is still the wrong RetCode you
are sent away otherwise it will do the same job for the RetCode#2.
The stupid part of this code is when the program stores the 2 correct
RetCodes, and the fact that everything is located in same area. Hard to
miss it!
As there are at least one dozen different ways to patch and crack
this, I let you decide which one you prefer, there's no need to explain
this.
OmniMark v3R1a Win95
-Description:
Perform large-scale conversion and mark-up of text and data for delivery
in print or on CD-ROM, as well as allow Intranet and website builders to
automate the presentation of individualized content
-OS:
Win95 (there are other versions for DOS/Win3.XX, NT, OS/2).
-Protection:
Dongle (parallel ). Driver: Hasp95.vxd.
-Misc.:
Does NOT run if no dongle detected.
This 32bit app will run in a DOS box. I tried it and it appears to be fast and very efficient.
That's another Hasp dongle! Let's bash it too.
With Hiew, we can quickly locate the main hasp routine in the main
executable (omnimark.exe 1.5Mb): 00133548 (:00533548 with SoftICE
or W32Dasm).
Running the program will display:
'Authorization failed. Exiting OmniMark.'
Though it's just another stupid protection, I add it here for 2
reasons:
1) though I cracked several Hasp protected softs, this is the first
one I found that will clear eax for the Good_Guy and set it to 1 for the
Bad_Guy:
:0041104A 6A01
push 00000001
:0041104C E8F7241200 call 00533548
; Call Hasp Service#1
:00411051 83C424 add
esp, 00000024
:00411054 837DFC00 cmp dword ptr
[ebp-04], 00000000 ; Is it a Hasp (RetCode#1 should
be =0x01)
:00411058 0F850A000000 jne 00411068
; Good_Guy jump
:0041105E B801000000 mov eax, 00000001
; Set Bad_Guy_Flag
:00411063 E9A6020000 jmp 0041130E
; terminate
The first time I ran it, I just put a BPX on the main Hasp routine,
get back to the caller and make it jump (as usual) until the mov eax,1
at the end of this routine and.. got this 'Authorization failed' message.
2) one tip, that works sometimes, is to search for some ofently used instructions like the Jmp Next_Instruction (0xe90000000)located at the end of the main routine that will call the dongle routine. It is useless and only used instead of 5 nop:
:00410BD1 E8AA030000
call 00410F80
:00410BD6 83C404
add esp, 00000004
:00410BD9 E900000000
jmp 00410BDE
; useless
:00410BDE 5F
pop edi
:00410BDF 5E
pop esi
:00410BE0 5B
pop ebx
:00410BE1 C9
leave
:00410BE2 C3
ret
...
...
:004112EA 85C0
test eax, eax
:004112EC 0F8412000000
je 00411304
:004112F2 8B45E0
mov eax, dword ptr [ebp-20]
:004112F5 A34C2C5600
mov dword ptr [00562C4C], eax
:004112FA C7059C3E56009A1F4100 mov dword ptr
[00563E9C], 00411F9A
:00411304 B801000000
mov eax, 00000001
:00411309 E900000000
jmp 0041130E
; useless
:0041130E 5F
pop edi
:0041130F 5E
pop esi
:00411310 5B
pop ebx
:00411311 C9
leave
:00411312 C3
ret
Well, that's all to say about this soft, because if you disasm it and have a look in the String data refs, you'll get:
:004018ED E828F30000 call 00410C1A
; Check dongle
:004018F2 85C0
test eax, eax
:004018F4 0F8512000000 jne 0040190C
:004018FA 687C115400 push 0054117C
; 'Authorization failed. Exiting OmniMark'.
:004018FF E894F20000 call 00410B98
:00401904 83C404 add
esp, 00000004
:00401907 E864F20000 call 00410B70
:0040190C E92F000000 jmp 00401940
No comments here as well about how to crack it...
And now, just for the fun, as I started my essay with Aladdin informations
and tips about 'how_to_protect_better_your_soft_with_our_state_of_the_art_dongle',
I though it may be worth having a quick look at one of the free tools you
can get on their site: Haptest.exe
Description:
'Hasptest is a simple program that checks the existency of FotoWare
protection dongles. It will report the different dongles found on your
system. This can be used to check that all dongles are found, and that
they are working properly.'
Here is just one piece of code from this 60Kb .exe file (all other calls to the dongle are strictly similar):
:00401BD6 6A02
push 00000002
:00401BD8 E823F4FFFF
call 00401000
; Hasp routine service #2
:00401BDD 83C424
add esp, 00000024
:00401BE0 817C240867B80000 cmp dword ptr [esp+08], 0000B867
; Is RetCode1=0xB867 ?
:00401BE8 752C
jne 00401C16
; Bad_Guy_Jump
:00401BEA 817C240C964D0000 cmp dword ptr [esp+0C], 00004D96
; Is RetCode2=0x4D96 ?
:00401BF2 7522
jne 00401C16
; Bad_Guy_Jump
:00401BF4 817C241098BD0000 cmp dword ptr [esp+10], 0000BD98
; Is RetCode3=0xBD98 ?
:00401BFC 7518
jne 00401C16
; Bad_Guy_Jump
:00401BFE 817C2414366A0000 cmp dword ptr [esp+14], 00006A36
; Is RetCode4=0x6A36 ?
:00401C06 750E
jne 00401C16
; Bad_Guy_Jump
:00401C08 6A40
push 00000040
; Good_Guy
:00401C0A 6838514000
push 00405138
; 'HASP TEST'
:00401C0F 68C0504000
push 004050C0
; 'FotoSync CSF HASP found'
:00401C14 EB0C
jmp 00401C22
:00401C16 6A10
push 00000010
; 'HASP TEST'
:00401C18 6838514000
push 00405138
; '** NO FotoSync CSF HASP found **'
...
...
Well, since they advise programmers to better protect their softs,
I thought they might have taken this opportunity to do the same with their
own programs...
That's all.
If I don't get a 'Dongle overdose' within the next few hours, and
if I am smart enough, I may go and try to fetch all free dongle softs available
on the Net, put them in a list and mail it to +Fravia for the +HCU.
Frog's Print - January 29, 1998
homepage
links
anonymity
+ORC
students' essays
academy database
tools
javascript wars
cocktails
antismut CGI-scripts
search_forms
mail_fravia+
Is reverse engineering legal?