Zen and the Art of Dongle Cracking
(A somehow 'general' essay about dongles)
project3

by zeezee

(24 December 1997, slightly edited by fravia+)


Courtesy of fravia's page of reverse engineering
Well, our dongle cracking project was being a little neglected... which is not nice, yet somehow understandable... huge economic interests are in play here, and many 'lower' crackers prefer to find an 'economic' arrangement with the dongle producers instead of publishing their (simple) cracks... (which is something that real +crackers should never do!)
And we have unfortunately had other delays as well: Marta never sent his contributions (we all know how lazy these spanish friends are :-) and we are all still awaiting Quine's promised HASP tutorial (should be there soon, be prepared!)
Luckyly we have zeezee working hard on this as well! This is what zeezee wrote me:

hi fravia+

This time comes a little more 'general' essay about dongle cracking.
After winning with 4 dongles and loosing with one I can draw some general
conclusions which may help all will-be dongle crackers
Now read and enjoy... +HCU's dongle cracking is gaining 'momentum' (was about time... this crap 'faked hardware' solution was gaining too much place (and easy money) on the protection scene... funny! As if a good logic analyzer would not be enough to crack any stupid dongle black and blue!

I'll tell you what I like about this essay: zeezee DOES NOT gives us here any specific target! In fact to know which target a cracker is working on is mostly utterly unimportant... the important thing for us is to learn HOW to reverse this kind of code, not to learn how to crack a specific program... Hey! You better learn it right now in 1997 (you have still a week before 1998), should you never have understood it until now: there are BILLIONS software programs out there... well, most are crap, yet say there are hundred thousands good software programs you could eventually enjoy out there... what's the point of giving any luser a 'specific' crack? (besides... most of the time it's much more fun cracking such software than using it :-)
You dig it? A 'specific' target crack (with few exceptions) has therefore -mostly- NO interest whatsoever for us... what we want is to understand how another fellow +cracker tackled HIS target in order to tackle OUR (completely different) ones with this knowledge somewhere in our 'collective memory'... therefore zeezee's approach is VERY GOOD. You won't learn here how to deprotect a specific dongle target, you will -eventually- learn how to crack your own dongle protected crap next year! (Let's hope you'll write an essay on your approach :-)
Have a happy new 1998!

                     Zen and the Art of Dongle Cracking
                     ------------------------------
                               by zeezee


Disclaimer:
I don't publish here any dongle-protected program names since it's not my goal
to make battles with lawyers, you see only relevant code snippets. This
tutorial is not about one specified software or dongle. The example given is
from a real program not widely available. The program itself isn't important.

So, let's start with blah-blah, sorry, with basics.

Dongles are small boxes connected to the LPT port (or sometimes to COM port) of
your computer. They should be (in fact they are in 99%) invisible to printer
connected to this port. There are variants of dongles mounted inside computer
but for us, the exact appearance of the dongle isn't important.

Inside of the dongle is an EEPROM or ASIC or maybe a dead fly. For us this is
only a black box which receives / sends data from our application via piece of
software (dongle API) which is sold with the dongle to app developers.
The app writers call the API and check values returned to make good/bad guy
jumps.

Most popular dongles are:
- Sentinel (big family) from Rainbow Technologies (USA)
- Hasp (not bad) from Aladin (Israel)
- Fest (if I recall made in Germany)
- Actikey (France)
and tens of others... See your favourite Dr Dobb's page.

Tools needed are usual: IDA, SoftICE, HIEW. And of course our application.
No logic analyzer, oscilloscope, maybe LED monitor if you really want it.

So, dear cracker, first step in our tutorial is:

*1* Identify the dongle you are dealing with.

It's not so hard in most cases. Either look at the dongle if you have
access to it, or look at all files that install with your soft, then you may
search all .DLL's, .VXD's etc. for copyright text other than application authors.
You find it quickly in almost all cases.

*2* Gather all possible information from www pages of dongle vendor.
This is VERY IMPORTANT STEP!

You will wonder how much doc you get. Full API, often with source, demo soft,
examples how to use API with your future biggest program etc. Get it all and
study carefully.
Remember: ALL computer hard/soft vendors are present in the Net. Just find them.
Don't panic when you read all info about dongle security. They ARE secure. OK.
You can't crack them unless they're done by complete idiots. OK.
But you want to crack the application, NOT the dongle.
When you read about RSA encryption, one-way functions and see in the
API some interesting Question/Answer hashing functions, remember that it's only
API. No one uses it. Only simple functions like Check/Serial Number/Read and
sometimes Write are used.

*3* You may also get an evaluation dongle from dongle dealer. For free.
If not for free ask for 14-day lease. It works! They want to sell these boxes.
Call these 0-800 or 0130 numbers. They want to help you unless you say something
stupid when asked for software you want to protect.
The people at Rainbow and Aladin dealers are _extremely_ helpful.

*4* Now you know the dongle/app you want to crack and have (or not) some additional
info. Time to think (+Orc calls it Zen).

Imagine a software company making big good proggy. The proggy is almost finished,
then comes the boss and says: "Ok, we're ready, now is the time to protect our
fantastic product. We have a demo kit from dongle X. So, dear programmers, use
it".
And poor programmers are studying dongle docs, API etc and putting some API
calls into their code.

Sometimes it ends like this:

        call DONGLE
        or ax, ax
        jz goodguy
badguy:

Yes, you may not believe it, yet it's true. (See previous essays)

Sometimes they go little further but in most cases, I repeat: in MOST cases
the idea is stupid.

But the chain is so strong as its weakest link. And in all 4 different progs
protected with different dongles the weakest link was the interface:

     Application - Dongle API (mostly contained in a DLL)

The dongle manufacturers are smart guys, they know how to encrypt data, make
self-modifying code, anti-debug tricks etc. I recommend: Leave their code as is.
The application side is much easier to crack.

The first thing in real crack is to find THE call (rarely more than one)  to
the dongle API, Use IDA or WDASM and remember the name of the DLL containing
dongle API and after several minutes (last time 2 hours and 40MB .IDB file!)
you have it.

There should be a part of API statically linked to the executable we are
cracking which calls the DLL, funny people at Aladin make self-mod code here,
so our further goal is to go a bit up.

Our poor programmers are lazy. Everyone is lazy when it comes to make some
dumb work like calling the dongle. So they write their own functions like:

QuickCheckIfDonglePresent()
GetDongleSerialNumber()
ReadDongleByte( addr ) - or word, or dword, or even full table
WriteDongleByte( addr, value )

Maybe they are exported by name? Maybe the name is ReadDongle or similar?

Look carefully at references IDA gives you. You certainly find it.
You should find procs called only once - they should be interfaces between
application/API. Who writes two wrappers to one function?

The dongle API is very well structured in most cases, the function number is
explicitly given, 0 - check, 1 - get number, 2 - read, 3 - write, etc...
Identify where are params/results.
And this is the thing which helps us crack. We may have also the API docs!
The API producers want to make API maximally user-friendly. They make it also
more cracker-friendly... We may find quickly what the app expects from the
dongle by studying API calls and 'cmp ax' following it.

*5* Then comes the active part (you may need dongle for short period of time)
Patch the code inserting a CC byte in the 'App-API Interface' place(s).

Run SoftICE with BPINT 3.

Replace INT 3 with the original byte, then set BPX to this address, trace...
Look what happens when there is no dongle. You may have luck and quickly find
a checkpoint with bad/good guy switch. Try to go the other way and see what
happens (maybe your app starts running).

Try to patch the code to emulate QuickCheckIfDonglePresent function.
Simply return a value which satisfies calling proc.

This may be sufficient in most stupid cases.

Then try to emulate GetSerial# routine. Remember that dongle serial# may be
stored and used to display # in About box. See references IDA gives you.
Not all dongles have GetSerial# proc. Sometimes serial# is read like normal
data from dongle.

This may be sufficient in most not-so-stupid cases.

And then comes to dongle reading. Several bytes are read, I assume that you find
the place where they are stored and all references to this place.
Several checks may happen and certainly will happen in programs with different
options enabled/disabled by the dongle.

maybe so (real example from one of leading SCADA programs)
  cmp eax, some_value1
  je is_model_1
  cmp eax, some_value2
  je is_model_2
  etc.


or maybe so (real example from Israeli program with Israeli dongle)

  test eax, mask_1
  jz lab1
  call enable_option_1
lab1:
  etc.

or maybe so (electrical engineering tools made in France with french dongle)

  12 words read from dongle are stored from [ebx]

  mov ecx, 12
lab1:
  cmp word ptr [ebx], 1
  jne lab2
  call enable_option(cx)
lab2:
  inc ebx
  loop lab1

Believe me. It's real.

If you have a working dongle, read all values from it, and you know what to
emulate (set BPX after API read function does his job and make notes).

And here the real example. The app is useless to you, it isn't freely available,
so let's study the disassembly I prepared for you.

*1* Our dongle is french Actikey and the DLL is CCNMMNT.DLL
*2* We do the disassembly of our target (40 MB) and look into .idata section.
    It takes a little longer than one cocktail...
    The result is astonishing, but I wait until ALL references were displayed.
*3* Crtl-S and go to .idata section. I found extern imported from CCNMMNT.DLL
    Go to reference of it.

00594510 ; Imports from CCNMMNT.dll
00594510
00594510                 extrn CCNMM:dword       ; DATA XREF: j_CCNMMr

Only one reference! The name j_CCNMM is assigned by IDA!
then:

00408770 ;               S u b r o u t i n e
00408770
00408770 j_CCNMM         proc near               ; CODE XREF: key_io+6Fp
00408770                 jmp     ds:CCNMM        ; jump to Dongle DLL
00408770 j_CCNMM         endp

The name key_io and other below are assigned by me, they are not exported ;-)

Let's go one step up. See: Only one reference. A green light! We are on our 
good way.
then:

0040BA10 key_io          proc near               ; CODE XREF: main_key_check+8
0040BA10                                         ; main_key_check+18Cp
0040BA10                                         ; key_check2+45p

After checking, I found that key_check2 is called only from the main_key_check,
so we still only have one reference here. We are still inside dongle API code.

Let's go up.

0040B840 ;               S u b r o u t i n e
0040B840
0040B840 main_key_check  proc near               ; CODE XREF: key_fun_00+4Dp
0040B840                                         ; keyfn_18_sernum+68p
0040B840                                         ; keyfn_02_write+5Bp
0040B840                                         ; keyfn_03_read+56p
0040B840                                         ; key_fun_1b+50p
0040B840                                         ; key_fun_1c+54p
0040B840                                         ; key_fun_1d+5Cp

Of course you may ask, how do I know that this is API and not our 
application? Quick answer: Funcs 1b, 1c and 1d aren't called!
Do you imagine writing wrappers that are never called? They were written by
the dongle makers and linked to the app.
In fact keyfn_02_write isn't called also. This is good news, the key should 
always respond with the same data.

The names of the callers are self-explanatory. Where I got them from? 
Studying the procs, that's all, see for example:

0040A250 keyfn_18_sernum proc near               ; CODE XREF: (several)
0040A250
0040A250 arg_0           = dword ptr  8
0040A250
0040A250                 push    esi
0040A251                 call    key_fun_00
0040A256                 cmp     ax, 1
0040A25A                 jnz     short skc110
0040A25C                 mov     ax, 1           ; 1 - error?
0040A260                 pop     esi
0040A261                 retn

0040A262 skc110:
0040A262                 mov     word ptr ds:key_fun, 18h  ; function 18!!!
0040A26B                 xor     eax, eax
0040A26D                 mov     esi, [esp+4+arg_0]
0040A271                 mov     word ptr ds:key_result_1, magic1
0040A27A                 mov     word ptr ds:key_par3, ax
0040A280                 push    offset key_par4
0040A285                 mov     word ptr ds:key_par4, ax
0040A28B                 push    offset key_par3
0040A290                 mov     word ptr ds:key_par1, magic2
0040A299                 mov     word ptr ds:key_par2, magic3
0040A2A2                 push    offset key_par2
0040A2A7                 mov     [esi], eax
0040A2A9                 push    offset key_par1
0040A2AE                 push    offset key_result_1
0040A2B3                 push    offset key_fun
0040A2B8                 call    main_key_check        ; here our call
0040A2BD                 mov     word ptr ds:main_result, ax
0040A2C3                 add     esp, 18h
                    ....store results...

The magic values are identifying the dongle and the product, so I removed 
them... they are unimportant for our cracking.

And this is the top of dongle API. Now it's time to identify what the
API is expected to return. Several 'cmp ax, something' and I was able to emulate
API functions 00 (quick check) and 18 (get serial).
I applied a short patch using HIEW to emulate these functions.

After that my proggy started with all options disabled.
Analyzing other 'cmp ax, something' was almost trivial.

So I wrote a short emulator of key_fn_02_read and now the proggy opens all
options to me.

Conclusions.

* Dongle cracking is not much more complicated as serial# cracking. You need
  more theoretical background from dongle producers, good disassembler which
  finds all Xrefs and SoftICE of course. The shareware protections are often
  much more sophisticated than simple dongle calls in expensive commercial apps.
  Of course, there are programs protected better, but they are exceptions.

* Don't start cracking from BPIO on LPT ports. Try to find The Weakest Link!

* Remember, Programmers are lazy when it comes tu put foreign code into their own.
  Not all API calls are used. Check simplest functions first and see what happens.

* Let your cracked program run for several minutes. Almost always there is
  a dongle check performed each 1 minute or so. Your crack should survive this.
  Try all actions the program should perform. Select every item from menu.
  Or, if you prefer, study whole disassembly for dongle calls...

* Beware when cracking with real dongles connected. There is theoretically the
  possibility to destroy a dongle. Use dongles only to read their contents
  and remove them when SoftICE-ing your cracks. They aren't necessary at this
  time :-) However I never found any auto-destruction procedure when studying
  various dongles API.
  Neverthless, you have been warned!

Good Luck!

zeezee
(c) zeezee All rights reversed
You are deep inside fravia's page of reverse engineering, choose your way out:

redBack to Project 3
redhomepage redlinks redanonymity +ORC redstudents' essays redacademy database
redtools redcocktails redantismut CGI-scripts redsearch_forms redmail_fravia
redIs reverse engineering legal?