Dongle Bashing
End of the dongle old aera ~ Dongles bye bye
(re-uploade version October 1998)
or
"How a single +HCU reverser can easily blow a whole commercial sector out of history"

Advanced
29 January 1998
by Frog's print
+cracker
Courtesy of Reverser's page of reverse engineering

SECOND PART


(Back to first part)


Label Craft v6.01
-Description:
Program for creating and editing all types of labels in the Microsoft Windows environment..
-OS:
Win3.xx/95 (16bit)
-Protection:
Dongle (parallel key). Driver: none
-Misc.:
Run as a  DEMO if no dongle detected (Save and Save As are disabled,any printed document will have: letters in text strings mixed up, numbers randomized, graphics overcrossed).

This program doesn't require any external known driver. The dongle protection is located in the main executable: plabel.exe (379Kb).
Since this soft uses its own routines to check if there is a dongle, let's have a quick look at its HLP file:
'This software is protected with a hardware key which must be plugged into the parallel printer port at the back of your PC. Without the key LabelCraft runs in demo mode. The following message is then shown when you choose Label Printing or Label Editing from the main menu: 'Missing key lock! Continue as Demoversion?'.
I have to say that this is not really helpful!
Never mind, let's Zen crack:

With SoftICE:
    BPIO -H 378

Run the program and a dialog box pops asking you to choose between "Editing" or "Printing a label"
Press "Editing" and SoftICE will break here:

.0001BFEA: EE             out    dx,al      ;  Here
.0001BFEB: EB00           jmps  .00001BFED 
.0001BFED: 8B0ECA3B       mov    cx,[03BCA]
.0001BFF1: E2FE           loop  .00001BFF1 
.0001BFF3: A17C09         mov    ax,[0097C]
.0001BFF6: 050200         add    ax,00002
This is the main routine that will checks your // port for the dongle.
To find the caller, it is very important to disable any BPIO before pressing the <F12> key otherwise SoftICE will break several times.
With SoftICE:
    BD *
    <F12> (press it 3 times)

We land here:
.00015575: 9ADA543B55     call   001:054DA ; Check // port 
.0001557A: 83C404         add    sp,004
.0001557D: 3D457F         cmp    ax,07F45  ; Is there a dongle?
.00015580: 7408           je    .00001558A ; Yes, jump...
.00015582: 46             inc    si 
.00015583: 83FE03         cmp    si,003
.00015586: 7EC6           jle   .00001554E
.00015588: EB06           jmps  .000015590 ; Bad_Guy_Jump
.0001558A: B80100         mov    ax,00001  ; Good_Guy
.0001558D: 5E             pop    si
.0001558E: C9             leave
.0001558F: C3             retn

When I reached the cmp ax,7F45 instruction, I saw in the registers windows that ax=FFFF. I quickly patched the je 1558A with jumps 1558A.
The program seems to work well and we don't get any warning message about the missing dongle. As the "Save" feature is disabled, I check the main menu and...there are no "Save', "Save as" submenus!
There is a screw loose somewhere.
In fact, I just did a little mistake here: I said above to disable the BPIO before pressing the <F12> key and realized that I didn't re-enable it again right after. When running a Dongle protected soft, it is necessary to always have a BPIO enable, because the program may check at any time the presence of the dongle.
Exit Label Craft. Enable the BPIO until you reach the above code. Disable it, press <F12> 3 times and patch the je 1558A again.
Now re-enable the BPIO and let the program run. SoftICE will pops at offset .0001BFEA again.
With SoftICE:
    BD *
    <F12> (press it 3 times)

And we'll finally land here: 
.000147F7: 9ADA540748     call   001:054DA       ; Check // port 
.000147FC: 83C404         add    sp,004 
.000147FF: 3D9E6F         cmp    ax,06F9E        ; Is there a dongle? 
.00014802: 740B           je    .00001480F       ; Yes, jump... 
.00014804: 9A58531248     call   001:05358       ; otherwise disable "Save/Save as".
.00014809: C706FC4E0100   mov    w,[04EFC],00001 ; Set Bad_Guy_Flag.
.0001480F: 9A9E53AC46     call   001:0539E 
.00014814: B80100         mov    ax,00001 
.00014817: 8D66FE         lea    sp,[bp][-0002] 
.0001481A: 1F             pop    ds 
.0001481B: 5D             pop    bp 
.0001481C: 4D             dec    bp 
.0001481D: CB             retf 
Just make it always jump at offset .00014802.

Now, it may be a good idea to disasm the file to see if there is any other similar check (another -slow- solution would be to enable the BPIO and, with SoftICE, to test ALL features of the program -copy, printing...- but I don't have that much time to waste -:). W32Dasm v6.xx should be fine (plabel.exe is a 16bit file).

And here is what we find:

.00050461: 9ADA547704     call   001:054DA       ; Check // port
.00050466: 83C404         add    sp,004
.00050469: 3D64D4         cmp    ax,0D464        ; Is there a dongle? 
.0005046C: 740B           je    .000050479       ; Yes, jump otherwise... 
.0005046E: C706FC4E0100   mov    w,[04EFC],00001 ; set Bad_Guy_Flag and
.00050474: 9A58538C04     call   001:05358       ; add garbages to the printing function...
.00050479: 833EFC4E00     cmp    w,[04EFC],000 
.0005047E: 7503           jne   .000050483    
.00050480: E90E01         jmp   .000050591       ; Go ahead if Dongle_OK. 
.00050483: 9AFFFF0000     call   GETTICKCOUNT
.00050488: 50             push   ax              
.00050489: 9A1E852001     call   001:0851E       
Patching the je .000050479 will fully crack this soft.

As we can see, there's nothing really amazing in this protection but it is a bit more 'personal' and more discreet than the usual routines used by important dongle manufacturer. It would be more complicated to crack if some strong anti-softICE/disasm tricks would be added.

 



Ai Damage v1.4
-Description:
Program to find the change in velocity of a vehicle from an analysis of the damage caused
-OS:
Win95/ NT  
-Protection:
Dongle (parallel key). Driver: DK2 DESkey
-Misc.:
Does NOT run if no dongle detected . Dongle license valid for 1 year.

If you didn't understand the program description here is another one:
"AiTS was founded to teach accident investigation, and to provide software to assist accident investigators in their task.
Ai Damage calculates changes in speed from the damage caused to vehicles. The program not only uses the tried and tested Crash3 algorthims, but also uses the principle of the conservation of linear momentum (in two dimensions) to fully analyse your accident".
To resume, this is just another crap I will erase from my HD right after this essay.

This program requires the DK2 DESkey dongle driver (dk2wn95.386 for Win95) not available with the downloaded program (you can download it here:  Bdk2wn32.exe 720Kb -: ). If its installation failed, you can do it manually as per follows:
Open 'system.ini'.Find the section of system.ini which is headed [386Enh]. Insert the following line into this section:  
  device=C:\AIDAMGE\DK2WN95.386 
If you changed the installation directory from C:\AIDAMAGE, you should adjust the path in the above line accordingly.

A quick look at AiDamage doc gives us some infos about the protection:
On the first time of starting, you will be requested to enter a code.  This code is needed before the dongle can be activated.  To obtain the code contact Ai Training Services on 01452 862798 and ask for a code.  You will also need to advise the operator of the number quoted in the box. (Marked User code:) 
Type in the code supplied EXACTLY as given.  Press 'OK' and the dongle will be activated and Ai Damage will start. To activate the dongle contact AiTS with the code displayed on the Enable Dongle dialog.  You will be given a return code which you should enter, exactly as quoted.  Once entered press ‘OK’ and Ai Damage will start properly. If you fail to enter the code as given, Ai Damage will not function.
You should not need to enter any other codes until the dongle is automatically de-activated at the expiry of your licence. Ai Damage will function for three months following the expiry of the licence.  Any attempt beyond this date to start the program will fail., with the display of this dialog.
If you try and remove the dongle whilst Ai Damage is running, then Ai Damage will detect this and close down.  You may not have any opportunity to save your data once the dongle has been removed.  Replacing the dongle will have no effect.  You must re-start Ai Damage and re-enter any of the lost data. 
On the expiry of the annual licence, the dongle will detect this condition and cause Ai Damage to display this dialog box.  You need to follow the instructions on screen, and your dongle will be activated for further use. 

As you can see, if you are working with AiDamage and then, by mistake, remove or disconnect the dongle, ALL your work will be lost! Nice people...
That's not all:
Ai Damage will run under Windows NT.  However it has not been tested fully under NT and support with configuration of NT is not provided as part of your licence agreement.
And finally:
It has been noticed that with some hardware / printer configurations the presence of the dongle can cause corruption of the output to the printer.

What an encouragement to buy this soft!!

So, let's crack it "black & blue" ; this will solve some of those troubleshootings. 

Run the program and you get the message box: 
DONGLE ERROR - Cannot find a valid dongle 

Disasm the main exe file (aidamage.exe 341Kb)with W32dasm85.
I simple search through the String Datas References will give us all we need:
 
:0041257C FF1544EE4200    MSVCRT40._mbscmp 
:00412582 83C408          add esp, 00000008
:00412585 85C0            test eax, eax               ; Is_Driver_Loaded?
:00412587 7425            je 004125AE                 ; Jump if OK
:00412589 8B4DF0          mov ecx, dword ptr [ebp-10]
:0041258C E8DF0E0000      call 00413470               ; "Dongle driver not loaded"
:00412591 85C0            test eax, eax 
:00412593 0F8487FEFFFF    je 00412420 
:00412599 8B4DF0          mov ecx, dword ptr [ebp-10] 
:0041259C E8FF100000      call 004136A0               ; "Unable to read license info"
:004125A1 85C0            test eax, eax 
:004125A3 0F85C9000000    jne 00412672 
:004125A9 E972FEFFFF      jmp 00412420                ; Exit 
:004125AE 6A00            push 00000000 
:004125B0 8D8D3CFFFFFF    lea ecx, dword ptr [ebp+FFFFFF3C] 
:004125B6 E8A5030100      call 00422960 
:004125BB C745FC04000000  mov [ebp-04], 00000004 
:004125C2 8D8D3CFFFFFF    lea ecx, dword ptr [ebp+FFFFFF3C] 
:004125C8 E809080100      MFC40.MFC40:NoName0113      ; Message Box:"Please Enter your password" 
:004125CD 83F801          cmp eax, 00000001           ; "OK" pressed? 
:004125D0 0F85AD040000    jne 00412A83                ; if not=>Exit 
:004125D6 682CC24200      push 0042C22C 
:004125DB 8D4DE4          lea ecx, dword ptr [ebp-1C] ; Store our password
:004125DE E833070100      MFC40.MFC40:NoName0081      ; Calculate correct password
:004125E3 C645FC05        mov [ebp-04], 05 
:004125E7 8B459C          mov eax, dword ptr [ebp-64] ; Store correct password in eax
:004125EA 8B4DE4          mov ecx, dword ptr [ebp-1C] ; Store our password in ecx
:004125ED 50              push eax 
:004125EE 51              push ecx 
:004125EF FF1544EE4200    MSVCRT40._mbscmp            ; Compare both 
:004125F5 83C408          add esp, 00000008 
:004125F8 85C0            test eax, eax               ; Is_Password_OK? 
:004125FA 7428            je 00412624                 ; Yes, jump and go ahead... 
:004125FC 6A00            push 00000000               ; otherwise... 
:004125FE 6A30            push 00000030 
... 
:00412600 6800C24200      push 0042C200 
:0041261F E9FCFDFFFF      jmp 00412420                ; "Password incorrect, closing down"

A lot of interesting things are going on here. I tried to nicely reververse engineer this routine but the program acted so strangely that I prefer to use a brute force approach.
What we are going to do is:
-force the program to recognize the dongle driver (even if it is not loaded)
-Get rid of the "Enter your password" message box.
-Make it believe we typed a password and pressed "OK"
-Feed it with the right password
-Force it to accept it

Changed offset are shown in red:

:0041257C FF1544EE4200    MSVCRT40._mbscmp
:00412582 83C408          add esp, 00000008
:00412585 33C0            xor eax, eax                ; Driver_Always_Loaded
:00412587 7425            je 004125AE                 ; Jump
:00412589 8B4DF0          mov ecx, dword ptr [ebp-10]
:0041258C E8DF0E0000      call 00413470               
:00412591 85C0            test eax, eax
:00412593 0F8487FEFFFF    je 00412420
:00412599 8B4DF0          mov ecx, dword ptr [ebp-10]
:0041259C E8FF100000      call 004136A0
:004125A1 85C0            test eax, eax
:004125A3 0F85C9000000    jne 00412672
:004125A9 E972FEFFFF      jmp 00412420                
:004125AE 6A00            push 00000000
:004125B0 8D8D3CFFFFFF    lea ecx, dword ptr [ebp+FFFFFF3C] 
:004125B6 E8A5030100      call 00422960 
:004125BB C745FC04000000  mov [ebp-04], 00000004 
:004125C2 8D8D3CFFFFFF    lea ecx, dword ptr [ebp+FFFFFF3C] 
:004125C8 B801000000      mov eax,000000001           ; No more Message Box
:004125CD 83F801          cmp eax, 00000001           ; "OK" pressed 
:004125D0 0F85AD040000    jne 00412A83
:004125D6 682CC24200      push 0042C22C 
:004125DB 8D4DE4          lea ecx, dword ptr [ebp-1C] ; Store our password
:004125DE E833070100      MFC40.MFC40:NoName0081      ; Calculate correct password
:004125E3 C645FC05        mov [ebp-04], 05 
:004125E7 8B459C          mov eax, dword ptr [ebp-64] ; Store correct password in eax
:004125EA 8B4D9C          mov ecx, dword ptr [ebp-64] ; Store correct password in ecx
:004125ED 50              push eax 
:004125EE 51              push ecx 
:004125EF FF1544EE4200    MSVCRT40._mbscmp            ; Compare both 
:004125F5 83C408          add esp, 00000008 
:004125F8 85C0            test eax, eax               ; Password_ALWAYS_OK
:004125FA 7428            je 00412624                 ; jump and go ahead. 
:004125FC 6A00            push 00000000               ; Will never reach this part.
:004125FE 6A30            push 00000030 
... 
:00412600 6800C24200      push 0042C200 
:0041261F E9FCFDFFFF      jmp 00412420

There are still few enhancements to do because running the program with these changes will give you the following message:
"This dongle does not support AIDamage"

Back to W32dasm85 we quickly find the problem:

:0041293A FF1544EE4200    MSVCRT40._mbscmp
:00412940 83C408          add esp, 00000008
:00412943 85C0            test eax, eax                ; Is_Dongle_OK?
:00412945 7420            je 00412967                  ; Yes, jump otherwise...
:00412947 8B4DF0          mov ecx, dword ptr [ebp-10]
:0041294A E8F10B0000      call 00413540                ; "This dongle doesn't support..."
 

We notice that the program is always checking if the dongle is still present:

:0041450A FF1544EE4200    MSVCRT40._mbscmp
:00414510 83C408          add esp, 00000008
:00414513 85C0            test eax, eax                ; Is_Dongle_Still_Connected?
:00414515 7511            jne 00414528
:00414517 33C0            xor eax, eax                 ; Good_Guy
:00414519 8B4DF4          mov ecx, dword ptr [ebp-0C]
:0041451C 64890D00000000  mov dword ptr fs:[00000000], ecx
:00414523 5E              pop esi
:00414524 8BE5            mov esp, ebp
:00414526 5D              pop ebp
:00414527 C3              ret
:00414528 685CC64200      push 0042C65C                ; "Dongle is no longer connected"

For those 2 checks, you just have to patch both test eax,eax.
 

Finally, I deeper look at the ASM listing and you'll find some other error messages:

"Your dongle has not been updated"
x-refs:
:00413C77
:00413F47
:00413FF0

"Invalid enable code, closing down"
x-refs:
:00413BFC
:00413C05

"Your licence has expired."
X-Ref:
:00413966

I didn't patch those occurences as the program worked well. I put some BPX at those offsets but SoftICE never broke (even when changing the OS date). So I just assume the program may check inside the dongle to see if the license has expired or not but since we forced it to accept the dongle we may not need to patch them.
Anyway, now you won't loose any data if you have a dongle connected or not and you can print safely!
 
Note: you can remove the DK2 DESkey driver, it is not needed any more.



Electro Chemistry (12 Nov.1997 version)
-Description:
Electrochemistry Software.
-OS:
Win3.xx/95
-Protection:
Dongle (parallel ). Driver: Key.dll (c:\windows\system).
-Misc.:
Run as a DEMO if no dongle detected (Nagscreen, file and print operations are disabled).

During its installation, this Visual Basic 3 soft added a key.dll (18Kb) file to the windows/system directory.
Though we could use Dodi's VB discompiler to disasm the main executable (ecprog.exe 231Kb) and find all references to the dongle through the source code, a live approach will be enough to get rid of the protection.

Running the program will display a Nagscreen:
"The software key was not detected! The software will run in demonstration mode only"

With SoftICE:
     BPIO -H 378
Run ecprog.exe and SoftICE pops. We are inside Make.dll, an Exported function from Key.dll.
Press <F12> 3 times, and you can't miss the dongle protection:
 

.000105C8: E88EFE      call  .000010459          ; Check I/O
.000105CB: 08C0        or     al,al              ; Is_Dongle_OK?
.000105CD: 7506        jne   .0000105D5
.000105CF: C646FF00    mov    b,[bp][-0001],000  ; Bad_Guy_Flag
.000105D3: EB04        jmps  .0000105D9
.000105D5: C646FF01    mov    b,[bp][-0001],001  ; Good_Guy_Flag
.000105D9: 8A46FF      mov    al,[bp][-0001]     ; Store Flag in AL
.000105DC: C9          leave
.000105DD: CA0C00      retf   0000C              ; Back to caller

This routine is very important:
You'll find it in most stupid dongle programs you'll have to crack, so get familiar with it!

.0001004B: 9AFFFF0000  call   001:004EE           ; Call the above routine 
.00010050: 08C0        or     al,al               ; Good_Guy_flag set?
.00010052: 7407        je    .00001005B            
.00010054: C746FC0100  mov    w,[bp][-0004],00001 ; Full_Program_Flag
.00010059: EB05        jmps  .000010060
.0001005B: 31C0        xor    ax,ax               ; Demo_Program_Flag
.0001005D: 8946FC      mov    [bp][-0004],ax      ; Bad_Guy => Xor AX
.00010060: 8B46FC      mov    ax,[bp][-0004]      ; Good_Guy=> AX=0x01
.00010063: 5F          pop    di
.00010064: 5E          pop    si
.00010065: 8D66FE      lea    sp,[bp][-0002]
.00010068: 1F          pop    ds
.00010069: 5D          pop    bp
.0001006A: 4D          dec    bp
.0001006B: CB          retf

If you disasm the DLL, you'll see that there is only 1 x-ref for both routine: the program just checks for the dongle at the very beginning but will not during its execution (but it will check the Full_Program/Demo_Program flag).
 
You can patch the conditional jump at 00010052 or the first routine.... there are plenty of ways to do so.
That's all for this dongle.
 


IPLab v1.7
-Description:
Scientific image analysis program.
-OS:
Win95/NT4
-Protection:
Dongle (parallel ). Driver: Sentinel.vxd.
-Misc.:
Does NOT run if no dongle detected + SetUp password protected.

The Setup will prompt you for a password. Let's crack it:
   BPX DialogBoxParam
Type in any password + <Enter>.
SoftICE pops:
   <F11>
You'll get the "Incorrect Password" message. Press <OK>.
   <F12>
Now just look at the end of the routine:

xxxx:4494 B80100   mov ax,0001  ; SetUP cancelled
xxxx:4497 EB02     jmp 449B
xxxx:4499 33C0     xor ax,ax    ; Install program
xxxx:449B 5E       pop si
xxxx:449C 5F       pop di
xxxx:449D C9       leave
xxxx:449E CB       ret

Just patch the mov ax,0001 so that the Setup will think you have typed the right password.

The program will be installed in the c:\IPLabDir directory (you can't choose another destination directory).
Running the main exe file IPLab.exe (1.22 Mb) will display:
"KEY NOT FOUND"

WDasm it and here is what we find:

:0040D626 E815630200              call 00433940                   ; Check_If_Dongle_OK
:0040D62B 85C0                    test eax, eax
:0040D62D 7516                    jne 0040D645                    ; Good_Guy
:0040D62F 56                      push esi
:0040D630 56                      push esi
:0040D631 68A8C64B00              push 004BC6A8                   ; "Key not found" + Exit
:0040D636 E8A5E50400              MFC40.MFC40:NoName0029
:0040D63B C7837C02000002000000    mov dword ptr [ebx+0000027C], 2
:0040D645 8D4DC0                  lea ecx, dword ptr [ebp-40]

Just make it always jump.

When running, the program will check is the key is still plugged in:

* Referenced by a CALL at Addresses :0043379C, :0043BCD1, :0043BD23, :0043BD75, :0043BDC3, :0044CF15
:00433AB0 6A00                    push 00000000
:00433AB2 6A00                    push 00000000
:00433AB4 6894E14B00              push 004BE194                    ; "Key Missing" 

It is called by 6 different routines. Here is just the first one of them (they all use the same following piece of code):

:00433787 E894830000              call 0043BB20                    ; Check // port
:0043378C 85C0                    test eax, eax                    ; Is_Dongle_OK?
:0043378E 740C                    je 0043379C                      ; Bad_Guy_Jump
:00433790 99                      cdq
:00433791 B907000000              mov ecx, 00000007
:00433796 F7F9                    idiv ecx
:00433798 85D2                    test edx, edx
:0043379A 7425                    je 004337C1                      ; Good_Guy jump
* Referenced by (C)onditional Jump :0043378E
:0043379C E80F030000              call 00433AB0                    ; "Key Missing" + Exit
:004337A1 6A00                    push 00000000
:004337A3 6A01                    push 00000001

This routine check the parallel port by calling offset :0043BB20. The 5 other similar ones call 4 different routines:

1) 0043BB20 
2) 0043BC20
3) 0043BB60 
4) 0043BBB0 

Now let's see those 4 routines that call the Sentinel driver:
1)
:0043BB20 A1B4094C00              mov eax, dword ptr [004C09B4] 
:0043BB25 0FBF00                  movsx eax, word ptr [eax] 
:0043BB28 99                      cdq 
:0043BB29 33C2                    xor eax, edx 
:0043BB2B 2BC2                    sub eax, edx 
:0043BB2D 8B15BC094C00            mov edx, dword ptr [004C09BC] 
:0043BB33 8BC8                    mov ecx, eax 
:0043BB35 0FBF02                  movsx eax, word ptr [edx] 
:0043BB38 99                      cdq 
:0043BB39 33C2                    xor eax, edx 
:0043BB3B 2BCA                    sub ecx, edx 
:0043BB3D 03C8                    add ecx, eax 
:0043BB3F 7512                    jne 0043BB53                         ; Make it always jump 43BB41
:0043BB41 FF1580794C00            MSVCRT40.rand                        ; Good_Guy
:0043BB47 8D0CC500000000          lea ecx, dword ptr [8*eax+00000000] 
:0043BB4E 2BC8                    sub ecx, eax 
:0043BB50 8BC1                    mov eax, ecx
:0043BB52 C3                      ret 
* Referenced by a jump:0043BB3F(C) 
:0043BB53 33C9                    xor ecx, ecx                         ; Bad_Guy
:0043BB55 8BC1                    mov eax, ecx 
:0043BB57 C3                      ret 

2)
:0043BC20 53                      push ebx
:0043BC21 56                      push esi
:0043BC22 668B5C240C              mov bx, word ptr [esp+0C]
:0043BC27 57                      push edi
:0043BC28 33FF                    xor edi, edi
...
:0043BC54 85FF                    test edi, edi
:0043BC56 750E                    jne 0043BC66                         ; Make it always jump 43BC58 
:0043BC58 FFD6                    call esi                             ; Good_Guy
:0043BC5A 40                      inc eax
:0043BC5B 5F                      pop edi
:0043BC5C 8BC8                    mov ecx, eax
:0043BC5E 5E                      pop esi
:0043BC5F C1E003                  shl eax, 03
:0043BC62 5B                      pop ebx
:0043BC63 2BC1                    sub eax, ecx
:0043BC65 C3                      ret
* Referenced by a (C)onditional Jump :0043BC56
:0043BC66 33C0                    xor eax, eax                         ; Bad_Guy
:0043BC68 5F                      pop edi
:0043BC69 5E                      pop esi
:0043BC6A 5B                      pop ebx
:0043BC6B C3                      ret

3)
:0043BB60 A1B8094C00              mov eax, dword ptr [004C09B8]
:0043BB65 0FBF00                  movsx eax, word ptr [eax]
...
:0043BB7F A1B0094C00              mov eax, dword ptr [004C09B0]
:0043BB84 0FBF00                  movsx eax, word ptr [eax]
:0043BB87 99                      cdq
:0043BB88 33C2                    xor eax, edx
:0043BB8A 2BCA                    sub ecx, edx
:0043BB8C 03C8                    add ecx, eax
:0043BB8E 7512                    jne 0043BBA2                         ; Make it always jump 43BB90
:0043BB90 FF1580794C00            MSVCRT40.rand                        ; Good_Guy
:0043BB96 8D0CC500000000          lea ecx, dword ptr [8*eax+00000000]
:0043BB9D 2BC8                    sub ecx, eax
:0043BB9F 8BC1                    mov eax, ecx
:0043BBA1 C3                      ret
* Referenced by a (C)onditional Jump :0043BB8E(C)
:0043BBA2 33C9                    xor ecx, ecx                         ; Bad_Guy
:0043BBA4 8BC1                    mov eax, ecx
:0043BBA6 C3                      ret

4)
:0043BBB0 A1B4094C00              mov eax, dword ptr [004C09B4]
:0043BBB5 0FBF00                  movsx eax, word ptr [eax]
:0043BBB8 99                      cdq
...
:0043BBF6 33C2                    xor eax, edx
:0043BBF8 2BCA                    sub ecx, edx
:0043BBFA 03C8                    add ecx, eax
:0043BBFC 7512                    jne 0043BC10                         ; Make it always jump 43BBFE 
:0043BBFE FF1580794C00            MSVCRT40.rand                        ; Good_Guy
:0043BC04 8D0CC500000000          lea ecx, dword ptr [8*eax+00000000]
:0043BC0B 2BC8                    sub ecx, eax
:0043BC0D 8BC1                    mov eax, ecx
:0043BC0F C3                      ret
* Referenced by a (C)onditional Jump :0043BBFC(C)
:0043BC10 33C9                    xor ecx, ecx                         ; Bad_Guy
:0043BC12 8BC1                    mov eax, ecx
:0043BC14 C3                      ret

That was just another stupid protection which didn't need any dongle. A simple 'password protected' program or a good .Reg/.Key file would have done the same (and would have save money to those programers -:).


DigiSHOW.vld v1.7
-Description:
Virtual Laser Disk program.
-OS:
Win95
-Protection:
Dongle (parallel ). Driver: DK47wn32.dll
-Misc.:
Does NOT run if no dongle detected.
 

Disasm the main exe (vld.exe 145Kb).
There're no words to describe the following; just read it and forget it.
  

:00405E4F E8ECD7FFFF    call 00403640               ; Get_That_stupid_dongle_driver
:00405E54 83F801        cmp eax, 00000001           ; Is_Dongle_OK?
:00405E57 0F8515010000  jne 00405F72                ; Jump if not
:00405E5D 8B44243C      mov eax, dword ptr [esp+3C]
:00405E61 8B4C2430      mov ecx, dword ptr [esp+30] 
... 
* Referenced by a (C)onditional Jump :00405E57(C) 
:00405F72 6A00          push 00000000               ; "The DigiSHOW.vld key 
:00405F79 68F8824100    push 004182F8               ; has not been found" 
  

And now, ladies and gentlemen, THE CALL : 
 
* Referenced by a (C)onditional Jump :00405E57
:00403640 81EC08080000  sub esp, 00000808 
:00403646 56            push esi 
:00403647 33F6          xor esi, esi 
:00403649 E8C4490000    DK47wn32.DK47DriverInstalled  ; No comments 
:0040364E 83F801        cmp eax, 00000001 
:00403651 7549          jne 0040369C 
:00403653 E8B4490000    DK47wn32.FindDK47             ; No comments 
:00403658 83F801        cmp eax, 00000001 
:0040365B 753F          jne 0040369C 
:0040365D 8D442404      lea eax, dword ptr [esp+04] 
:00403661 6806080000    push 00000806
:00403666 50            push eax
:00403667 6A3B          push 0000003B
:00403669 6A06          push 00000006
:0040366B 6A1E          push 0000001E
:0040366D E894490000    DK47wn32.DK47ReadRandomNumbers ; No comments
:00403672 B847040000    mov eax, 00000447
:00403677 33C9          xor ecx, ecx
:00403679 8A4C0404      mov cl, byte ptr [esp+eax+04]
:0040367D 03F1          add esi, ecx
:0040367F 40            inc eax
:00403680 3D06080000    cmp eax, 00000806
:00403685 7CF0          jl 00403677
:00403687 81FECAFE0100  cmp esi, 0001FECA
:0040368D 750D          jne 0040369C
:0040368F B801000000    mov eax, 00000001              ; Guess?
:00403694 5E            pop esi
:00403695 81C408080000  add esp, 00000808
:0040369B C3            ret

* Referenced by a (C)onditional Jump :00403651, :0040365B, :0040368D
:0040369C 33C0          xor eax, eax                   ; Guess here too? 
:0040369E 5E            pop esi 
:0040369F 81C408080000  add esp, 00000808 
:004036A5 C3            ret 
  

Everything is here. I would insult you if I explained how to crack this crap, so I will not. 
  
The Help/About menu displays:

DESIN & CODING:
Chris Fulton
GRAPHICS:
Chris Fulton
MANUAL:
Chris Fulton

Sorry, Chris, but you're an asshole: keep working on the Manual, but for God's sake, just forget the Coding! 
 


Axon Engineer Pro v2.11e
-Description:
Neurocellular modeling tool.
-OS:
DOS/Win3.xx/Win95
-Protection:
Dongle (parallel ). Driver: Sentinel.vxd.
-Misc.:
The DOS .exe file Does NOT run if no dongle detected. InstallShield password protected.

Crackers are very serious peoples, look: we are going to crack a dongle protected cellular electrochemical dynamics simulator! Nice isn't it? But don't worry, as usual the program is far more complicated to understand than its dongle protection is.

Before downloading it, I read at Axon's home page the following:
"If you are not currently a licensed user of Axon Engineer, the downloads below will be of no use to you since they require the presence of a hardware key ('dongle') to run.
If you are a licensed user of Axon Engineer Pro, you will need a password to run the setup program for the upgrade."
 

The setup (that stupid InstallShield Wizard) is protected with a password. A simple BPX Lstrcmp will show you that you should better type 'opengate1' if you ever want to have the opportunity to install this soft.

There are 2 .exe files:
- aewin.exe (375Kb) for Window$
- eapro.exe (400Kb) for DOS.

Strangely, the Windows' file doesn't seem to require any dongle (or did I miss something??) but the DOS'one does. That's just because it is much more sophisticated than aewin.exe which doesn't appear to be able to create new file.
Let's work on the DOS app. For this I would prefer to use Sourcer 7.0 but since +IDA Pro is an official +HCU tool we will use it for this crack.

Running eapro.exe will display the following message (and nearly crash your computer, BTW -:):
'Hardware Key Violation'

Open it with IDA Pro and search for the string "key":
   ALT-B     type=>   "key"

IDA send you there:

dseg:019E aHardwareKeyVio db 'Hardware Key Violation',0 ; DATA XREF: sub_0_0+1347
 
Just click on the XREF:

000:1346 loc_0_1346:                              ; CODE XREF: sub_0_0+35B
000:1346             push    ds
000:1347             push    offset aHardwareKeyVio
000:134A             push    0FFFFh
000:134C             call    sub_D49_2
000:1351             add     sp, 6
000:1354             jmp     short loc_0_13A0

As there is only 1 XREF, click on it again  and you'll get what you were looking for:

000:034C             push    ds
000:034D             push    offset aAxonEngineer
000:0350             call    sub_DED_28A                        ; Check_Dongle
000:0355             add     sp, 4
000:0358             cmp     ax, 2231h                          ; Is_Dongle_OK?
000:035B             jnz     loc_0_1346                         ; Bad_Guy_jump
000:035F             imul    bx, [bp+var_10], 46h

Here again, there's no need to tell you how to crack it.


FTI/DOE v2.3.1.4
-Description:
Tools for performing the process of dynamic energy analysis.
-OS:
DOS/Win3.xx/Win95/NeXTStep/VMS and most Unix systems.
-Protection:
Dongle (parallel ). Driver: none.
-Misc.:
The 2 main DOS .exe files do NOT run if no dongle detected
 

For infos, here is the more complete description of this soft:
'This software enables architects and engineers to perform a comprehensive analysis of dynamic heating and cooling loads, simulation of heating and cooling distribution systems, modeling of equipment supplying the required energy and calculation of the life-cycle costs of owning and operating energy systems for buildings. The program can simulate hour-by-hour performance for buildings ranging in size from a small one-room residence to a large multi-storied structure for each of the 8760 hours in a year.
FTI/DOE is based on the work conducted by the Simulation Research Group at Lawrence Berkeley Laboratories (LBL).'

I really have no use of this soft, but as this DOS app was written in Fortran and as I like this language, I downloaded it. If you never saw the source code of a file in Fortran, you can go to FTI/DOE site and download the source of one of the .exe of this program (the 'weather processor' file - wth.exe) and you'll see how beautiful it looks!

The 2 main softs (ble.exe 1Mb and sim.exe 1.57Mb) are dongle protected (own routines linked inside both programs) and will display the following message:

'Invalid Hardware Key or Key Error
Check the key for proper installation
...Exiting!!!'

We will only have a look at ble.exe as both program use exactly the same protection scheme.

BPIO -h 378 with SoftICE and run it. SoftICE pops, then <P RET> 2 times and here we go:

0002B285: E873EBFFFF            call   000029DFD        ; get dongle RetCode in ax
0002B28A: 8BE5                  mov    esp,ebp
0002B28C: 25F0FFFFFF            and    eax,0FFFFFFF0
0002B291: 663B0500560800        cmp    ax,[000085600]   ; compare to correct RetCode (0x8010)
0002B298: 6693                  xchg   bx,ax
0002B29A: 0F8502000000          jne    00002B2A2        ; Bad_Guy jump
0002B2A0: 33C0                  xor    eax,eax          ; Clear ax for Good_Guy
0002B2A2: 5A                    pop    edx
0002B2A3: 59                    pop    ecx
0002B2A4: 5B                    pop    ebx
0002B2A5: C3                    retn

A couple of <P RET> later we have:

00032393: E88DB30300            call   00006D725                ; the caller
00032398: 83C40C                add    esp,00C
0003239B: F705E41C090001000000  test   d,[000091CE4],000000001
000323A5: 753E                  jne    0000323E5                ; make it always jump

Again I just can't believe it: those guys wrote a sophisticated soft, powerful and reliable with a complicated language (Fortran) but were just unable to write a good protection scheme!
 

If you run it now, you'll get:
'Fortran runtime error on external file "C:\xxxxxx\xxxxxx\xxxxxx\input2.tmp" (1046):
Attempt to open non-existing file with STATUS = OLD'
This error message is just due to the fact that the soft doesn't run without command line arguments (see the batch files in the Script directory if you plan to use this soft).
 
 
 


S-Tagger for FrameMaker v2.0
-Description:
Tools for extracting text from MIF files created with Adobe FrameMaker 5.xx.
-OS:
Win95/NT3.51 (with Service Pack 2 or later installed)/NT 4.0 and Windows 3.x (with Win32s).
-Protection:
Dongle (parallel ). Driver: ACTIVATOR & UniKey (SSIACT.386 for Win95/3.xx and SSIPDDP.SYS  for WinNT).
-Misc.:
Run in DEMO mode if NO dongle detected (see below).
 

If no dongle is connected, the program will run in demo mode with the following limitations:
'The demonstration version is a full working version of The S-Tagger for FrameMaker, with the limitation that only files of a particular size, up to 180KB for MIF files and 30KB for STF/RTF files, can be processed.'

Running it will display a message box:
'While no dongle is connected to the parallel port, the program only runs in Demo mode.'
 
Disasm the main file (staggerf.exe 650Kb) :

We can quickly find the 'While no dongle...' string data ref:

:004047B6 6A01                    push 00000001
:004047B8 E8A3F6FFFF              call 00403E60              ; Check Dongle
:004047BD 85C0                    test eax, eax
:004047BF 7544                    jne 00404805               ; Good_Guy jump
:004047C1 6A01                    push 00000001
:004047C3 8D4DC8                  lea ecx, dword ptr [ebp-38]
:004047C6 6A05                    push 00000005
:004047C8 E893F6FFFF              call 00403E60              ; Check Dongle
:004047CD 85C0                    test eax, eax
:004047CF 7534                    jne 00404805               ; Good_Guy jump
:004047D1 8D4DE4                  lea ecx, dword ptr [ebp-1C]
:004047D4 E8237B0400              call 0044C2FC
:004047D9 68BE000000              push 000000BE              ; 'While no dongle is connected...'

The program check the dongle by calling twice the routine located at offset :00403E60. I don't know a lot about the Activator dongle, but it seems to be similar with the Hasp dongle as, each time it calls this routine, we can see the parameter pushed on the stack push 1, push 5 that could be 'check_if_dongle_present' and 'type of dongle' but I am not sure.

When running, S-Tagger displays the About thumbnail where we can read:
'The S-Tagger 2.0 for FrameMaker is running in Demo mode'
Searching again in the String data refs, we find 2 locations but only one is interesting:

:0042F9FE 687A170000              push 0000177A    ; '%s is running in'
...
...
:0042FA42 6A01                    push 00000001
:0042FA44 E81744FDFF              call 00403E60
:0042FA49 85C0                    test eax, eax
:0042FA4B 7436                    je 0042FA83
:0042FA4D 6898170000              push 00001798    ; 'comprehensive mode.'
...
...
:0042FAC7 EB21                    jmp 0042FAEA

* Referenced by a Jump at Address:0042FA91(C)
:0042FAC9 688E170000              push 0000178E    ; 'demo mode.'
 
Again, it calls the same routine (:00403E60). We can see that it will run either in 'demo mode' or in 'comprehensive mode'.
Let's have a look at this routine:

* Referenced by a CALL at Addresses:004047B8, :004047C8, :0040756D, :0040757D, :00417EF8, :00417F08, :00417F9B, :00417FAB, :0042E6AD, :0042FA44, :0042FA8A

:00403E60 807C240474   cmp byte ptr [esp+04], 74  ; check last 'push xxxxxxxx'
:00403E65 53           push ebx
:00403E66 56           push esi
:00403E67 8BF1         mov esi, ecx
:00403E69 733F         jnb 00403EAA               ; jnb Bad_Guy#2   **Change to jmp 00403E89**
:00403E6B 8A5C2410     mov bl, byte ptr [esp+10]
:00403E6F 80FB01       cmp bl, 01
:00403E72 7236         jb 00403EAA                ; jb Bad_Guy~2
:00403E74 80FB08       cmp bl, 08
:00403E77 7731         ja 00403EAA                ; ja Bad_Guy#2
:00403E79 E882000000   call 00403F00
:00403E7E 85C0         test eax, eax
:00403E80 7507         jne 00403E89               ; jne Good_Guy
:00403E82 33C0         xor eax, eax               ; Bad_Guy#1
:00403E84 5E           pop esi
:00403E85 5B           pop ebx
:00403E86 C20800       ret 0008

* Referenced by a Jump at Address:00403E80(C)
:00403E89 8B44240C     mov eax, dword ptr [esp+0C]
:00403E8D 8BCE         mov ecx, esi
:00403E8F 50           push eax
:00403E90 E88BFFFFFF   call 00403E20
:00403E95 B201         mov dl, 01
:00403E97 8D4BFF       lea ecx, dword ptr [ebx-01]
:00403E9A D2E2         shl dl, cl
:00403E9C 22D0         and dl, al
:00403E9E 5E           pop esi
:00403E9F 5B           pop ebx
:00403EA0 80FA01       cmp dl, 01
:00403EA3 1BC0         sbb eax, eax               ; eax= -1
:00403EA5 F7D8         neg eax                    ; set Good_Guy flag
:00403EA7 C20800       ret 0008

* Referenced by a Jump at Addresses:00403E69(C), :00403E72(C), :00403E77(C)
:00403EAA 33C0         xor eax, eax               ; Bad_Guy#2
:00403EAC 5E           pop esi
:00403EAD 5B           pop ebx
:00403EAE C20800       ret 0008

Obviously, patching the jnb Bad_Guy#2 is enough to a have a full working version ('comprehensive mode').
There are two calls to offsets :00403F00 and :00403E20. Here is the code for the first one:

:00403F00 83EC04       sub esp, 00000004
:00403F03 8D442402     lea eax, dword ptr [esp+02]
:00403F07 50           push eax
:00403F08 E8B3FFFFFF   call 00403EC0
:00403F0D 85C0         test eax, eax
:00403F0F 752B         jne 00403F3C
:00403F11 6A3A         push 0000003A

* Reference To: W32SSI.wSSIMemR, Ord:0015h
:00403F13 E8A8410300   Call 004380C0
:00403F18 3D6E610000   cmp eax, 0000616E
:00403F1D 7517         jne 00403F36
:00403F1F 6A3B         push 0000003B

* Reference To: W32SSI.wSSIMemR, Ord:0015h
:00403F21 E89A410300   Call 004380C0
:00403F26 3D00210000   cmp eax, 00002100
:00403F2B 7509         jne 00403F36
:00403F2D B801000000   mov eax, 00000001
:00403F32 83C404       add esp, 00000004
:00403F35 C3           ret

* Referenced by a Jump at Addresses:00403F1D(C), :00403F2B(C)
:00403F36 33C0         xor eax, eax                 ; Bad_Guy
:00403F38 83C404       add esp, 00000004
:00403F3B C3           ret

* Referenced by a Jump at Address:00403F0F(C)
:00403F3C B801000000   mov eax, 00000001
:00403F41 83C404       add esp, 00000004
:00403F44 C3           ret

Nothing to explain here, everything is clear again: W32ssi.dll is the DLL that will check for your dongle by calling its driver.
I was just wondering if this 'comprehensive mode' was the full version, so I created a 300Kb MIF file with FrameMaker 5.5 and converted it with S-Tagger without any problem and the program works well.
 


XinTianMa C
-Description:
CJK (Chinese-Japanese-Korean) language software for word processing and viewing of CJK encoded web pages for E-Windows 95/3.1, C-Windows (Traditional & Simplified), J-Windows and DOS.
-OS:
Win95/Win3.xx/DOS.
-Protection:
Dongle (parallel ). Driver: unknown (internal).
-Misc.:
Does NOT run if no dongle detected.

If you ever get connected to XinTianMa's site, you'll be surprised to read on top of each page:
'This page generated by an evaluation copy of the Microsoft Merchant Server.'
Ohhh, Naughty boys...

This DOS tool doesn't use any external dongle driver, but its own one linked inside the main .exe : xtmg.exe 413Kb. Only this file is protected.
Running it will display the following message: 'error : XTMG requires dongle.'
 
 Bpio -h 378 and SoftICE pops here:

00018939: 42           inc    dx
0001893A: 42           inc    dx
0001893B: EC           in     al,dx
0001893C: 8AE0         mov    ah,al
0001893E: 0C04         or     al,004
00018940: 24BF         and    al,0BF
00018942: EE           out    dx,al
00018943: 51           push   cx
00018944: 8B0E7822     mov    cx,[02278]
00018948: E2FE         loop   000018948
0001894A: 59           pop    cx
0001894B: 4A           dec    dx
0001894C: 4A           dec    dx
0001894D: B0FF         mov    al,0FF
0001894F: EE           out    dx,al
........
There's another similar one located elsewhere in the program. Both routines are called alternatively. The reason is that the program will search for 2 different RetCodes.
 

3 pret later, we land in the middle of this routine:

00018611: 55            push   bp
00018612: 8BEC          mov    bp,sp
00018614: 57            push   di
00018615: 56            push   si
00018616: 8B7E06        mov    di,[bp][00006]
00018619: C706F040C96E  mov    w,[040F0],06EC9  ; Store correct RetCode#1 in [40F0]
0001861F: C706F2404B3F  mov    w,[040F2],03F4B  ; Store correct RetCode#2 in [40F2]
00018625: 0BFF          or     di,di            ; Is it the first time we get here?
00018627: 7512          jne    00001863B
00018629: 6A29          push   029
0001862B: FF363C22      push   w,[0223C]
0001862F: FF363A22      push   w,[0223A]
00018633: 9A1E001725    call   02517:0001E
00018638: 83C406        add    sp,006
0001863B: 2BF6          sub    si,si
0001863D: 3BF7          cmp    si,di            ; Have both RetCodes been checked and OKayed?
0001863F: 7327          jae    000018668        ; jmp to Good_Guy
00018641: 1E            push   ds
00018642: 683E22        push   0223E            ; Prepare welcome message...
00018645: 0E            push   cs
00018646: E8A7FF        call   0000185F0        ; Check // port for dongle
00018649: 5B            pop    bx
0001864A: 5B            pop    bx
0001864B: 3B06F040      cmp    ax,[040F0]       ; Check if RetCode#1 OK
0001864F: 7513          jne    000018664        ; If not, jump and try again
00018651: 1E            push   ds
00018652: 685722        push   02257            ; Prepare copyright message...
00018655: 0E            push   cs
00018656: E897FF        call   0000185F0        ; Check // port for dongle
00018659: 5B            pop    bx
0001865A: 5B            pop    bx
0001865B: 3B06F240      cmp    ax,[040F2]       ; Check if RetCode#2 OK 
0001865F: 7503          jne    000018664        ; If not, jump and try again
00018661: 46            inc    si               ; inc Check_Dongle counter
00018662: EBD9          jmps   00001863D        ; jmp back
00018664: 2BC0          sub    ax,ax            ; Bad_Guy (clear ax)
00018666: EB03          jmps   00001866B
00018668: B80100        mov    ax,00001         ; Set Good_Guy flag
0001866B: 5E            pop    si
0001866C: 5F            pop    di
0001866D: C9            leave
0001866E: CB            retf                    ; Back to caller

0001866F: 55           push   bp
00018670: 8BEC         mov    bp,sp
00018672: 56           push   si
00018673: BE0100       mov    si,00001
00018676: 83FE04       cmp    si,004            ; Check_Dongle counter =<4 ?
00018679: 7720         ja     00001869B         ; jmp to Bag_Guy if >=5
0001867B: 56           push   si
0001867C: 9A1B003215   call   01532:0001B -
00018681: 5B           pop    bx
00018682: 0BC0         or     ax,ax
00018684: 740C         je     000018692   -
00018686: FF7606       push   w,[bp][00006]
00018689: 0E           push   cs
0001868A: E884FF       call   000018611         ; Call previous routine
0001868D: 5B           pop    bx
0001868E: 0BC0         or     ax,ax             ; Is it OK?
00018690: 7503         jne    000018695         ; jmp Good_Guy
00018692: 46           inc    si                ; inc Check_Dongle counter
00018693: EBE1         jmps   000018676         ; jmp back and try your luck again.
00018695: B80100       mov    ax,00001          ; Set Good_Guy flag...
00018698: 5E           pop    si
00018699: C9           leave
0001869A: CB           retf
0001869B: 2BC0         sub    ax,ax             ; Bad_Guy flag
0001869D: 5E           pop    si
0001869E: C9           leave
0001869F: CB           retf
...
000186F8: E874FF       call   00001866F         ; Call the above routine
000186FB: 5B           pop    bx
000186FC: 0BC0         or     ax,ax             ; Dongle or no dongle ?
000186FE: 7521         jne    000018721
...
00018721: B80100        mov    ax,00001         ; found it, go ahead
00018724: CB            retf
0001869B: 2BC0          sub    ax,ax            ; otherwise clear ax and exit
0001869D: 5E            pop    si
0001869E: C9            leave
0001869F: CB            retf
 
The program check the RetCode#1 and, if it is not correct, will check it again 3 times. After that, if it is still the wrong RetCode you are sent away otherwise it will do the same job for the RetCode#2.
The stupid part of this code is when the program stores the 2 correct RetCodes, and the fact that everything is located in same area. Hard to miss it!
As there are at least one dozen different ways to patch and crack this, I let you decide which one you prefer, there's no need to explain this.


OmniMark v3R1a Win95
-Description:
Perform large-scale conversion and mark-up of text and data for delivery in print or on CD-ROM, as well as allow Intranet and website builders to automate the presentation of individualized content
-OS:
Win95 (there are other versions for DOS/Win3.XX, NT, OS/2).
-Protection:
Dongle (parallel ). Driver: Hasp95.vxd.
-Misc.:
Does NOT run if no dongle detected.

This 32bit app will run in a DOS box. I tried it and it appears to be fast and very efficient.

That's another Hasp dongle! Let's bash it too.
With Hiew, we can quickly locate the main hasp routine in the main executable (omnimark.exe 1.5Mb): 00133548 (:00533548 with SoftICE or W32Dasm).
Running the program will display:
'Authorization failed. Exiting OmniMark.'

Though it's just another stupid protection, I add it here for 2 reasons:
1) though I cracked several Hasp protected softs, this is the first one I found that will clear eax for the Good_Guy and set it to 1 for the Bad_Guy:

:0041104A 6A01          push 00000001
:0041104C E8F7241200    call 00533548                    ; Call Hasp Service#1
:00411051 83C424        add esp, 00000024
:00411054 837DFC00      cmp dword ptr [ebp-04], 00000000 ; Is it a Hasp (RetCode#1 should be =0x01)
:00411058 0F850A000000  jne 00411068                     ; Good_Guy jump
:0041105E B801000000    mov eax, 00000001                ; Set Bad_Guy_Flag
:00411063 E9A6020000    jmp 0041130E                     ; terminate
The first time I ran it, I just put a BPX on the main Hasp routine, get back to the caller and make it jump (as usual) until the mov eax,1 at the end of this routine and.. got this 'Authorization failed' message.

2) one tip, that works sometimes, is to search for some ofently used instructions like the Jmp Next_Instruction (0xe90000000)located at the end of the main routine that will call the dongle routine. It is useless and only used instead of 5 nop:

:00410BD1 E8AA030000              call 00410F80
:00410BD6 83C404                  add esp, 00000004
:00410BD9 E900000000              jmp 00410BDE           ; useless
:00410BDE 5F                      pop edi
:00410BDF 5E                      pop esi
:00410BE0 5B                      pop ebx
:00410BE1 C9                      leave
:00410BE2 C3                      ret
...
...
:004112EA 85C0                    test eax, eax
:004112EC 0F8412000000            je 00411304
:004112F2 8B45E0                  mov eax, dword ptr [ebp-20]
:004112F5 A34C2C5600              mov dword ptr [00562C4C], eax
:004112FA C7059C3E56009A1F4100    mov dword ptr [00563E9C], 00411F9A
:00411304 B801000000              mov eax, 00000001
:00411309 E900000000              jmp 0041130E           ; useless
:0041130E 5F                      pop edi
:0041130F 5E                      pop esi
:00411310 5B                      pop ebx
:00411311 C9                      leave
:00411312 C3                      ret
 
 
 

Well, that's all to say about this soft, because if you disasm it and have a look in the String data refs, you'll get:

:004018ED E828F30000    call 00410C1A            ; Check dongle
:004018F2 85C0          test eax, eax
:004018F4 0F8512000000  jne 0040190C
:004018FA 687C115400    push 0054117C      ; 'Authorization failed. Exiting OmniMark'.
:004018FF E894F20000    call 00410B98
:00401904 83C404        add esp, 00000004
:00401907 E864F20000    call 00410B70
:0040190C E92F000000    jmp 00401940

No comments here as well about how to crack it...
 





 

And now, just for the fun, as I started my essay with Aladdin informations and tips about 'how_to_protect_better_your_soft_with_our_state_of_the_art_dongle', I though it may be worth having a quick look at one of the free tools you can get on their site: Haptest.exe
Description:
'Hasptest is a simple program that checks the existency of FotoWare protection dongles. It will report the different dongles found on your system. This can be used to check that all dongles are found, and that they are working properly.'
 

Here is just one piece of code from this 60Kb .exe file (all other calls to the dongle are strictly similar):

:00401BD6 6A02              push 00000002
:00401BD8 E823F4FFFF        call 00401000                               ; Hasp routine service #2
:00401BDD 83C424            add esp, 00000024
:00401BE0 817C240867B80000  cmp dword ptr [esp+08], 0000B867            ; Is RetCode1=0xB867 ?
:00401BE8 752C              jne 00401C16                                ; Bad_Guy_Jump
:00401BEA 817C240C964D0000  cmp dword ptr [esp+0C], 00004D96            ; Is RetCode2=0x4D96 ?
:00401BF2 7522              jne 00401C16                                ; Bad_Guy_Jump
:00401BF4 817C241098BD0000  cmp dword ptr [esp+10], 0000BD98            ; Is RetCode3=0xBD98 ?
:00401BFC 7518              jne 00401C16                                ; Bad_Guy_Jump
:00401BFE 817C2414366A0000  cmp dword ptr [esp+14], 00006A36            ; Is RetCode4=0x6A36 ?
:00401C06 750E              jne 00401C16                                ; Bad_Guy_Jump
:00401C08 6A40              push 00000040                               ; Good_Guy
:00401C0A 6838514000        push 00405138                               ; 'HASP TEST'
:00401C0F 68C0504000        push 004050C0                               ; 'FotoSync CSF HASP found'
:00401C14 EB0C              jmp 00401C22
:00401C16 6A10              push 00000010                               ; 'HASP TEST'
:00401C18 6838514000        push 00405138                               ; '** NO FotoSync CSF HASP found **'
...
...
Well, since they advise programmers to better protect their softs, I thought they might have taken this opportunity to do the same with their own programs...
 

That's all.
If I don't get a 'Dongle overdose' within the next few hours, and if I am smart enough, I may go and try to fetch all free dongle softs available on the Net, put them in a list and mail it to +Reverser for the +HCU.
 


OK, he did it: here it is

Frog's Print - January 29, 1998

Ob Duh

I wont even bother explaining you that you should BUY the relevant target programs if you intend to use them for non-study purposes. Should you want to STEAL this software instead, you don't need to crack its protection scheme at all: you'll find it on most Warez sites, complete and already regged, farewell.

You are deep inside reverser's page of reverse engineering, choose your way out:


Back to advanced cracking

redhomepage redlinks redanonymity +ORC redstudents' essays redacademy database
redtools redjavascript wars redcocktails redantismut CGI-scripts redsearch_forms redmail_reverser
redIs reverse engineering legal?