Bashing LPT-Parasites
DONGLES: The weak brothership between hard- and software
Project 3
16 February 1998
by MaD
Courtesy of Reverser's page of reverse engineering
slightly edited
by reverser+

Well, Mad is slowly specialisying in dongles, and this essays brings very important teachings for ALL shareware protectors too: the point of using a dongle (if you really think you should, in our opinion that is a waste of money, a good protection in assembly coded by you yourself will be MUCH more strong than a dongle protection)... anyway, if you use a dongle, then use it as an encryption machine, play with the return values, use filters and mathematical gimmicks INSIDE it... never never never never just perform a "IS dongle there? No: ax=0, yes:ax=1" stupid check... or else blame yourself...
The 'spaghetti' code of the dongle calling snippets is also pretty intersting... clearly someone had very funny ideas about how to use dongles here :-)
Very useful for

There is a crack, a crack in everything That's how the light gets in
(x)Beginner (x)Intermediate ( )Advanced ( )Expert

Like in my last essay about dongles, this is again a partner-ship where the dongle may be strong (who knows?) but the software is certainly the weak and poorly element. It's a very straight forward and simple to see through work.
Bashing LPT-Parasites
The weak brothership between hard- and software
Written by MaD [CPT]

Well no so long ago I wrote my first essay on dongle protections,I got another one in my
hands and had an option the 'try' in at home ;).... Todays target also uses the dongle just
for checking if it's there or not .... and is checked ever time you call a small selection
of routines... (for instants the print-routine ...)
So the dongle once more missed it's target in my option (also see dong_mad.htm), I mean
using the dongle for jump-information in the source or maybe even better, encryption and 
decryption on the fly (I think even more powerful)...
Why the simple is_dongle_there,_then_run,_else_nag routine !!!! Anyway just flip your 
favorite CD in your CD-ROM player (I recommend any CD from THE DOORS :))))) Come on baby
fight my lighter (or what did jimmy boy sing ???)and look at my essay and see again a 
stupid brothership between hard- and software .... :(

Tools required
Well it's again soft-ice 3.x (what else??) and your own favorite hex-editor , I always use ultraedit 5.00a

Target's URL/FTP
No URL available.... This software has a very small group of people as target. (I don't want to say any more)
Program History
(Sorry I prefer not to reveal this target's name... see, it's a very specialized program, which is very useful for very few people. I don't want to damage the Authors... hey! What we want is to understand protection schemes, right? Who cares about the exact bits and bytes?)


Okay ... Let's look at this target, I start to install which was very slow ..
I stopped the installation after the third floppy and there is an executable in the target
directory .... I ran the target and yes in came alive by telling me it didn't
see the dongle on the parallel port and now switched to demo-mode ....
Well as usual I run the program in both states, so I plugged this dongle to the parallel port, 
and no message is displayed. When the dongle is disconnected from the PC all seem to work fine
but when certain functions are selected (print for example) it says it won't do that in 
the demo version ... when connecting the dongle straight away and hit print again, my 
nice Deskjet 690C starts printing away... This could mean that we might have an dongle that
is providing the software jump-info (offset data I mean).
okay let's get physical .... I fired up softice and set the usual breakpoint on LPT1 
(BPIO -H 378 R). This will give us an entry in the target on the follow position.
We are here right in the middle of the chat_to_dongle routine (16 bit source), since I'm a very
curious and impulsive person, I like to see the call that is responsible for the execution. So
I just hit on the F12-button a few times (p ret) and I come across the wonderful code (later on
I'll conclude the chat_to_dongle code ...)
Well well, we see a call 0002.005b which hold among other things the dongle_chat routine. After
this call there's a cmp-action, which compares the location [bp-02) with 03 (and it will hold 03
if the dongle is attached to the parallel-port). If you run the target without the dongle 
[bp-02] will hold 00 so ... I ran the program with the dongle, on the fly I unplugged it .... 
press the print-button (which gives you the nag ... this to verify if the program responded) 
now patch the program at 0002.004A, so it compares loc. [bp-02] with 00,and press the print 
button ....  tatatatataaaaa !!!! If you now patch it on the disk, you will see the same routine
is used also for startup ... :(
So again we found a dongle-protection that will only use the dongle as reference, instead of
encryption or jumping !!!
I can't understand why software houses want to protect their software with this crap !!!!
Okay let's look at the dongle-chat routine .... I just picked some highlights out of this 
scheme and explain them ...
The follow routine (0003.0013 - 0003.0079) is used to determine on which LPT-device the 
dongle is plugged.
Here mem.loc. DS:[096E] is check if it contains 0378 ,0278 (in other words LPT1 and LPT2). 
As we can see here that our target must be old or is still compatible with the good old
hercules card because 03BC is used on the hercules graphic-adaptor (integrated)... (I'm not 
talking about the hercules 3D color-adaptor but the ancient mono-hercules). This was also seen 
as LPT1 (long time ago since I've last seen that).
This checking is done, so they can use the same routine at 1.)start-up to check on which port
the dongle is and 2.)check the dongle later on in the program if it's still there BUT without
having to check on which LPT port the dongle is ('cause the routine is very long threaded and
takes time which would be bad for performance).
In this call a check is preformed to test how fast your CPU is so that they can (later on 
in the program, using this info to) time with a simple loop, the delay they need in between
transfers to the dongle. This is stored in ds:0977 and used by a call 07BD (for me that value 
is 1E = pentium 200)
The timing is done by checking on 1017:006C (this is the LSB of the clock-count,see int. 1A/00)
while executing a number of loops in 1/18 of a sec. Okay let's go on before we get to detailed..
Here we can see that the program assumes that the dongle is plugged to LPT1, before entering 
the actual check-routines call 0120,call 01e9. which return in case of an dongle 7B and 
no dongle FF. If the dongle is not found the target will try the next option (see 0003.0044 - 
Here it looks like the previous LPT-port is reset so that any printer attached will not be
effected later when the program is ended. 
If no dongle is found DS:[096E] is set with 0 so the program knows that there is no dongle
I like to show you the timing-routine,
I just commented to lines so I don't have to write down the line-numbers all the time.. (LAZY)
This value stored in DS:0977 is used in the following delay-routine
I don't need to comment that I hope ..... And a example of this routine in action looks like 
this ....
Also no comment needed ....
Okay about the dongle_chat routines, I decided not to include code, it's specific for this 
dongle and won't add any value for later essays or reversals. I will make a conclusion here
about the chat-routine, which is more general and has value for later on.
The CALL 0120 was a very long and spaghetti like structure. Sub_routines would be called 10's
of times after each other to form LONG strings of binary code which were sent to the dongle.
But not once a value was read back, not at port 0379 or 037A and the semi-bi-directional way
(write FFh to the IO-port 0378 (out 0378,ff) and read in right back (in al,378) so that
all the low bits (read zeros) are displayed ....) So this routine is used to enable the hardware
in the dongle. The Call 01E9 there was again a lot of bytes send to the dongle, after this was 
done the target started to read data from IO-port 0379. Testing the received value for bit 20h
, which meant OR CL,CH or don't OR CL,CH. This was following by a SHL CH,1 (okay a little code).
This would give FFh in case the dongle was unplugged and 7Bh in case the dongle was connected.
Final Notes
Well today we see that in this case of a dongle protection, the dongle could also be replaced
by a good serial-scheme. Because the program doesn't really need the dongle to run. The dongle
here will only slow down the program (in theory) in stead of protecting it. I see it as a 
parasite, consuming power and time but doesn't REALLY do what it's suppose to do because the 
combination of the software and the dongle is again to simple.... 
I said in my essay also something about using the dongle as encryption-key on the fly.. Well 
thinking over this statement I now must concluded that in will slow down the software 
performance. But still it's a nice thought, though.
Anyway another dongle has revealed it's true protection capabilities and I hope they will be
improved in the future, otherwise it's a dying bread of protect, I reckon (well ain't it already
by the cost of it ....???)
Have a nice day and keep hunting 
btw. I want to THANK reverser , for not publishing this essay right away... (he knows why ..!!)

Ob Duh
I wont even bother explaining you that you should BUY this target program if you intend to use it for a longer period than the allowed one. Should you want to STEAL this software instead, you don't need to crack its protection scheme at all: you'll find it on most Warez sites, complete and already regged, farewell.
You are deep inside reverser's page of reverse engineering, choose your way out:

Back to project 3

redhomepage redlinks redsearch_forms red+ORC redstudents' essays redacademy database
redreality cracking redhow to search redjavascript wars
redtools redanonymity academy redcocktails redantismut CGI-scripts redmail_reverser
redIs reverse engineering legal?