Advanced cracking

A slightly different kind of dongle cracking
by Dr. Fuhrball
4 October 1998


Courtesy of fravia's pages of reverse engineering

Well, Dr Fuhrball calls the investigation of a Visual Basic target through a pure software approach (dead listing and smartchecking) 'méthode à la fravia', which is flattering yet unacceptable, since these methods are known "depuis l'aube de la crackhumanité". Dr Fuhrball demonstrates here how a hardware approach ("à la +ORC") can be at times very useful in dongle cracking. Yet something puzzles me: "Numega's smartcheck shows absolutely nothing"... are you sure smartcheck's settings were right Dr Fuhrball? If so it would be REALLY worth checking WHY smartcheck failed... (Matt, r you reading this?). And now enjoy this (advanced) dongle reversing essay...



A slightly different kind of dongle cracking by Dr. Fuhrball



Today's target is an extremely expensive program with a highly limited
market. It's a tool for advanced modeling and simulation of a mechanical
device. The two pieces of software plus the data acquisition box cost
over $100,000 USD. A search of companies that would be in a position to
use such software came up with fewer than 100 worldwide. The program
is not available on the net.



HINT:	4 wheels



It does, however, use a slight twist on a trick, which makes it interesting
to explore.



This program is massive: 20 custom DLLs written in C++ and 30 VB OCXs,
29 of which are natively compiled and one of which is compiled to P-code.



Two days of soft-icing and wdasming basically led nowhere, because of an
interesting trick exposed later. After a weekend of tracing through the
VB5 virtual machine and looking at virtually everything, I finally
discovered 3 different places where the dongle code was called.
Two were in the C++ DLLs, which took about 10 minutes each. The OCX was
an entirely different matter.



After spending these two days on the "méthode à la fravia" I got tired and went
back to "Dr. Fuhrball's patented hardware method". This produced results
in under an hour.



Normally at home I would have used my personal logic analyzer, a
Tektronix 7d01F2. But I was at work and had a better one, this time a
Biomation K205. This really nice antique has the additional property of
being able to run completely clockless. Setting the jitter time to
20 nanoseconds and recording only on state changes gave a pretty picture
of exactly what was going on.



Oh, lookie, absolutely every time the dongle is accessed, absolutely the
same information is returned. There are alienation bits similar to the
Microphar technique, but printing out 3 different sets of patterns
and holding them up to the light shows the typical device:
one output data line, one output clock line, and one input data line.



Sad really, one of these days I might actually find a dongle used in a
way that's gonna be really tough.
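To make the analyzer's finding concrete, here is an added Python model (not code from the essay or from any dongle vendor) of such a capture: it samples both data lines on rising clock edges, splits off the 84-clock preamble, and checks whether the 8-bit reply changes with what the host sent. The captures, the alternating reply value and the parity-based contrast device are constructed for the example.

```python
# Added example, not code from the essay. Models what the analyzer showed:
# 84 host clocks, then an 8-bit reply that ignores what the host sent.
PREAMBLE_CLOCKS = 84   # clocks the host sends before the dongle answers
REPLY_BITS = 8

def build_frame(host_bits, reply_bits):
    """Construct a sampled trace of (clk, host_data, dongle_data) tuples;
    each clock period is one sample with clk low, then one with clk high."""
    samples = []
    for i in range(PREAMBLE_CLOCKS + REPLY_BITS):
        host = host_bits[i] if i < PREAMBLE_CLOCKS else 0
        dongle = reply_bits[i - PREAMBLE_CLOCKS] if i >= PREAMBLE_CLOCKS else 0
        samples += [(0, host, dongle), (1, host, dongle)]
    return samples

def decode_frame(samples):
    """Sample both data lines on each rising clock edge and split the
    bit stream into the host's preamble and the dongle's reply."""
    host, dongle, prev_clk = [], [], 0
    for clk, h, d in samples:
        if clk and not prev_clk:        # rising edge: data lines are stable
            host.append(h)
            dongle.append(d)
        prev_clk = clk
    if len(host) < PREAMBLE_CLOCKS + REPLY_BITS:
        raise ValueError("truncated capture")
    return host[:PREAMBLE_CLOCKS], dongle[PREAMBLE_CLOCKS:PREAMBLE_CLOCKS + REPLY_BITS]

def reply_is_static(frames):
    """True when different preambles all draw the same reply: the reply
    does not depend on the challenge, so a fixed pattern satisfies it."""
    decoded = [decode_frame(f) for f in frames]
    preambles = {tuple(p) for p, _ in decoded}
    replies = {tuple(r) for _, r in decoded}
    return len(preambles) > 1 and len(replies) == 1

def dependent_reply(host_bits):
    """Toy contrast only (not any real dongle's algorithm): each reply bit is
    the parity of every eighth preamble bit, so the reply tracks the challenge."""
    return [sum(host_bits[i::REPLY_BITS]) % 2 for i in range(REPLY_BITS)]

# Constructed preambles (what the host clocked out) and the fixed alternating
# reply like the one the PIC listing below clocks out.
PREAMBLES = [[0] * PREAMBLE_CLOCKS, [1] * PREAMBLE_CLOCKS,
             [i % 2 for i in range(PREAMBLE_CLOCKS)]]
FIXED_REPLY = [0, 1, 0, 1, 0, 1, 0, 1]
STATIC_CAPTURES = [build_frame(p, FIXED_REPLY) for p in PREAMBLES]
DEPENDENT_CAPTURES = [build_frame(p, dependent_reply(p)) for p in PREAMBLES]
```

A device whose reply is a function of the challenge fails the static test, which is the property the dongle here lacked.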



As an aside, after reading fravia's message board, where a guy was asking
about the Autocad crack, I took a look at it, and less than 15 minutes
later had that one obliterated using the same technique described below.



Notice: some of the code below has been slightly modified to force you
to actually learn something about how this works.



I decided to write a dongle emulator using a PIC chip (www.microchip.com).
Numerous assemblers, most of which are shareware or freeware, are
available all over the net. You will need a PIC programmer however, like
the one that Parallax sells.





;PICC54 with 4mhz clock
;instructions take 1 microsecond
;fuses cp=off, wdte=enabled, osc=xt

;count the correct number of pulses ignoring any data
;then output the correct acknowledgement
;its amazing how many different dongles this variation
;on a theme works on

;equates

portb   equ     6
w       equ     0
count   equ     8
pic54   equ     1FFH

        org     0
start   goto    main

main    movlw   B'00000100'
        tris    portb

;now wait for SLCT = 1
L1      btfss   portb,1
        goto    L1

;now wait for SLCT = 0
L2      btfsc   portb,1
        goto    L2

;now count 84 clock times
        movlw   84
        movwf   count

;wait for clock=0
L3      btfsc   portb,2
        goto    L3

;wait for clock = 1
L4      btfss   portb,2
        goto    L4

        decfsz  count,f
        goto    L3

; now funnel the correct data out

;wait for clock = 0
L4      btfsc   portb,2
        goto    L4

; output databit 0
        movlw   0
        movwf   portb

;wait for clock = 1
L5      btfss   portb,2
        goto    L5

;wait for clock = 0
L14     btfsc   portb,2
        goto    L14

; output databit 1
        movlw   4
        movwf   portb

;wait for clock = 1
L15     btfss   portb,2
        goto    L15

;wait for clock = 0
L24     btfsc   portb,2
        goto    L24

; output databit 2
        movlw   0
        movwf   portb

;wait for clock = 1
L25     btfss   portb,2
        goto    L25

;wait for clock = 0
L34     btfsc   portb,2
        goto    L4

; output databit 3
        movlw   4
        movwf   portb

;wait for clock = 1
L35     btfss   portb,2
        goto    L35

;wait for clock = 0
L44     btfsc   portb,2
        goto    L44

; output databit 4
        movlw   0
        movwf   portb

;wait for clock = 1
L45     btfss   portb,2
        goto    L45

;wait for clock = 0
L54     btfsc   portb,2
        goto    L54

; output databit 5
        movlw   4
        movwf   portb

;wait for clock = 1
L55     btfss   portb,2
        goto    L55

;wait for clock = 0
L64     btfsc   portb,2
        goto    L64

; output databit 6
        movlw   0
        movwf   portb

;wait for clock = 1
L65     btfss   portb,2
        goto    L65

;wait for clock = 0
L74     btfsc   portb,2
        goto    L74

; output databit 7
        movlw   4
        movwf   portb

;wait for clock = 1
L75     btfss   portb,2
        goto    L75

        clrwdt
        goto    L1

        org     pic54
        goto    start

        END







This works great, however it's certainly not a "méthode à la fravia", in
that we have not actually learned anything about cracking the software.

OK, now that we know what's going on, we can go back into reversing and
modify the DK12wn32.dll code, which is the dongle driver.



Here is a code snippet:





Exported fn(): FindDK12 - Ord:0008h
:200012DD 55                      push ebp
:200012DE 8BEC                    mov ebp, esp
:200012E0 83EC0C                  sub esp, 0000000C
:200012E3 53                      push ebx
:200012E4 56                      push esi
:200012E5 57                      push edi
:200012E6 33C0                    xor eax, eax
:200012E8 66A114300020            mov ax, word ptr [20003014]
:200012EE 8945F4                  mov dword ptr [ebp-0C], eax
:200012F1 E9A0000000              jmp 20001396

* Referenced by a  Jump at Address:2000139A(C)
|
:200012F6 6AFF                    push FFFFFFFF
:200012F8 A18C500020              mov eax, dword ptr [2000508C]
:200012FD 50                      push eax

* Reference To: KERNEL32.WaitForSingleObject, Ord:026Ah
                                  |
:200012FE FF15D8600020            Call dword ptr [200060D8]
:20001304 8B4508                  mov eax, dword ptr [ebp+08]
:20001307 50                      push eax
:20001308 E80B080000              call 20001B18
:2000130D 83C404                  add esp, 00000004
:20001310 668945F8                mov word ptr [ebp-08], ax
:20001314 6A00                    push 00000000
:20001316 6A01                    push 00000001
:20001318 A18C500020              mov eax, dword ptr [2000508C]
:2000131D 50                      push eax





I think you all know what to do with the first few lines of the
routine to make it always return the right return code. But once again
it's not the "méthode à la fravia".



Back to this annoying OCX.



(I do not need to show the two DLLs, as they are trivial.)





This OCX is compiled to VB5 P-code. Numega's SmartCheck shows absolutely
nothing. W32dsm89 is also of no use; it generates garbage. Softice
is of some use, but traveling through the VB5 virtual machine is tons of
fun.



I started writing a VB5 P-code decompiler, and kept adding to it as
I encountered P-codes that I did not know. Someday I may actually
complete it with all the P-codes and then publish it. It's a true mess
at the moment, which is why I will not publish it now.



Anyway, back to the OCX. With the dongle installed, debugging through the
mess kept hitting VB5 On Error handlers. Without the dongle installed there
are no On Error events, but the code does not run. To make a long story
short, here is some pseudo code that shows the trick.





ON ERROR GOTO continuetoprocess

mound of initialization and setup code here

Call the 32 bit dongle code, which calls the dongle VxD.
In particular we are looking for a dongle with developer id = XXXXXXX;
the return code is 0 for not installed, or 1, 2, 3 for the device
found on port LPT1, 2, 3.

A = FindDK12(XXXXXX, , , ...)
B = A - 1
C = 100.0 / B
B = B - 1
C = 100.0 / B
B = B - 1
C = 100.0 / B

print out the fact that the dongle was not found!
goto YOULOSE

continuetoprocess:

Therefore: if the error code is floating point divide by zero, then
we must have found the dongle!

(this is a little bogus, but is REALLY how the code works.)
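The control flow above, as an added Python model that is not part of the essay: find_dk12_stub stands in for the driver export, the return-code convention is the one the pseudo code gives, and the outcome table also covers return codes outside 0..3, which the pseudo code does not spell out.

```python
# Added example, not code from the essay: a model of the OCX's divide-by-zero
# trick. find_dk12_stub is a stand-in for the FindDK12 driver export.
def find_dk12_stub(lpt_port_with_dongle):
    """Stand-in for FindDK12: 0 when no dongle answers, else the LPT number."""
    return lpt_port_with_dongle

def check_dongle(lpt_port_with_dongle):
    """Mirror of the pseudo code. Nothing in the straight-line path compares
    the return value, and the only visible exit reports failure; the success
    path is the error handler, entered when one of the divisors reaches zero."""
    try:
        a = find_dk12_stub(lpt_port_with_dongle)
        b = a - 1
        c = 100.0 / b          # raises for a == 1 (LPT1)
        b = b - 1
        c = 100.0 / b          # raises for a == 2 (LPT2)
        b = b - 1
        c = 100.0 / b          # raises for a == 3 (LPT3); c itself is never used
        return "YOULOSE"       # reached only when no divisor hit zero
    except ZeroDivisionError:  # VB's On Error target: continuetoprocess
        return "continuetoprocess"

def outcome_table(return_codes=range(-1, 6)):
    """Which path each possible return code takes. Only 1, 2 and 3 reach the
    success path; 0 and any unexpected code (negative, or a port above 3) fall
    through to the failure message, so the trick is tied to exactly three
    LPT ports and would need another subtraction step for a fourth."""
    return {code: check_dongle(code) for code in return_codes}
```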





Cute little trick. What this shows is that the statement

IF Visual Basic THEN cracked at once

is not necessarily true!





Next I will write an OCX using the above tricks and a few more
to show that cracking VB-based protection schemes can be much
tougher than you might think.



But it's time for me to have some down time to listen to my new
Wilson speakers.

