I have been reading everything I can find regarding Key-Lok lpt dongle, i have an application which runs on redhat linux 9, The protection is in the form of a counter. After x uses, you have to buy another dongle, i tried debugging the application in IDA pro using keylok signature but no luck, in IDA Strings shows "73e8466570a9e2300eeff2.MicroComputers Applications Inc" ...

upload main target software and PM link to me...

I have attached a file

plese let me know the status

OK, I have the target, ran it through IDA myself, and there is pretty much no where to hide in here. No encryption that I saw, or anything like that.

What does it say when you're out of uses?

Invlid Media Card

can somebody help me

Uhhh.. There is someone attempting to help, but he can't seem to get any cooperation. I sent you an e-mail detailing the first of the shared objects that I need in an attempt to execute the app so that I can see what's going on.

What happened with that?

i have sent u mail

what is happing below can some one tell me


align 10h
push ebp
mov ebp, esp
sub esp, 74h
push esi
push ebx
push 2
push offset aDevWindrvr ; "/dev/windrvr"
call _open
mov esi, eax
add esp, 8
cmp esi, 0FFFFFFFFh
jz short loc_80636FA
push 38h
push offset a73e8466570a9e2 ; "73e8466570a9e2300eeff2.MicroComputers A"...
lea ebx, [ebp-68h]
push ebx
call _memcpy
add esp, 0Ch
mov dword ptr [ebp-74h], 0A410B413h
mov [ebp-70h], ebx
mov dword ptr [ebp-6Ch], 68h
lea eax, [ebp-74h]
push eax
push 9538244Bh
push esi
call _ioctl
add esp, 0Ch
push esi
call _close

loc_80636FA: ; CODE XREF: .text:080636BCj
lea esp, [ebp-7Ch]
pop ebx
pop esi
mov esp, ebp
pop ebp
retn

; This code just saves the stack pointer, and sets things up to get parameters that might have been passed to the function.

; This opens the device "/dev/windrvr". This windrvr references WinDriver from jungo, and is a "Linux driver for dummies" suite. But it DOES tell us something. It's either talking to a PCI card, or something attached to the USB port.

; This code checks the return value from the call to open above, and verifies that it's not an error (-1). (It also puts the file handle in esi).

; This copies 38h bytes from the string shown, into a buffer pointed at by ebp-68h

; This monkeys around with some data


; This sends the above data, and a command of 9528244Bh to the driver through the IOCTL interface, using the handle it obtained from the open call above. (it's in esi)

; Using the handle in esi once again, it calls CLOSE to state that it's done with talking to the driver/

; This cleans up the stack, and returns to the caller.



SO, basically, it's just sending a command to a device driver. What that command IS, is detailed above, what it DOES is an entirely different matter, and you'd need to disassemble the driver to find that out.

After much struggle i found only one func call (instead of Kfunc)


void func(void)
func proc near ; CODE XREF: sub_805321C+7p
; sub_8053A9C+3p
; DATA XREF: ...
push ebp
mov ebp, esp
cmp dword_809CA70, 0
jz short locret_8053218
push 0
call sub_8053144
push offset stru_80A23E0 ; struct termios *
push 2 ; int
push 0 ; int
call _tcsetattr
push ds:dword_80A241C ; _sig_func_ptr
push 1 ; int
call _signal
push ds:dword_80A2420 ; _sig_func_ptr
push 2 ; int
call _signal
add esp, 20h
push ds:dword_80A2424 ; _sig_func_ptr
push 3 ; int
call _signal
push ds:dword_80A2428 ; _sig_func_ptr
push 0Fh ; int
call _signal
push ds:dword_80A23C0 ; void *
call _free
push ds:dword_80A23C4 ; void *
call _free
mov dword_809CA70, 0
locret_8053218: ; CODE XREF: func+Aj
leave
retn
func endp