
MAI Keylok on Linux


suryawomshi
March 18th, 2009, 15:17
I have been reading everything I can find about the Key-Lok LPT dongle. I have an application that runs on Red Hat Linux 9; the protection takes the form of a counter: after x uses you have to buy another dongle. I tried debugging the application in IDA Pro using the Keylok signature, but had no luck. In IDA, Strings shows "73e8466570a9e2300eeff2.MicroComputers Applications Inc" ...

FoxB
March 19th, 2009, 09:18
Upload the main target software and PM the link to me...

suryawomshi
March 20th, 2009, 11:57
I have attached a file.

Please let me know the status.


FrankRizzo
March 20th, 2009, 15:06
OK, I have the target and ran it through IDA myself, and there is pretty much nowhere to hide in here. No encryption that I saw, or anything like that.

What does it say when you're out of uses?

suryawomshi
March 21st, 2009, 02:51
Invlid Media Card

suryawomshi
March 29th, 2009, 11:39
can somebody help me

FrankRizzo
March 29th, 2009, 12:40
Uhhh.. There is someone trying to help, but he can't seem to get any cooperation. I sent you an e-mail detailing the first of the shared objects I need in order to run the app, so that I can see what's going on.

What happened with that?

suryawomshi
March 29th, 2009, 12:54
I have sent you mail.

What is happening below? Can someone tell me?


; ------------------------------------------------------------------
; Dongle/driver query routine (IDA listing, 32-bit x86, cdecl calls).
; Opens /dev/windrvr, copies a 0x38-byte constant string into a stack
; buffer, wraps it in a three-dword request block and hands it to the
; driver with a single ioctl(), then closes the descriptor.
; Nothing in this routine inspects the ioctl result: eax is overwritten
; by the following _close, and the stack buffer is discarded at return.
; Whatever the driver decides is therefore only visible through the
; driver's own side effects, or through something the caller does
; afterwards (not shown in this listing).
; Frame layout: [ebp-74h..ebp-6Ch] request block, [ebp-68h] buffer,
;               [ebp-7Ch] saved esi/ebx.  esi = fd, ebx = &buffer.
; ------------------------------------------------------------------
align 10h
push ebp
mov ebp, esp
sub esp, 74h                    ; locals: request block + buffer
push esi
push ebx
push 2                          ; flags = 2 (O_RDWR on Linux)
push offset aDevWindrvr ; "/dev/windrvr"
call _open                      ; fd = open("/dev/windrvr", 2)
mov esi, eax                    ; esi = fd (kept across the calls below)
add esp, 8
cmp esi, 0FFFFFFFFh
jz short loc_80636FA            ; open failed: skip to the epilogue, no error reported here
push 38h                        ; n = 0x38 bytes
push offset a73e8466570a9e2 ; "73e8466570a9e2300eeff2.MicroComputers A"...
lea ebx, [ebp-68h]              ; ebx = &buffer (on the stack)
push ebx
call _memcpy                    ; memcpy(buffer, a73e8466570a9e2, 0x38)
add esp, 0Ch
mov dword ptr [ebp-74h], 0A410B413h ; req[0] = constant tag; its meaning is not established by this listing
mov [ebp-70h], ebx              ; req[1] = &buffer
mov dword ptr [ebp-6Ch], 68h    ; req[2] = 0x68, which equals the distance from the buffer to ebp, though only 0x38 bytes were initialised — possibly a size field, unconfirmed
lea eax, [ebp-74h]
push eax                        ; arg = &req
push 9538244Bh                  ; ioctl request code
push esi                        ; fd
call _ioctl                     ; ioctl(fd, 0x9538244B, &req); return value is never examined
add esp, 0Ch
push esi
call _close                     ; close(fd); clobbers eax

loc_80636FA: ; CODE XREF: .text:080636BCj
lea esp, [ebp-7Ch]              ; esp -> saved ebx (ebp - 74h - 8)
pop ebx
pop esi
mov esp, ebp
pop ebp
retn

FrankRizzo
March 31st, 2009, 22:05
Quote:
[Originally Posted by suryawomshi;79898]i have sent u mail

what is happing below can some one tell me



; This code just saves the stack pointer and sets up a frame so that parameters passed to the function can be reached.
Code:

align 10h
push ebp
mov ebp, esp
sub esp, 74h
push esi
push ebx

; This opens the device "/dev/windrvr". The name refers to WinDriver from Jungo, a "Linux driver for dummies" suite. But it DOES tell us something: it is either talking to a PCI card or to something attached to the USB port.
Code:

push 2
push offset aDevWindrvr ; "/dev/windrvr"
call _open

; This code checks the return value from the open call above and verifies that it is not an error (-1). (It also keeps the file descriptor in esi.)
Code:

mov esi, eax
add esp, 8
cmp esi, 0FFFFFFFFh
jz short loc_80636FA

; This copies 38h bytes from the string shown into a buffer on the stack at ebp-68h.
Code:

push 38h
push offset a73e8466570a9e2 ; "73e8466570a9e2300eeff2.MicroComputers A"...
lea ebx, [ebp-68h]
push ebx
call _memcpy
add esp, 0Ch

; This builds a small three-dword block at ebp-74h: a constant (0A410B413h), the pointer to the buffer just filled (ebx), and the value 68h.
Code:

mov dword ptr [ebp-74h], 0A410B413h
mov [ebp-70h], ebx
mov dword ptr [ebp-6Ch], 68h


; This sends the above block, with a request code of 9538244Bh, to the driver through the ioctl interface, using the descriptor it obtained from the open call above (it's in esi).
Code:

lea eax, [ebp-74h]
push eax
push 9538244Bh
push esi
call _ioctl
add esp, 0Ch

; Using the descriptor in esi once again, it calls close to say it is done talking to the driver.
Code:

push esi
call _close

; This cleans up the stack, and returns to the caller.
Code:

loc_80636FA: ; CODE XREF: .text:080636BCj
lea esp, [ebp-7Ch]
pop ebx
pop esi
mov esp, ebp
pop ebp
retn



So basically it's just sending a command to a device driver. What that command IS is detailed above; what it DOES is an entirely different matter, and you'd need to disassemble the driver to find that out.

suryawomshi
April 3rd, 2009, 12:39
After much struggle I found only one call to func (instead of Kfunc):


void func(void)
func proc near ; CODE XREF: sub_805321C+7p
; sub_8053A9C+3p
; DATA XREF: ...
; Guarded teardown routine: does nothing unless the global flag
; dword_809CA70 is non-zero, and clears that flag at the end so a second
; call is a no-op. Steps: a helper (sub_8053144) with argument 0,
; tcsetattr() on fd 0 with a termios kept in a global, four signal()
; calls that install handler pointers held in globals (SIGHUP, SIGINT,
; SIGQUIT, SIGTERM), then two free() calls on global pointers.
; Looks like an exit-time "restore the terminal and signal handlers" hook,
; but what sub_8053144 does and where the globals were filled in is not
; visible in this listing.
push ebp
mov ebp, esp
cmp dword_809CA70, 0            ; not initialised, or already torn down?
jz short locret_8053218
push 0
call sub_8053144                ; helper with arg 0 (body not shown)
push offset stru_80A23E0 ; struct termios *
push 2 ; int                    ; action 2 = TCSAFLUSH on Linux
push 0 ; int                    ; fd 0 = stdin
call _tcsetattr                 ; tcsetattr(0, TCSAFLUSH, &stru_80A23E0)
push ds:dword_80A241C ; _sig_func_ptr
push 1 ; int                    ; SIGHUP
call _signal
push ds:dword_80A2420 ; _sig_func_ptr
push 2 ; int                    ; SIGINT
call _signal
add esp, 20h                    ; drops the eight dwords pushed so far (cdecl)
push ds:dword_80A2424 ; _sig_func_ptr
push 3 ; int                    ; SIGQUIT
call _signal
push ds:dword_80A2428 ; _sig_func_ptr
push 0Fh ; int                  ; SIGTERM
call _signal
push ds:dword_80A23C0 ; void *
call _free
push ds:dword_80A23C4 ; void *
call _free                      ; the six dwords pushed since add esp,20h are left on the stack
mov dword_809CA70, 0            ; clear the flag: this body runs once
locret_8053218: ; CODE XREF: func+Aj
leave                           ; mov esp, ebp / pop ebp also discards the unpopped arguments
retn
func endp