tazBRC
July 8th, 2009, 08:57
Hello All,
First of all I would like to introduce myself. I've been cracking since '98, but in the meantime I'd stopped cracking for some reasons and came back to cracking because I missed this life, and so on, until this week I was requested to crack a dongle from an OLD company called PROTEQ, now called SafeNet.
Now, as this is my first contribution to this forum, I may start with some dongle cracking WITH the dongle.
I have not been programming or cracking for the last 2 years, and as I don't work with computers, I've lost my programming skills.
Let's stop talking and start:
The target is a software with PROTEQ dongle protection.
The Proteq SDK for this version of the dongle just READS static data from the dongle.
Pretty much a piece of cake: the method that I used to crack was to build a NEW DLL that returns the expected code to the software.
As it is a STATIC dongle, it can be reversed just by returning the right code to the software.
I have not found the version of this dongle. It's a USB key, but this won't impact the reversing.
The dongle has 3 parts:
1) C50032.DLL: the communication library to the dongle's driver
2) PROTEQ.SYS: Win32 driver - communication to the USB key
3) USB key itself.
The software calls the C50032.C500 function and expects bytes as result (read from the USB key).
Function: C500(Parameter pChar) Integer
Parameter: 10 bytes as input, 10 bytes output
C500 Integer: return = 0 for READ OK and negative values for errors.
This version of the dongle has only 2 functions (new versions have around 10 functions).
PASSWORD FUNCTION: This function is used to gain access to read the dongle memory.
Input parameter: 03 + 'PASSWORD!'
Output parameter: 03 + 9 hex values
These returned hex values mean that if you put the right password on input, you will receive 9 hex values as return, and these must match in the software's code. This is generally easily found by debugging the software.
READ FUNCTION: allows reading the memory block (480 bytes)
Input parameter: 01 00 00 ZZ
Output parameter: 01 XX YY ZZ
01: read mode
00: used to store the bytes read from memory
ZZ: memory position for reading
As we can see, ZZ is the position in the memory block from which to read 2 bytes. The return of this function only replaces the word "00 00" with the bytes read.
Now OK, with the dongle in hand, it is very easy to build a DLL that replaces the original one.
Just make a simple program that reads the full content of memory, reading 2 bytes at once.
See below the source code in win32asm for the emulator.
I changed the memory bytes in order to preserve the target software, and sorry for the Portuguese comments.
Code:
;##################################################################
;# tazmanianbrc/2009 - Proteq Emulator #
;##################################################################
.386
.model flat,stdcall
option casemap:none
include \masm32\include\windows.inc
include \masm32\include\user32.inc
include \masm32\include\kernel32.inc
includelib \masm32\lib\user32.lib
includelib \masm32\lib\kernel32.lib
.data
;############################################################################
; Memory block from USB key
;############################################################################
Memory db 00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h
db 00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h
db 01h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h
db 00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h
db 00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h
db 00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h
db 00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h
db 00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h
db 00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h
db 00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h
db 00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h
db 00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h
db 00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h
db 00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h
db 00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h
db 00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h
db 00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h
db 00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h
db 00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h
db 00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h
db 00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h
db 00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h
db 00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h
db 00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h
db 00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h
db 00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h
db 00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h
db 00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h
db 00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h
db 00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h
Autor db 'tazmanian[BRC]',0
Data db '06/07/09',0
.data?
Posicao dd ?
.code
DllEntry proc hInstance:HINSTANCE, reason:DWORD, reserved1:DWORD
mov eax,TRUE
ret
DllEntry Endp
;#####################################################
; Function name: C500
; Parameters: Parametro (DWORD) pointing to a buffer of 4 to 10 bytes
; 4 bytes - XX YY ZZ AA
; XX: 01 or 03 (Read or PASSWORD)
; YY and ZZ: not used (dword where the data read from the dongle will be stored)
; AA: byte giving the address of the byte to read (ranges from 00 to F0)
;----------------------------------------------------
;XX=03
; Passes the password to unlock the dongle; the password is sent to the dongle at the addresses below:
;
;
; Password for the Cardionet dongle = PASSWORD!
;
;XX=01
; Dongle read mode.
; Bytes sent: 01 XX YY ZZ
; 01: Read mode
; XX and YY: 2 consecutive bytes of the dongle, from position ZZ, are stored there
; ZZ: position to read in memory
; Example:
; Bytes sent: 01 00 00 02 (reads bytes 00 and 01 of the dongle memory)
; Bytes returned: 01 41 21 02
; In other words, it reads 2 bytes at a time.
;#####################################################
; In other words, the program
C500 proc Parametro:DWORD
mov [Posicao], edi ;Save EDI
mov edi,[Parametro] ;Move the parameter pointer into EDI
mov Parametro, edi
.if byte ptr [EDI]==3 ;Check whether the 1st byte is 03 (password function)
mov dword ptr [edi+1], 01020304h ;HARDCODED RETURN STRING FOR RIGHT PASSWORD
mov dword ptr [edi+5], 05060708h
mov [Parametro],edi
.elseif byte ptr [EDI]==1 ;Check whether the 1st byte is 01 (read function)
xor edx, edx ;clear edx
xor eax, eax ;clear eax
xor ecx, ecx ;clear ecx
mov al, 2 ;al=2
mov dl, byte ptr [EDI+3] ;dl=position to read (ZZ)
mul dl ;ax=al*dl (byte offset into Memory)
mov cl, byte ptr [Memory+eax] ;cl=first byte read from the buffer
mov byte ptr [EDI+1], cl ;store cl in XX
mov cl, byte ptr [Memory+eax+1] ;cl=second byte read from the buffer
mov byte ptr [EDI+2], cl ;store cl in YY
mov [Parametro], edi ;Save edi back into the Parametro return for the program
xor edx, edx ;Clear EDX
.endif
mov edi, Posicao ;Restore EDI
xor eax, eax ;eax=0: function OK (always returns 0 if the dongle is on the USB)
ret ;return to the program.
C500 endp
End DllEntry
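The call interface described in the post, modelled in Python as an added example (this is not the post's MASM emulator and not PROTEQ/SafeNet code). It shows, from the defender's side, why a dongle that only serves static data is completely described by a bounded transcript of 241 calls (one password call plus 240 two-byte reads), and contrasts it with a constructed keyed challenge-response command that no recorded transcript can answer. Taken from the post: the 480-byte memory, 2 bytes per read, the 03 + 'PASSWORD!' request and the 01 00 00 ZZ request. Constructed here: the memory contents, the 9-byte password reply, the error codes, the 05-prefixed command and its HMAC.

```python
"""Model of the C500 interface from the post: static dongle vs. keyed variant.

Added example, not the post's code and not vendor code. Request formats and
the 480-byte memory follow the post; everything else is constructed.
"""
import hashlib
import hmac
import os

MEMORY_SIZE = 480                          # post: "memory block (480 bytes)"
WORDS = MEMORY_SIZE // 2                   # 240 two-byte positions, ZZ = 00..EF
PASSWORD = b"PASSWORD!"                    # post: password function input
PASSWORD_REPLY = bytes(range(0x11, 0x1A))  # constructed 9-byte reply the software compares


def make_memory(seed: int = 7) -> bytes:
    """Constructed, deterministic stand-in for a key's memory image."""
    return bytes((i * 37 + seed) & 0xFF for i in range(MEMORY_SIZE))


class StaticDongle:
    """Replies depend only on a fixed memory image, as the post describes."""

    def __init__(self, memory: bytes):
        if len(memory) != MEMORY_SIZE:
            raise ValueError("memory must be 480 bytes")
        self.memory = memory
        self.unlocked = False

    def c500(self, buf: bytearray) -> int:
        """C500(pChar): 0 = OK, negative = error (codes constructed); reply overwrites buf."""
        if buf[0] == 0x03:                          # PASSWORD FUNCTION: 03 + 'PASSWORD!'
            if bytes(buf[1:10]) != PASSWORD:
                return -1
            self.unlocked = True
            buf[1:10] = PASSWORD_REPLY              # -> 03 + 9 bytes
            return 0
        if buf[0] == 0x01:                          # READ FUNCTION: 01 00 00 ZZ
            if not self.unlocked:
                return -2
            off = buf[3] * 2                        # ZZ counts 2-byte words
            if off + 2 > MEMORY_SIZE:
                return -3
            buf[1:3] = self.memory[off:off + 2]     # -> 01 XX YY ZZ
            return 0
        return -4


def all_requests():
    """Every request the static interface admits, padded to the 10-byte buffer."""
    yield bytes([0x03]) + PASSWORD
    for zz in range(WORDS):
        yield bytes([0x01, 0x00, 0x00, zz]) + bytes(6)


def record_transcript(dongle) -> dict:
    """Request -> reply for the whole interface. A finite, enumerable table:
    that is the entire weakness of a dongle that only serves static data."""
    transcript = {}
    for req in all_requests():
        buf = bytearray(req)
        if dongle.c500(buf) == 0:
            transcript[req] = bytes(buf)
    return transcript


class ReplayDevice:
    """Answers from a recorded transcript alone; no key present."""

    def __init__(self, transcript: dict):
        self.transcript = transcript

    def c500(self, buf: bytearray) -> int:
        reply = self.transcript.get(bytes(buf))
        if reply is None:
            return -1                               # never saw this request
        buf[:] = reply
        return 0


def same_answers(a, b, requests) -> bool:
    """True when two devices return identical codes and buffers for every request."""
    for req in requests:
        ba, bb = bytearray(req), bytearray(req)
        if a.c500(ba) != b.c500(bb) or ba != bb:
            return False
    return True


class KeyedDongle(StaticDongle):
    """Constructed variant: 05 + 8-byte nonce is answered with
    HMAC-SHA256(key, nonce) truncated to 9 bytes. A fresh nonce is never in a
    recorded transcript, so dump-and-replay stops working."""

    def __init__(self, memory: bytes, key: bytes):
        super().__init__(memory)
        self.key = key

    def c500(self, buf: bytearray) -> int:
        if buf[0] == 0x05:
            nonce = bytes(buf[1:9])
            buf[1:10] = hmac.new(self.key, nonce, hashlib.sha256).digest()[:9]
            return 0
        return super().c500(buf)


def verify_challenge(device, key: bytes) -> bool:
    """Verifier side: send a fresh nonce and check the MAC in constant time."""
    nonce = os.urandom(8)
    buf = bytearray([0x05]) + nonce + b"\x00"
    if device.c500(buf) != 0:
        return False
    expected = hmac.new(key, nonce, hashlib.sha256).digest()[:9]
    return hmac.compare_digest(bytes(buf[1:10]), expected)
```

`same_answers(StaticDongle(mem), ReplayDevice(record_transcript(StaticDongle(mem))), all_requests())` is True: the software has no way to tell the replayed table from the key, which is exactly the situation the post exploits. `verify_challenge(ReplayDevice(...), key)` is False, because the reply depends on a value chosen after the transcript was recorded. The keyed check only raises the bar as far as the verifier's copy of the key is protected, so in practice the reply should feed into something the software needs (key material) rather than be compared and discarded.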