
Oscilloscope 'tweaking'


SteelWolf
November 17th, 2009, 09:53
Hello,

First of all, sorry for my bad English.
I did read the FAQ, got the tools and made myself halfway familiar with them. I've used OllyDbg with lena151's tips, IDA, and some API monitoring programs.
I watched some of Lena's tutorials but I'm still a noob in reversing; I'm working on that.
I know the basics of ASM and C/C++.

Story:

I'm planning to buy a used digital storage oscilloscope that's worth about $6000.
These scopes are normal PCs with motherboard, graphics card, USB and network ports etc. (plus touchscreen); the scope itself is just a PCI card with connections to the acquisition boards and the front panel, I guess.

Problem:

The problem now is that I would need some of the math and MATLAB functions that you can add as an extra soft-option (requires a key) on the next higher class of oscilloscopes. Every scope has a serial and the key is linked to this serial.

All scopes of the company use the same software; they just have different hardware (sampling rate, bandwidth, bus, etc.).
So the low-class scopes also have all the DLLs for the high-class features in their folder.
The software can be downloaded free from the page of the company and runs on every PC. It just gives an error message
that no hardware was detected and that it's not authorized on the system.


Goal:

My ideal goal now would be to let the software 'think' that it's a better scope, to allow me to add the options of this class of scopes (MATLAB compatibility for example).
If that's impossible then I would, at least, try to gain access to all the soft-option keys for my low-class scope.

I don't know if anyone has experience with something like this.
I would just want to know if it could even be possible before buying a scope for a few thousand $.
Maybe someone could take a short look at the software or tell me what I should post to make it even possible for you to help.

Thank you for reading this and I hope that my post didn't break the rules (I'm awaiting your punishment, JMI :)

squidge
November 17th, 2009, 18:49
We can't tell you whether or not it's possible without actually doing it, and you could never check to make sure it worked without the equipment.

So what you're asking for is for someone to crack some software for you without access to the equipment that they might need to do so.

In short, it's a crack request, and JMI will be along shortly to deliver your punishment

SteelWolf
November 17th, 2009, 18:59

I think there is still a difference between trying to get an overview of the software and cracking it.
What I'm looking for is someone who has experience with software that interacts with hardware,
and where the problems in this topology might be
=> and if solving these problems is even possible for the average user that is on his way to the RE diploma.

FrankRizzo
November 17th, 2009, 22:58
OK, I'll toss you a direction to head off into. You say that the software gives an error message if you don't have the correct hardware. That's your path in! Run the executable (or .dll) through IDA, find that message in the disassembly, and see where the code is that references it.

In the vicinity of that code, you should find something going on that'll tell you if it's just a simple check, or if they actually DO something with the hardware they're expecting to find. If it's the former, even YOU might be able to fix it!

If it's the latter, you'll probably need to study for a while, and then maybe rent the next higher model scope, read the contents of the hardware out, and then make an emulator for that hardware for YOUR scope, or, just patch the data into the EXE. (It sounds worse than it is).

naides
November 18th, 2009, 00:57
I have been in situations just like these, so I can sympathize with you. . .

Things to keep in mind: these instrument-hardware company products are not "for the masses", so they usually do not expect a very sophisticated attack on their software limitations; they actually can "tally" who has what instrument, and if such and such cheated on them, warranty and support are void/you are fucked. So I would expect this to be a simple crack. Case in example: confocal microscopy instruments. A $200.000 piece of hardware, attached to $50.000 analysis software. The protection? A very intimidating USB dongle. The crack? A SINGLE jump change to a function that literally checked for the presence of the dongle and produced an error window saying "no Dongle found"!

Question number 2: Could you "borrow" the instrument and see how doable the crack is? Before investing a hefty 6000, at least do some testing to see how well guarded the code is. . .

Third, lateral solution: if you need MATLAB-based enhancements, Fourier shit etc., do you really need their original applications? Is there a way to export the raw data and develop the analytic tools yourself?? Sounds at least as fun as doing the crack, and actually you will be learning something with academic and perhaps monetary value. . .

SteelWolf
November 19th, 2009, 17:13
Hi,
thanks for the responses.

I did already find the error message in OllyDbg (not IDA though).
Problem is that it loads up about 20 DLLs until the error message appears,
so going in reverse is a bit difficult (didn't learn the right trick yet).
I always land in "ntdll" where it gets terminated and puts out the error message.
Same if I debug the driver installer.

I will definitely buy the 6k machine in about a month (I won't buy it new and also not for the full price, so warranty is 'no problem').

As you already posted the company.. I'll risk it and also post it.
I'm planning to buy a LeCroy WaveSurfer Xs and want the features of a WaveRunner.
They even look identical.
Difference is only speed/rates and the possibility for MATLAB/Excel options and other analyzing features.
Software is free on the page so I don't really need to wait.
(tell me if I should delete the things above)

Is there any tutorial out there regarding communication with installed hardware or driver installation? (Yes, I searched myself... I'm messing around with this for days now so.. I AM putting effort into this.)

PS: [I have a very cheap desktop DSO that communicates over the parallel port.. it's no problem to get the data from there, but I think that I'm not ready for this kind of challenge]

Thank you for your time,
SteelWolf

FrankRizzo
November 21st, 2009, 14:14
Quote:
[Originally Posted by SteelWolf;83738]
I did already find the error message in OllyDbg (not IDA though).
Problem is that it loads up about 20 DLLs until the error message appears,
so going in reverse is a bit difficult (didn't learn the right trick yet).
I always land in "ntdll" where it gets terminated and puts out the error message.
Same if I debug the driver installer.


OK, I'll address this part. Use Windows search to search the directory for the string. It could tell you what .DLL it's in (or .exe for that matter), and then you can IDA that one and concentrate your efforts there.
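A plain file search only finds the message if it is stored as ASCII; Windows binaries very often keep user-facing messages as UTF-16LE, which a text search misses. The scanner below is an added example (not from the thread) that checks both encodings across a directory of .exe/.dll files and reports the file and byte offset of each hit; the sample buffer is constructed inline.

```python
import os

# Constructed sample buffer: one ASCII message, one UTF-16LE message.
SAMPLE = b"\0\0no hardware detected\0" + "not authorized".encode("utf-16-le")


def encodings_of(needle: str) -> dict:
    """Byte patterns a message can take inside a Windows module:
    plain ASCII and UTF-16LE (resource strings, *W API calls)."""
    return {"ascii": needle.encode("ascii"),
            "utf-16le": needle.encode("utf-16-le")}


def find_in_bytes(data: bytes, needle: str) -> list:
    """Return [(encoding, offset), ...] for every occurrence of needle."""
    hits = []
    for enc, pat in encodings_of(needle).items():
        start = 0
        while True:
            i = data.find(pat, start)
            if i < 0:
                break
            hits.append((enc, i))
            start = i + 1
    return sorted(hits, key=lambda h: h[1])


def scan_directory(root: str, needle: str, exts=(".exe", ".dll")) -> dict:
    """Map each module under root that contains needle to its hit list,
    so you know which file to open in the disassembler."""
    results = {}
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if not fn.lower().endswith(exts):
                continue
            path = os.path.join(dirpath, fn)
            with open(path, "rb") as fh:
                hits = find_in_bytes(fh.read(), needle)
            if hits:
                results[path] = hits
    return results


if __name__ == "__main__":
    for msg in ("no hardware detected", "not authorized"):
        print(msg, "->", find_in_bytes(SAMPLE, msg))
```

A message that is built at run time, or that lives inside a packed module (as the Crunch-packed DLL later in this thread), will not show up until the module is unpacked or dumped.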

SteelWolf
January 22nd, 2010, 20:18
OK.
Searched the directory for a couple of strings that came up when debugging it "step by step" but found none of them.

I searched for strings that are "connected" to a call to "ZwTerminateProcess" or "ShutDownInProgress", but there's just too much code in between.
I have no idea if I'm just lacking the skill to filter out the important parts (yeah, I know I do) or if this code is really hard to understand.
Most of Lena's tutorials were quite easy to understand, even if it's about some complex key algorithms.. the problem here is that I can't even find a point where I could start to think about things like that.
The program starts, loads about 40-50 DLLs, comes along with some INT3, loads more DLLs and then terminates the threads and application.
The strings only appear in the stack and registers, so it's a bit hard searching for them.
They first appear in VBAJET32.dll, but I guess that has nothing to do with the termination of the process, just with the strings themselves.

Quote:
[Originally Posted by FrankRizzo;83707]Run the executable (or .dll) through IDA, find that message in the disassembly, and see where the code is that references it.

I find TerminateProcess as a string, but not the error message.

Another problem I have with IDA is that it isn't able to execute the application properly; OllyDbg has no problem with it, but IDA won't even come up with the loading screen. Any essential configuration that I've missed?


I've reached a point where I'd also say that working with the raw data and writing my own scripts in MATLAB would be easier, but programming some of the more complex scripts would take me months, I guess.
I contacted the sales manager, universities and institutes to take a closer look at the scopes, but it will be very hard to bring up a debugger while someone tries to demonstrate the scope to me..
No chance of borrowing one either, not even for money, but I'm still searching.
Emulating the hardware like FrankRizzo said seems to be the most secure way, I guess (only the part where it checks the serial or ScopeID of course, not the acquisition itself).


Could maybe someone just take a short look at the exe? Just to tell me if it's wasted time or not.
This would really help.. I'm investing very much time in this so.. it's not just a request because I'm too lazy.
I'm searching nearly every day for that scope or the knowledge to reverse it and it's starting to get a bit frustrating.

Thank You

FrankRizzo
January 22nd, 2010, 20:23
"You've got mail!"

Garrett
January 23rd, 2010, 08:35
First you probably have to learn how PCI really works, if you want to emulate parts of the scope card. You'll also need it if you want to use breakpoints and other stuff correctly.

http://wiki.osdev.org/PCI

Since good old SoftICE doesn't run properly on XP, you'll have to use an alternative like Bochs if it comes to the kernel stuff.
Maybe you can try whether the scope software runs on a Windows image emulated by Bochs (with IDA support). Then you can use Bochs to capture the PCI-DMA traffic of your scope software. By analyzing this traffic you can maybe find out where the software checks the serial of your scope.

Since Bochs can also somehow emulate PCI cards (never did it), you can then try to write a Bochs PCI file which emulates the serial of your scope. This is probably simpler than patching the exe only to finally find out that you have patched the wrong routine.
It would also be interesting whether the serial in the PCI card is the same as the one written on your scope. I doubt it, but if it's like that, you can simply ask an eBay seller with the same scope with all options for the serial, claiming you want to check whether the scope he's selling is reported as stolen.

The most important thing is not to give up. I also spent about 2 months on an old dongled piece of code till it was finally done. But in the end you'll be very proud of yourself.

SiGiNT
January 24th, 2010, 13:58
I'm going to go out on a limb here: it makes no sense that a much higher performing scope and a lower performing one would have the same hardware. Frequently you'll find that the PCI card is different or not fully populated; otherwise there would be a thriving black market for enabling the extra features. I'd verify they are identical before putting a lot of effort into this.

SiGiNT

SteelWolf
January 24th, 2010, 14:45
They are both midrange scopes with the "same" acquisition board.
The only difference is that the rate and memory are doubled.
Rate on the WaveSurfer is 5 GS/s, on the Runner 10 GS/s.
Maybe better analog/digital converters.. or maybe just a software limitation..
The Surfer series goes from 200MHz up to 1GHz starting at 6k$ for the 200MHz, and the Runners go from 400 to 1GHz starting at 11k$ for the 400MHz.
These scopes are "professional" class scopes, so there won't be a black market because they are mainly bought by larger companies or institutes.

The Runner has the same soft-options that can be activated via key as the Surfer, plus just a few more like the custom support and some specialized features, but none of them need better hardware to work properly.



The PCI card itself is just an interface (with a Spartan 3 on it or something like that) that connects to the scope hardware and control panel.
There are also scopes that start at 160k$.. That's what I would call much higher performance.. I wouldn't want to try to run the features of that scope on the WaveSurfer.. but the price difference between two 400MHz scopes (WaveSurfer and WaveRunner) is "only" about 2k$, I think.


@Garrett:
But I guess that would only work if there's really already hardware to communicate with, mh? No board, no traffic?
I'm still trying to rent a cheaper scope of that series, but there isn't much choice around here.
And installing all the software on a scope from the university seems a bit difficult.
But yeah.. I'll try not to give up ; )

PS: FrankRizzo already helped me a lot regarding the breakpoints and protection.

Big Thanks to him!

Thanks
SteelWolf

SiGiNT
January 24th, 2010, 21:38
I'm not trying to discourage you; there is precedent for what you believe, but as you say the sampling rate could mean different ADCs and supporting components. The Spartan is an FPGA, so you could be seeing 2 different chips with the same marking, but that would be a little stupid on LeCroy's part; however, they are a large company and large companies aren't known for their stellar logical decisions. In the end it will be an educational experience, and just that is worth the effort. If I can help, let me know - I am in the electronics industry.

SiGiNT

FrankRizzo
January 24th, 2010, 23:33
Know anything about dumping BitArts Crunch/PE 3.0 packed .DLLs? I can DUMP it, but I've had a helluva time rebuilding the imports and stuff to be able to get a meaningful dead listing.

FrankRizzo
January 26th, 2010, 19:45
OK, in the spirit that JMI has set forth, here's my work, maybe someone can help.

DLL packed with BitArts Crunch (3.x/4.x). Being that it's "just" a .DLL, I wrote a small app called Dllloader that uses LoadLibrary to load it into memory, and then gives me a message box to stall the app while I go mess with the .dll.

Set the "Break on new module (DLL)" option in Olly, and when it broke, it gave me the info (loads at 12400000, size 00156000). I went to the entry point of the Crunch code and set the hardware access breakpoint on the stack, as instructed by the tutorials. Press run a couple of times, and BLAM. End up at the OEP: 12489A25.

Using OllyDump, I dump from 12400000 with a size of 00156000 into a file called test.dll.

I load up ImpRec (Grandpa Simpson), and attach to the process, and then the .dll. I then input the OEP, and press AutoSearch. What I get back is this:
[screenshot: attachment 2203]

And a nice messagebox telling me that it found the imports, and that I should just press Get Imports to get them. So, I do that:
[screenshot: attachment 2204]

BLAM, imports. So, I choose "Fix Dump", select my recently dumped test.dll, and I get this:
[screenshot: attachment 2205]

As you see from the picture, the RVA is A6000. If you go to that address in the file, that's where the data is. So I'm puzzled as to what the problem is. I thought that maybe the "Add New Section" option could be throwing a wrench into things. So, (continued in the next post where I can post more pictures).

FrankRizzo
January 26th, 2010, 19:49
So, I uncheck the Add New Section box, and try it again, only to be presented with this:
[screenshot: attachment 2206]

Which is also not true. I load up LordPE, and have a look at the file, and it shows this:
[screenshot: attachment 2207]

Which shows that there IS a section there. My only thought was about the ROffset and RSize being 0, but I must admit that I'm green in this area and don't know for sure.

So, there you have it. The complete process of dumping, and ALMOST getting the imports recovered on the all-important .DLL for SteelWolf's project.

Anyone know what I did wrong? Can anyone give me a pointer in the right direction?
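The LordPE screenshot FrankRizzo describes shows a section whose ROffset and RSize are 0, which is a common state for sections in a memory dump (the header describes virtual layout, but no file bytes back it). The parser below is an added example, not from the thread or any of the tools named in it: it walks the PE section table and flags sections whose raw size is zero. The PE image it parses is constructed inline; its second section reuses the RVA A6000 from the thread under the hypothetical name `.newsec`.

```python
import struct

SECTION_FMT = "<8sIIIIIIHHI"   # IMAGE_SECTION_HEADER, 40 bytes
COFF_FMT = "<HHIIIHH"          # IMAGE_FILE_HEADER, 20 bytes


def parse_sections(data: bytes) -> list:
    """Return one dict per section header: name, rva, virtual and raw sizes, raw offset."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    _, nsec, _, _, _, opt_size, _ = struct.unpack_from(COFF_FMT, data, coff)
    table = coff + 20 + opt_size      # section table follows the optional header
    sections = []
    for i in range(nsec):
        (name, vsize, rva, rsize, roff,
         _, _, _, _, chars) = struct.unpack_from(SECTION_FMT, data, table + i * 40)
        sections.append({"name": name.rstrip(b"\0").decode("ascii"),
                         "rva": rva, "vsize": vsize,
                         "raw_off": roff, "raw_size": rsize,
                         "characteristics": chars})
    return sections


def raw_missing(sections: list) -> list:
    """Names of sections that exist in the header but own no file bytes (RSize == 0)."""
    return [s["name"] for s in sections if s["raw_size"] == 0]


def build_sample_image() -> bytes:
    """Constructed sample: DOS stub, PE signature, COFF header with no optional
    header, and two sections; the second has ROffset/RSize of 0 like the dump."""
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)
    coff = struct.pack(COFF_FMT, 0x14C, 2, 0, 0, 0, 0, 0x2102)
    text = struct.pack(SECTION_FMT, b".text", 0x1000, 0x1000, 0x1000, 0x400,
                       0, 0, 0, 0, 0x60000020)
    added = struct.pack(SECTION_FMT, b".newsec", 0x1000, 0xA6000, 0, 0,
                        0, 0, 0, 0, 0xC0000040)
    return dos + b"PE\0\0" + coff + text + added


if __name__ == "__main__":
    secs = parse_sections(build_sample_image())
    for s in secs:
        print(f"{s['name']:8} RVA={s['rva']:08X} VSize={s['vsize']:08X} "
              f"ROffset={s['raw_off']:08X} RSize={s['raw_size']:08X}")
    print("sections with no raw data:", raw_missing(secs))
```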

5aLIVE
January 28th, 2010, 04:23
I'm no unpacking god, but dumping it at the OEP is all that is needed to unpack an exe packed with Crunch 5.0; there is no need to fix/rebuild the IAT with ImpRec or the like.

When using OllyDump, uncheck the Rebuild Import box and dump at the OEP, and that should do it.

Maybe this is also the case for Crunch 3.0 packed DLLs too? Worth a shot if nothing else.

FrankRizzo
January 28th, 2010, 18:13
Nope, followed the steps exactly and got a file that loads into IDA with no imports. I would gladly send you the file if you wanted to have a crack at it.

5aLIVE
January 29th, 2010, 15:44
Sure, send me a PM to a link and I'll take a look see.

5aLIVE
January 30th, 2010, 04:25
Okay, I was able to dump it with the imports intact using LordPE and rebuilt the imports with ImpREC. I can now load it into IDA and see the previously destroyed imports.

I see there are string refs to HASP and Hardlock so I think some software surgery may be required.

There is also the string "GuinessIsGoodForYou" which could be of interest.

FrankRizzo
January 30th, 2010, 09:36
Amazing! The right combination of tools, and it "just works". I now have the same.

5aLIVE
January 30th, 2010, 10:27
I'm glad you got it working. I've seen a problem similar to this before, only I was using the PE Dumper plugin for Olly. This had me going round in circles for a while until I tried LordPE. Since then, I have always reached for LordPE for reliable memory dumps.

FrankRizzo
January 30th, 2010, 10:29
Thanks for the tip. I would have been running those same circles for who knows HOW LONG.

FrankRizzo
January 30th, 2010, 22:53
These guys (the authors) were a weird bunch. I've found F00DD00D as a value, what is probably the author's birthday, 11011969, and one of the default values they use is Pi, 31415269 (or something close). Also, the whole mess is 1 big COM glob with everything being its own little in-proc server, and calls going back and forth.

Now, as for the HASP stuff. It appears to support *4* types of authentication, with HASP being only 1. It also supports Dallas, and Dallas Internal (which I assume is the iButton), and a config file!