Dongle Reversing
markh51
September 21st, 2005, 03:57
I have been working for some time to try and clone a dongle from an app I have. It's not that I need to, it's just that I want to... The dongle in question is a Dallas DS1991 which is accessed through the LPT port. The DS1991 has 3 protected areas (subkeys) of storage which can only be accessed by using the correct password. The app uses a call to DeviceIOControl to send & receive information to & from the dongle. The dongle driver is a VXD file. I have obtained a copy of the developer's guide which tells you all the commands which can be sent to the dongle and how the response is received.
I noted down everything which was sent to and received from the dongle and quickly found the password(s) and the decrypted information. The problem which I am having is that the passwords seem to be different for each dongle... I read an extract from the developer's guide which said the password can be unique for each dongle by using the dongle's ROM ID which is UNIQUE for each and every one. The other problem is the password is different for each subkey, how can they get 3 passwords from one ROM ID?
How could I find the routine which generates the password for each dongle? They must use some type of algorithm as they set the passwords on the dongle before they are sent out.
Thanks in advance.
naides
September 21st, 2005, 06:26
the passwords seem to be different for each dongle...
I read an extract from the developer's guide which said the password can be unique for each dongle by using the dongle's ROM ID which is UNIQUE for each and every one. The other problem is the password is different for each subkey, how can they get 3 passwords from one ROM ID?
The ROM ID could be any arbitrary number burned in the ROM by the manufacturer. Apart from a length and format it can be anything.
The three subkeys may be generated as hashes from the ROM ID. Apply an arbitrary one-way transform of the ROM ID three times and you get 3 subkeys.
How could I find the routine which generates the password for each dongle.
Calculate the subkeys, provided you know the ROM ID.
You found the subkeys, right? How did they come to exist? Are they hardcoded in the vxd? Or does someone make them on the fly?
I may be stating the obvious but if you know where those keys came from, you can tell how they came to exist.
If you had the dongle SDK, that WRITES the subkeys and the info, perhaps you could locate the algos that generate the subkeys from the ROM ID and reverse it or emulate it. It should also contain the routines that read the ROM ID.
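A worked illustration of the derivation naides sketches (a one-way transform chained over the ROM ID, one output per subkey), written for this thread and not taken from the application, its VXD or the Dallas SDK. The 8-byte ROM layout (family code, 6-byte serial, CRC8), the 0x02 family code and the 8-byte password length are assumptions, and the serial below is constructed.

```python
import hashlib
import hmac

# Assumed 1-Wire ROM layout (8 bytes): family code, 6-byte serial, CRC8.
FAMILY_CODE = 0x02      # assumed DS1991 family code
SUBKEY_COUNT = 3        # the DS1991 has three password-protected subkeys
PASSWORD_LEN = 8        # assumed length of a subkey password


def crc8_1wire(data: bytes) -> int:
    """Dallas/Maxim 1-Wire CRC8 (x^8 + x^5 + x^4 + 1, reflected 0x8C)."""
    crc = 0
    for byte in data:
        for _ in range(8):
            mix = (crc ^ byte) & 1
            crc >>= 1
            if mix:
                crc ^= 0x8C
            byte >>= 1
    return crc


def make_rom_id(serial: bytes) -> bytes:
    """Build a ROM ID from a 6-byte serial: family code + serial + CRC8."""
    body = bytes([FAMILY_CODE]) + serial
    return body + bytes([crc8_1wire(body)])


def rom_id_is_valid(rom_id: bytes) -> bool:
    """Reject a mis-read or forged ROM ID before deriving anything from it."""
    return len(rom_id) == 8 and crc8_1wire(rom_id[:7]) == rom_id[7]


def derive_passwords(rom_id: bytes, secret: bytes = b"") -> list:
    """One password per subkey, each the next link in a one-way chain.

    With an empty secret this is the unkeyed scheme naides describes: the
    transform is public, so anyone holding the client can recompute every
    password from the (readable) ROM ID. With a secret the link is
    HMAC-SHA1, and the ROM ID alone no longer determines the passwords.
    """
    if not rom_id_is_valid(rom_id):
        raise ValueError("ROM ID failed CRC8 check")
    passwords, state = [], rom_id
    for _ in range(SUBKEY_COUNT):
        if secret:
            state = hmac.new(secret, state, hashlib.sha1).digest()
        else:
            state = hashlib.sha1(state).digest()
        passwords.append(state[:PASSWORD_LEN])
    return passwords


# Constructed sample ROM ID; the serial bytes are made up, not a real device.
ROM_ID = make_rom_id(bytes.fromhex("0a1b2c3d4e5f"))
```

The keyed variant only helps if the secret lives at the software house (where the subkeys are programmed) and never ships inside the client, which is the property the unkeyed variant cannot give.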
markh51
September 21st, 2005, 08:00
Thanks for the response...
You see each DS1991 has 3 storage areas (SUBKEYS), each subkey has an ID to identify it. Each subkey has a password which unlocks it.
I know what the ROM ID is as it is easy to extract from the dongle. The ROM ID is laser-etched at Dallas when they are made, ensuring each one is different.
I found the routine which creates the passwords but I haven't got a clue how it does it. I found the routine by putting a BPR across memory where the ROM ID was stored and after many attempts I found this routine:
push offset byte_1001E190 <--- First 8 bits of ROM ID in reverse order
push offset byte_1001E198 <--- Last 8 bits of ROM ID in reverse order
call sub_10004660 <--- Call to create passwords and subkey ID's
Each dongle which is supplied with this software has unique subkey IDs and passwords due to the ROM ID. I need to work out how it uses the ROM ID to decide what the passwords and subkey IDs are.
laola
September 22nd, 2005, 02:31
So why don't you have a look at what happens inside the routine that gets called to create the subkeys?
markh51
September 22nd, 2005, 03:20
The subkeys don't get created at runtime, they are programmed at the software house and encrypted somehow based on the dongle's ROM ID. The only thing that gets generated at runtime is the subkey IDs and passwords, but these are NOT written to the dongle, they are compared to what is already stored. If they match, then the subkeys can be read.
What I need to create is some type of utility that can create the passwords based on the ROM ID like the program does. The only problem is that the subkey information is encrypted based on the ROM ID.
I found that the program uses RIJNDAEL and SHA-1. I used PEiD and KANAL to find out more:
RIJNDAEL [S][char]
RIJNDAEL [S-inv][char]
SHA1 [compress]
I had a look at the line numbers it gave me in KANAL and it looked like some sort of table which was referenced to a part in the code. It looks like it takes something from the table then XORs with another byte ?!? It does this quite a few times through the call.
Can anyone shed any light on any of this?
NoLOcKs
May 16th, 2009, 09:13
Hi markh51
Are you still in this forum?
Is it possible to restart this thread again? Please post me a PM.
Thanks
NoLOcKs.