Unidentified Dongle


vanity
09-11-2008, 10:38 PM
Hello there!

I am relatively new to dongle emulation and reverse engineering, so I'm afraid this is a very basic question. I've searched on the forum but haven't found any answer.

I've done already a Sentinel dongle emulation with the help from the threads here at this forum, and it was quite easy with all the info in here. But this time I'm not sure what brand is the dongle. It seems to me that it could be a protection made by the same company as the software itself.
No drivers are installed, but the program installs its own little "server", which identifies the dongle and sends its info - via TCP (crackable?) - to the application.
I've checked in Process Manager, but it seems that the dongle is identified as a Human Interface Device (HID), and its driver is said to be an HID-compliant (generic) device.

So, here are my questions:
1 - Is it possible that the dongle is from any already available emulators? If it is, how could I identify it?
2 - If not, would there be any workaround, such as creating a table myself, and using a vusbus-like program to emulate it? Are there any guidelines to do it?


I'm thinking that maybe intercepting the TCP calls made by this app and creating a fake server would do. What do you think?

Thanks a lot for the help!

BfoX
09-12-2008, 08:21 AM
It may be a driverless dongle, aka
Eutron/SmartKey 3 DL or Rockey4ND...

Git
09-12-2008, 08:22 AM
Could be UniKey

Git

kodyazan
09-12-2008, 08:28 AM
Sometimes a picture tells more.

BfoX
09-12-2008, 09:57 AM
Could be SparKey

vanity
09-13-2008, 02:34 PM
Hey Guys!

Thanks for all the replies! I really appreciate your help!

I haven't answered the messages yet because I found this link (http://www.sporaw.com/work/dongles/hardlock/emulator_dumps.htm), which suggests that the program whose dongle I want to emulate (EMME/3) is protected with an Aladdin Hardlock (and it even has its ModAd). So I've been trying all this time to dump it as if it were an Aladdin Hardlock, with no success at all.
I've tried bruteforcing hl-dump twice, one with the dongle server open and one with it closed, I've tried two different versions of Toro Monitor, also haSploGer (from sataron and xyrurg), tried SENTEMUL2008 and SENTEMUL2007 (which gives me the blue screen of death). Nothing worked. Not a single blink of identifying it as an Aladdin Hardlock - they all just ignored the presence of the hardlock.

So I'm guessing it's not an Aladdin Hardlock after all...

As for the ones you guys listed here, I'll try them all, but as of now I've only tried Eutron (eudump.exe), which doesn't recognize it at all. I've seen pictures of them all, though, and none of them resembles the dongle I have.
Actually, since you asked for pictures, here it is. (http://img393.imageshack.us/my.php?image=picture012vb7.jpg)
Sorry for the lack of focus & poor quality, I have no cameras besides a webcam with me right now. But I guess we can see that it is very different from other dongles. (Its weight is also different from others - it is much heavier.)


Do you have any ideas? The application itself is small (50 MB), so I can upload it if you'd like to examine it.


Maybe it's time to think about actually cracking it. I'll take a look at that option more carefully, but it must be beyond my cracking experience.

Thanks again for the help!
van

kodyazan
09-13-2008, 03:46 PM
Hey Guys!
The application itself is small (50mb), so I can upload it if you'd like to examine it.
van

The application itself is small (50mb), so if you can upload it we'd like to examine it.

Git
09-13-2008, 06:41 PM
Do you have a file called inrokey.sys in system32\drivers\ ?

Git

vanity
09-13-2008, 08:29 PM
@kodyazan
http://rapidshare.com/files/145070640/emme-3.0.41.rar
pass: reboard
@Git
Yes! Indeed I have!!!

Git
09-14-2008, 10:30 AM
There is your answer. It is an InroKey dongle.

Git

Harleych
09-14-2008, 11:11 AM
InroKey isn't Hardlock.

So the dongle can't be emulated now.

vanity
09-14-2008, 12:24 PM
well,

so there's no simple way to emulate it?


As I said, I'm quite a newbie in dongle emulation, so maybe what I'm asking may sound foolish, but would it be worth trying to create a table, using a USB sniffer, of the responses the dongle sends, and with that create an emulator?

Anyway, there is a long road ahead.

kodyazan
09-15-2008, 06:05 AM
@Vanity,

What I see (and you can also see it with a debugger):

All socket communication: Connect(), Send(), Select(), Recv() functions.

After a successful connect, EMME is sending 48 bytes to the server; below is a sample snapshot.

00EEF4A8 A5 AF 01 52 0E 0D 34 43 2F B7 62 26 97 F9 84 FD
00EEF4B8 E5 D3 47 7B 78 99 90 F1 01 6A 1C E4 BD 13 97 1B
00EEF4C8 6B 1B A1 E5 45 9F 7B 02 5B 4B 63 79 59 17 E9 EE

and after a good return from select(), recv() is called with the following parameters:

buffersize 512.
buffer:015bf988
pfrom=015bf95c
pfromlen=015bf8e0

And returns 31 bytes below:
015BF988 01 32 09 32 09 33 09 30 09 30 09 30 09 70 65 74
015BF998 73 6F 09 30 09 09 32 2E 30 2E 32 09 30 09 00

(For example, the above contains my computer name.)


The crack SOLUTION should be:
1 - Successful return values (zero or one) of the socket functions may be simulated. They are well-known (WS2_32.lib). connect returns 0, etc.

2 - So running InroKeyServer is not needed.

3 - RECV() returns the number of bytes received and fills a memory area with the received bytes. TRACKING THOSE BYTES, where they are used/compared, may yield a FINAL SOLUTION.

4 - If I had a dongle, I could trace where the good solution goes in the code, and try to target there step by step. So tracking good responses may take you to the solution faster.

Separate small debugger notes:

- Put a breakpoint on 0070f0b0, where socket communication begins.
- The software is designed with QT. Don't trace into QT function calls.
- Debugging while the INRO server is running causes timing errors (sometimes).
- Socket communication is nonblocking.
- It opens at least 2 threads in memory; they may communicate via shared memory.

I am only free at weekends, so I may not look till next week. Hope it helps.

vanity
09-17-2008, 09:48 PM
kodyazan,

I'd like to kindly thank you! I won't write much right now, as I'm still debugging, and trying to understand the results, but until the weekend I will write a complete message.

Thanks!
van

Harleych
09-18-2008, 10:11 AM
nodongle.biz can make the emulator for INRO EMME

kapatmalan
10-01-2009, 12:19 PM
Can anyone emulate the Rockey4ND dongle??

BfoX
10-01-2009, 12:24 PM
@kapatmalan: read the previous posts carefully...