Hi all,
I have an application protected by a dongle called MegaLock. Its driver can be obtained at http://www.megalock.co.kr/
I searched around about this one, but no luck. Does anyone have any experience reversing it? :rolleyes:
sparpacillon
06-27-2008, 11:22 AM
you can find the development manual on the site.
this is a badly translated piece that contains the functions of the dongle.. it doesn't seem too complicated.
Is defined in OBJ will be able to confirm an establishment presence function from the program which develops already and calling confirms a resultant price with [lak]. [lak] The checking functional life according to use language some could be changed same five kind function but a basically with afterwords has:

LOCK_INIT: The initial work function the program first execution at the time of or [lak] calling and the error will happen and executes in case.
LOCK_AUTO: [lak] Simply turns the resultant price which checks and receives, are recorded in maul tune the number of characteristics of 4 bytes which reads.
LOCK_FUNC [0, 1, 2 and 3]: Accomplishes the operation function which the maul tune is having.
LOCK_WRITE: Wants records the price where in 16 byte data parts of record style maul tune.
LOCK_READ: Reads the price which is recorded in data part of maul tune.
If you want to/can upload the app somewhere, most probably i cannot emulate the dongle but i can crack it of course :P
Thanks! You are kind. I will upload the software to RPS and let you know the link later.
sparpacillon
06-28-2008, 06:04 AM
first point 
0045AA38   .  6A 00                   PUSH 0
0045AA3A   .  E8 718D0000             CALL 004637B0
0045AA3F   .  83C4 08                 ADD ESP,8
0045AA42   .  84C0                    TEST AL,AL                                 ;  DONGLE FOUND if AL=0
0045AA44   .  0F85 8C010000           JNZ 0045ABD6
you can put AL = 0 by seeing what's happening inside this call: CALL 004637B0
if the dongle is found you jump..
0046389D  |.  83C4 10                 ADD ESP,10
004638A0  |.  83F8 03                 CMP EAX,3                                  ;  Switch (cases 0..3)
004638A3      0F87 C2000000           JA 0046396B
and you go there:
0046396B  |> \32C0                    XOR AL,AL                                  ;  Default case of switch 004638A0
0046396D  |.  5F                      POP EDI
0046396E  |.  5E                      POP ESI                                    ;  Azon61.0055BB78
0046396F  |.  A2 18FA5500             MOV BYTE PTR DS:[55FA18],AL
00463974  |.  5B                      POP EBX
00463975  |.  59                      POP ECX
00463976  \.  C3                      RET
so you can either change the eax value somewhere or change the JA into a JMP
next point of interest is here:
0045AA83   .  8896 24BB5500           MOV BYTE PTR DS:[ESI+55BB24],DL
0045AA89   .  46                      INC ESI
0045AA8A   .  83FE 10                 CMP ESI,10
0045AA8D   .^ 7C C1                   JL SHORT 0045AA50
0045AA8F   .  8B15 705A5500           MOV EDX,DWORD PTR DS:[555A70]              ;  Azon61.004CAFF0
0045AA95   .  8BC2                    MOV EAX,EDX
0045AA97   .  8D70 01                 LEA ESI,DWORD PTR DS:[EAX+1]
0045AA9A   .  8D9B 00000000           LEA EBX,DWORD PTR DS:[EBX]
0045AAA0   >  8A08                    MOV CL,BYTE PTR DS:[EAX]
0045AAA2   .  40                      INC EAX
0045AAA3   .  84C9                    TEST CL,CL
0045AAA5   .^ 75 F9                   JNZ SHORT 0045AAA0
0045AAA7   .  2BC6                    SUB EAX,ESI
0045AAA9   .  50                      PUSH EAX                                   ; /maxlen
0045AAAA   .  68 24BB5500             PUSH 0055BB24                              ; |s2 = "W"
0045AAAF   .  52                      PUSH EDX                                   ; |s1
0045AAB0   .  FF15 BCAA4900           CALL DWORD PTR DS:[<&MSVCR71.strncmp>]     ; \strncmp
0045AAB6   .  83C4 0C                 ADD ESP,0C
0045AAB9   .  85C0                    TEST EAX,EAX                               ;  DONGLE NOT FOUND
0045AABB   .  0F85 1F010000           JNZ 0045ABE0
at this point you load 10 bytes at address 0055bb24
and make a strcmp with the value pointed to by EDX.
of course the strings have to match :D
you need the first byte to be 'W'
so you can bypass the second check ..
0045AAA9   .  50                      PUSH EAX                                   ; /maxlen
0045AAAA   .  68 24BB5500             PUSH 0055BB24                              ; |s2 = "W"
0045AAAF   .  52                      PUSH EDX                                   ; |s1
0045AAB0   .  FF15 BCAA4900           CALL DWORD PTR DS:[<&MSVCR71.strncmp>]     ; \strncmp
0045AAB6   .  83C4 0C                 ADD ESP,0C
0045AAB9   .  85C0                    TEST EAX,EAX                               ;  DONGLE NOT FOUND
0045AABB   .  0F85 1F010000           JNZ 0045ABE0
third check: checks that the dongle found is for PARTNERrip
0045AAFE   .  2BC2                    SUB EAX,EDX
0045AB00   .  8A80 24BB5500           MOV AL,BYTE PTR DS:[EAX+55BB24]
0045AB06   .  3C 46                   CMP AL,46
0045AB08   .  74 12                   JE SHORT 0045AB1C
0045AB0A   .  3C 57                   CMP AL,57
0045AB0C   .  0F85 CE000000           JNZ 0045ABE0
0045AB12   .  C705 48BB5500 01000000  MOV DWORD PTR DS:[55BB48],1
0045AB1C   >  E8 9F8BFDFF             CALL 004336C0
0045AB21   .  85C0                    TEST EAX,EAX
0045AB23   .  75 12                   JNZ SHORT 0045AB37                         ;  WE HAVE TO JUMP
0045AB25   .  50                      PUSH EAX
0045AB26   .  6A 10                   PUSH 10
0045AB28   .  68 68B24C00             PUSH 004CB268                              ;  ASCII "This dongle is not for PartnerRIP."
here you see the value in AL: you must have 57 (W)
this call is also important:
0045AB1C   > \E8 9F8BFDFF             CALL 004336C0
if you step into it you see what the check is:
it checks for three types of dongles:
PARTNER
DEMOVER
AZON_48
with a simple strcmp, so of course the string has to match PARTNER :D
so without any other modification you land here:
0045BE20   .  6A FF                   PUSH -1
0045BE22   .  68 CE8D4900             PUSH 00498DCE                              ;  GOOD ! :D; SE handler installation
0045BE27   .  64:A1 00000000          MOV EAX,DWORD PTR FS:[0]
0045BE2D   .  50                      PUSH EAX
0045BE2E   .  64:8925 00000000        MOV DWORD PTR FS:[0],ESP
0045BE35   .  83EC 30                 SUB ESP,30
0045BE38   .  A1 60775500             MOV EAX,DWORD PTR DS:[557760]
0045BE3D   .  33C4                    XOR EAX,ESP
0045BE3F   .  55                      PUSH EBP
here there's the initialization of the prog and here is the last check:
0045BF2D   .  A3 605A5500             MOV DWORD PTR DS:[555A60],EAX
0045BF32   .  E8 8977FDFF             CALL 004336C0
0045BF37   .  85C0                    TEST EAX,EAX
0045BF39   .  8B2D E0AB4900           MOV EBP,DWORD PTR DS:[<&USER32.PostQuitMessage>]    ;  USER32.PostQuitMessage
0045BF3F   .  75 04                   JNZ SHORT 0045BF45
0045BF41   .  6A 00                   PUSH 0                                              ; /ExitCode = 0
0045BF43   .  FFD5                    CALL EBP                                            ; \PostQuitMessage
0045BF45   >  A1 48BB5500             MOV EAX,DWORD PTR DS:[55BB48]
0045BF4A   .  85C0                    TEST EAX,EAX
0045BF4C   .  75 4E                   JNZ SHORT 0045BF9C
0045BF4E   .  8D4C24 0C               LEA ECX,DWORD PTR SS:[ESP+C]
0045BF52   .  FF15 14A24900           CALL DWORD PTR DS:[<&MFC71.#310>]                   ;  MFC71.7C173199
0045BF58   .  8D5424 0C               LEA EDX,DWORD PTR SS:[ESP+C]
0045BF5C   .  68 20B24C00             PUSH 004CB220                                       ;  ASCII " This dongle is not for PartnerRIP(white ink) !!! "
now i leave it to you what to do :D it is pretty simple as you can see. i hope you make a FREE rel of this soft so other people can test the app
bye
PS. the last point of interest is here, where you can change the SN of your app:
0045A8CD      880437                  MOV BYTE PTR DS:[EDI+ESI],AL
0045A8D0      46                      INC ESI
0045A8D1      83FE 05                 CMP ESI,5
0045A8D4   .^ 7C EE                   JL SHORT 0045A8C4
0045A8D6   .  0FB64424 0B             MOVZX EAX,BYTE PTR SS:[ESP+B]
0045A8DB   .  0FB64C24 0A             MOVZX ECX,BYTE PTR SS:[ESP+A]
0045A8E0   .  50                      PUSH EAX
0045A8E1   .  8B4424 0C               MOV EAX,DWORD PTR SS:[ESP+C]
0045A8E5   .  51                      PUSH ECX
0045A8E6   .  0FB6D4                  MOVZX EDX,AH
0045A8E9   .  52                      PUSH EDX
0045A8EA   .  0FB6C0                  MOVZX EAX,AL
0045A8ED   .  50                      PUSH EAX
0045A8EE   .  8D8C24 90000000         LEA ECX,DWORD PTR SS:[ESP+90]
0045A8F5   .  68 08B24C00             PUSH 004CB208                                       ;  ASCII " SN%02X%02X-%02X%02X"
0045A8FA   .  51                      PUSH ECX
0045A8FB   .  FF15 10A24900           CALL DWORD PTR DS:[<&MFC71.#2322>]                  ;  MFC71.7C146A9D
0045A901   .  83C4 18                 ADD ESP,18
it takes 4 bytes, so if you insert 12 34 56 78
your app will display: SN1234-5678
foffa
06-28-2008, 04:06 PM
@sparpacillon   
good effort :) nice