ARTeam Tutorial: Cracking the KEY-LOK USB Dongle
Visit: http://cracking.accessroot.com | http://forum.accessroot.com

| Information  | Cracking the KEY-LOK USB Dongle |
| Target       | TriceraSoft Swift Elite Hoster v2.0 Build 20005 |
| Available    | http://intechhosting.com/~access/ARTeam/tools/swe20setup.exe |
| Tools        | OllyDbg 1.10, Re-Pair, Aspirin & lots of smokes |
| Protection   | KEY-LOK USB Dongle |
| Level        | ADVANCED |
| Category     | Dongle Fondle |
| Author       | MaDMAn_H3rCuL3s, August 2005 |
| Requirements | Windows XP, IE 5.5 and above for best viewing |
1. Introduction
Okay, usually I start out at the EP, but today's target requires a bit more thinking on your part. Today's lesson is on cracking a dongle. What's a dongle, you ask? Well, a dongle is a few things, actually. It is most commonly a piece of hardware connected through either a USB, serial, or even parallel connection on your computer. I happened to run across this by accident. I had no earthly intention of actually cracking a dongle, nor would I even consider it... EVER. That stuff's for the super crackers; you know who I am talking about. This particular program utilizes a USB dongle. Now, some good reading before I/we even begin would be to look at the manual for the KEY-LOK protection (I didn't look at it, but now wish I did). So I include it here for your reading pleasure. It's a PDF file, so I don't need to remind you that you need Adobe installed to view it. Anyways, get the manual here. Have a good look at it. You never know, you might learn something :)
2. Mapping our Target
Okay, now we can start out. We start out here, at the EP. (HEHE, I lied :) )
Looks like normal code to me... :) Now, to bring you to the conclusion I did, I shall take you through the same steps I used. First off I searched for all referenced text strings; I was here when I searched. Now I knew this was a "Trial" app, so I searched for that string, and I found it. But what else did I find????? Dongle references. Being this was my first dongle attempt, I decided to go ahead and try it out anyway. But where to start? Well, I thought to myself long and hard, then decided that at some point this program would have to communicate with this dongle (which is a USB dongle in this case) in order to make it a full version. But exactly how do you make it think there's a piece of hardware attached to the computer? Well, the first thing I did was try to get to the earliest part of the check. I wound up here: Now how to make sense of all this? Well, the first thing I did was look over the code; maybe I could get an idea of what exactly would satisfy the program. So if you scroll down a bit you come to particular areas of interest, like these: Now I am not the biggest genius (or claim to be), but to me it seems strange that it would move these two registers into this pointer, enter the call, only to move them back again. That seems kinda redundant if you ask me... BUT if you look closely it doesn't move them back exactly the same way. It moves (originally) ECX and EAX to these two pointers, then moves the two pointers into EAX and EDX; but still they are the same pointers, so I concluded these two pointers must have something to do with our registration status. If you scroll down a bit more you come across more interesting places like this: WOW! Those same two pointers again. Only this time we see it wants a certain value, as you can see from the compare and jumps. So let's try to pick this apart a little bit, huh? Okay... First we move ECX and EAX into the two pointers, then later on it checks the pointers' values,
but first we enter another call, so again something must take place in that call. I can give you two guesses :) YUP!!!! It's the dongle check (the second one). The first one was earlier, when I explained the two pointers before: that call we entered, then moved the pointers back to the registers. So it seems like it checks again for the presence of the dongle. Only this time we need to have some sort of values easily seen: the pointer "65619C" needs to be 145C or else we jump. Okay, basic stuff: JNZ (Jump if Not Zero) = JNE (Jump if Not Equal); they are the same thing. So if the pointer isn't the value "145C" we jump. And I don't think it takes a genius to decide that jumping probably isn't our best idea; we DO NOT want to jump. So somehow we need to set this pointer to hold the value it desires. We can worry about that later on; let's discuss the other pointer. We need to have the value "6B61", you see it? So again we have the same idea here: this pointer must equal that value in order to NOT jump. So now we can begin and see what values we get from the program running, then we can decide what exactly we need to do. So set a BP on the offset:
And now run it till we break here. Okay, let's begin analysis. Start tracing with F7 (step over the first call) and see what our pointers hold. Okay, so our first pointer is gonna get the value from ECX (this is before we enter the call). And our other pointer? Okay, we get that value from EAX. Remember, all this happens before we enter this first call (our first dongle check). Let's step over the call and see what our pointers will hold when we write back our bytes. And our other pointer? Okay, now we see what our values are gonna be after exiting this first call.
Okay, remember the 65619C pointer needs to be the value "145C"; it seems we get the value "4F16" after returning from the dongle check. So what's this mean? Who the hell knows? But we need to keep an eye on these values so when we do get to our final check we can work it out. So trace again with F7 (step over any calls) until you get to here:

00440B5F |. 890D 9C616500 MOV DWORD PTR DS:[65619C],ECX

This is our first pointer maneuver before we get to the last dongle check. As we see, it moves ECX to the pointer. Then a JE takes place. I am not too sure exactly why it checks this, but it would bypass the second dongle check. I can only assume if you caused an error in the first check it would do this. If you were to look over the strings you would see there's a bunch of possible errors to be caused. So that's my only assumption. Anyways, we see it moves the registers to the pointers again, then enters a call (dongle check), then moves the pointers back to the registers. So let's take note again of our pointers and registers before and after the call: And our other pointer:
And now we step over the call and see what we get as the outcome...
Okay, okay... after all that, this is how it works:
1. Set the pointer (move register to pointer)
2. Check for dongle (enter call)
3. Move the pointer back to the registers
4. Move back to the pointer
5. Enter call (last dongle check)
6. Move back to the registers
7. Check if registered
Okay, now we need to somehow make the register equal what we want it to be right from the get-go, and I will explain why. If you look at the code, you can plainly see that it does a quick switch on us before it reaches the deciding jump. Look very closely... You see? This happens right before our decision: registered or not registered.
So if we restart and trace the code slowly, we see that the only jump we need to worry about is the first JNZ, because we can trick the other one at the actual check, since it checks against the pointer and not the register that the pointer moved to. Are you lost? Do you see now? Where it compares the pointer to the value, instead of a register to the value? Okay, very simply said: we need to make EAX equal 145C. And why? Well, from the above, in this last one you see it moves EAX -> ECX, so EAX must hold the value before we even get to this point. But where to actually make it that value? Well, I found a nice and easy way: we are gonna use some free space in the app to do it for us. So assuming you are at the very beginning of the check (if not, get there), we see a CALL, the very first call. Hit F7 on it to enter it (without executing it). If we scroll down a bit we see the RETN plus a few extra bytes where we can inject our code. Yes, I know that it is past a few RETNs, but if you were to actually trace it out you would eventually land here. So for simplicity's sake we can assume that you would have found this out anyway. So what do we need to do here? Well, EAX needs to equal 145C so it will get moved to the pointer after this. So by doing this we can accomplish this feat, and now we can satisfy the first conditional jump. But alas, we have a few more tricks to get around. Okay, remember I said this was my first dongle, so be gentle when you say "thanks" or whatever you want to do. If we were to trace a bit longer we would see that the pointer gets rewritten a few more times before we reach the check. So since this whole entire code section plays no role in the operation (except if registered or not) we can safely NOP out a few things if need be, so we keep our value. Let's set a BP after this call we entered to see what we have against us. And our registers hold??? Good, EAX holds our value for the moment.
Now we must see exactly what I meant when I said "tricks". Okay, first you see that it moves EAX -> ECX, and then after moves our magic value to the pointer :) where we enter the first dongle check, and then move our values back to the registers. Only this time it moves the value back to EAX instead of ECX (where it came from). So now we continue on with our value in EAX, until we reach here: Now our value is held in ESI. And we continue... We get here; now this is the same call we entered the first time (where we patched). And we exit it. We have another move, but we are okay, cause you see after this is our real check routine. So hopefully ECX should contain the magic value... and it does :) So continue with F7 (step over call). OKAY !!!! :) So we will pass this first check. Now for the second check, we need to somehow get that value so we don't jump. And what value do we need? Well, we are pretty much told here. So the easiest possible solution I came up with, without really starting to modify too much code, was to do this: So all I did was move the value to the pointer right at that point, then NULL the jump by putting 00 for the bytes it would have jumped. This way, yes, it will want to jump, but will jump to the next instruction. So we now see that we have made it past the dongle check... well, kinda. There are more checks, but they are only for the retrieval of the registered user's name. So this will conclude the first section of this tutorial. The next section is purely cosmetic, cause if we were to run the app we would see it still says TRIAL, and we don't want that, do we? But try to use the app. The limitation was a 60 second playback on the audio files. You see the counter? 3 minutes 57 seconds... Now try it without the patching. So in all actuality we have beaten this dongle. But there's still that ugly TRIAL logo in our startup splash screen, and the About "activate" button shows us as trial.
So in this next section we will go over how I made it say what I wanted it to. So go ahead and take 5, be back... (If you need some more aspirin, by all means, take some more.)
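As an added illustration, not code from this tutorial nor from KEY-LOK or TriceraSoft: the C below models the pattern this section reverses (the driver result parked in a global, then compared with the constant 145C, so one CMP/JNZ decides everything) beside the kind of design the conclusion alludes to when it says the dongle could have been "implemented better", where the dongle answer is key material rather than a flag. The dongle stub, the status values it returns, the toy key stream and the sample table are all constructed assumptions, and it goes beyond the page by showing the contrast rather than this product's code.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Constructed stand-in for the KEY-LOK driver call. 0x145C is the status
 * word the tutorial sees the program demanding; 0x4F16 is what it observes
 * coming back with no dongle attached. Both are assumptions here. */
static uint16_t query_dongle(int dongle_present)
{
    return dongle_present ? 0x145C : 0x4F16;
}

/* Pattern A, what the tutorial reverses: the result is parked in a global
 * and compared with a constant. The whole protection collapses to one
 * CMP/JNZ pair; nothing downstream depends on the real dongle answer. */
static uint16_t g_dongle_status;   /* plays the role of the global the tutorial watches */

int weak_is_registered(int dongle_present)
{
    g_dongle_status = query_dongle(dongle_present);
    if (g_dongle_status != 0x145C)  /* the single decision point */
        return 0;
    return 1;
}

/* Pattern B, hardened: there is no "registered" flag. The dongle answer
 * seeds a key stream that unlocks data the feature needs, so a wrong answer
 * yields garbage and there is no single jump whose inversion restores the
 * feature. The LCG mixer is a toy for illustration, not a real cipher; a
 * shipping design would use a proper cipher and a much larger secret. */
#define TABLE_LEN 12

static void keystream(uint16_t seed, uint8_t *ks, size_t n)
{
    uint32_t s = 0x9E3779B9u ^ seed;
    for (size_t i = 0; i < n; i++) {
        s = s * 1103515245u + 12345u;
        ks[i] = (uint8_t)(s >> 16);
    }
}

/* Build-time step (vendor side): seal the real table under the expected
 * dongle answer. XOR is symmetric, so sealing and unlocking share the stream. */
void seal_table(const uint8_t *plain, uint8_t *sealed, size_t n)
{
    uint8_t ks[TABLE_LEN];
    if (n > TABLE_LEN) n = TABLE_LEN;
    keystream(0x145C, ks, n);
    for (size_t i = 0; i < n; i++)
        sealed[i] = plain[i] ^ ks[i];
}

/* Run-time step (program side): whatever the dongle says becomes the key.
 * No compare, no flag; the caller just receives bytes. */
void bound_unlock_table(int dongle_present, const uint8_t *sealed,
                        uint8_t *out, size_t n)
{
    uint8_t ks[TABLE_LEN];
    if (n > TABLE_LEN) n = TABLE_LEN;
    keystream(query_dongle(dongle_present), ks, n);
    for (size_t i = 0; i < n; i++)
        out[i] = sealed[i] ^ ks[i];
}

/* Reader/test convenience only, not part of the protection: 1 if the
 * unlocked table equals the constructed sample "FULL-VERSION". */
int bound_table_is_correct(int dongle_present)
{
    const uint8_t *plain = (const uint8_t *)"FULL-VERSION";
    uint8_t sealed[TABLE_LEN], out[TABLE_LEN];
    seal_table(plain, sealed, TABLE_LEN);
    bound_unlock_table(dongle_present, sealed, out, TABLE_LEN);
    return memcmp(out, plain, TABLE_LEN) == 0;
}
```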
3. Cosmetic work
Okay, we left off with a cracked dongle. The only thing left for us to do is to make it appear as if we are a registered user. Well, since we don't have an actual hardware device to read from, then how do we do it? Well, the solution I came up with is quite simple. It appears that the exe tries to read our registration information from a *.cfg file. But how do we know how to edit it to appear as if we are in fact registered? Very simply :) Please take note of what appears when you first start up the program. The splash is what we will target here...
Okay, we see that it says Trial, then a bunch of other things. Well, how to find exactly how and where it gets this string from? Well, actually I found it out because there's another exe in the installed directory that's protected by the same protection. The name of it is "TriConvert.exe". We will go over this a bit later on. But if you look at your directory very closely, you see a *.cfg file named after this exe, so go ahead and open it up in Notepad. Okay, now run the TriConvert program. Do we see a theme here?
So let's just say I was to edit the string in the cfg file to say "REGISTERED!", then run it. Well, crap! It still says trial version. Well, dummy, that's because the dongle still plays a role in this one. So (I will cover this later on) for right now I will run the already patched dongle version of it. AHA! See, the .cfg file controls the splash's output string. And since we are all smart here :) I would say it's safe to assume that the exe we are currently working on here would have the same control, wouldn't you? Okay, we now know how we get our name on the splash. So exactly which .cfg controls the main program? Well, it took me a while, cause I couldn't get any type of breakpoint to work here. So I just cheated and opened each one up and read the contents. I finally found it residing in this file: "prefs.cfg". This is our string controller for the main program here. Now if we were to just simply edit it, it wouldn't work. WHY!!!!!! Well, because it is being forced to say trial in the main program as well. So we must intercept it somewhere and force the string from the cfg file to be displayed instead of the nasty "TRIAL" string. So to make this whole thing work we must find the string in the cfg file first and then replace it. So open up "prefs.cfg", and let's look for the trial string, shall we? We look down a little bit and we see it. It is obvious that the "-" is the terminator for the string, so anything before it gets displayed. And I can only assume that the next line would be our serial number, maybe our dongle HW ID... who the hell knows? Who the hell cares? The point is, edit that string to say whatever; then our job is to make the program display it. So the only feasible answer I came up with was to debug the target again (DUH!) and check exactly when and where it decides the generated string will get displayed. My first hunch was that it was right where we were earlier when we cracked the dongle.
Well, it is :) It's right under our noses. We must do a bit of our own patching though to get this string. So try and follow along. First we get back to our two JNZs, and then we simply use the F7 key to get past them. Then take note of what this picture shows. Remember the TRIAL VERSION string in our prefs.cfg file? Right, so we have found the spot. Now exactly how to make it say our name? Well, if you notice, if you continue to execute each line of code you see the string change from trial to "Registered User: (some number)". We want it to read from our file. Well, change the string, then restart it (make sure to save the .cfg file); when you break you'll see your name in the first-most string. So we see it reads from my file. Now to make it think it's okay, cause this other string is sorta like the Armadillo protection, where it checks the name against DEFAULT; only it's not DEFAULT, it's "Registered User:". So the idea I came up with was to edit the first string to appear as the second one also, like so: And this will work cause our name is pushed onto the stack. But now we face another problem, and that is the (days left... blah blah). So on top of our name will be placed our days used. So to bypass this we will simply let the program think that it checked an unregistered name. Understand? If the program checks and the name isn't registered, then we jump over this check (which would happen if we were an uncracked dongle), i.e. those JNZs (HINT HINT). So the easiest way is to just make our next jump jump to the JNZ's destination... well, no, that wouldn't work. BUT if you scroll up a little bit from the JNZ destination, you will see another area. That first arrow, that's our ticket out of this mess; the second one, which points to the TRIAL string, is definitely not. So if you were to hit F7 a little bit (from our string we just changed) you would see a FEW JEs that are part of a case switch.
All we are gonna do is make the very first JE jump to the destination we just went over. Here I enlarged the picture so you can see it better. That first JE is our target jump. Okay, remember when I said the dongle had a trick to it? Well, if you're not careful you would see that the string doesn't change. WHY?????? Well, actually the solution is easy. As we have seen, this area of code has many checks on the dongle; well, the string is one of them. Simply by making another JE -> JMP we can fix this issue. I will show you the code section and maybe you can determine why it does it. So for the case of the JE, this is what our changes would look like: Now we still have the problem with our name, cause like I said, the dongle kinda interferes here a bit. So simply enter just about any call (except a few) like these. And then when you enter it you see this: As you can see, there's a lot of references to our dongle here. The way I came up with to bypass it all is to simply turn the JE at offset 004408CA into a JMP. And then (provided all the other changes are still present, i.e. the original dongle crack, plus the new PUSH [our name] and the JE -> JMP), alright, let's run it and see what happens... AND BAM!!!!!!!!!!!!!!!!!! We struck gold :) :) By making that JE a JMP we bypassed a lot of the dongle checks against our name. So we didn't perform any magical act, just a bit of a quick-witted one. Now save all the changes we made, and then our main program is cracked. All that's left is the other app that's included in this suite (which is important cause it converts our MP3s to the karaoke format and stuff like that).
4. That other exe
This section will be a less in-depth approach, as we have already seen from the previous sections how to crack the protection and do the cosmetic work. So I will take you through the run-down on cracking this one, as it's very similar, but the cosmetic work shall remain in your hands; besides, I already showed you what to do :) Okay, open up our other exe in Olly. Our goal here is pretty much the same thing: patch out the dongle check, then make the splash show our name. We are at the EP of this program. Now we do the same thing: search for all referenced text strings.
Then our output is this:
So pretty self-explanatory here. What are we looking for?????? Right, some sort of dongle strings. As we can see they are almost identical... well, they are :) So from the previous section we know how and what to do. Let's follow one of them in the disassembler and then trace it back a bit to try and find our original caller. So just double click any entry pertaining to the dongle. Now let's right click the line and select the "go-to" option, and then we land here: Now same idea here: just go to the topmost instruction and select "go-to". As you can see we have a few options (calls) to choose from; to simplify this more, just select the second option (CALL). Okay, this is our area of interest... remember this from earlier????? Okay, same idea here: set a BP on the SUB ESP, 3FC instruction, and then run it till we break. Now the same exact idea is in play here: we need to make EAX equal what??? Scroll down a bit and then we see exactly what we want. So EAX must equal "145C" and then our pointer must equal "6B61". So how do we set that??? Same shit, guys. Remember that first place we were at where we did a "go-to"????? Look... So we do this: we have to enter the call inside here or else our value is overwritten by the "SPECIAL-SUPER-SECRET-POINTER". Look closely... So the call before this is what we want to investigate, because EAX is moved into this pointer. So hit "Enter" on the call. Okay, you see the resemblance??? Same idea here, guys: find the last RETN and then inject the value we want into EAX. This is the last RETN, so let's write this...
And this will take care of the first check. Now for the second one, same as before, just do this: Okay, the main dongle check is cracked :) :) :) All that's left is the registered name thing. And how do we do that???? Same as before: we find the same PUSH [name] and make it push it twice, instead of pushing the default name against the input name. So our goal here is to push our name twice, like so: And now we push our name twice. But remember, we have to trick the dongle again, plus make the other JE jump, but in this case it's a JA that we are gonna patch. It might be a little tricky for most; this again is a case switch. After the JA we have a case switch check, so we need to bypass this. Below is the last dongle check against our name. Like before, where we made the JE -> JMP, we are just gonna leave this alone, unless you feel like patching it also, but there really is no need to. That last JMP (which is a case switch) will jump anyway, so no need here :) The only thing left then...???? The JA, so our name isn't overwritten with trial again. Above is where we want to jump to, so by making the JA (which is highlighted in blue below) jump we can overcome this problem. So let's make the JA -> JMP to that destination. Now go ahead and hit F9 to run it, and then.....
There, we have successfully completed this tutorial in whole. Now if you didn't do this correctly you will get a nag saying something about this being the trial version (converting stuff) and the output would only be 50% of what it should be, or something like that. But you'll notice that this nag is non-existent in the correctly patched version. *NOTE* Let's say for some reason you decide you like this app a lot; you should really think about purchasing it. And if for some reason you decide you want to use this on your laptop or other computer, you will notice that it doesn't work. This is because of one file that is changed when you patch it; the file name is "scramdmx.cfg" and all it is, is three 1's at the end of the file. But without this it will not run anywhere else but on your computer. But you wouldn't do that, would you? Congratulations!!!! You did it also :) I hope you learned something from this and it's not just another tutorial to add to the collection of your "I will do it later" tutorials. Remember, knowledge is power. Until next time I remain... MaDMAn_H3rCuL3s. And I am out...
5. Conclusion
Lessons learnt:
1. At first I was skeptical, but it proved far too easy. I am almost certain this whole tutorial wouldn't be possible if this dongle was implemented better. Sorry, program author, if you read this, but it's true.
2. Never be frightened of a certain protection. Just because they claim "IMPORT SUPER DESTRUCTION" or anything else you can think of, remember, it had to be intact at one time to be packed.
3. We at ARTeam hope you enjoyed this lengthy tutorial, almost as much as I did writing it.
6. Greetingz
[MAIN TEAM]