Dongles - "faked hardware protections"



What is a Dongle?

I'll just use this space to explain exactly what dongles are. Often termed hardware protection, most dongles are small parallel-port plugs consisting of little more than a factory-burned EPROM and a custom ASIC of sorts. Initial ASIC development costs are high, so the dongle sellers compromise considerably on parts to drive down unit costs; most of the other components are off-the-shelf.

The idea behind a dongle protection is that the developer issues checks against return values obtained from the dongle, either read directly from its memory or produced by some internal algorithm. Evidently these calling routines are the weakest link, although any decent hardware engineer will also see readily what the dongle itself is doing. Virtually all dongle implementations can be broken without the need for the dongle: the software developers who use them usually aren't devious or motivated enough to invest the time reading the dongle manufacturer's API, and assume that merely using a dongle will be deterrent enough. As you'll see reading my pages, this is false optimism perpetuated by the dongle industry.

On very rare occasions dongles can be unbeatable without access to the original dongle, or at least impractical in computing time to break. Some dongles literally drive the programs they protect (e.g. LightWave), or the program makes so many checks on query returns (e.g. ArchiCAD) that patching every check reliably just isn't an option (although emulation of the main protection routines is). Others use the return codes from the dongle as encryption seeds, although I've yet to see a key of sufficient length to make a known-plaintext attack infeasible. I really can't stress this point enough: make your way to the dongle manufacturers' websites and get their API guides, example code, everything, or else you'll be reversing jumps all day.

I should point out that removing dongles from software is legally a slightly different area from debugging standalone applications (even if you have purchased a legitimate dongle); read here the legal directives regarding hardware locks (albeit a little German-biased). Note that if your dongle is stolen you are basically left up the creek: pay for a new one or else. Needless to say, you're here only to learn about these protections just in case you need to fix something quickly while waiting for your replacement :-).


Dongle Web Resources

http://www.des.co.uk - DESKey range, API documentation available here (938k).
Dinkey Dongle - 4 flavours of very rudimentary dongle, download my edited guide here (15k).
http://www.globetrotter.com - FLEXlm licensing system (can interface with hardware locks); they have recently removed their SDKs from most parts of the web because of their insecurity, check out the dedicated FLEXlm page.
http://www.ealaddin.com/hardlock/default.asp?cf=tl - Hardlock by AKS, API guide available here (91k).
http://www.ealaddin.com/hasp/default.asp?cf=tl - HASP by Aladdin Knowledge Systems (AKS), also http://www.aks.com. Suggested reading haspman.pdf. All HASP 4 related material can now be downloaded freely from HASP's webpage.
Keylok - From Microcomputer Applications Inc. A very rudimentary dongle designed more for developer ease than any real attempt at protection.
Proteq range - Very basic Portuguese dongle (3 API calls: is_it_connected(), read() & write()).
Rainbow Technologies - Sentinel range by Rainbow (recommended reading pro223.pdf, spro_dev.pdf).
WIBU-KEY - Full API Guide available here (158k).


Common SoftICE BPX's

bpio -h 378 rw - I/O port access (LPT1 at port 378h).
CreateFileA - opening the dongle driver's device file.
DeviceIoControl - requests handed down to the dongle driver.
FreeEnvironmentStringsA - very effective against HASPs.
MessageBox APIs - the failure message.
PrestoChangoSelector - 16-bit HASPs.
'7242' search string - Sentinel packet record validation.


Dongle Tools (Review)

Before you download these tools, please note that I am not the author of any of them. I have only tested about 1/2 of them with very mixed results, so do not send me e-mails asking why they don't work with your target.

Tool Description / Review
Deskey DesLock PE Prot. Remover v1.00B Previously known as KILLDK3 (150k). Now supports (DK2 / DK38 / DK3 / DK12 / DK37 / DK9 / DK25 / DK47) and Deslock v2.25,2.27, courtesy of ExeLord (141k).
Dongle IDA Signatures HASP, Keylok & Sentinel signatures for IDA (18k).
Dongle Readers Freeware HASP/Hardlock & SSI dongle readers (10k).
DongleSpy BETA 1 +spath's generic DOS dongle spy (includes source code), one for your low level probes (4k).
Dongle Spy v1.0 A monitoring program for Super SentinelPro dongles, pretty much obsolete (25k).
DumbHASP Dumps the internal contents of HASP dongles (written in Pascal), only works with 112 byte flavours i.e. MemoHASP-1 (47k).
DumpSentinel v0.2 Memory dumper for Sentinel targets (40k).
HASP 3 Reader Interrogator for MemoHASP-1 dongles (254k).
HASP 4 Schematic Details of the HASP 4 hardware (22k).
HASP Grabber v0.97.3 & v1.00.2 HASP memory dumper and rewriter which might work with all HASP key types; it's a lot faster than DumbHASP too (18k). I've recently tested this dumper with a HASP 4 key under Windows 98 and it does not work (even if you manually insert the HASP passwords under SoftICE).
KeyPro Emulator Dongle emulator for DOS hardware keys, includes source code, very obvious bugs (for historical reference only) (74k).
MicroGuard IDA sigs mgvc32c.sig (MicroGuard PC API (x86/C/MSVC)), mgcw32c.sig (MicroGuard PC API (x86/C/CodeWarrior)) (8k).
SenZap v1.2 Includes DosZap & WinZap (ageing software to remove unknown dongles) (8k).
Safesoft HASP Emulator A packaged version of a ready made Windows 95 HASP emulator, the hasp95dl.vxd installed by this emulator looks to me to be based heavily on UCL's source code, there are however some small differences. This vxd is configured using a registry key and doesn't store any emulated dongle contents inside the actual file, it also outputs messages to your debugger after a hasp() call. The password for the installation program is Hasp0184 (123k).
Safesoft SSI Emulator Generates reliable vxds for this very particular flavour of dongle (21k).
Sentinel SuperPro CrackMe Test your Sentinel skills, courtesy of CyberHeg (my solution is available on request) (30k).
Sentinel SuperPro Tools DOS/Windows & I/O capture tools for Sentinel dongles (477k). Visit the authors webpage here.
Sentinel SuperPro (vxd) (v0.08 & v0.24) A vxd for Sentinel dongles (this looks like a method to support only specific applications, hiho's Yonkie btw :-) ) (32k). Latest version usually available here.
SKEYEM v1.0 Eutron SmartKey NET skeylink.dll emulator (3k). Also try this replacement SmartKey dump and emulation dll (103k).
Soft-Pro HASP Emulator v0.06 More HASP emulation via vxd/sys. These files aren't a variation on the commercial UCL Emulator, hence my reason for including them. This replaces hasp95.vxd, which is curious to say the least; my research tells me that rewriting hasp95dl.vxd is by far the easier way to go. This package also includes the source code and translated documentation (now all that remains is for you to fix the bugs!). Note a little HASP history with some undocumented services (978k).
SPRODUMP v0.2 A working Sentinel SuperPro memory dumper by +spath (I've included an example of a dump in the zip, tested in October 2000) (20k).
SPUICA Latest version (1.05.1) of this Sentinel Shell Remover (courtesy of the I.C.A (hi! guys)), (202k).
SSUNSHL Another Sentinel SuperPro Unsheller (138k).
Tony Lee's HASP Emulator v1.3 An integrated HASP dumper and emulator for MemoHASP-1 dongles from this Taiwanese author, take note, you must have the original dongle (143k).
UCL's Commercial HASP Emulator Recently released by Meteo & Fixit this is the full package of a HASP vxd/sys emulator that was up until recently being sold commercially. It takes registry keys to activate these files for use with specific programs. All services are emulated however the driver version needs updating (continually). You might ask yourself why these were released to the public, well the advent of HASP 4 and widespread knowledge of HASP cracking techniques probably means these enterprising Russians aren't making any money out of selling HASP cracks (103k).
Virtual DOG v1.04 Sent to me by the Chinese author, this dongle emulator relies on trapping low-level IO access (very similar to WKPE according to the author). Visit his webpage for updated versions (94k).

WKPE v1.81

(also includes versions 1.01/1.2/1.5/1.8)

This one was kindly sent to me by the author and is freeware (Windows 95 only). Its approach is vxd-based but not specific to any particular dongle; it seems to rely on trapping low-level I/O access (of course you need the original dongle). The author claims 80% reliability or effectiveness; I recall reading elsewhere that this could be somewhat optimistic :-). I can only advise you to try this (it didn't work on the HASP or Sentinel I have here). As it's free I don't really think you ought to trouble the author too much for support (1.04Mb).

FrogsPrint's 'Dongle Bashing paper, the end of an era' - Very good (and very long paper) destroying 15 dongle protected programs (57k).

MD5 Hashing Articles - 2 descriptions of MD5 hashing, which is used by the HASP envelope with the return codes from HaspCode() as the input (and the message digest as the value checked?); forget about ever inverting it.

MMGroup's Webpage - or Martin Mckeen (both of his sites have disappeared from the web for violation of TOS; want to take one guess at who reported him?). Offers hardware duplication of HASPs, of interest because he seems to have done analysis work on HASP 4, which implies his hardware must support the new decrypt / encrypt services. Here are some hardware pictures such as the HASP logic trace and wiring scheme. After combing DejaNews I also managed to find a quite interesting post regarding the new HASP 4 functions.

In May 2001 Martin was kind enough to e-mail me with the following update. "I wish to announce a death of newest HASP 4 functions Encode/Decode. After 8 months search I really found a way how encryption is done inside the ASIC. More - I designed a duplicate based on MCU which simulates HASP 4 - it really works perfect. If you hear somebody has problems with HASP 4 - you can pass them my mail... I will try to help." So there you have it, another instance where security by obscurity has been proven useless.

Quine's "Pushing the Envelope with HASP" essay - A simply superb essay which disappeared from the web a while back (I have some idea as to the reason why). Now that the envelope has moved on a little I see no harm in re-publishing this great document in its entirety (if Quine objects I'll remove it).

Rainbow I2C Analysis Project - Analysis of dongle hardware (invaluable for all serious dongle aficionados), this covers Sentinel keys (132k).

Safe-Key - (formerly SafeSoft of Canada), sell emulators to legitimate end users (you have to prove you own a dongle). I confess to hearing some rumours about the former SafeSoft's integrity from disgruntled end-users; this may or may not be the case with the new company.

Spectrum Software - Based in the USA. Have been offering dongle replacement software since 1991 and also advertise their services in Computer Shopper. Appear fairly active in exploring legal avenues against the likes of the BSA/SPA with regards to dongles. I have been assured they will only deal with legitimate dongle owners.


HaspCode()

I'll briefly explain why understanding this is so useful. When you develop your HASP protection, the idea is to call HaspCode() to check whether a specific dongle exists: you pass the dongle passwords and a seed code via the hasp() routine, then verify the corresponding return codes. Read Bajunny's essays at Fravia's site for an explanation of this pretty simple concept.

Example (from a real TimeHASP - ALLDATA v2.5) :-

:0045F02B PUSH 00006B47 <-- 2nd HASP password.
:0045F030 PUSH 00003815 <-- 1st HASP password.
:0045F037 PUSH 00000135 <-- Hasp Seed Code.
:0045F03C PUSH 00000002 <-- Basic Service 2 (HaspCode).
:0045F03E CALL 0045F0A6 <-- HASP routine.
:0045F046 CMP DWORD PTR [EAX+18], 0000B940 <-- Good return code.

On this occasion you are given the value of the return code that is checked (you can verify this with the generator). Of course, if you are planning on reversing lots of HASPs you'll want to convert this code into ASM, perhaps emulating other services while you're there :-); this should be achievable in under 350 bytes (including the triad table).
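The listing above and the two things a reverser does with such a call (watch the queries, then replay them), as an added example of my own rather than code from ALLDATA, Aladdin or the UCL sources. Only the two passwords, the seed 135h and the good return code B940h are taken from the listing; the hasp()-style argument order, the Response layout, the second seed and every response word are assumptions made up for the example, and the table stands in for an ASIC that in reality answers any seed.

```python
from dataclasses import dataclass

# Constants taken from the ALLDATA listing above.
PASS1, PASS2 = 0x3815, 0x6B47     # the two developer passwords
SEED = 0x135                       # the seed code pushed before the call
GOOD_RETURN = 0xB940               # the constant the program compares against

SERVICE_ISHASP = 1                 # "is a key with these passwords present?"
SERVICE_HASPCODE = 2               # seed in, four return words out


@dataclass(frozen=True)
class Response:
    status: int                    # 0 = answered, nonzero = no answer
    words: tuple = (0, 0, 0, 0)    # the four return codes (only for status 0)


class RealKey:
    """Stand-in for the physical dongle. A real ASIC computes an answer for
    every seed; here that function is replaced by a constructed table."""

    def __init__(self, pass1, pass2, responses):
        self._passwords = (pass1, pass2)
        self._responses = responses          # {seed: (w1, w2, w3, w4)}, constructed

    def hasp(self, service, seed, pass1, pass2):
        if (pass1, pass2) != self._passwords:
            return Response(status=1)        # wrong passwords: the key stays silent
        if service == SERVICE_ISHASP:
            return Response(0, (1, 0, 0, 0))
        if service == SERVICE_HASPCODE:
            return Response(0, self._responses[seed])
        return Response(status=3)            # other services not modelled here


class Spy:
    """Sits between the program and the key and logs every query and reply,
    which is what a breakpoint on the hasp() routine shows you."""

    def __init__(self, key):
        self._key = key
        self.log = []

    def hasp(self, service, seed, pass1, pass2):
        resp = self._key.hasp(service, seed, pass1, pass2)
        self.log.append((service, seed, pass1, pass2, resp))
        return resp


class Emulator:
    """Replays a captured table; like the vxd emulators listed above it only
    knows the passwords and the seeds it was configured with."""

    def __init__(self, pass1, pass2, table):
        self._passwords = (pass1, pass2)
        self._table = table

    @classmethod
    def from_log(cls, log):
        table, passwords = {}, None
        for service, seed, pass1, pass2, resp in log:
            if resp.status != 0:
                continue                     # a refused query teaches nothing
            passwords = (pass1, pass2)       # a successful one reveals the passwords
            if service == SERVICE_HASPCODE:
                table[seed] = resp.words
        if passwords is None:
            raise ValueError("log holds no successful hasp() call")
        return cls(*passwords, table)

    def hasp(self, service, seed, pass1, pass2):
        if (pass1, pass2) != self._passwords:
            return Response(status=1)
        if service == SERVICE_ISHASP:
            return Response(0, (1, 0, 0, 0))
        if service == SERVICE_HASPCODE and seed in self._table:
            return Response(0, self._table[seed])
        return Response(status=2)            # a seed that was never captured


def developer_check(key, seed=SEED, expected=GOOD_RETURN):
    """The check from the listing: one HaspCode() call, then one comparison
    of a return word against a hard-coded constant."""
    resp = key.hasp(SERVICE_HASPCODE, seed, PASS1, PASS2)
    return resp.status == 0 and resp.words[0] == expected


def demo():
    # Constructed response table; the 0x135 row reproduces the listing's constant.
    real = RealKey(PASS1, PASS2, {
        0x135: (GOOD_RETURN, 0x1D2E, 0x77A0, 0x0C13),
        0x200: (0x4F19, 0x9B02, 0x2C6D, 0xE801),
    })
    spy = Spy(real)
    captured_ok = developer_check(spy)               # run the program once under the spy
    emu = Emulator.from_log(spy.log)
    replayed_ok = developer_check(emu)               # same check with the key unplugged
    unseen_ok = developer_check(emu, 0x200, 0x4F19)  # a seed the spy never saw
    return captured_ok, replayed_ok, unseen_ok
```

demo() returns (True, True, False): the single check from the listing replays fine from a captured table, but a check on a seed that was never logged fails. That third value is the reason table-driven emulation is not enough against programs that query many seeds, and why converting the algorithm itself into a few hundred bytes of ASM is the goal.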

HASP 4 Brief

In the latest HASP 4 dongles the HaspCode() implementation has changed from the known UCL algorithm above, and the rudiments of the envelope have changed too: the code section is now decrypted using the new HASP 4 block services. By searching the newsgroups you may find a useful post describing the function.



DESKey

DigiSHOW.vld v1.25 - Just don't use DESKey's dk47wn32.dll for your protection (05/09/98).
Vero VISI Series v7.2 - Inside the DESKey DK2 dongle protection (includes DESlock), (21/08/00).

HASP

ALLDATA CAR v3.0/3.2/v4.25 - How to emulate completely the main HASP() routine (27/03/00).
Barudan Punchant v6.0G - TimeHASP-4 and function disabling reversing (28/12/99).
CASMate-Pro v6.52 - HASP envelope encryption reversing and complete emulation of a MemoHASP (22/10/99).
Cimagrafi v6.7.0.1 - MemoHASP-1 envelope cracking without unpacking (21/02/01).
Cimatron Series (v10 BETA, v10.6, v11.0, v11.1, v12.0) - HASP emulation, adding code to a dll, HASP's new encrypted object, redirecting HASP routines, HASP driver attacking, Cimatron's KeyCode algorithm (17/08/01).
FabriCAD Suite v3.0 - Recovering HASP return codes and patching a good HaspCode() implementation (04/09/99).
HASP Envelope Cracking - How to unpack the HASP Envelope, also an introduction to the HASP dll technique (24/04/00).
Inec Investor 7.3 - Fast HASP Envelope unpacking (courtesy of aSL!) (10/07/01).
Mastercam v8.1 Beta 2 - HASP and access code reversing (05/12/2000).
Matchmover - InstallShield decrypting and HASP cracking (courtesy of Kashmir) (09/06/00).

Miscellaneous

Hardlock Dongle Reversing - Great paper by MaV3RiCk (with an addition by yours truly) (14/09/00).
Plastic Animation Paper - Hewlett Packard's ppppapi.dll or 'why you shouldn't use this protection' (25/01/00).
SSI Dongle Protection - Historical essay describing how to rebuild encrypted SSI dongle protections, useful for general information and if you have the dongle (22/01/98).
Vellum Solids 99 & WIBU-KEY - WIBU-KEY & yet more algorithm reversing (29/02/00).
Zen & the Art of Dongle Cracking - A general document by zeezee describing how to approach dongle reversing.

Sentinel

3D Studio Max R2.5/R3.1 - Tracking Kinetix's changes to their Sentinel protection, discussion of sproQuery() (03/06/00).
AutoCAD R14 (French Version) - Courtesy of ACiD BuRN (19/08/00).
Breaking the shell - Sentinel shell breaking courtesy of CyberHeg (March 2001).
CPSWin32 v1.3 & GeoPath Power CAD/CAM - Emulation of the Sentinel cplus dll (31/10/00).
FlexiSign PRO - Sentinel cracking courtesy of goatass (16/06/00).
StruCad Drawing Viewer v2.05 - Recovering of original dongle words (21/02/00).
Surfcam 2000 - sproQuery() emulating, general Sentinel (08/02/01).
Virtual Gibbs v5.05/v5.55rc1 - Re-writing sproRead() and identifying Sentinel trademark API weaknesses (26/09/99).

You can view on my coding page a full list of programs I have reversed which use dongles. Please do not ask me for 'cracks' for them though else I will get very annoyed.


Of course some of the developers are kind enough to supply wonderful little utilities such as the example above from Cimagrafi. Naturally ALL of my options are now enabled :-).

Developer ID's & Seed Codes

When reversing HASP & Sentinel (and other dongles too), there is usually a piece of information supplied to the developer which identifies that specific dongle; in Sentinel's case this could theoretically be verified. HASPs, for example, are characterised by their passwords, Sentinels by a developer ID and further passwords for specific API functions, and I think Hardlock is also identified by its MOD address. The page linked here is my attempt to log those manufacturer details I am aware of (it's by no means a complete list of even the programs I have reversed, so I hope you will contribute).


Protection Advice

If you insist on protecting your application with a dongle consider heeding my advice :-

1. Firstly, when any good cracker attacks your software he or she (not to discriminate) will usually go looking for the tell-tale signs of your dongle manufacturer's routines (read above how both Sentinel & HASP are vulnerable to simple API breakpoints as well as other approaches). Your first step therefore should be to make this task harder. If your dongle vendor provides any encryption, e.g. the HASP envelope or Sentinel shell, then USE it and check for file tampering; this is especially effective with dlls, which are time-consuming to unpack. Although the HASP wrapper has been broken and the Sentinel shell won't stop anyone with a legitimate dongle, multiple files requiring de-protection buys time.

2. Detect debuggers and anti-debugging tools, e.g. FrogsICE & SoftICE; only a cracker is going to be running the former, and the latter is unlikely on any of your customers' machines. Use at least 2 routines for your detection and DON'T tell the cracker you've found it; if you do, alter the program flow subtly and redirect the cracker to a routine he really doesn't want to analyse. Don't do anything illegal like formatting hard disks: just one instance of this happening to a legitimate user will render your product obsolete. See my anti-debugging page for many detection possibilities. Also encrypt your "bad guy" message strings, otherwise a disassembler will easily isolate them.

3. For the most part a cracker won't be familiar with the operation of your program, and the warez peddlers generally don't test very well; this is the most powerful weapon you can ultimately use. Words from your dongle can be used as encryption seeds, values in switch statements or variables critical to specific functions; if your program performs any mathematical or statistical analysis/calculations a dongle word is just begging to be used :-). The more doubt you place in a cracker's mind about a word's value, the more time he'll waste staring blankly at his debugger and the less likely an illegitimate commercial user will make do with the cracked version. If you can, use proprietary encryption (hash functions, say) on your dongle data.

4. Sometimes a cracker will be fortunate enough to have a "dump" of your hardware key's contents, or he may possess the actual dongle (very unlikely in my experience of the warez scene). If you can spare the dongle memory space, use a registry query to retrieve the RegisteredOrganization key and encrypt it before storing it in the dongle's memory (this might at least help you identify your disloyal customer). Any cracker worth his salt with access to a legitimate dongle will break your protection (eventually), so try to educate your customers a little with regards to software piracy; small organisations with 1 or 2 licences are much more likely candidates to leak your software, so support them if you can with friendly licensing policies, you might appeal to their conscience :-).

5. If you are using Hardlock, HASP or Sentinel then most of the commercial crackers already have generic vxd/sys files which they merely configure with registry keys and distribute. This of course means they will not actually alter your program, attacking instead the dongle manufacturer's code, so consider adding additional protection such as strongly encrypted keyfiles, server validation checks, encrypted registry keys, basically anything that will add hours to a cracker's progress. For example, take CimaRender Pro v7.0 (a program I recently reversed): the HASP dongle on this target took me under 4 minutes (literally) to crack using pure finger movements, yet reversing the key algorithm required nearly 2 hours of analysis (although I acknowledge I could have patched after around 20 minutes).

Finally, take a little visit to some of the search engines and find out if a crack exists for your program; if you can actually obtain it, download it and study the weak links in your protection.
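Point 3 above (dongle words as encryption seeds) and the remark in the introduction about key length, as an added example that is not from the page or any vendor's SDK: a code section "encrypted" under a 16-bit dongle return word, and the known-plaintext attack that recovers the word without the dongle. The keystream generator is a constructed toy (an LCG-driven byte stream), not the HASP envelope or any real cipher; the sample section is constructed too, but its first bytes are an ordinary x86 function prologue, which is exactly the kind of plaintext a cracker can predict.

```python
# Ordinary MSVC-style x86 function entry: push ebp; mov ebp,esp; sub esp,10h;
# push ebx; push esi; push edi.  A code section's first bytes are predictable,
# which is all a known-plaintext attack needs.
KNOWN_PROLOGUE = bytes.fromhex("558bec83ec10535657")


def keystream(key, length, bits=16):
    """Toy byte stream seeded by the dongle word (an LCG; constructed for this
    example, not any vendor's cipher)."""
    state = key & ((1 << bits) - 1)
    out = bytearray()
    for _ in range(length):
        state = (state * 1103515245 + 12345) & 0xFFFFFFFF
        out.append((state >> 16) & 0xFF)
    return bytes(out)


def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt_section(plain, dongle_word, bits=16):
    """What the developer does: XOR the code section with a stream keyed by a
    word the dongle returned.  Decryption is the same operation."""
    return xor_bytes(plain, keystream(dongle_word, len(plain), bits))


def recover_dongle_word(cipher, known_prefix, bits=16):
    """Trial-decrypt the first len(known_prefix) bytes under every possible
    word and keep the candidates that reproduce the known plaintext.  For a
    16-bit word that is 65536 tries of a few bytes each, i.e. instant."""
    head = cipher[:len(known_prefix)]
    return [w for w in range(1 << bits)
            if xor_bytes(head, keystream(w, len(head), bits)) == known_prefix]


def decrypt_without_dongle(cipher, known_prefix, bits=16):
    """Full attack: recover the word, then decrypt the whole section with it.
    Returns None when the known plaintext does not pin down a single key
    (e.g. no known plaintext at all, where every candidate 'matches')."""
    hits = recover_dongle_word(cipher, known_prefix, bits)
    if len(hits) != 1:
        return None
    return encrypt_section(cipher, hits[0], bits)


def demo():
    # Constructed section: the prologue followed by mov eax,[ebp+8];
    # mov ecx,[ebp+0Ch]; add eax,ecx; pop edi; pop esi; pop ebx; mov esp,ebp;
    # pop ebp; ret.  The key is the return code from the ALLDATA listing above.
    section = KNOWN_PROLOGUE + bytes.fromhex("8b45088b4d0c03c15f5e5b8be55dc3")
    cipher = encrypt_section(section, 0xB940)
    hits = recover_dongle_word(cipher, KNOWN_PROLOGUE)
    return hits, decrypt_without_dongle(cipher, KNOWN_PROLOGUE) == section
```

demo() returns ([0xB940], True). The attack never needs the dongle, only a guess at what the decrypted bytes should look like; that is why a dongle word used as a key only helps when the key material is long enough that trial decryption of the whole space is out of reach, and why the "use the word in a calculation" advice above is the stronger of the two.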

Real Dongle Reversing

The objective of mastering the art of dongle reversing rests inside the ASICs used by these parasites. In virtually every off-the-shelf dongle I've seen sold to developers there is an API function which uses unrecoverable algorithms to manipulate passed parameters, independently of the EPROM. In HASP this API is HaspCode() or Service 2, which has been completely broken (see above for the source code), although I can tell you now that this was only achieved via careless leaks inside Aladdin.

Sentinel's equivalent, RNBOsproQuery(), is not so widely studied and can't be generically broken according to their API guide, because the internal algorithms are apparently different for each customer. From a dongle review site I snatched this fairly useful snippet: '...SentinelSuperPro features 14 field-activated algorithms, memory, and Rainbow's proprietary ASIC...the key is the industry's only software protection device to combine the benefits of multiple algorithms and read/write memory in one solution'.

The standard Sentinel query has been broken, and the default Sentinel API implementation isn't robust in any case, because the query response is rarely used to decrypt the program. HASP would have remained secure had its algorithm not been discovered, because it is the responses from the ASIC which are used to decrypt the code section: no dongle = no execution.

The name of the game with real dongle reversing is "API awareness": don't think you'll break good dongle implementations just by SoftICE'ing and reversing a few jumps; you may do a few weak implementations this way, but not many. Get the documentation and WATCH the queries and word-reading APIs very closely, then emulate the main routines. Remember it can sometimes be impossible to recover exact response codes, because you'll sometimes end up with TEST [ESI+38], 1 as a check (this example from a real dongle btw :-) ).

If you have access to the original dongle, endeavour to study it DEEPLY: bpr or bpm on the words returned from the dongle. Certain dongle manufacturers sadly see fit to try and defeat our debuggers, so patch your SoftICE or use FrogsICE (the lazy man's anti-debugging tool).




© 1998, 1999, 2000, 2001 CrackZ. 24th September 2001.
STATISTICS :- 23/25