Dongle Description - Dongle Information - Dongle BPX's - Dongle Emulators - Dongle Tutorials - Dongle Implementation
I'll just use this space to explain exactly what dongles are. Often termed as hardware protection most dongles are small parallel port plugs which consist of little more than factory burned EPROM and an ASIC of sorts. The idea behind a dongle is the developer issuing checks against return values obtained from the dongle, evidently these calling routines are the weak link. Virtually all dongle implementations can be broken without the need for the dongle, the software developers who use them usually aren't clever enough or motivated enough to really invest the time reading the dongle manufacturer's API, they assume that because they are using a dongle that will be deterrent enough..
On very rare occasions dongles can be unbeatable without access to the original dongle, some dongles literally drive the programs they protect (e.g. LightWave) or make so many checks on returns (e.g. ArchiCAD, Mastercam) that patching all of the checks reliably just isn't an option (although emulation of the main protection routines is). Others use the return codes from the dongle as encryption seeds, although I've yet to see a key of sufficient length that would make brute-forcing impossible. I really can't stress this point enough, make your way to the dongle manufacturer's websites and get their API guides, else you'll be reversing jumps all day.
I should point out that removing dongles from software is legally a slightly different area to debugging standalone applications (even if you have purchased a legitimate dongle), read here the legal directives regarding hardware locks (albeit a little German biased), note that if your dongle is stolen you are left up the creek basically, pay or else. Needless to say, your here only to learn about these protections just in case you need to fix something quickly while waiting for your replacement :-).
http://www.des.co.uk/ - DESKey range.
http://www.globetrotter.com/ - FlexLM
licensing system (can interface with hardware locks), they have recently removed
their SDK's from most parts of the web because of the insecurity.
http://www.hardlock.com/ - Hardlock by
Aladdin Knowledge Systems.
ftp://ftp.hasp.com/ - HASP by Aladdin Knowledge
Systems - also http://www.aks.com/.
-
Suggested reading (haspman.pdf).
Hardlock API Guide -
Full disclosure of Hardlock API, slightly edited (90k).
Proteq range - Very basic Portuguese dongle
(3 API's, is_it_connected(), read() & write() ).
ftp://ftp.rnbo.com/ - Sentinel range by Rainbow
(recommended reading pro223.pdf, spro_dev.pdf).
WIBU-KEY - More information soon.
bpio -h 378 rw (I/O port access), CreateFileA (dongle driver file), DeviceIOControl, FreeEnvironmentStringsA (very effective against HASP's). Message Box API's, Prestochangoselector (16-bit HASP's), '7242' search string (Sentinel packet record validation).
DongleSpy v1.0 - A monitoring program for Super SentinelPro dongles which link the manufacturers specific dll, pretty much obselete (25k).
DumbHASP- Dumps the internal contents of HASP dongles, only works with 112 byte flavours i.e. MemoHASP-1 (47k).
HASP Grabber v0.97.3 - Another HASP memory dumper which might work with all HASP's. Its a lot faster than DumbHASP too (10k).
Quine's "Pushing the Envelope with HASP" essay - A simply superb essay which disappeared from the web a while back (I have some idea as to the reason why). Now that the envelope has moved on a little I see no harm in re-publishing this great document in its entirety (if Quine objects I'll remove it).
Safesoft Systems SSI emulator - Generates reliable vxds for this very particular flavour of dongle (20k).
Soft-Pro HASP Emulator v0.06 - Yet more HASP emulation via vxd/sys. These files aren't actually a variation on the commercial UCL emulators hence my reason for including them. This replaces hasp95.vxd which is curious to say the least, my research tells me that rewriting hasp95dl.vxd is by far the easier way to go. In its current form this emulator is useless, I tested it using Services 1, 2, 5 and 50 without any success, I also couldn't find any signs of a generic Service 2 routine. If the author is reading my page and has a real version he'd like to send me I'll graciously accept :-) (265k).
UCL's Commercial HASP Emulator (with source code) - Recently released by Meteo & Fixit this is the full package of a HASP vxd/sys emulator that was up until recently being sold commercially. It takes registry keys to activate these files for use with specific programs. All services are emulated well yet the driver version needs updating. You might ask yourself why these were released to the public, simple really, HASP's new envelope no longer communicates via this interface and thus on the newest programs they are functionally useless (86k).
UCL's HASP Seed Code Generator - A very useful program (1k).
I'll briefly explain why this is so useful. The idea when you develop your HASP protection is to call HaspCode to check whether a specific dongle exists, you do this by passing the dongle Passwords and a seed code via the hasp() routine, then you verify the corresponding return codes. Read Bajunny's essays at Fravia's site for an explanation of this pretty simple concept. To get this C code to compile you'll need to add the correct compiler include directive (trivial).
Example (from a real TimeHASP - ALLDATA v2.5):
:0045F02B PUSH 00006B47 <-- 2nd HASP password.
:0045F030 PUSH
00003815 <-- 1st HASP password.
:0045F037 PUSH 00000135 <-- Hasp Seed
Code.
:0045F03C PUSH 00000002 <-- Basic Service 2 (HaspCode).
:0045F03E
CALL 0045F0A6 <-- HASP routine.
:0045F046 CMP DWORD PTR [EAX+18], 0000B940
<-- Good return code.
On this occasion you are given the value of the return code that is checked, (you can of course verify this with the generator).
Of course if you are planning on reversing lots of HASP's you'll want to convert this code into ASM, perhaps emulating other services whilst your there, this should be achievable in under 500 bytes (including the triad table).
WKPE v1.81 or download direct here (190k).
This one was kindly sent to me by the author and is freeware (Windows 95 only). Its approach is vxd based yet not specific to any specific dongle, seems to rely on trapping low-level IO access (of course you need the original dongle). The author claims 80% reliability or effectiveness, I recall reading elsewhere that this could be somewhat optimistic :-). I can only advise you try this (it didn't work on the HASP or Sentinel I have here). As its free I don't really think you ought to trouble the author too much for support.
| Target Name | Description | Date |
| 3D Studio Max R2.5 | Very simple patching of a Sentinel protection. | 06/10/99 |
| ALLDATA CAR v3.00 | How to emulate completely the main hasp() routine. | 18/03/99 |
| CASMate-Pro v6.52 | HASP envelope encryption reversing and complete emulation of a MemoHASP. | 22/10/99 |
| Cimagrafi v5.0 | Beating a fairly tricky MemoHASP & observing some common tricks. | 12/11/98 |
| Cimatron v10 BETA | More hasp() emulation as well as adding code to a protected dll. | 02/04/99 |
| Cimatron v10.6 | HASP's new envelope (version 7), redirecting
HASP routines, HASP driver attacking. |
20/12/99 |
| Chief Architect 97 | A simply appalling Super SentinelPro implementation. | 01/12/98 |
| CPS v1.16 | Reversing scw32.dll or "how not to implement a secure API". | 01/11/98 |
| DigiSHOW.vld v1.25 | Just don't use Deskey's dk47wn32.dll for your protection. | 04/09/98 |
| ERDAS IMAGINE v8.2 | Don't make your functions "cracker friendly" (Sentinel). | 07/02/99 |
| EyeSys Windows Workstation v2.11W | Kechk.dll & cracker frustration with INT 3 loops. | 07/03/99 |
| FabriCAD Suite v3.0 | Recovering HASP return codes and patching a good HaspCode() implementation. | 04/09/99 |
| GeoPath Power CAD/CAM | Feeling the dongle return codes (with a version 3 addition - added Dec. 1999). | 26/09/98 |
| HASP Envelope | A guide to completely removing the HASP PE envelope (.protect section). | 04/10/99 |
| Hollywood FX v3.08 | More Sentinel reversing. | 11/03/99 |
| Virtual Gibbs v5.05 | Re-writing sproRead() and identifying Sentinel trademark API weaknesses. | 26/09/99 |
You can view on my coding page a full list of programs I have reversed which use dongles.
Of course some of the developers are kind enough to supply wonderful little utilities such as the example above from Cimagrafi. Naturally ALL of my options are now enabled :-).
If you insist on protecting your application with a dongle consider heeding my advice :-
1. Firstly, when any good cracker attacks your software he or she (not to discriminate) will usually go looking for the tell-tale signs of your dongle manufacturers routines (read above how both Sentinel & HASP are vulnerable to simple API breakpoints). Your first step therefore should be to make this task harder. If your dongle vendor provides any encryption e.g. the HASP envelope or Sentinel shell then USE it and check the PE header for tampering, this is especially effective with dll's. Although these wrappers have been broken, multiple files requiring de-protecting buys time.
2. Detect debuggers (or SoftICE) using at least 2 routines and DON'T tell the cracker if you've found it, one very easy technique would be to open autoexec.bat and check for winice.exe, see my anti-debugging page for further possibilities. Try also to encrypt your "bad guy" message strings otherwise a disassembler will easily isolate them.
3. For the most part a cracker won't be familiar with the operation of your program, so use words from your dongle as encryption seeds, values in switch statements or variables critical to specific functions. The more doubt you place in a crackers mind about the word's value the more time he'll waste staring blankly at his debugger, if you can, use _inline assembler to ROR/ROL & XOR your words.
4. Sometimes a cracker will be fortunate enough to have a "dump" of your hardware keys contents, therefore if you can spare the dongle memory space use a registry query to retrieve the RegisteredOrganization key and encrypt it before storing it to the dongles memory (this might at least help you identify your disloyal customer).
5. If you are using HASP or Sentinel then most of the "commercial crackers" already have generic vxd/sys files which they will distribute at a price to end-lusers. Consider therefore adding additional protection means such as strongly encrypted keyfiles or even a once-off server validation check (as suppliers tend not to be crackers a well-hidden encrypted registry key could keep your program safe for months).
Finally take a little visit to DupeCheck and find out if a crack exists for your program, if you can actually obtain it, download and study the weak links in your protection..
Real Dongle Reversing
The objective of mastering the art of dongle reversing rests inside the ASIC's used by these parasites. In virtually every off-the-shelf dongle I've seen sold to developers there is an API function provided which uses unrecoverable algorithms to manipulate passed parameters, this occurs independent of the EPROM. In HASP this API is HaspCode() or Service 2 which has been completely broken (see above for the source code), although I can tell you now that this was only achieved with careless leaks inside Aladdin.
Sentinel's equivalent RNBOsproQuery() is not so widely studied and can't be generically broken according to their API guide because the internal algorithms are apparently different for each customer. The standard Sentinel query has been broken yet the default Sentinel API implementation isn't robust enough because rarely is the query being used to decrypt the program. HASP would have remained secure if its algorithm hadn't been discovered because it is responses from the ASIC which are used to decrypt the code section, no dongle = no execution.
The name of the game with real dongle reversing is "API awareness", don't think you'll break good dongle implementations by just SoftICE'ing and reversing a few jumps, you may do a few weak implementations this way but not many. Get the documentation and WATCH the queries and word reading API's very closely, then emulate the main routines. Remember it can sometimes be impossible to recover exact response codes because you'll sometimes end up with TEST [ESI+38], 1 as a check (this example from a real dongle btw :-) ).
If you have access to the original dongle endeavour to study it DEEPLY, bpr or bpm on returned words from the dongle. Certain dongle manufacturers sadly see it fit to try and obfuscate our debuggers, so patch your SoftICE or use FrogsICE (the lazy man's anti-debugging tool).