Copy Link
Add to Bookmark
Report
NuKE Issue 06-008
================================================================================
Volume 1, Issue 6, May 1993
NuKE Info-Journal #6
NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE
uK E-
KE "The `Arms Race' on Physical Protection -N
E- Devices : Round Two" Nu
-N uK
Nu By KE
uK Rock Steady E-
KE -N
E-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-Nu
% Physical Copy-protection Devices %
A physical protection device is usually a piece of equipment to a computer
or used in conjunction with a computer to protect software or data. The
majority of such devices are commonly referred to as `dongles', which are
electronic devices attached to the computer.
When a dongle protection is used, no attempt is made to prevent the user or
owner of the package from creating additional copies of the software. The
device is designed to prevent unauthorised use and not unauthorised copying.
The origins of the word `dongles' is obscure, but it originated about 1978-79
and is believed to have been first used to protect the `Wordcraft' package
on the Commodore Pet.
% Dongles - A Simple Dongle Design %
The first problem in designing a dongle is finding some method of attaching
the device to the hardware. It must be a method which is available on the
standard minimum configuration machine for which the software is intended to
run. The _most_ obvious choice is the serial interface port of which nearly
every machine has at least one, especially with the increase use of mice and
modems which require serial connections. Assuming further that we do not wish
to use this port during the running of the program, then a very simple dongle
could be constructed using the standard cabling and reverse channel so that
communications are usually made in both directions simultaneously. The wires
would have the following functions:
Sending Channel
~~~~~~~~~~~~~~~
Request to send (Output when the computer is ready to go)
Clear to send (Received when the terminal is ready)
Transmit data (Line for the computer to transmit the data)
Receiving Channel
~~~~~~~~~~~~~~~~~
Data Terminal Ready (Output when the computer is ready to receive data)
Data Set Ready (Received when the terminal is ready to transmit)
Receive Data (Line for Computer to receive the data)
Carrier Detect (Line for modem to signal the computer that
(another modem signal has been found via telephone)
Ring Detect (Line for modem to signal the computer that a)
(ringing tone has been received)
Assume that wires are used to connect the signals as shown below:
Standard output Standard inputs
~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~
Transmit data..........Data Set Ready
Request to send........Receive Data
Data terminal ready....Ring Detect
This is a bizarre combination, which is extremely unlikely to be used by
design with any sort of equipment. To protect our dongle we further seal
the plug casing with pitch or epoxy resin so that the details of the wiring
cannot be seen without melting out or drilling away the resin.
The representation of a `U' character in the standard ASCII code will appear
as a square wave. This is because the character itself has the binary value
0101 0101, and, taken with the character beginning pulse (start bit) and the
character ending (stop bit), this makes up a square wave signal 1 0101 0101 0
+6v-+ +-+ +-+ +-+ +-+ +-+ Now, Transmit a stream of `U's, since Transmit is
| | | | | | | | | | | connected to Data Set Ready, this will go up and
0 | | | | | | | | | | | down, at intervals of one bit. By Sampling this
| | | | | | | | | | | line the program can test that the correct pattern
-6v +-+ +-+ +-+ +-+ +-+ +- is being transmitted and received. This means the
dongle is in place. This is a perhaps a dongle suitable for the computer
hobbyist, it rather is quite a poor attempt as a dongle. This is because of
several reasons; it does not allow the use of the serial port because it is
needed for the dongle, therefore a mouse or modem or printer connection via
the serial port can not be done if you only have one serial port.
% Advanced Pseudo Random bit Generator Dongles %
Two new devices being marketed to software homes are Datakey (DES, 1988) and
Software Key (Bristol, 1988). The overall concepts of both are similar, and
they were in fact developed by the same inventor, although the two structures
are quite separate and the details of the devices differ alot.
The devices are `active' dongles. Meaning one end of the dongle plugs into the
computer, and whatever is normally connected to the RS232 port is connected to
the other end, and should be unaffected by this device.
In the Datakey, which is a bit oriented device, toggling the Data Terminal
Ready line causes a single bit of data to be presented at Data Set Ready or the
Data Carrier Detect Line. By this means, a string of pseudo random binary data
of any length can be read out of the device. Assembly language routines are
included with the device for linking into the software to be protected.
In the Software Key, special command codes are used to trigger the device,
which responds with a byte of pseudo random data. Such sequences only repeat
after an extremely large number of operation.
% Software Sentinel %
The Software Sentinel (Sentinel, 1988) plugs into the parallel printer port of
an 80x86. The parallel channel was preferred to the serial channel since the
parallel channel is always present on many systems, even with minimum
configuration. However Sentinel also have a serial port version of this device
called the Sentinel S.
% Dongle Cracking %
~~~~~~~~~~~~~~~~~~~
Some exports are scornful of the protection afforded by dongles. Some even
boast that 30 minutes would usually be sufficient to bypass any dongle
protection in any program. As a matter of fact dongle cracking is actually
straight forward, simply find the routine that accesses the dongle test. The
difficulty of this job is really based on the software used to access the
dongle. If the software accesses the parallel/serial port via interrupt
functions, a simple TSR program can be stated to `fool' the program that a
dongle is present, or simply trace through the code from that point on to
see what actually happens, and what the program expects to get back. However
I do not expect a program to use interrupts to access an I/O port for the
sole reason of easily breaking in via the vector table. Chances are the
software is accessing the I/O port directly with the built in processor
instructions (OUT/IN). So it will be up to the user to disassemble the
program to search for IN/OUT or INS/OUTS or INSB/OUTSB or INSW/INTSW
instructions that will access the parallel/serial ports. Once you locate
the routine that accesses the port, you may either reverse engineer or set
a break-point and attempt your journey of debugging.
Nevertheless, this does not nullify the credablity of dongle protection.
As a matter of fact several new software are using dongles to protect
their software. But the fact remains, no software is 100% secure. Dongles,
require software to `test' that the dongle is attached, therefore the
possibility of finding the `test' routine exists, and therefore modification
is possible.
% Lenslok % The Latest Physical Protection Device %
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
The Lenslok device was also designed for the low cost software end of the
market. The device consists of a plastic lens device rather like a pocket
magnifying glass. It contains a series of prisms which cause anything viewed
through it to be seen as a confused jumble of different dots. (pixels)
Figure #1 Figure #2
1 2 3 4 5 A B C D E
ÚÄÄÄÂÄÄÄÂÄÄÄÂÄÄÄÂÄÄÄ¿ ÚÄÄÄÂÄÄÄÂÄÄÄÂÄÄÄÂÄÄÄ¿ The letter `A' normally looks
³ ³ ³ X ³ ³ ³ ³ X ³ ³ ³ ³ ³ like the pattern in figure #1.
ÃÄÄÄÅÄÄÄÅÄÄÄÅÄÄÄÅÄÄÄ´ ÃÄÄÄÅÄÄÄÅÄÄÄÅÄÄÄÅÄÄÄ´ Scrambled, it could look like
³ ³ X ³ ³ X ³ ³ ³ ³ X ³ ³ X ³ ³ the pattern shown in #2. All
ÃÄÄÄÅÄÄÄÅÄÄÄÅÄÄÄÅÄÄÄ´ ÃÄÄÄÅÄÄÄÅÄÄÄÅÄÄÄÅÄÄÄ´ that was done was that column
³ X ³ ³ ³ ³ X ³ ³ ³ ³ X ³ ³ X ³ 1 & 3 were interchanged. So if
ÃÄÄÄÅÄÄÄÅÄÄÄÅÄÄÄÅÄÄÄ´ ÃÄÄÄÅÄÄÄÅÄÄÄÅÄÄÄÅÄÄÄ´ we took column A & C and swapped
³ X ³ ³ ³ ³ X ³ ³ ³ ³ X ³ ³ X ³ them, we would get the
ÃÄÄÄÅÄÄÄÅÄÄÄÅÄÄÄÅÄÄÄ´ ÃÄÄÄÅÄÄÄÅÄÄÄÅÄÄÄÅÄÄÄ´ charactor `A' once again.
³ X ³ X ³ X ³ X ³ X ³ ³ X ³ X ³ X ³ X ³ X ³ Then the Lenslok would consist
ÃÄÄÄÅÄÄÄÅÄÄÄÅÄÄÄÅÄÄÄ´ ÃÄÄÄÅÄÄÄÅÄÄÄÅÄÄÄÅÄÄÄ´ of a simple optical system,
³ X ³ ³ ³ ³ X ³ ³ ³ ³ X ³ ³ X ³ which consists of two shallow
ÃÄÄÄÅÄÄÄÅÄÄÄÅÄÄÄÅÄÄÄ´ ÃÄÄÄÅÄÄÄÅÄÄÄÅÄÄÄÅÄÄÄ´ angled grooves cut into the
³ X ³ ³ ³ ³ X ³ ³ ³ ³ X ³ ³ X ³ plastic which change over the
ÀÄÄÄÁÄÄÄÁÄÄÄÁÄÄÄÁÄÄÄÙ ÀÄÄÄÁÄÄÄÁÄÄÄÁÄÄÄÁÄÄÄÙ columns.
So, the user would apply the `lens' to the screen, over the jumbled pattern
of dots and presses a key until the pattern appears through the prism.
Therefore, in a Lenslok protected system, you may have a word, scrambled,
which the system may ask you to respond to, whereby you would take the lens,
and pass it ontop of the charactor and voila.
% Cracking all together now... %
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Lenslok, is a great physical copy-protection, it is low-costing, it can be
used inconjuction with the current `Document Protection' currently widely
used in several low-cost software, expecially in home entertainment computer
games. Document protection, is whereby the program, mainly in the beginning,
will stop for a moment and ask you a question, whereby the answer is only
to be found in the documents supplied with the original package. Nevertheless,
document protection, is fairly weak, as documents can be easily photocopied.
It can also be scanned as a computer image, and can be easily distributed,
through computer modems, into the computer BBS scene.
So to an extent Lenslok can help document protection, as a lens is not easily
copied by your average computer hobbyist. So even though a copy of the
documention is made, how are we to know what exactly it (the software),
is asking us for?
All together now, _ALL_ protection schemes developed now, can be broken, may it
be, Lenslok, dongles, disk-based protection schemes. This is due to the reason
that all protection schemes have to use some sort of software that will `test',
and decide if this is an authorised copy or not. The fact of the matter is,
that their is a terrible weak spot. Software protectors have developed
_amazing_ protection schemes, the `front' of the protection is almost
unbreakable. Emagine a castle in medival times, with a moat around the castle,
the moat contains deadly man-eating animals, the front of the castle also have
men waiting with boiling oil to throw over you, there is also several men with
bows and arrows awaiting to kill you. Now, how effective is this, if somebody
leaves the back gate unlocked? Sure, it may be nearly impossible to get through
by the front, but the back gate is unguarded. The same applies for copy-
protection, whereby the fact of the matter is, that nobody has done anything
about low-level entry! Anyone capable of 80x86 structure assemble language,
can by-pass a copy-protection. The only problem is finding the routine, this
is a challenge within itself, it is rarely a just a CMP command. For some
reason NPC members think that CMP is all there is to look for! Aren't they
acomplished crackers?
Cracking involves alot of time, extreme knowledge on the 80x86, and a few
tricks of the trade. If a document check awaits you to type an answer, you
will need to set a break-point at that exact location. Ctrl-Break, will
_rarely_ work, so you will have to make tools of your own, that will allow you
to exit at the desired location. Protected software usually overwrite the
Int 3h, and Int 1h, to avoid break-points, you will have to devise your own
Break-point type program, perhaps one hooked to Int 9h, and at ALT-A it will
execute a Int 3h, and at the same time you will enter your debugger entry
point back to Int 3h. I would hook my TSR to Int 5h and on Print-Scrn it
would load the debugger. Many times, you would have to put a special routine
on Int 8h or 1Ch to make sure that your entry point is not erased at the
vector table, there's an unlimited number of possible combinations, I certainly
cannot name you them all. But what I can do, is give you the theory concept of
the protection scheme, and you can devise your own pleasable method. Many,
people enjoy reverse engneering jobs, some (like myself) take note of all
systems I/Os and Interrupts being called, and work my break-point from there.
But this two-part article was to give you an understanding on how some copy-
protection schemes work. The _only_ way one can attempt to defeat the
protection is to understand how the protection works. Then your attempts to
bypass it will be much more effective, rather than taking a non-effective
guess. Be direct, go directly to the source of the conflict, don't waste
your time on anything else. So I do hope this has been a learning experience
for at least some. If demand is there, in the following news journal we may
focus on effective cracking techniques, and some tricks and tips to avoid
falling into a ditch.
Rock Steady/NuKE
==============================================================================