Assembly Language for Beginners


8.5. DONGLES


key= 23 value= check security device connection
key= 24 value= lifbl!pd|tqhsx#ejwjbb!nQofbshlo
message #2
key= 7 value= No security device found
key= 8 value= An#rbbvsVuz!cduhld#ghtme?!#!'!#!
message #3
key= 7 value= Bk<waoqNUpu$yreoa\wpmpusj,bkIjh
key= 8 value= Mj?vfnrOjqv%gxqd`_vwlstlk/clHii
key= 9 value= Lm>ugasLkvw&fgpgag^uvcrwml.mwhj
key= 10 value= Ol!tdtMhwx'efwfbf!tubuvnm!anvok
key= 11 value= No security device station found
key= 12 value= In#rjbvsnuz!{duhdd#r{whho#gPtme
message #4
key= 14 value= Number of authorized users exceeded
key= 15 value= Ovlmdq!hg#juknuhydk!vrbsp!Zydbefe
message #5
key= 17 value= check security device station
key= 18 value= ijbh!tdtmhwx'efwfbf!tubuVnm!'!


There is some garbage, but we can quickly find the English-language messages!


By the way, since the algorithm is a simple XOR encryption, the very same function can be used to
encrypt messages. If needed, we can encrypt our own messages and patch the program by inserting
them.


8.5.3 Example #3: MS-DOS


Another very old piece of MS-DOS software from 1995, also developed by a company that disappeared a long
time ago.


In the era before DOS extenders, MS-DOS software mostly ran on 16-bit 8086 or 80286 CPUs, so
the code was 16-bit en masse.


The 16-bit code is mostly the same as what you have already seen in this book, but all registers are 16-bit and
fewer instructions are available.


The MS-DOS environment has no system drivers, and any program can deal with the bare hardware via
ports, so here you can see the OUT/IN instructions, which nowadays are found mostly in drivers (it
is impossible to access ports directly in user mode on all modern OSes).


Given that, the MS-DOS program which works with a dongle has to access the LPT printer port directly.


So we can just search for such instructions. And yes, here they are:


seg030:0034 out_port proc far ; CODE XREF: sent_pro+22p
seg030:0034 ; sent_pro+2Ap ...
seg030:0034
seg030:0034 arg_0 = byte ptr 6
seg030:0034
seg030:0034 55 push bp
seg030:0035 8B EC mov bp, sp
seg030:0037 8B 16 7E E7 mov dx, _out_port ; 0x378
seg030:003B 8A 46 06 mov al, [bp+arg_0]
seg030:003E EE out dx, al
seg030:003F 5D pop bp
seg030:0040 CB retf
seg030:0040 out_port endp


(All label names in this example were given by me).
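As an added example (not code from the book), a small Python scanner that applies the approach described above to a raw 16-bit code blob: a naive pass lists every byte that equals an IN/OUT opcode, and a minimal linear-sweep decoder, covering only the instruction forms that appear in the out_port() listing, confirms which of them are real instructions. The input bytes are the ones shown in the listing for out_port() (seg030:0034..0040).

```python
# Locate x86 port I/O instructions (IN/OUT) in a raw 16-bit code blob.
# Pass 1: naive opcode-byte scan (fast, but operand bytes can collide with
# opcode values).  Pass 2: a tiny linear-sweep decoder that knows the
# instruction lengths for the forms used in the out_port() listing, so it
# only reports IN/OUT at real instruction boundaries.

# Constructed input: the bytes of out_port() copied from the listing above.
OUT_PORT_BYTES = bytes.fromhex("558BEC8B167EE78A4606EE5DCB")

PORT_IO_OPCODES = {
    0xE4: "in al, imm8",  0xE5: "in ax, imm8",
    0xE6: "out imm8, al", 0xE7: "out imm8, ax",
    0xEC: "in al, dx",    0xED: "in ax, dx",
    0xEE: "out dx, al",   0xEF: "out dx, ax",
}

def naive_scan(code):
    """Every offset whose byte equals an IN/OUT opcode (includes false hits)."""
    return [(i, PORT_IO_OPCODES[b]) for i, b in enumerate(code) if b in PORT_IO_OPCODES]

def modrm_len(modrm):
    """Displacement bytes that follow a ModRM byte in 16-bit addressing."""
    mod, rm = modrm >> 6, modrm & 7
    if mod == 0:
        return 2 if rm == 6 else 0      # mod=00, r/m=110 is a bare disp16
    return {1: 1, 2: 2, 3: 0}[mod]

def insn_len(code, i):
    """Length of the instruction at offset i, or None if the opcode is unsupported."""
    op = code[i]
    if op in PORT_IO_OPCODES:
        return 1 if op >= 0xEC else 2   # E4..E7 carry an imm8 port number
    if 0x50 <= op <= 0x5F or op == 0xCB:   # push/pop r16, retf
        return 1
    if op in (0x88, 0x89, 0x8A, 0x8B):     # mov r/m,r and mov r,r/m
        return 2 + modrm_len(code[i + 1])
    if op == 0xC8:                         # enter imm16, imm8
        return 4
    return None

def decode_scan(code):
    """Linear sweep from offset 0; returns confirmed IN/OUT hits and the stop offset."""
    found, i = [], 0
    while i < len(code):
        n = insn_len(code, i)
        if n is None or i + n > len(code):
            break                          # unknown opcode: stop rather than guess
        if code[i] in PORT_IO_OPCODES:
            found.append((i, PORT_IO_OPCODES[code[i]]))
        i += n
    return found, i
```

On the listing's bytes the naive pass flags the ModRM byte EC of mov bp, sp and the E7 inside the displacement of mov dx, _out_port as well as the real out dx, al; the decoder keeps only the last one, at offset 0x0A, which is seg030:003E.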


out_port() is referenced in only one function:


seg030:0041 sent_pro proc far ; CODE XREF: check_dongle+34p
seg030:0041
seg030:0041 var_3 = byte ptr -3
seg030:0041 var_2 = word ptr -2
seg030:0041 arg_0 = dword ptr 6
seg030:0041
seg030:0041 C8 04 00 00 enter 4, 0
seg030:0045 56 push si
