Reverse Engineering for Beginners


CHAPTER 78. DONGLES


Listing 78.4: Results

message #1
key= 20 value= eb^h%|``hudw|_af{n~f%ljmSbnwlpk
key= 21 value= ajc]i"}cawtgv{^bgto}g"millcmvkqh
key= 22 value= bkd\j#rbbvsfuz!cduh|d#bhomdlujni
key= 23 value= check security device connection
key= 24 value= lifbl!pd|tqhsx#ejwjbb!nQofbshlo
message #2
key= 7 value= No security device found
key= 8 value= An#rbbvsVuz!cduhld#ghtme?!#!'!#!
message #3
key= 7 value= Bk<waoqNUpu$yreoa\wpmpusj,bkIjh
key= 8 value= Mj?vfnrOjqv%gxqd``_vwlstlk/clHii
key= 9 value= Lm>ugasLkvw&fgpgag^uvcrwml.mwhj
key= 10 value= Ol!tdtMhwx'efwfbf!tubuvnm!anvok
key= 11 value= No security device station found
key= 12 value= In#rjbvsnuz!{duhdd#r{whho#gPtme
message #4
key= 14 value= Number of authorized users exceeded
key= 15 value= Ovlmdq!hg#juknuhydk!vrbsp!Zydbefe
message #5
key= 17 value= check security device station
key= 18 value= ijbh!tdtmhwx'efwfbf!tubuVnm!'!


There is some garbage, but we can quickly find the English-language messages!


By the way, since the algorithm is a simple XOR encryption, the very same function can be used to encrypt messages. If
needed, we can encrypt our own messages and patch the program by inserting them.
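As an added example (not code from the book), here is a small Python brute-forcer in the spirit of Listing 78.4 together with a demonstration of the point just made: because XOR is its own inverse, the decryption routine is also the encryption routine. The per-byte key schedule it uses (XOR with the key, which then decreases by one for each position) is an assumption inferred from how adjacent keys shift the characters in the listing, not the routine from the previous section, and the sample plaintext and the letters-and-spaces ranking are constructed here; ranking goes one step beyond the listing, which simply prints every key for a human to read.

```python
# Added example, not from the book: brute-force a per-byte XOR "encryption"
# and reuse the same routine to produce ciphertext for a patched message.
# ASSUMPTION: the key is XORed with each byte and then decremented by one per
# position (8-bit wrap).  This schedule is inferred from the listing's
# adjacent-key columns; the real routine lives in the chapter's prior section.


def xor_rolling(data: bytes, key: int) -> bytes:
    """XOR every byte with a key that decreases by one per position.

    XOR is an involution, so calling this twice with the same starting key
    returns the original bytes: it decrypts and encrypts alike.
    """
    out = bytearray()
    k = key
    for b in data:
        out.append(b ^ (k & 0xFF))  # mask keeps the key in one byte as it wraps
        k -= 1
    return bytes(out)


def text_score(data: bytes) -> float:
    """Fraction of bytes that are ASCII letters or spaces (1.0 = reads like a message)."""
    if not data:
        return 0.0
    good = sum(1 for b in data if b == 0x20 or 0x41 <= b <= 0x5A or 0x61 <= b <= 0x7A)
    return good / len(data)


def brute_force(cipher: bytes, max_key: int = 256):
    """Try every starting key; return (key, plaintext) pairs, most readable first."""
    results = [(text_score(xor_rolling(cipher, k)), k, xor_rolling(cipher, k))
               for k in range(max_key)]
    results.sort(key=lambda t: (-t[0], t[1]))  # best score first, lowest key on ties
    return [(k, plain) for _, k, plain in results]


def best_key(cipher: bytes) -> int:
    """The key whose output looks most like plain English."""
    return brute_force(cipher)[0][0]


# Constructed sample: one message from the listing, encrypted with key 23.
SAMPLE_PLAIN = b"check security device connection"
SAMPLE_CIPHER = xor_rolling(SAMPLE_PLAIN, 23)

if __name__ == "__main__":
    # Same report format as the listing, but only the five best candidates.
    for key, plain in brute_force(SAMPLE_CIPHER)[:5]:
        print(f"key= {key} value= {plain.decode('ascii', 'replace')}")
    # Patch scenario: the bytes a binary would need for a message of our own.
    print(xor_rolling(b"dongle check skipped", 23).hex())
```

Ranking by the letters-and-spaces ratio just automates the "spot the English" step the text does by eye; on a stream of real strings it is worth printing the top few candidates rather than trusting the single best one.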


78.3 Example #3: MS-DOS.


Another very old piece of software for MS-DOS, from 1995, also developed by a company that disappeared a long time ago.


In the pre-DOS-extender era, all the software for MS-DOS mostly relied on 16-bit 8086 or 80286 CPUs, so en masse the
code was 16-bit. The 16-bit code is mostly the same as what you have already seen in this book, but all registers are 16-bit and
fewer instructions are available.


The MS-DOS environment has no system drivers, and any program can deal with the bare hardware via ports, so here you
can see the OUT/IN instructions, which nowadays are present mostly in drivers (it is impossible to access ports directly
in user mode on all modern OSes).


Given that, an MS-DOS program that works with a dongle has to access the LPT printer port directly, so we can just
search for such instructions. And yes, here they are:


seg030:0034 out_port proc far ; CODE XREF: sent_pro+22p
seg030:0034 ; sent_pro+2Ap ...
seg030:0034
seg030:0034 arg_0 = byte ptr 6
seg030:0034
seg030:0034 55 push bp
seg030:0035 8B EC mov bp, sp
seg030:0037 8B 16 7E E7 mov dx, _out_port ; 0x378
seg030:003B 8A 46 06 mov al, [bp+arg_0]
seg030:003E EE out dx, al
seg030:003F 5D pop bp
seg030:0040 CB retf
seg030:0040 out_port endp


(All label names in this example were given by me).
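The "search for such instructions" step above can be done with a disassembler, but it is also easy to do against raw bytes. The following Python scanner is an added example (not code from the book): it walks a 16-bit code image looking for the IN/OUT opcodes, recovers the port number when a `mov dx, imm16` precedes the instruction, and flags standard LPT base addresses. The sample bytes are constructed here, modelled on the out_port listing but loading DX with an immediate rather than from a memory variable; the opcode table covers the 8086 port I/O forms, and a flat byte scan cannot distinguish opcodes from operand bytes, which the sample deliberately shows.

```python
# Added example, not from the book: static scan of raw 16-bit code for port I/O.

# Port I/O opcodes whose port is the DX register.
PORT_IO_DX = {
    0xEC: "in al, dx",
    0xED: "in ax, dx",
    0xEE: "out dx, al",
    0xEF: "out dx, ax",
}
# Port I/O opcodes followed by an 8-bit immediate port number.
PORT_IO_IMM8 = {
    0xE4: "in al, {port}",
    0xE5: "in ax, {port}",
    0xE6: "out {port}, al",
    0xE7: "out {port}, ax",
}
MOV_DX_IMM16 = 0xBA  # mov dx, imm16 in 16-bit code
LPT_PORTS = (0x378, 0x278, 0x3BC)  # usual LPT1..LPT3 data-port base addresses


def scan_port_io(code: bytes, dx_window: int = 16):
    """Return (offset, mnemonic, port_or_None) for every candidate IN/OUT.

    Caveat: a linear byte scan cannot tell opcodes from operand bytes, so every
    hit must be confirmed in a disassembler, as the listing in the text was.
    The port is recovered only when a `mov dx, imm16` was seen within
    `dx_window` bytes before the instruction; out_port() in the text loads DX
    from a memory variable, and such a case yields None.
    """
    hits = []
    last_dx = None       # operand of the most recent `mov dx, imm16`
    last_dx_off = None
    i = 0
    while i < len(code):
        b = code[i]
        if b == MOV_DX_IMM16 and i + 2 < len(code):
            last_dx = code[i + 1] | (code[i + 2] << 8)  # little-endian imm16
            last_dx_off = i
            i += 3
            continue
        if b in PORT_IO_DX:
            port = None
            if last_dx is not None and i - last_dx_off <= dx_window:
                port = last_dx
            hits.append((i, PORT_IO_DX[b], port))
        elif b in PORT_IO_IMM8 and i + 1 < len(code):
            port = code[i + 1]
            hits.append((i, PORT_IO_IMM8[b].format(port=f"0x{port:02X}"), port))
            i += 2
            continue
        i += 1
    return hits


def lpt_hits(code: bytes, lpt_ports=LPT_PORTS):
    """Only the hits whose recovered port is a standard LPT base address."""
    return [h for h in scan_port_io(code) if h[2] in lpt_ports]


# Constructed sample (not bytes from the book's binary): a small far procedure.
SAMPLE_CODE = bytes([
    0x55,                # push bp
    0x8B, 0xEC,          # mov bp, sp      (ModRM byte 0xEC looks like "in al, dx")
    0xBA, 0x78, 0x03,    # mov dx, 0x378   (LPT1 data port)
    0x8A, 0x46, 0x06,    # mov al, [bp+6]
    0xEE,                # out dx, al
    0xE4, 0x60,          # in al, 0x60     (keyboard controller, for contrast)
    0x5D,                # pop bp
    0xCB,                # retf
])

if __name__ == "__main__":
    for off, mnemonic, port in scan_port_io(SAMPLE_CODE):
        shown = f"0x{port:X}" if port is not None else "?"
        print(f"{off:04X}: {mnemonic:<14} port={shown}")
    print("LPT candidates:", lpt_hits(SAMPLE_CODE))
```

The first hit in the sample, at offset 2, is the ModRM byte of `mov bp, sp` masquerading as `in al, dx`; that false positive is why the scan only narrows the search and the disassembler has the final word. Filtering on the recovered LPT port, as `lpt_hits()` does, is the quickest way to separate dongle traffic from the keyboard and timer accesses old DOS programs also perform.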


out_port() is referenced only in one function:


seg030:0041 sent_pro proc far ; CODE XREF: check_dongle+34p
seg030:0041
seg030:0041 var_3 = byte ptr -3
seg030:0041 var_2 = word ptr -2
seg030:0041 arg_0 = dword ptr 6
seg030:0041
seg030:0041 C8 04 00 00 enter 4, 0
