8.5. DONGLES
seg000:00118A4C 40 82 00 20 bne error
seg000:00118A50 57 E0 06 3F clrlwi. %r0, %r31, 24
seg000:00118A54 41 82 00 10 beq good
seg000:00118A58 48 00 4B F5 bl sub_11D64C
seg000:00118A5C 60 00 00 00 nop
seg000:00118A60 48 00 00 10 b exit
seg000:00118A64
seg000:00118A64 good: # CODE XREF: check3+318j
seg000:00118A64 38 60 00 01 li %r3, 1
seg000:00118A68 48 00 00 08 b exit
seg000:00118A6C
seg000:00118A6C error: # CODE XREF: check3+19Cj
seg000:00118A6C # check3+238j ...
seg000:00118A6C 38 60 00 00 li %r3, 0
seg000:00118A70
seg000:00118A70 exit: # CODE XREF: check3+44j
seg000:00118A70 # check3+58j ...
seg000:00118A70 80 01 00 58 lwz %r0, 0x50+arg_8(%sp)
seg000:00118A74 38 21 00 50 addi %sp, %sp, 0x50
seg000:00118A78 83 E1 FF FC lwz %r31, var_4(%sp)
seg000:00118A7C 7C 08 03 A6 mtlr %r0
seg000:00118A80 83 C1 FF F8 lwz %r30, var_8(%sp)
seg000:00118A84 83 A1 FF F4 lwz %r29, var_C(%sp)
seg000:00118A88 4E 80 00 20 blr
seg000:00118A88 # End of function check3
There are a lot of calls to .RBEREAD().
Perhaps the function returns some values from the dongle, so they are compared here with some hard-coded values using CMPLWI.
We also see that the r3 register is filled before each call to .RBEREAD() with one of these values: 0, 1, 8, 0xA, 0xB, 0xC, 0xD, 4, 5. Probably a memory address or something like that?
Yes, indeed, by googling these function names it is easy to find the Sentinel Eve3 dongle manual!
Perhaps we don’t even have to learn any other PowerPC instructions: all this function does is call .RBEREAD(), compare its results with the constants and return 1 if the comparisons are fine or 0 otherwise.
OK, all we’ve got is that check1() has always to return 1 or any other non-zero value.
But since we are not very confident in our knowledge of PowerPC instructions, we are going to be careful: we will patch the jumps in check2() at 0x001186FC and 0x00118718.
At 0x001186FC we’ll write bytes 0x48 and 0, thus converting the BEQ instruction into a B (unconditional jump): we can spot its opcode in the code without even referring to [PowerPC(tm) Microprocessor Family: The Programming Environments for 32-Bit Microprocessors, (2000)]^13.
At 0x00118718 we’ll write 0x60 and 3 zero bytes, thus converting it to a NOP instruction: its opcode we could spot in the code too.
And now it all works without a dongle connected.
In summary, such small modifications can be done with IDA and minimal assembly language knowledge.
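As an added illustration (not code from the book), here is why "spotting the opcode" is enough: a decoder for the branch forms that occur in the check3 listing above, the two-byte 0x48 0x00 overwrite the text describes, and a properly encoded B for comparison. The check2 words at 0x001186FC are not on this page, so the BEQ at 0x118A54 from the listing stands in, and the backward-branch case is a constructed word; the point it shows is that the shortcut only preserves the target for a forward conditional branch.

```python
# Branch words copied from the check3 listing above (address, big-endian bytes).
LISTING = [
    (0x118A4C, bytes.fromhex("40820020")),  # bne error
    (0x118A54, bytes.fromhex("41820010")),  # beq good
    (0x118A58, bytes.fromhex("48004BF5")),  # bl sub_11D64C
    (0x118A5C, bytes.fromhex("60000000")),  # nop
    (0x118A60, bytes.fromhex("48000010")),  # b exit
    (0x118A88, bytes.fromhex("4E800020")),  # blr
]

def sext(value, bits):
    """Sign-extend the low `bits` bits of `value`."""
    return value - (1 << bits) if value & (1 << (bits - 1)) else value

def decode(addr, word):
    """Decode one 32-bit PowerPC word at `addr` -> (mnemonic, target or None).
    Only the branch forms and the nop that occur in the listing are handled."""
    op = word >> 26
    if op == 18:                                  # I-form b/bl: 24-bit LI, AA, LK
        off = sext((word >> 2) & 0xFFFFFF, 24) << 2
        target = off if word & 2 else (addr + off) & 0xFFFFFFFF
        return ("bl" if word & 1 else "b", target)
    if op == 16:                                  # B-form bc: BO, BI, 14-bit BD
        bo, bi = (word >> 21) & 0x1F, (word >> 16) & 0x1F
        off = sext((word >> 2) & 0x3FFF, 14) << 2
        target = off if word & 2 else (addr + off) & 0xFFFFFFFF
        if bo & 0x10:                             # BO = 1z1zz: branch always
            return ("b", target)
        names = ("blt", "bgt", "beq", "bso") if bo & 0x08 else ("bge", "ble", "bne", "bns")
        return (names[bi & 3], target)
    if op == 19 and (word >> 1) & 0x3FF == 16:    # XL-form bclr; BO = 20 is plain blr
        return ("blr" if (word >> 21) & 0x1F == 20 else "bclr", None)
    if word == 0x60000000:                        # ori r0,r0,0 is the canonical nop
        return ("nop", None)
    return ("?", None)

def decode_listing(listing=LISTING):
    """Decode every (addr, bytes) pair as IDA shows them: big-endian words."""
    return [(addr, *decode(addr, int.from_bytes(b, "big"))) for addr, b in listing]

def prefix_overwrite(word):
    """The text's recipe: write 0x48 0x00 over the first two bytes of the word.
    It keeps the low 16 bits, where a forward BEQ's displacement already sits."""
    return 0x48000000 | (word & 0xFFFF)

def encode_b(addr, target):
    """A properly encoded relative B (I-form, AA=0, LK=0) from addr to target;
    unlike prefix_overwrite this also handles backward (negative) displacements."""
    return 0x48000000 | ((target - addr) & 0x3FFFFFC)
```

decode_listing() reproduces IDA's targets for every branch in the listing (error, good, sub_11D64C, exit), which is the check worth doing before trusting a hand-written patch byte.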
8.5.2 Example #2: SCO OpenServer.
An ancient piece of software for SCO OpenServer from 1997, developed by a company that disappeared a long time ago.
There is a special dongle driver to be installed in the system that contains the following text strings: “Copyright 1989, Rainbow Technologies, Inc., Irvine, CA” and “Sentinel Integrated Driver Ver. 3.0”.
After the installation of the driver in SCO OpenServer, these device files appear in the /dev filesystem:
/dev/rbsl8
/dev/rbsl9
/dev/rbsl10
(^13) Also available at http://yurichev.com/mirrors/PowerPC/6xx_pem.pdf