Reverse Engineering for Beginners




Chapter 78


Dongles


The author of these lines occasionally did software copy-protection dongle replacements, or "dongle emulators", and here are
a couple of examples of how it happens.


You can read about one of the cases not included here in [Yur12].


78.1 Example #1: MacOS Classic and PowerPC


Here is an example of a program for MacOS Classic^1, for PowerPC. The company that developed the software product
disappeared a long time ago, so the (legal) customer was afraid of physical damage to the dongle.


While running without a dongle connected, a message box with the text "Invalid Security Device" appeared. Luckily, this
text string could easily be found in the executable binary file.


Let's pretend we are not very familiar with either Mac OS Classic or PowerPC, but will try anyway.


IDA opened the executable file smoothly and reported its type as "PEF (Mac OS or Be OS executable)" (indeed, this is the standard
Mac OS Classic file format).


By searching for the text string with the error message, we arrive at this code fragment:


...


seg000:000C87FC 38 60 00 01 li %r3, 1
seg000:000C8800 48 03 93 41 bl check1
seg000:000C8804 60 00 00 00 nop
seg000:000C8808 54 60 06 3F clrlwi. %r0, %r3, 24
seg000:000C880C 40 82 00 40 bne OK
seg000:000C8810 80 62 9F D8 lwz %r3, TC_aInvalidSecurityDevice


...


Yes, this is PowerPC code. The CPU is a very typical 32-bit RISC of the 1990s era. Each instruction occupies 4 bytes (just as in
MIPS and ARM) and the mnemonics somewhat resemble MIPS instruction names.


check1() is a function name we will give to it later. BL is the Branch Link instruction, i.e., the one intended for calling subroutines. The
crucial point is the BNE instruction, which jumps if the dongle protection check passes; if the check fails, the jump is not taken and the
address of the text string gets loaded into the r3 register, to be passed to a message box routine.


From [SK95] we find out that the r3 register is used for return values (and r4 as well, in the case of 64-bit values).


Another as yet unknown instruction is CLRLWI. From [IBM00] we learn that this instruction does both clearing and loading.
In our case, it clears the 24 high bits of the value in r3 and puts the result in r0, so it is analogous to MOVZX in x86 (15.1.1 on
page 189), but it also sets the flags, so BNE can check them afterwards.
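The following is an added example (my own code, not from the book) that decodes the five instruction words copied from the listing above, so the reader can check IDA's output by hand: the BL target equals the address of check1, CLRLWI. is the simplified mnemonic for RLWINM. with a 0xFF mask, and BNE is a BC that tests the EQ bit of CR0. The addresses and hex words are taken from the listing; bit fields use the IBM convention (bit 0 is the most significant bit).

```python
# Added example, not from the book: decode the instruction words copied from
# the listing above.  Input is constructed from that listing: (address, word).
LISTING = [
    (0x000C87FC, 0x38600001),  # li      %r3, 1
    (0x000C8800, 0x48039341),  # bl      check1
    (0x000C8808, 0x5460063F),  # clrlwi. %r0, %r3, 24
    (0x000C880C, 0x40820040),  # bne     OK
    (0x000C8810, 0x80629FD8),  # lwz     %r3, TC_aInvalidSecurityDevice
]

def bits(word, start, end):
    """Field [start..end] in IBM bit numbering (bit 0 is the MSB of the word)."""
    return (word >> (31 - end)) & ((1 << (end - start + 1)) - 1)

def sext(value, nbits):
    """Sign-extend an nbits-wide two's complement field."""
    return value - (1 << nbits) if value & (1 << (nbits - 1)) else value

def rlwinm_mask(mb, me):
    """Mask with bits MB..ME set (assumes MB <= ME, true for the clrlwi form)."""
    return (0xFFFFFFFF >> mb) & ((0xFFFFFFFF << (31 - me)) & 0xFFFFFFFF)

def decode(addr, word):
    op = bits(word, 0, 5)
    if op == 14:  # addi; "li rD,imm" is addi with RA=0
        return ("li" if bits(word, 11, 15) == 0 else "addi", bits(word, 6, 10), sext(bits(word, 16, 31), 16))
    if op == 18:  # b/bl: 24-bit signed word offset, AA=absolute, LK=link
        off = sext(bits(word, 6, 29), 24) << 2
        target = off if bits(word, 30, 30) else addr + off
        return ("bl" if bits(word, 31, 31) else "b", target)
    if op == 16:  # bc BO,BI,target: bne is BO=4 (branch if cond false), BI=2 (CR0 EQ)
        bd = sext(bits(word, 16, 29), 14) << 2
        return ("bc", bits(word, 6, 10), bits(word, 11, 15), addr + bd)
    if op == 21:  # rlwinm[.] RA,RS,SH,MB,ME; clrlwi. RA,RS,n == rlwinm. RA,RS,0,n,31
        mask = rlwinm_mask(bits(word, 21, 25), bits(word, 26, 30))
        return ("rlwinm." if bits(word, 31, 31) else "rlwinm",
                bits(word, 11, 15), bits(word, 6, 10), bits(word, 16, 20), mask)
    if op == 32:  # lwz RT,D(RA); RA=2 is the TOC pointer in PEF code
        return ("lwz", bits(word, 6, 10), bits(word, 11, 15), sext(bits(word, 16, 31), 16))
    return ("?", word)

def decode_listing():
    return {addr: decode(addr, word) for addr, word in LISTING}

def dongle_ok(r3_return):
    """Model of clrlwi. + bne: the jump to OK is taken iff the low byte of r3 is non-zero."""
    mask = decode(0x000C8808, 0x5460063F)[4]
    return (r3_return & mask) != 0
```

Note that dongle_ok() shows why the MOVZX analogy matters: only the low byte of check1()'s return value decides the branch, so a value such as 0x100 counts as failure.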


Let's take a look into the check1() function:


seg000:00101B40 check1: # CODE XREF: seg000:00063E7Cp
seg000:00101B40 # sub_64070+160p ...
seg000:00101B40
seg000:00101B40 .set arg_8, 8
seg000:00101B40
seg000:00101B40 7C 08 02 A6 mflr %r0


^1 pre-UNIX MacOS
