Reverse Engineering for Beginners


CHAPTER 78. DONGLES


At 0x001186FC we'll write the bytes 0x48 and 0, thus converting the BEQ instruction into a B (unconditional jump). We can spot
its opcode in the code without even referring to [IBM00].


At 0x00118718 we'll write 0x60 and 3 zero bytes, thus converting the instruction there into a NOP. Its opcode, too, can be spotted in the
code.


And now it all works without a dongle connected.


In summary, such small modifications can be done with IDA and minimal assembly language knowledge.
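The two patches from this example as a script, added here as an illustration and not the book's own tooling: it works on the image as a byte buffer, takes offsets within that buffer (translating the addresses 0x001186FC and 0x00118718 into file offsets is assumed to have been done already), refuses to write unless the bytes present really are a beq, and records which words changed. The sample image is constructed; the text does not show which instruction sits at the second address, so a placeholder bl stands in for it.

```python
# Added example, not code from the book: the two byte patches described above
# (beq -> b, and a 4-byte instruction -> nop) applied to a PowerPC image, with
# checks that the bytes being replaced are what we expect them to be.
from typing import List, Tuple

# The primary opcode of a PowerPC instruction is the top 6 bits of the
# big-endian word, i.e. first byte >> 2. That is why 0x48 ("b") and 0x60
# ("ori", whose all-zero form 60 00 00 00 is the nop) can be recognised
# straight from the bytes.
OPCODE_BC = 16   # bc family: beq is bc with BO=12 and BI = cr_field*4 + 2
OPCODE_B = 18    # unconditional branch
OPCODE_ORI = 24  # ori; "ori r0,r0,0" is the canonical nop

def primary_opcode(word: bytes) -> int:
    if len(word) != 4:
        raise ValueError("a PowerPC instruction is exactly 4 bytes")
    return word[0] >> 2

def is_beq(word: bytes) -> bool:
    """True if word encodes beq: opcode 16, BO = 011at (branch if the CR bit
    is set, no CTR decrement) and BI selecting the EQ bit (bit 2) of a CR field."""
    if primary_opcode(word) != OPCODE_BC:
        return False
    v = int.from_bytes(word, "big")
    bo = (v >> 21) & 0x1F
    bi = (v >> 16) & 0x1F
    return (bo >> 2) == 0b011 and (bi & 3) == 2

def patch(image: bytearray, offset: int, expected: bytes, new: bytes) -> None:
    """Overwrite bytes at offset, but only if they currently equal expected.
    A wrong offset or a different build of the binary is refused, not corrupted."""
    if len(expected) != len(new):
        raise ValueError("expected and new must have the same length")
    current = bytes(image[offset:offset + len(expected)])
    if current != expected:
        raise ValueError("bytes at 0x%X are %s, expected %s"
                         % (offset, current.hex(), expected.hex()))
    image[offset:offset + len(new)] = new

def beq_to_b(image: bytearray, offset: int) -> None:
    """Patch 1: write 0x48 0x00 over the first two bytes of a beq. The 14-bit
    displacement in the low two bytes is left alone. That only keeps the same
    target for a forward branch: a backward beq has the sign bit of its
    displacement set, and b's 24-bit field would read it as a large positive value."""
    word = bytes(image[offset:offset + 4])
    if not is_beq(word):
        raise ValueError("no beq at 0x%X: %s" % (offset, word.hex()))
    if word[2] & 0x80:
        raise ValueError("beq at 0x%X branches backwards; 48 00 would not preserve its target" % offset)
    patch(image, offset, word[:2], b"\x48\x00")

def nop_out(image: bytearray, offset: int) -> None:
    """Patch 2: replace the whole 4-byte instruction with 60 00 00 00 (nop)."""
    word = bytes(image[offset:offset + 4])
    patch(image, offset, word, b"\x60\x00\x00\x00")

def apply_dongle_patches(image: bytes, beq_offset: int, nop_offset: int) -> bytes:
    img = bytearray(image)
    beq_to_b(img, beq_offset)
    nop_out(img, nop_offset)
    return bytes(img)

def changed_words(before: bytes, after: bytes) -> List[Tuple[int, str, str]]:
    """(offset, old, new) for every 4-byte word that differs: the record one
    would compare against an integrity hash or a known-good copy of the binary."""
    return [(off, before[off:off + 4].hex(), after[off:off + 4].hex())
            for off in range(0, len(before), 4)
            if before[off:off + 4] != after[off:off + 4]]

# Constructed sample image (not the real binary). Offsets 4 and 12 stand in
# for 0x001186FC and 0x00118718; the instruction at the second address is not
# shown in the text, so a bl is used as a placeholder.
SAMPLE_IMAGE = bytes.fromhex(
    "60000000"   # nop
    "41820010"   # beq +0x10   (offset 4)
    "60000000"   # nop
    "48000021"   # bl  +0x20   (offset 12), placeholder
    "60000000"   # nop
)
BEQ_OFFSET, NOP_OFFSET = 4, 12

if __name__ == "__main__":
    patched = apply_dongle_patches(SAMPLE_IMAGE, BEQ_OFFSET, NOP_OFFSET)
    for off, old, new in changed_words(SAMPLE_IMAGE, patched):
        print("0x%04X: %s -> %s" % (off, old, new))
```

The expected-bytes check is what separates a deliberate patch from an accidental one: the same script run against a different build fails loudly instead of writing 0x48 0x00 into the middle of some unrelated instruction.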


78.2 Example #2: SCO OpenServer.


An ancient piece of software for SCO OpenServer from 1997, developed by a company that disappeared a long time ago.


There is a special dongle driver to be installed in the system, that contains the following text strings: “Copyright 1989,
Rainbow Technologies, Inc., Irvine, CA” and “Sentinel Integrated Driver Ver. 3.0 ”.


After the installation of the driver in SCO OpenServer, these device files appear in the /dev filesystem:


/dev/rbsl8
/dev/rbsl9
/dev/rbsl10


The program reports an error without a dongle connected, but the error string cannot be found in the executables.


Thanks to IDA, it is easy to load the COFF executable used in SCO OpenServer.


Let's also try to find the “rbsl” string, and indeed, it is found in this code fragment:


.text:00022AB8 public SSQC
.text:00022AB8 SSQC proc near ; CODE XREF: SSQ+7p
.text:00022AB8
.text:00022AB8 var_44 = byte ptr -44h
.text:00022AB8 var_29 = byte ptr -29h
.text:00022AB8 arg_0 = dword ptr 8
.text:00022AB8
.text:00022AB8 push ebp
.text:00022AB9 mov ebp, esp
.text:00022ABB sub esp, 44h
.text:00022ABE push edi
.text:00022ABF mov edi, offset unk_4035D0
.text:00022AC4 push esi
.text:00022AC5 mov esi, [ebp+arg_0]
.text:00022AC8 push ebx
.text:00022AC9 push esi
.text:00022ACA call strlen
.text:00022ACF add esp, 4
.text:00022AD2 cmp eax, 2
.text:00022AD7 jnz loc_22BA4
.text:00022ADD inc esi
.text:00022ADE mov al, [esi-1]
.text:00022AE1 movsx eax, al
.text:00022AE4 cmp eax, '3'
.text:00022AE9 jz loc_22B84
.text:00022AEF cmp eax, '4'
.text:00022AF4 jz loc_22B94
.text:00022AFA cmp eax, '5'
.text:00022AFF jnz short loc_22B6B
.text:00022B01 movsx ebx, byte ptr [esi]
.text:00022B04 sub ebx, '0'
.text:00022B07 mov eax, 7
.text:00022B0C add eax, ebx
.text:00022B0E push eax
.text:00022B0F lea eax, [ebp+var_44]
.text:00022B12 push offset aDevSlD ; "/dev/sl%d"
.text:00022B17 push eax
.text:00022B18 call nl_sprintf
.text:00022B1D push 0 ; int
.text:00022B1F push offset aDevRbsl8 ; char *
.text:00022B24 call _access
.text:00022B29 add esp, 14h
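To follow the listing, here is the visible part of SSQC, from the strlen() call to the _access() call, rewritten in Python. This is an added example, not code from the book or from the original program. It covers only the paths the fragment shows; the targets loc_22B84, loc_22B94, loc_22B6B and loc_22BA4 lie outside the fragment and are represented by None. The sign-extension done by the two movsx instructions is reproduced on purpose, and the lack of any range check on the second character is kept as in the original.

```python
# Added example (not the book's code, nor the original program's): the SSQC
# fragment above as a Python function, one comment per group of instructions.
import os

DEV_SL_FMT = "/dev/sl%d"    # aDevSlD in the listing
DEV_RBSL8 = "/dev/rbsl8"    # aDevRbsl8 in the listing

def movsx_byte(ch: str) -> int:
    """movsx eax, al / movsx ebx, byte ptr [esi]: the character as a signed 8-bit value."""
    b = ord(ch) & 0xFF
    return b - 0x100 if b & 0x80 else b

def ssqc_device_name(arg: str):
    """Return the string nl_sprintf() writes into var_44, or None whenever the
    listing jumps to a label outside the fragment shown."""
    if len(arg) != 2:                        # push esi ; call strlen ; cmp eax, 2 ; jnz loc_22BA4
        return None
    first = movsx_byte(arg[0])               # inc esi ; mov al, [esi-1] ; movsx eax, al
    if first == ord('3'):                    # cmp eax, '3' ; jz loc_22B84
        return None
    if first == ord('4'):                    # cmp eax, '4' ; jz loc_22B94
        return None
    if first != ord('5'):                    # cmp eax, '5' ; jnz short loc_22B6B
        return None
    digit = movsx_byte(arg[1]) - ord('0')    # movsx ebx, byte ptr [esi] ; sub ebx, '0'
    number = 7 + digit                       # mov eax, 7 ; add eax, ebx   (no range check)
    return DEV_SL_FMT % number               # nl_sprintf(var_44, "/dev/sl%d", eax)

def ssqc_probe(arg: str, access=os.access):
    """The _access("/dev/rbsl8", 0) call that follows the sprintf. Mode 0 is
    F_OK, so all this fragment learns is whether the driver's device node
    exists; note that it probes the literal "/dev/rbsl8", not the string it
    just built in var_44. access is injectable so the logic can be exercised
    on a machine without the driver installed."""
    name = ssqc_device_name(arg)
    if name is None:
        return None
    return name, bool(access(DEV_RBSL8, os.F_OK))

if __name__ == "__main__":
    for a in ("50", "59", "5x", "30", "5", "abc"):
        print(repr(a), "->", ssqc_device_name(a))
    print(ssqc_probe("50"))
```

Two things become obvious in this form that are easy to miss in the assembly: the second character is turned into a number with nothing but `sub ebx, '0'`, so "5x" yields "/dev/sl79", and the existence test that the program actually runs in this fragment is a plain access() on /dev/rbsl8, which is exactly the kind of call a system-call trace of the program would show.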
