Dongles, how do they work?

Reversing ain't easy these days and is getting harder. Every other executable is packed with this or that, PEiD is no longer updated, and many software companies are moving towards dongle-based security. The idea is simple: store the registration key or the encryption key on a portable piece of hardware rather than in the program.

So what is a dongle? Traditionally a dongle is a hardware device that connects to the PC through one of the ports in the back. The older ones used the parallel printer port.

Finding a computer with a parallel port these days is tough, so as with all technology, adaptations were made. Now USB is the de facto standard.

These are relatively cheap to produce and hard to crack. Depending on how the dongle protection is incorporated, it can be practically impossible to run the program without the device. Not completely impossible, however. If the protection is implemented wrong, cracking the program can be as simple as a 3-byte patch that turns the conditional branch after the dongle check into an unconditional jump, i.e. changing

    cmp eax,0
    jne 040032BE
    ret

to

    jmp 040032BE

so that the "dongle found" path is taken whether or not the device ever answered.
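The patch above, carried out on bytes, as an added example that is not code from the original post. It finds a `cmp eax,0` (or the equally common `test eax,eax`) followed by `jne` and `ret`, and rewrites the `jne` into a `jmp` to the same target. In the short-jump form this is a single byte (opcode 75 becomes EB); in the near form `jmp rel32` is one byte shorter than `jne rel32`, so the displacement is recomputed and a `nop` fills the gap. The opcode constants are the standard x86 encodings; `SAMPLE_SHORT` is a constructed stub, and offsets are relative to the start of the blob (a real file adds the section base).

```python
# Added example, not code from the original post: make the conditional branch
# after a dongle check unconditional, preserving its target.  The byte patterns
# are the standard x86 encodings; SAMPLE_SHORT is a constructed code stub.

CMP_EAX_0 = b"\x83\xf8\x00"        # cmp eax,0      (3 bytes)
TEST_EAX_EAX = b"\x85\xc0"         # test eax,eax   (2 bytes, the other usual form)
JNE_SHORT, JMP_SHORT = 0x75, 0xEB  # jne rel8 / jmp rel8
JNE_NEAR = b"\x0f\x85"             # jne rel32      (6 bytes)
JMP_NEAR = 0xE9                    # jmp rel32      (5 bytes)
RET, NOP = 0xC3, 0x90


def jump_target(code: bytes, off: int) -> int:
    """Decode the destination of the short/near jne or jmp at offset off.
    Offsets are relative to the start of code; a real file would add the base."""
    op = code[off]
    if op in (JNE_SHORT, JMP_SHORT):
        rel = int.from_bytes(code[off + 1:off + 2], "little", signed=True)
        return off + 2 + rel
    if op == JMP_NEAR:
        rel = int.from_bytes(code[off + 1:off + 5], "little", signed=True)
        return off + 5 + rel
    if code[off:off + 2] == JNE_NEAR:
        rel = int.from_bytes(code[off + 2:off + 6], "little", signed=True)
        return off + 6 + rel
    raise ValueError(f"no jump at offset {off:#x}")


def patch_presence_check(code: bytes) -> tuple:
    """Find the first 'cmp eax,0 (or test eax,eax) ; jne X ; ret' sequence and turn
    the jne into a jmp so the 'dongle found' path is taken regardless of eax.
    Returns (patched_code, offset_of_the_jump); the jump target is unchanged."""
    buf = bytearray(code)
    for compare in (CMP_EAX_0, TEST_EAX_EAX):
        i = buf.find(compare)
        while i != -1:
            j = i + len(compare)                       # offset of the jne
            # short form: 75 rel8 ; C3  -> one byte changes, 75 becomes EB
            if buf[j:j + 1] == bytes([JNE_SHORT]) and buf[j + 2:j + 3] == bytes([RET]):
                buf[j] = JMP_SHORT
                return bytes(buf), j
            # near form: 0F 85 rel32 ; C3 -> E9 rel32' ; 90.  jmp rel32 is a byte
            # shorter than jne rel32, so rel32 is recomputed and a nop fills the gap.
            if buf[j:j + 2] == JNE_NEAR and buf[j + 6:j + 7] == bytes([RET]):
                target = jump_target(code, j)
                buf[j] = JMP_NEAR
                buf[j + 1:j + 5] = (target - (j + 5)).to_bytes(4, "little", signed=True)
                buf[j + 5] = NOP
                return bytes(buf), j
            i = buf.find(compare, i + 1)
    raise ValueError("dongle-check pattern not found")


# Constructed stub: returns early when eax (the dongle status) is 0.
SAMPLE_SHORT = (b"\x55\x8b\xec"             # push ebp ; mov ebp,esp
                + CMP_EAX_0                 # cmp eax,0
                + b"\x75\x05"               # jne +5  (lands on the mov below, offset 13)
                + b"\xc3"                   # ret     (the 'no dongle' exit)
                + b"\x90" * 4               # padding
                + b"\xb8\x01\x00\x00\x00")  # mov eax,1 (the 'dongle OK' path)

if __name__ == "__main__":
    patched, at = patch_presence_check(SAMPLE_SHORT)
    print(f"jne at offset {at:#x} -> jmp; target {jump_target(patched, at):#x}")
    print(SAMPLE_SHORT.hex(" "), "->", patched.hex(" "))
```

Two things a practitioner checks before applying such a patch to a real file: that the matched sequence really is the dongle check (the same byte pattern appears in plenty of unrelated error paths), and that the image is not integrity-checked or decrypted at load time, in which case the on-disk patch is either rejected or overwritten.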

There are two ways to implement a dongle: the right way and the wrong way. The right way is to encrypt your program, store the decryption key on the dongle, and decrypt at run time, so that without the device the code never exists in a runnable form. Even then the key has to be protected in transit: if it is read off the dongle over the bus it can be captured there, which is why the stronger products keep the key inside the device and have the dongle itself perform the decryption.

The wrong way is to merely check for the presence of the dongle. Why? Device drivers can be written to emulate the functionality and visibility of any device, USB and parallel devices included. Not only that, the check for a device can be patched quite easily. There are a few companies out there that provide dongle-based protection to software vendors as a third-party service, taking the hassle of implementing a copy protection system out of the vendor's hands. The trouble is that once you've cracked the third-party provider's method, the same crack works on every one of their clients.
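The two designs side by side, as an added example that is neither the article's code nor any vendor's. Both are simulated in Python: a presence check that guards code shipped in the clear, and a loader that fetches the key from the dongle and decrypts an authenticated blob. The cipher (an HMAC-SHA256 keystream plus an HMAC tag) is chosen so the example runs on the standard library alone; `Dongle`, `FakeDongle` and `PROGRAM` are constructed stand-ins. The last case in `demo()` anticipates the sniffing section: a copy of the key captured on the bus is enough to build a working emulator.

```python
# Added example, not the article's or any vendor's code: the two designs the
# text contrasts, simulated in Python.  The cipher (HMAC-SHA256 keystream plus an
# HMAC tag) is chosen so this runs with the standard library; a real scheme would
# use AES-GCM or similar.  Dongle, FakeDongle and PROGRAM are constructed stand-ins.
import hashlib
import hmac
import os
from typing import Optional


class Dongle:
    """Hardware key stand-in: answers 'are you there?' and hands out its key."""
    def __init__(self, key: bytes):
        self._key = key

    def present(self) -> bool:
        return True

    def read_key(self) -> bytes:          # this is the traffic a USB sniffer would see
        return self._key


class FakeDongle(Dongle):
    """What a driver-level emulator offers when the real key is unknown."""
    def __init__(self):
        super().__init__(b"\x00" * 16)


def keystream(key: bytes, n: int) -> bytes:
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, ctr.to_bytes(8, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def encrypt_program(key: bytes, program: bytes) -> bytes:
    """ciphertext || 32-byte tag; the tag lets the loader reject a wrong key."""
    ct = bytes(a ^ b for a, b in zip(program, keystream(key, len(program))))
    return ct + hmac.new(key, ct, hashlib.sha256).digest()


def decrypt_program(key: bytes, blob: bytes) -> Optional[bytes]:
    ct, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, ct, hashlib.sha256).digest()):
        return None                        # wrong key: nothing runnable comes out
    return bytes(a ^ b for a, b in zip(ct, keystream(key, len(ct))))


PROGRAM = b"print('licensed feature unlocked')"   # constructed stand-in for real code


def run_presence_checked(dongle: Dongle) -> Optional[bytes]:
    """The wrong way: the code is shipped in the clear and a boolean guards it.
    Any object whose present() says True (or a patched branch) gets through."""
    return PROGRAM if dongle.present() else None


def run_key_decrypted(dongle: Dongle, blob: bytes) -> Optional[bytes]:
    """The right way: the code ships encrypted and the key is fetched from the
    dongle at run time, so a dummy device without the key yields nothing."""
    return decrypt_program(dongle.read_key(), blob)


def demo() -> dict:
    real = Dongle(os.urandom(16))
    blob = encrypt_program(real.read_key(), PROGRAM)
    sniffed = real.read_key()              # the key, as captured on the bus
    return {
        "presence_bypassed": run_presence_checked(FakeDongle()) == PROGRAM,
        "encrypted_no_key": run_key_decrypted(FakeDongle(), blob),
        "encrypted_real_key": run_key_decrypted(real, blob) == PROGRAM,
        "encrypted_sniffed_key": run_key_decrypted(Dongle(sniffed), blob) == PROGRAM,
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The point of the tag is that a wrong key fails closed instead of producing garbage code that crashes somewhere later; the point of `read_key()` being a plain read is that the whole scheme is only as strong as the bus it crosses.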

Take Sentinel from SafeNet for example: http://www.safenet-inc.com/support-downloads/sentinel-drivers/ . Their protection suite is quite popular, yet recent versions have one fatal flaw: their dongle-based copy protection can be halted with a single 3-byte patch.

Say the software in question is done the right way: encrypted, and in need of the key to be decrypted at run time. How might this be cracked? For starters, we need to identify the key. The key can be obtained either in memory during live analysis in a debugger, or statically by probing the driver or the contents of the USB device. Device drivers have to be debugged with a kernel debugger, since drivers don't operate in user mode; WinDbg is suitable for this, and SoftICE can be used as well (I myself have never been able to get SoftICE working, but if you can, go for it). Another method is a little program called USBSnoop: http://sourceforge.net/projects/usbsnoop/ . It logs the USB data exchange between the hardware and the device driver. I've had excellent luck with this and have found the decryption key in plain text by analyzing the data stream log. On current Windows versions the same capture can be taken with USBPcap and read in Wireshark; whatever the sniffer, what you are looking for in the device-to-host transfers is a printable serial or a fixed-length, high-entropy blob that comes back right after the program's first request to the device.
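Hunting through a capture for the key, as an added example that is not the article's code. The log format here is a simplified, constructed `[seq] DIRECTION ep=0x.. len=N: hex` layout, not USBSnoop's or USBPcap's real output, so `parse_log()` is the piece to adapt to whatever sniffer you use. Everything downstream works on the reassembled payloads: device-to-host transfers are searched for printable runs (the plain-text key case from the article) and for payloads of a common key size whose byte entropy is near the maximum (a binary key). `SAMPLE_LOG` is constructed to contain one of each.

```python
# Added example, not code from the original post.  The log layout is a simplified
# constructed format, not the real output of USBSnoop or USBPcap; SAMPLE_LOG is
# a constructed capture containing a printable key and a binary one.
import math
import re
import string
from typing import List, Tuple

LINE = re.compile(
    r"^\[(\d+)\]\s+(IN|OUT)\s+ep=0x([0-9a-fA-F]{2})\s+len=(\d+):\s*([0-9a-fA-F ]*)$"
)

# Constructed capture: a request goes out, a status word and then key material come back.
SAMPLE_LOG = """\
[1] OUT ep=0x01 len=8: 01 00 00 00 00 00 00 00
[2] IN  ep=0x81 len=2: 00 01
[3] OUT ep=0x01 len=8: 02 00 10 00 00 00 00 00
[4] IN  ep=0x81 len=18: 44 45 4d 4f 2d 4b 45 59 2d 31 32 33 34 2d 41 42 43 44
[5] OUT ep=0x01 len=8: 03 00 00 00 00 00 00 00
[6] IN  ep=0x81 len=16: 9f 3a c4 7e 11 b0 6d 52 e8 04 d9 2b 77 c6 1a f5
"""


def parse_log(text: str) -> List[Tuple[int, str, int, bytes]]:
    """Return (seq, direction, endpoint, payload) for every transfer line;
    anything that is not a transfer line (URB headers, timestamps) is skipped."""
    records = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        seq, direction, ep, length, hexbytes = m.groups()
        data = bytes.fromhex(hexbytes)
        if len(data) != int(length):
            raise ValueError(f"length mismatch in record {seq}")
        records.append((int(seq), direction, int(ep, 16), data))
    return records


def printable_runs(data: bytes, min_len: int = 8) -> List[str]:
    """ASCII runs long enough to be a serial or key (the plain-text case)."""
    ok = set(string.ascii_letters + string.digits + "-_{}:=")
    runs, cur = [], ""
    for b in data + b"\x00":               # sentinel flushes the final run
        if b < 128 and chr(b) in ok:
            cur += chr(b)
        else:
            if len(cur) >= min_len:
                runs.append(cur)
            cur = ""
    return runs


def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; log2(len) is the maximum for a short blob."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in (data.count(b) for b in set(data)))


def key_candidates(records, key_sizes=(8, 16, 24, 32)) -> List[dict]:
    """Flag device-to-host payloads that look like key material: a long printable
    run, or a payload of a usual key size with near-maximal byte entropy."""
    out = []
    for seq, direction, ep, data in records:
        if direction != "IN":
            continue
        for run in printable_runs(data):
            out.append({"seq": seq, "ep": ep, "kind": "ascii", "value": run})
        if len(data) in key_sizes and entropy(data) > 0.9 * math.log2(len(data)):
            out.append({"seq": seq, "ep": ep, "kind": "binary", "value": data.hex()})
    return out


if __name__ == "__main__":
    for c in key_candidates(parse_log(SAMPLE_LOG)):
        print(f"record {c['seq']} ep 0x{c['ep']:02x} {c['kind']}: {c['value']}")
```

On a real capture, diff two runs of the protected program: a key that is read out in the clear shows up as the same device-to-host payload both times, while a challenge-response scheme shows different bytes on every run and means the key itself never crosses the bus.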

Once the key has been obtained, decryption of the program is possible. What needs to be done from there? Either A) dump the decrypted program, which would then no longer need the key (whether this works depends on how the encryption is implemented, e.g. whether the whole image is decrypted once at start-up or individual routines are decrypted on demand), or B) create an emulator. The emulator is simply a dummy USB device that contains a copy of the USB dongle, key and all.

It's hard to explain without going into full detail on how to create such an emulator, but guides do exist on how to write drivers. First off you'll need the Driver Development Kit (now the Windows Driver Kit, WDK) from Microsoft. Next, check out libusb-win32 from SourceForge: http://sourceforge.net/apps/trac/libusb-win32/wiki . Create a USB device driver that simulates the key or files being present on the newly emulated device. Maybe one day I'll write a step-by-step guide on writing such a program, but for now we have the basics and concepts out of the way.

Expect more updates in the future.


18 thoughts on “Dongles, how do they work?”
  1. Great info!
    Is it possible to bypass the hardware dongle’s driver installation/dongle check within the installer’s executable, bypassing the need to retrieve the decrypted key from the dongle?

    1. Depends on whether they are encrypting the main program and putting the key on the dongle. If not, then it’s totally possible to patch the main exe, either through the use of detours or with just a simple patch.

      1. I’m thinking that a detour is possible with modding the script.bin, at least that’s where I am so far. Any tips on bin editor/translator for reading in code instead of hex? I’m using HxD but I’m such a noob with hex…

        1. You can always pop the binary code into IDA Pro and force it to treat data as code. That’s the biggest problem with working with a hex editor: trying to differentiate code from data.

  2. I use a dongle and protection software that encrypts my programs and uses the decryption function inside the dongle to decrypt the assembly in memory at run time. It also blocks the decryption if a debugger like SoftICE is running.
    Anyway, I get exceptions on serializing, since the BinaryFormatter cannot get the assembly.

    Source = mscorlib
    Message = Unable to find assembly ‘Zimt, Version=1.0.0.3, Culture=neutral, PublicKeyToken=null’.
    TargetSite = System.Reflection.Assembly GetAssembly()
    Stack =
    System.Runtime.Serialization.Formatters.Binary.BinaryAssemblyInfo.GetAssembly()
    System.Runtime.Serialization.Formatters.Binary.ObjectReader.GetType(BinaryAssemblyInfo assemblyInfo, String name)
    System.Runtime.Serialization.Formatters.Binary.ObjectMap..ctor(String objectName, String[] memberNames, BinaryTypeEnum[] binaryTypeEnumA, Object[] typeInformationA, Int32[] memberAssemIds, ObjectReader objectReader, Int32 objectId, BinaryAssemblyInfo assemblyInfo, SizedArray assemIdToAssemblyTable)
    System.Runtime.Serialization.Formatters.Binary.__BinaryParser.ReadObjectWithMapTyped(BinaryObjectWithMapTyped record)
    System.Runtime.Serialization.Formatters.Binary.__BinaryParser.ReadObjectWithMapTyped(BinaryHeaderEnum binaryHeaderEnum)
    System.Runtime.Serialization.Formatters.Binary.__BinaryParser.Run()
    System.Runtime.Serialization.Formatters.Binary.ObjectReader.Deserialize(HeaderHandler handler, __BinaryParser serParser, Boolean fCheck, Boolean isCrossAppDomain, IMethodCallMessage methodCallMessage)
    System.Runtime.Serialization.Formatters.Binary.BinaryFormatter.Deserialize(Stream serializationStream, HeaderHandler handler, Boolean fCheck, Boolean isCrossAppDomain, IMethodCallMessage methodCallMessage)

    How can I solve this problem?

  3. Hi,
    We have a software package that requires a dongle in order to compile a new version. The dongle connects to a parallel port. However, new computers don’t come with this port, as was mentioned in the article. Is there a way to use an adapter so I can plug the dongle into a computer that has either a usb port, DB15, or even a DB25?

    1. The parallel port LPT0 / LPT1 might be emulated via a USB interface, but the program might not recognize it. You may have to get an old computer running to get it. Or just pay some cracker to remove the dongle functionality.

  4. Great article !
    I have a piece of software on an old PC that uses an LPT dongle. I have the original dongle with me and an old PC with LPT. I’m going to try to create an emulated driver to use on a new laptop without LPT; I found some websites that dump the content and create a custom driver. I think that maybe it could work, what do you think?
    Thank you very much!

    1. As I’ve stated before, emulation of the driver is one thing, but it might be easy to patch the check altogether.

      1. Hi!
        I could bypass the check, but the hardware key stores some information attached to the computer ID, and this information is required by later functionality. Quite hard for me 🙂

  5. Dongles are anachronisms these days. Apps are moving to the cloud, and the big software companies have proven soft keys are all that is needed for your protection.

    In the final analysis, copy protection keeps people from using your software product: inconvenience and cost to the customer.

    Proof of your ownership of code, by hiding a signature in it, is good practice. This was proven necessary by Mathcad years back when a competitor was blatantly plagiarizing their software (at a trade show the competitor’s plagiarism was demonstrated publicly by invoking the Mathcad copyright test response on stage). Code signing can also protect the customer and the company’s reputation by ensuring the app has not become corrupted.

  6. Hi,

    how does this work?

        cmp eax,0
        jne 040032BE
        ret

    to

        jmp 040032BE

    I use a software program which requires a USB hardware dongle to work. A crack would be useful so it “jumps” the need for this dongle. But new versions are periodically released, meaning every new version needs a crack too. The software can also run with a software key but needs additional keys. So the installation key gives an activation key when installed on a PC or server, which again requires an unlock key. When the unlock key has been typed in, the software is functional.
    This has benefits as it can run virtual as well I assume.

    Challenged?

  7. I cracked an old HASP4 key (dongle) for my $20K software. I required an ExpressCard, my key and HASP emulator apps to crack it. I have to move to a new machine without a parallel port or ExpressCard slot. The HASP emulator app required the key to be plugged in for the first startup.

    Q: Is it possible to move emulator files from one machine to another?

    BTW: using Windows 10 32-bit now.
