
Thread: MAI Keylok on Linux

  1. #1
    suryawomshi
    Guest

    MAI Keylok on Linux

    I have been reading everything I can find regarding the Key-Lok LPT dongle. I have an application which runs on Red Hat Linux 9. The protection is in the form of a counter: after x uses, you have to buy another dongle. I tried debugging the application in IDA Pro using the Keylok signature but had no luck; in IDA, Strings shows "73e8466570a9e2300eeff2.MicroComputers Applications Inc" ...
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  2. #2
    FoxB
    Founder
    Join Date: Mar 2002
    Location: Earth
    Posts: 450
    upload main target software and PM link to me...

  3. #3
    suryawomshi
    Guest
    I have attached a file

    Please let me know the status.

    Attached Files

  4. #4
    OK, I have the target, ran it through IDA myself, and there is pretty much nowhere to hide in here. No encryption that I saw, or anything like that.

    What does it say when you're out of uses?

  5. #5
    suryawomshi
    Guest
    Invlid Media Card

  6. #6
    suryawomshi
    Guest


    Can somebody help me?

  7. #7
    Uhhh.. There is someone attempting to help, but he can't seem to get any cooperation. I sent you an e-mail detailing the first of the shared objects that I need in an attempt to execute the app so that I can see what's going on.

    What happened with that?

  8. #8
    suryawomshi
    Guest


    I have sent you mail.

    What is happening below? Can someone tell me?


    align 10h
    push ebp
    mov ebp, esp
    sub esp, 74h
    push esi
    push ebx
    push 2
    push offset aDevWindrvr ; "/dev/windrvr"
    call _open
    mov esi, eax
    add esp, 8
    cmp esi, 0FFFFFFFFh
    jz short loc_80636FA
    push 38h
    push offset a73e8466570a9e2 ; "73e8466570a9e2300eeff2.MicroComputers A"...
    lea ebx, [ebp-68h]
    push ebx
    call _memcpy
    add esp, 0Ch
    mov dword ptr [ebp-74h], 0A410B413h
    mov [ebp-70h], ebx
    mov dword ptr [ebp-6Ch], 68h
    lea eax, [ebp-74h]
    push eax
    push 9538244Bh
    push esi
    call _ioctl
    add esp, 0Ch
    push esi
    call _close

    loc_80636FA: ; CODE XREF: .text:080636BCj
    lea esp, [ebp-7Ch]
    pop ebx
    pop esi
    mov esp, ebp
    pop ebp
    retn

  9. #9
    Originally Posted by suryawomshi
    I have sent you mail.

    What is happening below? Can someone tell me?
    ; This code just saves the stack pointer, and sets things up to get parameters that might have been passed to the function.
    Code:
    align 10h
    push    ebp
    mov     ebp, esp
    sub     esp, 74h
    push    esi
    push    ebx
    ; This opens the device "/dev/windrvr". This windrvr references WinDriver from jungo, and is a "Linux driver for dummies" suite. But it DOES tell us something. It's either talking to a PCI card, or something attached to the USB port.
    Code:
    push    2
    push    offset aDevWindrvr ; "/dev/windrvr"
    call    _open
    ; This code checks the return value from the call to open above, and verifies that it's not an error (-1). (It also puts the file handle in esi).
    Code:
    mov     esi, eax
    add     esp, 8
    cmp     esi, 0FFFFFFFFh
    jz      short loc_80636FA
    ; This copies 38h bytes from the string shown, into a buffer pointed at by ebp-68h
    Code:
    push    38h
    push    offset a73e8466570a9e2 ; "73e8466570a9e2300eeff2.MicroComputers A"...
    lea     ebx, [ebp-68h]
    push    ebx
    call    _memcpy
    add     esp, 0Ch
    ; This monkeys around with some data
    Code:
    mov     dword ptr [ebp-74h], 0A410B413h
    mov     [ebp-70h], ebx
    mov     dword ptr [ebp-6Ch], 68h
    ; This sends the above data, and a command of 9528244Bh to the driver through the IOCTL interface, using the handle it obtained from the open call above. (it's in esi)
    Code:
    lea     eax, [ebp-74h]
    push    eax
    push    9538244Bh
    push    esi
    call    _ioctl
    add     esp, 0Ch
    ; Using the handle in esi once again, it calls CLOSE to state that it's done talking to the driver.
    Code:
    push    esi
    call    _close
    ; This cleans up the stack, and returns to the caller.
    Code:
    loc_80636FA:                            ; CODE XREF: .text:080636BCj
    lea     esp, [ebp-7Ch]
    pop     ebx
    pop     esi
    mov     esp, ebp
    pop     ebp
    retn

    SO, basically, it's just sending a command to a device driver. What that command IS, is detailed above, what it DOES is an entirely different matter, and you'd need to disassemble the driver to find that out.
    Last edited by FrankRizzo; March 31st, 2009 at 22:15.
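    The walk-through above is easier to follow with the frame laid out as a C struct. The following is an added example, not code from the thread, from Keylok, or from Jungo: it renders the listing in C, with the three 32-bit stores below the buffer treated as one request record, and adds the check a practitioner would do next, decoding the ioctl number under the kernel's own dir/size/type/nr packing. The struct name, the field names, the function names and the nonexistent device path used in the test are assumptions; every constant (the device name, 0xA410B413, 0x68, 0x38, and 0x9538244B as it appears in the listing) is taken from the disassembly, and the identification string is the one quoted in post #1, zero-padded to the 0x38 bytes the memcpy copies.

```c
/* Added example, not code from the thread or from Keylok/Jungo: a C rendering
 * of the function walked through above, so the stack-frame layout and the
 * ioctl argument are explicit.  The struct name, field names and function
 * names are assumptions; the constants come from the listing. */
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/ioctl.h>
#include <unistd.h>

#define WINDRVR_DEVICE "/dev/windrvr"  /* aDevWindrvr */
#define REQUEST_IOCTL  0x9538244BUL    /* second argument to _ioctl */
#define REQUEST_TAG    0xA410B413UL    /* stored at [ebp-74h] */
#define BUF_SIZE       0x68            /* stored at [ebp-6Ch]; buffer is ebp-68h..ebp */
#define ID_COPY_LEN    0x38            /* length passed to _memcpy */

/* Three consecutive 32-bit slots at ebp-74h, ebp-70h, ebp-6Ch.  In the
 * original IA-32 binary this is 12 bytes and sits directly below the 0x68-byte
 * buffer (12 + 0x68 == 0x74, the frame size from "sub esp, 74h").  On a 64-bit
 * build the pointer widens, so sizeof() differs; the layout is documentary. */
struct windrvr_request {   /* name assumed */
    uint32_t tag;          /* 0xA410B413 */
    void    *buffer;       /* -> local buffer (lea ebx, [ebp-68h]) */
    uint32_t size;         /* 0x68 */
};

/* The string quoted in post #1; the listing shows it truncated.  It is 54
 * bytes and the copy is 0x38 = 56, so the array is zero-padded here
 * (constructed padding, the real trailing bytes are not on the page). */
static const char id_string[ID_COPY_LEN] =
    "73e8466570a9e2300eeff2.MicroComputers Applications Inc";

/* Mirror of the listing.  Returns -1 when open() fails (the jz to
 * loc_80636FA), otherwise whatever ioctl() returned.  The device path is a
 * parameter only so the function can be called without the real driver. */
int send_request(const char *dev_path)
{
    unsigned char buf[BUF_SIZE];         /* left uninitialised, as in the listing */
    struct windrvr_request req;
    int fd = open(dev_path, O_RDWR);     /* "push 2": O_RDWR is 2 on Linux */
    if (fd == -1)
        return -1;
    memcpy(buf, id_string, ID_COPY_LEN);
    req.tag    = REQUEST_TAG;
    req.buffer = buf;
    req.size   = BUF_SIZE;
    int rc = ioctl(fd, REQUEST_IOCTL, &req);
    close(fd);
    return rc;
}

/* The kernel's ioctl numbering packs dir:2 | size:14 | type:8 | nr:8 (field
 * widths as in asm-generic/ioctl.h).  Decoding the request number under that
 * convention is a quick sanity check: a size field that does not match the
 * record actually passed tells you the driver uses private numbering. */
unsigned ioc_dir(unsigned long cmd)  { return (cmd >> 30) & 0x3; }
unsigned ioc_size(unsigned long cmd) { return (cmd >> 16) & 0x3FFF; }
unsigned ioc_type(unsigned long cmd) { return (cmd >> 8) & 0xFF; }
unsigned ioc_nr(unsigned long cmd)   { return cmd & 0xFF; }

int main(void)
{
    printf("ioctl 0x%lX decoded as _IOC: dir=%u type=0x%02X nr=0x%02X size=%u\n",
           REQUEST_IOCTL, ioc_dir(REQUEST_IOCTL), ioc_type(REQUEST_IOCTL),
           ioc_nr(REQUEST_IOCTL), ioc_size(REQUEST_IOCTL));
    int rc = send_request(WINDRVR_DEVICE);
    printf("send_request(%s) -> %d\n", WINDRVR_DEVICE, rc);
    return 0;
}
```

    Two things fall out of running it. First, the frame arithmetic closes: 12 bytes of request record plus the 0x68-byte buffer is exactly the 0x74 the prologue reserves, which supports reading those three stores as one record with a tag, a pointer and a length. Second, 0x9538244B decoded as a kernel-style ioctl number gives a 14-bit size field of 0x1538 (5432) bytes, nowhere near the 12-byte record that is actually passed, so the number is better treated as WinDriver's own opaque command code, which is consistent with the conclusion above that the driver itself has to be looked at to learn what the command does.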

  10. #10
    suryawomshi
    Guest
    After much struggle I found only one func call (instead of Kfunc)


    void func(void)
    func proc near ; CODE XREF: sub_805321C+7p
    ; sub_8053A9C+3p
    ; DATA XREF: ...
    push ebp
    mov ebp, esp
    cmp dword_809CA70, 0
    jz short locret_8053218
    push 0
    call sub_8053144
    push offset stru_80A23E0 ; struct termios *
    push 2 ; int
    push 0 ; int
    call _tcsetattr
    push ds:dword_80A241C ; _sig_func_ptr
    push 1 ; int
    call _signal
    push ds:dword_80A2420 ; _sig_func_ptr
    push 2 ; int
    call _signal
    add esp, 20h
    push ds:dword_80A2424 ; _sig_func_ptr
    push 3 ; int
    call _signal
    push ds:dword_80A2428 ; _sig_func_ptr
    push 0Fh ; int
    call _signal
    push ds:dword_80A23C0 ; void *
    call _free
    push ds:dword_80A23C4 ; void *
    call _free
    mov dword_809CA70, 0
    locret_8053218: ; CODE XREF: func+Aj
    leave
    retn
    func endp
