
Thread: Proteq dongle emulator

  1. #1

    Proteq dongle emulator

    Hello All,

    First of all I would like to introduce myself. I've
    been cracking since '98, but in the meantime I had stopped
    cracking for some reasons and came back to cracking because
    I missed this life, and so on, until this week when I was asked
    to crack a dongle from an OLD company called PROTEQ, now
    called SafeNet.

    Now, as this is my first contribution to this forum,
    I may start with some dongle cracking WITH the dongle.

    I have not been programming or cracking for the last 2 years,
    and as I don't work with computers, I have lost my programming skills.


    Let's stop talking and start:

    The target is a software with PROTEQ dongle protection.
    The Proteq SDK for this version of the dongle just READS static
    data from the dongle.

    Pretty much a piece of cake: the method that I used to crack it was
    to build a NEW DLL that returns the expected code to the software.
    As it is a STATIC dongle, it can be reversed by just returning the
    right code to the software.

    I have not found the version of this dongle. It's a USB key,
    but this won't impact the reversing.

    The dongle has 3 parts:

    1) C50032.DLL: the communication library to the dongle's driver
    2) PROTEQ.SYS: Win32 driver - communication to the USB key
    3) USB Key itself.

    The software calls the C50032.C500 function and expects bytes as the result
    (read from the USB key).

    Function: C500(Parameter pChar) Integer

    Parameter: 10 bytes as input, 10 bytes as output
    C500 Integer: return = 0 for READ OK and negative values for errors.

    This version of dongle has only 2 functions (new versions have around 10 functions).

    PASSWORD FUNCTION: This function is used to gain access to read
    the dongle memory.

    Input parameter: 03 + 'PASSWORD!'
    Output parameter: 03 + 9 hex values
    These returned hex values mean that if you put the right password
    on input, you will receive 9 hex values as the return, and these
    must match in the software's code. This is generally easy to find
    when debugging the software.

    READ FUNCTION: allows reading the memory block (480 bytes)
    Input parameter: 01 00 00 ZZ
    output parameter: 01 XX YY ZZ

    01: read mode
    00: used to store read bytes from memory
    ZZ: memory position for reading

    As we can see, ZZ is the position in the memory block from which to read
    2 bytes. The return for this function only replaces the word "00 00"
    with the bytes read.

    Now, OK, with the dongle in hand, it is very easy to build a DLL
    that replaces the original one.

    Just make a simple program that reads the full content of the memory,
    2 bytes at a time.

    See below the source code in win32asm for the emulator.

    I changed the memory bytes in order to preserve the target software,
    and sorry for the Portuguese comments.

    Code:
    ;##################################################################
    ;#      tazmanianbrc/2009 - Proteq Emulator                       #
    ;##################################################################
    
    .386
    .model flat,stdcall
    option casemap:none
    include \masm32\include\windows.inc
    include \masm32\include\user32.inc
    include \masm32\include\kernel32.inc
    includelib \masm32\lib\user32.lib
    includelib \masm32\lib\kernel32.lib
    
    .data
    ;############################################################################
    ; Memory block from USB key 
    ;############################################################################
    Memory db     00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h
           db     00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h
           db     01h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h
           db     00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h
           db     00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h
           db     00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h
           db     00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h
           db     00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h
           db     00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h
           db     00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h
           db     00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h
           db     00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h
           db     00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h
           db     00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h
           db     00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h
           db     00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h
           db     00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h
           db     00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h
           db     00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h
           db     00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h
           db     00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h
           db     00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h
           db     00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h
           db     00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h
           db     00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h
           db     00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h
           db     00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h
           db     00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h
           db     00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h
           db     00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h
    
    Autor 		db 'tazmanian[BRC]',0
    Data  		db '06/07/09',0
    
    .data?
    
    
    
    Posicao     dd ?
    
    
    .code
    DllEntry proc hInstance:HINSTANCE, reason:DWORD, reserved1:DWORD

        mov  eax,TRUE
        ret
    DllEntry Endp


    ;#####################################################
    ; Function name: C500
    ; Parameters: Parametro (DWORD) = pointer to a buffer of 4 to 10 bytes
    ;             4 bytes - XX YY ZZ AA
    ;             XX: 01 or 03  (read or PASSWORD)
    ;             YY and ZZ: not used on input (the word where the bytes read from the dongle are stored)
    ;             AA: byte giving the address of the word to read (00 to EF;
    ;                 F0 would index past the 480-byte block)
    ;----------------------------------------------------
    ;XX=03
    ;       Passes the password that unlocks the dongle; the password is sent to the dongle in the bytes that follow:
    ;
    ;   Password for the Cardionet dongle = PASSWORD!
    ;
    ;XX=01
    ;       Dongle read mode.
    ;       Bytes sent: 01 XX YY ZZ
    ;               01: read mode
    ;               XX and YY: the 2 consecutive dongle bytes at word position ZZ are written here
    ;               ZZ: word position to read from memory
    ;       Example:
    ;               Bytes sent:     01 00 00 02 (reads word 02, i.e. bytes 04 and 05 of the dongle memory)
    ;               Bytes returned: 01 41 21 02
    ;               In other words, it reads 2 bytes at a time.
    ;#####################################################
    ; Build (typical MASM32 layout):
    ;       ml /c /coff proteq.asm
    ;       link /SUBSYSTEM:WINDOWS /DLL /DEF:c50032.def proteq.obj
    ; where c50032.def contains:
    ;       LIBRARY C50032
    ;       EXPORTS C500
    ; The target imports C500 by name from C50032.DLL, so the export must be
    ; undecorated and the emulator must keep the original DLL file name.

    C500 proc Parametro:DWORD

        mov  [Posicao], edi                    ; save EDI

        mov  edi, [Parametro]                  ; EDI -> caller's in/out buffer
        .if byte ptr [edi]==3                  ; first byte 03: password function

            mov  dword ptr [edi+1], 01020304h  ; HARDCODED RETURN STRING FOR RIGHT PASSWORD
            mov  dword ptr [edi+5], 05060708h  ; (values masked by the author; the real ones
                                               ;  are taken from the target while debugging)

        .elseif byte ptr [edi]==1              ; first byte 01: read function
            xor  edx, edx                      ; edx = 0
            xor  eax, eax                      ; eax = 0
            xor  ecx, ecx                      ; ecx = 0

            mov  al, 2                         ; al = 2
            mov  dl, byte ptr [edi+3]          ; dl = word position to read (ZZ)
            mul  dl                            ; ax = 2 * ZZ = byte offset into Memory

            ; label is case-sensitive under "option casemap:none": it must be
            ; written Memory, exactly as declared in .data
            mov  cl, byte ptr [Memory+eax]     ; cl = first byte of the word
            mov  byte ptr [edi+1], cl          ; store it in XX
            mov  cl, byte ptr [Memory+eax+1]   ; cl = second byte of the word
            mov  byte ptr [edi+2], cl          ; store it in YY
            xor  edx, edx                      ; edx = 0

        .endif
        mov  edi, Posicao                      ; restore EDI
        xor  eax, eax                          ; eax = 0: function OK (always 0 while the dongle is on USB)
        ret                                    ; return to the program
    C500 endp
    End DllEntry
    I promise that I have read the FAQ and tried to use the Search to answer my question.
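As an added example (not code from the original post or from Proteq/SafeNet), the following Python models the C500 call exactly as the post describes it: a 10-byte in/out buffer, mode 03 with 'PASSWORD!' that is answered with 9 reply bytes, and mode 01 that returns the 16-bit word at position ZZ. It also implements the "read the whole memory 2 bytes at a time" dumper the post mentions, driven either by the in-process emulator or, on Windows, by the real C50032.DLL through ctypes. Everything the post does not state is an assumption and marked as such: the specific negative error codes, that reads require the password first, the placeholder reply bytes, and the stdcall/byte-pointer signature used for the ctypes wrapper.

```python
"""Model of the Proteq C500 protocol described in the post, plus a dumper.
Added example, not the author's or the vendor's code."""
import ctypes

BLOCK_SIZE = 480                 # memory block size given in the post
WORDS = BLOCK_SIZE // 2          # one 16-bit word per read, so ZZ is 0x00..0xEF
MODE_PASSWORD = 0x03
MODE_READ = 0x01
PASSWORD = b"PASSWORD!"          # 9-byte password from the post
# 9-byte reply the software compares against. The post masks the real values,
# so this is a placeholder (assumption).
PASSWORD_REPLY = bytes([0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09])
# The post only says errors are negative; these specific codes are assumed.
ERR_BAD_REQUEST = -1
ERR_LOCKED = -2


class ProteqEmulator:
    """In-process stand-in for C50032.DLL!C500 backed by a fixed 480-byte image."""

    def __init__(self, memory: bytes, require_password: bool = True):
        if len(memory) != BLOCK_SIZE:
            raise ValueError("memory image must be exactly 480 bytes")
        self.memory = bytes(memory)
        self.unlocked = not require_password   # assumption: reads need the password first

    def c500(self, buf: bytearray) -> int:
        """Emulate C500: 10-byte in/out buffer, returns 0 on success, <0 on error."""
        if len(buf) != 10:
            return ERR_BAD_REQUEST
        mode = buf[0]
        if mode == MODE_PASSWORD:                  # 03 + 'PASSWORD!'
            if bytes(buf[1:10]) != PASSWORD:
                return ERR_LOCKED
            buf[1:10] = PASSWORD_REPLY             # 03 + 9 reply bytes
            self.unlocked = True
            return 0
        if mode == MODE_READ:                      # 01 00 00 ZZ -> 01 XX YY ZZ
            if not self.unlocked:
                return ERR_LOCKED
            pos = buf[3]
            if pos >= WORDS:                       # the MASM emulator has no such check
                return ERR_BAD_REQUEST
            buf[1] = self.memory[2 * pos]
            buf[2] = self.memory[2 * pos + 1]
            return 0
        return ERR_BAD_REQUEST


def dump_dongle(c500):
    """Unlock with the password, then read all 240 words in order.
    Works against ProteqEmulator.c500 or the wrapper from load_real_c500()."""
    buf = bytearray([MODE_PASSWORD]) + bytearray(PASSWORD)
    rc = c500(buf)
    if rc != 0:
        raise RuntimeError(f"password call failed: {rc}")
    reply = bytes(buf[1:10])
    image = bytearray()
    for pos in range(WORDS):
        buf = bytearray([MODE_READ, 0x00, 0x00, pos, 0, 0, 0, 0, 0, 0])
        rc = c500(buf)
        if rc != 0:
            raise RuntimeError(f"read of word {pos:#04x} failed: {rc}")
        image += buf[1:3]                          # XX YY replace the "00 00"
    return reply, bytes(image)


def load_real_c500(path: str = "C50032.DLL"):
    """Windows only: wrap the real DLL's C500. Assumes stdcall with a single
    pointer-to-bytes argument and an int return, as the post's prototype suggests."""
    dll = ctypes.WinDLL(path)
    fn = dll.C500
    fn.argtypes = [ctypes.POINTER(ctypes.c_ubyte)]
    fn.restype = ctypes.c_int

    def c500(buf: bytearray) -> int:
        cbuf = (ctypes.c_ubyte * len(buf)).from_buffer(buf)   # writes land in buf
        return fn(cbuf)
    return c500


def demo():
    """Constructed image: word 0x02 (bytes 04/05) holds 41 21, matching the
    '01 00 00 02 -> 01 41 21 02' exchange in the post's comments; rest is zero."""
    image = bytearray(BLOCK_SIZE)
    image[4], image[5] = 0x41, 0x21
    reply, dumped = dump_dongle(ProteqEmulator(bytes(image)).c500)
    return reply, dumped


if __name__ == "__main__":
    reply, dumped = demo()
    print("password reply:", reply.hex(" "))
    print("word 0x02:", dumped[4:6].hex(" "))
```

To dump a physical key, swap `ProteqEmulator(...).c500` for `load_real_c500()` and write the returned image straight into the `Memory` table of the DLL above; the bounds check on `pos` is deliberately stricter than the assembler version, which would read past the end of `Memory` for ZZ = F0.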

  2. #2
    FoxB (Founder; joined Mar 2002; Location: Earth; Posts: 450)
    Can you make logs with USBTrace or BusHound?
    I mean, do you have the USB dongle?

  3. #3
    I did not use any USB log tools, just tracing the dongle's DLL and the software.

  4. #4
    FoxB
    Can you try?

  5. #5
    Actually I don't have the dongle right now. It's already gone.
