Cuteskunk BBS

home *** CD-ROM | disk | FTP | other *** search

/ Cuteskunk BBS / cuteskunk.zip / cuteskunk / Virus / Virus-Magazines / NuKE / nk-info6.zi2 / NK-INFO6.008 < prev next >

Wrap

Text File | 1993-05-05 | 14KB | 240 lines

================================================================================ Volume 1, Issue 6, May 1993 NuKE Info-Journal #6 NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE uK E- KE "The `Arms Race' on Physical Protection -N E- Devices : Round Two" Nu -N uK Nu By KE uK Rock Steady E- KE -N E-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-Nu % Physical Copy-protection Devices % A physical protection device is usually a piece of equipment to a computer or used in conjunction with a computer to protect software or data. The majority of such devices are commonly referred to as `dongles', which are electronic devices attached to the computer. When a dongle protection is used, no attempt is made to prevent the user or owner of the package from creating additional copies of the software. The device is designed to prevent unauthorised use and not unauthorised copying. The origins of the word `dongles' is obscure, but it originated about 1978-79 and is believed to have been first used to protect the `Wordcraft' package on the Commodore Pet. % Dongles - A Simple Dongle Design % The first problem in designing a dongle is finding some method of attaching the device to the hardware. It must be a method which is available on the standard minimum configuration machine for which the software is intended to run. The _most_ obvious choice is the serial interface port of which nearly every machine has at least one, especially with the increase use of mice and modems which require serial connections. Assuming further that we do not wish to use this port during the running of the program, then a very simple dongle could be constructed using the standard cabling and reverse channel so that communications are usually made in both directions simultaneously. The wires would have the following functions: Sending Channel ~~~~~~~~~~~~~~~ Request to send (Output when the computer is ready to go) Clear to send (Received when the terminal is ready) Transmit data (Line for the computer to transmit the data) Receiving Channel ~~~~~~~~~~~~~~~~~ Data Terminal Ready (Output when the computer is ready to receive data) Data Set Ready (Received when the terminal is ready to transmit) Receive Data (Line for Computer to receive the data) Carrier Detect (Line for modem to signal the computer that (another modem signal has been found via telephone) Ring Detect (Line for modem to signal the computer that a) (ringing tone has been received) Assume that wires are used to connect the signals as shown below: Standard output Standard inputs ~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~ Transmit data..........Data Set Ready Request to send........Receive Data Data terminal ready....Ring Detect This is a bizarre combination, which is extremely unlikely to be used by design with any sort of equipment. To protect our dongle we further seal the plug casing with pitch or epoxy resin so that the details of the wiring cannot be seen without melting out or drilling away the resin. The representation of a `U' character in the standard ASCII code will appear as a square wave. This is because the character itself has the binary value 0101 0101, and, taken with the character beginning pulse (start bit) and the character ending (stop bit), this makes up a square wave signal 1 0101 0101 0 +6v-+ +-+ +-+ +-+ +-+ +-+ Now, Transmit a stream of `U's, since Transmit is | | | | | | | | | | | connected to Data Set Ready, this will go up and 0 | | | | | | | | | | | down, at intervals of one bit. By Sampling this | | | | | | | | | | | line the program can test that the correct pattern -6v +-+ +-+ +-+ +-+ +-+ +- is being transmitted and received. This means the dongle is in place. This is a perhaps a dongle suitable for the computer hobbyist, it rather is quite a poor attempt as a dongle. This is because of several reasons; it does not allow the use of the serial port because it is needed for the dongle, therefore a mouse or modem or printer connection via the serial port can not be done if you only have one serial port. % Advanced Pseudo Random bit Generator Dongles % Two new devices being marketed to software homes are Datakey (DES, 1988) and Software Key (Bristol, 1988). The overall concepts of both are similar, and they were in fact developed by the same inventor, although the two structures are quite separate and the details of the devices differ alot. The devices are `active' dongles. Meaning one end of the dongle plugs into the computer, and whatever is normally connected to the RS232 port is connected to the other end, and should be unaffected by this device. In the Datakey, which is a bit oriented device, toggling the Data Terminal Ready line causes a single bit of data to be presented at Data Set Ready or the Data Carrier Detect Line. By this means, a string of pseudo random binary data of any length can be read out of the device. Assembly language routines are included with the device for linking into the software to be protected. In the Software Key, special command codes are used to trigger the device, which responds with a byte of pseudo random data. Such sequences only repeat after an extremely large number of operation. % Software Sentinel % The Software Sentinel (Sentinel, 1988) plugs into the parallel printer port of an 80x86. The parallel channel was preferred to the serial channel since the parallel channel is always present on many systems, even with minimum configuration. However Sentinel also have a serial port version of this device called the Sentinel S. % Dongle Cracking % ~~~~~~~~~~~~~~~~~~~ Some exports are scornful of the protection afforded by dongles. Some even boast that 30 minutes would usually be sufficient to bypass any dongle protection in any program. As a matter of fact dongle cracking is actually straight forward, simply find the routine that accesses the dongle test. The difficulty of this job is really based on the software used to access the dongle. If the software accesses the parallel/serial port via interrupt functions, a simple TSR program can be stated to `fool' the program that a dongle is present, or simply trace through the code from that point on to see what actually happens, and what the program expects to get back. However I do not expect a program to use interrupts to access an I/O port for the sole reason of easily breaking in via the vector table. Chances are the software is accessing the I/O port directly with the built in processor instructions (OUT/IN). So it will be up to the user to disassemble the program to search for IN/OUT or INS/OUTS or INSB/OUTSB or INSW/INTSW instructions that will access the parallel/serial ports. Once you locate the routine that accesses the port, you may either reverse engineer or set a break-point and attempt your journey of debugging. Nevertheless, this does not nullify the credablity of dongle protection. As a matter of fact several new software are using dongles to protect their software. But the fact remains, no software is 100% secure. Dongles, require software to `test' that the dongle is attached, therefore the possibility of finding the `test' routine exists, and therefore modification is possible. % Lenslok % The Latest Physical Protection Device % ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ The Lenslok device was also designed for the low cost software end of the market. The device consists of a plastic lens device rather like a pocket magnifying glass. It contains a series of prisms which cause anything viewed through it to be seen as a confused jumble of different dots. (pixels) Figure #1 Figure #2 1 2 3 4 5 A B C D E ┌───┬───┬───┬───┬───┐ ┌───┬───┬───┬───┬───┐ The letter `A' normally looks │ │ │ X │ │ │ │ X │ │ │ │ │ like the pattern in figure #1. ├───┼───┼───┼───┼───┤ ├───┼───┼───┼───┼───┤ Scrambled, it could look like │ │ X │ │ X │ │ │ │ X │ │ X │ │ the pattern shown in #2. All ├───┼───┼───┼───┼───┤ ├───┼───┼───┼───┼───┤ that was done was that column │ X │ │ │ │ X │ │ │ │ X │ │ X │ 1 & 3 were interchanged. So if ├───┼───┼───┼───┼───┤ ├───┼───┼───┼───┼───┤ we took column A & C and swapped │ X │ │ │ │ X │ │ │ │ X │ │ X │ them, we would get the ├───┼───┼───┼───┼───┤ ├───┼───┼───┼───┼───┤ charactor `A' once again. │ X │ X │ X │ X │ X │ │ X │ X │ X │ X │ X │ Then the Lenslok would consist ├───┼───┼───┼───┼───┤ ├───┼───┼───┼───┼───┤ of a simple optical system, │ X │ │ │ │ X │ │ │ │ X │ │ X │ which consists of two shallow ├───┼───┼───┼───┼───┤ ├───┼───┼───┼───┼───┤ angled grooves cut into the │ X │ │ │ │ X │ │ │ │ X │ │ X │ plastic which change over the └───┴───┴───┴───┴───┘ └───┴───┴───┴───┴───┘ columns. So, the user would apply the `lens' to the screen, over the jumbled pattern of dots and presses a key until the pattern appears through the prism. Therefore, in a Lenslok protected system, you may have a word, scrambled, which the system may ask you to respond to, whereby you would take the lens, and pass it ontop of the charactor and voila. % Cracking all together now... % ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Lenslok, is a great physical copy-protection, it is low-costing, it can be used inconjuction with the current `Document Protection' currently widely used in several low-cost software, expecially in home entertainment computer games. Document protection, is whereby the program, mainly in the beginning, will stop for a moment and ask you a question, whereby the answer is only to be found in the documents supplied with the original package. Nevertheless, document protection, is fairly weak, as documents can be easily photocopied. It can also be scanned as a computer image, and can be easily distributed, through computer modems, into the computer BBS scene. So to an extent Lenslok can help document protection, as a lens is not easily copied by your average computer hobbyist. So even though a copy of the documention is made, how are we to know what exactly it (the software), is asking us for? All together now, _ALL_ protection schemes developed now, can be broken, may it be, Lenslok, dongles, disk-based protection schemes. This is due to the reason that all protection schemes have to use some sort of software that will `test', and decide if this is an authorised copy or not. The fact of the matter is, that their is a terrible weak spot. Software protectors have developed _amazing_ protection schemes, the `front' of the protection is almost unbreakable. Emagine a castle in medival times, with a moat around the castle, the moat contains deadly man-eating animals, the front of the castle also have men waiting with boiling oil to throw over you, there is also several men with bows and arrows awaiting to kill you. Now, how effective is this, if somebody leaves the back gate unlocked? Sure, it may be nearly impossible to get through by the front, but the back gate is unguarded. The same applies for copy- protection, whereby the fact of the matter is, that nobody has done anything about low-level entry! Anyone capable of 80x86 structure assemble language, can by-pass a copy-protection. The only problem is finding the routine, this is a challenge within itself, it is rarely a just a CMP command. For some reason NPC members think that CMP is all there is to look for! Aren't they acomplished crackers? Cracking involves alot of time, extreme knowledge on the 80x86, and a few tricks of the trade. If a document check awaits you to type an answer, you will need to set a break-point at that exact location. Ctrl-Break, will _rarely_ work, so you will have to make tools of your own, that will allow you to exit at the desired location. Protected software usually overwrite the Int 3h, and Int 1h, to avoid break-points, you will have to devise your own Break-point type program, perhaps one hooked to Int 9h, and at ALT-A it will execute a Int 3h, and at the same time you will enter your debugger entry point back to Int 3h. I would hook my TSR to Int 5h and on Print-Scrn it would load the debugger. Many times, you would have to put a special routine on Int 8h or 1Ch to make sure that your entry point is not erased at the vector table, there's an unlimited number of possible combinations, I certainly cannot name you them all. But what I can do, is give you the theory concept of the protection scheme, and you can devise your own pleasable method. Many, people enjoy reverse engneering jobs, some (like myself) take note of all systems I/Os and Interrupts being called, and work my break-point from there. But this two-part article was to give you an understanding on how some copy- protection schemes work. The _only_ way one can attempt to defeat the protection is to understand how the protection works. Then your attempts to bypass it will be much more effective, rather than taking a non-effective guess. Be direct, go directly to the source of the conflict, don't waste your time on anything else. So I do hope this has been a learning experience for at least some. If demand is there, in the following news journal we may focus on effective cracking techniques, and some tricks and tips to avoid falling into a ditch. Rock Steady/NuKE ==============================================================================