I'll just use this space to explain exactly what dongles are. Often termed as hardware protection most dongles are small parallel port plugs which consist of little more than factory burned EPROM and an ASIC of sorts. The idea behind a dongle is the developer issuing checks against return values obtained from the dongle, evidently these calling routines are the weak link. Virtually all dongle implementations can be broken without the need for the dongle, the software developers who use them usually aren't clever enough or motivated enough to really invest the time reading the dongle manufacturer's API.
On very rare occasions dongles can be unbeatable without access to the original dongle, some dongles literally drive the programs they protect (e.g. LightWave) or make so many checks on returns (e.g. Mastercam) that patching all of the checks reliably just isn't an option (although emulation of the main protection routine is). Others use the return codes from the dongle as encryption seeds, although I've yet to see a key of sufficient length that would make brute-forcing impossible. I really can't stress this point enough, make your way to the dongle manufacturer's websites and get their API guides, else you'll be reversing jumps all day.
http://www.des.co.uk -
DESKey range.
http://www.globetrotter.com
- FlexLM licensing system (can interface with hardware locks).
ftp://ftp.hasp.com - HASP by
Aladdin Knowledge Systems - also http://www.aks.com.
- Suggested reading (haspman.pdf).
Hardlock API Guide - Full disclosure
of Hardlock API, slightly edited (90k).
Proteq range - Very basic
Portuguese dongle (3 API's, is_it_connected(), read() & write()
).
ftp://ftp.rnbo.com - Sentinel
range by Rainbow (recommended reading pro223.pdf, spro_dev.pdf).
Common SoftICE BPX's
bpio -h 378 rw (I/O port access), CreateFileA (dongle driver file), DeviceIOControl, FreeEnvironmentStringsA (very effective against HASP's). Message Box API's, Prestochangoselector (16-bit HASP's), '7242' search string (Sentinel packet record validation).
DongleSpy v1.0 - A monitoring program for Super SentinelPro dongles which link the manufacturers specific dll (25k).
DumbHASP- Dumps the internal contents of HASP dongles, only works with 112 byte flavours i.e. MemoHASP-1 (47k).
HASP Commercial Emulator - A russian replacement vxd/sys that found its way to me from a commercial customer of a de-HASPing business. You'll need to crack the registry keys this uses to get anywhere, the driver version may also cause you some hassles (57k).
HASP Grabber v0.97.3 - Another HASP memory dumper which might work with all HASP's. Its a lot faster than DumbHASP too (10k).
Quine's "Pushing the Envelope with HASP" essay - A simply superb essay which disappeared from the web a while back (I have some idea as to the reason why). Now that the envelope has moved on a little I see no harm in re-publishing this great document in its entirety (if Quine objects I'll remove it).
Safesoft Systems SSI emulator - Generates reliable vxds for this very particular flavour of dongle (20k).
UCL's HASP Seed Code Generator - A very useful program.
I'll briefly explain why this is so useful. The idea when you develop your HASP protection is to call HaspCode to check whether a specific dongle exists, you do this by passing the dongle Passwords and a seed code via the hasp() routine, then you verify the corresponding return codes. Read Bajunny's essays at Fravia's site for an explanation of this pretty simple concept. To get this C code to compile you'll need to add the correct compiler include directive (trivial).
Example (from a real TimeHASP - ALLDATA v2.5):
:0045F02B PUSH 00006B47 <-- 2nd HASP password.
:0045F030 PUSH 00003815 <-- 1st HASP password.
:0045F037 PUSH 00000135 <-- Hasp Seed Code.
:0045F03C PUSH 00000002 <-- Basic Service 2 (HaspCode).
:0045F03E CALL 0045F0A6 <-- HASP routine.
:0045F046 CMP DWORD PTR [EAX+18], 0000B940 <-- Good return
code.
On this occasion you are given the value of the return code that is checked, (you can of course verify this with the generator).
Of course if you are planning on reversing lots of HASP's you'll want to convert this code into ASM, perhaps emulating other services whilst your there, this should be achievable in under 500 bytes (including the triad table).
UltraHEM II - Yet another one of the Russian HASP vxd/sys based emulators. This ones good for services 1,2 and maybe 4 & 51 but functionally useless for any others, I haven't undertaken a very deep analysis yet, there may be a way to 'plug-in' required return codes for specific programs (most likely via registry key) (51k).
WKPE v1.81 or download direct here (203k).
This one was kindly sent to me by the author and is freeware (Windows 95 only). Its approach is vxd based yet not specific to any specific dongle, seems to rely on trapping low-level IO access (of course you need the original dongle). The author claims 80% reliability or effectiveness, I recall reading elsewhere that this could be somewhat optimistic :-). I can only advise you try this (it didn't work on the HASP or Sentinel I have here). As its free I don't really think you ought to trouble the author too much for support.
| Target Name | Description | Date |
| 3D Studio Max R2.5 | Very simple patching of a Sentinel protection. | 06/10/99 |
| ALLDATA CAR v3.00 | How to emulate completely the main hasp() routine. | 18/03/99 |
| CASMate-Pro v6.52 |
HASP envelope encryption reversing and complete emulation of
a MemoHASP.  |
22/10/99 |
| Cimagrafi v5.0 | Beating a fairly tricky MemoHASP & observing some common tricks. | 12/11/98 |
| Cimatron 10 BETA | More hasp() emulation as well as adding code to a protected dll. | 02/04/99 |
| Chief Architect 97 | A simply appalling Super SentinelPro implementation. | 01/12/98 |
| CPS v1.16 | Reversing scw32.dll or "how not to implement a secure API". | 01/11/98 |
| DigiSHOW.vld v1.25 | Just don't use Deskey's dk47wn32.dll for your protection. | 04/09/98 |
| ERDAS IMAGINE v8.2 | Don't make your functions "cracker friendly" (Sentinel). | 07/02/99 |
| EyeSys Windows Workstation v2.11W | Kechk.dll & cracker frustration with INT 3 loops. | 07/03/99 |
| FabriCAD Suite v3.0 | Recovering HASP return codes and patching a good HaspCode() implementation. | 04/09/99 |
| GeoPath Power CAD/CAM | Feeling the dongle return codes. | 26/09/98 |
| HASP Envelope | A guide to completely removing the HASP PE envelope (.protect section). | 04/10/99 |
| Hollywood FX v3.08 | More Sentinel reversing. | 11/03/99 |
| Virtual Gibbs v5.05 | Re-writing sproRead() and identifying Sentinel trademark API weaknesses. | 26/09/99 |
I have also reversed several other programs protected by dongles, yet no tutorial has found its way here because my time is finite after all :-) they include :-
* Barudan Punchant v6.0
* CADWorx Pipe v3.0 * Mastercam 7.x * PCDMIS v2.305
* Staad 3.1 Suite * Tagima
DG/ML v6.0 * Tempo v10 * Wilcom ES-65 Designer * WinPharm
v1.3
Of course some of the developers are kind enough to supply wonderful little utilities such as the example above from Cimagrafi. Naturally ALL of my options are now enabled :-).
If you insist on protecting your application with a dongle consider heeding my advice :-
1. Firstly, when any good cracker attacks your software he or she (not to discriminate) will usually go looking for the tell-tale signs of your dongle manufacturers routines (read above how both Sentinel & HASP are vulnerable to simple API breakpoints). Your first step therefore should be to make this task harder. If your dongle vendor provides any encryption e.g. the HASP envelope or Sentinel shell then USE it and check the PE header for tampering, this is especially effective with dll's. Although these wrappers have been broken, multiple files requiring de-protecting buys time.
2. Detect debuggers (or SoftICE) using at least 2 routines and DON'T tell the cracker if you've found it, one very easy technique would be to open autoexec.bat and check for winice.exe, see my anti-debugging page for further possibilities. Try also to encrypt your "bad guy" message strings otherwise a disassembler will easily isolate them.
3. For the most part a cracker won't be familiar with the operation of your program, so use words from your dongle as encryption seeds, values in switch statements or variables critical to specific functions. The more doubt you place in a crackers mind about the word's value the more time he'll waste staring blankly at his debugger, if you can, use _inline assembler to ROR/ROL & XOR your words.
4. Sometimes a cracker will be fortunate enough to have a "dump" of your hardware keys contents, therefore if you can spare the dongle memory space use a registry query to retrieve the RegisteredOrganization key and encrypt it before storing it to the dongles memory (this might at least help you identify your disloyal customer).
5. If you are using HASP or Sentinel then most of the "commercial crackers" already have generic vxd/sys files which they will distribute at a price to end-lusers. Consider therefore adding additional protection means such as strongly encrypted keyfiles or even a once-off server validation check (as suppliers tend not to be crackers a well-hidden encrypted registry key could keep your program safe for months).
Finally take a little visit to http://www.dupecheck.com and find out if a crack exists for your program.
Real Dongle Reversing
The objective of mastering the art of dongle reversing rests inside the ASIC's used by these parasites. In virtually every off-the-shelf dongle I've seen sold to developers there is an API function provided which uses unrecoverable algorithms to manipulate passed parameters, this occurs independent of the EPROM. In HASP this API is HaspCode() or Service 2 which has been completely broken (see above for the source code), although I can tell you now that this was only achieved with critical leaks from inside Aladdin.
Sentinel's equivalent RNBOsproQuery() is not so widely studied (although the standard query is broken), this is because Sentinel's default API implementation isn't robust enough, HASP would have remained secure if its algorithm hadn't been discovered because it is responses from the ASIC which are used to decrypt the code section, no dongle = no execution.
The name of the game with real dongle reversing is "API awareness", don't think you'll break good dongle implementations by just SoftICE'ing and reversing a few jumps, you may do a few weak implementations this way but not many. Get the documentation and WATCH the queries and word reading API's very closely, then emulate the main routines. Remember it can sometimes be impossible to recover exact response codes because you'll sometimes end up with TEST [ESI+38], 1 as a check (this example from a real dongle btw :-) ).
If you have access to the original dongle endeavour to study it DEEPLY, bpr or bpm on returned words from the dongle. Certain dongle manufacturers sadly see it fit to try and obfuscate our debuggers, so patch your SoftICE or use FrogsICE (the lazy man's anti-debugging tool).
FAQ
Key Generators
Miscellaneous Papers New
Reversers Return to Main Index
Time Trials Tools
Visual Basic