Dongle cracking: NetXRay 1.1.3

("A Very Easy Dongle Protection")

by +DataPimp

(02 November 1997)


Courtesy of fravia's page of reverse engineering

Well, +DataPimp has indeed "specialised" in CD-ROM protections, yet he has now started to work on this 'related' cracking subject! Well, you would not have thought that some 'so called' dongles just check THEIR OWN PRESENCE ON THE PORTS... would you? And yet, look here! An easy (yet important) further step!

				Cracking NetXRay 1.1.3
			   (A Very Easy Dongle Protection)

 				   by -= +DataPimp =-

	Yes dongles, there were only two dongle essays there and since
I contributed to the CD-Check essays I would have to say that I wanted
to contribute this to the project as well. I would have to say that this is
my first dongle and I was able to defeat its protection within a matter
of about 1 or 2 minutes. This software is not freely downloadable, but
you can -if you like- find it on the internet; it is the same exact
version that was released by PWA.

	OK, so you have the software, let's get going so we can run this
software and see what it looks like. After you have installed the
program go ahead and run it; you will see a message box pop up saying
the 'protect key' was not found, along with some other text telling you
to contact them, etc.
	We are not going to use Soft-Ice on this at all; instead we are
going to disassemble the "netxray.exe" file and read its code (what
follows is a dead listing of the disassembly, not a decompilation).
Once you have the disassembly, search for the string "sorry". You will
notice that it is found rather quickly, and this is the code we find:

* Referenced by a Jump at Addresses:00401B33(U), :00401B3E(C)
|
:00401B51 85C0            test eax, eax        <- was the dongle found?
:00401B53 742D            je 00401B82          <- taken when eax == 0: skips the nag
:00401B55 6A00            push 00000000
:00401B57 6A00            push 00000000

* StringData Ref from Data Obj ->"Sorry! No protect key is found. "
                               ->"Please contact Cinco Networks,Inc "
                               ->"by phone (770) 671-9272, or by "
                               ->"Internet e-mail sales@cinco.com, "
                               ->"if you wish to purchase or upgrade "
                               ->"NetXRay. Otherwise, return the "
                               ->"complete package in the original "
                               ->"shipping box.  Thank you for your "
                               ->"interest in Cinco products."
                                  |
:00401B59 6878325500      push 00553278        <- prepare Nag
:00401B5E E835E40F00      call 004FFF98        <- Call Nag

This is a classic Bad Guy / Good Guy test, and it is easily defeated. Read the
branch carefully: the je at 00401B53 is taken only when eax is zero, and its
target 00401B82 lies past the two pushes and the call that display the nag, so
zero is the "key present" result here and a non-zero eax drops straight into
the "Sorry! No protect key is found" message box. At 00401B53 all we have to
do is change the je into a jmp: the conditional short jump 74 2D becomes the
unconditional short jump EB 2D. The one-byte displacement is kept, so the
target is still 00401B82 (00401B55 + 2D). Of course it now no longer matters
whether the dongle is found or not; the code skips the nag and the program is
allowed to run.

I hope that this has helped people with the understanding of dongles; I know
that I have learned something myself, and that has made it all worthwhile.

Thanks for reading, DataPimp@hotmail.com
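The patch described above, as an added example that is not part of +DataPimp's essay: it finds the `test eax,eax` / short `je` that guards the nag's push/push/push sequence, checks where the jump lands, flips the opcode from 74 to EB, and then walks the branch for both values of eax to show the effect. The byte buffer is constructed from the opcode bytes in the listing; the function names, the signature and the base VA are this example's own assumptions. It works on raw code bytes only: patching the real netxray.exe also needs the VA to file-offset mapping from the PE section table, which this example does not do.

```python
# Added example, not code from the original essay: locate the nag guard,
# verify its jump target, and rewrite je (74 xx) as jmp (EB xx).
# The buffer, names and signature below are this example's own constructs;
# on a real file the VA must first be mapped to a file offset via the PE
# section table, which is deliberately left out here.
import struct

BASE_VA = 0x00401B51  # VA of SAMPLE[0], taken from the listing (assumption)

# Constructed sample: the opcode bytes exactly as the listing prints them.
SAMPLE = bytes.fromhex(
    "85C0"          # 00401B51  test eax, eax
    "742D"          # 00401B53  je   00401B82
    "6A00"          # 00401B55  push 00000000
    "6A00"          # 00401B57  push 00000000
    "6878325500"    # 00401B59  push 00553278  (the "Sorry!" string)
    "E835E40F00"    # 00401B5E  call 004FFF98  (shows the nag)
)

JE_REL8 = 0x74    # je  rel8
JMP_REL8 = 0xEB   # jmp rel8
TEST_EAX = b"\x85\xC0"
NAG_TAIL = b"\x6A\x00\x6A\x00\x68"   # push 0 ; push 0 ; push imm32


def find_guard(data: bytes, base_va: int = BASE_VA) -> dict:
    """Find test eax,eax followed by a short je/jmp and the nag's push sequence.

    Returns the buffer offset and VA of the jump, the VA it lands on, and
    whether it is still conditional. Raises ValueError if no guard matches.
    """
    start = 0
    while True:
        i = data.find(TEST_EAX, start)
        if i < 0:
            raise ValueError("nag guard not found")
        j = i + 2                                  # offset of the jump opcode
        end = j + 2 + len(NAG_TAIL)
        if (end <= len(data)
                and data[j] in (JE_REL8, JMP_REL8)
                and data[j + 2:end] == NAG_TAIL):
            # rel8 is a signed byte relative to the instruction after the jump
            rel8 = struct.unpack("<b", data[j + 1:j + 2])[0]
            return {
                "jump_offset": j,
                "jump_va": base_va + j,
                "target_va": base_va + j + 2 + rel8,
                "is_conditional": data[j] == JE_REL8,
            }
        start = i + 1


def patch_je_to_jmp(data: bytes) -> bytes:
    """Rewrite 74 xx as EB xx; the displacement byte is kept, so the target is unchanged."""
    g = find_guard(data)
    buf = bytearray(data)
    buf[g["jump_offset"]] = JMP_REL8
    return bytes(buf)


def nag_shown(data: bytes, eax: int) -> bool:
    """Walk the branch: True if execution falls through into the nag pushes/call."""
    g = find_guard(data)
    if not g["is_conditional"]:
        return False            # jmp always skips the nag
    return eax != 0             # je is taken only when eax == 0


if __name__ == "__main__":
    g = find_guard(SAMPLE)
    print(f"je at {g['jump_va']:08X} -> {g['target_va']:08X}")
    print("nag with eax=1 before patch:", nag_shown(SAMPLE, 1))
    patched = patch_je_to_jmp(SAMPLE)
    print("patched bytes:", patched[:4].hex().upper())
    print("nag with eax=1 after patch: ", nag_shown(patched, 1))
```

Matching on the whole guard (test, short jump, then the three pushes that set up the message box) rather than on the lone `74 2D` is what keeps the patch from landing on some other conditional jump with the same displacement; the target check is the second sanity test a practitioner would want before writing the byte back.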
(c) +DataPimp 1997. All rights reversed