flat assembler
Message board for the users of flat assembler.

parallel port dongle hacking, new server got no parallel port

sleepsleep
Joined: 05 Oct 2006
Posts: 8870
hi,
faced a special case today,

the customer is using an old legacy inventory & point of sales software, the software uses a parallel port dongle for authentication, (smartlock)

now they bought from me a new server (that comes without a parallel port), so i added a pcie parallel card to it.

then after several tries this morning, it seems the dongle would only function when the parallel port is onboard

(i would say this feature is fucking ridiculous, am stuck now)

either i get them a new server with an onboard LPT port or i hack my own way to make this dongle run on this new server.

a little bit about this LPT dongle

- it is a parallel port dongle
- the license it got is stock & point of sales
- it got a network license
- we plug the dongle into the server
- the client accesses the software using SMB, \\server\stock\STOCK.EXE

idk if anyone has hacked an LPT dongle here? but please share information with me,


the smartlock in question is from this company
http://www.mcamos.com.tw/SmartLockNetPro_eng.htm
Post 04 Jul 2012, 15:36
revolution
When all else fails, read the source
Joined: 24 Aug 2004
Posts: 17250
Location: In your JS exploiting you and your system
I have neutered many a dongle-based piece of software for precisely this reason: hardware incompatibility. I have always patched the code rather than alter the dongle. It seems to me to be the easier way and is portable to any future computer or VM that the code needs to run on.

However there are no simple steps that I can provide for you on how to patch the code. Each program/dongle set I've seen is different and has its own way of verifying things.

So in short, you'll need a debugger, some spare time and some patience.

An alternative is to write to the developers and ask if they have a USB based dongle, or if they can provide a special non-dongled version for your use. Or maybe they can even provide a new version that uses the new PCI card port addresses. It never hurts to try talking to the people involved, you just might get exactly what you want simply by asking.
Post 04 Jul 2012, 16:16
sleepsleep
cool,
yeah, that shit is forcing me to use the onboard parallel port, phew,, i thought a PCIe LPT card would work (ordered 2 pieces), damn it, lol

idk how i gonna hack it, phewwww....not even having the dongle SDK

great resources
http://www.woodmann.com/crackz/Dongles.htm
Post 04 Jul 2012, 16:35
Enko
Joined: 03 Apr 2007
Posts: 678
Location: Mar del Plata
It seems like a very old dongle.
So I don't think it uses a smartcard, if it does, beware, you could tamper with it while playing.

If it uses some really safe security chip, i think you wouldn't be able to dump it. You would know, if you open the dongle, and find inside a PC battery, DON'T REMOVE IT, as it will erase the chip.

How about making a driver that will redirect all the communication from the pci LPT board to an emulated LPT1?

To the pci lpt card, which port is assigned? LPT2? If it's so, why not just change on the Computer Manager the port number to LPT1?

And it would be good to know if it is an INCOMPATIBILITY issue, or it is BAD programming of the dongle software.
I really don't know how the dongle would find the difference between being installed on the LPT1 port directly in the motherboard, and being installed on the LPT1 port of a pci card.
Sure the port is LPT1 and not LPT2?
Post 04 Jul 2012, 20:00
Stephen
Joined: 13 Aug 2011
Posts: 30
dongles suck. If the software company is still around you can probably upgrade to a usb dongle. smartlock makes a usb dongle, but it's not going to have the same serial number as the lpt port one, so the software needs to have its registration updated...

I've got a stack of dongles on the back of my animation computer. I know some are very picky about the lpt. I know that several of the programs I use check the dongle several different ways at different points in the program. It is software, so it is hackable, you may just have to do several different hacks at several different places.
Post 04 Jul 2012, 20:07
sleepsleep
the software exists around year 2000,
12 years, wow...

Quote:
I really don't know how the dongle would find the difference between being installed on the LPT1 port directly in the motherboard, and being installed on the LPT1 port of a pci card.

it was detected and assigned to LPT3, but i changed it to LPT1 already, still no luck,

well, i think the dongle checks it through the memory address, idk, i guess so, whether it is onboard or pci.

(since it is a pcie card, i don't have tools to modify the IRQ or other settings) usually the onboard one is accessible through the bios.

but after googling online, it seems it only runs on the onboard parallel port

Quote:
dongles suck. If the software company is still around you can probably upgrade to a usb dongle.

the company is still around, it was sold to a foreign company last year, i emailed them already, and probably the answer i would get is upgrade to their latest version. (which will suck even more)

phewwww,,,, i got only 2 choices, hack it, or get them a new server with an onboard parallel port,
Post 04 Jul 2012, 20:59
Enko
Quote:
i think the dongle checks it through the memory address

it shouldn't be very difficult to crack it. Because the dongle is valid, you would need to bypass that part in the software and not make a full crack of the dongle.
Think of it as a cosmetic patch.
Post 04 Jul 2012, 21:06
sleepsleep
ok, thanks for all the ideas & encouragement,

i think i will start by coding an LPT port monitor, see what is happening at the back, and record that data.

using this as reference
http://logix4u.net/parallel-port/16-inpout32dll-for-windows-982000ntxp/

INPOUT32.DLL
2 functions
Inp32
Out32

i checked the software dll, SLLAC32A.DLL, some OutputDebugString function is called inside, maybe put an OutputDebug monitor on the current server later.
Post 05 Jul 2012, 13:11
sleepsleep
i was thinking about redirection....

faking an LPT port, redirecting its I/O to the real dongle memory address, letting it process and copying the output to a place that this old software is able to read.

i think the old software cannot detect the dongle, but I/O from my program to the PCIE lpt/com port should be possible. i guess.
Post 05 Jul 2012, 13:16
revolution
How will you redirect the I/O? Will you be modifying the kernel mode driver to capture all requests?

If the program uses direct I/O access then it will be even more difficult, you will have to lower the I/O privilege level and capture the exceptions. If the dongle software has blocked debugging then your task will be tricky with having to modify the kernel in some way.

It is probably easier to just hack the code directly.
Post 05 Jul 2012, 13:22
sleepsleep
idk if it is possible to fake an LPT1, i guess it should be possible.

i checked the SLLAC32A.DLL, it uses the following functions
Code:
kernel32.dll
========
DisableThreadLibraryCalls
ExitProcess
FreeEnvironmentStringsA
FreeEnvironmentStringsW
GetACP
GetCPInfo
GetCommandLineA
GetCurrentProcess
GetEnvironmentStrings
GetEnvironmentStringsW
GetEnvironmentVariableA
GetFileType
GetModuleFileNameA
GetModuleHandleA
GetOEMCP
GetProcAddress
GetStartupInfoA
GetStdHandle
GetStringTypeA
GetStringTypeW
GetVersion
GetVersionExA
HeapAlloc
HeapCreate
HeapDestroy
HeapFree
HeapReAlloc
LCMapStringA
LCMapStringW
LoadLibraryA
MultiByteToWideChar
OutputDebugStringA
RtlUnwind
SetHandleCount
Sleep
TerminateProcess
VirtualAlloc
VirtualFree
WideCharToMultiByte
WriteFile
lstrlenA

user32.dll
=======
wsprintfA

netapi32.dll
========
Netbios

ws2_32.dll
=======
N/A 2 (ordinal)
N/A 3
N/A 4
N/A 16
N/A 17
N/A 19
N/A 20
N/A 21
N/A 23
N/A 111
N/A 115
N/A 116
WSAEnumProtocolsA
    


idk yet how the dongle functions, maybe the software just checks it upon initialization, or at random time frames checks if the dongle is still there,

LanReg.exe for smartlock registration

SLNTLDR.EXE is created in windows services

SLLPSVDR.SYS the driver


Last edited by sleepsleep on 14 Oct 2013, 09:43; edited 2 times in total
Post 05 Jul 2012, 13:41
sleepsleep
tomorrow i will try something like this,

i install a copy of that software on my lappy, C:/STOCK/STOCK.EXE, run it and see if it could detect the license server in my client network

if it works, then i disconnect the network and see how long it would continue to work.

if every feature works and the software only checks when starting, then it would be great news!
Post 05 Jul 2012, 14:02
Enko
SleepSleep... if the software stops working it isn't bad news.

Imagine this code:
Code:
#define TRUE  1
#define FALSE 0

extern int something;   /* placeholder: whatever the dongle API reports */

int isDonglePresent(void)
{
    if (something)
    {
        return TRUE;
    }
    else
    {
        return FALSE;
    }
}


And then, this function is used almost at every part of the software.
Code:
switch (command)
{
case OPEN:  if (isDonglePresent()) { /* do stuff.... */ } break;
case CLOSE: if (isDonglePresent()) { /* do stuff.... */ } break;
case READ:  if (isDonglePresent()) { /* do stuff.... */ } break;
}


The dongle comes with an API. The guy who wrote the program is not the same one who developed the dongle, so he was just using an API.
You should find that API call, patch it, and problem solved.

Try to isolate the dongle's libraries and drivers from the program.
There would be some antidebug tricks, but really old ones, so this wouldn't be a problem.

Another thing, in some dongle APIs there is a callback function that will be triggered if the dongle is removed.
Post 05 Jul 2012, 14:37
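Enko's sketch above is exactly the shape that makes a "cosmetic patch" possible: the dongle's answer is reduced to one yes/no, and Stephen's point about checking "several different ways" is the usual reaction to it. The C below is an added example, not code from this thread nor SmartLock's API, contrasting that fragile pattern with a design in which the dongle's answer is consumed as key material for the records it protects, so there is no single branch whose outcome grants access. The dongle, its 32-bit secret, the XOR masking and the check byte are constructed stand-ins for illustration only.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Constructed stand-in for a dongle: a 32-bit secret the device returns when queried.
 * Not the SmartLock API; the real device and its protocol are not modelled. */
#define DONGLE_SECRET 0x5A3C9E71u
static bool dongle_attached = true;   /* set false to simulate a missing or wrong dongle */

static uint32_t dongle_query(void)
{
    return dongle_attached ? DONGLE_SECRET : 0u;   /* an absent device reads back zero */
}

/* Fragile pattern from the thread: the answer collapses to one boolean, so a single
 * conditional branch stands between the user and every feature. */
static bool isDonglePresent(void)
{
    return dongle_query() == DONGLE_SECRET;
}

static int open_record_fragile(void)
{
    return isDonglePresent() ? 0 : -1;   /* -1 is the "Correct Smart Lock required" path */
}
/* Keyed pattern: the dongle answer is consumed as key material rather than as yes/no.
 * The vendor masks each record under the secret once (simulated by mask_record) and
 * appends an XOR check byte; without the genuine answer the record decodes to garbage. */
static uint8_t keystream(uint32_t key, size_t i) { return (uint8_t)(key >> (8 * (i % 4))); }
static void mask_record(const char *plain, size_t n, uint32_t key, uint8_t *masked)
{
    masked[n] = 0;                    /* check byte over the plain text; n + 1 bytes total */
    for (size_t i = 0; i < n; i++) {
        masked[i] = (uint8_t)plain[i] ^ keystream(key, i);
        masked[n] ^= (uint8_t)plain[i];
    }
}

static int open_record_keyed(const uint8_t *masked, size_t n, char *out)
{
    uint32_t key = dongle_query();
    uint8_t check = 0;
    for (size_t i = 0; i < n; i++) {
        out[i] = (char)(masked[i] ^ keystream(key, i));
        check ^= (uint8_t)out[i];
    }
    out[n] = '\0';
    return check == masked[n] ? 0 : -1;   /* garbage is detected; no branch unlocks it */
}
```

With the dongle attached both paths succeed; with it absent the fragile path fails at one `if`, while the keyed path yields a record that fails its check because the genuine answer was never obtained.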
sleepsleep
when the lock is not found, the application will output a custom messagebox

"Correct Smart Lock required", i hope to tackle it from here, still finding the way into this rabbit hole.

the application is available from official website (just in case maybe someone is interested)
http://bit.ly/N4TW2p
Post 06 Jul 2012, 15:38
revolution
Good luck sleepsleep. The first one is always the hardest.
Post 06 Jul 2012, 16:08
sleepsleep
i think the hardest part is to know where is where,
phhewwww,,,
was thinking about coding a dll that mimics the real dll's export calls and try to see what is sent in and sent out, importing the real dll to do the real job, just want to monitor what the shit is happening.

ppppphhhhhhhhhhheeeeeeeeeeeeewwwwwwwwwwwwwww,,,,

revolution wrote:
Good luck sleepsleep. The first one is always the hardest.

thanks, i try my best
Post 06 Jul 2012, 21:31
typedef
Joined: 25 Jul 2010
Posts: 2913
Location: 0x77760000
mind you that you can't proxy kernel32 or user32.dll unless you edit the exe and rename the import table lib names to something like "vernel32.dll". "vernel32.dll" being your proxy dll which then forwards the calls.

You should just hook it though because you'll have to import all the API, unless you use a tool.

Check out API Monitor from http://Rohitab.com
Post 06 Jul 2012, 23:02
sleepsleep
found something,
the application is compiled (encrypted) using foxpro 8

i tried to decompile it using DVFP
http://www.atoutfox.org/articles.asp?ACTION=FCONSULTER&ID=0000000415

the app doesn't support decompiling encrypted foxpro apps, as i read from the comments, but somebody mentioned APP and REFOX should be able to decompile an encrypted foxpro app to SOURCE!
Post 07 Jul 2012, 22:06
sleepsleep
just tried REFOX, no luck, detected as a non-foxpro app (maybe it uses a middle-man app to load the foxpro project, i guess so) coz the application is too foxpro-like, e.g. the status box on the top right
Post 07 Jul 2012, 23:41
sleepsleep
i coded the fake SLLAC32A.DLL
it functions as a middle man to the real SLLAC32A.DLL

how do i pass the params to the original DLL's DllMain entry?
because that function is not exported by default.

this is what i got on the 1st run
Code:
hello world!

it seems the application only uses the SLLRead_ function (hopefully)

because the dongle is on the customer's production server, i could only code and test the application without the dongle,,, only when i am sure that it wouldn't crash the production server will i put this middle man dll in and log the conversation.

wow,,, what if i return the VALID number in EAX
gonna drive to that server later, phewww


Last edited by sleepsleep on 14 Oct 2013, 09:44; edited 1 time in total
Post 08 Jul 2012, 06:11
Copyright © 1999-2020, Tomasz Grysztar.