
Victoria's DongleCrackMe
Download DongleCrackMe.zip, 289 kb (password: crackmes.de)
The aim of this crackme is to analyse the workings of a hardware key. The key is simulated by a process named DongleBlackBox, which runs alongside the protected program. The program (JPEGConv) counts as cracked when it is fully operational and you don't need the key process to make it
Difficulty: 7 - Very hard
Solutions
Solution by josh, published 28. Jun 2013; download (828 kb), password: crackmes.de.
josh has not rated this crackme yet.
Discussion and comments
Victoria (author), 06. Sep 2005: Well, still not the slightest trace of a solution. Guess it's harder than the 7 that was given to the crackme by Zero :)

Shism, 06. Sep 2005: So you have to enable Show w. channel, correct?

Victoria (author), 09. Sep 2005: No, you have to eliminate the need for the key process. The program requires a process called DongleBlackBox to run all the time, otherwise it stops working. Your task is to remove the dongle in such a way that the program would still work normally. This is a simulation of the following situation: you have a hardware-dongle-protected (e.g. CAD) program you want to crack. You unplug the dongle, but because of that the program obviously refuses to work. So you patch the code and remove all the security-related stuff and the program works like a charm without the dongle. In this situation the dongle is simulated as the DongleBlackBox process. To make it work like in real life you aren't allowed to look into this process or its code in the DongleBlackBox file, just as you wouldn't look into the code of a real dongle - it's a black box. On the other hand, you may do every other thing possible - a lot of crackmes here have a rule of no patching. In this crackme it's not only allowed in the case of JPEGConv.exe and sm.dll, but I invite you to do so! I do believe it's harder than your average crackme (it's harder than 7, compared to other crackmes with this difficulty level), but I invite all of you to try it, even the newbies. Even if you can't crack it I'd be interested in HOW you tried to do it and why it didn't work. Sometimes a description of an analysis is much more interesting than the solution itself. Good luck :)

Shism, 10. Sep 2005: So we can't patch sm.dll?

Shism, 10. Sep 2005: Very interesting O O.... How the program runs as soon as you open it in a debugger, without even executing it... Wonder how that trick works.

Shism, 10. Sep 2005: Also very interesting that the dongle runs without executing any code in the exe..... Wow, that's pretty good work.

Victoria (author), 11. Sep 2005: To make it clear:
    1. you MAY patch sm.dll
    2. you MAY patch JPEGConv.exe
    3. you may NOT do anything with the DongleBlackBox process or file (not even look into it, as it would spoil the fun)

deroko, 04. Oct 2005: huh, I'll try again tomorrow to see what I can do... so far I've reversed the struct that is sent to the dongle, also tried to set a hook after WriteFile/ReadFile so I can see what reg combination is sent/received from the dongle, then used code to inject into the last section of sm.dll and hooked sm.RaiseException so it will point to my new proc, but it crashes at dongle_request 4b (I didn't find what that thing is yet..., maybe tomorrow) =)

bilbo, 04. Oct 2005: It seems that this thread was moved here: http://www.woodmann.com/forum/showthread.php?p=47644 Aha, and thanks, Victoria, for having inspired me to write an article at http://www.osix.net/modules/article/?id=728

stingduk, 05. Oct 2005: Well, I was browsing through the RCE board (Woodmann's) and saw the thread pointing in here, and the comment by Shism in there:

    Very interesting O O.... How the program runs as soon as you open it in a debugger. Without even executing it... Wonder how that trick works.
    Shism 11. Sep, 00:48: Also very interesting that the dongle runs without executing any code in the exe..... Wow that's pretty good work.

got me interested. You can use my plugin ntglobalflag, which breaks on DLL init routines as well as TLS callbacks, to look at how it is operating. Also you can break on the entry point of sm.dll. I'll post a snippet of it when it is creating the DongleBlackBox here:

    100011F2  PUSH sm.10005110                          ; |ModuleFileName = "DongleBlackBox"
    100011F7  CALL NEAR DWORD PTR DS:[<&KERNEL32.Cr>    ; \CreateProcessA
              |ModuleFileName = "DongleBlackBox"
              |CommandLine = NULL
              |pProcessSecurity = NULL
              |pThreadSecurity = NULL
              |InheritHandles = TRUE
              |CreationFlags = 0
              |pEnvironment = NULL
              |CurrentDir = NULL
              |pStartupInfo = 0012F860
              \pProcessInfo = 0012F850

You can get it from BiW: http://www.reversing.be/article.php?story=20050603193932184 Hey elfz, pretty excellent job of transforming this site :) I am logging in after quite a long time, maybe years :) Fantastic job, comments and stuff, search, browse contents, hats off to you :)

Victoria (author), 05. Oct 2005: Thanks Bilbo for the tip about the discussion, I hadn't known about it. I've posted some info there, although not much, so as not to spoil the fun.

badmojo2, 14. May 2013: Very old crackme but definitely worth your time... Different from most others and a good amount of challenge. Will post a solution if anyone still cares.

redoC, 14. May 2013: Yes, please post the solution.

redoC, 15. May 2013: Won't run on Win7.

badmojo2, 15. May 2013: If you have problems running it on newer OSes, try starting a command line process (cmd.exe) and running it from there. It worked for me on Win7 x64. Believe it has to do with input/output handles but didn't look further into it.

redoC, 15. May 2013: It's better, but now it displays: Could not create dongle process

badmojo2, 15. May 2013: Strange, did you extract the whole archive into the same directory? DongleBlackBox must be in the current folder for JPEGConv.exe to run...

zairon (moderator), 15. May 2013: Trace back and see why it shows this advice.

redoC, 15. May 2013: When I change PEheader.subsystem from Windows GUI to Console it starts working.
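Two things in this thread can be checked from a file's headers without running it: stingduk's point that a loader can run code from DLL init routines and TLS callbacks before the debugger ever reaches the entry point, and redoC's fix of switching the PE subsystem from GUI to console. The Python script below is an added example and is not part of this thread or of the crackme's files. It parses a PE32/PE32+ optional header, reports the subsystem and entry point, walks the TLS data directory to list callback RVAs (the array that is invoked before the entry point), and returns a copy of the image with the Subsystem field rewritten. The field offsets are the standard ones from the PE specification; build_sample_pe constructs a small, non-executable image purely for the demonstration, so its section layout and callback RVAs are made up.

```python
import struct

# Data-directory index and subsystem values from the PE specification.
DIR_TLS = 9
IMAGE_SUBSYSTEM_WINDOWS_GUI = 2
IMAGE_SUBSYSTEM_WINDOWS_CUI = 3
SUBSYSTEM_NAMES = {1: "NATIVE", 2: "WINDOWS_GUI", 3: "WINDOWS_CUI", 9: "WINDOWS_CE_GUI", 10: "EFI_APPLICATION"}


def _optional_header_offset(data):
    """Return (file offset of IMAGE_OPTIONAL_HEADER, True if PE32+) after validating MZ/PE magics."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe = struct.unpack_from("<I", data, 0x3C)[0]            # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    opt = pe + 24                                           # 4-byte signature + 20-byte COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic 0x%x" % magic)
    return opt, magic == 0x20B


def inspect_pe(data):
    """Report subsystem, entry point RVA and TLS callback RVAs of a PE image given as bytes."""
    opt, plus = _optional_header_offset(data)
    pe = opt - 24
    nsect = struct.unpack_from("<H", data, pe + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]
    entry = struct.unpack_from("<I", data, opt + 16)[0]
    image_base = struct.unpack_from("<Q", data, opt + 24)[0] if plus else struct.unpack_from("<I", data, opt + 28)[0]
    subsystem = struct.unpack_from("<H", data, opt + 68)[0]  # same offset in PE32 and PE32+
    ndirs_off = opt + (108 if plus else 92)
    ndirs = struct.unpack_from("<I", data, ndirs_off)[0]

    # Section table follows the optional header; it is needed to map RVAs to file offsets.
    sections = []
    for i in range(nsect):
        vsize, va, rawsize, rawptr = struct.unpack_from("<IIII", data, opt + opt_size + 40 * i + 8)
        sections.append((va, max(vsize, rawsize), rawptr))

    def rva_to_offset(rva):
        for va, size, rawptr in sections:
            if va <= rva < va + size:
                return rva - va + rawptr
        raise ValueError("RVA 0x%x is not backed by any section" % rva)

    callbacks = []
    if ndirs > DIR_TLS:
        tls_rva, _ = struct.unpack_from("<II", data, ndirs_off + 4 + 8 * DIR_TLS)
        if tls_rva:
            fmt, psize = ("<Q", 8) if plus else ("<I", 4)
            # IMAGE_TLS_DIRECTORY: raw-data start, raw-data end, index address, callback-array address (VA)
            cb_va = struct.unpack_from(fmt, data, rva_to_offset(tls_rva) + 3 * psize)[0]
            if cb_va:
                off = rva_to_offset(cb_va - image_base)
                while True:                                   # the callback array is null-terminated
                    va = struct.unpack_from(fmt, data, off)[0]
                    if va == 0:
                        break
                    callbacks.append(va - image_base)
                    off += psize
    return {"subsystem": subsystem, "subsystem_name": SUBSYSTEM_NAMES.get(subsystem, "UNKNOWN"),
            "entry_point": entry, "tls_callbacks": callbacks}


def set_subsystem(data, subsystem):
    """Return a copy of the image with IMAGE_OPTIONAL_HEADER.Subsystem rewritten (the change redoC made)."""
    opt, _ = _optional_header_offset(data)
    patched = bytearray(data)
    struct.pack_into("<H", patched, opt + 68, subsystem)
    return bytes(patched)


def build_sample_pe(subsystem=IMAGE_SUBSYSTEM_WINDOWS_GUI, callbacks=()):
    """Constructed PE32 image for the demo: one section at RVA 0x1000 / file offset 0x200 that optionally
    holds a TLS directory whose callback array points at the given (made-up) RVAs. Not a real program."""
    image_base, sect_rva, sect_raw = 0x400000, 0x1000, 0x200
    body = b""
    if callbacks:
        body = struct.pack("<6I", 0, 0, 0, image_base + sect_rva + 24, 0, 0)  # TLS dir; callbacks follow it
        body += b"".join(struct.pack("<I", image_base + cb) for cb in callbacks) + b"\0" * 4
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102)
    opt = struct.pack("<HBBIIIIIII", 0x10B, 14, 0, 0x200, 0x200, 0, sect_rva, sect_rva, sect_rva, image_base)
    opt += struct.pack("<IIHHHHHHIIII", 0x1000, 0x200, 6, 0, 0, 0, 6, 0, 0, 0x2000, 0x200, 0)
    opt += struct.pack("<HHIIIIII", subsystem, 0, 0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    dirs = [(0, 0)] * 16
    if callbacks:
        dirs[DIR_TLS] = (sect_rva, 24)
    opt += b"".join(struct.pack("<II", rva, size) for rva, size in dirs)
    sect = struct.pack("<8sIIIIIIHHI", b".data", 0x200, sect_rva, 0x200, sect_raw, 0, 0, 0, 0, 0xC0000040)
    dos = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x40)
    headers = (dos + b"PE\0\0" + coff + opt + sect).ljust(sect_raw, b"\0")
    return headers + body.ljust(0x200, b"\0")


if __name__ == "__main__":
    sample = build_sample_pe(callbacks=(0x1100, 0x1180))
    print(inspect_pe(sample))
    print(inspect_pe(set_subsystem(sample, IMAGE_SUBSYSTEM_WINDOWS_CUI))["subsystem_name"])
```

Run it on a real file with `inspect_pe(open(path, "rb").read())`: a non-empty tls_callbacks list tells you where to set breakpoints before the entry point, which is what stingduk's plugin automates. Rewriting the subsystem field only touches the two-byte Subsystem value; the optional-header checksum is not recomputed, which matters for drivers and signed images but not for a test binary like this one.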
redoC, 17. May 2013: badmojo2, what's your solution? Did you identify the dongle code without debugging it?

badmojo2, 17. May 2013: Yeah, the only rule is that you must absolutely not "look inside" the DongleBlackBox process as that would pretty much spoil the challenge. I used a mostly automatic approach to identify the dongle code (you are not forbidden from creating your own program that interacts with the dongle). :)

redoC, 18. May 2013: So post the solution, do not keep it to yourself.

badmojo2, 18. May 2013: There is too much manual work needed even after a semi-automated solution. I don't mean to be an asshole about it but it's been 7-8 years since this crackme was released, and interest is too reduced to justify me spending hours and hours writing it up step by step. If you do seriously attempt it and get stuck on a specific part please send me a private message.

josh, 27. Jun 2013: Interesting dongle. Agree with badmojo that it's worthwhile investigating it. And that it needs a lot of manual work, which is of course attractive from the protection point of view.

andrewl.us (moderator), 28. Jun 2013: Congrats to josh on a great solution here!