Reverse Engineering Team Board > Reverse Engineering Board > Reverse Code Engineering
#1
11-28-2011, 10:53 AM
oxident (Member)
Multikey: Overwrite -> Status=0x4

Hi!

I'm trying to "upgrade" (using an application specific key-file) a dumped/emulated SSP dongle but somehow it always fails telling me "cannot write to dongle".

When monitoring the process with Toro's Monitor, it stops after writing
Code:
Out:> Overwrite -> Status=0x4
Here is the corresponding .reg file for MultiKey:
Code:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\MultiKey\Dumps\xxxx0000]
"DongleType"=dword:00000003
"Copyright"="Me"
"Created"="NONE"
"Name"="MyApp"
"Type"=dword:00000000
"CellType"=hex:01,01,03,03,03,01,03,01,00,00,03,03,03,03,00,00,00,00,00,00,00,\
  00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
"sntMemory"=hex:28,37,xx,xx,f4,21,00,00,f4,21,00,00,1c,07,00,00,04,00,06,00,c7,\
  28,25,91,34,2f,0b,ad,46,00,06,00,00,00,34,12,ff,ff,c9,ff,ff,ff,ff,ff,ff,ff,\
  ff,ff,ff,ff,ff,ff,00,00,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,\
  ff,00,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,\
  ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,\
  ff,ff,ff,ff,ff,ff,ff
Is it just a problem with an incorrect CellType or do I need to find the WP key?

Thanks for any help...

Last edited by oxident : 11-28-2011 at 03:09 PM. Reason: making things a little bit more difficult to find them using google
#2
11-28-2011, 12:05 PM
Git (Super Moderator, Torino)

Why don't you try it and see? Early versions of MK did not write; I don't know if later versions do. Change celltype to 01, read the file into the registry and restart the emulator.

Git
#3
11-28-2011, 12:30 PM
BfoX (Senior Member)

use toro logger
#4
11-28-2011, 01:20 PM
oxident (Member)

Quote:
Originally Posted by Git
Why don't you try it and see? Early versions of MK did not write; I don't know if later versions do. Change celltype to 01, read the file into the registry and restart the emulator.

Git
I promise I did! But it was like looking in the dark, not knowing which cell needs to be writable. First I tried the cells which were read just before the Overwrite is called ... without success.
Toro's Logger doesn't tell me which cell is going to be overwritten. I'm sure I can use IDA to intercept the call and read out the WP value, but I'm unsure what to do with it.

The MK version does support writes (checked it with another app).
#5
11-28-2011, 01:45 PM
BfoX (Senior Member)

MK does support WP/OWP operations.
#6
11-28-2011, 02:41 PM
Lomex (Senior Member)

Don't know why you try to hide the Dongle ID, if this is CLEARLY not your dongle dump. It's the same one that has been floating around on the net for a LONG time.
Hehe, I heard that the newest update won't work anymore with this dump. That's why you wanna update it?
#7
11-28-2011, 02:47 PM
oxident (Member)

[Please DO NOT quote whole messages, it is unnecessary]

I've hidden the ID because I guess it would be better not to reveal too many details about this work to the manufacturer. As long as this board is indexed by Google, it would be quite easy to just search the net for the developer ID and get information about how the protection is defeated.

Nevertheless, the latest version of the application works quite fine with this dump as long as some modifications to the main executable are done, but I wanna make this "rock solid" for the next updates. It's hard work to patch every nightly build.

So I'm planning to get a dongle dump which works out of the box. But before this gets released I have to make sure the supplier of this dump won't be detected.

Last edited by Git : 11-28-2011 at 03:23 PM.
#8
11-28-2011, 03:00 PM
Lomex (Senior Member)

You mean "modification" because the newest versions are checking for the Multikey and VusbBus EMU, or other modifications?

Btw, you also need to change Cells 3+4, otherwise everyone knows which dump this is.

Also you should try to update it while using the Vusbus Emulator. I remember a case where someone wrote that it works better with it, I mean writing to the dump.

Cu

Lomex

Last edited by Lomex : 11-28-2011 at 03:07 PM.
#9
11-28-2011, 03:08 PM
oxident (Member)

[Please DO NOT quote whole messages, it is unnecessary]

Yes, this is of course the most "trivial" one. The other modification involves checking the product options (or, better said, the max. supported version). That's why I'm trying to get rid of this old dongle dump by upgrading the virtual dongle to the latest program version and then removing any evidence of the supplier (which would mean changing the serial number and maybe other details).

Oh, yes. I have to think a little bit longer before pressing the submit button. Thanks

EDIT: Now I've found the WP/OWPs in the relevant CALLs, but I'm not sure what to do now.
Code:
push 3          ; access code
push 0E8C7h     ; data
push 0Ah        ; address
push 334Ch      ; OWP2
push 0EFD4h     ; OWP1
push 21F4h      ; WP
...
push esi        ; packet
call _RNBOsproOverwrite@28 ; RNBOsproOverwrite(x,x,x,x,x,x,x)

That's done for addresses 0Ah to 0Dh with different data, of course.

Last edited by oxident : 11-28-2011 at 03:33 PM.
#10
11-28-2011, 03:24 PM
Git (Super Moderator, Torino)

Check you are not quoting most or all of the previous message too...

Git