Marx Crypto Box, the most Secure device ever made
("Protection Plus Professional")
project3
Dongles
03 February 1998
by Dr. Fuhrball
Updated
05 February 1998
Courtesy of Fravia's page of reverse engineering
 
Interesting reading... Dr Fuhrball has already given us the Simple unix busting essay... note that the cracking approach chosen here is perfectly acceptable: the Author shows how the protection scheme works inside a target (so that all readers can learn) WITHOUT giving out a ready made crack for a valuable program to all lamers of the planet. Well, with 'our' dongle protection schemes we are getting quite forward, just a request to Dr Fuhrball for an add on as soon as he has some time:
...when I soldered enough wires to the microprocessor 
and stuck it in the pic burner I was able to read out the 
entire contents of the processor chip
many among our readers do NOT know how to read eeprom data. Could you please (since you are I believe the first one speaking of this subject in an essay published at the HCU) explain with some "length and depth" the whole process? (trials and errors included :-)

5 February 1998
Dr Fuhrball has answered with a first essay of a future 'hardware cracking' section, that for the moment will be hosted inside the dongle section. Thanks a lot Dr Fuhrball! Hope you (and others :-) will send more and more essays on this gorgeous stuff, since few crackers (at the moment :-) practise these interesting skills!
Here it is: Dr Fuhrball's treatment on the hardware side of accessing eeproms
(with three hand-written dongle wiring schemas and a short basic program)
Enjoy!
There is a crack, a crack in everything. That's how the light gets in.
Rating
( )Beginner (X)Intermediate ( )Advanced ( )Expert

A useful essay about the reversing of a dongle based protection scheme
Marx Crypto Box, the most Secure device ever made
("Protection Plus Professional")
Written by Dr Fuhrball


Introduction
I've decided to leave the universal dll shim for a later effort, as I am gonna be seriously busy the next 3 weeks.

Today's cocktail:  40 year old single speyside malt "The Glenrothes"
(got a bottle of this for christmas. Wish I had a case)
Tools required
Wdasm
eprom burner

Target's URL/FTP
http://www.marx.com

Essay
Marx Crypto Box, highly simplified, by Dr. Fuhrball
The most recent and highly excellent essay from Frogs Print covers much of what I could possibly say about this subject. Here is an example of the Marx Crypto Box dongle, a totally bogus and highly insecure device in many ways. Their advertising for this device (www.marx.com) says that it is the most secure device ever made, with a custom RISC processor. The fact is that the device uses a PIC16 processor (low voltage, with a 2 MHz oscillator) and an 8 kbit EEPROM, both devices made by Microchip Inc. But it's even better, because when I soldered enough wires to the microprocessor and stuck it in the PIC burner, I was able to read out the entire contents of the processor chip. This is secure????? And the same thing goes for the data inside the EEPROM.

Marx also sells a software-only protection system (Protection Plus Professional). A free evaluation copy is available from their web site. This should be entertaining. This entire security system is based on one DLL. Here is the entire API:

CbN_BoxReady(unsigned int port number, unsigned char *boxname)
CbN_DecRAM1(unsigned int port number, unsigned int id number, unsigned char *codeid, unsigned char *passwordram1, unsigned int counter address, unsigned int new count)
CbN_DecRAM2(same as DecRAM1)
CbN_Decrypt(unsigned int port number, unsigned int id number, unsigned char *codeid, unsigned int seed, unsigned int length, unsigned char *outdata)
CbN_Encrypt(same as Decrypt)
CbN_IDEA_Decrypt(unsigned int port number, unsigned int id number, unsigned char *codeid, unsigned char *buffer, unsigned long length)
CbN_IDEA_Encrypt(same as IDEA_Decrypt)
CbN_IncRam1(unsigned int port number, unsigned int id number, unsigned char *codeid, unsigned char *passwordram1, unsigned int counter address, unsigned int *net count)
CbN_IncRam2(same as IncRam1)
CbN_ReadID1(unsigned int port number, unsigned char *code id, unsigned long *idreturn)
CbN_ReadID2(same as ReadID1)
CbN_ReadID3(same as ReadID1)
CbN_ReadID4(same as ReadID1)
CbN_ReadID5(same as ReadID1)
CbN_ReadID6(same as ReadID1)
CbN_ReadID7(same as ReadID1)
CbN_ReadID8(same as ReadID1)
CbN_ReadRAM1(I'm getting tired of typing!)
CbN_ReadRAM2(...)
CbN_ReadSER(...)
CbN_WriteRAM1(...)
CbN_WriteRAM2(...)

And the various return codes:

0 the function worked correctly
1 wrong or missing argument
2 crypto-box key not available
3 error on standard encryption
4 error on IDEA encryption
5 crypto-box memory read access error
6 crypto-box memory write access error
7 error on counter increment or decrement
8 error on function call CbN_BoxReady()

Part of the supposed security is the increase in the number of bytes for successive functions:

The serial number is 2 bytes long
The id number is 3 bytes long
The passwords are 4 bytes long

This is similar in many ways to the Software Sentinel device, which they have obviously copied from.

Here is an example of its use in a program. This program is NOT available from the net, and is of absolutely no use to 99% of the people out there. It is a conversion from its original UNIX version, and as such has a few bugs, but is still a highly valuable tool. As I have absolutely nothing against this fine company, and some of this company's instruments are the finest available in the world, I will not divulge the name of the program.

* Reference To: CBNDLL.CbN_ReadSER, Ord:0020h
|
:0043431C E8F3791700              Call 005ABD14
:00434321 0FBFC0                  movsx eax, ax
:00434324 8985ACFEFFFF            mov dword ptr [ebp+FFFFFEAC], eax
:0043432A 83BDACFEFFFF00          cmp dword ptr [ebp+FFFFFEAC], 00000000
:00434331 0F8E11000000            jle 00434348
:00434337 6A00                    push 00000000
:00434339 8B85ACFEFFFF            mov eax, dword ptr [ebp+FFFFFEAC]
:0043433F 50                      push eax
:00434340 E8B2DFFCFF              call 004022F7
:00434345 83C408                  add esp, 00000008

* Referenced by a Jump at Address:00434331(C)
|
:00434348 817DE4XXXXXXXX          cmp dword ptr [ebp-1C], XXXXXXXX
:0043434F 0F840F000000            je 00434364

* StringData Ref from Data Obj ->"The ..."   (removed for obvious reasons)
|
:00434355 68D8EF6100              push 0061EFD8
:0043435A 6A63                    push 00000063
:0043435C E896DFFCFF              call 004022F7
:00434361 83C408                  add esp, 00000008

* Referenced by a Jump at Address:0043434F(C)
|
:00434364 C685A8FEFFFFXX          mov byte ptr [ebp+FFFFFEA8], XX
:0043436B C685A9FEFFFFXX          mov byte ptr [ebp+FFFFFEA9], XX
:00434372 C685AAFEFFFFXX          mov byte ptr [ebp+FFFFFEAA], XX
:00434379 C685ABFEFFFFXX          mov byte ptr [ebp+FFFFFEAB], XX
:00434380 C685BCFEFFFFXX          mov byte ptr [ebp+FFFFFEBC], XX
:00434387 C685BDFEFFFFXX          mov byte ptr [ebp+FFFFFEBD], XX
:0043438E C685BEFEFFFFXX          mov byte ptr [ebp+FFFFFEBE], XX
:00434395 C685BFFEFFFFXX          mov byte ptr [ebp+FFFFFEBF], XX
:0043439C C685C0FEFFFFXX          mov byte ptr [ebp+FFFFFEC0], XX
:004343A3 8D45EC                  lea eax, dword ptr [ebp-14]
:004343A6 50                      push eax
:004343A7 8B85B0FEFFFF            mov eax, dword ptr [ebp+FFFFFEB0]
:004343AD 50                      push eax
:004343AE 6A14                    push 00000014
:004343B0 8D85BCFEFFFF            lea eax, dword ptr [ebp+FFFFFEBC]
:004343B6 50                      push eax
:004343B7 8D85A8FEFFFF            lea eax, dword ptr [ebp+FFFFFEA8]
:004343BD 50                      push eax
:004343BE 6A01                    push 00000001
:004343C0 6A01                    push 00000001

* Reference To: CBNDLL.CbN_ReadRAM1, Ord:001Eh
|
:004343C2 E847791700              Call 005ABD0E
:004343C7 0FBFC0                  movsx eax, ax
:004343CA 8985ACFEFFFF            mov dword ptr [ebp+FFFFFEAC], eax
:004343D0 83BDACFEFFFF00          cmp dword ptr [ebp+FFFFFEAC], 00000000
:004343D7 0F8E0F000000            jle 004343EC

* StringData Ref from Data Obj ->"R..."   (removed for obvious reasons)
|
:004343DD 6808F06100              push 0061F008
:004343E2 6A63                    push 00000063
:004343E4 E80EDFFCFF              call 004022F7
:004343E9 83C408                  add esp, 00000008

* Referenced by a Jump at Address:004343D7(C)
|
:004343EC 8B85B0FEFFFF            mov eax, dword ptr [ebp+FFFFFEB0]
:004343F2 C64405EC00              mov [ebp+eax-14], 00
:004343F7 8D45C8                  lea eax, dword ptr [ebp-38]
:004343FA 50                      push eax
:004343FB 8D45EC                  lea eax, dword ptr [ebp-14]
:004343FE 50                      push eax
:004343FF E8DC8A1700              call 005ACEE0
:00434404 83C408                  add esp, 00000008
:00434407 85C0                    test eax, eax
:00434409 0F840F000000            je 0043441E

* StringData Ref from Data Obj ->"C..."   (same here)
|
:0043440F 6810F06100              push 0061F010
:00434414 6A63                    push 00000063
:00434416 E8DCDEFCFF              call 004022F7
:0043441B 83C408                  add esp, 00000008

* Referenced by a Jump at Address:00434409(C)
|
:0043441E 33C0                    xor eax, eax
:00434420 E900000000              jmp 00434425

* Referenced by a Jump at Addresses:004342E3(U), :00434420(U)
|
:00434425 5F                      pop edi
:00434426 5E                      pop esi
:00434427 5B                      pop ebx
:00434428 C9                      leave
:00434429 C3                      ret

It's a "no brainer" to replace the beginning of the code with a

xor eax,eax
pop edi
pop esi
pop ebx
leave
ret

As I am a programmer (among other things) I have the attitude that software protection is a waste of time. I believe that some other programmers have the same opinion; they are forced by their bosses to install crap such as this, and they personally do not care that it can be reversed in minutes.
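To make the listing easier to follow, here is the same check routine written out in C. This is an added reconstruction, not the program's source and not Marx's DLL: the CbN_ReadSER and CbN_ReadRAM1 parameter names are inferred from the push order in the listing, the dongle is a simulated stand-in, and every serial, codeid, password and RAM value is a constructed placeholder for the XX / XXXXXXXX values removed above.

```c
#include <string.h>
/* Constructed placeholders for the XX / XXXXXXXX values the essay removed. */
#define RAM_ADDR 0x14u   /* the 'push 00000014' before ReadRAM1 (parameter name assumed) */
#define RAM_LEN  20u     /* the length loaded from [ebp+FFFFFEB0] */
#define ERR_CODE 0x63    /* the 99 pushed before each error message */
static const unsigned long k_serial = 0x1234ul;             /* XXXXXXXX compared at [ebp-1C] */
static const unsigned char k_codeid[4] = {1, 2, 3, 0};      /* XX bytes stored at FEA8..FEAB */
static const unsigned char k_passwd[5] = {9, 8, 7, 6, 0};   /* XX bytes stored at FEBC..FEC0 */
static const char k_expected[] = "LICENSED-SAMPLE-TEXT";    /* the 20-byte string at [ebp-38] */
/* Simulated Crypto Box standing in for CBNDLL; short returns like the real exports. */
static unsigned long g_box_serial; static unsigned char g_box_ram[64];
static void box_set(unsigned long serial, const char *text) {
    size_t n = strlen(text);
    g_box_serial = serial;
    memset(g_box_ram, 0, sizeof g_box_ram);
    memcpy(g_box_ram + RAM_ADDR, text, n > RAM_LEN ? RAM_LEN : n);
}
static short CbN_ReadSER(unsigned int port, unsigned char *codeid, unsigned long *out) {
    (void)codeid; if (port != 1) return 2;       /* 2 = crypto-box key not available */
    *out = g_box_serial;
    return 0;
}
static short CbN_ReadRAM1(unsigned int port, unsigned int id, const unsigned char *codeid,
                          const unsigned char *passwd, unsigned int addr, unsigned int len,
                          unsigned char *out) {
    (void)codeid; (void)passwd;                  /* the simulation does not check these */
    if (port != 1 || id != 1) return 2;
    if (addr + len > sizeof g_box_ram) return 5; /* 5 = memory read access error */
    memcpy(out, g_box_ram + addr, len);
    return 0;
}
/* The routine at 0043431C..00434429 as C: 0 is the licensed path, anything else is the code handed to 004022F7. */
int check_dongle(void) {
    int rc;                                      /* [ebp-154h]: AX sign-extended by movsx */
    unsigned long serial = 0;                    /* [ebp-1Ch] */
    unsigned char codeid[4] = {0}, passwd[5] = {0}, ram[RAM_LEN + 1]; /* ram is [ebp-14h] */
    unsigned int ramlen = RAM_LEN;               /* [ebp+FFFFFEB0] */
    rc = CbN_ReadSER(1, codeid, &serial);        /* its arguments are pushed before the listing */
    if (rc > 0) return rc;                       /* jle 00434348: only a positive code fails */
    if (serial != k_serial) return ERR_CODE;     /* cmp [ebp-1C], XXXXXXXX -> "The ..." */
    memcpy(codeid, k_codeid, sizeof codeid);     /* the nine 'mov byte ptr ..., XX' stores */
    memcpy(passwd, k_passwd, sizeof passwd);
    rc = CbN_ReadRAM1(1, 1, codeid, passwd, RAM_ADDR, ramlen, ram);
    if (rc > 0) return ERR_CODE;                 /* -> "R..." */
    ram[ramlen] = 0;                             /* mov [ebp+eax-14], 00 */
    if (strcmp((char *)ram, k_expected) != 0) return ERR_CODE; /* call 005ACEE0 -> "C..." */
    return 0;                                    /* xor eax,eax; pop edi; pop esi; pop ebx; leave; ret */
}
/* Load the simulated box with a chosen serial and RAM text, then run the check. */
int check_box(unsigned long serial, const char *text) { box_set(serial, text); return check_dongle(); }
```

Note that the whole decision rests on one integer coming back from this routine, which is exactly why the author's six-instruction replacement is enough.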


Ob Duh
I won't even bother explaining to you that you should BUY this target program if you ever find it on the web and intend to use it for a longer period than the allowed one. Should you want to STEAL this software instead, you don't need to crack its protection scheme at all: you'll find it on most Warez sites, complete and already regged, farewell.
