Tuesday, 6 October 2015

Old copy protection dongle


A long time ago, back in the 80s, when Programmers were Programmers and happy to write assembly to shave the last clock cycle off an inner loop, when computers were archaic and ran DOS, printers were connected to computers via the parallel port. And that printer port was a great thing indeed, offering a bidirectional 8-bit bus and a "clock" signal for running all kinds of fun external devices besides printers. I, for example, built a primitive 8-bit D/A converter on it, mostly for fun. The sound quality was pretty awful, but that didn't bother me.

Then modern Windows appeared (in this context I mean Windows NT, 2000 and XP), blocking common software from accessing the parallel port (at least without using third-party drivers) and spoiling all the fun. Although serial ports (often) remained, they weren't as useful as the good old parallel port.

But dwelling in ancient history is not my topic today, although this is related.

Apparently at some point I had an actual license to some kind of CAD program that ran on those old computers, as I actually have its copy protection dongle left over. I don't remember ever really using this software, but that doesn't really matter here.

I am not exactly sure how these dongles worked (I never bothered to crack any of the programs using them), but my guess is that they work similarly to one game I did successfully "liberate": the software itself doesn't actually contain all the data needed to run it; instead some of it must be loaded from the dongle (or, in the case of the game mentioned, from a part of the floppy disk that is normally inaccessible). When the program loads, this part is fetched from the protection device, allowing the program to run properly.

This method of course makes the program pretty much impossible to crack if you don't have the protection device (be it dongle, floppy disk or whatever) accessible, but with it the process is often fairly trivial (details are left as an exercise for the reader), despite the programmers' best efforts to make it as challenging as possible.

At this point the CAD package is irrelevant, and so is the dongle, but I was kind of interested in what's inside this thing anyway. These were plugged into the parallel port and they could actually coexist with other devices and printers. At least usually; sometimes they did conflict. Quite annoying if you had to keep reaching behind the computer to switch these dongles.

Opening this was simple enough, and inside is a simple PCB with passives and three chips.
Before proceeding further I should mention that these things weren't built for a single software product; some company designs and manufactures these modules and the associated protection software, and a company using them to protect its software "simply" needs to include the provided protection library in its product (not unlike modern protection counterparts). So there were many software packages from many developers that used essentially the same dongles.

But back to the innards of this dongle.

The left-side chip has the marking 74HC0324AM, indicating common-as-dirt 74-series logic. 324 within that family is a VCO (voltage controlled oscillator), but this chip has 20 pins whereas the VCO only has 14. So that doesn't sound very likely.

A bit of digging around suggests that this marking is actually a forgery and that it is likely some kind of GAL (Gate Array Logic) chip, proprietary to this application. Considering that this thing is supposed to protect Very Expensive software, I have to agree: short of decapping the chip and comparing it against other silicon there is no way to figure out what chip it is and what kind of logic is in there.

In the middle there is a 93LCS56, a 4 kbit serial EEPROM. There are two options here: this chip may contain the logic configuration for the GAL chip, or it may contain some software-package-specific data such as license identification, a serial number or such. Or possibly both. Very likely encrypted somehow (this being from the mid-90s, a simple XOR with a custom key is most plausible). Its marking might also be forged, but on a quick glance the pinout seems to match. I didn't feel lucky, so I didn't bother trying to pull the data out of it.

On the right side there is a chip with the marking T9421W. The only thing I find with that code is a digital potentiometer, but that isn't very plausible either. That code, too, might be forged to hide what the actual chip does. So deducing how the thing works is pretty much a dead end (well, if I had better equipment and some nice chemicals I could try to dissolve the packages to see what is inside, but alas I don't).

Now some speculation on the functionality. Since you could put multiple of them together (for multiple different software packages) and still have the printer working, there must be a way to activate one specific module. This is most likely done by outputting a specific byte pattern from the PC, after which the triggered module takes over the parallel bus and starts communicating with the PC.

Then there must be some data exchange; possibly some challenge/response type queries (the byte pattern above being the first of those), possibly with changing keys to check that the module actually is a module and not, say, another PC replaying some stored old communication pattern. And then there is the exchange of the actual product-specific data, which is very likely verified at the PC end somehow.
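The exchange speculated about in the last two paragraphs, as an added toy model in Python (not code from this post, and not the real module's protocol, which is never recovered here): a host selects one of several modules sharing the bus with an activation pattern, challenges the selected one with a fresh random value, and verifies a keyed reply before accepting the product-specific data. The activation bytes, the keys, the payloads and the choice of HMAC-SHA256 are all constructed assumptions. The demo at the end shows why changing challenges matter: a reply recorded from one session is rejected in the next, and a host sending the wrong pattern gets nothing back at all.

```python
"""Toy model of the dongle exchange speculated about above.

Added illustration only: the real module's protocol is never recovered in the
post. Activation patterns, keys, payloads and the use of HMAC-SHA256 are all
constructed assumptions.
"""
import hashlib
import hmac
import secrets


class Dongle:
    """Simulated module on the shared parallel bus."""

    def __init__(self, pattern, secret, payload):
        self.pattern = pattern      # byte sequence that selects this module
        self._secret = secret       # assumed per-module key; never read by the host
        self._payload = payload     # product-specific data the program lacks
        self.active = False

    def bus_write(self, data):
        # Every module sees every byte; only the addressed one wakes up and
        # any other goes quiet, so the printer and the rest stay usable.
        self.active = (data == self.pattern)

    def answer(self, challenge):
        # The reply is keyed on the host's fresh challenge, so a recording
        # of an earlier session does not reproduce it.
        if not self.active:
            return None
        tag = hmac.new(self._secret, challenge + self._payload, hashlib.sha256).digest()
        return self._payload, tag


class Host:
    """Simulated PC side of the protection library."""

    def __init__(self, pattern, secret):
        self.pattern = pattern
        # Whatever the host needs for verification has to live in the program
        # itself, which is one reason that side gets obfuscated so heavily.
        self._secret = secret

    def new_challenge(self):
        return secrets.token_bytes(8)

    def verify(self, challenge, reply):
        """Return the payload if the tag matches this challenge, else None."""
        if reply is None:
            return None
        payload, tag = reply
        expected = hmac.new(self._secret, challenge + payload, hashlib.sha256).digest()
        return payload if hmac.compare_digest(tag, expected) else None


def run_exchange(host, modules, replay=None):
    """One session: select a module, challenge it, verify what comes back.

    With `replay` set to a reply captured earlier, that reply is fed to the
    host instead of a live answer, modelling recorded traffic being played back.
    """
    for m in modules:
        m.bus_write(host.pattern)
    challenge = host.new_challenge()
    if replay is None:
        answers = (m.answer(challenge) for m in modules)
        reply = next((r for r in answers if r is not None), None)
    else:
        reply = replay
    return challenge, reply, host.verify(challenge, reply)


# Constructed sample setup: two modules from different vendors on one bus.
CAD_PATTERN = b"\x5a\xa5\x0f"
CAD_SECRET = b"constructed-cad-module-key"
cad = Dongle(CAD_PATTERN, CAD_SECRET, b"CAD-LICENSE-DATA (constructed)")
other = Dongle(b"\x3c\xc3\xf0", b"constructed-other-key", b"other product data")


def demo():
    """Returns (live payload, replayed-reply payload, wrong-pattern payload)."""
    host = Host(CAD_PATTERN, CAD_SECRET)
    _, reply, live = run_exchange(host, [other, cad])
    _, _, replayed = run_exchange(host, [other, cad], replay=reply)
    _, _, unselected = run_exchange(Host(b"\x00\x00\x00", CAD_SECRET), [other, cad])
    return live, replayed, unselected


if __name__ == "__main__":
    print(demo())  # (b'CAD-LICENSE-DATA (constructed)', None, None)
```

The model keeps the verification key on the host, which is the weak point a real scheme of this shape shares: whatever the PC side needs to check the reply is sitting in the protected binary, so the strength of the whole thing rests on how well that side hides it.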

Of course the software on the PC doing all this is very likely encrypted on disk, obfuscated as well as possible, very picky about timings (no breakpoints for you!) and in every way as annoying to work with as possible.

And I bet I would have had some serious fun cracking it back in my teens!

