by weinzierl
3 subcomments
- These dongles used to be ubiquitous and they broke all the time.
As a young intern, I arrived early one morning to find the PCB layout software (PADS PowerPCB) on our "design PC" wasn’t working. (I use quotes because it was just the beefiest machine we had, naturally our boss’s PC, which he kindly shared.)
Obviously the dongle. I tried unplugging and replugging it, with and without the printer daisy-chained. Nothing.
So I begrudgingly asked my colleague who’d just arrived. He looked at the dongle, looked at me, looked at the dongle again, and started laughing.
Turns out our boss had stayed late the previous night processing customer complaints. One customer had sent back a "broken" dongle for the product we were selling. Boss tested it on his PC, found it worked fine, and mailed it back on his way home.
Except he didn’t send our dongle back. He had sent my PowerPCB dongle. More fun was had when the rest of the team and finally our boss arrived. Luckily he took it with good humor.
- This reminds me of the old days of Windows 95, when I found some software to burn CDs that had a trial version limited to 150 MB of data or so. If you tried to create a CD bigger than that it would refuse to burn and would instead open a popup telling you that the image exceeded the limit of XYZ blocks allowed by the trial version.
So I first decompressed the executable (Windows executables were often packed at that time [0]), then opened a binary editor, looked for that specific number in hexadecimal notation in the binary and changed it to something much higher. I was then able to burn CDs without limitation.
[0] https://en.wikipedia.org/wiki/Executable_compression
- Many a crack back in the day was even simpler still: we'd just find and alter the right JE or JNE into a JMP and we're off to the races. As the author found, the tough part is just finding and interpreting where and how the protection was implemented. If throwing the exe in a hex editor gave you access to String Data References (not always the case, but more common than not), then you'd just fail the check you were trying to skip, find that string, hop over into assembly to see what triggered loading it, and then alter the logic to jump over it when the time comes.
by nsoonhui
11 subcomments
- I write civil engineering software [0] and am familiar with this kind of dongle. Yes, even today there are users who want this kind of dongle instead of, say, cloud-based validation. They feel secure only if they have something tangible in hand.
Since we sold (and still sell) perpetual licenses, it becomes a problem when a dongle breaks and replacement parts are no longer available. Not all users want to upgrade. Also, you may hate cloud licensing, but it is precisely cloud licensing that makes subscriptions possible and, therefore, recurring revenue—which, from a business point of view, is especially important in a field where regulations do not change very fast, because users have little incentive to upgrade.
Also, despite investing a lot of effort into programming the dongle, we can still usually find cracked versions floating online, even on legitimate platforms like Shopee or Lazada. You might think cracking dongles is fun and copy protection is evil, but without protection, our livelihood is affected. It’s not as if we have the legal resources to pursue pirates.
[0]: https://mes100.com
- Yeah, software protection was very naive in the beginning. Fun fact: I owned a Windows 3.11 for Workgroups UPGRADE disc collection; it was clearly explained and also enforced by the setup installer. So, no previously installed Win 3.0 == the upgrade installer will fail. The fix: just create an empty text file named win.com anywhere - the installer simply scans the WHOLE disk just for this existing filename. Next fun fact: in reality, the upgrade contained the full installation, not only a delta. Man, software was so simple in those days....
- > I must say, this copy protection mechanism seems a bit… simplistic? A hardware dongle that just passes back a constant number?
Seems like it was an appropriate amount of engineering. Looks like this took between an afternoon and a week with the help of an emulator and decompiler. Imagine trying to do this back then without those tools.
by andyjohnson0
0 subcomments
- > For some reason, Reko was not able to decompile this code into a C representation, but it still produced a disassembly, which will work just fine for our purposes.
Perhaps an indication that the code in that segment was hand-written in assembly language rather than C?
- Back when I was a kid in the 80s, I cracked one of the Ultima games. I had it on my hard drive and didn't want to stick a floppy in every time I ran it.
The code decrypted itself, which confused debuggers, and then loaded a special sector from disk. It was a small sector buried in the payload of a larger sector, so the track was too big to copy with standard tools. The data in the sector was just the start address of the program. My fix was to change the executable header to point to the correct start address.
- I still develop software requiring hardware dongles. We moved from parallel to USB-A about 15 years ago and we're still on USB-A, much to the annoyance of anyone who has bought a new laptop in recent years.
The crack is a little bit harder these days as there is a special compiler that encrypts the binary using an on-dongle key, decrypting it after it's loaded.
A big reason for the dongle is to regionally control features (e.g. users in country A must not have feature X but users in country B should) and to be able to "expire" offline desktop software.
- Very cool to read an article about Windows 95 still being used in production - a nice contrast to the infinite AI hype cycle over everything.
Tech may move fast in flashy areas but not in the more "boring" parts of the industry.
by felineflock
0 subcomments
- I did something similar decades ago: ran it under debug with and without the dongle, then compared the execution paths to identify where exactly they deviated.
Then replaced the "jump" with "nop" to prevent it from branching out when the dongle was absent.
This was with an early version of Visual C++ and I knew only a little 8086 Assembly.
by throwaway89201
0 subcomments
- > It’s possible that I haven’t fully understood the logic, and the copy protection will somehow resurface in another way.
They should be glad the copy protection is not more in the style of "The Games: Winter Challenge", where playing a pirated copy would make it subtly impossible to play many levels [1]. Would be 'fun' if the exported accounting data would contain all kinds of subtle errors.
[1] https://mrwint.github.io/winter/writeup/writeup.html
- I forwarded this to my dad who still works on RPG. This product is called "Software Sentinel":
> It required an input key that was unique to our dongle series & our own code that was whatever we wanted. The reply was a hash of both values.
> The last version we used was USB. They retired the parallel style long ago.
- The company I work at has the same problem. We have some old mission-critical Windows 2000 PC that runs the RPG compiler, with the dongle attached. This gave me some clues on where to start - thanks, author!
- I was hired in the early 90's by a collection of franchises for a home care company. The privately owned head office self-developed and distributed required monthly updates to the only software franchises were permitted to run their business. The monthly updates (floppies) reset the license for another month at each location. After years of problems, poor support, and in a couple cases offices getting shut down because head office just "didn't like them anymore", they banded together to sue the owners (one of which developed the software). I did IT work for a couple of the offices and was already familiar with maintaining the software / systems. They hired me to bypass the licensing code which was a lot of fun to figure out. In the end I wrote a DOS based license generator each office had that could update their software by just getting a code over the phone for the upcoming month (or any date for 365 days). A few years later once the lawsuit settled and the company broke apart we issued a patch for the software to remove the license check completely. I should fire up DOSBox sometime so I can play with that old software again.
by bloomingeek
0 subcomments
- Kind of related: I own and still use an HP laptop that came with 8 GB of DDR4 SDRAM and 16 GB of Intel Optane memory. When MS told all of us that Win 10 was moving away from support, I decided to format and install Ubuntu. I have lots of experience with Linux, so it was gonna be a piece of cake.
Wrong! To my great surprise Linux wouldn't load, even after trying three different versions of Linux. After doing a massive search on the internet, I finally found a post that said I should crack open the case and remove the Optane chip, which I did. Presto, Linux was loaded and working fine!
by 3uruiueijjj
1 subcomment
- USB license dongles are still very common in industrial automation; I work for a company that uses them. You don't want an internet outage (or an AWS outage) to take down a production line for a day. You also expect to set up a system once and then have it just work for a decade or so.
In our case, the copy protection would still be as easy to bypass as the one in the article.
- Of course it used to be simple in the earlier days. It got way better, and fast, with HASP and the like in the mid-90s. I specifically remember software that kept a portion of its data in the dongle memory, with good anti-debugging techniques too. But even the hardest protection would take a week to break at most.
by userbinator
0 subcomments
- > For some reason, Reko was not able to decompile this code into a C representation
That's likely because it's one of those (of which many existed) which attempt to dumbly pattern-match against what a typical C compiler of the time (with equally dumb and extremely inefficient code generation) would do, but that routine clearly looks like handwritten Asm. I've never seen a C compiler from that era generate a LOOP instruction, for example, and of course neither "cli" nor the I/O instructions are expressible except perhaps as intrinsics. Ghidra might be a bit better at this, as it's a generalised decompiler.
> In fact, when the compiler (RPGC.EXE) compiles some RPG source code, it seems to copy the parallel port routine from itself into the compiled program.
This reminds me of the classic Ken Thompson attack.
- Is defeating a 40-year-old copy protection mechanism still illegal under Section 1201 of the DMCA, or have they changed the law to make an exception for "very old" software?
- The fact that the software and hardware is evidently still in use at some companies gives me pause about whether releasing it in a cracked form publicly after having published it on a personal website would be a good idea.
Software companies love to milk enterprises for all they're worth, because they're the entities who will pay the most amount of money if it means that the software they use can still work - and a big part of how they do this is via vendor lock-in. We can see in this article that this company was still using Windows 98 - they're clearly locked in!
All of which is to say that this intellectual property might actually still be owned by a company who'll be able to sue.
If you haven't already checked whether the patent and other intellectual property is still owned by any company, OP, I would strongly suggest doing so first.
- > If we look at segment 0800, we see the smoking gun: in and out instructions, meaning that the copy-protection routine is definitely here, and best of all, the entire code segment is a mere 0x90 bytes, which suggests that the entire routine should be pretty easy to unravel and understand. For some reason, Reko was not able to decompile this code into a C representation, but it still produced a disassembly, which will work just fine for our purposes. Maybe this was a primitive form of obfuscation from those early days, which is now confusing Reko and preventing it from associating this chunk of code with the rest of the program… who knows.
in/out instructions wouldn't have a C equivalent. My assumption would be it only translates instructions that a C compiler would typically create.
- > I must say, this copy protection mechanism seems a bit… simplistic? A hardware dongle that just passes back a constant number? Defeatable with a four-byte patch?
Nowadays we don't bother with copyright protection other than a license key, because we know enterprises generally will pay their bills if you put up any indication at all that a bill is required to be paid.
This was basically the 80s version of that.
by Graziano_M
0 subcomments
- What did the function that called into it do with the result? If it was a simple "if rv != 0xabcd goto fail" the patch could probably be simplified to just... nop a few bytes.
- This takes me back. There exist emulators for these dongles as well: you run a dumper with the dongle attached and load the program, and it makes a dump file which you then use in the emulator.
I had to do this for a company so they could continue to use their old specialised Win98 software on modern computers using Dosbox and an emulator.
- At a time where games have shit like always online DRM, it's a bit reassuring to remember that software developers making the experience worse for their customers isn't new.
You pay for software? You need to keep that big dongle plugged in your computer all the time! You pirate the same software? No need for any dongle!
- It is interesting that the vendor adapts the hardware token and then makes it weak on the software side.
I recently did a similar thing for FineReader 6, which used a hardware dongle [0]. It was surprisingly easy, no disassembly at all, just injecting srand(0) and hardcoding the responses from the dongle. I had no prior reverse-engineering experience at all.
[0] https://slomkowski.eu/abbyy-finereader-6-ikey-1000-hack/
by boarsofcanada
0 subcomments
- I wrote RPG II code in the 80s and helped the company I was working part-time for transition to another one of these S/36 emulation environments on the PC in the 90s. The software we used was made by the very generically named California Software Products.
It worked well enough and allowed the company to run until the founder retired and folded the business.
by insuranceguru
0 subcomments
- Wow, the home accountant is basically the great-grandfather of everything we do in modern financial and actuarial modeling. Dmitry's breakdown is like digital archeology.
It’s wild to think about the hardware risk people used to accept, putting your entire household's financial history on a system that bricks itself the second a 40-year-old plastic dongle fails. Really great read.
- Cracking this dongle; wouldn't this be a federal offence in the US?
Not being snarky - genuine question!
I am not from the US :-)
by shevy-java
0 subcomments
- This is kind of like archaeology - just, software archaeology.
- Tangential to this was the existence of California Software Products' "Baby/36" software. My father was a 36/400 programmer and sysadmin, and in his spare time used Baby/36 to write software for local businesses. I have vague memories of parallel port dongles being involved back then too. Don't think he mandated their use; it was more a "framework" requirement.
by charcircuit
1 subcomment
- > The only evidence for the existence of this company is this record of them exhibiting their wares at SIGGRAPH conferences in the early 1990s, as well as several patents issued to them, relating to software protection.
There is also their webpage for ordering PC RPG II. The company address is a residential house.
https://web.archive.org/web/20010802153755/http://home.netco...
- I think I remember hacking some of the copy-protection out of a version of Tetris using the Borland debugger. I definitely patched mouse support into a Chris Crawford "Battle of the Bulge" game using it (for my rather tricky platform). That was a good debugger, and probably the last one I have used much - prefer logging/printing for stuff I write myself.
I remember my Dragon 32 (6809, Color Computer clone) had a dongle you plugged into the joystick port to protect a really crap game - Jumping Knights? I never tried to defeat it.
- Just a few months back I worked in embedded development on a project and there was a physical dongle to unlock the compiler, which was surprising during on-boarding as I've spent years doing commercial embedded work relying on GCC. :)
- I remember reading an ad in one of the 90s PC magazines that attributed the dongle to an inventor named “Don Gull.” I was fortunate enough to never have to use a hardware dongle, but I remember hearing about their persistence into the twenty-first century. I would imagine that most of them were as ridiculously simple as this one was.
- Well done.
This brought up fond memories of crackme communities in the early web... looking at asm callgraphs in OllyDbg...
I just found my 20+-year-old patch.exe that 'NOP's the correct address of a popular Windows archive handling software just to get rid of its nag screen ;-)
- Fun journey! It would be fascinating to see what's inside the dongle. I wonder if it's programmable or just a simple circuit.
by taylorportman
1 subcomment
- Often these dongles were just a single resistor 'circuit'
- Really interesting read, wonder how many other installs are using (and trapped into continuing to use) such obscure legacy software.
by Tempest1981
0 subcomments
- So what hardware would be inside the dongle? Would a small PAL be enough? 22V10? Maybe use a few registers to delay the values written by a few cycles, mixing in some decode logic? (Something cheaper than a microcontroller, I'm guessing... due to cost)
- I want to read the rest of the migration story.
by potatomaseat9
0 subcomments
- It's insane that this thing still works after 40 years and someone is now able to crack it.
- I designed a security dongle a long time ago ... Used properly, it did rotations and XORs like a CRC. You could definitely make it hard to defeat but it was still ultimately deterministic.
- Fun hack, sure, but why on earth isn't the focus on porting the accounting data to a new, currently supported accounting system?
by thenthenthen
2 subcomments
- As a hardware guy I would first start with opening up the dongle, but hey! Still very curious to see what's inside!
by ForHackernews
0 subcomments
- Searching for RPG compilers, I found this IBM notice: https://www.ibm.com/support/pages/osvs-rpg-ii-compiler110-wi...
General Availability: 02-Nov-1981 (281-999)
No longer available for order, Withdrawn from Market: 05-Dec-2022 (922-053)
Transition to Extended/Sustained or End of Support: 30-Sep-2023 (922-078)
Completion of Extended, Sustained, Extension availability: 30-Sep-2023
1981 to 2023 is a staggering run of support. That's why firms still buy IBM.
- My father, an accountant, used to have a program like that, which used RPG and a dongle! Good times. Horrible dongle.
- > Is this really worthy of a patent?
You have no idea how deep this rabbit hole goes.
Patents are barely better than copyright, as far as society net-positive.
> Very importantly, there doesn’t seem to be any “input” into this routine. It doesn’t pop anything from the stack, nor does it care about any register values passed into it. Which can only mean that the result of this routine is completely constant!
This is not necessarily a fair assumption (though it worked this time). It could be some sort of rolling code, where the reply is not constant but changes, and remains verifiable. Example: garage door openers have no input from the garage, but the sent signal differs every button click, and the garage can verify its correctness.
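A constructed Python sketch, added here and not taken from the article or any commenter, of the contrast drawn in this comment and in the earlier "rotations and XORs like a CRC" comment: a host that merely compares a reply against a constant, beside a rotate/XOR challenge/response where the host picks a fresh nonce and recomputes the expected reply. The constant 0xABCD, the secret 0x5A3C and the polynomial are made-up values, and the mixing function is a plain CRC register (linear and deterministic), not any real product's scheme.

```python
import secrets

MASK16 = 0xFFFF
CRC_POLY = 0x8005        # 16-bit CRC polynomial, chosen arbitrarily for this sketch
CONSTANT_REPLY = 0xABCD  # constructed stand-in for the fixed value a constant-reply dongle returns
DONGLE_SECRET = 0x5A3C   # hypothetical per-series key held inside the dongle


def crc16_feed(state: int, byte: int) -> int:
    """Clock one byte through a 16-bit shift register with CRC-style feedback."""
    state ^= byte << 8
    for _ in range(8):
        if state & 0x8000:
            state = ((state << 1) ^ CRC_POLY) & MASK16
        else:
            state = (state << 1) & MASK16
    return state


def dongle_response(secret: int, challenge: int) -> int:
    """What a rotate/XOR dongle would answer: the register starts at the secret and
    the 16-bit challenge is clocked through it. Algebraically this is (secret XOR
    challenge) * x^16 mod P, so for a fixed secret it is a bijection on the challenge
    and no two challenges share a reply. It is linear, not a cipher; a real design
    would use a keyed hash here instead."""
    state = secret & MASK16
    for b in (challenge & MASK16).to_bytes(2, "big"):
        state = crc16_feed(state, b)
    return state


def verify_constant(reply: int) -> bool:
    """The article's scheme: the host only compares the reply with one constant,
    so any source of that single number satisfies the check."""
    return reply == CONSTANT_REPLY


def verify_challenge(challenge: int, reply: int, secret: int) -> bool:
    """Challenge/response scheme: the host recomputes the expected reply itself."""
    return reply == dongle_response(secret, challenge)


def new_challenge() -> int:
    """Fresh 16-bit nonce per check. The host picks it, so a reply cannot be prepared
    in advance; reusing a challenge would reopen the replay window."""
    return secrets.randbits(16)


def recorded_reply_is_rejected(secret: int = DONGLE_SECRET) -> bool:
    """A (challenge, reply) pair observed on the port during one check verifies for
    that challenge only; it fails as soon as the host issues a different one."""
    seen_challenge = 0x1234                            # constructed: challenge from an earlier check
    seen_reply = dongle_response(secret, seen_challenge)
    fresh = 0x1235                                     # constructed: the host's next challenge
    return (verify_challenge(seen_challenge, seen_reply, secret)
            and not verify_challenge(fresh, seen_reply, secret))


if __name__ == "__main__":
    c = new_challenge()
    print("constant check passes with the constant:", verify_constant(CONSTANT_REPLY))
    print("challenge check passes with a live reply:",
          verify_challenge(c, dongle_response(DONGLE_SECRET, c), DONGLE_SECRET))
    print("recorded reply rejected on a new challenge:", recorded_reply_is_rejected())
```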
by doctor_blood
1 subcomment
- Today on "Hacker" News: a third of the commenters wring their hands and question the morality and legality of subverting copy protection on software almost half a century old.
- I used to use SoftIce to patch software the same way, and sometimes just add a JMP to bypass the registration check completely.
- This is circumventing an effective copy protection measure, a federal crime under 17 U.S.C. section 1201. I see the developer is from Boston, so falls under U.S. jurisdiction and thus has committed a felony under U.S. federal law.
by burnt-resistor
0 subcomments
- And they probably could've just used Neverlock Business which cracks zillions of programs.
by catlikesshrimp
6 subcomments
- Why wasn't (isn't) this more widely used? It was clearly more effective than a cdkey.
I know there is a cost associated with the hardware, but surely the customer can cough up 15 more dollars.
The only reason I can think of is wanting as wide adoption before max revenue as possible. But then, this has never been too popular, not even for games!