
Posted by zdw 5 days ago

Defeating a 40-year-old copy protection dongle(dmitrybrant.com)
855 points | 286 comments, page 3
dmitrygr 5 days ago

  > Very importantly, there doesn’t seem to be any “input” into this routine. It doesn’t pop anything from the stack, nor does it care about any register values passed into it. Which can only mean that the result of this routine is completely constant!
This is not necessarily a fair assumption (though it worked this time). It could be some sort of a rolling code, where the reply is not constant but changes, and remains verifiable. Example: garage door openers have no input from the garage, but the sent signal differs every button click, and the garage can verify its correctness.
dfox 5 days ago
Unless the verification routine (e.g. garage) keeps some state somewhere, it has no way to prevent replays.
dmitrygr 4 days ago
I did not say replay was impossible. I said the statement in the article was overly broad, which it is. If it said "a single result could be hard-coded", it would be fine. But it said the function is constant, which it need not be.

But even that need not be true. Here is how you could design that dongle to require no persistent state on RX and still not allow simple replay.

TX code:

    static u8 counter = 0;
    /* 12 random bits above a 4-bit counter, so any 16 consecutive nonces are distinct */
    tmp = (randU12() << 4) | (counter++ & 15);
    tmp2 = sha256(secret + tmp) & 0xffff;          /* 16-bit truncated tag */
    send32((tmp << 16) | tmp2);

RX code:

    static u16 prevSeenCodes[16];
    static u8 idx = 0;

    tmp = recv32();
    tmp2 = tmp & 0xffff;                           /* tag */
    tmp >>= 16;                                    /* nonce */
    if ((sha256(secret + tmp) & 0xffff) != tmp2)   /* parenthesised: != binds tighter than & */
        fail();
    if (tmp in prevSeenCodes)                      /* nonce still in the 16-entry window: replay */
        fail();
    prevSeenCodes[15 & idx++] = tmp;

Now you need to replay at least a sequence of 16 codes.

That array is in RAM and need not persist across program runs. The dongle can be powered off or can be left on. All will work.
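The TX/RX sketch above, worked through as an added example (my code, not the commenter's): a transmitter that emits nonce || truncated tag, and a receiver that verifies the tag and keeps only a 16-entry RAM ring of recently accepted nonces. Assumed details not in the sketch: SHA-256 from hashlib over secret || nonce with the tag truncated to 16 bits, a 12-bit random field above a 4-bit counter as the nonce, and a made-up shared secret. The demo shows what the ring stops (replay of a recent code, a tampered code) and what it does not (the same code once 16 fresh ones have pushed it out of the window).

```python
"""Added example, not the commenter's code: rolling-code dongle exchange with
no persistent receiver state. SECRET, the 12+4-bit nonce layout, the 16-bit
tag truncation and the 16-entry ring are assumptions made for this demo."""
import hashlib
import itertools
import os

SECRET = b"example-shared-secret"   # assumed shared secret, not a real key
WINDOW = 16                          # receiver ring size from the sketch


def tag16(nonce: int) -> int:
    """16-bit truncation of SHA-256(secret || nonce), i.e. sha256(secret + tmp) & 0xffff."""
    digest = hashlib.sha256(SECRET + nonce.to_bytes(2, "big")).digest()
    return int.from_bytes(digest[:2], "big")


class Transmitter:
    """The dongle: emits 32-bit codes = nonce (16 bits) || tag16(nonce)."""

    def __init__(self, rand12=None):
        # rand12 returns a 12-bit random value; os.urandom by default so it runs offline
        self.rand12 = rand12 or (lambda: int.from_bytes(os.urandom(2), "big") & 0xFFF)
        self.counter = 0  # 4-bit counter: any 16 consecutive nonces are distinct

    def next_code(self) -> int:
        nonce = (self.rand12() << 4) | (self.counter & 0xF)
        self.counter = (self.counter + 1) & 0xF
        return (nonce << 16) | tag16(nonce)


class Receiver:
    """The host: verifies the tag, then rejects any nonce still in its RAM-only ring."""

    def __init__(self):
        self.seen = [None] * WINDOW   # lost on restart, exactly as in the sketch
        self.idx = 0

    def accept(self, code: int) -> bool:
        nonce, tag = code >> 16, code & 0xFFFF
        if tag16(nonce) != tag:       # forged or corrupted code
            return False
        if nonce in self.seen:        # replay of one of the last 16 accepted codes
            return False
        self.seen[self.idx % WINDOW] = nonce
        self.idx += 1
        return True


def demo() -> dict:
    """Run one transmitter against one receiver; a deterministic 12-bit source
    (constructed for the demo) makes the outcome reproducible."""
    src = itertools.count(0x100)
    tx = Transmitter(rand12=lambda: next(src) & 0xFFF)
    rx = Receiver()
    first = tx.next_code()
    result = {
        "fresh_accepted": rx.accept(first),
        "replay_rejected": not rx.accept(first),          # same code again, inside the window
        "tampered_rejected": not rx.accept(first ^ 0x1),  # flipped tag bit fails verification
    }
    # 16 further valid codes push the first nonce out of the ring ...
    result["fresh_stream_ok"] = all(rx.accept(tx.next_code()) for _ in range(WINDOW))
    # ... after which the very first captured code verifies again
    result["replay_after_window"] = rx.accept(first)
    return result


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

Two things worth noticing when running it: a recorded code becomes valid again as soon as the receiver has accepted 16 other codes since it (so an attacker holding 17 distinct captures can cycle them against a live receiver, and a single capture suffices if the receiver has restarted and lost its ring), and a 16-bit tag means a blindly guessed code verifies with probability 2^-16, so a real receiver would also want a rate limit on failed attempts.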

izme 5 days ago
This takes me back. There exist emulators for these dongles as well: you run a dumper with the dongle attached and load the program, and it makes a dump file which you then use in the emulator.

I had to do this for a company so they could continue to use their old specialised Win98 software on modern computers using Dosbox and an emulator.

SamBorick 4 days ago
I forwarded this to my dad who still works on RPG. This product is called "Software Sentinel":

> It required an input key that was unique to our dongle series & our own code that was whatever we wanted. The reply was a hash of both values.

> The last version we used was USB. They retired the parallel style long ago.

boarsofcanada 5 days ago
I wrote RPG II code in the 80s and helped the company I was working part-time for transition to another one of these S/36 emulation environments on the PC in the 90s. The software we used was made by the very generically named California Software Products.

It worked well enough and allowed the company to run until the founder retired and folded the business.

nu11ptr 5 days ago
> If we look at segment 0800, we see the smoking gun: in and out instructions, meaning that the copy-protection routine is definitely here, and best of all, the entire code segment is a mere 0x90 bytes, which suggests that the entire routine should be pretty easy to unravel and understand. For some reason, Reko was not able to decompile this code into a C representation, but it still produced a disassembly, which will work just fine for our purposes. Maybe this was a primitive form of obfuscation from those early days, which is now confusing Reko and preventing it from associating this chunk of code with the rest of the program… who knows.

in/out instructions wouldn't have a C equivalent. My assumption would be it only translates instructions that a C compiler would typically create.

kevincox 5 days ago
I would still hope for it to translate most of the code with a couple of asm blocks. But maybe the density of them was too high and some heuristic decided against it?
jfyi 5 days ago
It would have been an interesting ending to replace the instructions and see if Reko could be made to output code for the function.
throwaway89201 4 days ago
> It’s possible that I haven’t fully understood the logic, and the copy protection will somehow re-surface in another way.

They should be glad the copy protection is not more in the style of "The Games: Winter Challenge", where playing a pirated copy would make it subtly impossible to play many levels [1]. Would be 'fun' if the exported accounting data would contain all kinds of subtle errors.

[1] https://mrwint.github.io/winter/writeup/writeup.html

bloomingeek 4 days ago
Kind of related: I own and still use an HP laptop that came with 8 GB of DDR4 SDRAM and 16 GB of Intel Optane memory. When MS told all of us that Win 10 was moving away from support, I decided to format and install Ubuntu. I have lots of experience with Linux, so it was gonna be a piece of cake.

Wrong! To my great surprise Linux wouldn't load, even after trying three different versions of Linux. After doing a massive search on the internet, I finally found a post that said I should crack open the case and remove the Optane chip, which I did. Presto, Linux was loaded and working fine!

zoom6628 3 days ago
In the 80s I worked on BPCS, an early ERP system, and yes, it was coded in RPG2 and RPG3. Mind-blowingly hard to understand the source code, but I credit my efforts then with later finding AWK so easy and logical. IBM had also just brought out the baby System36, which looked like a PC beige box but was actually a minified S/36, if I recall correctly. Didn't sell well. Then there was RPG for DOS, which I heard of but didn't use.

If the author's client had been using an RPG accounting system for 40 years then it might be BPCS, and there were tools out there to convert RPG to other, less traumatic languages.

But fascinating article nonetheless and brought back memories of being an apps programmer. I also remember those dongles. Really fun when you had multiple apps with their own dongles and only one port.

RaftPeople 3 days ago
So did I. We joked that BPCS stood for: Better Programs Coming Soon

It was actually a well designed and functional system, just too many bugs.

insuranceguru 5 days ago
Wow, the home accountant is basically the great-grandfather of everything we do in modern financial and actuarial modeling. Dmitry's breakdown is like digital archeology.

It's wild to think about the hardware risk people used to accept: putting your entire household's financial history on a system that bricks itself the second a 40-year-old plastic dongle fails. Really great read.

DANmode 5 days ago
> Is this really worthy of a patent?

You have no idea how deep this rabbit hole goes.

Patents are barely better than copyright, as far as society net-positive.
