That won't really help too much with X8 & X9 though (I haven't seen any full patches beyond that). While the structure is somewhat similar, there have been a few significant changes.

You'll have to patch 500 or so bytes in each of 3 files (CRC, EMU check, blacklist, full HASP patch, i.e. copying all the dongle info into each file, patching user_type, maintenance_time, get_productenablebits etc, etc, redirecting dongle calls, patching various other routines). If you're really interested, I'd start by debugging an EMU setup and see how it behaves (my apologies if you're already on that track). Not nuclear physics, but a lot of time and work.

That would explain some of my issues I was having before. Quite a bit of stuff to dredge through without debugging, as you said. It has to read some kind of value instead of NOP'ing an instruction or redirecting to another sub. Unless one were inclined to really patch a LOT more of it than you say, 500 bytes doesn't sound as horrible as redirecting each routine somewhere else and then writing code within the executable to, for lack of better terms, emulate an emulator. Not to say X7 MU2 was just a couple of lines either, however.

Yes, as you've discovered, a few NOPs here and there and patching some jumps aren't going to cut it :-) I'd be interested in your findings on patching 8/9 if you care to share? MC7 x64 MU2 patching was just shy of 400 bytes (that was redirecting dongle calls, building a fake dongle internally, taking care of the self protection, s/n blacklist, emu detection (so the users that have previously run emus and have stuff in their registry don't set off the emu detection), maintenance time, etc, etc). The only reason a full patch was possible was their poor HASP implementation. Properly done, it should be extremely difficult to remove the dongle. Yes, it has to read a specific dongle value (that determines many things like: sim s/n, sim type (HASP, NETHASP, WIBU, CODE METER etc), dongle type (EDU, DEALER etc), what level + ver is paid for/applicable for each function you use (lathe_ver (i.e. 0x190), lathe_level (i.e. 0x06), router_ver, router_level, wire_ver, wire_level, Art... the list is long and not all functions have the same highest level or version). Well, I've yet to see a valid Millturn setup POST module as it's normally encrypted with info on a specific user's dongle. The last I checked, the protection was now spread across 4 different files and will require significant patching, therefore you'll need roughly 1600 bytes to patch. That's very rough as I was only beginning to add the third party stuff when life and its time constraints simply caught up to me.

As a start, you'll have to identify the dongle read function (force positive dongle read result), find the function that transposes what it reads to internal variables/addresses so that you can identify what address corresponds with what function (lathe_version 0x491234, lathe_level 0x491256 etc).

From there you build a dongle table overwriting the transposition routine to load what you want, then redirect the program (multiple locations as that data tends to get overwritten dependent on program flow; I basically just forced a call to my routine whenever the program wanted to read the sim_type/user_type/sim, which covered practically every function check). I used an EMU to get the program to show me what values in the dongle dump corresponded to each function and then what it was expecting. Thank god they hadn't obfuscated the function names or that would've made life significantly more difficult. There were other things to take care of, like productenable bits: is there actually a dongle there, have I been modified, is there an EMU running (services\emulator\HASP), anti-anti-EMU check patches (NEUHASP & NUWHASP reg checks), is the serial number pirated/dongle reported stolen, etc.