Hi Mike (Mike Ghormley), in <35B6D3FF.1E1E@blacksand.com> on Jul 22 you wrote:

> > Ahh but a simple program watching system RAM in the memory locations of
> > NOP will display the missing code.
>
> Tim, there aren't any NOPs. I was using them as an example. The code that is written
> over looks very real. A typical serious dongle may have more than 50 snippets of missing
> code. It is not as simple as you imagine.

As long as the PC software authenticates the dongle and not vice versa, it is possible to just read all the code from the dongle (using a piece of software of your own that talks to the dongle the same way the protected app does). Then all of the PC software's calls to the dongle can be replaced by an emulation function that returns the same code the dongle would have returned. The challenge-response inconsistency (if you're too tired to actually hack the algo/key) can be overridden by changing the PC software's conditional jumps.

It then makes no difference whether the PC software patches the patched locations back to their original content right after execution, or before exiting. Nor does it matter how often the dongle is read, whether there are 1 or 50 snippets in it, or whether all 50 are applied at the same time or just a single change is made at a time and then reversed.

If the dongle authenticates the PC software, you'll either have to reengineer the PC software's authentication algorithm, manipulate the PC software to save the dongle code right after receipt, or monitor the conversation using software or hardware tools. After successful extraction of the dongle's code patches you can continue as described above.

> Of course any dongle scheme can be cracked

Ditto.
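The following is an added worked example, not part of the original post and not taken from any real dongle product. It models the scheme the reply describes with constructed toys: a tiny stack-machine program whose two snippets live only in a `Dongle`, a `ProtectedApp` that authenticates the dongle with an HMAC challenge-response (the PC authenticates the dongle, not vice versa), fetches the snippets, runs, and patches the holes back. The cracker side shows both extraction routes from the post, reading the dongle directly with your own tool (`dump_dongle`) and monitoring the conversation (`RecordingDongle`), then an `EmulatedDongle` that replays the recorded snippets, and finally the "flip the conditional jump" step modelled as replacing the app's check. All names, the HMAC choice and the VM are assumptions of this example.

```python
import hashlib
import hmac
import os

# Added example, not from the original post; the VM, dongle, app and snippet
# layout are constructed toys modelling the scheme discussed in the thread.
PUSH, ADD, MUL, HALT = 0x01, 0x02, 0x03, 0xFF   # tiny stack machine

def run_vm(image) -> int:                # execute image, return top of stack at HALT
    stack, pc = [], 0
    while True:
        op = image[pc]
        if op == PUSH:
            stack.append(image[pc + 1]); pc += 2
        elif op in (ADD, MUL):
            b, a = stack.pop(), stack.pop()
            stack.append(a + b if op == ADD else a * b); pc += 1
        elif op == HALT:
            return stack[-1]
        else:
            raise ValueError(f"bad opcode {op:#x} at {pc}")

# Real program: PUSH 3, PUSH 4, ADD, PUSH 5, MUL, HALT -> (3+4)*5 = 35. Two snippets
# (offset, code) exist only in the dongle; the shipped holes hold plausible but wrong
# code rather than NOPs, so the shipped image still runs and computes (3+1)+5 = 9.
SNIPPETS = {0: (2, bytes([PUSH, 4])), 1: (7, bytes([MUL]))}
SHIPPED_IMAGE = bytes([PUSH, 3, PUSH, 1, ADD, PUSH, 5, ADD, HALT])

class Dongle:
    """Toy dongle: keyed challenge-response plus snippet storage."""
    def __init__(self, key: bytes, snippets: dict):
        self._key, self._snippets = key, dict(snippets)
    def challenge(self, nonce: bytes) -> bytes:
        return hmac.new(self._key, nonce, hashlib.sha256).digest()[:8]
    def read_snippet(self, idx: int):
        return self._snippets[idx]           # KeyError past the last snippet

class ProtectedApp:
    """PC side: authenticates the dongle (not vice versa), then uses its code."""
    def __init__(self, dongle, key: bytes):
        self.dongle, self._key = dongle, key
        self.image = bytearray(SHIPPED_IMAGE)
    def dongle_is_genuine(self) -> bool:
        nonce = os.urandom(8)
        expected = hmac.new(self._key, nonce, hashlib.sha256).digest()[:8]
        return hmac.compare_digest(self.dongle.challenge(nonce), expected)
    def run(self) -> int:
        if not self.dongle_is_genuine():     # the conditional jump a cracker flips
            raise PermissionError("dongle not found")
        saved = bytes(self.image)
        for idx in range(len(SNIPPETS)):     # apply every snippet, then execute
            off, code = self.dongle.read_snippet(idx)
            self.image[off:off + len(code)] = code
        try:
            return run_vm(self.image)
        finally:
            self.image[:] = saved            # patch the holes back afterwards

def dump_dongle(dongle) -> dict:             # own tool: read everything the dongle holds
    out, idx = {}, 0
    while True:
        try:
            out[idx] = dongle.read_snippet(idx)
        except KeyError:
            return out
        idx += 1

class RecordingDongle:
    """Cracker's monitor: logs every exchange between the app and the real dongle."""
    def __init__(self, real):
        self.real, self.snippets, self.challenges = real, {}, {}
    def challenge(self, nonce):
        self.challenges[bytes(nonce)] = r = self.real.challenge(nonce)
        return r
    def read_snippet(self, idx):
        self.snippets[idx] = r = self.real.read_snippet(idx)
        return r

class EmulatedDongle:
    """Replays recorded snippets; without the key it cannot answer fresh nonces."""
    def __init__(self, snippets, challenges):
        self.snippets, self.challenges = dict(snippets), dict(challenges)
    def challenge(self, nonce):
        return self.challenges.get(bytes(nonce), bytes(8))
    def read_snippet(self, idx):
        return self.snippets[idx]

def crack() -> dict:
    key = os.urandom(16)                     # known to the real dongle and app only
    rec = RecordingDongle(Dongle(key, SNIPPETS))
    genuine = ProtectedApp(rec, key).run()   # one genuine run; every read is logged
    app = ProtectedApp(EmulatedDongle(rec.snippets, rec.challenges), key)
    try:
        app.run(); before_patch = "ran"
    except PermissionError:                  # fresh nonce, the replay has no answer
        before_patch = "refused"
    app.dongle_is_genuine = lambda: True     # flip the conditional jump instead
    return {"shipped": run_vm(SHIPPED_IMAGE), "genuine": genuine,
            "emulated_before_patch": before_patch, "emulated_after_patch": app.run()}
```

Note what the model makes visible: the app restoring its image after each run changes nothing, because the recorder captured the snippets as they crossed the interface; the number of snippets is irrelevant for the same reason; and the only thing the emulator cannot reproduce is the keyed response to a fresh nonce, which is exactly the check that gets bypassed by editing the app rather than the dongle.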