Vero VISI-Series v7.2, v8.x, v9.x. Vero VISI-Series v7.2 / v8.0 / v9.1 - Tutorial A few days back I undertook a very serious analysis of this target which is protected by a DESKey DK2 dongle. Prior to this, several crackers had told me the program was 'uncrackable', or 'impracticle to break'.
Whether you need a locker padlock, a door chain for your house or a mortice lock, we can help. Browse our full selection of padlocks online at Tesco direct.
Ordinarily when I'm told something can't be cracked I move on, my list of projects needs shortening. However, somewhat foolishly I'd remembered the appalling DigiSHOW.vld as being a DESKey, it couldn't be that hard surely:-). As it turns out, this target isn't impossible to break its just very difficult, however what surprised me was how far I could break down the interface between the application and the dongle. Reading through the installation instructions it seems we'd really like to have a 'Dealer' or yellow dongle present, all other install types require some sort of password file which sounds like more work. We install the DESKey drivers and install VISI, at the end of the installation we get a series of 'Dongle not present' message boxes and a few 'Registration failed!' For good measure. None of these are catastrophic, just hit Cancel/OK as required.
The main program in VISI is cad3d.exe, run it and you'll get our familiar message box and an option to continue in DEMO mode, this results in being unable to save, the menu item is grayed. At 5.23Mb's we won't disassemble cad3d.exe we'll just do a PEDUMP and search the import table for DESKey names, its not hard to find our culprit, dk2win32.dll. 5 functions are imported (all of which are used, but only 4 of which we will be concerned with):- FindDK2() - is dongle present. DK2WriteMemory() - write to dongle memory.
DK2ReadMemory() - read from dongle memory. DK2DriverInstalled() - hopefully you installed the drivers. DK2ReadRandomNumbers() - generates 'random numbers' from the dongle. Loading the exports into SoftICE is the next step, the bpx of course goes on FindDK2(), lets take out the API guide:-:006FCEFF PUSH 008D6244 '. If your simulated dongle memory has 00 00 at address 0 you'll get the first message, if theres any value, the second.
Address 2 controls the expiry year counted in 6 month blocks from 1900. If you want a useful expiry date then set this word to 0xFF01. Launching cad3d.exe now gives us the final piece of the puzzle and the most difficult part to solve (under NT after selecting OK you'll get some more information in another message box that will prove very useful):- Interestingly you'll get this message under both 9x & NT, but exactly what is DESlock?, well in VISI this message is related to 2 DESKey API's, DK2ThroughEncryption() & DK2ReadRandomNumbers(). Both of these functions are capable of encrypting data using the DESKey and a seed byte, the algorithm in either case (if they aren't indeed the same) is unrecoverable without the original dongle, so we've got to hope for implementation mistakes.
One might think by just looking at the names that DK2ThroughEncryption() is likely to be the culprit, in fact in VISI it only encrypts 4 bytes and the response is verified application side:-:5000E9B4 ADD ESP,0C.