| ▲ | Defeating a 40-year-old copy protection dongle(dmitrybrant.com) |
| 219 points by zdw 4 hours ago | 63 comments |
| |
|
| ▲ | ruleryak 2 hours ago | parent | next [-] |
| Many a crack back in the day was even simpler still: we'd just find and alter the right JE or JNE into a JMP and we're off to the races. As the author found, the tough part is just finding and interpreting where and how the protection was implemented. If throwing the exe in a hex editor gave you access to String Data References (not always the case, but more common than not) then you'd just fail the check you were trying to skip, find that string, hop over into assembly to see what triggered loading that, and then just alter the logic to jump over it when the time comes. |
| |
| ▲ | hinkley 8 minutes ago | parent | next [-] | | There's a lot of things going on that lead to this. One, the developers spend more time running this code than we do, and they have to get the program working before we can even use it. So any parts of the program that are hostile to the developers risk killing the entire project. Obfuscating the copy protection can hit a point where it makes bug fixing difficult. Two, lack of training. If you, me, and Steve each have a bag of tricks we all use to crack games, whichever one of us figures it out gets bragging rights but the game remains cracked. Meanwhile Developer Dan has to be aware of all the tricks in all of our bags together if he wants to keep the three of us out. Only there's not three of us, there's 300. Or today, probably more like 30,000. Three, lack of motivation, which is itself several different situations. There's a certain amount of passive aggression you can put into a feature you don't even really want to work on. You can lean into any of the other explanations to defend why your code didn't protect from cracking all that much, but it's a checkbox that's trying to prove a negative, and nobody is going to give you any credit for getting it to work right in the same way they give you credit for fixing that corner glitch that the QA people keep bitching about. Or getting that particle animation to work that makes the AOE spells look badass. | |
| ▲ | antonvs an hour ago | parent | prev [-] | | > Many a crack back in the day was even more simple still, we'd just find and alter the right JE or JNE into a JMP and we're off to the races. I did that with dBASE III, which used ProLok "laser protection" from Vault Corporation - a signature burned onto the diskette with a laser. Back then, I found it amazing that Ashton-Tate actually spent money to contract with a copy protection company for something that could be so easily defeated by a teenager reading assembler. They could have easily just written the same kind of code themselves. An example of the power of marketing over substance. I was able to replicate that protection mechanism just by scratching a diskette with a pin. The "laser" was a meaninglessly advanced-sounding solution that added no value compared to any other means of damaging a diskette. | | |
| ▲ | foresto an hour ago | parent | next [-] | | > I was able to replicate that protection mechanism just by scratching a diskette with a pin. How did you figure out where to scratch it? Was the laser mark visible on the original disk, or did you have to read the code and orient based on the diskette's index hole? | | |
| ▲ | anyfoo 36 minutes ago | parent | next [-] | | Yes, it was apparently very visible: https://martypc.blogspot.com/2024/09/pc-floppy-copy-protecti... But as I mentioned in a sibling comment, I’m not sure it was ever confirmed that it was really a laser that made that mark. | |
| ▲ | antonvs 22 minutes ago | parent | prev [-] | | I described two different scenarios: defeating the protection, and replicating it, e.g. to protect your own software without paying Vault for their "laser" protection. Defeating the protection didn't involve knowing anything about the laser mark - as the comment I replied to described, it just involved changing a conditional jump to an unconditional one. Replicating the protection involved causing minor damage on the diskette - the details don't really matter, laser, pin scratch, whatever - then formatting the disk, and registering the pattern of bad sectors created by the damage. A normal copy of the disk didn't replicate those bad sectors exactly, which made it possible to detect that the original disk was not present. |
| |
| ▲ | Aaargh20318 an hour ago | parent | prev | next [-] | | I remember doing something similar with Lemmings 3D. You could simply NOP over the JMP into the copy-protection subroutine. It was surprisingly easy. Made me feel like such a badass hacker at 15 years old. | |
| ▲ | anyfoo 38 minutes ago | parent | prev [-] | | Was it ever confirmed that it was in fact a laser? I wanted to make a trivia question out of this ProLok protection, because “lasers for copy protection” sounds just weird enough to potentially be a nonsense answer without context, but I couldn’t confirm that the holes were indeed made with lasers, and not with other means. | | |
| ▲ | antonvs 20 minutes ago | parent [-] | | Good question. I don't know the answer, but I'm quite certain that it didn't really matter what mechanism was used to mark a diskette. Any damage would be equally strong as a way to detect copying. |
| ▲ | nsoonhui 2 hours ago | parent | prev | next [-] |
| I write civil engineering software [0] and am familiar with this kind of dongle. Yes, even today there are users who want this kind of dongle instead of, say, cloud-based validation. They feel secure only if they have something tangible in hand. Since we sold (and still sell) perpetual licenses, it becomes a problem when a dongle breaks and replacement parts are no longer available. Not all users want to upgrade. Also, you may hate cloud licensing, but it is precisely cloud licensing that makes subscriptions possible and, therefore, recurring revenue—which, from a business point of view, is especially important in a field where regulations do not change very fast, because users have little incentive to upgrade. Also, despite investing a lot of effort into programming the dongle, we can still usually find cracked versions floating online, even on legitimate platforms like Shopee or Lazada. You might think cracking dongles is fun and copy protection is evil, but without protection, our livelihood is affected. It’s not as if we have the legal resources to pursue pirates. [0]: https://mes100.com |
| |
| ▲ | throw101010 an hour ago | parent | next [-] | | > Yes, even today there are users who want this kind of dongle instead of, say, cloud-based validation. They feel secure only if they have something tangible in hand. In my experience this continues to this day due to people who require drawing on air-gapped computers, because the drawings/simulations they work on are highly sensitive (nuclear, military, and other sensitive infrastructure). But I'm sure there are also old-fashioned people who like the portability/sovereignty of not having to rely on a third-party license server as you suggest. | |
| ▲ | dataflow an hour ago | parent | prev | next [-] | | > from a business point of view, is especially important in a field where regulations do not change very fast, because users have little incentive to upgrade. Why should users upgrade or keep paying you when they already bought what they need and don't need anything else? | | |
| ▲ | nsoonhui an hour ago | parent | next [-] | | Because 1. Physical dongles tend to break, and when they do, users expect us to give them replacement parts. 2. They do expect bug fixes, especially calculation bug fixes, as the bugs are discovered. It's hard to leave their production-critical apps broken like that once you know that the bugs can cause monetary or even life loss. | | |
| ▲ | Dylan16807 33 minutes ago | parent [-] | | Wanting to stay in business makes sense, bug fixes make sense. But the actual dongle... look, something like that should have a 30+ year warranty. There should be a plan for how to replace it a couple times before making the initial sale. |
| |
| ▲ | mschuster91 37 minutes ago | parent | prev [-] | | > Why should users upgrade or keep paying you when they already bought what they need and don't need anything else? Because things evolve and inevitably, hardware dies, and you can't get a replacement. With an old "dumb" piece of machinery, when something breaks you can either repair the broken part itself (i.e. weld it back together, re-wind motor coils), make a new part from scratch, have a new part be made from scratch by a machining shop, or you adapt a new but not-fitting part. It can be a shitload of work, but theoretically, there is no limits. With anything involving electronics - ranging from very simple circuitry to highly complex computer controls - the situation is much, much different. With stuff based on "common" technology, aka a good old x86 computer with RS232/DB25 interfaces, virtualization plus an I/O board can go a long way ensuring at least the hardware doesn't die, but if it's anything based on, say, Windows CE and an old Hitachi CPU? Good fucking luck - either you find a donor machine or you have to recreate it, and good luck doing that without spec sheets detailing what exactly needs to be done in which timings for a specific action in the machine. If you're in really bad luck, even the manufacturer doesn't have the records any more, or the manufacturer has long since gone out of business (e.g. during the dotcom era crash). And for stuff that's purely software... well, eventually you will not find people experienced enough to troubleshoot and fix issues, or make sure the software runs after any sort of change. |
| |
| ▲ | jbm an hour ago | parent | prev | next [-] | | My dad used to use this kind of dongle for a civil engineering program called 'Cosmos'. Just wild to see it, it was so annoying to because sometimes it would simply not be detected on our 80386. | |
| ▲ | SecretDreams an hour ago | parent | prev [-] | | > which, from a business point of view, is especially important in a field where regulations do not change very fast, because users have little incentive to upgrade This take is diametrically opposite to what end users need. In a world where "if it ain't broke, don't fix it" is perfectly fine for the end user, buying a one-off license for software seems much more sane than SaaS. SaaS is like a plague for end users. I don't condone piracy, but I also don't condone SaaS. | | |
| ▲ | nsoonhui an hour ago | parent | next [-] | | In a perfect world, I would have agreed with you, even if it's diametrically opposite to my interest as a software developer cum business owner. But in an imperfect world where our dependencies (software components that we use) and the platforms that we need to build on/rely on (like Civil 3D) do charge us on an annual basis, and some users expect perpetual bug fixes from us, with or without a support contract of sorts, SaaS seems the only way to go for our sustainability. | | |
| ▲ | SecretDreams an hour ago | parent [-] | | There's gotta be a better middle ground. Release something polished and only fix major bugs/vulnerabilities for free (because that's a liability). Minor bugs are accepted for a one-off cost (I'm still using Microsoft 2016, e.g.). We've all got to push back against these bloated SaaS models that don't bring tangible benefits to end users and serve only to pad company valuations. Make new versions of your software with features meaningful enough to encourage people to upgrade and outline support periods for existing software sales after they buy a one-time license. There's gotta be a better way. For everyone (except big tech CEOs). |
| |
| ▲ | charcircuit an hour ago | parent | prev [-] | | If a user gets ongoing value from software it makes sense for them to be willing to pay ongoing for that value. What users need is that the value they get from a product is more than the money they are trading for it. A one off license would be the result of a race to the bottom due to competition. | | |
| ▲ | icameron an hour ago | parent | next [-] | | Sure, if there is increasing or evolving utility being offered. But it’s also fair to charge for upgrades in that case. | |
| ▲ | SecretDreams an hour ago | parent | prev [-] | | If I get ongoing value from my fully paid off car, should I keep paying the OEM? How about my house or my bike or my shoes? My toilet (huge ROI on this one)? My fridge?? Why do we feel that software gets to impose this ridiculous SaaS model? The only real answer is "because they can", not because it's helping anyone. Reality is that many modern software developments have plenty in common with designing a toilet. You spend time identifying the problem statement, how you can differentiate yourself, prototype it, work out the bugs, ship the final product, and let sales teams move the product. The difference is the toilet can't be turned into a SaaS (yet) and, if it ever could, that would break functionality because you're supposed to poop in it, not have it poop on you. | | |
| ▲ | ryandrake 40 minutes ago | parent [-] | | Seriously, I have a house full of appliances, tools, clothing, and so on, that I get "ongoing value" from and whose manufacturers don't have the gall to try to charge me monthly for. Totally unacceptable business model. |
| ▲ | charcircuit 10 minutes ago | parent | prev | next [-] |
| >The only evidence for the existence of this company is this record of them exhibiting their wares at SIGGRAPH conferences in the early 1990s, as well as several patents issued to them, relating to software protection. There is also their webpage for ordering PC RPG II. The company address is a residential house. https://web.archive.org/web/20010802153755/http://home.netco... |
|
| ▲ | dehrmann 3 hours ago | parent | prev | next [-] |
| > I must say, this copy protection mechanism seems a bit… simplistic? A hardware dongle that just passes back a constant number? Seems like it was an appropriate amount of engineering. Looks like this took between an afternoon and a week with the help of an emulator and decompiler. Imagine trying to do this back then without those tools. |
| |
| ▲ | 15155 2 hours ago | parent | next [-] | | Audience matters. Something intended to stop legitimate business consumers in a non tech industry requires substantially less sophistication than something built to withstand professional reverse engineers. | | |
| ▲ | dwattttt 2 hours ago | parent | next [-] | | Locks are there to keep honest people honest. To expand on the saying, they're not there to be insurmountable. Just to be hard enough to make it easier to do things the right way. | | |
| ▲ | nkrisc 2 hours ago | parent [-] | | And often they’re there so no one can plausibly say they didn’t know what they were doing or stumbled into it accidentally. You can’t “accidentally” go through a door with a padlock on it. I’d guess it’s something similar with this dongle. You can’t “accidentally” run the software without the dongle. |
| |
| ▲ | classichasclass 2 hours ago | parent | prev [-] | | Copy protection was also generally less robust for educational software, since it sold to generally law-abiding folks (parents, educators, etc.). Never saw Rapidlok or V-MAX! used for educational software on the Commodore 64, for example. |
| |
| ▲ | bri3d 2 hours ago | parent | prev | next [-] | | In fairness, the decompiler didn't work on the protection method :) I think that both halves of the author's thesis are true: I bet that you could use this device in a more complicated way, but I also bet that the authors of the program deemed this sufficient. I've reversed a lot of software (both professionally and not) from that era and I'd say at least 90% of it really is "that easy," so there's nothing you're missing! | |
| ▲ | opinologo 3 hours ago | parent | prev | next [-] | | I remember doing exactly this kind of hack for a small telco in Buenos Aires. Extel. Around the year 2000. In most cases it was not much more difficult than what OP described. | | |
| ▲ | iamflimflam1 2 hours ago | parent [-] | | I worked on some software that was used by telcos around that time - you were probably hacking our dongles :) |
| |
| ▲ | cyanydeez 3 hours ago | parent | prev [-] | | Yeah, my IT company bitshifts suspect files and provides the magic number. The protection just needs to be sufficiently complex. |
| ▲ | dunham 2 hours ago | parent | prev | next [-] |
| Back when I was a kid in the 80's, I cracked one of the Ultima games. I had it on my hard drive and didn't want to stick a floppy in every time I ran it. The code decrypted itself, which confused debuggers, and then loaded a special sector from disk. It was a small sector buried in the payload of a larger sector, so the track was too big to copy with standard tools. The data in the sector was just the start address of the program. My fix was to change the executable header to point to the correct start address. |
|
| ▲ | aizk 2 hours ago | parent | prev | next [-] |
| Very cool to read an article about Windows 95 still being used in production, a nice contrast to the infinite AI hype cycle over everything. Tech may move fast in flashy areas but not in the more "boring" parts of the industry. |
| |
| ▲ | accrual 2 hours ago | parent | next [-] | | I knew of a Windows 95 host running virtualized in a corp environment until at least 2014 or so. It was surprisingly sturdy, I only had to remote into it once or twice when the old software it was running hung up on something. It was old medical software and we apparently had a couple clients still interfaced to it. | |
| ▲ | 1970-01-01 2 hours ago | parent | prev | next [-] | | The screenshots show the program was made for DOS. Very likely Windows was used just for network file sharing. | |
| ▲ | jojobas 2 hours ago | parent | prev [-] | | Win95 is only 30 years old and runs natively on some modern hardware. Apparently there is important stuff still running in emulated PDP-11s, almost double the age. | | |
| ▲ | jedberg 2 hours ago | parent | prev | next [-] |
| > I must say, this copy protection mechanism seems a bit… simplistic? A hardware dongle that just passes back a constant number? Defeatable with a four-byte patch? Nowadays we don't bother with copyright protection other than a license key, because we know enterprises generally will pay their bills if you put up any indication at all that a bill is required to be paid. This was basically the 80s version of that. |
|
| ▲ | kmad 39 minutes ago | parent | prev | next [-] |
| Was anyone else's first thought to put this through Claude and see what it thought? Who knows if it's in the training data, etc. but I fed in the gist of the raw asm and didn't see any other network requests. Opus 4.5 did pretty well considering it was raw assembly: ---
This is a classic hardware dongle detection routine for DOS/x86 systems from the 1980s-90s era. Here's what it does: Purpose
Copy protection - it detects whether a specific hardware key (dongle) is connected to the parallel port.
Step-by-Step Breakdown
1. Find Parallel Port (lines 0000-0015)
- Searches the BIOS data area (0000:0408) for parallel port addresses
- Checks up to 4 possible LPT ports
- Returns if no port found
2. Save Port State (lines 0016-001D)
- Disables interrupts (CLI)
- Reads and saves current data and control register values
- Pushes them onto stack for later restoration
3. Initialization Sequence (lines 001F-003A)
- Sends specific control signals: 0x82, 0x80, 0x82
- Uses precise timing delays (0x9C40 and 0x3880 loops)
- Prepares the dongle for interrogation
4. Challenge-Response Loop (lines 003C-005F)
- Runs 120 iterations (0x78)
- Each iteration:
  - Sends 0xA2 to control port
  - Reads status register
  - Checks bit 6 (0x40 mask)
  - Records timing of specific responses in BL and BH registers
- Looks for a response at iteration 0x76
5. Cleanup (lines 0061-006F)
- Writes 0x00 to reset
- Restores original port state
- Re-enables interrupts (STI)
- Returns with BX containing the challenge result
The dongle hardware would respond to these electrical signals with specific timing patterns that only genuine dongles would produce, making it very difficult to crack without the physical hardware.
--- |
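The probe sequence kmad's summary lays out, as an added C simulation (this is not code from the article, from kmad, or from the quoted model output): it models the LPT register file (base+0 data, base+1 status, base+2 control) and walks the five steps above against three hypothetical device models. The device behaviour (a genuine dongle asserting status bit 6 only on the strobe for iteration 0x76, an empty port reading bit 6 high, an inert device never answering) and the reading of BL/BH as the first and last responding iteration are assumptions of this example, not facts from the page.

```c
#include <stdint.h>
#include <stdio.h>

/* Added example: host-side simulation of the parallel-port probe described in
 * the thread.  All device-side behaviour below is assumed for illustration. */

enum { DONGLE_ABSENT = 0, DONGLE_GENUINE = 1, DONGLE_INERT = 2 };

typedef struct {
    uint8_t data, status, control;  /* simulated base+0, base+1, base+2 */
    int model;                      /* which hypothetical device sits on the port */
    int strobes;                    /* number of 0xA2 control writes seen so far */
} lpt_t;

static void lpt_init(lpt_t *p, int model) {
    p->data = 0x55; p->status = 0x00; p->control = 0x0C;  /* arbitrary prior state */
    p->model = model; p->strobes = 0;
}

/* Write the control register and let the simulated device update status. */
static void out_control(lpt_t *p, uint8_t v) {
    p->control = v;
    switch (p->model) {
    case DONGLE_ABSENT:
        p->status = 0x40;   /* assumed: open ACK line reads high, bit 6 always set */
        break;
    case DONGLE_GENUINE:
        if (v == 0xA2) p->strobes++;
        /* assumed: genuine device asserts bit 6 only on the strobe for iteration 0x76 */
        p->status = (v == 0xA2 && p->strobes - 1 == 0x76) ? 0x40 : 0x00;
        break;
    default:                /* DONGLE_INERT: something attached that never answers */
        p->status = 0x00;
        break;
    }
}

static void settle_delay(void) {
    /* stands in for the 0x9C40 / 0x3880 busy-wait loops; nothing to wait for here */
}

/* The probe as the summary describes it; returns the value left in BX.
 * (Step 1, locating the port via the BIOS data area, is replaced by the caller
 * handing us a port; CLI/STI have no meaning in a simulation.) */
static uint16_t dongle_check(lpt_t *p) {
    uint8_t saved_data = p->data, saved_ctl = p->control;   /* step 2: save port state */
    int first = -1, last = -1;

    out_control(p, 0x82); settle_delay();                   /* step 3: init sequence */
    out_control(p, 0x80); settle_delay();
    out_control(p, 0x82); settle_delay();

    for (int i = 0; i < 0x78; i++) {                        /* step 4: 120 iterations */
        out_control(p, 0xA2);
        if (p->status & 0x40) {                             /* check bit 6 */
            if (first < 0) first = i;                       /* assumed: BL = first response */
            last = i;                                       /* assumed: BH = last response */
        }
    }

    out_control(p, 0x00);                                   /* step 5: reset and restore */
    p->data = saved_data; p->control = saved_ctl;

    if (first < 0) return 0xFFFF;                           /* no response at all */
    return (uint16_t)((last << 8) | first);
}

/* Run the probe against one device model and return the BX it produces. */
uint16_t probe_result(int model) {
    lpt_t port;
    lpt_init(&port, model);
    return dongle_check(&port);
}

int main(void) {
    printf("genuine: BX=%04X\n", probe_result(DONGLE_GENUINE));  /* 7676 */
    printf("absent : BX=%04X\n", probe_result(DONGLE_ABSENT));   /* 7700 */
    printf("inert  : BX=%04X\n", probe_result(DONGLE_INERT));    /* FFFF */
    return 0;
}
```

What the simulation makes visible is that the value ending up in BX is purely a function of what the status register returns during the 120 strobes; the host-side routine holds no secret of its own, which is why the thread's conclusion about the check being cheap to recognise follows directly from reading it.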
|
| ▲ | zabzonk 28 minutes ago | parent | prev | next [-] |
| I think I remember hacking some of the copy-protection out of a version of Tetris using the Borland debugger. I definitely patched mouse support into a Chris Crawford "Battle of the Bulge" game using it (for my rather tricky platform). That was a good debugger, and probably the last one I have used much - prefer logging/printing for stuff I write myself. I remember my Dragon 32 (6809, Color Computer clone) had a dongle you plugged into the joystick port to protect a really crap game - Jumping Knights? I never tried to defeat it. |
|
| ▲ | sonixier 2 hours ago | parent | prev | next [-] |
| The company I work at has the same problem. We have some old mission-critical Windows 2000 PC that runs the RPG compiler, with attached dongle. This gave me some clues on where to start - thanks author! |
|
| ▲ | Tempest1981 34 minutes ago | parent | prev | next [-] |
| So what hardware would be inside the dongle? Would a small PAL be enough? 22V10? Maybe use a few registers to delay the values written by a few cycles, mixing in some decode logic? (Something cheaper than a microcontroller, I'm guessing... due to cost) |
|
| ▲ | odomus 39 minutes ago | parent | prev | next [-] |
| Is defeating a 40-year-old copy protection mechanism still illegal under Section 1201 of the DMCA, or have they changed the law to make an exception for "very old" software? |
|
| ▲ | insuranceguru an hour ago | parent | prev | next [-] |
| Wow, The Home Accountant is basically the great-grandfather of everything we do in modern financial and actuarial modeling. Dmitry's breakdown is like digital archeology. It's wild to think about the hardware risk people used to accept: putting your entire household's financial history on a system that bricks itself the second a 40-year-old plastic dongle fails. Really great read. |
|
| ▲ | izme 2 hours ago | parent | prev | next [-] |
| This takes me back. There exist emulators for these dongles as well: you run a dumper with the dongle attached and load the program, and it makes a dump file which you then use in the emulator. I had to do this for a company so they could continue to use their old specialised Win98 software on modern computers using DOSBox and an emulator. |
|
| ▲ | accrual 2 hours ago | parent | prev | next [-] |
| Fun journey! It would be fascinating to see what's inside the dongle. I wonder if it's programmable or just a simple circuit. |
| |
| ▲ | byb an hour ago | parent [-] | | Yes, a neat follow-up would be to clone the copy protection device with a cheap microcontroller. A lot of these devices were filled with epoxy, but it would be funny to find out these were all just 1Kbit EEPROMs. Such an article could give some background on parallel port communication, EEPROMs, and how regular printer data was passed through. |
|
|
| ▲ | kwanbix 3 hours ago | parent | prev | next [-] |
| My father, an accountant, used to have a program like that, that used RPG and a dongle! Good times. Horrible dongle. |
|
| ▲ | DANmode an hour ago | parent | prev | next [-] |
| > Is this really worthy of a patent? You have no idea how deep this rabbit hole goes. Patents are barely better than copyright, as far as society net-positive. |
|
| ▲ | dmitrygr 2 hours ago | parent | prev | next [-] |
| >Very importantly, there doesn’t seem to be any “input” into this routine. It doesn’t pop anything from the stack, nor does it care about any register values passed into it. Which can only mean that the result of this routine is completely constant!
This is not necessarily a fair assumption (though it worked this time). It could be some sort of rolling code, where the reply is not constant but changes, and remains verifiable. Example: garage door openers have no input from the garage, but the sent signal differs every button click, and the garage can verify its correctness. |
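To make dmitrygr's point concrete, an added C example (not from the thread) contrasts a responder that hands back a constant with a rolling-code responder in the garage-door style: neither takes any input from the host, yet the rolling code changes on every use, and a verifier that shares the key and tracks a counter window can still validate it and reject a replayed value. mix64() is a splitmix64-style mixing function standing in for a keyed PRF purely to make the idea runnable (it is not a cryptographic primitive), and the 16-step resync window and the constructed key are assumptions of this example.

```c
#include <stdint.h>
#include <stdio.h>

/* Added example: constant reply vs. rolling code, neither taking host input. */

#define ROLL_WINDOW 16   /* how many unverified uses the verifier tolerates (assumed) */

/* Toy keyed mixing function (splitmix64-style finaliser); NOT a real PRF. */
static uint64_t mix64(uint64_t key, uint64_t counter) {
    uint64_t z = key ^ (counter * 0x9E3779B97F4A7C15ULL);
    z = (z ^ (z >> 30)) * 0xBF58476D1CE4E5B9ULL;
    z = (z ^ (z >> 27)) * 0x94D049BB133111EBULL;
    return z ^ (z >> 31);
}

/* A device that just returns a fixed number, like the dongle in the article. */
typedef struct { uint32_t magic; } constant_dev_t;
static uint32_t constant_respond(const constant_dev_t *d) { return d->magic; }

/* A rolling-code responder: shared key plus a counter that advances on every use. */
typedef struct { uint64_t key; uint64_t counter; } rolling_dev_t;
static uint32_t rolling_respond(rolling_dev_t *d) {
    return (uint32_t)mix64(d->key, d->counter++);
}

/* Verifier state: the same key plus the highest counter it has accepted so far. */
typedef struct { uint64_t key; uint64_t last_accepted; } rolling_verifier_t;

/* Accept `code` if it matches any counter in (last_accepted, last_accepted + WINDOW];
 * on success move the watermark forward so the same code can never be replayed. */
static int rolling_verify(rolling_verifier_t *v, uint32_t code) {
    for (uint64_t c = v->last_accepted + 1; c <= v->last_accepted + ROLL_WINDOW; c++) {
        if ((uint32_t)mix64(v->key, c) == code) {
            v->last_accepted = c;
            return 1;
        }
    }
    return 0;
}

/* Exercise both responders; returns a bitmask of the observations (63 = all as expected). */
unsigned rolling_code_demo(void) {
    const uint64_t key = 0x0123456789ABCDEFULL;   /* constructed shared secret */
    constant_dev_t cd = { 0x1234 };
    rolling_dev_t dev = { key, 1 };
    rolling_verifier_t ver = { key, 0 };
    unsigned flags = 0;

    if (constant_respond(&cd) == constant_respond(&cd)) flags |= 1;   /* constant: same every time */

    uint32_t first = rolling_respond(&dev);
    uint32_t second = rolling_respond(&dev);
    if (first != second) flags |= 2;                 /* rolling: output changes per use */
    if (rolling_verify(&ver, first)) flags |= 4;     /* fresh code accepted */
    if (!rolling_verify(&ver, first)) flags |= 8;    /* replay of the same code rejected */
    if (rolling_verify(&ver, second)) flags |= 16;   /* next code accepted */

    /* Device used ROLL_WINDOW + 4 times without the verifier seeing any of it ... */
    for (int i = 0; i < ROLL_WINDOW + 4; i++) rolling_respond(&dev);
    /* ... so the next code has drifted past the window and is rejected. */
    if (!rolling_verify(&ver, rolling_respond(&dev))) flags |= 32;
    return flags;
}

int main(void) {
    printf("observations: 0x%02X (expect 0x3F)\n", rolling_code_demo());
    return 0;
}
```

The design point for a verifier is the window: it lets the two sides resynchronise after a few lost uses while still refusing any code at or below the last accepted counter, which is what separates a rolling reply from a constant one even though both devices are "input-free" from the host's point of view.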
|
| ▲ | burnt-resistor an hour ago | parent | prev | next [-] |
| And they probably could've just used Neverlock Business which cracks zillions of programs. |
|
| ▲ | catlikesshrimp 2 hours ago | parent | prev [-] |
| Why wasn't (isn't) this more widely used? It was clearly more effective than a CD key. I know there is cost associated with the hardware, but surely the customer can cough up 15 more dollars. The only reason I can think of is wanting as wide adoption before max revenue as possible. But then, this has never been too popular, not even for games! |
| |
| ▲ | bri3d 2 hours ago | parent | next [-] | | Dongles were extremely widely used in the 1990s and early 2000s; for anything more advanced than consumer software you'd almost expect them? Almost every DAW, video editor, high-end compiler, engineering/CAD package, or 3D suite used them, certainly. I think sometime in the late 1990s FlexLM switched from dongles to "hardware identifiers" that were easily spoofed; honestly I don't think this was a terrible idea since to this article's conclusion, if you could reverse one you could reverse the other. But this concept was insanely prevalent for ~20 years or so. One of the biggest problems was not having enough ports. Some parallel port dongles tried to ignore communication with other dongles and actually had a port on the back; you'd make a "dongle snake" out of them. Once they moved to USB it was both easier and harder - you couldn't make the snake anymore, but you could ask people to use a hub when they ran out of ports. | | |
| ▲ | Joe_Cool an hour ago | parent [-] | | P-CAD even had a dongle caddy where you could plug in, I think, about 7 of them to unlock different modules. I will check if I can find an image of it. EDIT: here is an old listing of it: https://www.ebay.com/itm/187748130737 Sadly the lid isn't open so you can't see what modules are installed. |
| |
| ▲ | GuB-42 2 hours ago | parent | prev | next [-] | | Having to put a physical device on your parallel port at the back of the computer is kind of annoying, especially if every piece of software you use has one. More common for games was to use the media itself for copy protection, using a variety of tricks to make copying more difficult. Other techniques involve printing some keys you have to enter using colors that don't render well in photocopies, or having you look at words on a certain page of a thick user manual, the idea being that it is more expensive to go through the effort of copying this material than to buy the software legally. One of my favorites is from Microprose games, for which the manual was a pretty good reference book on the subject of the game, that alone is worth buying. And the copy protection is about asking you about information contained in the book, for example, it may be some detail about a particular plane in a flight simulator, which means that a way to bypass copy protection is simply to be knowledgeable about planes! Dongles were common, but mostly for expensive enterprise software. Also, dongles don't make cracking harder compared to all the other techniques, so for popular consumer software like games, it is likely to be a lot of inconvenience and a waste of money for limited results. | | |
| ▲ | ryandrake 32 minutes ago | parent [-] | | Makes me sad how many person-years of effort have been wasted over the years on futile dongle-engineering, copy-protection and DRM. They're pretty much all cracked. And the industry keeps insisting on trying! |
| |
| ▲ | jandrese 2 hours ago | parent | prev | next [-] | | One problem is that they often couldn't be daisy chained, the connector on the back was only useful for an actual printer. So if everybody started doing it you would have to swap them constantly which is a headache. So they're mostly used for software where it's going to be the only thing running on the box. I find it interesting that they didn't make it into the USB era where you could easily have something that does some actual processing on the device that makes it a serious challenge to reverse engineer. | | |
| ▲ | chrisldgk 2 hours ago | parent [-] | | They did carry over into the USB era! I specifically remember my stepdad's copy of Cubase (music production software) requiring a USB dongle to open. | |
| ▲ | bonzog an hour ago | parent [-] | | Ditto - and there's also the "iLok" dongle used by loads of virtual instrument & effects plugins for DAWs. |
|
| |
| ▲ | ok123456 2 hours ago | parent | prev [-] | | It was widely used in engineering software because the license cost was equivalent to a large fraction of an engineer's salary. Anyone who used AutoCAD back in the 90s can remember. When parallel ports were discontinued, they migrated to USB and network license servers. |
|