Reverse Engineering Team
Unregistered, You must accept the Forum Rules below to be able to use some forum functions.

Read forum rules below...

1. All posts must be written in English.
2. Don't spam/abuse any other member via E-mail or Private Messages.
3. Have phun!

For breaking above rules you may be warned/banned appropriately!

Matrix Dongle Emulation

View previous topic View next topic Go down

Matrix Dongle Emulation

Post by rudolf82 on Wed Nov 02, 2016 6:00 am

Hello Guys,

I have several softwares protected with Matrix Dongle.

I got my correct Matrix Dongle Usercode from an Online Service where I send USBTraceLog.txt
I tried to analyze the log but I could not find the usercode inside the Log.
How can I extract UserCode from USBTrace Log for study purpose?


One (the simplest) of the protected applications uses original matrix32.dll to communicate with the Dongle
So I Downloaded Windows API Version from Techno*Data (http://ww*w.mat*ix-l*ck.com) and I developed a VB.NET Fake matrix32.dll that simulates the original dll responses.
Then I replaced original matrix32.dll with fake dll and application works correctly.

Other applications, however, do not use matrix32.dll; then I suppose the others application incorporate API Libraries (Lib files) directly into the application .EXE file
So I suppose I should develop a driver that intercepts calls to the dongle and return the answers that the application expects...is it correct?
Is it possible to devolop something like that? Where do I start?

Thank you and excuse me for english

rudolf82

Posts : 5
Points : 8
Reputation : 1
Join date : 2016-10-28

Back to top Go down

Re: Matrix Dongle Emulation

Post by ovis25 on Wed Nov 02, 2016 7:57 am

hook? and redirect to patched one.

ovis25

Posts : 433
Points : 731
Reputation : 112
Join date : 2014-06-07
Location : reversing.ro

http://reversing.ro

Back to top Go down

Re: Matrix Dongle Emulation

Post by BfoX on Wed Nov 02, 2016 9:35 am

possible, usb dongle emulator is ready. the usb trace log is done for it in 95%

BfoX

Posts : 942
Points : 1233
Reputation : 229
Join date : 2012-04-18
Location : Earth

Back to top Go down

Re: Matrix Dongle Emulation

Post by rudolf82 on Wed Nov 02, 2016 2:55 pm

Hello and thank you for yours replies....but I don't understand what do you meen...

How can I extract UserCode from USBTrace Log for study purpose?

And...how can I intercept App to Dongle calls?
Thanks for your patience

rudolf82

Posts : 5
Points : 8
Reputation : 1
Join date : 2016-10-28

Back to top Go down

Re: Matrix Dongle Emulation

Post by ovis25 on Wed Nov 02, 2016 3:53 pm

am afraid what you need is private stuff. Very Happy

ovis25

Posts : 433
Points : 731
Reputation : 112
Join date : 2014-06-07
Location : reversing.ro

http://reversing.ro

Back to top Go down

Re: Matrix Dongle Emulation

Post by sverox on Thu Nov 03, 2016 2:23 am

1. Find and study vusbbus HASP source posted on forums.
2. Understand how low level USB works.
3. Continue study matrix SDK (IDA your friend, start with static lib and obj files).
4. Isolate and reverse matrix packet encryption, sizes, data transferred in and out (hint -> hid.dll setReport and getReport).
5. Write/modify vusbbus functions for emulate low level matrix device (is works in HID (more popular) and driver mode, so 2 different protocols, but 1 (HID) enough for emulate).
6. After you have all/almost all data for 4 and 5 - make your own dumper, emulator and usbtrace decoder.

Job done!

sverox

Posts : 49
Points : 97
Reputation : 40
Join date : 2013-10-09

Back to top Go down

Re: Matrix Dongle Emulation

Post by rudolf82 on Thu Nov 03, 2016 3:03 am

Thank you very much Sverox for the info...

Just one last question before start, could you explain me how extract USERCODE from USBTrace log?

Thanks in advance

rudolf82

Posts : 5
Points : 8
Reputation : 1
Join date : 2016-10-28

Back to top Go down

Re: Matrix Dongle Emulation

Post by sverox on Thu Nov 03, 2016 3:31 am

Data you see in log is encrypted.
When you recover packet encryption you will find this.

sverox

Posts : 49
Points : 97
Reputation : 40
Join date : 2013-10-09

Back to top Go down

Re: Matrix Dongle Emulation

Post by rudolf82 on Thu Nov 03, 2016 3:42 am

Thank you very much Sverox

rudolf82

Posts : 5
Points : 8
Reputation : 1
Join date : 2016-10-28

Back to top Go down

Re: Matrix Dongle Emulation

Post by besoeso on Thu Mar 09, 2017 7:27 am

Any tips for attack the 128 bit key extracction for XTEA. For example if have 3 pairs plaintext/crypt, one for all zeros, other for all ones and the last with bit changes values.

besoeso

Posts : 10
Points : 15
Reputation : 3
Join date : 2012-10-11

Back to top Go down

Re: Matrix Dongle Emulation

Post by BfoX on Thu Mar 09, 2017 10:21 am

@besoeso: not possible solve 128 bit. but possible read back from dongle =)

BfoX

Posts : 942
Points : 1233
Reputation : 229
Join date : 2012-04-18
Location : Earth

Back to top Go down

Re: Matrix Dongle Emulation

Post by besoeso on Thu Mar 09, 2017 11:49 am

BfoX wrote:@besoeso: not possible solve 128 bit. but possible read back from dongle =)
If it is posible read back from dongle because there is a command for request the key. Will be good if you noted this info for isolate it. The 2 first bytes usbtrace data is enought or name api.


Last edited by besoeso on Thu Mar 09, 2017 11:56 am; edited 1 time in total

besoeso

Posts : 10
Points : 15
Reputation : 3
Join date : 2012-10-11

Back to top Go down

Re: Matrix Dongle Emulation

Post by BfoX on Thu Mar 09, 2017 11:55 am

try to analyse the matrix usb dongle driver by command number. one command is cut from driver, but you can recovery it by self. he near at write_tea_key command Wink

BfoX

Posts : 942
Points : 1233
Reputation : 229
Join date : 2012-04-18
Location : Earth

Back to top Go down

Re: Matrix Dongle Emulation

Post by rudolf82 on Thu Mar 09, 2017 3:21 pm

BfoX can you hel me to emulate these keys?
Are there any software or drivers to do this?
Can you explain how can I exctract USERCODE?

Thank you

rudolf82

Posts : 5
Points : 8
Reputation : 1
Join date : 2016-10-28

Back to top Go down

Re: Matrix Dongle Emulation

Post by besoeso on Fri Mar 10, 2017 3:59 am

if you look inside, where write key command (x42) is called you can to find write and read memory cmds, this last cmd used for read data from memory for check right written when execute the write command. 

If for example execute the write key command,  the next command is 0xD5 but it request only one byte (flag) to read. The size to request must to be 16 bytes. 

For check if write key is well written will must request 16 bytes for read.

A bit best clue or detail will be fine.

besoeso

Posts : 10
Points : 15
Reputation : 3
Join date : 2012-10-11

Back to top Go down

Re: Matrix Dongle Emulation

Post by Sponsored content


Sponsored content


Back to top Go down

View previous topic View next topic Back to top

- Similar topics

 
Permissions in this forum:
You cannot reply to topics in this forum