everkey/rocky4 hacking someone experienced?


kees58
December 11th, 2014, 09:00
Hi all

I need help to find the shell. I have a new version of software that uses this, I think, because decompiling it
with Source Rescuer gives the error that the file is packed or encrypted. Finding some decent Rockey4 tools is difficult
because they are not downloadable.

The older software I can decompile, and it gives good information; this version used a table that gives activation
of certain program parts. Finding the Rockey4 parts in the file was easy (keychecker.pas).

It is a nice victim for you guys; you can learn a lot from it, but keep it safe: there is no crack on the internet for it, and it deserves better.
But for reverse engineering it is very nice. Rockey4 is not yet cracked much, or not at all. The new version uses keychk.dll 6.32;
I do not know if it is the newest one. I see the old kechk32.dll can also be used, but it sadly encrypts the part of the code
I need to investigate.

Do you know where to find tools to get info? With PEiD I get different encodings, but the software also uses encryption for
databases etc. The older software has the same and is cracked 90 percent.

[attachment 2965]

Here is the software itself, radio automation, but without expensive apparatus it is not usable.

https://www.dropbox.com/s/nv8athpccjg1sg0/PC-Radio1%206.rar?dl=0

Happy cracking in these dark days.

kees

FoxB
December 11th, 2014, 09:22

You want to crack it without the dongle? For the R4/r4ndonly user algo it is not simple. For r4shell there is additionally a TEA algo inside.

kees58
December 11th, 2014, 09:38
Quote:
[Originally Posted by FoxB;96781]

You want to crack it without the dongle? For the R4/r4ndonly user algo it is not simple. For r4shell there is additionally a TEA algo inside.


I have cracked the version just before 6, which was very simple, without a dongle; however one software module is not yet activated, I have not found it yet.

It was very much fun, and still is, and I am not a real assembler freak; I do not know too much about it.

[attachment 2966]

The attachment is the older version; it gives the table. I attacked the software, not the dongle, as most brute-forcers do. The dongle
itself is not crackable. Maybe the .sys file could be used as a software dongle? But not for me. I do look for dongle
dumpers etc., but when I find them they are gone.

In the table, when all is set to zero, all modules are off, and the days left stays the same, 999 days; a week later still 999 days,
because it is hardcoded there. So these are bad programmers who did not hide much. Maybe the new version is better,
because it does not load in the decompiler anymore, and also not in protectionID.exe.

Have a nice day
kees

FoxB
December 11th, 2014, 10:13
Passwords: 0x80ef, 0x4c8f, 0x8038, 0x4cbf
But useless without the dongle =)

kees58
December 11th, 2014, 10:39
Quote:
[Originally Posted by FoxB;96784]Passwords: 0x80ef, 0x4c8f, 0x8038, 0x4cbf
But useless without the dongle =)


I have the dongle, but wrote to it by mistake; it was a demo dongle.
The program comes with a blue dongle..

So the new software version has a shell, not nice. I can however dump a
working version with a dongle, or read the dongle, but then I need a dongle reader;
they are out there, but I cannot download them, as from exetools.

Maybe someone here has the Rockey tools?

Did you give the passwords of your own program? Or is that from the link I gave?
There are passwords enough, and also this software has a time limitation: the company
gives a renewal code every 3 months, even when you buy the program.

And this for a worthless radio program; who wants to crack that? Yes, me, for learning
and to burn some time in the dark days.

regards

kees

cEnginEEr
December 23rd, 2014, 10:08
If the dongle is Rockey4 or Rockey4ND, then you must know that r4shell uses the RY_SEED API for en/decrypting; assuming that those passwords are correct, find the requested SEED value from the shell and post it here, and I'll calculate the algo answers for you.

PS: I cracked that dongle back in 2008

cEnginEEr
December 23rd, 2014, 10:11
One more thing: I released a logging utility for Rockey4 (not Rockey4ND) back then (named R4Monitor); search around the net, you can find it somewhere.

emmmmmm...kinda getting old

cEnginEEr
December 23rd, 2014, 10:15
PPS: Is Sab still around?

kees58
December 23rd, 2014, 13:12
Quote:
[Originally Posted by cEnginEEr;96801]If the dongle is Rockey4 or Rockey4ND, then you must know that r4shell uses the RY_SEED API for en/decrypting; assuming that those passwords are correct, find the requested SEED value from the shell and post it here, and I'll calculate the algo answers for you.

PS: I cracked that dongle back in 2008


Hehehe, I did also, but not the dongle itself, the software. I do like to look in software; these days we have very nice
software to decompile.

I have now researched the new version 6 software, which seems to have a strong version 6 dongle. Well, see how far I have got now
attacking the software. It was not so difficult; however the software is crawling with fake calls etc., and finding the good ones takes time.
But you see the dongle can still be cracked without a problem; the weakness is still the programmer, who does not take parts
of the software into the dongle. However, when people have the dongle, then a dongle is as bad as no protection. It costs less
to make light programs for people who have no money for the pro version, but hey, then we would also have no work anymore.

See pictures. I found the byte representations of the module activations; some are fake, others did work. For example there
are 65 key.onair calls.

The IDR software from crypto does a good job!! It sees all the strings and references, which makes things easier in this Delphi program.

[attachment 2975]

[attachment 2976]

Happy Christmas days

kees58
December 23rd, 2014, 13:29
Your utility is also on sites with spam, pay-for-membership etc., even in China; I cannot download it without paying.

It is a hobby; making friends etc. is what we do, and stunning the program writers, teaching them good protections, right?

Sab
December 23rd, 2014, 14:48
I was just about to ask the same thing about you...

kees58
December 23rd, 2014, 16:54
About protection: if I see this, then the programmers are very lazy.

[attachment 2973]

[attachment 2974]

Regards, and all very nice days and a happy Christmas.

kees

cEnginEEr
December 23rd, 2014, 23:39
@kees58: nice work, and it is a good thing you solved this problem by yourself; that's the only way you really learn something.

@Sab: how are you doing, man? Good to see you still around.
These last years I've had little chance to visit this site (real life is a bitch), but it is still fun to check out www.woodmann.com, especially to see old friends.

kees58
December 24th, 2014, 08:50
cEnginEEr, you are right; it is not my intention to do software piracy. Why is this software so heavily protected? It is not worth much, eh.

The problem I have left is that I need a dongle dumper, so I can play a better game with it. However R4Monitor and such are not downloadable, because they are behind
forums that need an invitation, for example, and so I cannot register, or I have to pay 40 dollars a month to download. But hey, even now it is very fun to play
with these protections. However, trying to crack the dongle itself is not my idea; I investigate the software implementation of it, and I am sure a shell is not very secure.
No dongle is secure, because the API needs to be strongly encrypted, and even then, with a dongle and a memory dump we get very far.

If I see the byte representation of the dongle protection

Nice days, and don't hack the Christmas tree.

kees

kees58
December 30th, 2014, 06:53
Hi all

I hope all is well. Because we are snowed in by a big snowfall, I stayed home over Christmas and searched all the Rockey4 dongle inputs and the original dongle.
I have seen that the dongle and the software itself calculate a code, which is calculated back to byte and word. It works like a bank card: every time the program
is restarted it generates a new seed, so emulating it is not easy, but getting it hardcoded in the software is. However I am not yet good enough to do it right; some things
I got to work, others not, but it is a learning process.

I have made a dongle dump; here it is, so you can see things. I have not yet played with dumps, because I hardcoded.

The dongle is indeed a Rockey 4, serial 19730; it is fun to hardcode it, but it needs some more assembler knowledge.

regards

kees

FoxB
December 30th, 2014, 09:14
This dongle uses functions like FN_RY_CALCULATE, FN_RY_SEED, FN_RY_FIND, FN_RY_READ, FN_RY_OPEN, FN_RY_FIND_NEXT.

kees58
December 30th, 2014, 15:14
Quote:
[Originally Posted by FoxB;96818]This dongle uses functions like FN_RY_CALCULATE, FN_RY_SEED, FN_RY_FIND, FN_RY_READ, FN_RY_OPEN, FN_RY_FIND_NEXT.


Nice, eh. This I thought also, but the software is still weak; everything is calculated back to bytes to make the menus work, which it already does for the most part...

Here I see the key read in, and every loop changes it. Why, when it is so powerful, is the software still so easy to crack? Maybe a stupid question,
because you know that already. As you see in the extra editions, that big number is not really OK; it is the serial instead, haha, fun fun..

[attachment 2978]

Here some decompile info, from IDR.exe

[attachment 2980]

Here you can see where it ends, just some bytes like in the old days. However it is not always that way; getting it on air is more difficult, and a
menu does not load completely, but you know why: I do not have all the inputs; the activations I have done without the key.

Have a happy New Year; I hope the info is interesting.

kees

kees58
January 3rd, 2015, 11:55
Hi Guys


All a happy New Year, and happiness and health.

I have a question.

Assembler code: I am not as good in calculation, so I ask you what it does.

mov eax, some code; I have AF, the outcome is 3.
shr eax,6 (shift bytes to the right) (divide).
and al,3 (clear bits?)
mov byte ptr [ebx+48],al some byte, and this outcome needs to be 4.

I need some more reading on assembler, or a good assembler to test this kind of thing.

However I have found all the keys and have hardcoded them; now it gives the same as with a Rockey4
but without the dongle, nice.

regards

FoxB
January 3rd, 2015, 12:19
You try to recover the user algo?

kees58
January 3rd, 2015, 15:22
Quote:
[Originally Posted by FoxB;96826]You try to recover the user algo?


Well, as this is a user algo, then it is very breakable..

The program is not encrypted, because I found API calls. I have nopped the dongle USB call
and mov'd a 1 into eax, so the dongle is always there, and investigated what came out before I nopped it. Don't
be freaked out: it does many calls; every module makes its own code. It looks pretty safe, but no, the programmer
was very lazy...

The program has modules and a time; I have changed that to 2053, haha; when I set the program to
2014 it says license ended.

This is part of the code.

00AEB6A0 mov word ptr [ebx+144],cx; TKeyCheck.?f144:word
00AEB6A7 cmp word ptr [ebx+140],0; TKeyCheck.?f140:word
>00AEB6AF jne 00AEBA99
00AEB6B5 mov eax,dword ptr [ebx+158]; TKeyCheck.?f158:dword -- I put in 2030a; for the dongle serial it gives my serial
00AEB6BB mov dword ptr [ebx+34],eax; TKeyCheck.SerialNumber:Integer -- puts the 2030a address somewhere
00AEB6BE movsx eax,word ptr [ebx+162]; TKeyCheck.?f162:word -- I put in 12; gives 18 days left, always.
00AEB6C5 mov dword ptr [ebx+38],eax; TKeyCheck.DaysLeft:Integer -- puts 12 in somewhere
00AEB6C8 lea edx,[ebx+190]; TKeyCheck.?f190:?
00AEB6CE lea eax,[ebx+183]; TKeyCheck.?f183:?
00AEB6D4 mov ecx,8
00AEB6D9 call Move
00AEB6DE cmp byte ptr [ebx+7D],1; TKeyCheck.?f7D:byte
>00AEB6E2 jne 00AEB7DF
00AEB6E8 movzx eax,byte ptr [ebx+17C]; TKeyCheck.?f17C:byte -- I put 83 here because it gets this from the dongle
00AEB6EF shr eax,2
00AEB6F2 and eax,1
00AEB6F5 cmp eax,1
00AEB6F8 sete al -- some calculation to get a 1, but when I nop everything from aeb6e8 to aeb6f8 and put mov ax,2 here, I get the module activated, here 2 (two channels).
00AEB6FB xor ecx,ecx
00AEB6FD mov edx,2
00AEB702 call IfThen
00AEB707 mov byte ptr [ebx+51],al; TKeyCheck.VoiceTracks:Integer -- gives two channels now
00AEB70A movzx eax,byte ptr [ebx+17C]; TKeyCheck.?f17C:byte -- from the dongle; byte AF did activate it.
00AEB711 shr eax,2
00AEB714 and al,1
00AEB716 mov byte ptr [ebx+4A],al; TKeyCheck.MixEditor:byte
00AEB719 mov byte ptr [ebx+47],1; TKeyCheck.HDRecorder:Byte
00AEB71D movzx eax,byte ptr [ebx+17B]; TKeyCheck.?f17B:byte
00AEB724 shr eax,4
00AEB727 and al,3
00AEB729 mov byte ptr [ebx+48],al; TKeyCheck.JingleMachine:byte
00AEB72C mov word ptr [ebx+42],270F; TKeyCheck.CDDragers:word
00AEB732 movzx eax,byte ptr [ebx+17B]; TKeyCheck.?f17B:byte

It was so simple to get that stuff broken, except the dongle? Maybe an envelope was a better way to hide the API?

OK, this program goes back to bytes.

For example this part

00AEB70A movzx eax,byte ptr [ebx+17C]; TKeyCheck.?f17C:byte -- from the dongle; byte AF did activate it.
00AEB711 shr eax,2
00AEB714 and al,1
00AEB716 mov byte ptr [ebx+4A],al; TKeyCheck.MixEditor:byte
00AEB719 mov byte ptr [ebx+47],1; TKeyCheck.HDRecorder:Byte

I can simply do this to activate it.

00AEB70A movzx eax,byte ptr [ebx+17C]; TKeyCheck.?f17C:byte -- from the dongle; byte AF did activate it.
00AEB711 mov al,1
00AEB714 nop
00AEB716 mov byte ptr [ebx+4A],al; TKeyCheck.MixEditor:byte
00AEB719 mov byte ptr [ebx+47],1; TKeyCheck.HDRecorder:Byte

But I like to play a little with it, and so I want to know how shr and and work, so I am reading some lectures about assembler.

I do know this: the program is totally cracked, and I am not really experienced, and this for a Rockey 4 dongle.

The Rockey recalculates every time the program starts; it looks like a movie channel that has a plastic that does this every 15 minutes or so.

I am a little stunned about how the program is written. I do not attack the dongle but the program; however I did go quite deep here.

Thanks to IDR.exe from crypto, which gave me the information; but also without it, with some more time, I would have done it.

The program is full of keycheck calls, but I have most of them inactive now.

regards

kees
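
The shr/and question in the January 3rd post and the TKeyCheck listing above come down to one mechanism: a shift followed by an and-mask pulls a small bit-field out of a packed byte. The following C program is an added example for readers of the thread; it is not from the thread, the program or the dongle vendor. It implements that decode generically and mirrors the two field positions visible in the listing (bit 2 of the byte at [ebx+17C], bits 4 and 5 of the byte at [ebx+17B]). The function names are mine, the field labels follow the TKeyCheck names shown by IDR, the 0xAF sample byte is the value mentioned in the thread, and every other value is constructed. It also shows why and al,3 after any shift can only produce 0..3.

```c
#include <stdint.h>
#include <stdio.h>

/* Added example (not from the thread): decode a packed feature byte the way
 * the listing's shr/and sequences do. Field positions mirror the posted
 * disassembly; the function names and sample values are constructed. */

/* Generic shift-and-mask: `shr eax, shift` then `and al, (1 << width) - 1`.
 * A field of `width` bits can hold at most (1 << width) - 1. */
static unsigned extract_field(uint8_t value, unsigned shift, unsigned width)
{
    unsigned mask = (1u << width) - 1u;
    return ((unsigned)value >> shift) & mask;
}

/* Mirrors:  movzx eax, byte ptr [ebx+17C] ; shr eax,2 ; and al,1
 * (stored to TKeyCheck.MixEditor in the listing) */
unsigned decode_mix_editor(uint8_t b17c)
{
    return extract_field(b17c, 2, 1);   /* one bit: 0 or 1 */
}

/* Mirrors:  movzx eax, byte ptr [ebx+17B] ; shr eax,4 ; and al,3
 * (stored to TKeyCheck.JingleMachine in the listing) */
unsigned decode_jingle_machine(uint8_t b17b)
{
    return extract_field(b17b, 4, 2);   /* two bits: 0..3 */
}

/* The exact sequence asked about in the thread: shr eax,6 ; and al,3.
 * Only two bits survive the mask, so the result is always in 0..3. */
unsigned shr6_and3(uint8_t value)
{
    return extract_field(value, 6, 2);
}

/* Prints the intermediate values of one extraction, the same numbers a
 * debugger would show in eax after the shr and after the and. */
void trace_extract(uint8_t value, unsigned shift, unsigned width)
{
    unsigned shifted = (unsigned)value >> shift;
    unsigned mask = (1u << width) - 1u;
    printf("value=0x%02X  shr %u -> 0x%02X  and 0x%X -> %u\n",
           value, shift, shifted, mask, shifted & mask);
}

int main(void)
{
    uint8_t sample = 0xAF;  /* constructed: the byte value mentioned in the thread */
    trace_extract(sample, 2, 1);   /* 0xAF -> 0x2B -> 1 */
    trace_extract(sample, 4, 2);   /* 0xAF -> 0x0A -> 2 */
    trace_extract(sample, 6, 2);   /* 0xAF -> 0x02 -> 2 */
    printf("MixEditor=%u JingleMachine=%u\n",
           decode_mix_editor(sample), decode_jingle_machine(sample));
    return 0;
}
```

Reading the trace next to the listing: shr discards the low bits so the wanted field sits at bit 0, and the and clears everything above it, so the width of the mask, not the shift, bounds the result.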

kees58
January 9th, 2015, 14:50
Quote:
[Originally Posted by FoxB;96826]You try to recover the user algo?



Well, I have broken the whole program; I partly emulate the dongle input part as far as date, days left and serial are concerned, and
code it in the program..

I patched the rest. I was surprised how weak this program is, not the dongle; just the old "not zero then jump bad guy" thing,
and this in 2015!!

I can do everything with it, but it was a search challenge; I think without IDR it would have been very much work to find.

One thing is not done: the date for upgrading is still 30-12-1899; the other is 2053, so much time left.

All modules are active; to make one active I did just one jmp goodguy.

Unbelievably weakly programmed; 24 patches were enough to get everything working, including the emulation part....

regards

kees