View Full Version : LaserLock 5 - Help !


Actlon
April 8th, 2002, 23:14
Hi - I've recently been playing with the LaserLock v5.00 protection scheme & have come up against a question:

Given a dumped version of a running target I've been able to get the translated API calls. I've also got the LaserLock dll (with the CallDLL export) for the target, and have located the info block followed by a list of RVAs with encrypted data indicating the correct API import.

Based on this I've discovered the encrypted data should be XORed with the key in the info block and then there is a secondary key. Given the 'answers' & the original data I have been able to determine the values, which seem to be applied in circular fashion - i.e.:

/* secondary key, applied in circular fashion (values recovered from the dump) */
long secondary_key[9] = { 0x8C01, 0x1A46, 0x978F,
                          0xF7AB, 0xA4C0, 0x7BF8,
                          0xAF42, 0x60B5, 0xAB2E };

long primary_key = /*what ever it is*/;   /* the key stored in the info block */

/* encrypt_data[] and rva[] are the numCalls entries that follow the info block;
   data[] is the dumped image, indexed by RVA */
for (int i = 0; i < numCalls; i++) {
    long x = ( encrypt_data[i] ^ primary_key ) ^ secondary_key[i % 9];
    data[ rva[i] - 4 ] = x;
}

These values have come from Worms World Party - the question is: are the secondary keys fixed for the version of LaserLock, or are they either tabulated somewhere (& specific to WWP) or algorithmically determined? Can anyone help me - thanks!
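The two-stage XOR described in the post, modelled as an added example (not code from the thread): the secondary key values are the ones quoted above, while PRIMARY_KEY and the "answer" addresses are constructed placeholders. It shows why such a scheme gives no real secrecy: with a handful of known decoded entries, the rotating keystream and its period fall straight out by XOR, whether or not the primary key is known.

```python
# Added example, not from the thread: models the two-stage XOR scheme described
# above. Secondary key values are the ones quoted in the post; PRIMARY_KEY and
# the "answer" addresses are constructed placeholders.

SECONDARY_KEY = [0x8C01, 0x1A46, 0x978F,
                 0xF7AB, 0xA4C0, 0x7BF8,
                 0xAF42, 0x60B5, 0xAB2E]
PRIMARY_KEY = 0x5A5A1234          # constructed; the real one sits in the info block
MASK = 0xFFFFFFFF                 # entries are 32-bit import addresses

def decode(encrypted, primary_key, secondary_key):
    """The routine from the post: XOR with the primary key, then with a rotating key."""
    n = len(secondary_key)
    return [((c ^ primary_key) ^ secondary_key[i % n]) & MASK
            for i, c in enumerate(encrypted)]

# XOR is its own inverse, so encoding is the same operation as decoding.
encode = decode

def recover_keystream(encrypted, known_plain, primary_key=0):
    """Known-plaintext recovery: keystream_i = c_i ^ p_i.
    With primary_key=0 this yields primary^secondary, which already suffices to
    decode further entries; passing the real primary key isolates the secondary key."""
    return [(c ^ primary_key ^ p) & MASK for c, p in zip(encrypted, known_plain)]

def keystream_period(stream, max_period=64):
    """Smallest p such that the stream repeats every p entries, or None."""
    for p in range(1, min(max_period, len(stream)) + 1):
        if all(stream[i] == stream[i % p] for i in range(len(stream))):
            return p
    return None

def demo():
    # Constructed "answers": resolved import addresses for 27 calls.
    answers = [0x7C801000 + 0x10 * i for i in range(27)]
    table = encode(answers, PRIMARY_KEY, SECONDARY_KEY)   # what sits after the info block
    stream = recover_keystream(table, answers, PRIMARY_KEY)
    period = keystream_period(stream)
    assert decode(table, PRIMARY_KEY, SECONDARY_KEY) == answers
    return period, stream[:period]

if __name__ == "__main__":
    print(demo())
```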

crUsAdEr
April 8th, 2002, 23:52
Hi,

Why don't you just get another LaserLock product and look into it.. you should be able to decide whether the secondary key is fixed or not...

Cheers,

[NtSC]
April 9th, 2002, 17:16
Worms World Party was some non-standard LaserLock...
Parts of the Exe have been encrypted..
To resolve your Exe just collect all [Call Laserlock] addresses
in the code section and code some rebuilder for it..
but beware of the mofo checksum..

A way not to tamper with that (it's what I used in my dumper):

append a call fixer to the file, redirect the OEP to your call_fixer
and fix the calls to the Laserlock.dll....
Afterwards you dump the code section to disc + replace it with the original one.
There was finally also some pointer which had to be recognized,
to know if the Instruction_Opcode of the original caller has to be fixed.

And finally.. There was 1 byte which had to be set to
remove the ability to need a CD..
Or more, overriding his API counter.

Mentioned for the first time by my nice friend r!sc, cheers ;-)

But yes, it works that way until the first Spenc version of LaserLock appears...

Another good tutorial on LaserLock is written by Gadix about
Messiah... Very informative, I appreciate it ;>

Until then,[NtSC]



Actlon
April 11th, 2002, 01:39
Thanks for the help

I was interested in trying to do this in a generic fashion without requiring a CD. I had a look at that Spanish tut - I don't speak Spanish, but to me it looked as if the guy was trying to collect the references by hacking & needing a CD initially.

Is there any other info out there on the web? I currently can't find any more apps using LaserLock 5....but currently I'm not at home. Does anyone have any ideas of apps/games etc. using LL that I can get hold of easily...even just the LL dll & main exe?

thanks!

ThrawN
April 11th, 2002, 10:36
This kind of thing really interests me. Using the CD to understand and remove a commercial protection such as cdilla2 and LaserLock.
Most of understanding how it works comes from this, but when someone writes a tutorial nowadays they seem to write it based on having the original CD (thus the actual program is doing half the work for you, you only need to alter, dump and do some small things here and there).
No one seems to care to actually explain the protection 100% without a CD (which is what we all want to do anyhow, yeah?)

Just some stupid food for thought..