
Hardlock dongle, locking up SoftIce (with Windows hang)


cyco2
November 14th, 2002, 09:43
Hello,

Sorry I start my first post with a question. I must say I searched through this forum for a while, and unfortunately I couldn't find an answer. Thank you for trying to help me.

I got a program; it is protected with a Hardlock key. Atm I don't have the Hardlock key here, but if I need it I can arrange it (or at least a dump of it). Can I use those "emulator-software" dumpers? Or will it only dump in such a way that only the company who supplied it can make sense of it?

Now to the program itself. I was trying to run it without a dongle... and what do u think I got... the famous message:

------------------------------------------
"Error 7 : Hardlock not found."
------------------------------------------

I think it is pretty clear now by what dongle it is protected. I looked at the sections; it contains a ".Protect" section, and the Entry Point is pointing to somewhere in that section. BUT, when I start SoftICE on my Win2k machine and try to re-run the program, my computer hangs. I tried tools to hide SI, but well, under NT there aren't many that can. So I installed Win98 on some other computer, started up there clean, and installed the program. Same msg box; after installing SI, it hangs ALSO. Now I tried FrogsIce; it gave me 2 places with SoftICE detection. When I press Yes in both places in FrogsIce's blue screen, the program crashes somewhere in hardlock.vxd...!?!

Is there a standard procedure for Hardlock? Is what I describe normal, or is this some kind of custom implementation by the coder?

I read somewhere on the Inet that Hardlock uses 3 SoftICE detections: the CreateFileA method and some others. How can I defeat them all?

Sorry, but I really will stop asking now hehehe :P, but my last question is: how can I see clearly if the program is encrypted? I can disassemble it and see lots of string references; normally I should say no, but well, I don't have too much experience with all this.

Thanx a lot for reading. I hope somebody can help me out.

Goofy
[FreeStylers]

esther
November 14th, 2002, 11:40
Hi,
I assume you have read the FAQ.
On the main page of the Rce messageboards Regroupment there's a link which has lots of info on dongles: CrackZ Archive.

cyco2
November 14th, 2002, 12:46
Hmm, yes... but well, of course I cannot say I read ALL the tutorials, but the ones I could find about Hardlock aren't telling me how to defeat the anti-SoftICE thingy. Please correct me if I'm wrong, and better, present a link which could help me then.

Thanx again.

tgodd
November 14th, 2002, 13:29
Hardlock is not a nice target for a newbie.

Regardless of how many tutorials he reads.

Hardlock will play with the DR7 register as well as the debug registers.

You have to find the place in the driver and patch them out.

Unfortunately, I am unable to help you any further with this.

The readers out there typically will just build a big table, which then gets used to calculate the 3 16-bit numbers used by the algo unit. These numbers are NOT held in the serial EEPROM.

Regards,

TGODD

Manko
November 14th, 2002, 13:43
Anti-anti-SoftICE info for W2k (NT) was recently discussed here and the solutions are ready for deployment... You just have to search...

If you don't have the same version of SIce, there are hints to older threads that contain the info you need to work it out yourself...

It is not always so that every aspect of a crack is addressed in a tut. So you have to search for info on that separately...

Good Luck!
/Manko

cyco2
November 14th, 2002, 14:15
I understand what you are all saying, though I read all the tutorials that have the word Hardlock in them (that were found by Google). I'm still doing my best. I understand that there are various ways for SoftICE detection; I will just try some more.

But how can I be sure the program "needs" a dongle for decrypting? Is it encrypted when the EP is pointing to the .Protect code, or does this mean nothing?

Anyway, I'm very pleased with the help of ya ppl here.

UrgeOverKill
November 15th, 2002, 02:54
Hi Cyco2,

If you do a search on this board with the term Hardlock, you will find 18 possibilities with your answer, and as I searched through them I found many threads that will lead you toward your answer.

cyco2
November 15th, 2002, 08:40
Well, I'm sorry people, I may be very green and new to this forum (and understand / accept ppl are bitching at newbies), but I'm not new to cracking. I keygenned a lot, though I must say dongles are quite new for me. I did a search, yes, but please don't tell me all the posts contain answers for me. But then I understand: I'm new, so why spend time.

Sorry to ask these questions; I guess u ppl should ignore them. Though if you are a nice guy and you want to help a fellow cracker out, respond here then please, with some information that is more useful than:

Look in search etc.

I really did look in them.

Well anyway, if some1 needs help on keygenning, drop me a line. I AM willing to help.

PS. Of course I'm pleased by the responses I got from ppl that tried to help me; please don't feel offended.

cyco2
November 15th, 2002, 20:07
g00d... I did some more research.

The program is protected with HL-CRYPT.
Thanx to "nikolatesla20" (anti-anti-SI patches) I got rid of the SoftICE hang in Win2k, though somewhere SI is still detected. I now get this error:

---------------------------
Hardlock Protection System
---------------------------
Error 1003 : Internal Error.
---------------------------
OK
---------------------------

I guess it is another anti-debugger check. I was reading all the tutorials, and HL-CRYPT isn't possible to solve without a dongle. Well, I could arrange a dump of the dongle. But is this enough? Is there any1 who did some HL-CRYPT analysis? I'm willing to write a big tutorial on how I do this crack. I hope I can get some support.

Sorry about my bitching earlier, just got frustrated from reb00ting hehehe.

Thanx ppz...

cyco2
November 15th, 2002, 22:17
Alright, I found some more interesting stuff...
The Int 3 check, I think... look here:

00AEFEDB 93 XCHG EAX,EBX
00AEFEDC 8ADB MOV BL,BL
00AEFEDE CC INT3 <== This is some kind of bastard
00AEFEDF 0F85 70040000 JNZ 00AF0355 <== Jumps here

The registers had the following values:
ESI = 00004647
EDI = 00004A4D

From CrackZ's page I saw this:
--------------------------------------------------------
:? 4647
00004647 0000017991 "FG" <-- Magic Val. 1.
:? 4A4D
00004A4D 0000019021 "JM" <-- Magic Val. 2.

28F1:0092 MOV SI,4647
28F1:0095 MOV DI,4A4D
28F1:0098 PUSH CS
28F1:0099 POP DS
28F1:009A MOV AX,0911h <-- Function 0911.
28F1:009D MOV DX,000Eh <-- Points at null-terminated command (in this case HBOOT).
28F1:00A0 INT 3 <-- Call Interrupt.
--------------------------------------------------------

Well, should I just NOP that INT 3 instruction?

When I do, it goes further for a while... jumping from jmp to jns to jmp etc.,
but anyway after a while it will enter the NTDLL module, and after running this code

77F83789 > B8 1C000000 MOV EAX,1C
77F8378E 8D5424 04 LEA EDX,DWORD PTR SS:[ESP+4]
77F83792 CD 2E INT 2E

it will jump to the next instruction.

00AEE72A 0000 ADD BYTE PTR DS:[EAX],AL
00AEE72C 0000 ADD BYTE PTR DS:[EAX],AL
00AEE72E 0000 ADD BYTE PTR DS:[EAX],AL
00AEE730 60 PUSHAD
00AEE731 8BC9 MOV ECX,ECX
00AEE733 E6 C1 OUT 0C1,AL <======= It suddenly starts here, but crashes on the instruction
00AEE735 50 PUSH EAX
00AEE736 77 66 JA SHORT 00AEE79E
00AEE738 47 INC EDI

After crash I get this message box:

---------------------------
sttwin.original.exe - Application Error
---------------------------
The exception Privileged instruction.

(0xc0000096) occurred in the application at location 0x00aee733.


Click on OK to terminate the program
Click on CANCEL to debug the program
---------------------------
OK Cancel
---------------------------

Well, I really don't have a clue... how to track this all down.

[*EDIT*]

Some more information. This is from Win98SE.
Btw.... FrogsIce tells me this:
------------------------------------------------------
=> Sttwin
** SOFTICE DETECTION ** code 0B, at cs:00AFA1EA
Attempting to load: SIWVID (string ref at cs:00D2FBC4)

=> Sttwin
** SOFTICE DETECTION ** code 02, at 0167:00AEFEDE
Interrupt:03h eax=40128300h ebx=49B80C01h ecx=00000DF0h
edx=00AF11D0h >esi=00004647h >edi=00004A4Dh ebp=00D2FB40h

SEH proc address at cs:7FC39E61
------------------------------------------------------

Then the program crashes on an instruction in the Hardlock VXD.
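As an added example, not code from this thread, from FrogsIce or from the Hardlock vendor: a small Python parser for the two artifacts quoted in this post, the FrogsIce detection log (module, detection code, trap number, register dump, SEH handler address) and the Windows "Application Error" dialog, plus a decoder that splits the exception code 0xC0000096 into the documented NTSTATUS bit fields. It assumes the log layout exactly as posted, treats the `>` prefix before esi/edi as FrogsIce's marker for the registers it considered relevant (an assumption), and the sample text is constructed from the lines above; the NTSTATUS names in the lookup are the official SDK names for those codes.

```python
# Added example (not from the thread): structure the FrogsIce log and the
# Application Error dialog quoted above, and decode the NTSTATUS they report.
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample input, copied from the text posted above.
SAMPLE_LOG = """\
=> Sttwin
** SOFTICE DETECTION ** code 0B, at cs:00AFA1EA
Attempting to load: SIWVID (string ref at cs:00D2FBC4)

=> Sttwin
** SOFTICE DETECTION ** code 02, at 0167:00AEFEDE
Interrupt:03h eax=40128300h ebx=49B80C01h ecx=00000DF0h
edx=00AF11D0h >esi=00004647h >edi=00004A4Dh ebp=00D2FB40h

SEH proc address at cs:7FC39E61
"""

SAMPLE_DIALOG = """\
sttwin.original.exe - Application Error
The exception Privileged instruction.
(0xc0000096) occurred in the application at location 0x00aee733.
"""

MODULE_RE = re.compile(r"^=> (\S+)")
DETECT_RE = re.compile(r"\*\* SOFTICE DETECTION \*\* code ([0-9A-Fa-f]+), at (\S+)")
LOAD_RE = re.compile(r"Attempting to load: (\S+)")
INT_RE = re.compile(r"Interrupt:([0-9A-Fa-f]+)h")
REG_RE = re.compile(r"(>?)(e[a-z]{2})=([0-9A-Fa-f]{8})h")
SEH_RE = re.compile(r"SEH proc address at (\S+)")
ERR_RE = re.compile(r"\(0x([0-9A-Fa-f]{8})\) occurred in the application at location 0x([0-9A-Fa-f]+)")

# NTSTATUS values a debugger user meets constantly; names are the SDK names.
KNOWN_STATUS = {
    0x80000003: "STATUS_BREAKPOINT",
    0x80000004: "STATUS_SINGLE_STEP",
    0xC0000005: "STATUS_ACCESS_VIOLATION",
    0xC0000096: "STATUS_PRIVILEGED_INSTRUCTION",
}
SEVERITY = {0: "success", 1: "informational", 2: "warning", 3: "error"}


@dataclass
class Detection:
    module: str
    code: Optional[int] = None
    address: Optional[str] = None
    interrupt: Optional[int] = None
    loads: List[str] = field(default_factory=list)
    registers: Dict[str, int] = field(default_factory=dict)
    # Registers FrogsIce prefixed with '>' (assumed to mean "relevant to the check").
    flagged: Set[str] = field(default_factory=set)
    seh_handler: Optional[str] = None


def parse_frogsice_log(text: str) -> List[Detection]:
    """One Detection per '=> module' block; register dumps may span several lines."""
    records: List[Detection] = []
    cur: Optional[Detection] = None
    for line in text.splitlines():
        m = MODULE_RE.match(line)
        if m:
            cur = Detection(module=m.group(1))
            records.append(cur)
            continue
        if cur is None:
            continue  # text before the first module header is ignored
        m = DETECT_RE.search(line)
        if m:
            cur.code = int(m.group(1), 16)
            cur.address = m.group(2)
        m = LOAD_RE.search(line)
        if m:
            cur.loads.append(m.group(1))
        m = SEH_RE.search(line)
        if m:
            cur.seh_handler = m.group(1)
        m = INT_RE.search(line)
        if m:
            cur.interrupt = int(m.group(1), 16)
        for flag, name, value in REG_RE.findall(line):
            cur.registers[name] = int(value, 16)
            if flag:
                cur.flagged.add(name)
    return records


def register_ascii(value: int) -> str:
    """Render a register value as the big-endian ASCII it spells (0x4647 -> 'FG')."""
    n = max(1, (value.bit_length() + 7) // 8)
    return value.to_bytes(n, "big").decode("ascii", errors="replace")


def decode_ntstatus(status: int) -> dict:
    """Split an NTSTATUS into severity (bits 31-30), customer bit (29),
    facility (27-16) and code (15-0), with the SDK name when known."""
    return {
        "severity": SEVERITY[(status >> 30) & 0x3],
        "customer": bool((status >> 29) & 1),
        "facility": (status >> 16) & 0xFFF,
        "code": status & 0xFFFF,
        "name": KNOWN_STATUS.get(status, "unknown"),
    }


def parse_app_error(text: str) -> Optional[Tuple[int, int]]:
    """Return (exception code, faulting address) from an Application Error dialog."""
    m = ERR_RE.search(text)
    return (int(m.group(1), 16), int(m.group(2), 16)) if m else None


if __name__ == "__main__":
    for rec in parse_frogsice_log(SAMPLE_LOG):
        print(rec.module, hex(rec.code), rec.address, rec.interrupt,
              {r: register_ascii(v) for r, v in rec.registers.items() if r in rec.flagged})
    print(parse_app_error(SAMPLE_DIALOG), decode_ntstatus(0xC0000096))
```

Run as a script it lists each detection with the ASCII spelled by the flagged registers ("FG" and "JM" for the second one, matching the magic values on CrackZ's page) and decodes the dialog's status to a severity-3 (error) code 0x96 with facility 0. Keeping the parsed records structured rather than reading the raw dump makes it easy to diff detection runs between the Win2k and Win98SE machines described in the thread.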