Hardlock question
prt
August 1st, 2003, 05:30
How can I emulate the HL_CODE of hardlock dongle?
tgodd
August 1st, 2003, 07:26
In order to emulate the HL_Code you must:
1) create a table of responses from the lock device.
2) emulate the logic of the device.
The first possibility is more likely the only way to go for almost anyone.
The second possibility is only possible if you can read out the 48-bit algo seed. The technology to read these seeds is still quite well protected by the authors.
So build a logger and generate a response table.
sapu
December 12th, 2003, 15:03
Using a table of responses from the lock device could be easy to implement for older wrappers only.
Newer wrapper versions have protections against this technique, like scrambling the data exchanged with the driver, sending some 'random' decrypt queries and comparing the answers with a hardcoded 256-value table, or just sending a 'fake' decrypt query without checking the answer.
Of course, the sad thing about all these new protections is that they can also be easily bypassed without needing to know anything about the scrambling mechanism used, and without recording the real/fake 'random' decrypt queries.
I already made something like it work: just replacing a DLL name in the target program with mine, and running the program once with the original key (to create the response table); from then on, the program starts without any more no-key problems...
sope
December 13th, 2003, 02:39
Hello sapu,
I am interested in knowing how you create a response table for Hardlock.
Also, I would like to get clarified what a response table means: good values from the dongle memory, or good values from the Hardlock algorithm which is stored somewhere in memory, which you log and then emulate via your own .dll? Is that the way of logging, or is it something else?
Can you give an example of table logging, or some part of the code where the table is and what part you think is good for logging?
Hope it's not too much...
Regards, Sope.
sapu
December 17th, 2003, 04:34
To use a response table, you'll need to intercept the DeviceIoControl call, check the function code, and replace the data with the expected values in the answer.
About how to check whether the data to decrypt is from the initial hardcoded table, a random value, or from the program to decrypt, just do a memory scan:
- if the data is in the .protect section, the answer is 2Kb below (the table is 256x8 requests followed by 256x8 answers, and is stored unencrypted).
- if the data is in the .code section (typically starting from address 0x00401008, with a fixed 2Kb increment on subsequent messages), it's the program to decrypt (and you'll need to put back the right saved values)
- if no data is found, it's a random value (return what you want, the answer is ignored)
Of course, to do this you'll first need to find a way to access the 'unscrambled' API data structure (just follow the stack until the data is unencrypted from the low-level driver access functions).
I'll send you more info to your private email address: if you find it useful, let me know...
cRk
March 3rd, 2004, 01:29
sope & sapu, aren't you family?

Would you please send me this info by private message as well... I'm interested in this too...
Regards
nikita@work
March 26th, 2004, 18:48
Quote:
[Originally Posted by sapu]- if the data is in the .protect section, the answer 2Kb below (the table is a 256x8 requests followed by a 256x8 answers, and is stored unencrypted).
You are wrong a little.

There is a "magic" dword in the envelope....
The way to check each 8 bytes depends on this dword.
It can be set to a value so all checks will be software only;
see the hlcwin32.exe utility option.
souz
March 20th, 2005, 01:25
Quote:
[Originally Posted by nikita@work]you are wrong a little 
there is a "magic" dword in envelope....
the way how to check each 8 bytes depends on this dword.
But how can I find the starting offset of the table? I need to determine its size before searching...
Is some fixed offset used?
souz
April 1st, 2005, 02:12
Can anyone tell me something about the ADP (Automatic Data Protection) in the envelope?
How can I pass its checks? All other functions are working correctly. Please help.
kooolguy
April 24th, 2005, 00:25
hi,
Even I am looking for a Hardlock emulator or duplicate Hardlock (USB). Can anyone help me out?
Thanks in advance
JMI
April 24th, 2005, 02:21
What you NEED is to read the damn FAQ, particularly the section about NOT asking for the Tools of the Trade. Pay attention or go away.
Regards,
kooolguy
April 25th, 2005, 06:50
Sorry about that