How can I emulate the HL_CODE of hardlock dongle?

In order to emulate the HL_Code you must :

1) create a table of responses from the lock device.

2) emulate the logic of the device.

the first possibility is more likely the only way to go for almost anyone.

The second possibility is only possible if you can read out the 48Bit Algo Seed. The technology to read these seeds is still quite well protected by the authors.

So build a logger and generate a response table.

Using a table of responses from the lock device could be easy to implement for older wrappers only.
Newer wapper versions have protections against this techniques, like scrambling the data exchanged with the driver, and sending some 'random' decrypt queries and comparing the answers with an hardcoded 256-values table or just sending a 'fake' decrypt query without checking the answer.
Of course, the sad of all this kind of new protections is than there could be easily bypassed also without needing to known anything about the scrambling mechanism used, and without recording the real/fake 'random' decrypt queries.
I already made a something like it working: just replacing a dll name on the target program with mine, and running the program once with the original key (to create the response table); from now, the program starts without any more no-key problem...

Hello sapu,

I am interested in knowing how you create response table for hardlock.

Also i would like to get myself clarified response table does it mean good values from the dongle memory or good values from hardlock algorithm which is stored somewhere in memory which you log it down & then emulate it via your own .dll Is that the way of logging or its something else.

Can you give example of table logging or some part of the code where the table is and what part you think is good for logging.

Hope its not too much...

Regards, Sope.

To use a response table, you'll need the intercept the DeviceIoControl call, check the function code, and replace the data with the espected values on the answer.
About how to check if the data to decrypt is from the initial hardcoded table, a random value, or from the program to decrypt, just do a memory scan:
- if the data is in the .protect section, the answer 2Kb below (the table is a 256x8 requests followed by a 256x8 answers, and is stored unencrypted).
- if the data is in the .code section (typically starting from address 0x00401008, with a fixed 2Kb increment on next messages), it's the program to decrypt (and you'll need to put back the right saved values)
- if no data found, it's a random value (return what you want, the answer is ignored)
Of course, to do it you'll need first to find a way to access the 'unscrambled' api data structure (just follow the stack until the data is unencrypted from the low-level drive access functions).
I'll send you more info to your private email address: if you find them useful, let me known...

sope & sapu aren't you family? would you please send me this info. on private message as well.. i'm insterested about this too...

Regards

you are wrong a little
there is a "magic" dword in envelope....
the way how to check each 8 bytes depends on this dword.

it can be set to value so all checks will be software only

see hlcwin32.exe utility option

but how can i find the starting offset of the table, and i need to determine it's size before searching...
is some fixed offes is used?

Can anyone tell me something about the ADP - Automatic Data Protection in envelope.
How can i pass it's checks? All other functions is working correctly. Please help.

hi,
Even I am looking for Hardlock Emulator or duplicate hardlock (USB). Can anyone help me out?
Thanx in advance

What you NEED is to read the damn FAQ, particularily the section about NOT asking for the Tools of the Trade. Pay attention or go away.

Regards,

Sorry About that