HardLock Envelope unpacking (WITH dongle) [Archive]

View Full Version : HardLock Envelope unpacking (WITH dongle)

fritzFS

August 6th, 2006, 12:05

Hello,

as the title says, I am trying to unpack a hardlock envelope.

Yes, I have read the posts on this forum related to hardlock/envelope/hasp.

Tools: OllyDbg, OllyDump.

Target executable file has .text, .rdata, .data, .rsrc and .protect section.
(LordPE SS: hxxp://img358.imageshack.us/img358/5697/lordpe1jc4.jpg)

Things I've done so far:
1. plug the dongle
2. opened the target with ollydbg
3. set a breakpoint on new thread (ollydbg: options->debugging options->events)
OEP is starting within a new created thread ...
4. ollydbg breaks here:

Code:



7C810856   33ED             XOR EBP,EBP --> HERE

7C810858   53               PUSH EBX

7C810859   50               PUSH EAX

7C81085A   6A 00            PUSH 0

7C81085C  ^E9 73ACFFFF      JMP kernel32.7C80B4D4



7C80B4D4   6A 10            PUSH 10 --> HERE

7C80B4D6   68 18B5807C      PUSH kernel32.7C80B518

7C80B4DB   E8 EB6FFFFF      CALL kernel32.7C8024CB

7C80B4E0   8365 FC 00       AND DWORD PTR SS:[EBP-4],0

7C80B4E4   64:A1 18000000   MOV EAX,DWORD PTR FS:[18]

7C80B4EA   8945 E0          MOV DWORD PTR SS:[EBP-20],EAX

7C80B4ED   8178 10 001E0000 CMP DWORD PTR DS:[EAX+10],1E00

7C80B4F4   75 0F            JNZ SHORT kernel32.7C80B505

7C80B4F6   803D 0830887C 00 CMP BYTE PTR DS:[7C883008],0

7C80B4FD   75 06            JNZ SHORT kernel32.7C80B505

7C80B4FF   FF15 E812807C    CALL DWORD PTR DS:[<&ntdll.CsrNewThread>>; ntdll.CsrNewThread

7C80B505   FF75 0C          PUSH DWORD PTR SS:[EBP+C]

7C80B508   FF55 08          CALL DWORD PTR SS:[EBP+8] -> OEP?

7C80B50B   50               PUSH EAX

7C80B50C   E8 98170000      CALL kernel32.ExitThread

In this disassembly we see the OEP:
7C80B508 FF55 08 CALL DWORD PTR SS:[EBP+8] ; XXXXXX.0046A630

So, our new start functions looks like:

Code:



0046A630  /. 55             PUSH EBP

0046A631  |. 8BEC           MOV EBP,ESP

0046A633  |. 6A FF          PUSH -1

0046A635  |. 68 40776500    PUSH XXXXXX.00657740

0046A63A  |. 68 E2D66000    PUSH XXXXXX.0060D6E2                   ;  JMP to MSVCR71._except_handler3; SE handler installation

0046A63F  |. 64:A1 00000000 MOV EAX,DWORD PTR FS:[0]

0046A645  |. 50             PUSH EAX

0046A646  |. 64:8925 000000>MOV DWORD PTR FS:[0],ESP

0046A64D  |. 81EC 18010000  SUB ESP,118

0046A653  |. 53             PUSH EBX

0046A654  |. 56             PUSH ESI

0046A655  |. 57             PUSH EDI

0046A656  |. 8965 E8        MOV DWORD PTR SS:[EBP-18],ESP

0046A659  |. 8B45 08        MOV EAX,DWORD PTR SS:[EBP+8] --> problem #1

0046A65C  |. 8B18           MOV EBX,DWORD PTR DS:[EAX]

0046A65E  |. 8B48 04        MOV ECX,DWORD PTR DS:[EAX+4]

0046A661  |. 894D E0        MOV DWORD PTR SS:[EBP-20],ECX

0046A664  |. 8B70 08        MOV ESI,DWORD PTR DS:[EAX+8]

0046A667  |. 50             PUSH EAX                                 ; /block

0046A668  |. 8B3D 78156300  MOV EDI,DWORD PTR DS:[631578]            ; |MSVCR71.free

0046A66E  |. FFD7           CALL EDI                                 ; \free

0046A670  |. 56             PUSH ESI                                 ; /src

0046A671  |. 8D95 D8FEFFFF  LEA EDX,DWORD PTR SS:[EBP-128]           ; |

0046A677  |. 52             PUSH EDX                                 ; |dest

0046A678  |. FF15 50156300  CALL DWORD PTR DS:[631550]               ; \wcscpy

0046A67E  |. 56             PUSH ESI

0046A67F  |. FFD7           CALL EDI

0046A681  |. 83C4 10        ADD ESP,10

0046A684  |. FF15 90116300  CALL DWORD PTR DS:[631190]               ; [GetCurrentThreadId

0046A68A  |. 8BF0           MOV ESI,EAX

0046A68C  |. 8975 E4        MOV DWORD PTR SS:[EBP-1C],ESI

0046A68F  |. 8D85 D8FEFFFF  LEA EAX,DWORD PTR SS:[EBP-128]

0046A695  |. 50             PUSH EAX                                 ; /Arg2

0046A696  |. 56             PUSH ESI                                 ; |Arg1

0046A697  |. E8 C4030000    CALL XXXXXX.0046AA60                   ; \XXXXXX.0046AA60

0046A69C  |. C745 FC 000000>MOV DWORD PTR SS:[EBP-4],0

0046A6A3  |. 8B4D E0        MOV ECX,DWORD PTR SS:[EBP-20]

0046A6A6  |. 51             PUSH ECX

0046A6A7  |. FFD3           CALL EBX

0046A6A9  |. 8BF8           MOV EDI,EAX

0046A6AB  |. 897D DC        MOV DWORD PTR SS:[EBP-24],EDI

0046A6AE  |. 56             PUSH ESI                                 ; /Arg1

0046A6AF  |. E8 3C040000    CALL XXXXXX.0046AAF0                   ; \XXXXXX.0046AAF0

0046A6B4  |. C745 FC FFFFFF>MOV DWORD PTR SS:[EBP-4],-1

0046A6BB  |. 8BC7           MOV EAX,EDI

0046A6BD  |. 8B4D F0        MOV ECX,DWORD PTR SS:[EBP-10]

0046A6C0  |. 64:890D 000000>MOV DWORD PTR FS:[0],ECX

0046A6C7  |. 5F             POP EDI

0046A6C8  |. 5E             POP ESI

0046A6C9  |. 5B             POP EBX

0046A6CA  |. 8BE5           MOV ESP,EBP

0046A6CC  |. 5D             POP EBP

0046A6CD  \. C2 0400        RETN 4

Anyway, when I get to this OEP (0046A630), I do next step:

5. Dump the file using OllyDump with OEP

Problem:

Of course, now I try to run the dumped executable file and it crashes.
The problem is with this new start function, some parameters are passed from the hardlock envelope decrypt when it finishes, that's marked as 'problem #1'.

Should I hardcode that value?
Replace it with :

Code:

0046A659  |. 8B45 08        MOV EAX,0x011CD488

Have anyone come across such hardlock envelope?

Thank you.

fritzFS

August 7th, 2006, 10:21

Seems like start of new thread wasn't an OEP.

I've discovered real OEP with the help of IDA, it is located at 0x60D35A.

I have dumped the process at new OEP, but still doesn't working, exe crashes.
Also, ImpRec isn't much helping since there are 2 invalid pointers left, and when I trace it, seems that protection isn't done yet:-(

OEP starts here:

Code:

0060D35A > $ 6A 74          PUSH 74

0060D35C   . 68 C0006700    PUSH dumped_h.006700C0

0060D361   . E8 22060000    CALL dumped_h.0060D988

0060D366   . 33FF           XOR EDI,EDI

0060D368   . 897D E0        MOV DWORD PTR SS:[EBP-20],EDI

0060D36B   . 57             PUSH EDI                                 ; /pModule => NULL

0060D36C   . 8B1D 58116300  MOV EBX,DWORD PTR DS:[631158]            ; |kernel32.GetModuleHandleA

0060D372   . FFD3           CALL EBX                                 ; \GetModuleHandleA

The problem lies here, this is a function that is called at the begging ...

Code:

0060DA9C  /. 55             PUSH EBP

0060DA9D  |. 8BEC           MOV EBP,ESP

0060DA9F  |. 83EC 10        SUB ESP,10

0060DAA2  |. A1 90746B00    MOV EAX,DWORD PTR DS:[6B7490]

0060DAA7  |. 85C0           TEST EAX,EAX

0060DAA9  |. 74 07          JE SHORT dumped_h.0060DAB2

0060DAAB  |. 3D 4EE640BB    CMP EAX,BB40E64E

0060DAB0  |. 75 4E          JNZ SHORT dumped_h.0060DB00

0060DAB2  |> 56             PUSH ESI

0060DAB3  |. 8D45 F8        LEA EAX,DWORD PTR SS:[EBP-8]

0060DAB6  |. 50             PUSH EAX                                 ; /pFileTime

0060DAB7  |. FF15 68116300  CALL DWORD PTR DS:[631168]               ; \GetSystemTimeAsFileTime

0060DABD  |. 8B75 FC        MOV ESI,DWORD PTR SS:[EBP-4]

0060DAC0  |. 3375 F8        XOR ESI,DWORD PTR SS:[EBP-8]

0060DAC3  |. FF15 3C116300  CALL DWORD PTR DS:[63113C]               ; [GetCurrentProcessId

0060DAC9  |. 33F0           XOR ESI,EAX

0060DACB  |. FF15 90116300  CALL DWORD PTR DS:[631190]               ; [GetCurrentThreadId

0060DAD1  |. 33F0           XOR ESI,EAX

0060DAD3  |. FF15 C4116300  CALL DWORD PTR DS:[6311C4]               ; [GetTickCount

0060DAD9  |. 33F0           XOR ESI,EAX

0060DADB  |. 8D45 F0        LEA EAX,DWORD PTR SS:[EBP-10]

0060DADE  |. 50             PUSH EAX

0060DADF  |. FF15 C8116300  CALL DWORD PTR DS:[6311C8] --> points to 1010968

0060DAE5  |. 8B45 F4        MOV EAX,DWORD PTR SS:[EBP-C]

0060DAE8  |. 3345 F0        XOR EAX,DWORD PTR SS:[EBP-10]

0060DAEB  |. 33F0           XOR ESI,EAX

0060DAED  |. 8935 90746B00  MOV DWORD PTR DS:[6B7490],ESI

0060DAF3  |. 75 0A          JNZ SHORT dumped_h.0060DAFF

0060DAF5  |. C705 90746B00 >MOV DWORD PTR DS:[6B7490],BB40E64E

0060DAFF  |> 5E             POP ESI

0060DB00  |> C9             LEAVE

0060DB01  \. C3             RETN

Address point in red is invalid (1010968). Seems that unpacker creates that memory block during the unpacking process and application uses this.

Anyway, this is the problem ... I've dumped that memory block with OllyDbg, seems like array of addresses or something like that.

Anyone?

naides

August 7th, 2006, 11:14

If you run the original app, with the dongle attached, and trace into:

0060DADF |. FF15 C8116300 CALL DWORD PTR DS:[6311C8] --> points to 1010968

call, where does it take you?

One thing I have found valuable is to trace the dumped and original apps (one in a virtual machine, the other in the host OS) IN PARALLEL finding smilarities and differences in the code flow.

Could you emulate the address table fillup routine that the unpacker places around 6311C8? at least do it manually with the debugger and see if it remedies the crash.

I think it was cyberheg who described reversing Hardlock protection as "peeling and onion".

fritzFS

August 7th, 2006, 13:46

naides,
thank you for your reply.

Code:

0060DADF  |. FF15 C8116300  CALL DWORD PTR DS:[6311C8] --> 01030968

btw, this is also the difference ...
with dongle, this is 01030968, without dongle 01010968.

anyway, here it goes:

Code:

01030968   E8 F1F383FF      CALL XXXXX.0086FD5E

0103096D   0000             ADD BYTE PTR DS:[EAX],AL

0103096F   00E8             ADD AL,CH

01030971  -E9 F383FF00      JMP 02028D69



0086FD5E   8ADB             MOV BL,BL

0086FD60   8AFF             MOV BH,BH

0086FD62   55               PUSH EBP

0086FD63   87F9             XCHG ECX,EDI

0086FD65   66:8BF6          MOV SI,SI

0086FD68   87CF             XCHG EDI,ECX

0086FD6A   8BEC             MOV EBP,ESP

0086FD6C   51               PUSH ECX

0086FD6D   53               PUSH EBX

0086FD6E   C0E7 20          SHL BH,20                                ; Shift constant out of range 1..31

0086FD71   EB FF            JMP SHORT XXXXX.0086FD72



0086FD72   FFF6             PUSH ESI

0086FD74   8D00             LEA EAX,DWORD PTR DS:[EAX]

0086FD76   EB FF            JMP SHORT XXXXX.0086FD77



0086FD77   FFF7             PUSH EDI

0086FD79   8BC0             MOV EAX,EAX

0086FD7B   60               PUSHAD

0086FD7C  ^0F81 F9D6FFFF    JNO XXXXX.0086D47B --> jump is taken

0086FD82   70 03            JO SHORT XXXXX.0086FD87

0086FD84   44               INC ESP

0086FD85   77 FF            JA SHORT XXXXX.0086FD86

0086FD87  ^0F80 EED6FFFF    JO XXXXX.0086D47B

0086FD8D   D8F4             FDIV ST,ST(4)

0086FD8F  ^0F85 A8D9FFFF    JNZ XXXXX.0086D73D

0086FD95   74 03            JE SHORT XXXXX.0086FD9A

0086FD97   93               XCHG EAX,EBX

0086FD98   7B 10            JPO SHORT XXXXX.0086FDAA

0086FD9A  ^0F84 9DD9FFFF    JE XXXXX.0086D73D

0086FDA0   25 DEE969E5      AND EAX,E569E9DE



0086D47B   8BED             MOV EBP,EBP

0086D47D   8B4424 34        MOV EAX,DWORD PTR SS:[ESP+34]

0086D481   0F88 3D040000    JS XXXXX.0086D8C4

0086D487   52               PUSH EDX

0086D488   5A               POP EDX

0086D489   79 03            JNS SHORT XXXXX.0086D48E --> jump is taken





0086D48E   0F89 30040000    JNS XXXXX.0086D8C4 --> jump is taken



0086D8C4   8D36             LEA ESI,DWORD PTR DS:[ESI]

0086D8C6   E8 BE420000      CALL XXXXX.00871B89

0086D8CB   D8FB             FDIVR ST,ST(3)

0086D8CD   68 24D08600      PUSH XXXXX.0086D024

0086D8D2   C3               RETN

...

So, as you can see ... this is it ... it goes back to the dongle (0086B ... -> .protect section)

naides

August 7th, 2006, 14:22

OK. I see. You are now tracing into heavily obfuscated code
starting at 0086FD5E, which you mention is located at the .protect section.

Provided the unpacking is done, the task now would be to emulate the answer(s) and tasks that these calls retrieve and perform so the app believes the dongle is attached.
I am less than the ideal person to give you further guidance (I certainly can suggest educated guesses and problem solving approaches) but perhaps CrackZ or cyberheg may read this postings and take a little pity on us

fritzFS

August 7th, 2006, 15:07

Naides,
but how can I just emulate those API's when the application (dumped) is crashing because of this unavailable memory (0x0103...) in dumped version?

Btw, I've analyzed the protection more, this time with TORO's great monitor by side.

During the unpacking process, the following calls to hardlock has been made:

HLM_LOGIN
HL_GETINF
HL_CRYPT (0xE function)
HL_CRYPT
...

Everything till OEP.
Starts with this address, somewhere inside it calls appears again:

Code:

0060DADF |. FF15 C8116300 CALL DWORD PTR DS:[6311C8] --> 01030968

Now, this calls :
HLM_LOGIN
HL_READ
HL_GETINF
...

And that's it ...

Only HL_GETINF is repeating while the application is running ...

JMI

August 7th, 2006, 15:34

fritzFS:

Please take the time to surround your code printouts with the following:

at the beginning, place; CODE (with [ ] around it)

and at the end, place /CODE also with [ ] around it. (I have to do it this way or it would create the box itself.

)

This will create a "codebox" with a thumbnail which will allow your posted code sections to be shorter on the actual page and, if the code output is wider than the normal page view (which yours are not), it will prevent the page from going beyond the normal width.

You can also use the edit button and go back and fix your previous posts in this Thread, or I will do it for you.

It just makes a long display of code neater and easier to read.

Thanks.

Regards,

fritzFS

August 7th, 2006, 15:40

JMI, thank you for the notice, I've updated them.

fritzFS

August 7th, 2006, 16:06

I have found the code section with dongle communication ...

Code:

005ED960  /$ 68 6C497F00    PUSH XXXXXXXX.007F496C

005ED965  |. 68 64497F00    PUSH XXXXXXXX.007F4964

005ED96A  |. 6A 01          PUSH 1

005ED96C  |. 68 685B0000    PUSH 5B68 --> MODAD

005ED971  |. E8 F3AB0100    CALL XXXXXXXX.00608569 --> HLM_LOGIN; failes

005ED976  |. 83C4 10        ADD ESP,10

005ED979  |. 66:85C0        TEST AX,AX

005ED97C  |. 75 12          JNZ SHORT XXXXXXXX.005ED990

005ED97E  |. E8 4DFCFFFF    CALL XXXXXXXX.005ED5D0

005ED983  |. 83F8 02        CMP EAX,2

005ED986  |. 75 08          JNZ SHORT XXXXXXXX.005ED990

005ED988  |. E8 2EA70100    CALL XXXXXXXX.006080BB

005ED98D  |. 33C0           XOR EAX,EAX

005ED98F  |. C3             RETN

005ED990  |> E8 26A70100    CALL XXXXXXXX.006080BB

005ED995  |. 56             PUSH ESI

005ED996  |. 68 6C497F00    PUSH XXXXXXXX.007F496C

005ED99B  |. 68 64497F00    PUSH XXXXXXXX.007F4964

005ED9A0  |. 6A 01          PUSH 1

005ED9A2  |. 68 735B0000    PUSH 5B73 --> MODAD

005ED9A7  |. E8 BDAB0100    CALL XXXXXXXX.00608569 --> HLM_LOGIN - OK

005ED9AC  |. 83C4 10        ADD ESP,10

005ED9AF  |. 66:85C0        TEST AX,AX

005ED9B2  |. 74 0C          JE SHORT XXXXXXXX.005ED9C0 --> Jump taken

005ED9B4  |. E8 02A70100    CALL XXXXXXXX.006080BB

005ED9B9  |. B8 02000000    MOV EAX,2

005ED9BE  |. 5E             POP ESI

005ED9BF  |. C3             RETN

005ED9C0  |> 8B7424 08      MOV ESI,DWORD PTR SS:[ESP+8]

005ED9C4  |. 68 B0308300    PUSH XXXXXXXX.008330B0

005ED9C9  |. 56             PUSH ESI

005ED9CA  |. E8 51FCFFFF    CALL XXXXXXXX.005ED620 --> HL_READ

005ED9CF  |. 83C4 08        ADD ESP,8

005ED9D2  |. 85C0           TEST EAX,EAX

005ED9D4  |. 74 11          JE SHORT XXXXXXXX.005ED9E7

005ED9D6  |. 833E 00        CMP DWORD PTR DS:[ESI],0

005ED9D9  |. 77 15          JA SHORT XXXXXXXX.005ED9F0 --> Jump taken

005ED9DB  |. E8 DBA60100    CALL XXXXXXXX.006080BB

005ED9E0  |. B8 03000000    MOV EAX,3

005ED9E5  |. 5E             POP ESI

005ED9E6  |. C3             RETN

005ED9E7  |> E8 D4FDFFFF    CALL XXXXXXXX.005ED7C0

005ED9EC  |. 85C0           TEST EAX,EAX

005ED9EE  |. 74 0C          JE SHORT XXXXXXXX.005ED9FC

005ED9F0  |> E8 C6A60100    CALL XXXXXXXX.006080BB --> HL_LOGOUT

005ED9F5  |. B8 01000000    MOV EAX,1

005ED9FA  |. 5E             POP ESI

005ED9FB  |. C3             RETN

005ED9FC  |> E8 BAA60100    CALL XXXXXXXX.006080BB

005EDA01  |. B8 04000000    MOV EAX,4

005EDA06  |. 5E             POP ESI

005EDA07  \. C3             RETN

naides

August 7th, 2006, 18:14

Questions:

Are these the only calls to CALL XXXXXXXX.00608569 --> HLM_LOGIN - OK

or are there more? and IDA dissasembly should tell you that, because you have to emulate each one of them, or modify the code at 608569 to return the right answers.

At least in this code snip, success appears to be signaled by placing 1 in eax and returning an "answer to the challenge" to the address [ebp + 8] which is indirected using ESI. If you look at whatever gets written to the address pointed by ESI at the instruction

005ED9D6 |. 833E 00 CMP DWORD PTR DS:[ESI],0

while the dongle is connected, and artificially write this value to that address in your dumped code, then make sure EAX return 1, you have emulated this dongle check ( at least this one).

fritzFS

August 7th, 2006, 18:37

Yes, there is more ... more beyond this call ...
Actually, it's too much to trace and monitor :-(

This is getting real hard and I'm loosing my focus ..

nikan

August 8th, 2006, 02:44

hi
if after using imprec, you have only 2 unresolved pointer, you must set them manually to getprocaddress and exitprocess function.

regards

fritzFS

August 8th, 2006, 12:34

Thank you everyone for your help ...

Hardlock envelope is gone (nikita, you rock!), now there is only HLM_LOGIN, HL_READ and HL_LOGOUT in application ...

Here it goes, what is left of Hardlock:

Code:



.text:005ED960 do_dongle_check proc near               ; CODE XREF: sub_49DA20+4Dp

.text:005ED960                                         ; sub_6017C0+56p

.text:005ED960

.text:005ED960 arg_0           = dword ptr  4

.text:005ED960

.text:005ED960                 push    offset unk_7F496C

.text:005ED965                 push    offset unk_7F4964

.text:005ED96A                 push    1

.text:005ED96C                 push    5B68h

.text:005ED971                 call    call_HLM_LOGIN

.text:005ED976                 add     esp, 10h

.text:005ED979                 test    ax, ax

.text:005ED97C                 jnz     short loc_5ED990

.text:005ED97E                 call    sub_5ED5D0

.text:005ED983                 cmp     eax, 2

.text:005ED986                 jnz     short loc_5ED990

.text:005ED988                 call    call_HL_LOGOUT

.text:005ED98D                 xor     eax, eax

.text:005ED98F                 retn

.text:005ED990 ; ���������������������������������������������������������������������������

.text:005ED990

.text:005ED990 loc_5ED990:                             ; CODE XREF: do_dongle_check+1Cj

.text:005ED990                                         ; do_dongle_check+26j

.text:005ED990                 call    call_HL_LOGOUT

.text:005ED995                 push    esi

.text:005ED996                 push    offset unk_7F496C

.text:005ED99B                 push    offset unk_7F4964

.text:005ED9A0                 push    1

.text:005ED9A2                 push    5B73h           ; my MODAD

.text:005ED9A7                 call    call_HLM_LOGIN

.text:005ED9AC                 add     esp, 10h

.text:005ED9AF                 test    ax, ax

.text:005ED9B2                 jz      short dongle_is_here

.text:005ED9B4                 call    call_HL_LOGOUT

.text:005ED9B9                 mov     eax, 2

.text:005ED9BE                 pop     esi

.text:005ED9BF                 retn

.text:005ED9C0 ; ���������������������������������������������������������������������������

.text:005ED9C0

.text:005ED9C0 dongle_is_here:                         ; CODE XREF: do_dongle_check+52j

.text:005ED9C0                 mov     esi, [esp+4+arg_0]

.text:005ED9C4                 push    offset unk_8330B0

.text:005ED9C9                 push    esi

.text:005ED9CA                 call    call_HL_READ

.text:005ED9CF                 add     esp, 8

.text:005ED9D2                 test    eax, eax

.text:005ED9D4                 jz      short failes

.text:005ED9D6                 cmp     dword ptr [esi], 0

.text:005ED9D9                 ja      short finish

.text:005ED9DB                 call    call_HL_LOGOUT

.text:005ED9E0                 mov     eax, 3

.text:005ED9E5                 pop     esi

.text:005ED9E6                 retn

.text:005ED9E7 ; ���������������������������������������������������������������������������

.text:005ED9E7

.text:005ED9E7 failes:                                 ; CODE XREF: do_dongle_check+74j

.text:005ED9E7                 call    sub_5ED7C0

.text:005ED9EC                 test    eax, eax

.text:005ED9EE                 jz      short loc_5ED9FC

.text:005ED9F0

.text:005ED9F0 finish:                                 ; CODE XREF: do_dongle_check+79j

.text:005ED9F0                 call    call_HL_LOGOUT

.text:005ED9F5                 mov     eax, 1

.text:005ED9FA                 pop     esi

.text:005ED9FB                 retn

.text:005ED9FC ; ���������������������������������������������������������������������������

.text:005ED9FC

.text:005ED9FC loc_5ED9FC:                             ; CODE XREF: do_dongle_check+8Ej

.text:005ED9FC                 call    call_HL_LOGOUT

.text:005EDA01                 mov     eax, 4

.text:005EDA06                 pop     esi

.text:005EDA07                 retn

.text:005EDA07 do_dongle_check endp

Notice: those functions are called from couple of places so I cannot just patch this one function ...

Anyway, what would be the most elegant way to solve this to the end?

As nikita@work said: patch the HL_LOGIN and HL_LOGOUT, emulate HL_READ?

I tried to patch the HL_LOGIN and HL_LOGOUT at call_HL_LOGIN and call_HL_LOGOUT, but different errors occurs so ...

anyone?

Btw, I tried to emulate this function with TORO's Monitor (&emulator) 1.6, but there's unsupported function in it (the rest is working fine). I use 2.5 version of his monitor (everything supported), but cannot create a .reg file (there's no sample .reg file) ... does anyone have a sample .reg file for his 2.5 version of monitor?

fritzFS

August 8th, 2006, 18:35

Ok, I've analyzed it further and there's no way to just patch this file and make it work ...

Maybe it is possible, but ... too much work ...

I would like to take this approach:
- code a simple .dll with HLM_LOGIN, HL_READ and HL_LOGOUT
- make the targets uses it

Of course, this .dll is ONLY for this target ... memory will be hardcoded inside it so no fancy stuff is needed or support for other dongle or anything like it.

Does anyone has some pointers?

Thank you!

fritzFS

August 9th, 2006, 10:19

Problem solved due to few who helped ...

I have managed to remove the need for dongle.

I would comment it here, but I doubt anyone would appreciate it due to number of replies.

Moderators, please close this thread!

peterg70

August 13th, 2006, 20:26

Just because people haven't replied to the thread doesn't mean people won't benefit from solution and methods applied to resolve a particular problem.

Just think about this. If someone was to come and read your thread and only find half the information available they will 1. Complain that you left it half finished. 2. complain to other members that they need information. 3. send you pms saying they need the final steps.

How about compiling your comments and thoughts on the best method you used to conquer the problem, especially with hindsight available. What could you have done differently that would have saved yourself alot of hassle.

Golden Rules etc.. Like what Nikan Stated regarding resolving the IAT.

Anyway thats my 2 cent worth (or is it 5 cents now with inflation)

dELTA

August 15th, 2006, 08:02

Yes, there will always be people who will benefit from the solution, so please post it fritzFS.

peterg70

August 16th, 2006, 22:50

I just noticed that the whole thread lastest 3 days max.... and hes onto the next dongle...

fritzFS
Do remember some people do have other things to do than just sit here and respond to posts etc... I tend to pop in every few days but sometimes it can be months...

So I would like you to finish this thread off rather than just leaving it in the state it is...

fritzFS

August 17th, 2006, 03:05

Hello peterg70,

I'll post my latest comments with conclusion as soon as I get home (in 2 days).

Thank you

fritzFS

September 6th, 2006, 08:39

Hello,

as peterg70 requested, I'll try to finish this thread.

Sorry guys, no emulation code or anything like that.

After the hardlock envelope was removed (unpacking and fixing file), there was no more HL_CODE function, only simple functions. I started to patch them one by one, but I took a look at function above (function that called all those hardlock APIs) and I noticed the following code:

ret = call process_dongle_protection();
switch (ret) {
case 'no_dongle':
msgbox 'No dongle';
exitprocess();
case 'wrong_version':
msgbox 'Wrong version';
exitprocess();
case '...':
msgbox '...';
exitprocess();
default: // everything OK
break;
}

So, I've plugged in the dongle and set a bp on process_dongle_protection function. Executed step-over and watched what cases I have to patch and what case if correct. I've patched about 3 conditional jumps, just to be sure that it comes to 'default' case which is executed when the dongle is plugged in and everything is OK.

Violla!
Application is working just fine.

Q: what about the data from the dongle?
A: seems that application doesnt use anything, it was all only in dongle fnc

Q: why not write simple table based emulator?
A: because it's not simple, the enc/dec packet algorithm needs to be discovered :-(

Q: so what to do with hardlock protections?
A: - plug in the dongle, trace the HL APIs (ret. values, conditional jumps, ...).
- unplug the dongle, trace the same HL APIs again and compare values
- patch the differences
- NOTE: always look in function above (that called your HL APIs), maybe it's a st*pid check like : if (dongle_check != TRUE) { end(); }

Sorry for not giving concrete informations, I don't have them. I'll have something in another thread where I studied WIBU dongle.