Hardlock Dump/Emulate


schwa226
August 24th, 2006, 16:07
Hi!

I have already done a dump of my RSLogix software (USB Hardlock) with HL-dump v2.
Now I have a .reg and a .dat file.

How do I go on to emulate the dongle?

Please help!

cu

CrackZ
August 24th, 2006, 18:08
OK,

I probably ought to put this as a *sticky* reply for this question. So here goes for the final time ;-).

1. HL-DUMP produces an 8 KB table of Hardlock responses (plus an additional 128 bytes if the key contains memory), so usual dump sizes are 8,192 or 8,320 bytes. The queries have been designed in such a way as to take advantage of the weakness of the Hardlock internal algorithm.

2. The Hardlock internal algorithm is quite well known; most of the SafeKey Hardlock emulators that can be found around the web and on my own site implement it, so recovering it is fairly trivial. These emulators can also be adapted (i.e. *.FST files created) once you have the 3 seeds.

3. The Hardlock security depends on the recovery of 3 16-bit seeds. The 8 KB table enables a very reduced brute force attack (this is the big secret and is the missing information most people do not have).

If your dongle's module address does not & with 0x1F and leave 0x1F (basically module addresses ending 0x1F/0x3F/0x5F.....) you require only 1 known set of encrypt/decrypt data to be able to brute force the seeds yourself (the 8k table should be represented as an array of words and each word extracted as a candidate for seed 2; in virtually every dump I've seen this has produced a maximum of 16 seed 2 candidates).

The caveat is simple: without the missing information I described above (which enables brute forcing of the seeds in under 5 minutes) you will have to brute force a key space of something like 2^36.

In fact this crude brute force is quite a slow attack even after code optimisations; I timed something like 4 days of CPU time, and you'll virtually always get 3 candidates of seed sets.

I have been writing for about the last 2 years an article on Hardlock in its entirety (including discussion of the VM and envelope) but just can't seem to get it finished. I will get it done though, I damn promise!

Send me your dump if you would like more information or assistance.

Regards

CrackZ.

schwa226
August 26th, 2006, 16:08
I have now tried to patch the program itself.

HL_LOGIN, HL_AVAIL, HL_READ...

are successfully patched.
Now I have the problem with HL_CODE.

I just patched the status register (eax=0).
With the dongle the software starts without any problems.
Without the dongle it crashes with the message:

LPM004: Licence could not be found!......

OllyDbg is showing me a fatal error...

How can I reverse the .dat file of the dongle dump to implement the algo?
Also I don't understand the OUT/IN of HL_CODE. What registers are used to send the data to hlvdd.dll? Where is the returned data of the dongle?

Here is the link to the dump:
http://rapidshare.de/files/30697711/RSLogix.rar.html

Please help!

Code:
HL_CODE
OUT
EAX 0090F990
ECX 04940011 hlvdd.04940011
EDX 00FE0EA8 OFFSET LC32TOOL.u__17LCtHardLockHandle
EBX 0494381A ASCII "VWè¿#"
ESP 0090F95C
EBP 0090F9B0
ESI 0492B0D0
EDI 00FE0EA8 OFFSET LC32TOOL.u__17LCtHardLockHandle
EIP 00F0BFA5 LC32TOOL.00F0BFA5
C 0 ES 0023 32bit 0(FFFFFFFF)
P 0 CS 001B 32bit 0(FFFFFFFF)
A 1 SS 0023 32bit 0(FFFFFFFF)
Z 0 DS 0023 32bit 0(FFFFFFFF)
S 0 FS 003B 32bit 7FFDF000(FFF)
T 0 GS 0000 NULL
D 0
O 0 LastErr ERROR_SUCCESS (00000000)
EFL 00000212 (NO,NB,NE,A,NS,PO,GE,G)
ST0 empty -??? FFFF 00FF00FF 00FF00FF
ST1 empty -??? FFFF 00FF00FF 00FF00FF
ST2 empty -??? FFFF 000000D3 00CF00C7
ST3 empty -??? FFFF 000000D3 00CF00C7
ST4 empty -??? FFFF 00D4D0C8 00D4D0C8
ST5 empty 190.00000000000000000
ST6 empty 258.00000000000000000
ST7 empty 208.50000000000000000
3 2 1 0 E S P U O Z D I
FST 0000 Cond 0 0 0 0 Err 0 0 0 0 0 0 0 0 (GT)
FCW 0362 Prec NEAR,64 Mask 1 0 0 0 1 0

IN
EAX 00000000
ECX 7FFDA000
EDX 0496B920 hlvdd.0496B920
EBX 0492B1D0
ESP 0090F964
EBP 0090F9B0
ESI 0492B0D0
EDI 00FE0EA8 OFFSET LC32TOOL.u__17LCtHardLockHandle
EIP 00F0BFAA LC32TOOL.00F0BFAA
C 0 ES 0023 32bit 0(FFFFFFFF)
P 1 CS 001B 32bit 0(FFFFFFFF)
A 1 SS 0023 32bit 0(FFFFFFFF)
Z 0 DS 0023 32bit 0(FFFFFFFF)
S 1 FS 003B 32bit 7FFDF000(FFF)
T 0 GS 0000 NULL
D 0
O 0 LastErr ERROR_SUCCESS (00000000)
EFL 00000296 (NO,NB,NE,A,S,PE,L,LE)
ST0 empty -??? FFFF 00FF00FF 00FF00FF
ST1 empty -??? FFFF 00FF00FF 00FF00FF
ST2 empty -??? FFFF 000000D3 00CF00C7
ST3 empty -??? FFFF 000000D3 00CF00C7
ST4 empty -??? FFFF 00D4D0C8 00D4D0C8
ST5 empty 190.00000000000000000
ST6 empty 258.00000000000000000
ST7 empty 208.50000000000000000
3 2 1 0 E S P U O Z D I
FST 0000 Cond 0 0 0 0 Err 0 0 0 0 0 0 0 0 (GT)
FCW 0362 Prec NEAR,64 Mask 1 0 0 0 1 0