View Full Version : Luna Deadlock
kodyazan
08-21-2008, 01:20 AM
Luna()
{
/*
Luna, younger sister of flora...
touched my face with her tiny hand
and reminded me that I'm dead.
She was at least visible with hardlock.sys and MYLOCK.FST
But our expiration date is reached, sir! she said,
with her voice softer than wind.
she was so unhappy but she was still more beautiful than the moon.
all night carrying her body in my arms,
I came to the Toro-mirror and saw:
HARDLOCK OUT:>HLM_CHECKEXPDATE...
i found nothing in black-red magic books
and i wont believe in you god,
if she is dead.
*/
Luna();
}
Trit0n
08-21-2008, 04:13 AM
This is a problem with the expiry date of the dongle (HL-RUS/LiMaS). It can be extended with an update file (a file from the manufacturer). So it should be possible to solve the problem with a revised reg file and a VUSB emulator.
Tell us more about the program; then somebody can certainly help you.
kodyazan
08-22-2008, 06:16 AM
Two questions:
1-- Is it possible to emulate the HLM_CHECKEXPDATE function with
*.dat and *.reg (made with sp0raw) and Toro monitor files only, if I give you the files?
2-- From the Aladdin rus_api, the code may look like this:
res = HLM_CHECKEXPDATE(SlotCnt, &Year, &Month, &Day);
The disassembly looks like this:
if(res==0) --->
tst bx,bx
je $3c
Does the code work if I am able to change jne into je in the program? Or should I change hlvdd.dll for this purpose? Any other tips to take care of?
(Please don't answer by just pointing me to Google.)
@trit0n & @gamebit0
There is no *.vk file in the setup directory.
I have just the *.dat and *.reg files made by sp0raw,
and also the Toro monitor output.
Thank you for the steps.
Trit0n
08-22-2008, 09:03 AM
You can try to change jne into je in the program.
But this is probably not a good solution.
(More tests and jumps behind it? / Program update / the program runs only with the dongle, etc.)
Better you use an emulator (VUSB).
PM me the .Dat and .Reg and Toro log (if you trust me :) )
I will then look at what can be done.
(But I can promise you nothing.)
benito
08-22-2008, 02:21 PM
I think he doesn't need to send you any file. If he is not lazy he can find all the required information on the board and doesn't need to send his own dump to anyone who also has this solution from this board...
kodyazan
08-22-2008, 04:43 PM
Benito, thank you very much for encouraging me. I really needed it.
Look, I even found your answer to dizzy's similar problem below :).
I have a hardlock on the LPT of my PC which expired 2 months ago.
I can read the content of it and reg and dat files are created. Can anyone help me with what to do after this, to make an emulator?
you should read it before expiration, now it will be a problem to make it work
I am trying something like a blind man, but luckily I found something:
I compiled a sample program from the Aladdin rus_api to compare its assembly code
with the original program.
I disassembled the code -with my old eyes for hours with hiew32.exe- and I think I found the vendor key.
push 89A7A8 ---> vendor key address
push 89B530 ---> VerKey address
push 89B528 ---> RefKey address
push 001
push 00000DEAD ---> mod address
e8314d2600 ;call hvldd.54
Looking at the vendor key address above (89A7A8), I see 47 bytes.
89A7A8:
5F AF F6...........66 5C ---> 47 bytes vendor key.
Now I have *.dat, *.reg and 47 bytes.
Trit0n
08-23-2008, 06:04 AM
@ Benito
100% agree, but remember I said "If you trust me"
@kodyazan
- Tell us the real ModAd. (Perhaps someone can help.)
- Now look at the Dat file at the address
00002000h and behind it; there you should find something.
- Try to patch.
kodyazan
08-23-2008, 07:27 AM
@Trit0n
Thank you for the steps:
At 00002000h, 128 bytes of HL_READBL memory.
I see that some part of this data is also used as an answer for
the RUS function HLM_CHECKEXPDATE.
So does it include the expiration date, so that I can modify it?
In the software it says that the expiration date is 2005-06-01. And I couldn't find this date (in hex) in the dongle memory.
To understand the structure of the DAT file (to understand what you mean), I read sp0raw's hl-dump.cpp source file. But there is no information about the structure of the DAT file.
The memory you mention is also the "hlkMemory" part of satar0n!'s UniDumpToReg *.reg output. The problem, for me, is the same.
part of
-----------
00,00,0F,DE,A6,99,02,00,00,00,00,00,16,00,27,4D,\
27,09,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,7C,53,E4,03,5C,0D,00,00,00,00,44,64,ED,36
-----------
is similar to DEMO Hardlock
-----------
00,00,0f,de,18,01,00,00,00,08,00,00,16,00,ea,71,\
00,00,00,00,00,00,ff,ff,ff,ff,7f,00,00,00,00,00,\
00,00,75,b8,1b,76,00,00,00,00,00,00,9a,92,30,20
-----------
kodyazan
08-24-2008, 04:15 PM
@Bfox
Thank you for keeping the thread alive..
00,00,0F,DE,A6,99,02,00,00,00,00,00,16,00,27,4D,\
27,09,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,7C,53,E4,03,5C,0D,00,00,00,00,44,64,ED,36
Above,
I changed almost every cell -one by one- to be able to find/change the DATE info and reinstalled the emu.
But when I made a change, the RUS_api (compiled from Aladdin) returned with an error.
(I conclude that those cells above, in the reg file, may not be directly edited/patched.)
By the way,
I read RUS-INFO from the dongle, a 348-byte *.cvt file. How to use it now?
With Olly and Hiew, I solved my particular program's HLM_CHECKEXPDATE problem.
But is there a short way? What is the meaning of (and the possibility of changing) those cells in the reg file?
I know part of the data of the *.cvt file.
I don't have RUS solutions...
kodyazan
08-25-2008, 11:45 AM
Is there a way to revise the *.reg file, to alter the RUS function's return?
(I feel this will be the last post of the thread. Thank you. At least we tried.)
nodongle
08-26-2008, 01:56 AM
There exist a few checksums in RUS memory.
You need to re-calculate the CRC values after changing the hardlock's memory. :)
kodyazan
08-26-2008, 05:03 AM
@Nodongle, thank you. You say that there is still hope.
Toro says:
(From: http://forum.exetools.com/printthread.php?t=7001)
---
"Constant block relate to some kind of crc of expdate and slots."
---
If I knew the cells where the expdate and slot values are stored, then I would try to recalculate the CRC to regenerate the REG file.
I wonder over which bytes to calculate the CRC below (demo dongle example)? Is the CRC done over the whole 256 bytes?
..
00,00,0f,de,18,01,00,00,00,08,00,00,16,00,ea,71,\
00,00,00,00,00,00,ff,ff,ff,ff,7f,00,00,00,00,00,\
00,00,75,b8,1b,76,00,00,00,00,00,00,9a,92,30,20
for
0f,de,18,01,00,00,00,08,00,00,16,00,ea,71
use this:
typedef struct rus_fib
{
Byte MARKER[2];
Long SERIAL_ID;
Byte VERSION[2];
Word FIXED;
Word VAR;
Word CRC;
} ALIGN_GCC RUS_FIB;
kodyazan
08-26-2008, 12:30 PM
@Bfox, you made me feel that I am on the right board. I know it is already well known. But for this case, we have to re-invent the wheel to use it.
After your last post and reading Aladdin's "fastapi.h", I focused on CRC experiments on the REG file.
I wrote a simple program to calculate the 16-bit CRC of RUS_FIB.
But the CRC did not return 0 for your sequence:
"0f,de,18,01,00,00,00,08,00,00,16,00,ea,71"
--------
(Note: CRC8 and simple XORing didn't give success.
(Also tried taking the CRC over the 128-byte memory.)
(Comparing results with another dongle memory gave no similarity.)
Below is the simple code to calculate the CRC of the 14-byte RUS_FIB structure:
[ Edited: Now the code below works. Thanks to Git and Bfox.]
#include <stdio.h>
typedef unsigned char  INT8U;      /* typedefs were missing in the posted code */
typedef unsigned short INT16U;
static INT16U crc_table[256];      /* the 256-entry table is defined below */
int main(void)
{
INT8U Mem[14]={0x0f,0xde,0x18,0x01,0x00,0x00,0x00,0x08,0x00,0x00,0x16,0x00,0xea,0x71};
INT16U crc=0;                      /* initial value 0x0000; Mem[12..13] hold the stored CRC (ea,71 = 0x71ea little-endian) */
INT8U len=12,i=0;                  /* the CRC covers bytes 0..11 only */
while (len--) crc=(crc >> 8) ^ crc_table[(crc^Mem[i++])&0xff];
printf("crc= %x\n",crc);          /* prints 71ea, matching the stored bytes */
return 0;
}
static INT16U crc_table[] = {
0x0000, 0xC0C1, 0xC181, 0x0140,
0xC301, 0x03C0, 0x0280, 0xC241,
0xC601, 0x06C0, 0x0780, 0xC741,
0x0500, 0xC5C1, 0xC481, 0x0440,
0xCC01, 0x0CC0, 0x0D80, 0xCD41,
0x0F00, 0xCFC1, 0xCE81, 0x0E40,
0x0A00, 0xCAC1, 0xCB81, 0x0B40,
0xC901, 0x09C0, 0x0880, 0xC841,
0xD801, 0x18C0, 0x1980, 0xD941,
0x1B00, 0xDBC1, 0xDA81, 0x1A40,
0x1E00, 0xDEC1, 0xDF81, 0x1F40,
0xDD01, 0x1DC0, 0x1C80, 0xDC41,
0x1400, 0xD4C1, 0xD581, 0x1540,
0xD701, 0x17C0, 0x1680, 0xD641,
0xD201, 0x12C0, 0x1380, 0xD341,
0x1100, 0xD1C1, 0xD081, 0x1040,
0xF001, 0x30C0, 0x3180, 0xF141,
0x3300, 0xF3C1, 0xF281, 0x3240,
0x3600, 0xF6C1, 0xF781, 0x3740,
0xF501, 0x35C0, 0x3480, 0xF441,
0x3C00, 0xFCC1, 0xFD81, 0x3D40,
0xFF01, 0x3FC0, 0x3E80, 0xFE41,
0xFA01, 0x3AC0, 0x3B80, 0xFB41,
0x3900, 0xF9C1, 0xF881, 0x3840,
0x2800, 0xE8C1, 0xE981, 0x2940,
0xEB01, 0x2BC0, 0x2A80, 0xEA41,
0xEE01, 0x2EC0, 0x2F80, 0xEF41,
0x2D00, 0xEDC1, 0xEC81, 0x2C40,
0xE401, 0x24C0, 0x2580, 0xE541,
0x2700, 0xE7C1, 0xE681, 0x2640,
0x2200, 0xE2C1, 0xE381, 0x2340,
0xE101, 0x21C0, 0x2080, 0xE041,
0xA001, 0x60C0, 0x6180, 0xA141,
0x6300, 0xA3C1, 0xA281, 0x6240,
0x6600, 0xA6C1, 0xA781, 0x6740,
0xA501, 0x65C0, 0x6480, 0xA441,
0x6C00, 0xACC1, 0xAD81, 0x6D40,
0xAF01, 0x6FC0, 0x6E80, 0xAE41,
0xAA01, 0x6AC0, 0x6B80, 0xAB41,
0x6900, 0xA9C1, 0xA881, 0x6840,
0x7800, 0xB8C1, 0xB981, 0x7940,
0xBB01, 0x7BC0, 0x7A80, 0xBA41,
0xBE01, 0x7EC0, 0x7F80, 0xBF41,
0x7D00, 0xBDC1, 0xBC81, 0x7C40,
0xB401, 0x74C0, 0x7580, 0xB541,
0x7700, 0xB7C1, 0xB681, 0x7640,
0x7200, 0xB2C1, 0xB381, 0x7340,
0xB101, 0x71C0, 0x7080, 0xB041,
0x5000, 0x90C1, 0x9181, 0x5140,
0x9301, 0x53C0, 0x5280, 0x9241,
0x9601, 0x56C0, 0x5780, 0x9741,
0x5500, 0x95C1, 0x9481, 0x5440,
0x9C01, 0x5CC0, 0x5D80, 0x9D41,
0x5F00, 0x9FC1, 0x9E81, 0x5E40,
0x5A00, 0x9AC1, 0x9B81, 0x5B40,
0x9901, 0x59C0, 0x5880, 0x9841,
0x8801, 0x48C0, 0x4980, 0x8941,
0x4B00, 0x8BC1, 0x8A81, 0x4A40,
0x4E00, 0x8EC1, 0x8F81, 0x4F40,
0x8D01, 0x4DC0, 0x4C80, 0x8C41,
0x4400, 0x84C1, 0x8581, 0x4540,
0x8701, 0x47C0, 0x4680, 0x8641,
0x8201, 0x42C0, 0x4380, 0x8341,
0x4100, 0x81C1, 0x8081, 0x4040
};
maybe
INT8U Mem[12]={0x0f,0xde,0x18,0x01,0x00,0x00,0x00,0x08,0x00,0x00,0x16,0x00};
or
INT8U Mem[10]={0x18,0x01,0x00,0x00,0x00,0x08,0x00,0x00,0x16,0x00};
check please...
kody - bytes 12 and 13 are the CRC-16 of bytes 0..11. Note, *not* CRC-16 CCITT. The polynomial is 0x8005, initial value 0x0000, XOR-out value 0x0000, with in and out reflection.
Using that form of CRC, it works for both examples posted.
Git
This code produces the correct CRC as used by the rus_fib struct.
Git
#include <stdio.h>
#include <stdlib.h>
typedef unsigned short WORD;
typedef unsigned long DWORD;
typedef unsigned char BYTE;        /* 'typedef' was missing in the posted version */
typedef signed long ULONG;
typedef void *pVOID;
typedef signed short SHORT;
WORD Crc16X( pVOID blk, ULONG siz );
WORD Crc16Xu( WORD crc, BYTE byt );
int main(int argc, char *argv[])
{
    BYTE str[] = {0x0F,0xDE,0x18,0x01,0x00,0x00,0x00,0x08,0x00,0x00,0x16,0x00}; // stored in the dump as EA,71 (little-endian word 0x71EA)
    printf("CRC16 is %X\n", Crc16X(str, 12) );
    return 0;
}
WORD Crc16X( pVOID blk, ULONG siz )
{
    BYTE *b = blk;
    WORD crc = 0;                  /* initial value 0x0000 */
    if((blk == 0L) || (siz < 0))
        return(0);
    while( siz-- )
        crc = Crc16Xu( crc, *b++ );
    return(crc);                   /* no output XOR */
}
WORD Crc16Xu( WORD crc, BYTE byt )
{
    SHORT i;
    WORD msk = byt;
    for( i = 0; i < 8; i++ )       /* reflected form: LSB first, 0xA001 is 0x8005 bit-reversed */
    {
        crc = ((crc ^ msk) & 0x0001) ? ((crc >> 1) ^ 0xA001) : (crc >> 1);
        msk >>= 1;
    }
    return(crc);
}
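Worked example, added here and not part of any post in this thread: a small C program that checks the 14-byte RUS_FIB trailer against the CRC parameters Git gives (polynomial 0x8005, reflected in and out, initial value 0, no output XOR, stored little-endian in bytes 12..13 over bytes 0..11) and re-seals it after an edit, which is what kody's "regenerate the REG file with new CRCs" step needs. The three trailers used as test vectors are copied from dumps posted in this thread. The 0x52 offset of the trailer inside a 128-byte HlkMemory dump is an assumption read off the dump layout (two zero bytes precede 0F,DE in the last ROM row). Nothing here touches the RAM block, whose checksum blocks the thread never resolves.

```c
/* rus_fib_crc.c - verify / re-seal the RUS_FIB trailer of a Hardlock dump.
 * Added example; not code from the thread or from Aladdin.
 * CRC-16, poly 0x8005, init 0x0000, refin/refout, xorout 0x0000 (often called CRC-16/ARC). */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define RUS_FIB_LEN 14
#define RUS_FIB_OFF 0x52   /* assumed offset of the 0F,DE marker in a 128-byte HlkMemory dump */

/* Bitwise reflected CRC-16; 0xA001 is 0x8005 bit-reversed. */
uint16_t crc16_arc(const uint8_t *p, size_t n)
{
    uint16_t crc = 0x0000;
    while (n--) {
        crc ^= *p++;
        for (int i = 0; i < 8; i++)
            crc = (crc & 1) ? (uint16_t)((crc >> 1) ^ 0xA001) : (uint16_t)(crc >> 1);
    }
    return crc;                                   /* no final XOR */
}

/* Bytes 12..13 hold the CRC little-endian; it covers bytes 0..11. */
uint16_t rus_fib_stored_crc(const uint8_t *fib)
{
    return (uint16_t)(fib[12] | (fib[13] << 8));
}

int rus_fib_check(const uint8_t *fib)
{
    return crc16_arc(fib, 12) == rus_fib_stored_crc(fib);
}

/* Recompute and store the CRC after editing any of bytes 0..11. */
void rus_fib_seal(uint8_t *fib)
{
    uint16_t crc = crc16_arc(fib, 12);
    fib[12] = (uint8_t)(crc & 0xFF);
    fib[13] = (uint8_t)(crc >> 8);
}

/* Field accessors, fastapi.h layout: MARKER[2], SERIAL_ID, VERSION[2], FIXED, VAR, CRC. */
uint32_t rus_fib_serial(const uint8_t *fib)
{
    return (uint32_t)fib[2] | (uint32_t)fib[3] << 8 | (uint32_t)fib[4] << 16 | (uint32_t)fib[5] << 24;
}
uint16_t rus_fib_var(const uint8_t *fib) { return (uint16_t)(fib[10] | (fib[11] << 8)); }

/* Trailers copied from dumps posted in this thread (constructed test vectors). */
const uint8_t FIB_DEMO[RUS_FIB_LEN] = {0x0F,0xDE,0x18,0x01,0x00,0x00,0x00,0x08,0x00,0x00,0x16,0x00,0xEA,0x71};
const uint8_t FIB_KODY[RUS_FIB_LEN] = {0x0F,0xDE,0xA6,0x99,0x02,0x00,0x00,0x00,0x00,0x00,0x16,0x00,0x27,0x4D};
const uint8_t FIB_MOFL[RUS_FIB_LEN] = {0x0F,0xDE,0xB5,0x03,0x00,0x00,0x00,0x00,0x00,0x00,0x16,0x00,0x85,0xA8};

/* Change VAR on a copy of FIB_DEMO (0x0016 -> 0x0017, the edit kody tried), confirm the
 * stale CRC now fails, re-seal, confirm it passes.  Returns the new CRC, or 0 on failure. */
uint16_t rus_fib_reseal_demo(void)
{
    uint8_t fib[RUS_FIB_LEN];
    memcpy(fib, FIB_DEMO, RUS_FIB_LEN);
    fib[10] = 0x17;
    if (rus_fib_check(fib)) return 0;             /* the old CRC must not match any more */
    rus_fib_seal(fib);
    return rus_fib_check(fib) ? rus_fib_stored_crc(fib) : 0;
}

int main(void)
{
    const uint8_t *all[3] = {FIB_DEMO, FIB_KODY, FIB_MOFL};
    for (int i = 0; i < 3; i++)
        printf("serial 0x%08X VAR 0x%04X stored %04X computed %04X %s\n",
               rus_fib_serial(all[i]), rus_fib_var(all[i]), rus_fib_stored_crc(all[i]),
               crc16_arc(all[i], 12), rus_fib_check(all[i]) ? "OK" : "BAD");
    printf("reseal demo -> new CRC %04X\n", rus_fib_reseal_demo());
    return 0;
}
```

To apply it to a real dump, copy the 14 bytes at RUS_FIB_OFF out of the 128-byte HlkMemory array, edit, call rus_fib_seal, and write them back; the thread's own observations (wrong CRC gives "dongle missing", changed serial gives "invalid licence") still apply after re-sealing, since the driver validates the fields as well as the CRC.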
kodyazan
08-26-2008, 10:18 PM
Thank you Git. You enlightened us. With your point, I corrected/edited the table calculation in my previous post.
Now we are able to regenerate the REG file with new CRCs.
At the structure below, for example
(0f,de,18,01,00,00,00,08,00,00,16,00,ea,71)
I experimentally altered every cell, calculated new CRCs and
made new REG files.
The error responses I got are as follows:
when I changed the serial ID --> got an invalid licence error
Changing cell[10] (FIXED variable of the struct) from 16 to 17 ---> a wrong parameter error occurred.
Changing cell[11] (VAR variable of the struct) from 0x00 to 0x01 --> a wrong parameter error occurred.
Note: when the CRC is wrong, a dongle missing error.
I still didn't understand the benefit of altering RUS_FIB. Does it include a pointer to the date?
typedef struct rus_fib
{
Byte MARKER[2];
Long SERIAL_ID;
Byte VERSION[2];
Word FIXED;
Word VAR;
Word CRC;
} ALIGN_GCC RUS_FIB;
> I still didn't understand the benefit of altering
> RUS_FIB. Does it include a pointer to the date?
No, it looks like the expiry date is elsewhere in the RUS. If you can post or send the dump files to me I will happily have a look. You have only posted a fraction of the info, so we don't have anything to work with.
Git
kodyazan
08-27-2008, 09:39 AM
@git,
We can work on the demo dongle dump to find answers to our questions, can't we?
Do you have a demo Luna dump with RUS EXPDATE enabled? Or maybe Bfox has, I think..
Can you paste it here?
What can you solve with 1 example?
Git
kodyazan
08-27-2008, 11:11 AM
@Git,
A link to 5 original files: REG, DAT, 47-byte RUS array, Toro monitor, and *.ctv file is in your mailbox.
Note: I can send those files also to anyone who truly
wants to find a solution for HLM_CHECKEXPDATE RUS modification..
I have to study more..
(May the force be with you.)
maybe you have vtc, svk, raw files also?
kodyazan
08-27-2008, 06:06 PM
@Bfox
A link to the CRT, SVK, DAT, REG and Toro monitor files is in your message box.
@Git, @Bfox
The expiration date information, for this dongle, is 2005-06-01 (YYYY-MM-DD)
sure,
last access time is 13/05/2008 (DD/MM/YYYY)
expiry time is 01/06/2005
Trit0n
08-28-2008, 04:33 AM
Are these values directly in the Dump?
If so, where?
Example: 7471.REG
"ROM"=hex:
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,
00,00,0F,DE,18,01,00,00,00,08,00,00,16,00,EA,71 <---0000????h ??
"RAM"=hex:
00,00,00,00,00,00,FF,FF,FF,FF,7F,00,00,00,00,00, <---00002060h ??
00,00,75,B8,1B,76,00,00,00,00,00,00,9A,92,30,20 <---00002070h ??
Maybe someone can share the 7471.dat.
(I think it is not really private.)
Kody - your PM message box is full.
Git
@kody: try replacing the last 0x20 bytes in your dump...
"RAM"=hex:
CB,0D,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,78,35,AC,0E,C8,0D,00,00,00,00,93,0F,46,D5
kodyazan
08-28-2008, 10:36 PM
@Bfox,
Error code: Date fake detected
toro, on exetools, says that:
"in the RAM of the dongle, expdate and slots plus a constant block and a variable block are saved. The constant block relates to some kind of CRC of expdate and slots, and the variable block relates to some kind of CRC of the latest date of use of the program. These 2 blocks can be calculated from the VK and slots and expdate and latest date of use. You can find the correct values for them just with a little trace of your target."
So we can deduce that:
in RAM (last 32 bytes):
-Expiration date (2 bytes, from fastapi.h)
-Slots (12 bytes, 96 on/off slots)
-Constant block (related to the CRC of EXPDATE and SLOTS)
-Variable block (related to the CRC of the latest date of use of the program)
-xx
in EEPROM
typedef struct rus_fib
{
Byte MARKER[2];
Long SERIAL_ID;
Byte VERSION[2];
Word FIXED;
Word VAR;
Word CRC;
} ALIGN_GCC RUS_FIB;
Above, FIXED and VAR may be the pointers to the blocks TORO mentioned. If so,
looking at the demo dongle:
RUS_FIB structure at the bottom of the EEPROM:
00,00,0f,de,18,01,00,00,00,08,00,00,16,00,ea,71 -> FIXED=0, VAR=0x0016 (22)
RAM:
00,00,00,00,00,00,ff,ff,ff,ff,7f,00,00,00,00,00,
00,00,75,b8,1b,76,00,00,00,00,00,00,9a,92,30,20
The variable block may be (starting from the 22nd RAM location)
[00,00,00,00,00,00,9a,92,30,20].
The fixed block may be (starting from the 0th RAM location)
[00,00,00,00,00,00,ff,ff,ff,ff,7f,00,00,00,00,00,
00,00,75,b8,1b,76,]
Possible alternative solutions:
The Cappuccino tool from Aladdin.
But it wants the vendor key in *.svk format, or the vendor key password. (I could not convert the 47-byte vendor key into a 339-byte SVK file, and I don't know the password part of the vendor key.)
Possible re-creation of the vendor key with Cappuccino... (Vendor key management was disabled in Cappuccino; maybe a master hardlock is needed.)
From the Cappuccino help file:
"
The license data are protected against manipulation by a personal Vendor Key. This checks the
licenses and the updates which are loaded. You generate this Vendor Key yourself using the
Vendor Key Manager. It is divided into a signature part and a runtime part. The signature
part is protected by a password and is used by you for encoding the modules and updates. The
runtime part will be integrated into the software and is used for checking the licenses.
"
Below, some experiments I did on the REG file, with failures:
-Trying to find a CRC relation on the last (RAM) 32 bytes / 12 bytes.
-Trying to find a CRC relation on the constant block, variable block.
-Combining the 47-byte VK + 32-byte RAM = 79 bytes and looking for a possible CRC check.
All failed.
We need (to study) more.
replace the bytes in the vusb dump from 0x50
with
00,00,0F,DE,A6,99,02,00,00,00,00,00,16,00,27,4D,\
CB,0D,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,78,35,AC,0E,C8,0D,00,00,00,00,93,0F,46,D5
add to the registry and restart the emulator. it works :)
kodyazan
08-29-2008, 11:28 AM
Well done Bfox!! The new expiry date is 2008-09-01. Luna thanks you for this one day.
So you didn't change anything in the RUS_FIB structure.
Did you use the Cappuccino tool?
I did not need to change anything in the RUS_FIB structure.
no Cappuccino...
hand made ;)
kodyazan
08-29-2008, 12:54 PM
Perfect Bfox. Where is the relation between the vendor key and the expiry date?
Should I dig into hlvdd.dll?
kodyazan
08-29-2008, 09:43 PM
This is Bfox's 3-day RAM: from 29-08-2008 to 01-09-2008
cb,0d,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,78,35,AC,0E,c8,0d,00,00,00,00,93,0F,46,D5
I guess:
cb0d = expiry date.
c80d = last use date.
This is the original RAM. From 13/05/2008 to 01/06/2005:
27,09,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,7C,53,E4,03,5C,0D,00,00,00,00,44,64,ED,36
I guess:
27,09 = expiry date
5c,0d = last use date
Confirm for RAM1: 0dcb-0dc8=3 (Bfox's 3 days)
Confirm for RAM2: 0d5c-0927=1077 days (from the original dump) 13/05/2008-01/06/2005
Confirm 3: RUS_FIB's VAR offset begins from the 0x16th byte of RAM, which is the variable date.
If we exclude the dates and slots from the blocks:
Constant block = 7835AC0E (probably)
Variable block = 930f46d5 (probably)
THE PROBLEM REDUCES TO THE FOLLOWING:
1- Find a (CRC) relation below: -to change the last usage date (c8,0d)-
c8,0d,00,00,00,00,93,0F,46,D5
2- Find a (CRC) relation below: -to change the expiry date (cb,0d)-
cb,0d,00,00,00,00,00,00,00,00,00,00,00,00,00,00,
00,00,78,35,AC,0E
I don't want to learn if somebody finds a solution. I will sleep now.
------ Editing (Results of the above) ------
The code below calculates the CRC on all permutations of an array to find a zero (good) return.
For example, for an array of 10 bytes, it calculates the CRC16 of 10! (3628800) different arrays.
It prints on the screen if a "zero" return comes.
//kody, with the Exeter permutation algorithm.
//Calculates the CRC16 of all permutations of an array.
//If any of the permutations returns 0 then it prints that array on screen.
#include <stdio.h>
unsigned short crc_table[256] = {
0x0000, 0xC0C1, 0xC181, 0x0140,
0xC301, 0x03C0, 0x0280, 0xC241,
0xC601, 0x06C0, 0x0780, 0xC741,
0x0500, 0xC5C1, 0xC481, 0x0440,
0xCC01, 0x0CC0, 0x0D80, 0xCD41,
0x0F00, 0xCFC1, 0xCE81, 0x0E40,
0x0A00, 0xCAC1, 0xCB81, 0x0B40,
0xC901, 0x09C0, 0x0880, 0xC841,
0xD801, 0x18C0, 0x1980, 0xD941,
0x1B00, 0xDBC1, 0xDA81, 0x1A40,
0x1E00, 0xDEC1, 0xDF81, 0x1F40,
0xDD01, 0x1DC0, 0x1C80, 0xDC41,
0x1400, 0xD4C1, 0xD581, 0x1540,
0xD701, 0x17C0, 0x1680, 0xD641,
0xD201, 0x12C0, 0x1380, 0xD341,
0x1100, 0xD1C1, 0xD081, 0x1040,
0xF001, 0x30C0, 0x3180, 0xF141,
0x3300, 0xF3C1, 0xF281, 0x3240,
0x3600, 0xF6C1, 0xF781, 0x3740,
0xF501, 0x35C0, 0x3480, 0xF441,
0x3C00, 0xFCC1, 0xFD81, 0x3D40,
0xFF01, 0x3FC0, 0x3E80, 0xFE41,
0xFA01, 0x3AC0, 0x3B80, 0xFB41,
0x3900, 0xF9C1, 0xF881, 0x3840,
0x2800, 0xE8C1, 0xE981, 0x2940,
0xEB01, 0x2BC0, 0x2A80, 0xEA41,
0xEE01, 0x2EC0, 0x2F80, 0xEF41,
0x2D00, 0xEDC1, 0xEC81, 0x2C40,
0xE401, 0x24C0, 0x2580, 0xE541,
0x2700, 0xE7C1, 0xE681, 0x2640,
0x2200, 0xE2C1, 0xE381, 0x2340,
0xE101, 0x21C0, 0x2080, 0xE041,
0xA001, 0x60C0, 0x6180, 0xA141,
0x6300, 0xA3C1, 0xA281, 0x6240,
0x6600, 0xA6C1, 0xA781, 0x6740,
0xA501, 0x65C0, 0x6480, 0xA441,
0x6C00, 0xACC1, 0xAD81, 0x6D40,
0xAF01, 0x6FC0, 0x6E80, 0xAE41,
0xAA01, 0x6AC0, 0x6B80, 0xAB41,
0x6900, 0xA9C1, 0xA881, 0x6840,
0x7800, 0xB8C1, 0xB981, 0x7940,
0xBB01, 0x7BC0, 0x7A80, 0xBA41,
0xBE01, 0x7EC0, 0x7F80, 0xBF41,
0x7D00, 0xBDC1, 0xBC81, 0x7C40,
0xB401, 0x74C0, 0x7580, 0xB541,
0x7700, 0xB7C1, 0xB681, 0x7640,
0x7200, 0xB2C1, 0xB381, 0x7340,
0xB101, 0x71C0, 0x7080, 0xB041,
0x5000, 0x90C1, 0x9181, 0x5140,
0x9301, 0x53C0, 0x5280, 0x9241,
0x9601, 0x56C0, 0x5780, 0x9741,
0x5500, 0x95C1, 0x9481, 0x5440,
0x9C01, 0x5CC0, 0x5D80, 0x9D41,
0x5F00, 0x9FC1, 0x9E81, 0x5E40,
0x5A00, 0x9AC1, 0x9B81, 0x5B40,
0x9901, 0x59C0, 0x5880, 0x9841,
0x8801, 0x48C0, 0x4980, 0x8941,
0x4B00, 0x8BC1, 0x8A81, 0x4A40,
0x4E00, 0x8EC1, 0x8F81, 0x4F40,
0x8D01, 0x4DC0, 0x4C80, 0x8C41,
0x4400, 0x84C1, 0x8581, 0x4540,
0x8701, 0x47C0, 0x4680, 0x8641,
0x8201, 0x42C0, 0x4380, 0x8341,
0x4100, 0x81C1, 0x8081, 0x4040
};
unsigned char var_blk1[10]={0xC8,0x0D,0x00,0x00,0x00,0x00,0x93,0x0F,0x46,0xD5};
unsigned short crc16(unsigned char *buffer, unsigned int len)
{
unsigned short crc=0;
while (len--){
crc=(crc >> 8) ^ crc_table[(crc ^(*(buffer++)))&0xff];
}
return crc;
}
void print(unsigned char *v, int size)
{
int i=0;
if (v != 0) {
for ( i = 0; i < size; i++) {
printf("%x,", v[i] );
}
printf("\n");
}
}
void permute(unsigned char *v, const int start, const int n)
{
int i=0;
static int ps=0;
if (start == n-1) {
// print(v, n); //shows all permutation on screen.
if(crc16(v,n)==0)
{ ps++;
printf("CRC returned Zero!, on permutation =%d ",ps);
print(v,n); //prints the array which has CRC16 relation.
//return(0); // returns after first relation.
}
}
else {
for ( i = start; i < n; i++) {
int tmp = v[i];
v[i] = v[start];
v[start] = tmp;
permute(v, start+1, n);
v[start] = v[i];
v[i] = tmp;
}
}
}
int main(void)
{
permute(var_blk1, 0, 10);
//permute(var_blk1, 5, 7); means the first 5 bytes don't change in the permutation and the length is 7.
return 0;
}
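Added example, not from any post in this thread: a C decoder for the two day counters kody identifies above. The field offsets are the ones kody reads off the 32-byte RAM block. The epoch, counter 0 = 1999-01-01, is my own inference from the date/counter pairs in the thread (0x0927 = 2005-06-01, 0x0D5C = 2008-05-13, 0x0DCB = 2008-09-01, 0x0DC8 = 2008-08-29, and later in the thread 0x0E27 = 2008-12-02); nothing on the page states it. The constant and variable blocks are carried through untouched: the example does not pretend to know their checksum, and the thread shows that a dump with a changed date and stale blocks is rejected with "Date fake detected".

```c
/* rus_ram_dates.c - decode the day counters in the 32-byte RUS RAM block.
 * Added example; not code from the thread, Aladdin or any emulator.
 * Offsets are kody's reading of the block, little-endian throughout:
 *   0..1 expiry, 6..17 slots, 18..21 constant block, 22..23 last use, 28..31 variable block.
 * ASSUMPTION: counter 0 == 1999-01-01, inferred from the thread's date/counter pairs;
 * nothing on the page documents the epoch.  Checksum blocks are never recomputed here. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

struct rus_ram {
    uint16_t expiry_day, lastuse_day;
    uint8_t  slots[12], const_blk[4], var_blk[4];
};

/* Proleptic Gregorian date <-> days since 1970-01-01 (Howard Hinnant's algorithms). */
long days_from_civil(int y, int m, int d)
{
    y -= (m <= 2);
    long era = (y >= 0 ? y : y - 399) / 400;
    long yoe = y - era * 400;
    long doy = (153L * (m + (m > 2 ? -3 : 9)) + 2) / 5 + d - 1;
    long doe = yoe * 365 + yoe / 4 - yoe / 100 + doy;
    return era * 146097 + doe - 719468;
}
void civil_from_days(long z, int *y, int *m, int *d)
{
    z += 719468;
    long era = (z >= 0 ? z : z - 146096) / 146097;
    long doe = z - era * 146097;
    long yoe = (doe - doe / 1460 + doe / 36524 - doe / 146096) / 365;
    long doy = doe - (365 * yoe + yoe / 4 - yoe / 100);
    long mp  = (5 * doy + 2) / 153;
    *d = (int)(doy - (153 * mp + 2) / 5 + 1);
    *m = (int)(mp < 10 ? mp + 3 : mp - 9);
    *y = (int)(yoe + era * 400 + (*m <= 2));
}

long rus_epoch_days(void) { return days_from_civil(1999, 1, 1); }   /* assumed epoch (10592) */
uint16_t rus_day_from_date(int y, int m, int d) { return (uint16_t)(days_from_civil(y, m, d) - rus_epoch_days()); }
void rus_date_from_day(uint16_t day, int *y, int *m, int *d) { civil_from_days((long)day + rus_epoch_days(), y, m, d); }

/* Round trip: 1 if the counter decodes to exactly y-m-d and that date encodes back to it. */
int rus_day_is(uint16_t day, int y, int m, int d)
{
    int yy, mm, dd;
    rus_date_from_day(day, &yy, &mm, &dd);
    return yy == y && mm == m && dd == d && rus_day_from_date(y, m, d) == day;
}

void rus_ram_parse(const uint8_t ram[32], struct rus_ram *r)
{
    r->expiry_day  = (uint16_t)(ram[0]  | ram[1]  << 8);
    r->lastuse_day = (uint16_t)(ram[22] | ram[23] << 8);
    memcpy(r->slots,     ram + 6,  12);
    memcpy(r->const_blk, ram + 18, 4);
    memcpy(r->var_blk,   ram + 28, 4);
}

/* Days from the recorded last use to expiry; negative means the dongle is already expired. */
int rus_ram_days_left(const uint8_t ram[32])
{
    struct rus_ram r;
    rus_ram_parse(ram, &r);
    return (int)r.expiry_day - (int)r.lastuse_day;
}

/* Overwrite the expiry counter only.  With the constant/variable blocks left stale, the
 * thread reports the driver answers "Date fake detected"; their algorithm is not known here. */
void rus_ram_set_expiry(uint8_t ram[32], int y, int m, int d)
{
    uint16_t day = rus_day_from_date(y, m, d);
    ram[0] = (uint8_t)(day & 0xFF);
    ram[1] = (uint8_t)(day >> 8);
}

/* RAM blocks copied from this thread (constructed test vectors): kody's original and Bfox's 3-day patch. */
const uint8_t RAM_ORIG[32] = {0x27,0x09,0,0,0,0,0,0,0,0,0,0,0,0,0,0,
                              0,0,0x7C,0x53,0xE4,0x03,0x5C,0x0D,0,0,0,0,0x44,0x64,0xED,0x36};
const uint8_t RAM_BFOX[32] = {0xCB,0x0D,0,0,0,0,0,0,0,0,0,0,0,0,0,0,
                              0,0,0x78,0x35,0xAC,0x0E,0xC8,0x0D,0,0,0,0,0x93,0x0F,0x46,0xD5};

/* Set 2008-12-02 on a copy of RAM_ORIG and return the counter written (kody's later dump shows 27,0E). */
uint16_t rus_ram_set_expiry_demo(void)
{
    uint8_t ram[32];
    memcpy(ram, RAM_ORIG, 32);
    rus_ram_set_expiry(ram, 2008, 12, 2);
    return (uint16_t)(ram[0] | ram[1] << 8);
}

int main(void)
{
    const uint8_t *blocks[2] = {RAM_ORIG, RAM_BFOX};
    for (int i = 0; i < 2; i++) {
        struct rus_ram r; int y, m, d, y2, m2, d2;
        rus_ram_parse(blocks[i], &r);
        rus_date_from_day(r.expiry_day, &y, &m, &d);
        rus_date_from_day(r.lastuse_day, &y2, &m2, &d2);
        printf("expiry 0x%04X = %04d-%02d-%02d, last use 0x%04X = %04d-%02d-%02d, %d days\n",
               r.expiry_day, y, m, d, r.lastuse_day, y2, m2, d2, rus_ram_days_left(blocks[i]));
    }
    return 0;
}
```

The epoch is the weakest assumption in the block: it is consistent with every pair of counter and calendar date the thread posts, but a dongle from another vendor, or a different RUS version (the RUS_FIB VERSION bytes differ between the dumps here), could use another base day, so check one known date from the target before trusting the conversion.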
Do you have any reason to suspect that they are taking the CRC of a permuted array? It seems much more likely to me that it is a non-standard CRC algorithm or a different hash than a permutation.
Git
kodyazan
09-06-2008, 05:38 PM
Git,
It was toro who made me think that it may be a simple CRC, by saying:
"the constant block relates to some kind of CRC of expdate and slots and the variable block relates to some kind of CRC of the latest date of use of the program."
Now I am 100% convinced that it is not the standard CRC16. (Brute force of all permutations of the constant and variable block says so.) Also there are "4 bytes" (not 2 bytes) of dynamic/variable/unpredictable bytes in both of those blocks, which also proves that it is not any kind of -interrelated- CRC16.
I believe you that there may be something different.
The point I came to:
I think we have nothing in our hands except debugging hlvdd.dll or (better) debugging the static library for gcc (hlw32_gc.lib).
I found that hlw32_gc.lib (hlvdd.dll) is not extremely obfuscated, or at least its logical functions may be reached. (Being UPX packed is not a problem.)
With half a day of debugging, I can say that:
-hlvdd.dll compares the current time with 1998.
Reaching and manipulating time values is easy. So it must not be very difficult to find the function where (how) the hash/CRC algo goes, even if there are some juicy secrets as you say.
-In hlvdd.dll, during the hlm_checkexpdate process, it reaches the vendor key. "After a successful hlm_login", if you change one byte of the vendor key, then an "error message" appears. This may mean that the algorithm touches the v​endor key.
I want to reverse hlvdd.dll but I have no time/motivation for this game which was already solved 4 years ago, and is probably known to lots of people.
But, for tonight, you forced me -again- to put a breakpoint on the memory area where the expiry date is stored.
kodyazan
09-07-2008, 02:28 PM
@Git, @Bfox,
This is the CRC function in the driver (hlvdd.dll) which calculates the CRC of the vendor key array (in two separate parts: 12 bytes first, then 35 bytes after some transformations). It also calculates the CRC of RUS_FIB.
//In the C code below, register names are used as variable names to make the assembler code easier to read and check.
//It is very handmade but should work. Corrections are welcome. The original assembly code of the driver lies at the bottom.
//kodyazan
#include <stdio.h>
//Simplified 16-entry CRC table (read from 00425400, one dword per entry; only the low word is used).
//These are the one-nibble entries of the reflected 0x8005 polynomial table, i.e. the same CRC-16 as the RUS_FIB check.
static const unsigned short crc_table[16] = {
0x0000,0xCC01,0xD801,0x1400,
0xF001,0x3C00,0x2800,0xE401,
0xA001,0x6C00,0x7800,0xB401,
0x5000,0x9C01,0x8801,0x4400
};
//Mirrors the loop at 00414D7C..00414DE3: two input bytes per pass, each byte folded in low nibble first, then high nibble.
//The asm indexes [EBX+EAX*4] because the table entries are dword-spaced; a C array of shorts is indexed by the nibble directly.
//len must be even (EDI is compared with EBP = len in steps of 2).
unsigned short CRC_function_in_driver(const unsigned char *array, unsigned int len)
{
unsigned short cx = 0;   //running CRC, register CX
unsigned int esi = 0;    //input index, register ESI
unsigned int edi;        //loop counter, register EDI
unsigned char dl;        //current input byte, register DL
for (edi = 0; edi < len; edi += 2)
{
dl = array[esi];
cx = (cx >> 4) ^ crc_table[cx & 0x0f];   //MOV EAX,ECX / AND EAX,0F / SHR CX,4 / XOR CX,[EBX+EAX*4]
cx ^= crc_table[dl & 0x0f];              //low nibble of the byte
dl >>= 4;
cx = (cx >> 4) ^ crc_table[cx & 0x0f];
cx ^= crc_table[dl];                     //high nibble (MOVZX EAX,DL)
dl = array[esi + 1];
cx = (cx >> 4) ^ crc_table[cx & 0x0f];
cx ^= crc_table[dl & 0x0f];
dl >>= 4;
cx = (cx >> 4) ^ crc_table[cx & 0x0f];
cx ^= crc_table[dl];
esi += 2;
}
return cx;                               //the posted version never returned the result
}
--Below is the original assembly code--
00414D7B | 90 NOP
00414D7C |> 89C8 MOV EAX,ECX
00414D7E |. 8A16 MOV DL,BYTE PTR DS:[ESI]
00414D80 |. 83E0 0F AND EAX,0F
00414D83 |. 66:C1E9 04 SHR CX,4
00414D87 |. 66:330C83 XOR CX,WORD PTR DS:[EBX+EAX*4]
00414D8B |. 83C7 02 ADD EDI,2
00414D8E |. 89D0 MOV EAX,EDX
00414D90 |. 83E0 0F AND EAX,0F
00414D93 |. C0EA 04 SHR DL,4
00414D96 |. 66:330C83 XOR CX,WORD PTR DS:[EBX+EAX*4]
00414D9A |. 89C8 MOV EAX,ECX
00414D9C |. 83E0 0F AND EAX,0F
00414D9F |. 66:C1E9 04 SHR CX,4
00414DA3 |. 66:330C83 XOR CX,WORD PTR DS:[EBX+EAX*4]
00414DA7 |. 0FB6C2 MOVZX EAX,DL
00414DAA |. 66:330C83 XOR CX,WORD PTR DS:[EBX+EAX*4]
00414DAE |. 89C8 MOV EAX,ECX
00414DB0 |. 8A56 01 MOV DL,BYTE PTR DS:[ESI+1]
00414DB3 |. 83E0 0F AND EAX,0F
00414DB6 |. 66:C1E9 04 SHR CX,4
00414DBA |. 66:330C83 XOR CX,WORD PTR DS:[EBX+EAX*4]
00414DBE |. 83C6 02 ADD ESI,2
00414DC1 |. 89D0 MOV EAX,EDX
00414DC3 |. 83E0 0F AND EAX,0F
00414DC6 |. C0EA 04 SHR DL,4
00414DC9 |. 66:330C83 XOR CX,WORD PTR DS:[EBX+EAX*4]
00414DCD |> 89C8 MOV EAX,ECX
00414DCF |. 83E0 0F AND EAX,0F
00414DD2 |. 66:C1E9 04 SHR CX,4
00414DD6 |. 66:330C83 XOR CX,WORD PTR DS:[EBX+EAX*4]
00414DDA |. 0FB6C2 MOVZX EAX,DL
00414DDD |. 66:330C83 XOR CX,WORD PTR DS:[EBX+EAX*4]
00414DE1 |. 39EF CMP EDI,EBP
00414DE3 |.^72 97 JB SHORT myrus.00414D7C
---And the 16-entry CRC table the code above uses:----
00425400 00 00 00 00 01 CC 00 00 01 D8 00 00 00 14 00 00
00425410 01 F0 00 00 00 3C 00 00 00 28 00 00 01 E4 00 00
00425420 01 A0 00 00 00 6C 00 00 00 78 00 00 01 B4 00 00
00425430 00 50 00 00 01 9C 00 00 01 88 00 00 00 44 00 00
kodyazan
09-07-2008, 09:38 PM
27,0E,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,02,DA,06,54,5C,0D,00,00,00,00,44,64,ED,36
New expdate above: 2/12/2008.
Although what I found is useless to me,
talking with other coders, I became convinced that I have to respect people who also spent lots of time on this subject.
But if you really love a girl and try to save her life, your
solution is already in this thread (last sentence of post #38).
Thank you Git, Bfox for sharing your valuable experiences.
And benito, for your encouraging last PM.
excelance
02-09-2009, 07:34 AM
dat reg update
don_007
02-09-2009, 08:03 AM
your lic file is valid for one year only
excelance
02-09-2009, 08:39 AM
update lic files.
kodyazan
02-09-2009, 03:28 PM
You need the vendor key to update the lic.
The vendor key is 47 bytes, embedded in your protected software.
don_007
02-09-2009, 04:31 PM
yeah, absolutely right
kaka.enine
02-26-2009, 09:13 AM
Can anyone update my hardlock license??? :D :D
BR,
-kaka-
kodyazan
02-26-2009, 09:13 PM
If you know the vendor key and have a dump, I can.
Finding the vendor key may be hard/easy depending on whether your software is protected/not protected. (And I cannot find the VK for you.)
kaka.enine
02-27-2009, 08:38 AM
How exactly do I have to go about getting the vendor key...??? :confused:
I have a dump... and already succeeded in emulating this stuff...
just wondering how to make the license unlimited....
....
....
....
BTW... wanted to ask about *.key licenses???
Does anybody know what kind of protection style this is???
sorry for asking this in your hardlock thread kody... :D
BR,
-kaka-
kodyazan
02-28-2009, 02:57 PM
How exactly do I have to go about getting the vendor key...??? :confused:
just wondering how to make the license unlimited....
With OllyDbg or hiew32.exe find something like:
push 89A7A8 ---> vendor key address
push 89B530 ---> VerKey address
push 89B528 ---> RefKey address
push 001
push 00000DEAD ---> mod address
e8314d2600 ;call hvldd.54
Go to the vendor key address (89A7A8) and you will see 47 bytes.
excelance
02-28-2009, 06:24 PM
Thank you kodyazan.....
kaka.enine
03-01-2009, 12:21 AM
thanks for the steps ...
BR,
-kaka-
mindoverflow
08-15-2009, 07:30 PM
I'm not getting it; I must be missing something.
I don't see the use of the vendor key, as you're not editing it. I also tried to CRC your RAM; in no way am I getting it right, not even the CRC of my vendor key. Is the CRC table the same for all programs? I guess it is, as it's from hlvdd. I haven't yet traced hlvdd.
Could someone please enlighten me. My RAM looks like:
F6,0F,00,00,00,00,FB,FF,FF,FF,FF,00,00,00,00,00,
00,00,A7,4B,9B,75,42,0E,00,00,00,00,FF,0E,E2,EB
Bye
@mindoverflow: upload your target software and dump...
mindoverflow
08-16-2009, 06:34 AM
Here is the dump I'm using in MultiKey:
[HKEY_LOCAL_MACHINE\System\CurrentControlSet\MultiKey\Dumps\00000DC2]
"Name"="HARDLOCK (new) dump"
"Copyright"="None"
"Created"="1 Jul 2008"
"DongleType"=dword:00000002
"ID"=dword:12345671
"withMemory"=dword:00000001
"Seed1" =dword:00002A3B
"Seed2" =dword:000030FC
"Seed3" =dword:0000CE96
"HlkMemory"=hex:\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,0F,DE,B5,03,00,00,00,00,00,00,16,00,85,A8,
F6,0F,00,00,00,00,FB,FF,FF,FF,FF,00,00,00,00,00,\
00,00,A7,4B,9B,75,42,0E,00,00,00,00,FF,0E,E2,EB
The vendor key should be:
0xf7, 0xc9, 0x90, 0x43,
0xbf, 0x6d, 0xef, 0x0b,
0x9b, 0x4a, 0x76, 0xd1,
0x18, 0xb4, 0x55, 0x26,
0x09, 0x39, 0xc6, 0xdd,
0xea, 0xe5, 0x92, 0x23,
0xf2, 0xb8, 0x5e, 0xeb,
0x65, 0xfc, 0x57, 0x88,
0x6d, 0xf3, 0xda, 0xed,
0x4a, 0x8f, 0x7a, 0xbf,
0x54, 0x2b, 0xa5, 0x0d,
0xf8, 0x65, 0x0a
I'm not looking for someone to do it for me, I would like to know how it's done.
Thanks
0x8DC2? I thought the Hardlock MODAD was between 0x0001 and 0x7FFF?
Git
mindoverflow
08-16-2009, 07:35 AM
Sorry for the mistake, the MODAD is 0DC2, but the dump is the right one.
Is HLM_LOGIN() succeeding for you? I am getting error 21 RUS_INVALID_LIC. Can you double-check the VC and Seeds please?
Git
mindoverflow
08-16-2009, 09:08 AM
It seemed strange to me too; I thought it was because I tried to force it to expire, but there was a backslash missing at the end of the ROM data. This should work fine:
"HlkMemory"=hex:\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,0F,DE,B5,03,00,00,00,00,00,00,16,00,85,A8,\
F6,0F,00,00,00,00,FB,FF,FF,FF,FF,00,00,00,00,00,\
00,00,A7,4B,9B,75,42,0E,00,00,00,00,FF,0E,E2,EB
Sorry again.
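The missing backslash above silently cuts the HlkMemory value short, because a .reg hex value only continues onto the next line when the current line ends with a backslash. As an added example (my code, not MultiKey's or the thread's), the parser below reads the value the way a .reg import joins it, and shows the difference between the two versions of the dump posted here: the broken one yields 96 bytes, the fixed one the full 128, whose last 32 bytes are exactly the "My RAM" line from the earlier post. The sample text is the dump from this thread, with only the trailing backslash toggled; the assumption that the last 32 bytes are the RAM is taken from the earlier post, not from any MultiKey documentation.

```python
import re

# The dump from the thread, with "{cont}" standing in for the backslash that
# was missing at the end of the 6th memory line in the first version.
DUMP_TEMPLATE = r"""[HKEY_LOCAL_MACHINE\System\CurrentControlSet\MultiKey\Dumps\00000DC2]
"Name"="HARDLOCK (new) dump"
"DongleType"=dword:00000002
"ID"=dword:12345671
"withMemory"=dword:00000001
"Seed1" =dword:00002A3B
"Seed2" =dword:000030FC
"Seed3" =dword:0000CE96
"HlkMemory"=hex:\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,0F,DE,B5,03,00,00,00,00,00,00,16,00,85,A8,{cont}
F6,0F,00,00,00,00,FB,FF,FF,FF,FF,00,00,00,00,00,\
00,00,A7,4B,9B,75,42,0E,00,00,00,00,FF,0E,E2,EB
"""
FIXED_DUMP = DUMP_TEMPLATE.replace("{cont}", "\\")   # as corrected in the thread
BROKEN_DUMP = DUMP_TEMPLATE.replace("{cont}", "")    # as first posted

RAM_LEN = 32   # the thread's "My RAM" is the last 32 bytes of HlkMemory (assumption from the post)


def parse_reg_hex(reg_text: str, value_name: str) -> bytes:
    """Decode a "name"=hex:... value.  A line that ends in a backslash continues
    on the next line; a line without one terminates the value, which is exactly
    how the missing backslash truncated the dump."""
    lines = reg_text.splitlines()
    pattern = re.compile(r'\s*"%s"\s*=\s*hex:(.*)$' % re.escape(value_name))
    for i, line in enumerate(lines):
        m = pattern.match(line)
        if not m:
            continue
        chunks, rest = [], m.group(1)
        while True:
            rest = rest.strip()
            continues = rest.endswith("\\")
            chunks.append(rest.rstrip("\\"))
            i += 1
            if not continues or i >= len(lines):
                break
            rest = lines[i]
        hexbytes = [h for h in "".join(chunks).replace(" ", "").split(",") if h]
        return bytes(int(h, 16) for h in hexbytes)
    raise KeyError(value_name)


def parse_reg_dword(reg_text: str, value_name: str) -> int:
    """Decode a "name"=dword:XXXXXXXX value (the dump has a space before '=' on the seeds)."""
    m = re.search(r'"%s"\s*=\s*dword:([0-9A-Fa-f]{1,8})' % re.escape(value_name), reg_text)
    if not m:
        raise KeyError(value_name)
    return int(m.group(1), 16)


def summarize_dump(reg_text: str) -> dict:
    """Pull out what the thread argues about: MODAD from the key path, the seeds,
    the memory length and the RAM tail."""
    key = re.search(r"\\Dumps\\([0-9A-Fa-f]+)\]", reg_text)
    mem = parse_reg_hex(reg_text, "HlkMemory")
    return {
        "modad": int(key.group(1), 16) if key else None,
        "id": parse_reg_dword(reg_text, "ID"),
        "seeds": [parse_reg_dword(reg_text, "Seed%d" % n) for n in (1, 2, 3)],
        "mem_len": len(mem),
        "ram": mem[-RAM_LEN:] if len(mem) >= RAM_LEN else b"",
    }


if __name__ == "__main__":
    for label, text in (("broken", BROKEN_DUMP), ("fixed", FIXED_DUMP)):
        s = summarize_dump(text)
        print(label, hex(s["modad"]), s["mem_len"], "bytes, RAM:", s["ram"].hex())
```

Checking the decoded length before loading a dump into the emulator catches this class of mistake immediately, whereas the emulator only reports it later as a failed login.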
mindoverflow
08-17-2009, 02:02 PM
@Git and @bFox,
There was no reply from you about the subject. I'm planning to start working on it, then; is there anything you could say before I spend some precious time?
Thanks.
@mindoverflow: I'm not seeing sp0raw's dump and target...
mindoverflow
08-17-2009, 02:14 PM
To upload the target would be space consuming and useless as long as the VKey is correct, and about the dump, the reg file that I inserted into the message is fully working.
If it's all in your hands, try and get happy...
mindoverflow
08-17-2009, 02:22 PM
OK, thanks anyway, but if I succeed, then I'll make it public.
Many thanks.
mindoverflow
08-19-2009, 09:46 AM
@koolguy,
I haven't yet taken a deep look inside it, but one of my ideas is: if you can't spot the right CRC algorithm, because it seems there is more than one, then try something similar to serial fishing. Find where the CRC result is being checked, then change your RUS data without caring about the CRC, run your program and take note of the value being compared, then simply copy it to your dump.
It would probably work, but I'm not sure.
Good luck
mindoverflow
08-19-2009, 01:06 PM
Well, I've just tried what I told you, and it's a total success.
I wrote a small program that calls hl_login() and hlm_checkexpdate(), ran it and put a memory breakpoint on the dump's CRC after it was loaded, kept it running, and it stopped at:
201B1CC: MOV EAX, [EBP+EBX-04]
201B1D0: SUB EAX, EDI <-- here, edi contains the calculated CRC
201B1D2: MOV ESI, 00000000
201B1D7: CMP EAX, +01
..............
Then I copied it to the dump, and it's done.
I think I have kept half of my promise until now by making it public; what remains is the CRC algorithm, something I doubt I'll get to due to lack of time, and my rusty neurons add to this the discouraging long CRC calculating routines that I just saw scrolling by. Anyway, I judge it useful enough up to here.
Next time I'll try to do the same with the last-use-time CRC, to produce the dump of a clean new dongle, because I'm having a doubt about it in my case.
And thanks to Git and Bfox for not sharing. @Bfox, see, you don't need the software files ;-)
Have fun.
@mindoverflow: the RUS options of Hardlock have not been a secret for me for a long time... get happy by your own hand. :D
PS: use the target software only for collections
Well done mindoverflow, finally I see one guy in this forum who did something with his own hands :)
By the way, you have to continue to find another position for the dongle serial number.
mindoverflow
08-19-2009, 05:05 PM
Thanks TORO, I don't understand what you mean by:
you have to continue to find another position for the dongle serial number.
And to the public:
About the RUS_FIB, the algorithm is short and easy. The problem is that I found it was different from the one reported by kodyazan, but maybe I did something wrong, because even with the one I made I got a problem when I wrote it in C, as I wasn't handling the register data sizes correctly, something I noticed only once I wrote it in assembly. Here it is:
; NASM syntax, 32-bit.  Computes the 16-bit CRC over the sample RUS_FIB
; bytes four bits at a time with the 16-entry table.
section .data
crc_t:  dd 0x0000,0xCC01,0xD801,0x1400      ; same as kodyazan's table
        dd 0xF001,0x3C00,0x2800,0xE401
        dd 0xA001,0x6C00,0x7800,0xB401
        dd 0x5000,0x9C01,0x8801,0x4400
dump:   db 0x0F,0xDE,0xFF,0x0F,0x00,0x00,0x00,0x00,0x00,0x00,0x16,0x00
        ; a sample RUS_FIB; its CRC is computed over these 12 bytes

section .text
global rus_fib_crc
rus_fib_crc:                 ; returns the CRC in ax
    push ebx                 ; keep the callee-saved registers we clobber
    push esi
    push edi
    push ebp
    xor eax, eax             ; ax = running CRC, starts at 0
    xor ecx, ecx
    xor ebp, ebp
    xor edx, edx             ; important to zero them:
    xor ebx, ebx             ; they falsed my first result
    mov esi, 0xc             ; size of the data
    mov edi, dump
crc_loop:
    mov cl, [edi]            ; cl = current data byte
    xor ebp, ebp
    mov bp, ax               ; bp = crc
    mov dl, cl
    shr ax, 4                ; ax = crc >> 4
    and ebp, 0x0f            ; ebp = crc & 0xf
    and dl, 0x0f             ; dl = low nibble of the byte
    xor ebx, ebx
    mov bl, dl               ; ebx = byte & 0xf
    and cl, 0xf3             ; keep the high nibble; bits 1..0 fall off below
    shr cl, 2                ; cl = (byte >> 4) * 4, already a dword offset
    inc edi
    mov edx, [ebx*4+crc_t]   ; edx = T[byte & 0xf]
    xor ebx, ebx
    xor dx, ax               ; dx ^= crc >> 4
    xor eax, eax
    xor dx, [ebp*4+crc_t]    ; dx ^= T[crc & 0xf]  -> crc after the low nibble
    mov al, cl
    mov bx, dx               ; bx = crc
    mov eax, [eax+crc_t]     ; eax = T[byte >> 4] (cl already holds index*4)
    shr dx, 4                ; dx = crc >> 4
    and ebx, 0x0f            ; ebx = crc & 0xf
    xor ax, dx               ; ax ^= crc >> 4
    xor ax, [ebx*4+crc_t]    ; ax ^= T[crc & 0xf]  -> crc after the high nibble
    dec esi
    jnz crc_loop
    pop ebp
    pop edi
    pop esi
    pop ebx
    ret                      ; ax holds the checksum
Check ax for the checksum.
If not, you could use the same method as for EXPDATE. Is this what TORO was talking about?
Bye
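As an added example (mine, not code from the thread, MultiKey or hlvdd), the script below carries the routine from the post above into Python and checks what it actually computes. Two steps per byte with that 16-entry table, low nibble first, are the standard reflected CRC-16 with polynomial 0xA001 and zero initial value, so the same result comes out of a plain bit-serial implementation, and the table is the one any 0xA001 nibble table has (which is the answer to the earlier question of whether the table is program specific). The `fib_*` helpers then do what the post recommends for a modified RUS_FIB: recompute the checksum and write it back. The 12-byte sample is the one from the post; that the checksum is stored little-endian in the two bytes after the data is my assumption, to be checked against the real dump before relying on it.

```python
# Nibble table posted in the thread (same as kodyazan's).
CRC_T = [0x0000, 0xCC01, 0xD801, 0x1400, 0xF001, 0x3C00, 0x2800, 0xE401,
         0xA001, 0x6C00, 0x7800, 0xB401, 0x5000, 0x9C01, 0x8801, 0x4400]

# The 12 sample bytes from the post ("a sample RUS_FIB").
SAMPLE_FIB = bytes.fromhex("0FDEFF0F0000000000001600")


def crc16_nibble(data: bytes, crc: int = 0) -> int:
    """The routine from the assembly: per byte, one table step on the low
    nibble, then one on the high nibble.  T[a]^T[b] == T[a^b] for a CRC table,
    which is why the assembly can look up the byte nibble and the crc nibble
    separately and xor the two entries."""
    for b in data:
        crc = (crc >> 4) ^ CRC_T[(crc ^ b) & 0x0F]
        crc = (crc >> 4) ^ CRC_T[(crc ^ (b >> 4)) & 0x0F]
    return crc & 0xFFFF


def crc16_bitwise(data: bytes, crc: int = 0, poly: int = 0xA001) -> int:
    """Reference: bit-serial reflected CRC-16 (CRC-16/ARC when crc starts at 0)."""
    for b in data:
        crc ^= b
        for _ in range(8):
            crc = (crc >> 1) ^ poly if crc & 1 else crc >> 1
    return crc & 0xFFFF


def build_nibble_table(poly: int = 0xA001) -> list:
    """Derive the 16-entry table from the polynomial: each entry is nibble i
    pushed through four reflected shift steps."""
    table = []
    for i in range(16):
        crc = i
        for _ in range(4):
            crc = (crc >> 1) ^ poly if crc & 1 else crc >> 1
        table.append(crc)
    return table


def fib_with_crc(body: bytes) -> bytes:
    """Append the checksum; little-endian byte order is an assumption."""
    c = crc16_nibble(body)
    return body + bytes([c & 0xFF, c >> 8])


def fib_is_valid(block: bytes) -> bool:
    """True when the trailing two bytes match the CRC of everything before them."""
    body, tail = block[:-2], block[-2:]
    return crc16_nibble(body) == (tail[0] | (tail[1] << 8))


def patch_fib(block: bytes, offset: int, new_bytes: bytes) -> bytes:
    """Overwrite bytes inside the data part and re-seal the block, i.e. the
    'change the data, then recalculate the RUS_FIB CRC' step from the post."""
    body = bytearray(block[:-2])
    if offset < 0 or offset + len(new_bytes) > len(body):
        raise ValueError("patch outside the data part")
    body[offset:offset + len(new_bytes)] = new_bytes
    return fib_with_crc(bytes(body))


if __name__ == "__main__":
    print("sample crc: %04X" % crc16_nibble(SAMPLE_FIB))
    sealed = fib_with_crc(SAMPLE_FIB)
    print("sealed:", sealed.hex(), "valid:", fib_is_valid(sealed))
    patched = patch_fib(sealed, 2, b"\x3B\x00")
    print("patched:", patched.hex(), "valid:", fib_is_valid(patched))
```

The check value of CRC-16/ARC over the ASCII string "123456789" is 0xBB3D; getting that from `crc16_nibble` is the quickest way to confirm a reimplementation of the routine matches, before arguing about which bytes of the dump it covers.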
kooolguy
08-20-2009, 12:26 PM
@toro & mindoverflow
Hi,
The RUS function is still very confusing for me. Can somebody guide me further on this? Thanks
mindoverflow
08-20-2009, 05:45 PM
Hi,
What do you need about RUS? To understand it, or to change your dump's expiry date?
Personally I don't know its algorithms either, but to change the data and then let hlvdd.dll work for you, I have said almost everything about how to do it. If you want to know something precise, then be more specific; I'll try to help as much as I can.
regards.
kooolguy
08-20-2009, 10:39 PM
@mindoverflow
Hi,
I am using software which is protected by Hardlock. I was able to make the emulator for the previous versions successfully. The new software version is not working with the same emulator. There has been no licence file update or dongle update by the software manufacturer from the previous version to the new version.
The emulator was made using sp0raw's dumper and MKey.
After searching through reteam and asking around, I was told that it is using the RUS function. Please advise.
Note: there is no date expiry problem.
Thanks
mindoverflow
08-21-2009, 04:32 PM
From what you said I understand that you can use the same dongle for both versions. If that's the case, then if your emulator works with the old version, your emulator is fine, and you don't have to worry about it.
But what I think is that the two versions use 2 different dongles, and the old one is updated using RUS. Then it would not be the same.
Make the dump of a working new version. If you don't have it, then you could use a debugger to see what is being checked; once you know, change it in your dump and use the algorithm that I posted to recalculate the RUS_FIB's CRC (last bytes of the ROM), and if you need to modify the RAM use the other method.
Good luck.
moker
02-11-2011, 04:02 AM
How do I debug the target software to find the 47-byte vendor key? Can anyone tell me? Thanks a lot.
@moker: try studying the Hardlock API =)