Hello Friends

I want to ask a quactions I hava NoName.txt log file from hasploger and How I convert "QTable"=hex:\ and "ATable"=hex:\
I use haSploGer K-Di and have error can not convert I'm waiting your answer
Thanks

@oxxomoon - The answer for your unclear description is start to see the following image :

http://i37.tinypic.com/29cm9i1.png

Also find and read a file called Manual.txt of multikey emulator.

BR
SonofabiT

Lol!

Git

Nice one there SonofabiT!

:D:D:D:D

Share your experience with us,;)

Problem is finished I find How I convert thanks for funny answers

@oxxomoon - Then, you may share your new experience to besoeso :D

@ all - I still don't understand the meaning of a pair Table(single), 2 pair(s) Table, .... 5 pair(s) Table.

Let says that we have one pair table below :
... regfile
"QTable"=hex:\
42,84,... 84,AD,A4,\
"ATable"=hex:\
82,22,C2 ... 84,AD,A4,\

1. Then, am i right if we will write more than one(single) pair(s) Table like below ?
Let says 2 pair(s) Table for instance.
... regfile
"QTable"=hex:\
42,84,... 84,AD,A4,\
"ATable"=hex:\
82,22,C2 ... 84,AD,A4,\

"QTable"=hex:\
12,34,... 9A,BC,DE,\
"ATable"=hex:\
11,22,33 ... 44,55,55,\

2. If there are 5 max pair(s) Table, Does't it mean we should write 5 "QTable" and 5 "ATable" notations ?

3. Could anyone please explain a little bit clear about "Master Pair(s) Table" ?

I am sory for my funny questions because i 've been confused.

P.S. i 've refered to : http://reteam.org/board/showpost.php?p=5246&postcount=1

We are talking about the earlier format that MultiKey does NOT use any more. "QTable" and "ATable" are the names of that segment of the registry file and each must only appear ONCE only. The emulator knows that each entry after the name is 16, 32 or 48 bytes long, but becuase of the way the encryption is used, it reads the entries as 16 bytes each. So, 5 pairs means there would be 80 values under QTable and 80 values under ATable. a 'pair' is 16 byes from the same line number from each table. The QTable and ATable are for decryption. For encryption it used QEncTable and AEncTable

At version 18, MultiKey changed to a new form of entry, where each pair is on one line

"0123456789ABCDEF0123456789ABCDEF"=hex:12,34,56,78,90,AB,CD,EF,12,34,56,78,90,AB,CD, EF

The left side is the 16 bytes from QTable and the right side is the 16 bytes from ATable. They appear together under the registry entry name 'DTable'. The D is for Decryption. So, DTable is the old QTable and ATable. ETable is the old QEncTable and AEncTable.

Summary. Let's say we have a log which has 2 entries :

================================================== ================
2008/01/13 07:37:21.281 <== Application: Advisor.exe
2008/01/13 07:37:21.281 <== HaspHL_decrypt: Pass1 = 0x29D7 (10711), Pass2 = 0x414F (16719)
2008/01/13 07:37:21.296 <== HaspHL_decrypt: Length = 0x10
2008/01/13 07:37:21.296 <== HaspHL_decrypt: Input Data =
2008/01/13 07:37:21.296
39 73 42 B0 | 4D F2 76 F1 | E2 04 16 90 | 99 D2 1E 60 [9sB.M.v........`]

2008/01/13 07:37:21.343 ==> HaspHL_decrypt: Output Data =
2008/01/13 07:37:21.343
00 0B 95 AD | 06 37 B8 BF | 4F 73 88 31 | 42 16 7F 8E [.....7..Os.1B..]

2008/01/13 07:37:21.343 ==> HaspHL_decrypt: Status = 0x00
================================================== ================
2008/01/13 07:37:21.406 <== Application: Advisor.exe
2008/01/13 07:37:21.406 <== HaspHL_decrypt: Pass1 = 0x29D7 (10711), Pass2 = 0x414F (16719)
2008/01/13 07:37:21.421 <== HaspHL_decrypt: Length = 0x10
2008/01/13 07:37:21.421 <== HaspHL_decrypt: Input Data =
2008/01/13 07:37:21.421
6F 5F EF 0D | 38 0F 77 61 | 07 FA 89 1C | D8 CD 22 D7 [o_..8.wa......".]

2008/01/13 07:37:21.468 ==> HaspHL_decrypt: Output Data =
2008/01/13 07:37:21.468
C8 BF 21 FD | BA D5 8E B3 | 9E CA 61 CF | EF 6B 50 F8 [..!.......a..kP.]

2008/01/13 07:37:21.593 ==> HaspHL_decrypt: Status = 0x00
================================================== ================

The first entry tells you that the hasphl_decrypt function is being called with Question data :
39 73 42 B0 4D F2 76 F1 E2 04 16 90 99 D2 1E 60 (call it Q1)

And it replies with Answer :
00 0B 95 AD 06 37 B8 BF 4F 73 88 31 42 16 7F 8E (call it A1)

The second entry call hasphl_decrypt with Question :
6F 5F EF 0D 38 0F 77 61 07 FA 89 1C D8 CD 22 D7 (call it Q2)

And it replies with Answer :
C8 BF 21 FD BA D5 8E B3 9E CA 61 CF EF 6B 50 F8 (call it A2)

MultiKey V17 and other emulators would expect these registry entries :

"QTable"=hex:\
39,73,42,B0,4D,F2,76,F1,E2,04,16,90,99,D2,1E,60,\
6F,5F,EF,0D,38,0F,77,61,07,FA,89,1C,D8,CD,22,D7

"ATable"=hex:\
00,0B,95,AD,06,37,B8,BF,4F,73,88,31,42,16,7F,8E,\
C8,BF,21,FD,BA,D5,8E,B3,9E,CA,61,CF,EF,6B,50,F8

So QTable has Q1 and Q2. ATable has A1 and A2.

In MultiKey V18, the format changed. The same 2 pairs would now be expressed like this :

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\MultiK ey\Dumps\12345678\DTable]
"10:397342B04DF276F1E204169099D21E60"=hex:00,0B,95,AD,06,37,B8,BF,4F,73,88,31,42,16,7F, 8E
"10:6F5FEF0D380F77610 FA891CD8CD22D7"=hex:C8,BF,21,FD,BA,D5,8E,B3,9E,CA,61,CF,EF,6B,50, F8

The 10: at the start tells the emulator that the entry is 0x10 hexadecimal = 16 bytes long. It could be 32 or 48 also, which would then have 20: or 30: at the start. The Question becomes the name of the entry and it's matching Answer becomes the data. This way, Q and matching A are kept together. Earlier, people would individually sort the Q list and the A list and suddenly it would not work, because a given line did not have a matching pair.

If your log contains also hasphl_encrypt entries, then it is just the same.QTable is replaced by QEncTable, ATable replaced by AEncTable. For V18,

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\MultiK ey\Dumps\12345678\DTable]
is replaced by :
[HKEY_LOCAL_MACHINE\System\CurrentControlSet\MultiK ey\Dumps\12345678\ETable]

One other small point to make this post worth coming back to. The '\' backslash at the end of a line. It is nothing more than a separator or continuation marker. A very big line can be split into multiple lines as long as every line EXCEPT the LAST ends in a \ . Also look at the use of commas. Even data at the end of a line has a comma EXCPET the very data entry. So a comma separates individual data elements in a registry value.

Git

Search Tags : HaspHL Hasp HL Log pairs Table Tables pair

Everybody think I'm Stupid man if i said this question.


"How to use Multikey to make a reg file I don't know what command to use it?

I need reg file like "GIT" Show from Multikey 18 How I can do like that??"

I think everybody right because I'm stupid man really

Tell me please I try it all 48 hours past (no sleep)

2vaingum

There is nothing stupid in learning. First ask more specific questions. For your one the answer is:
dump -> convert -> collect Q/A if necessary -> REG.

In any case, here is latest MultiKey 18.1 (http://rapidshare.com/files/235280513/mk18.1.7z) from Elite_r with samples and Q/A converting tool.
Pass: ru-board

Thank you y8y8y8y

I'm stupid man really because I don't know how to use it

I haven't study in com sci or IT I do from example and try

I try to learning by myself and google

I don't know command in dos I try to make .bat file from notepad and save in .bat but it's not work

in last i sorry in eng language i'm Thai


Thank you for your help y8y8y8y

Please don't post the same message in more than one place. If you have a new question to ask then start a new thread.

Git

Search Tags : HaspHL Hasp HL Log pairs Table Tables pair
Hello guys
I am waiting for answers from experienced user for my 3 questions in this post : http://reteam.org/board/showpost.php?p=16273&postcount=15
On that post, i have used multikey 0.16.1.0. Now i will try to use the new multikey 0.18.1.0 - release and i wish my problem on that post would be solved.

I 've search and read many archieve. Until i 've found a little clear reference here : http://reteam.org/board/showpost.php?p=16170&postcount=8

Actualy, my problem here is very simply. I am still confusing while i want to manage DTable/ETable notation for the use of Multikey 0.18.1.0. The Query-Respond which i would extract is from .master pair(s) Table. I other words, not from log.txt which is usualy be catched from Xyrurg&Sataron's Hasp Loger 1.71 or Toro's Hasp Monitor 3.2.

Let said that the following bytes long represent a single Master Pair Table which i had been extracted. ;)
0000h : A1 11 22 33 44 55 66 77 88 99 AA BB CC DD EE FF \
..... : .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. > A
..... : FF EE DD CC BB AA 99 88 77 66 55 44 33 22 11 01 /
..... : 01 AA BB CC DD EE FF 11 22 33 44 55 66 77 88 99 \
..... : .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. > Q
0FF0h : 11 01 FF EE DD CC BB AA 99 88 77 66 55 44 33 22 /

I usualy use multikey 0.16.1.0 because i have been confortable with the use of a hex editor to export the .bin into .txt file. Also, A Hexeditor usualy provide an option to export a large Bytes of .hex into .txt. I am glad that there is an option to split the "Bytes per Row" = 10h. Next i edit the .txt by hand :mad: and will get the following result :
"QTable"=hex:\
01,AA,BB,CC,DD,EE,FF,11,22,33,44,55,66,77,88,99,\
.. .. .. .. .. .. .. .. .. .. .. .. .. .. .. ..,\
11 01 FF EE DD CC BB AA 99 88 77 66 55 44 33 22

"ATable"=hex:\
A1,11,22,33,44,55,66,77,88,99,AA,BB,CC,DD,EE,FF,\
.. .. .. .. .. .. .. .. .. .. .. .. .. .. .. ..,\
FF EE DD CC BB AA 99 88 77 66 55 44 33 22 11 01
Now, I am confusing while i will use the Decrypt/Encrypt notation for the use of multikey 0.18.1.0. Now i need prespective if i would have wrong because i have been imagined that there would be two posibilities of Form, as follows :

1st Form :
I have imagined that my Decrypt entries will containt very large row because each row will containt 0x10 Bytes.
[HKEY_LOCAL_MACHINE\System\..................\DTabl e]
"10:01AABBCCDDEEFF112233445566778899"=hex:A1,11,22,33,44,55,66,77,88,99,AA,BB,CC,DD,EE, FF ; First RoW
"10:................................"=hex:..,..,..,..,..,..,..,..,..,..,..,..,..,..,.., ..
"10:1101FFEEDDCCBBAA9988776655443322"=hex:FF,EE,DD,CC,BB,AA,99,88,77,66,55,44,33,22,11, 01 ; Last Row
2st Form
I wonder that my Decrypt entries will containt only single row. While the single row will containt all bytes long, as follow :
[HKEY_LOCAL_MACHINE\System\..................\DTabl e]
"80:01AABBCCDDEEFF112233445566778899............... .................1101FFEEDDCCBBAA9988776655443322"=hex:A1,11,22,33,44,55,66,77,88,99,AA,BB,CC,DD,EE, FF,FF,EE,DD,CC,BB,AA,99,88,77,66,55,44,33,22,11,01 ; Large Bytes of DTable in a single row.

Questions : :confused:
1. I would be grateful if someone direct me which is the right form ? Or both of forms totaly wrong ?
2. Is the meaning of "Pair(s) Table (From log/monitor)" NOT same as "Master Pair(s) Table (From .protect section)" ?
3. If the answer will be "Yes" or "No", please explain me a little bit clear ?

I knew i should try them all to prove which is the right Form or both of them will totaly wrong. But it would be very long time for me because over the nights, i have ever done them by hand for Q/A Table notation of multikey 0.16.1.0. For a while, the basic concept would be enough for me. :)

BR
SonofabiT

I already posted a long reply to you describing just how to make the reg file for both MultiKey formats. You have not replied to that thread. Search my posts, read it, and ask specific questions.

In general, you would get better replies by by typing 80% less. There is just too much info to assimilate. Young people can't concentrate long enough and us oldies can't remember long enough!. That said, I am now going to post a really long message :)

Form 1 is correct
Form 2 is wrong.

Each line starts 10:, 20: or 30: . The DTable entry is made up from multiple lines, 1 line per pair.

Let me try to explain again :

Let me try different approach. Let the query be Q and let the answer be A. Each of Q and A have length of N bytes, N is always 0x10, 0x20 or 0x30. 0x10 = 16, 0x20 = 32 and 0x30 = 48. So, the table is made of many entries E1, E2, E3,... En:

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\MultiK ey\Dumps\12345678\DTable]
E1
E2
E3
...
En

Each entry, E looks like this :

"N:Q"=hex:A

Example :


N = 0x10 =16
Q = 12, 34, 56, 78, 90, AB, CD, EF, 12, 34, 56, 78, 90, AB, CD, EF
A = 01, 23, 45, 67, 89, AB, CD, EF, 01, 23, 45, 67, 89, AB, CD, EF

then our entry E1 looks like this :

"10:1234567890ABCDEF1234567890ABCDEF"=hex:01,23,45,67,89,AB,CD,EF,01,23,45,67,89,AB,CD, EF

Maybe we have another entry E2 :


Code:
10:00112233445566778899AABBCCDDEEFF"=hex:69,73,20,70,72,6F,67,72,A7,11,CF,F3,61,6E,6E, 6F

And a third entry with

N = 32
Q = 55,00,A9,34,CD,E5,D7,B6,19,56,85,15,F7,4D,32,36,95 ,EC,75,E8,C4,8F,6B,5D,98,80,F6,A8,8B,25,1C,48
A = 4F,8A,A7,A1,26,55,61,B3,1A,77,B4,A2,19,B3,34,FD,B7 ,BD,6F,B0,4E,E3,AD,73,51,C3,D9,13,0B,7F,0E,32

in this case, we have the full Query, but only first 16 bytes of Answer :

"20:5500A934CDE5D7B619568515F74D323695EC75E8C48F6B5 D9880F6A88B251C48"=hex:4F,8A,A7,A1,26,55,61,B3,1A,77,B4,A2,19,B3,34, FD

So now we put it together :


[HKEY_LOCAL_MACHINE\System\CurrentControlSet\MultiK ey\Dumps\12345678\DTable
"10:1234567890ABCDEF1234567890ABCDEF"=hex:01,23,45,67,89,AB,CD,EF,01,23,45,67,89,AB,CD, EF
"20:5500A934CDE5D7B619568515F74D323695EC75E8C48F6B5 D9880F6A88B251C48"=hex:4F,8A,A7,A1,26,55,61,B3,1A,77,B4,A2,19,B3,34, FD

So DTable is the name of the Registry Key. A Registry Key can have many Values. In this case, each Q/A pair is a Value. The name of the values, in our symbolism, is N:Q


Git

A specific question:

Because you don´t use Xyrurg&Sataron's Hasp Loger 1.71 or Toro's Hasp Monitor 3.2 for got pair values?

Please a response clearly and respectfully.

I already posted a long reply to you describing just how to make the reg file for both MultiKey formats. You have not replied to that thread. Search my posts, read it, and ask specific questions.
@Git - i apologize for all my mistake. I am on the very long journey so i can't replay your thread. I have searched your post and even found many posts but most of them only explain how to write Queries-Answer notations from LOG.TXT. I had knew about that before my first post in this forum !!!. Now i am dealing with very large of bytes to extract from a binary file !!!

In general, you would get better replies by by typing 80% less. There is just too much info to assimilate. Young people can't concentrate long enough and us oldies can't remember long enough!.
I understand .. pardon me.

Form 1 is correct
Thank your very much ... it would be long night for me. ;)

Let me try different approach. Let the query be Q and let the answer be A. Each of Q and A have length of N bytes, N is always 0x10, 0x20 or 0x30. 0x10 = 16, 0x20 = 32 and 0x30 = 48. So, the table is made of many entries E1, E2, E3,... En:
My God ..... You need not use different approach. Of course i already knew this explanation if i will manage reg from Xyrurg&Sataron haspLoger or Toro HaspMonitor manually (by hand). Even i can use log2Table.exe in order to manage these logs automatically into reg. Right now, i DO NOT deal with any LOGS.TXT ...

You should understand that i am asking N bytes from a binary file (not from xyrurg&sataron's hasloger or Toro's hasp monitor). I decide to write all N=0x10 because i don't have reasonable reason to write all row will be N=0x20 or all row will be N=0x30 or several row will be N=0x20 and else N=30 ????

From 4096 or more block binary file (Not from logs.txt), how i can decide to write several row will be N=0x10, N =0x20 and the other will be 0x30 ?

¿Anyone know how got values pairs without Xyrurg&Sataron's Hasp Loger 1.71 or Toro's Hasp Monitor 3.2? (Other method)

If you are dealing with 4096 byte envelope blocks extracted from binaries, then all are N=0x10

Git

@ Git - Yeeeeeeeesss ! Thank you....This is the answer that i want. Finally you understand what i mean.

[largest quotation ever seen by mankind removed]

Thank you very much,very clearly!

sungog - that is the worst quoting I have ever seen and totally unncecessary. Everybody can see the original message so there is no need to repeat it here. I have edited your post.

This is the answer that i want.

Yes, but look back at your long post, and you will see that you did not ask that question.

N=0x10 for all Q/A is ONLY true for the 4096 byte Envelope blocks. You can NOT make that assumption when hasphl_encrypt is used from the API inside the program. The programmer can encrypt or decrypt any length string (s)he likes. The API splits it into lumps of 16, 32 or 48 bytes.

So :

Envelope : N=0x10=16, and Q/A pairs appear in groups of 128 pairs. 128 * (16 + 16) = 4096 bytes. The envelope can be applied up to 5 times consequetively.

API : N=0x10=16 or 0x20=32 or 0x30=48 and can appear in isolation or groups anywhere in the program.

A program can have API ed/decryption calls AND then finally have the Envelope applied from 1 to 5 times.

Git

Yes, but look back at your long post, and you will see that you did not ask that question.
@Git - I think you did read my description carefuly. Read back my problem description on the
paragraph-3 and Question number-1 (http://reteam.org/board/showpost.php?p=16301&postcount=13). :)

API : N=0x10=16 or 0x20=32 or 0x30=48 and can appear in isolation or groups anywhere in the program.
Thank's for your aditional prespective. :)
Are these groups parts the Input-Output of hasp Decrypt or hasp Encrypt which usualy apears on both Xyrurg&Sataron HaspLoger1.71 and Toro HaspMonitor32 ?

I'm happy to admit when I'm wrong (well, happyish...) but I just read it again and I cannot see anything that asks about the length. I did see something about "splitting into 0x10 lines..." which is worrying - you now know that is wrong I hope?. You cannot split queries, ever.

Are these groups parts the Input-Output of hasp Decrypt or hasp Encrypt which usualy apears on both Xyrurg&Sataron HaspLoger1.71 and Toro HaspMonitor32 ?

The logger will show any and all instances of hasp_encrypt or hasp_decrypt. The logger has no knowledge of how they were created, as part of the Envelope or as a random API call. The only thing you can infer when looking at the log is that if there are less than 128 consequetive calls to hasp_decrypt then those calls did NOT originate from an Envelope.

Most dongles have these two ways of being used, and in most cases the two ways can be used separately or together.

i) Envelope/Shell. This is the idiots "press a button to protect your program" button. Clcik one button and the dongle programmers toolkit will take your exe, pack it or encryp it or both, and store information about how to unpack/decrypt it inside the modified exe. In a way, the program is wrapped in an envelope or a shell. Often, this envelope/shell is applied multiple times, like putting a letter in an envelope, then putting that envelope inside another bigger envelope and so on. For the Hasp HL this happens a maximum of 5 times. Each time 128 Queries and 128 Answers are stored, each is 16 bytes long.

ii) API. Anybody who is more serious about protecting their program knows the envelope is not enough. The API allows calls to encrypt or decrypt strings or blocks of data. The data or string can be up to 1024 bytes long. To decrypt the string the application must make a call to the dongle and this will be caught and displayed by the logger. The toolkit also allows the programmer to encrypt strings outside of the program, so the encrypted value is then used in the program and can be drypted by a call to the dongle and compared to the known correct value. So things like passwords etc can be stored in encrypted form inside the program and only encrypted to the correct value if the dongle is fitted. Note that the dongle will both encrypt and decrypt. This type of use of the API can be done in many ways and spread around the whole program. A good example of this is DecoStudio. Not only the main application exe but also about 10 DLL's all have the envelope fully applied. Not only that, but extensive use of the API is made by both program and DLL's. A full reg file to emulate that set of applications is several MB I believe.

One last thing worth knowing is that the AES encryption used by HL and many dongles is symmetrical. If you encrypt "John Doe" and get "DJ8d*^nj&h", then feeding "DJ8d*^nj&h" to the decyption function will give you the original "John H Doe".

Git

@Git - Many Thank's. That was wonderfull post !!! People like you realy make this kind of forum grow up as should be ...
Not only the main application exe but also about 10 DLL's all have the envelope fully applied.
btw, I 've used Envelope File Finder feature of Toro HaspMon32 and i saw there were so many .dll file in the list. Could anyone hint me how to ovecome the .dll files which had enveloped ?

Same method for DLL as for Exe. OllyDbg has a tool to enable it to load DLL's and you can use OllyDump plugin to make the required Dump. or you can use LordPE. Select the Exe in the top list. LordPE then shows a list of all DLL's used by that Exe in the bottom list. Select the DLL you want and choose Full Dump from the popup menu.

I had not seen that feature of Toro's logger. The clue that it has an Aladdin Envelope is the presense of a section named ".protect". The clue for Sentinel dongles is all the sections being renamed to .00000001, .00000002 etc. That said, there's nothing to stop somebody from renaming the sections to anything they like after applying the envelope. A favourite trick is to rename the .vmp1, .vmp2 sections of a VMProtected program .UPX1, .UPX2 so you think the target is only UPX packed.

Git

On the window of "Enveloped Files Finder & Loaders" of Toro's haspmon32, i saw a "LoadBatch" button.
Could anyone please explain about the use of "LoadBatch" feature ?

And a third entry with

N = 32
Q = 55,00,A9,34,CD,E5,D7,B6,19,56,85,15,F7,4D,32,36,95 ,EC,75,E8,C4,8F,6B,5D,98,80,F6,A8,8B,25,1C,48
A = 4F,8A,A7,A1,26,55,61,B3,1A,77,B4,A2,19,B3,34,FD,B7 ,BD,6F,B0,4E,E3,AD,73,51,C3,D9,13,0B,7F,0E,32

in this case, we have the full Query, but only first 16 bytes of Answer :

"20:5500A934CDE5D7B619568515F74D323695EC75E8C48F6B5 D9880F6A88B251C48"=hex:4F,8A,A7,A1,26,55,61,B3,1A,77,B4,A2,19,B3,34, FD

So now we put it together :

I have a little problem with my hasplog.txt. Let says that Toro Hasp Monitor 3.2 show the logs like below :
HaspHL In:> Hasphl_decrypt, Length=32
Data:
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEEEEEEEEEEEEEEEEEE EEEEEEEEEEEEEE

Hasp Out:> HaspStatus Status=0 (0x0) P1=4 P2=1

HaspHL In:> Hasphl_decrypt, Length=32
Data:
BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBFFFFFFFFFFFFFFFFFF FFFFFFFFFFFFFF

HaspHL Out:> Hasphl_decrypt Status=0 (0x0)
Response:
22222222222222222222222222222222

Defaultly, Log2Tables v2.0.3.4 give me reg-entries which consist of 2 rows of pair. But Queries have been copied to 0x10 bytes long meanwhile Reponses copied to "empty Responses" separated by comma, like below :
"10:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"=hex:,,,,,,,,,,,,,,,
"10:BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB"=hex:,,,,,,,,,,,,,,,

1. Should i accept the above output for merging into my reg ?
2. If no, i should not. Then how to write the proper DTable entries for this case?

BR
SonofabiT

No, it is definitely wrong to my mind, unless the author has done some very strange trick, but I don't think the operating system will read ",,,,,,,,,,,,,," when it is expecting several hex numbers.

I can't tell you what should be there because the log shows 32 byte input and only 16 byte output.

That said, the guy who wrote the emulator says use only the first 16 bytes of the response so you had better do what he says. Personally, I can't see how that can work but I can't remember the full details of Hasp HL query lengths, other than it is a much more complex subject than it should be. So follow the 18.1.0 manual which has notes on the changes he made to handling of queries longer than 16 bytes. You will have to translate from Russian.

The vital part is this :

Если в протоколе встречается одиночный запрос длиной в 32 (20h) байта, за которым сразу нет запроса длиной 48 (30h) байт (или если сказать по другому, в котором вторые 16 байт запроса НЕ РАВНЫ вторым 16 байт ответа) , то такой запрос необходимо сохранять в таблицу как два запроса по 16 (10h) байт

We really need a translation by a native Russian speaker. Systran thinks it says this :

If before the protocol is encountered single query by length beside 32 (20h) the byte, above which immediately there is no query with length 48 (30h) of bytes (or if we say on other, before which the second 16 bytes of the query ARE NOT EQUAL to the second 16 bytes of answer), then this query must be preserved beside the table as two queries on 16 (10h) byte

Git

I can't tell you what should be there because the log shows 32 byte input and only 16 byte output.
LogToTables.exe only read and convert the input which have been given by Toro's hasplog.txt. For this case, i am trying to make sure my self and i 've been wondered that my pair entries will be consist of 0x20 bytes query and 0x10 bytes response.

Since there are no response in the first 0x20 bytes hasplog.txt then i 've preassumed that the responses for the first hasphl decrypt function will be 0x10 bytes long with all the data =0x00. Meanwhile the second one will be 0x10bytes long with all the data =0x22. Refers to my Toro's hasplog.txt, i 've been managed the pairs manualy like below :
20:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEEEEEEEEEEEEEEE EEEEEEEEEEEEEEEEE"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00, 00
20:BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBFFFFFFFFFFFFFFF FFFFFFFFFFFFFFFFF"=hex:22,22,22,22,22,22,22,22,22,22,22,22,22,22,22, 22

Could anyone please correct me if have been totaly wrong about this and how these pairs should be wrote ? :confused:

Yes, BUT the proviso that he has added for 18.1.0 is very important. My best translation of it;s meaning is this :

IF(we have single 32 byte Query) AND
(
(Previous Query is NOT 48 bytes) OR ( (Second 16 bytes of previous Query) NOT EQUAL TO (Second 16 bytes of previous Answer) )
)
THEN
(the 32 byte Query is entered in table as two 16 byte Queries)


Git

@Git - Do you mean that i have been totaly wrong and you have been corrected me ?

hello guys
Could anyone (native Russian speaker) translate these cyrillic writing into English please. All available Translator such as SysTran, Babylon, Google Language Tools, etc wouldn't enough to give us a better understanding.

btw, i realy want to learn Russian Language.

With respect, I think you need to finish learning English before you start learning Russian.

I have answered your question to say YES you ARE doing it correctly, BUT... and then given you not just a translation of the Russian, but a description of exactly what it means to what you are doing.

Not for the first time, you seem to have completely brushed aside my reply, only to ask the same question again. I suggest you READ what is written and readit again and again until you understand it. If you still don't understand it it, just ask and the posted will explain it differently.

Git