Exetools

Exetools (https://forum.exetools.com/index.php)
-   General Discussion (https://forum.exetools.com/forumdisplay.php?f=2)
-   -   HARDLOCK emulator (https://forum.exetools.com/showthread.php?t=5226)

toro 09-04-2004 22:10

HARDLOCK emulator
 
hi all

I decided to write a Hardlock emulator. Previously I wrote a Sentinel filter driver that works properly (see the RCE messageboard; I posted my progress under the name nikan).

After some study of the data transfer between a Hardlock-protected program and the driver, I found that all data transfer is performed via DeviceIoControl.
There are 2 levels of encryption on the hl_api packet. I guess the first-level encryption is function specific. The second level is done. Does anyone have any idea about the first-level encryption algorithm?

toro.

nikita@work 09-04-2004 22:49

Quote:

Originally Posted by toro
After some study of the data transfer between a Hardlock-protected program and the driver, I found that all data transfer is performed via DeviceIoControl.
There are 2 levels of encryption on the hl_api packet. I guess the first-level encryption is function specific. The second level is done. Does anyone have any idea about the first-level encryption algorithm?
toro.

First of all you need the last two versions of hardlock.sys because they contain different packet crypt code. And both do it inside a virtual machine. The code of the VM and the p-code are obfuscated.
Good luck.

toro 09-04-2004 23:28

hi nikita@work

I tested many programs that are protected with Hardlock. I can divide those programs into 2 categories. In category 1 there is no encryption on the hl_api packet (possibly drivers before 2.85) and in category 2 (drivers after 2.85) I have found one kind of encryption, but in 2 levels. Level 2 of the encryption is very easy to emulate. It uses a seed that is stored at offset (hl_api+0xBC).
But in level 1 the packet is partially encrypted. Do you see this thing too?

However, do you have any info on the hl_api structure? I studied it but not completely.

toro.

nikita@work 09-05-2004 01:55

Quote:

Originally Posted by toro
I tested many programs that are protected with Hardlock.

The last version of the HL & HASP API was released more than a year ago, but practically nobody uses it. That's why I reversed the driver.

Quote:

Originally Posted by toro
Level 2 of the encryption is very easy to emulate. It uses a seed that is stored at offset (hl_api+0xBC). But in level 1 the packet is partially encrypted. Do you see this thing too?

Right. Each field of the packet has its own encrypt/decrypt routine in p-code. Some of them are in native code. And pay attention to field +0xBD - it's the version of the crypt algo.

Quote:

Originally Posted by toro
However, do you have any info on the hl_api structure? I studied it but not completely.
toro.

Only standard part from SDK.

toro 09-05-2004 03:50

hi nikita@work

Can you explain p-code? I see all encryption routines in native code. I saw that level 2 is performed on some portion of the beginning of hl_api (the first 64 bytes). Is it true?

However, I need some info about the sequence of data transfer between the driver and the program when the program calls the hl_code function. I see that when the program calls this function, some calls to DeviceIoControl with different buffer sizes happen. And another question: some calls to DeviceIoControl with buffersize=4 and 6 happen. Why?


toro.

nikita@work 09-05-2004 19:25

Quote:

Originally Posted by toro
Can you explain p-code? I see all encryption routines in native code. I saw that level 2 is performed on some portion of the beginning of hl_api (the first 64 bytes). Is it true?

I think you are working with an old version of the HL API. It's true, but the newest versions of the packet crypt algo are written in p-code. And the algo is different (version stored in the +0xBD field).

Quote:

Originally Posted by toro
And another question: some calls to DeviceIoControl with buffersize=4 and 6 happen. Why?

For example, one of these short questions detects SoftICE ;)
Try to see how the packet forms during HL_INIT/HL_READ/HL_CODE. It's enough.

toro 09-07-2004 03:58

hi nikita@work

During the last day I was working on level 1 of the encryption. Till now I have written 25 functions to decode 25 fields of hl_struct; some fields remain.
However, I work with hl_api version 383. Is it old? I downloaded it from the Aladdin FTP.
Do you have any info about the structure of hl_struct? I found the usage of some fields in hl_struct, such as major and minor API version, refkey and verkey, memory address and memory content, program process ID, status code and modad. But I haven't found the usage of the other fields. Can you help me?

The seed is a word that starts at hl_struct+0xbc.

toro.

nikita@work 09-07-2004 04:49

Quote:

Originally Posted by toro
During the last day I was working on level 1 of the encryption. Till now I have written 25 functions to decode 25 fields of hl_struct; some fields remain.
However, I work with hl_api version 383. Is it old? I downloaded it from the Aladdin FTP.

What version is stored in the +BA field?
0 - no crypt
1 - first version
2 - second version

Quote:

Originally Posted by toro
Do you have any info about the structure of hl_struct?

Sent via PM.

toro 09-07-2004 13:03

hi nikita@work

Many thanks for the hl_packet structure. The version stored in 0xba is 1, so after working on this version I must work on the next version. This project is much harder than SuperPro!!! I will try to download the new hl_api from the Aladdin FTP.

Thanks
toro.

kab 09-07-2004 16:15

Nikita, can you send hl_struct structure to me too?
Thanks in advance!

toro 09-07-2004 16:39

hi nikita@work

Many thanks for your helpful info. I have seen your ID in the Brain Studio emulator, so you must be an expert in Hardlock and HASP (possibly Sentinel; thanks for your first reply to me about Sentinel).
I looked at the eAladdin site. There is an hl_api installation file that can be downloaded. Its date is 11/2002. I downloaded it last month. There is no new version. After installing it, I found an hl_demo project, so I compiled it with MSVC and worked with it. In hl_struct+0xba I see 1. I also tested some programs that are enveloped with Hardlock and see version 1. In which program do you see version 2 and p-code?

Thanks

toro

nikita@work 09-07-2004 17:45

Quote:

Originally Posted by toro
In which program do you see version 2 and p-code?

As I told you before, it was the latest hardlock.sys =)
(from hinstall.exe v4.95)

toro 09-08-2004 15:46

hi nikita@work

My level 1 & level 2 enc/dec routines are completed. In level 1 there are 37 fields that are encoded and decoded, but your hl_struct has 26 members. Does this mean that the other members are not used?

You say the hardlock.sys that is installed with hinstall version 4.95 has a different enc\dec algo in p-code. Have you seen any Hardlock-protected program that makes use of this hardlock.sys?

toro.

nikita@work 09-08-2004 16:16

Quote:

Originally Posted by toro
My level 1 & level 2 enc/dec routines are completed. In level 1 there are 37 fields that are encoded and decoded, but your hl_struct has 26 members. Does this mean that the other members are not used?

The reserved area contains fields like PortFlags that are used only by the driver.
But it seems some of them are used in the HL RUS API.

Quote:

Originally Posted by toro
You say the hardlock.sys that is installed with hinstall version 4.95 has a different enc\dec algo in p-code. Have you seen any Hardlock-protected program that makes use of this hardlock.sys?

At this moment - no =)

toro 09-09-2004 03:48

hi nikita

As I said before, currently I have found 2 versions of hardlock.sys. One version has no enc\dec algo and one version has. Can you tell me about version 0? Is it the same as the unencrypted version?
However, my problem is to distinguish between encrypted and unencrypted packets at runtime. My approach is to test the seed: if it is 0 then the packet is not encrypted, and if it is not 0 then the packet is encrypted in 2 levels. Is it true?

toro

nikita@work 09-09-2004 04:00

Quote:

Originally Posted by toro
As I said before, currently I have found 2 versions of hardlock.sys. One version has no enc\dec algo and one version has. Can you tell me about version 0? Is it the same as the unencrypted version?

Right. Simply check the +0xBA field and if it's zero, skip decryption.

Quote:

Originally Posted by toro
However, my problem is to distinguish between encrypted and unencrypted packets at runtime. My approach is to test the seed: if it is 0 then the packet is not encrypted, and if it is not 0 then the packet is encrypted in 2 levels. Is it true?

If the +0xBA field is not zero then decrypt the first layer (common to both versions) and then decrypt each field.

BadBoy 09-09-2004 17:30

Hello Nikita.
Can you send the hl_struct structure to me too?
Thanks in advance!

toro 09-10-2004 18:41

hi nikita

I am working on hl_code. Its packet size is 0x138; 0x100 bytes are encoded and decoded via the enc\dec routines. I tested hl_code with bcnt=4. For one hl_code call only one DeviceIoControl is called, with packet size=0x138. That packet only contains the first block of data at hl_packet+0x128. On return it contains the encrypted first block plus 0x8 bytes at hl_packet+0x100 that I guess is the Hardlock signature, because it seems that the encryption of the other blocks is performed in the program itself by use of that signature. Is it true?

However, I found some of the function numbers, but not all of them. Can you help me?

Thanks
toro.

nikita@work 09-10-2004 20:24

Quote:

Originally Posted by toro
it seems that the encryption of the other blocks is performed in the program itself by use of that signature. Is it true?

Only 8 bytes are transformed with the dongle. On each step the internal results are stored in the result block for ring3. They're used to encrypt the rest of the data.

Quote:

Originally Posted by toro
However, I found some of the function numbers, but not all of them. Can you help me?

Just call the function you need and look at the +0x18 field in the driver.

toro 09-10-2004 20:43

hi nikita

Quote:

Only 8 bytes are transformed with the dongle. On each step the internal results are stored in the result block for ring3. They're used to encrypt the rest of the data.

You are right. My question: is it possible to produce other hl_code results with this internal result? In other words, is this internal result the Hardlock signature?

Quote:

Just call the function you need and look at the +0x18 field in the driver.

Again you are right, but some functions such as hl_meminf call more than one function. For example, hl_meminf's function numbers are 0x17, 0x14, 0x15. Is it true? I want the meaning of these functions if possible.

Thanks.
toro

toro 09-12-2004 22:03

hi nikita

are you there?

Finally I found an application that uses version 2 of the algo. After completing my emulator, when I worked with Bistro 2.5 I saw that the function numbers were incorrect. So I tested the calls to the driver and found version 2 in hlvdd. I wonder why hlvdd is packed with UPX; I unpacked it manually (is there an unpacker that unpacks UPX-packed DLLs automatically?).

You didn't answer my last question. Previously I read in another forum that for emulation of the hl_code function, 8kB of hl_code blocks is needed (meteo), but as I see in hlvdd, a signature is returned from the driver with which the caller can calculate the encrypted data blocks. Is it true?

toro.

nikita@work 09-12-2004 22:53

Quote:

Originally Posted by toro
Finally I found an application that uses version 2 of the algo. After completing my emulator, when I worked with Bistro 2.5 I saw that the function numbers were incorrect. So I tested the calls to the driver and found version 2 in hlvdd.

Are you surprised that Aladdin used the latest API in their own product? ;)

Quote:

Originally Posted by toro
Previously I read in another forum that for emulation of the hl_code function, 8kB of hl_code blocks is needed (meteo), but as I see in hlvdd, a signature is returned from the driver with which the caller can calculate the encrypted data blocks. Is it true?

This 8-byte hash is valid only for the current block. For another block it would be different. And about the 8kb table... yes, HL can be universally emulated with such a table. The private function has been known since 1992.

toro 09-13-2004 01:21

hi nikita

Thanks for your reply and forgive me for my questions.
I added version 2 of the algo to my driver and it is completed. I decided to start the same project on HASP. Can you compare Hardlock and HASP from the packet encryption point of view?

Previously you said that there are 2 versions of the enc\dec algo for Sentinel. Do you know there are 3?

toro

nikita@work 09-13-2004 02:04

Quote:

Originally Posted by toro
I decided to start the same project on HASP. Can you compare Hardlock and HASP from the packet encryption point of view?

Actually the same, but for some model-specific fields other routines are used. In fact it's a "union" ;)

Quote:

Originally Posted by toro
Previously you said that there are 2 versions of the enc\dec algo for Sentinel. Do you know there are 3?

Hm... Maybe it's a very-very old one or the newest one (for example from an UltraPro key)... so it would be interesting to see.

toro 09-13-2004 03:21

hi nikita

For Sentinel enc\dec version detection, I use (packet+0x4). I saw that in SuperPro 6.3 this memory address contains 0x7. In the last versions I saw 0x6. So I decided to use this memory address for detection of the version. Am I right?

However, in a target where this memory address contains 6, I saw 2 different algos; both of them are in the shell.

toro.

nikita@work 09-13-2004 04:06

Quote:

Originally Posted by toro
For Sentinel enc\dec version detection, I use (packet+0x4). I saw that in SuperPro 6.3 this memory address contains 0x7. In the last versions I saw 0x6. So I decided to use this memory address for detection of the version. Am I right?

Try to reverse the driver. It contains decrypt routines for all models... and they are all different. So when I told you about two versions I meant only SSPro keys.

isnull 09-14-2004 13:33

Aladdin released a new dongle with an AES crypt algo.
hppt://www.ealaddin.com/hasp/hasphl.asp

And a new HASP HL driver - ver 5.11
_ftp://ftp.ealaddin.com/pub/hasp/hl/windows/installed/redistribute/drivers/HASPDinst.zip

CD _ftp://ftp.ealaddin.com/pub/hasp/hl/HASP_HL_CD_1.10.iso
Tools _ftp://ftp.ealaddin.com/pub/hasp/hl/windows/HASP_HL_For_Windows.zip

toro 09-16-2004 20:41

hi nikita

I found another algo version in sx32w.dll version 5.0.0.0. It is used by rnbosprofunctions, and its packet version is 4; also the packet size is 0xffc, which is much bigger than in versions 6 and 7.

toro

papi 08-17-2005 18:50

Hello Nikita.
Can you send the hl_struct structure to me too?
Thanks.

learner38 09-12-2005 07:26

Hello Nikita.
Can you send the hl_struct structure to me too? Or share it here.
Thanks. :)

toro 09-13-2005 14:50

To papi and minawahib1:
You can see the include files of the HASP or Hardlock APIs for complete details of hl_struct.

learner38 09-15-2005 17:31

Yes.. I found it in the SDK (Starter Kit).
Thanks a lot

