HARDLOCK emulator
 

hi all

i decide to write a hardlock emulator. previously i was write a sentinel filter driver that work properly (see rce messageboard, i posted my progress with name nikan).

after some study on data transfer between hardlock protected program and driver i found that all of data transfer is performed via deviceiocontrol.
there are 2 level of encryption on hl_api packet. i gess first level enc is function specefic. second level is done. have anyone any idea about first level encryption algo?

toro.

First of all you need last two versions of hardlock.sys because they contain different packet crypt code. And both do it inside virtual machine. Code of VM and p-code obfuscated.
Good luck.

hi nikita@work

i tested many programs that protected with hardlock. i can devide those programs in 2 category. in category 1 there is no encryption on hl_api packet (possiblly drivers before 2.85) and in category 2 (drivers after 2.85) i have found one kind of encryption but in 2 level. the level 2 of encryption is very easy to emulate. it use a seed that stored in offset (hl_api+0xBC).
but in level 1 the packet is partially encrypted. are you see this thing too?

however are you have any info on hl_api structure, i was studied it but not completly.

toro.

Last version of HL & HASP API was released more than year ago, but practically nobody use it. That's why I reversed driver.

Right. Each field of packet have it's own encrypt/decrypt routine in p-code. Some of them in native code. And pay attention on field +0xBD - it's a version of crypt algo.

Only standard part from SDK.

hi nikita@work

can you explain p-code? i see all encryption routin in native. i saw that level 2 is performed on some portion of begining of hl_api. (first 64 byte) is it true?

however i need some info about sequence of data transfer between driver and program when program call hl_code function. i see that when program call this function some call to deviceiocontrol with different buffersize is happen. and another question: some call to deviceiocontrol with buffersize=4 and 6 is happen why?


toro.

I think you working with old version o hl api. It's true but newest versions of packet crypt algo written in p-code. And algo different (version stored in +0xBD filed).

For example one of these short questions detect softice ;)
Try to see how packet forms while HL_INIT/HL_READ/HL_CODE. It's enough.

hi nikita@work

during last day i was working on level 1 of encryption. till now i have written 25 function to decode 25 field of hl_struct, some of fields are remained.
however i work with hl_api version 383, is it old? i download it from aladdin ftp.
are you have any info about structure of hl_struct? i found usage of some of field in hl_struct, such as major and minor api version, refkey and verkey, memory address and memory content , program processid , status code and modad . but i don't found usage of other fields. can you help me?

the seed is a word that start at hl_struct+0xbc.

toro.

What version stored in +BA field?
0 - no crypt
1 - first version
2 - second version

Sent via PM.

hi nikita@work

very tanks for hl_packet structure. the version stored in 0xba is 1 so after work on this version i must work on next version. this project is very harder than superpro!!!. i will try to download new hl_api from aladdin ftp.


tanks
toro.

Nikita, can you send hl_struct structure to me too?
Thanks in advance!

hi nikita@work

very tanks for your helpfull info. i have seen your id in brain studio emulator so you must be an expert in hardlock and hasp (posibly sentinel, tanks for your first reply to me about sentinel).
i see ealaddin site. there is a hl_api installation file that can be download. its time is 11/2002 . i download it last mount. there is no new version. after installing it, i foun a hl_demo project. so i compiled it with msvc and worked with it. in hl_struct+0xba i see 1. also i test some program that envelpoed with hardlock and see version 1. in which program you see version 2 and p-code?

tanks

toro

As I told before it was latest hardlock.sys =)
(from hinstall.exe v4.95)

hi nikita@work

my level 1 & level 2 enc/dec routin compeleted. in level 1 there are 37 fields that encoded and decoded but your hl_struct has 26 member. this means that other members is not used?

you say the hardlock.sys that installed with hinstall version 4.95 has a different enc\dec algo in p-code, are you see any hardlock protected program that making use of this hardlock.sys?

toro.

Reserved area contain fileds like PortFlags that used only by driver.
But it seems some of them used in HL RUS API.

At this moment - no =)

hi nikita

as i say before currently i found 2 version of hardlock.sys. one version has no enc\dec algo and one version has. can you tell me about version 0, is it the same as uncrypted version?
however my problem is to distinguish between crypted an uncrypted packets in runtime. my approach is to test the seed, if it is 0 then packet is not crypted and if is not 0 then packet crypted in 2 level is it true?

toro