Exetools (https://forum.exetools.com/index.php)
-   General Discussion (https://forum.exetools.com/forumdisplay.php?f=2)
-   -   Rockey4 (https://forum.exetools.com/showthread.php?t=9775)

Kyrios 07-02-2006 02:21

Rockey4
 
Hi,

Anyone has experience with Rockey4? I have a program (17MB) with Rockey4 protection. I also have the dongle right now. But I want to use it without the dongle.
Before the call to Rockey, the flag is set in ax.

mov ax, some word
call Rockey
mov eax, dword ptr [esp]

The result is always a static value. It could be tokens left, dongle ID, expiration date, etc. And it always depends on the value of AX. For example if AX=1, it always returns tokens left. If AX=2, it always returns the dongle ID. If AX=3, it always returns the expiration date. I have no problem with this kind of routine. It's done. I could modify the return value to anything I want because it's a static value.

But I have trouble with this kind of routine.

mov ax, some word
push [ebp]
push [ebp+4]
call Rockey4
mov ecx, [ebp]
mov edx, [ebp+4]

The final result depends on the push [ebp] and push [ebp+4]. And the initial value (before the call to Rockey) always differs, depending on the library (music) file I load. The library music files came from the author of the program. And the amount is huge, about 10k files (3 DVDs). And all the files are encrypted. At the beginning of each file there are 2 dwords which ALWAYS differ from each other. These values are used for the initial push before the call to Rockey. And the result values (which are moved to ecx and edx) are used to decrypt the music library file currently loaded. So you already know my current situation.
So my question is: how do I know what Rockey is doing with the initial values being pushed to the stack? So I can rip the code and inject it into the exe?

If someone is interested in the target, I have uploaded it to a Yahoo mail account I created for this purpose. Also my current progress, which can run without the dongle but can't decrypt the music libraries from the DVDs (came from the author, packaged from purchase). Just PM me, I'll send the ID and the password to you.

BR,
kyrios

toro 07-02-2006 14:08

hi
you can see the rockey manual for the function description. rockey's dongle protection logic is different from other traditional dongles. the developer can insert some portions (functions) of his code into the dongle at design time, and at run time send parameters to the dongle and receive the result of the function from the dongle. actually the dongle can execute some functions by itself. so the patch method cannot work for it.
however rockey 4 is very simple and you can guess the functions which are in it with some effort. or sometimes you can even do a full search on all possible values as input parameters and create a table of output values.
and there are other approach...

i think you are lucky because you have rockey4 not rockey5.

regards

FoxB 07-03-2006 00:52

hi,

your rockey4 uses the function named "Generate Seed Code".
for a static dword value the dongle receives four seeds (words) based on the dongle passwords.

wbr

.:hack3r2k:. 07-17-2006 04:10

Rockey 4 is far more advanced than u think, and Rockey 5 and 6, used well, leave no option for hacking. A Rockey 4 dongle can include, besides the data u can store in the dongle, a user algo zone where u can store small algos. That zone is write only, so there is little chance to fix that if the author used it. Anyway if u like I could take a look at it to see how it works. Anyway before starting such a thing I suggest a good understanding of their sdk.

Br;)

toro 07-18-2006 01:32

Quote:

Rockey 5 and 6 used well leave no option for hacking
are you sure? ;)

JMI 07-18-2006 03:27

Documentation is available here:

http://www.rockey.nl/en/support/rockey-download.html

They even have developer's guides and (gasp) sample code.

;)

Regards,

Shub-Nigurrath 07-18-2006 06:52

have you seen here?
http://bbs.pediy.com/showthread.php?&threadid=29075

here it's attached too.

.:hack3r2k:. 07-18-2006 22:50

Quote:

Originally Posted by toro
are you sure? ;)

I said if used properly, buddy. Rockey 5 and Rockey 6 act like smartcards; this means u can write applets with algos and store them inside the dongle without the possibility to read them. So explain how u plan to remove the dongle when a 1000-line algo is stored inside, for example :D

Br;)

.:hack3r2k:. 07-18-2006 23:09

Quote:

Originally Posted by JMI
Documentation is available here:

http://www.rockey.nl/en/support/rockey-download.html

They even have developer's guides and (gasp) sample code.

;)

Regards,

www.ftsafe.com as well, and the pass is rockey.

@Shub:
Pretty useless unless the dongle is used badly and always with static data. Also note that rockey 4 is both lpt/usb and also has several variants. Around 3 if I remember well.

@kyrio: I'm dl now thx.

Br;)

toro 07-19-2006 20:51

Quote:

So explain how u plan to remove the dongle when 1000 lines algo is stored inside for example
extraction of that 1000 line algo from the dongle. ;)

JMI 07-20-2006 00:45

A journey of 1000 miles begins with a single step. ;)

Regards,

etienne 07-20-2006 01:28

well, if you think dongle cracking has anything except a direct relation to software reversing, I can come up with some ideas :D :D
but it would be nice to have some snippets of the code you have. basically you only have to record the queries and store them in a table; do this twice by executing the program and compare the tables.
if the tables match with no or slight differences, you grabbed the d**k of God :)

.:hack3r2k:. 07-23-2006 09:36

:cool: Unless the queries change using params that maybe are not given by the soft.

Br;)

.:hack3r2k:. 07-23-2006 09:38

Quote:

Originally Posted by toro
extraction of that 1000 line algo from the dongle. ;)

Easy to talk :D Let's take for example smartcards ... I have some persons happy to pay 5000$ if u can extract the algo from them :D Best is to speak on facts rather than on suppositions.

Br;)

toro 07-23-2006 14:36

Quote:

Best is to speak on facts rather than on suppositions
i didn't talk about smart cards generally, i talked about rockey and especially rockey5. extraction of code is possible, exactly because they let the developer add some code to the card. and the code can be a trojan, and ....
i think you can understand what i am saying. ;) . you can be sure that this has been done before.
