Exetools  

#1
09-04-2004, 22:10
toro (VIP)
Join Date: Aug 2004
Posts: 189
HARDLOCK emulator

hi all

I decided to write a Hardlock emulator. Previously I wrote a Sentinel filter driver that works properly (see the RCE messageboard; I posted my progress under the name nikan).

After some study of the data transfer between a Hardlock-protected program and the driver, I found that all data transfer is performed via DeviceIoControl.
There are 2 levels of encryption on the hl_api packet. I guess the first-level encryption is function specific. The second level is done. Does anyone have any idea about the first-level encryption algorithm?

toro.
#2
09-04-2004, 22:49
nikita@work
Quote:
Originally Posted by toro
After some study of the data transfer between a Hardlock-protected program and the driver, I found that all data transfer is performed via DeviceIoControl.
There are 2 levels of encryption on the hl_api packet. I guess the first-level encryption is function specific. The second level is done. Does anyone have any idea about the first-level encryption algorithm?
toro.
First of all, you need the last two versions of hardlock.sys, because they contain different packet crypt code. And both do it inside a virtual machine. The code of the VM and the p-code are obfuscated.
Good luck.
#3
09-04-2004, 23:28
toro
hi nikita@work

I tested many programs that are protected with Hardlock. I can divide those programs into 2 categories. In category 1 there is no encryption on the hl_api packet (possibly drivers before 2.85), and in category 2 (drivers after 2.85) I have found one kind of encryption, but in 2 levels. Level 2 of the encryption is very easy to emulate. It uses a seed that is stored at offset (hl_api+0xBC).
But in level 1 the packet is partially encrypted. Did you see this too?

However, do you have any info on the hl_api structure? I studied it, but not completely.

toro.
#4
09-05-2004, 01:55
nikita@work
Quote:
Originally Posted by toro
I tested many programs that are protected with Hardlock.
The last version of the HL & HASP API was released more than a year ago, but practically nobody uses it. That's why I reversed the driver.

Quote:
Originally Posted by toro
Level 2 of the encryption is very easy to emulate. It uses a seed that is stored at offset (hl_api+0xBC). But in level 1 the packet is partially encrypted. Did you see this too?
Right. Each field of the packet has its own encrypt/decrypt routine in p-code. Some of them are in native code. And pay attention to field +0xBD - it's the version of the crypt algo.

Quote:
Originally Posted by toro
However, do you have any info on the hl_api structure? I studied it, but not completely.
toro.
Only the standard part from the SDK.

Last edited by nikita@work; 09-05-2004 at 01:57. Reason: mistyping
#5
09-05-2004, 03:50
toro
hi nikita@work

Can you explain p-code? I see all encryption routines in native code. I saw that level 2 is performed on some portion of the beginning of hl_api (the first 64 bytes). Is that true?

However, I need some info about the sequence of data transfer between the driver and the program when the program calls the hl_code function. I see that when the program calls this function, some calls to DeviceIoControl with different buffer sizes happen. And another question: some calls to DeviceIoControl with buffersize=4 and 6 happen. Why?


toro.
#6
09-05-2004, 19:25
nikita@work
Quote:
Originally Posted by toro
Can you explain p-code? I see all encryption routines in native code. I saw that level 2 is performed on some portion of the beginning of hl_api (the first 64 bytes). Is that true?
I think you are working with an old version of the HL API. It's true, but the newest versions of the packet crypt algo are written in p-code. And the algo is different (the version is stored in the +0xBD field).

Quote:
Originally Posted by toro
And another question: some calls to DeviceIoControl with buffersize=4 and 6 happen. Why?
For example, one of these short questions detects SoftICE.
Try to see how the packet forms during HL_INIT/HL_READ/HL_CODE. It's enough.
#7
08-17-2005, 18:50
papi (VIP)
Join Date: Jan 2005
Location: UN
Posts: 200
Hello Nikita.
Can you send the hl_struct structure to me too?
Thanks.
#8
09-12-2005, 07:26
learner38 (Researcher)
Join Date: Aug 2002
Posts: 176
Hello Nikita.
Can you send the hl_struct structure to me too, or share it here?
Thanks.
#9
09-13-2005, 14:50
toro
To papi and minawahib1:
You can see the include files of the HASP or Hardlock APIs for complete details of hl_struct.
#10
09-15-2005, 17:31
learner38
Yes, I found it in the SDK (starter kit).
Thanks a lot.
All times are GMT +8.