Exetools  

#16
09-09-2004, 04:00
nikita@work
Quote:
Originally Posted by toro
As I said before, currently I found 2 versions of hardlock.sys. One version has no enc\dec algo and one version has. Can you tell me about version 0? Is it the same as the uncrypted version?
Right. Simply check the +0xBA field and if it's zero, skip decrypt.

Quote:
Originally Posted by toro
However, my problem is to distinguish between crypted and uncrypted packets at runtime. My approach is to test the seed: if it is 0 then the packet is not crypted, and if it is not 0 then the packet is crypted in 2 levels. Is it true?
If the +0xBA field is not zero then decrypt the first layer (common for both versions) and then decrypt each field.
#17
09-09-2004, 17:30
BadBoy

Hello Nikita.
Can you send the hl_struct structure to me too?
Thanks in advance!
#18
09-10-2004, 18:41
toro
Hi Nikita,

I am working on hl_code. Its packet size is 0x138; 0x100 bytes are coded and uncoded via the enc\dec routines. I tested hl_code with bcnt=4. For one hl_code call only one DeviceIoControl is called, with packet size=0x138. That packet only contains the first block of data at hl_packet+0x128. At return it contains the crypted first block plus 0x8 bytes at hl_packet+0x100 that I guess is the hardlock signature, because it seems that encryption of the other blocks is performed in the program itself by use of that signature. Is it true?

However, I found some of the function numbers, but not all of them. Can you help me?

Thanks,
toro.
#19
09-10-2004, 20:24
nikita@work
Quote:
Originally Posted by toro
It seems that encryption of the other blocks is performed in the program itself by use of that signature. Is it true?
Only 8 bytes are transformed with the dongle. On each step the internal results are stored in the result block for ring3. It's used to crypt the rest of the data.

Quote:
Originally Posted by toro
However, I found some of the function numbers, but not all of them. Can you help me?
Just call the function you need and look at the +0x18 field in the driver.
#20
09-10-2004, 20:43
toro
Hi Nikita,

Quote:
Only 8 bytes are transformed with the dongle. On each step the internal results are stored in the result block for ring3. It's used to crypt the rest of the data.
You are right. My question: is it possible to make another hl_code result with this internal result? In other words, is this internal result the hardlock signature?

Quote:
Just call the function you need and look at the +0x18 field in the driver.
Again you are right, but some functions such as hl_meminf call more than one function. For example, hl_meminf's function numbers are 0x17, 0x14, 0x15. Is it true? I want the meaning of these functions if possible.

Thanks.
toro
#21
09-12-2004, 22:03
toro
Hi Nikita,

Are you there?

Finally I found an application that uses version 2 of the algo. After completion of my emulator, when I work with bistro2.5, I see that the function numbers are incorrect. So I tested the calls to the driver and found version 2 in hlvdd. I wonder that hlvdd is packed with UPX; I unpacked it manually (is there an unpacker that unpacks UPX-packed DLLs automatically?).

You didn't answer my last question. Previously I read in another forum that for emulation of the hl_code function, 8kB of hl_code blocks is needed (meteo), but as I see in hlvdd, a signature is returned from the driver with which the caller can calculate the encrypted data blocks. Is it true?

toro.
#22
09-12-2004, 22:53
nikita@work
Quote:
Originally Posted by toro
Finally I found an application that uses version 2 of the algo. After completion of my emulator, when I work with bistro2.5, I see that the function numbers are incorrect. So I tested the calls to the driver and found version 2 in hlvdd.
Are you surprised that Aladdin used the latest API in their own product? ;)

Quote:
Originally Posted by toro
Previously I read in another forum that for emulation of the hl_code function, 8kB of hl_code blocks is needed (meteo), but as I see in hlvdd, a signature is returned from the driver with which the caller can calculate the encrypted data blocks. Is it true?
This 8-byte hash is valid only for the current block. For another block it would be different. And about the 8kb table... yes, HL can be universally emulated with such a table. The private function has been known since 1992.
#23
09-13-2004, 01:21
toro
Hi Nikita,

Thanks for your reply, and forgive me for my questions.
I added version 2 of the algo to my driver and it is completed. I decided to start the same project on HASP. Can you compare hardlock and HASP from the packet encryption point of view?

Previously you said that there are 2 versions of the enc\dec algo for sentinel. Do you know there are 3?

toro
#24
09-13-2004, 02:04
nikita@work
Quote:
Originally Posted by toro
I decided to start the same project on HASP. Can you compare hardlock and HASP from the packet encryption point of view?
Actually the same, but for some model-specific fields other routines are used. In fact it's a "union".

Quote:
Originally Posted by toro
Previously you said that there are 2 versions of the enc\dec algo for sentinel. Do you know there are 3?
Hm... Maybe it's a very, very old one or the newest one (for example from an UltraPro key)... so it would be interesting to see.
#25
09-13-2004, 03:21
toro
Hi Nikita,

For sentinel enc\dec version detection, I use (packet+0x4). I saw that in SuperPro 6.3 this memory address contains 0x7. In the last versions I saw 0x6. So I decided to use this memory address for detection of the version. Am I right?

However, in a target where this memory address contains 6, I saw 2 different algos, both of them in the shell.

toro.
#26
09-13-2004, 04:06
nikita@work
Quote:
Originally Posted by toro
For sentinel enc\dec version detection, I use (packet+0x4). I saw that in SuperPro 6.3 this memory address contains 0x7. In the last versions I saw 0x6. So I decided to use this memory address for detection of the version. Am I right?
Try to reverse the driver. It contains decrypt routines for all models... and they are all different. So when I talked about two versions I meant only SSPro keys.
#27
09-14-2004, 13:33
isnull
Aladdin released a new dongle with an AES crypt algo.
hppt://www.ealaddin.com/hasp/hasphl.asp

And a new HASP HL driver - ver 5.11
_ftp://ftp.ealaddin.com/pub/hasp/hl/windows/installed/redistribute/drivers/HASPDinst.zip

CD _ftp://ftp.ealaddin.com/pub/hasp/hl/HASP_HL_CD_1.10.iso
Tools _ftp://ftp.ealaddin.com/pub/hasp/hl/windows/HASP_HL_For_Windows.zip
#28
09-16-2004, 20:41
toro
Hi Nikita,

I found another algo version in sx32w.dll version 5.0.0.0. It is used by rnbosprofunctions and its packet version is 4; also the packet size is 0xffc, which is much bigger than in versions 6 and 7.

toro
#29
08-17-2005, 18:50
papi
Hello Nikita.
Can you send the hl_struct structure to me too?
Thanks.
#30
09-12-2005, 07:26
learner38
Hello Nikita.
Can you send the hl_struct structure to me too? Or share it here.
Thanks.
All times are GMT +8.