Reverse Engineering Team Board

Thread: Rockey4 Emulator (http://www.reteam.org/board/showthread.php?t=594), in the Reverse Code Engineering forum (http://www.reteam.org/board/forumdisplay.php?f=23) of the Reverse Engineering Team Board (http://www.reteam.org/board/index.php)

ngoksun 12-13-2007 10:28 AM

As far as I know, softcrk was a real Rockey4 expert. He can emu this dongle better than the nodongle.biz team.
Actually, the RY_Seed function just depends on the HID and the Basic PW1&PW2; the Advanced PW3&PW4 are used for the user algo function. ;)

pivasik 12-13-2007 06:02 PM

Quote:

Originally Posted by cEnginEEr (Post 4801)
BWAHAHHAHAHA.. nodongle.biz.. HEHEEE... so you are here just to advertise nodongle... ;)

PS: I'm 100% sure that the www.nodongle.biz team does not have a full emul for Rockey4.. contact me if you desire and I can prove it;

I don't think that he wants to advertise nodongle.
Also, I confirm that the nd.biz team never had or proposed a universal (full) solution for Rockey 3/4/5/6 dongles. All solutions were software-specific.

Quote:

Originally Posted by ngoksun
He can emu this dongle better than nodongle.biz team.

Don't want to flame here, but LOL... A solution should be as simple as possible, but not simpler. It means that if you want a solution for specific software, you can make and use it, regardless of its internals or implementation. It can be a bithack, loader, emulation, etc. Universal vs specific solutions are like an atomic bomb vs a gun.

p.s. (special for cEnginEEr) exactly, the nd.biz team does not exist at all in the common sense of the word "team". And... thanks for good releases on the scene.

cEnginEEr 12-14-2007 05:46 AM

well, after a long time an interesting thread has begun and hopefully it won't die so soon... :cool:

Quote:

Originally Posted by ngoksun (Post 4805)
As I know, softcrk was real Rockey4 expert....

hmmm.... well, the emul itself is totally VMProtected and there is no chance for direct analysis, so I coded a simple filter driver for monitoring R4 API calls; I ran "E4_NOTEPAD_SHELL_TEST.EXE" 3 times and found the following output in the logger...

Code (run 1):

RY_Find  |  P1:1111,P2:2222,P3:0000,P4:0000 LP1:00000001 -> Ret:0000
RY_Open  |  P1:1111,P2:2222,P3:0000,P4:0000 LP1:00000001,LP2:00000001,Handle:0000 -> Ret:0000
RY_Seed  |  P1:9ACC,P2:139A,P3:2FD7,P4:DFA0 LP2:00001000 -> Ret:0000
RY_Close |  Handle:0000 -> Ret:0000
RY_Seed  |  P1:1111,P2:2222,P3:0000,P4:0000 LP2:0016EAB3 -> Ret:0000
RY_Seed  |  P1:1111,P2:2222,P3:0000,P4:0000 LP2:0016FE3B -> Ret:0000
RY_Seed  |  P1:1111,P2:2222,P3:0000,P4:0000 LP2:001711C3 -> Ret:0000
RY_Seed  |  P1:1111,P2:2222,P3:0000,P4:0000 LP2:0017254B -> Ret:0000
RY_Seed  |  P1:1111,P2:2222,P3:0000,P4:0000 LP2:001738D3 -> Ret:0000
RY_Seed  |  P1:1111,P2:2222,P3:0000,P4:0000 LP2:00174C5B -> Ret:0000
RY_Seed  |  P1:1111,P2:2222,P3:0000,P4:0000 LP2:00175FE3 -> Ret:0000
RY_Seed  |  P1:1111,P2:2222,P3:0000,P4:0000 LP2:0017736B -> Ret:0000
RY_Seed  |  P1:1111,P2:2222,P3:0000,P4:0000 LP2:001786F3 -> Ret:0000

Code (run 2):

RY_Find  |  P1:1111,P2:2222,P3:0000,P4:0000 LP1:00000001 -> Ret:0000
RY_Open  |  P1:1111,P2:2222,P3:0000,P4:0000 LP1:00000001,LP2:00000001,Handle:0000 -> Ret:0000
RY_Seed  |  P1:9ACC,P2:139A,P3:2FD7,P4:DFA0 LP2:00001000 -> Ret:0000
RY_Close |  Handle:0000 -> Ret:0000
RY_Seed  |  P1:1111,P2:2222,P3:0000,P4:0000 LP2:00022C36 -> Ret:0000
RY_Seed  |  P1:1111,P2:2222,P3:0000,P4:0000 LP2:00023FCE -> Ret:0000
RY_Seed  |  P1:1111,P2:2222,P3:0000,P4:0000 LP2:00025356 -> Ret:0000
RY_Seed  |  P1:1111,P2:2222,P3:0000,P4:0000 LP2:000266ED -> Ret:0000
RY_Seed  |  P1:1111,P2:2222,P3:0000,P4:0000 LP2:00027A75 -> Ret:0000
RY_Seed  |  P1:1111,P2:2222,P3:0000,P4:0000 LP2:00028DFD -> Ret:0000
RY_Seed  |  P1:1111,P2:2222,P3:0000,P4:0000 LP2:0002A185 -> Ret:0000
RY_Seed  |  P1:1111,P2:2222,P3:0000,P4:0000 LP2:0002B50D -> Ret:0000

Code (run 3):

RY_Find  |  P1:1111,P2:2222,P3:0000,P4:0000 LP1:00000001 -> Ret:0000
RY_Open  |  P1:1111,P2:2222,P3:0000,P4:0000 LP1:00000001,LP2:00000001,Handle:0000 -> Ret:0000
RY_Seed  |  P1:9ACC,P2:139A,P3:2FD7,P4:DFA0 LP2:00001000 -> Ret:0000
RY_Close |  Handle:0000 -> Ret:0000
RY_Seed  |  P1:1111,P2:2222,P3:0000,P4:0000 LP2:00040905 -> Ret:0000
RY_Seed  |  P1:1111,P2:2222,P3:0000,P4:0000 LP2:00041C8D -> Ret:0000
RY_Seed  |  P1:1111,P2:2222,P3:0000,P4:0000 LP2:00043024 -> Ret:0000
RY_Seed  |  P1:1111,P2:2222,P3:0000,P4:0000 LP2:000443BC -> Ret:0000
RY_Seed  |  P1:1111,P2:2222,P3:0000,P4:0000 LP2:00045744 -> Ret:0000
RY_Seed  |  P1:1111,P2:2222,P3:0000,P4:0000 LP2:00046ACC -> Ret:0000
RY_Seed  |  P1:1111,P2:2222,P3:0000,P4:0000 LP2:00047E54 -> Ret:0000
RY_Seed  |  P1:1111,P2:2222,P3:0000,P4:0000 LP2:000491DC -> Ret:0000

Here I can see that each time the first call to RY_SEED returns the correct answers; using this value R4SELL calculates a 192-bit DES key and decrypts the software itself. For the rest of the RY_SEED calls, which are performed for envelope background checks, the emulator simply returns the basic passwords, which are totally useless; I know that neither the envelope nor the software itself uses them, and the SW successfully starts. What I was saying is that this can't be a universal solution, but a custom emul;

@Softcrk: if you really have the hardware algo of R4, then why doesn't your emul simply calculate the right answer for all of the RY_SEED requests?

Quote:

Originally Posted by ngoksun (Post 4805)
...Actually, RY_seed function just depend on the HID and Basic PW1&PW2...

I disagree.. you have missed Adv.P3, Adv.P4; ;)

Quote:

Originally Posted by ngoksun (Post 4805)
...the Advanced PW3&PW4 is used for user algo function.;)

user algos are defined by the user and their result/calculation has nothing to do with the advanced passwords. You need PW3&PW4 just for writing the algos to the dongle...

Quote:

Originally Posted by pivasik (Post 4812)
....Universal vs specific solutions like atomic bomb vs gun....

Methinks exactly the same.

Regards
___________
cEnginEEr
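As an added example (not cEnginEEr's filter driver or any code from this thread), here is a small Python parser for the monitor log format shown above. It rejoins the lines the board wrapped after the API name and separates the RY_Seed calls whose P1..P4 hold a computed answer from those where the logger still shows the basic passwords, which is the check the post walks through by eye; the 1111/2222 basic password pair and the sample lines are taken from run 1 of the log.

```python
import re

# Constructed sample: a few lines of cEnginEEr's monitor log from this
# thread (run 1), one of them wrapped the way the board rendered it.
SAMPLE_LOG = """\
RY_Find  |  P1:1111,P2:2222,P3:0000,P4:0000 LP1:00000001 -> Ret:0000
RY_Open  |  P1:1111,P2:2222,P3:0000,P4:0000 LP1:00000001,LP2:00000001,Handle:0000 -> Ret:0000
RY_Seed  |  P1:9ACC,P2:139A,P3:2FD7,P4:DFA0 LP2:00001000 -> Ret:0000
RY_Close |  Handle:0000 -> Ret:0000
RY_Seed
|  P1:1111,P2:2222,P3:0000,P4:0000 LP2:0016EAB3 -> Ret:0000
RY_Seed  |  P1:1111,P2:2222,P3:0000,P4:0000 LP2:0016FE3B -> Ret:0000
"""

LINE_RE = re.compile(r"^(\w+)\s*\|\s*(.*?)\s*->\s*Ret:([0-9A-Fa-f]+)\s*$")
FIELD_RE = re.compile(r"(\w+):([0-9A-Fa-f]+)")


def parse_log(text):
    """One dict per API call (api, ret, plus the logged P/LP/Handle fields).
    An API name left alone on its line is rejoined with the "|" line below."""
    calls, pending = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("|"):      # continuation of a wrapped line
            line, pending = pending + " " + line, ""
        elif "|" not in line:         # API name alone, fields follow
            pending = line
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError("unparsable log line: " + line)
        call = {"api": m.group(1), "ret": m.group(3)}
        call.update(FIELD_RE.findall(m.group(2)))
        calls.append(call)
    return calls


def classify_seed_calls(calls, basic_pw=("1111", "2222")):
    """Return (computed, echoed) lists of LP2 seed values: 'computed' when
    P1..P4 hold a transformed answer, 'echoed' when they still show the
    basic passwords, i.e. nothing was calculated for that seed."""
    computed, echoed = [], []
    for c in calls:
        if c["api"] == "RY_Seed":
            (echoed if (c["P1"], c["P2"]) == basic_pw else computed).append(c["LP2"])
    return computed, echoed
```

Run over the full three-run log above, every run yields one computed seed (LP2 00001000) and eight echoed ones.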

Softcrk 12-14-2007 08:16 AM

Quote:

Originally Posted by cEnginEEr (Post 4816)
well, after a long time an interesting thread has begun and hopefully it won't die so soon... :cool:
...

You are the master:) ..................
You too were formidable.............

cEnginEEr 12-14-2007 08:27 AM

Quote:

Originally Posted by Softcrk (Post 4818)
You are the master:) ..................
You too were formidable.............

Don't get me wrong, Softcrk, I'm not trying to prove anything about myself at all... your work is very good and no one can deny it; I just asked some questions to clarify the state of the emulator.

Softcrk 12-14-2007 09:35 AM

Quote:

Originally Posted by cEnginEEr (Post 4819)
Don't get me wrong, Softcrk, I'm not trying to prove anything about myself at all... your work is very good and no one can deny it; I just asked some questions to clarify the state of the emulator.

You are the best one that I have ever seen at analysis and debugging.
My driver is made by myself.
This is a DEMO publish.
I can emul all of the API.
The driver: I can do the universal publish, but I do not want to do the universal publish.
There is something personal, so I do not talk about it on the internet.
For the results, wrong or right, I just know,
and I think that you know, too.
All of the dongle shell is the most difficult: algo or use a table-based method.
I can do anything to approach the right result.
I come from Taiwan.
I am not good at ENGLISH.
This paper was written for me by someone.
Give me your e-mail address, I want to talk with you more.
:D

BfoX 12-15-2007 04:50 AM

The RY_Seed function depends on the Basic PW1&PW2 ONLY.

The old shell can be removed without the dongle. The new shell uses a 3DES cipher and needs knowledge of the algo, or a table made for it, to remove it.

Softcrk 12-15-2007 05:10 AM

Quote:

Originally Posted by BfoX (Post 4838)
The RY_Seed function depends on the Basic PW1&PW2 ONLY.

The old shell can be removed without the dongle. The new shell uses a 3DES cipher and needs knowledge of the algo, or a table made for it, to remove it.

New shell always success

:D

BfoX 12-15-2007 05:15 AM

Quote:

Originally Posted by Softcrk (Post 4839)
New shell always success :D

Show it here :P

Softcrk 12-15-2007 05:21 AM

Quote:

Originally Posted by BfoX (Post 4840)
Show it here :P


Can you emulate the new shell?
Give me your shell software and monitoring data or debug dongle data..... I'll make it

please mail to softcrk@gmail.com or softcrk@hotmail.com

