Reverse Engineering RET Homepage RET Members Reverse Engineering Projects Reverse Engineering Papers Reversing Challenges Reverser Tools RET Re-Search Engine Reverse Engineering Forum Reverse Engineering Links

Go Back   Reverse Engineering Team Board > Reverse Engineering Board > Reverse Code Engineering
FAQ Members List Calendar Search Today's Posts Mark Forums Read

Reply
 
Thread Tools Display Modes
  #1  
Old 04-15-2010, 04:27 AM
gus gus is offline
Senior Member
 
Join Date: Nov 2007
Posts: 331
Default How to extract/resolve the dtable "30"?

How to extract the dtable "30"?

hi all
I have this file. reg, and I could create Dtable "10", but the program asks for the tables "30"
the tables could be drawn from memory with hexedit, but I can not extract the "30"
could someone help me?

reg file : http://rapidshare.com/files/376088872/type3.html
tables : http://rapidshare.com/files/37608927..._tabl.rar.html
software : typ e-ed it 200-7
log file : http://rapidshare.com/files/376089951/NoName.txt.html

Does anyone have the complete file, v.2007 or v.2008?

thanks
Reply With Quote
  #2  
Old 04-15-2010, 06:18 AM
Git Git is offline
Super Moderator
 
Join Date: Oct 2007
Location: Torino
Posts: 1,797
Default

There are two reasons for Q/A pairs being used. The common one is when the whole program exe is wrapped in the shell/envelope. The Q/A values for this are stored in data arrays and are easily extracted, they are always 16 bytes (0x10) long. The second reason is correct use of the API, where the program will make random encrypt/decrypt calls to ensure the dongle is still there, or to decrypt some data or code used in the program. In those cases, the Q/A pairs can be 16, 32 or 48 bytes (0x10, ox20 or 0x30) long. These Q/A pairs are not stored in the program, so you have to use a logger/monitor to capture them while your program is running.

Git
Reply With Quote
  #3  
Old 04-15-2010, 07:17 AM
gus gus is offline
Senior Member
 
Join Date: Nov 2007
Posts: 331
Default


thanks git
Reply With Quote
  #4  
Old 10-26-2010, 09:19 AM
soh73 soh73 is offline
Member
 
Join Date: Dec 2009
Posts: 7
Default Please upload reg table dmp for typeedit 2007

GUS

Please upload reg table dmp for typeedit 2007
i have no dongle so upload dumps
thanks
Reply With Quote
  #5  
Old 10-26-2010, 11:38 AM
gus gus is offline
Senior Member
 
Join Date: Nov 2007
Posts: 331
Default

no dongle impossible extract Q/A "30:"
Reply With Quote
  #6  
Old 10-26-2010, 12:09 PM
nodongle nodongle is offline
Senior Member
 
Join Date: Oct 2007
Posts: 320
Default

Emulate envelope queries is not enough.
You need analyze the protected files.
Reply With Quote
  #7  
Old 12-11-2010, 12:41 AM
SonofabiT SonofabiT is offline
Senior Member
 
Join Date: Dec 2008
Posts: 351
Default

Quote:
Originally Posted by Git View Post
The second reason is correct use of the API, where the program will make random encrypt/decrypt calls to ensure the dongle is still there, or to decrypt some data or code used in the program. In those cases, the Q/A pairs can be 16, 32 or 48 bytes (0x10, ox20 or 0x30) long. These Q/A pairs are not stored in the program, so you have to use a logger/monitor to capture them while your program is running.
Let us preassume that we would not use logger/monitor to catch the Q/A pairs which are not be stored in the program.
Is it possible to catch them from disassembler/debugger by applying some hasphl signatures ?

@ all - Is it possible to retrieve p1 & p2 of hasp4/hl dongle from "decrypting" a log of USB protocal analyzer softwares such as USBTrace ?
Reply With Quote
Reply


Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

vB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Forum Jump





Powered by vBulletin® Version 3.6.4
Copyright ©2000 - 2022, Jelsoft Enterprises Ltd.