#201 unforgiven (Member), 07-18-2008, 08:50 AM

Quote:
What emulation do you recommend?

You must extract the pair table from .Protect.
And it needs software installation and Deluging experience.
As far as I know, Sporaw has a full (universal) solution for HL Max with envelope.

#202 Freeware (Member), 07-18-2008, 09:04 PM

Quote:
You must extract the pair table from .Protect.

Exactly from where? Toro Monitor?

Quote:
And it needs software installation and Deluging experience.

My software, or what kind of software do you mean? Can you explain in 2-3 words what the "deluging experience" is?

Quote:
As far as I know, Sporaw has a full (universal) solution for HL Max with envelope.

But is he willing to help me with his solution?

#203 benito (Senior Member), 07-19-2008, 01:41 AM

Debugging experience... it doesn't need any other explanation.
If you still don't know what we are talking about: http://en.wikipedia.org/wiki/Debugging

BR

#204 Freeware (Member), 07-19-2008, 04:11 AM

10x I started a new topic about my problem

#205 viperware (Junior Member), 08-15-2008, 05:45 AM

Quote:
Originally Posted by bloodlust026
First post here...

I have the same problem. I start the monitor and then my software. It starts to read the table keys and then software gives an error and monitor stops. I tried both Toro and Xyrurg&Sataron. It gives me less than 100 table keys. I save log file and convert to dump file. Then convert to registry. I add the Q/A tables to registry file. I add file to registry and then try to run my software. It gives me error "Unknown Envelope". I think that SW detects monitor and stops the table generation. Is there a way to hide the monitor from SW?

I was able to get the dump files from the dongle and the passwords. Is it possible to emulate a dongle without getting the Q/A tables?

(Using Hasp HL 2.16)

I think I am getting the same problem. I have dumped my dongle and converted it to a .reg file. But my software detects the use of both TORO's and Sataron's dongle monitors. Since I have my reg file, I think all I need now is my Q/A tables, but I have not been able to log them yet. I was able to monitor the dongle during the installation of my software, and I did log some information. I also tried starting Toro monitor after software startup. The result is my software begins to react strangely.
My log file says I have logged 109 pairs. Is this amount standard? These were logged during installation of software only, I have no Q/A pairs logged from operating the software. My next guess is to attempt to monitor with busTrace 6.0. Has anyone tried monitoring for Q/A pairs with this software? I have also logged the installation of my software with Sataron's logger.
If anyone is curious, I can post log files as well. Thanks for any info.

#206 Freeware (Member), 08-18-2008, 03:22 AM

try to install the usb filter first
__________________
I hope those who helped me with my dongle will win the lottery, find a great wife, have a long and happy lasting marriage and have healthy children. I really wish for this...

#207 Freeware (Member), 08-18-2008, 08:24 AM

double post
__________________
I hope those who helped me with my dongle will win the lottery, find a great wife, have a long and happy lasting marriage and have healthy children. I really wish for this...

#208 Sinaptik (Junior Member), 08-25-2008, 02:11 PM
Clarification request

Hi to everyone,

First, I would like to thank all participants of this topic for the great information and sources for the HL Max dongle.

So, I need some help with a dongle; here are my questions.

I got a dongle from my work, it's an HL Max one (green USB).
The software protected with it seems to use random QA pairs.

My first question is about QA pairs, if I got something like that:

Code:
2008/08/25  17:43:06.812	 ==> HaspHL_decrypt: Status = 0x00
==================================================================
2008/08/25  17:43:06.875	 <== Application: C2.EXE
2008/08/25  17:43:06.875	 <== HaspHL_decrypt: Pass1 = 0x795F (31071), Pass2 = 0x1F82 (8066)
2008/08/25  17:43:06.875	 <== HaspHL_decrypt: Length = 0x30
2008/08/25  17:43:06.875	 <== HaspHL_decrypt: Input Data = 
2008/08/25  17:43:06.875	
  4B BE E8 6D | 82 9D 42 CF | 8D 7A 49 35 | A4 5A 56 F0 	[K..m..B..zI5.ZV.]
  7F B3 B6 AE | 4D 05 09 A1 | 8F 6C 5B 70 | 30 AD C2 61 	[...M....l[p0..a]
  26 D3 DB FC | E5 6F 48 4B | 84 CE E2 EE | 56 0B 74 58 	[&....oHK....V.tX]

2008/08/25  17:43:06.937	 ==> HaspHL_decrypt: Output Data = 
2008/08/25  17:43:06.937	
  A4 F4 6B 02 | 39 04 56 C6 | 48 00 64 A1 | 00 00 00 00 	[..k.9.V.H.d.....]
  7F B3 B6 AE | 4D 05 09 A1 | 8F 6C 5B 70 | 30 AD C2 61 	[...M....l[p0..a]
  26 D3 DB FC | E5 6F 48 4B | 84 CE E2 EE | 56 0B 74 58 	[&....oHK....V.tX]

Am I right in saying it's a 48-byte key?
If so, the question has to be encoded in 1 line in the QTable and 1 line in the ATable, like the following?

Code:
 4B,BE,E8,6D,82,9D,42,CF,8D,7A,49,35,A4,5A,56,F0,7F,B3,B6,AE,4D,05,09,A1,8F,6C,5B,70,30,AD,C2,61,26,D3,DB,FC,E5,6F,48,4B,84,CE,E2,EE,56,0B,74,58,\

Secondly, it seems I got a 32-byte key and then a 48-byte one that is partially the same as the 32-byte one; is it common for HL protected software to act like this?
Here's an example to illustrate what I mean:

Code:
2008/08/25  17:43:07.000	 <== HaspHL_decrypt: Input Data = 
2008/08/25  17:43:07.000	
  6A 41 C3 DC | D2 2C F5 40 | 17 C2 BD 89 | C4 82 78 97 	[jA...,.@......x.]
  D2 40 99 BB | 8D E9 03 35 | 6F 75 32 79 | 55 A1 29 4D 	[.@.....5ou2yU.)M]

2008/08/25  17:43:07.062	 ==> HaspHL_decrypt: Output Data = 
2008/08/25  17:43:07.062	
  47 51 3F 7F | 2D 04 B3 C7 | 95 CD 36 EB | 7E 2B 0D 14 	[GQ?-.....6.~+..]
  D2 40 99 BB | 8D E9 03 35 | 6F 75 32 79 | 55 A1 29 4D 	[.@.....5ou2yU.)M]
2008/08/25  17:43:07.062	 ==> HaspHL_decrypt: Status = 0x00
==================================================================
2008/08/25  17:43:07.125	 <== Application: C2.EXE
2008/08/25  17:43:07.125	 <== HaspHL_decrypt: Pass1 = 0x795F (31071), Pass2 = 0x1F82 (8066)
2008/08/25  17:43:07.125	 <== HaspHL_decrypt: Length = 0x30
2008/08/25  17:43:07.125	 <== HaspHL_decrypt: Input Data = 
2008/08/25  17:43:07.125	
  6A 41 C3 DC | D2 2C F5 40 | 17 C2 BD 89 | C4 82 78 97 	[jA...,.@......x.]
  D2 40 99 BB | 8D E9 03 35 | 6F 75 32 79 | 55 A1 29 4D 	[.@.....5ou2yU.)M]
  1D 61 36 95 | E2 FA AC 11 | CC 37 91 13 | 46 6C F2 47 	[.a6......7..Fl.G]

2008/08/25  17:43:07.187	 ==> HaspHL_decrypt: Output Data = 
2008/08/25  17:43:07.187	
  38 50 79 F3 | 2A 0A 19 09 | 8B 55 FC C7 | 82 00 02 00 	[8Py.*....U......]
  D2 40 99 BB | 8D E9 03 35 | 6F 75 32 79 | 55 A1 29 4D 	[.@.....5ou2yU.)M]
  1D 61 36 95 | E2 FA AC 11 | CC 37 91 13 | 46 6C F2 47 	[.a6......7..Fl.G]

Next, I would like to know if the 5 tables with 256 keys each is true information; if so, my software can request 1280 keys which are 16 bytes long?
And it can request a lot more if mixing them to make 32 or 48 bytes long keys, right?

Next, I would like to know why Toro monitor (version 3.2) didn't work at all with this dongle; could it be detected by the software and in some way be deactivated?

Last question, I use Hasploger to log QA pairs but I think it can't help to generate the QA pairs table, so is there any way to make it with another software or do I have to build it manually?
If that's the case, I think I'll try to write a little app which will parse an output log file and make the QA table automatically.
Sataron said he will implement such a function in his hasploger, but I think it doesn't exist yet.
For information, I use Hasploger 1.71, I think it's the last version available.

Thank you for your help and please excuse my poor English, I did my best to be understandable, thanks again.

#209 Git (Super Moderator), 08-25-2008, 02:33 PM

1) Q/R pairs can be 16, 32 or 48 bytes long between the driver and the dongle/emulator.

2) Yes, there is often repetition of a 16 or 32 byte block in the next 32 or 48 byte block. Record exactly what the monitor logs into the reg file. Do NOT try to reorder the data.

3) Not sure where your 5*256=1280 comes from. The Q data is input to the AES encryption algorithm and the R data is the Q data encrypted. It works on 16 byte blocks. So there are an almost infinite number of possible Q/R pairs. Well, OK, 2^128 - 1, not quite infinite but more than the number of hydrogen atoms in the known Universe.

Git

#210 y8y8y8y (Senior Member), 08-25-2008, 02:57 PM

2Sinaptik

The Hasp HL Envelope can contain up to 5 tables of Q/R. For envelope protection, you can extract the 16b Q/A tables for emulator.

Any developer that respects himself will implement more Soft <-> Dongle communications, and in this case, like Git wrote, the number can be ... well.
__________________
Saving the drowning is a job for the drowning themselves.
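
An added example, not part of the thread or any poster's code, written from the protecting vendor's side to illustrate the point in the last two replies: a device that can only repeat recorded Q/R pairs satisfies a check that always asks the same few questions, but not one that draws its questions at random from a large pool. HMAC-SHA256 stands in for the token's AES transform, and every name, key and pool size here is a constructed assumption.

```python
import hashlib, hmac, math, secrets

BLOCK = 16  # per the thread, the transform works on 16-byte blocks

def token_answer(key, q):
    # Stand-in for the token's keyed transform (AES per the thread); stdlib only.
    return hmac.new(key, q, hashlib.sha256).digest()[:BLOCK]

def build_pool(key, n):
    """Vendor side, at build time: n random questions with their answers."""
    pool = {}
    while len(pool) < n:
        q = secrets.token_bytes(BLOCK)
        pool[q] = token_answer(key, q)
    return pool

def verify(device, pool, rounds):
    """App side: ask `rounds` distinct questions drawn at random from the pool."""
    for q in secrets.SystemRandom().sample(list(pool), rounds):
        a = device(q)
        if a is None or not hmac.compare_digest(a, pool[q]):
            return False
    return True

def replay_device(recorded):
    """Models a device that can only repeat previously observed pairs."""
    return lambda q: recorded.get(q)

def replay_pass_probability(pool_size, recorded, rounds):
    """Chance that all `rounds` distinct questions fall in the recorded subset."""
    return math.prod(max(recorded - i, 0) / (pool_size - i) for i in range(rounds))

def demo():
    key = secrets.token_bytes(32)            # constructed key, never shipped in the app
    real = lambda q: token_answer(key, q)
    small = build_pool(key, 4)               # weak: the same 4 questions every run
    large = build_pool(key, 4096)            # stronger: large pool, random draw per run
    seen = dict(list(large.items())[:109])   # constructed: 109 pairs were observed
    return {
        "real_small": verify(real, small, 4),
        "replay_small": verify(replay_device(dict(small)), small, 4),
        "real_large": verify(real, large, 8),
        "replay_large": verify(replay_device(seen), large, 8),
        "p_replay_large": replay_pass_probability(4096, 109, 8),
    }

if __name__ == "__main__": print(demo())
```

The genuine token passes both checks; the replay-only device passes the fixed four-question check and fails the randomized one, with a pass probability of roughly 2e-13 for these constructed sizes.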