Reverse Engineering RET Homepage RET Members Reverse Engineering Projects Reverse Engineering Papers Reversing Challenges Reverser Tools RET Re-Search Engine Reverse Engineering Forum Reverse Engineering Links

Go Back   Reverse Engineering Team Board > Reverse Engineering Board > Reverse Code Engineering
FAQ Members List Calendar Search Today's Posts Mark Forums Read

Reply
 
Thread Tools Display Modes
  #1  
Old 12-18-2012, 05:49 AM
oxident oxident is offline
Member
 
Join Date: Jul 2011
Posts: 49
Default VUSBBUS Type 0xEA -> MK?

Hi!

I'm trying to convert a VUSBBUS dongle to Multikey (for x64 support) and I'm quite unsure how to dump the virtual dongle because I've never seen this "type" (0xEA) before. Therefore, none of my favorite dumping tools detect the dongle.

Windows recognizes a SafeNet HASP Key, Sentinel HL Key and USB Key.

Here's the current reg branch:
Code:
REGEDIT4
[HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\ru-board\gamebit0\Dump\23957ce5]
"Name"=""
"Copyright"="Copyright (C) 2009 t"
"Created"="14/09/2009 11:02:41"
"SN"=dword:1147968f
"Type"=dword:000000EA
"Memory"=dword:00000001
"SecTable"=hex:00,00,00,00,00,00,00,00
"NetMemory"=hex:00,00,00,00,00,00,00,00,00,00,00,00
"Option"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00
"Data"=hex:\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
"ColumnMask"=dword:00000000
"CryptInitVect"=dword:00000000
I know it looks quite useless but the underlying application is already partially patched and therefore the dongle memory isn't relevant anymore. It only checks the presence of the dongle...

Thanks for any help!
Reply With Quote
  #2  
Old 12-18-2012, 06:39 AM
kjms kjms is offline
Senior Member
 
Join Date: Aug 2009
Posts: 336
Default

for multikey
12 - Time HASP 3
0A - HASP4 M1 (deafult)
1A - HASP4 Time
EA - HASP HL
DA - HASP HL Time
Code:
REGEDIT4
[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Multikey\Dumps\23957ce5]
"DongleType"=dword:00000001
"SN"=dword:1147968f
"Type"=dword:000000EA
"Memory"=dword:00000001
"SecTable"=hex:00,00,00,00,00,00,00,00
"NetMemory"=hex:00,00,00,00,00,00,00,00,00,00,00,00
"Option"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00
"Data"=hex:\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
"ColumnMask"=dword:00000000
"CryptInitVect"=dword:00000000
Reply With Quote
  #3  
Old 12-18-2012, 08:38 AM
oxident oxident is offline
Member
 
Join Date: Jul 2011
Posts: 49
Default

Thanks for making that clear. I've already tried this by taking a look at MK's examples. Unfortunately this results in a non-starting akusb service (Code 10) but I'll keep trying!
Reply With Quote
  #4  
Old 12-19-2012, 01:46 AM
nodongle nodongle is offline
Senior Member
 
Join Date: Oct 2007
Posts: 299
Default

Dongle type bit flags:
0x01 HARDLOCK
0x02 HASP3
0x04 ?
0x08 HASP4
0x10 RTC
0x20 AES
0x40 New Int.Func
0x80 Monster ASIC

So, 0xEA = 0x80 | 0x40 | 0x20 | 0x08 | 0x02
Reply With Quote
  #5  
Old 12-19-2012, 05:36 AM
oxident oxident is offline
Member
 
Join Date: Jul 2011
Posts: 49
Default

Unfortunately, this one doesn't work. Dongle gets detected by Windows (as it would using VUSBBUS) but the application won't "see" the dongle.

I've tried to "swap" the PW from 0x2395 0x7ce5 to 0x7ce5 0x2395 but that won't make any difference. Even if I adapt the values for ColumnMask and CryptInitVect to the one from the MK example reg file it won't make any difference.

Maybe someone could take a look at the attached DMP file (created by h5dmp on a system with a working VUSBBUS dongle). The memory dump was completely empty so it's not included...
Attached Files
File Type: zip hasp.zip (296 Bytes, 69 views)
Reply With Quote
  #6  
Old 12-19-2012, 05:09 PM
Lomex Lomex is offline
Senior Member
 
Join Date: Dec 2009
Posts: 139
Default

The dongle dump posted by kjms is working for 100% !!!
You can also try to change the dongle number. Maybe it got blacklisted....

I know it. Already tested in the past

That means, somewhere you did something wrong.

And this is one of the stupid apps, which does not expect to have anything usefull in the dump, except the dongle number.
Reply With Quote
  #7  
Old 12-19-2012, 07:26 PM
oxident oxident is offline
Member
 
Join Date: Jul 2011
Posts: 49
Default

Hmm, I would also say that the reg file should work perfectly but it's quite strange that it won't work in conjunction with MK x64 (which serves a dongle for another application quite well) but it does when using VUSBBUS on x86.

I don't expect blacklisting by the application itself because the same executable works fine on the x86 system.

So the only possibilities I can think of are:

- akusb driver on x64 detects MK (or is blacklisting the dongle), although I've already modified the registry key names
- VUSBBUS has been somehow modified/patched

Unfortunately, the only way I know to "spy" the communication between the target, akusb and MK on an x64 system is to use API Monitor's hook to CreateFile because TORO's logging tools won't work on x64.

API Monitor logs several attemps to open an USB device with a vendor ID 0x5b2 which isn't present in my system. The vid provided by MK (and VUSBBUS on the x86 system) is different and this particular CreateFile call won't happen on the (working) x86 installation...
Reply With Quote
  #8  
Old 12-19-2012, 08:02 PM
Lomex Lomex is offline
Senior Member
 
Join Date: Dec 2009
Posts: 139
Default

Again. It works with simple MK V1.8.0.3 or MK V1.8.10 for 64 Bit.

Didnt I wrote that I ALREADY TESTED it completly on Win 7 - 64 Bit SP1 !!!

NO waste of time needed to check or debug something. You better check your Hast Drivers. Maybe delete everthying of the Hasp drivers and install an older one.
Reply With Quote
  #9  
Old 12-20-2012, 02:51 PM
oxident oxident is offline
Member
 
Join Date: Jul 2011
Posts: 49
Default

I did understand you but I have to admit that the target has been somehow "pre-patched" or crippled (by someone else) and I really suspect there's something wrong. I already tried different hasp drivers (5.5 to 6.9) on three different systems and a VM.

Now I'll suspend this until I get an untouched release of the target... but thanks for confirming that the dump should work!
Reply With Quote
  #10  
Old 12-21-2012, 07:01 AM
Lomex Lomex is offline
Senior Member
 
Join Date: Dec 2009
Posts: 139
Default

Yes. The Installer you have is prepatched by some IDIOT.

Get the "untouched" Retail DVD and your problems are gone.
Reply With Quote
Reply


Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

vB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Forum Jump





Powered by vBulletin® Version 3.6.4
Copyright ©2000 - 2020, Jelsoft Enterprises Ltd.