HARDLOCK emulator

Quote:

Originally Posted by toro

after some study on data transfer between hardlock protected program and driver i found that all of data transfer is performed via deviceiocontrol.
there are 2 level of encryption on hl_api packet. i gess first level enc is function specefic. second level is done. have anyone any idea about first level encryption algo?
toro.

First of all you need last two versions of hardlock.sys because they contain different packet crypt code. And both do it inside virtual machine. Code of VM and p-code obfuscated.
Good luck.

[toro]

hi nikita@work

i tested many programs that protected with hardlock. i can devide those programs in 2 category. in category 1 there is no encryption on hl_api packet (possiblly drivers before 2.85) and in category 2 (drivers after 2.85) i have found one kind of encryption but in 2 level. the level 2 of encryption is very easy to emulate. it use a seed that stored in offset (hl_api+0xBC).
but in level 1 the packet is partially encrypted. are you see this thing too?

however are you have any info on hl_api structure, i was studied it but not completly.

toro.

Quote:

Originally Posted by toro

i tested many programs that protected with hardlock.

Last version of HL & HASP API was released more than year ago, but practically nobody use it. That's why I reversed driver.

Quote:

Originally Posted by toro

the level 2 of encryption is very easy to emulate. it use a seed that stored in offset (hl_api+0xBC). but in level 1 the packet is partially encrypted. are you see this thing too?

Right. Each field of packet have it's own encrypt/decrypt routine in p-code. Some of them in native code. And pay attention on field +0xBD - it's a version of crypt algo.

Quote:

Originally Posted by toro

however are you have any info on hl_api structure, i was studied it but not completly.
toro.

Only standard part from SDK.

[toro]

hi nikita@work

can you explain p-code? i see all encryption routin in native. i saw that level 2 is performed on some portion of begining of hl_api. (first 64 byte) is it true?

however i need some info about sequence of data transfer between driver and program when program call hl_code function. i see that when program call this function some call to deviceiocontrol with different buffersize is happen. and another question: some call to deviceiocontrol with buffersize=4 and 6 is happen why?


toro.

Quote:

Originally Posted by toro

can you explain p-code? i see all encryption routin in native. i saw that level 2 is performed on some portion of begining of hl_api. (first 64 byte) is it true?

I think you working with old version o hl api. It's true but newest versions of packet crypt algo written in p-code. And algo different (version stored in +0xBD filed).

Quote:

Originally Posted by toro

and another question: some call to deviceiocontrol with buffersize=4 and 6 is happen why?

For example one of these short questions detect softice
Try to see how packet forms while HL_INIT/HL_READ/HL_CODE. It's enough.

[toro]

hi nikita@work

during last day i was working on level 1 of encryption. till now i have written 25 function to decode 25 field of hl_struct, some of fields are remained.
however i work with hl_api version 383, is it old? i download it from aladdin ftp.
are you have any info about structure of hl_struct? i found usage of some of field in hl_struct, such as major and minor api version, refkey and verkey, memory address and memory content , program processid , status code and modad . but i don't found usage of other fields. can you help me?

the seed is a word that start at hl_struct+0xbc.

toro.

Quote:

Originally Posted by toro

during last day i was working on level 1 of encryption. till now i have written 25 function to decode 25 field of hl_struct, some of fields are remained.
however i work with hl_api version 383, is it old? i download it from aladdin ftp.

What version stored in +BA field?
0 - no crypt
1 - first version
2 - second version

Quote:

Originally Posted by toro

are you have any info about structure of hl_struct?

Sent via PM.