
View Full Version : hard1ock envelope without dong1e?


swissknife
November 24th, 2001, 08:14
I'm looking at a prog protected with
hard1ock envelope and I don't own the
dongle.

Before starting an attack I'd like
to know if the HL envelope can be broken
without the original key.

TIA
swissknife

DakienDX
November 24th, 2001, 11:11
Hello swissknife !

A HL-Crypt (Hardlock envelope) protected program cannot be deprotected without the original dongle.

Each dongle has its own unique encryption parameters, and the algorithm (if there is one) is unknown.

MeteO
December 8th, 2001, 21:53
The HL-Code function was already discovered (like the HASP_SEED code), but you need to dump 8 KB of some HL queries. Do not ask me to spread the original sequences to recover the HL-code. It's possible to dump an HL-protected program without the dongle.

DakienDX
December 9th, 2001, 07:23
Interesting, never heard of it before.

According to Aladdin the encryption is different in every dongle, not only the keys. Do you know how it works but don't want to publish it, or have you only read it somewhere? It could be a false report like "I can crack PGP in eight hours". If you don't want to talk about it in public, you can send me an email (or a private message if you like). I would be interested, since I sometimes use Hardlocks myself.

MeteO
December 16th, 2001, 22:03
HL_code was cracked in 1996 by guys at www.safe-key.com; they sell their software emulator. In Russia HL_code was discovered by kab, and some months later by guys at //UCL.

But for successfully emulating a Hardlock dongle you need to dump 8K of dongle data.

DakienDX
December 17th, 2001, 12:38
Hello MeteO !

I know the www.safe-key.com homepage. I have their Hardlock dumper and used it also on some of my dongles. They offered to send an evaluation version of their emulator to people who sent them dongle dumps. I sent them one of my dumps, but then their site went down and I never heard from them again. So if you can tell me where I could get the emulator now (I'm asking for the eval version, so this is no crack/warez request), I could do some more research.

But this does not change the problem. If you don't have the Hardlock, you can't dump it, and therefore you can't unpack it, unless Aladdin uses a weak algorithm or weak keys (which I don't expect).

UrgeOverKill
December 17th, 2001, 17:13
Question: when emulating a dongle, I know there are others out there that use ISA slots, but can emulation be done with PCI cards??

Given that ISA slots are quickly becoming a thing of the past, I would think that cracking the progie would be the method of choice.

I have a few emulating programs, but they require the ISA slots. Can they be converted to use PCI??

scooterk
December 18th, 2001, 01:48
Hi,
I was wondering where to look for a possible schematic to construct a dongle. I happened to see a project once in a book on the AVR microcontroller, but very little info on the web.
scooterk

mueller5321
December 18th, 2001, 05:19
Just for information.
The Hardlock dongle has multiple security features.

First, with your customer number from Aladdin a signature is
written inside a special programming hardware
(programming hardware: ISA or PCI card).
It is also possible to fetch a different signature from a so-called master dongle.
With this signature and a number which you have to insert during programming, the basic dongles are encrypted.
You can only reach them after this on your parallel port via the burned module address.
So you can check if a dongle is available or not by a simple check
with HL_LOGIN with your specific module address
(Customer No. -> Signature; Signature + Module offset -> Module address of the dongle; Signature + ?? + Sub-module offset burned in dongle -> Cipher parameter)

In addition to the module address offset, which you insert during programming, you can insert a second value, the sub-module address. Together with this the crypt algorithm is defined.

But what is interesting to know is that this crypto algorithm is block-based on a specific value. So if the algorithm is known, it seems to be not a big deal to get the correct values for the unknown parameters. The module offset can only be 0 - 31!!
The sub-module offset only 0 - about 30000.
Brute force is possible without a problem.
The first value you must know is the module address.
But this is easy to get: just look at the call of the HL_LOGIN function. The value is on the stack :-)
Together with the evaluation version (no costs) it should be possible to get some additional algorithms, but the main algorithm
for the cipher is only inside the dongle.
Is it somewhere available???
But also there is a possible solution.
The cipher is block-based (8-byte or 64-bit).
Only the first 8 bytes are different; the following blocks of 8 bytes are equal.
So it seems to me, if the envelope uses no additional cipher, it should be possible to crack with a simple cleartext attack.
OK, I know we have not the original dongle, but some parts of code hold more than 16 x 00. So if you get a sequence which is repeated you can get the dongle result.
And also additional information: the algorithm is symmetric :-)
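
The post above argues that a block cipher applied block by block (so that equal 8-byte plaintext blocks give equal 8-byte ciphertext blocks) leaks the structure of a protected program, because code sections contain long runs of zero bytes. The following Python is an added example written for this thread, not code from the thread or from Aladdin: a defender-side check that counts duplicate 8-byte blocks in a buffer, run against a constructed sample buffer encrypted once with a toy block function used independently per block and once with the same toy function chained (CBC-style). The toy "cipher" (64-bit addition of a constant key), the key, the IV and the sample buffer are all constructed stand-ins and have nothing to do with Hardlock's real algorithm; the point is only to show why the independent mode leaks repeated blocks and the chained mode does not.

```python
"""Added example: detect repeated-block leakage in a block-by-block cipher.

Not the thread's or Aladdin's code. The block function, key, IV and sample
buffer below are constructed stand-ins chosen so the output is easy to reason
about; they are NOT Hardlock's algorithm and NOT a real cipher.
"""
from collections import Counter

BLOCK = 8                     # 8-byte / 64-bit blocks, as described in the post
MASK64 = (1 << 64) - 1

# Constructed 64-bit key (odd, so K, 2K and 3K are all non-zero mod 2**64).
SAMPLE_KEY = 0x0123456789ABCDEF
SAMPLE_IV = b"\xA5" * BLOCK   # constructed IV for the chained mode
# Constructed "code section": 24 distinct bytes, a 32-byte run of zeros
# (the post notes code often holds 16+ zero bytes), then 16 more distinct bytes.
SAMPLE_PLAIN = bytes(range(24)) + b"\x00" * 32 + bytes(range(200, 216))


def split_blocks(data: bytes, size: int = BLOCK) -> list:
    """Cut a buffer into fixed-size blocks; a short tail block is kept as-is."""
    return [data[i:i + size] for i in range(0, len(data), size)]


def repeated_block_report(data: bytes, size: int = BLOCK) -> dict:
    """Count full blocks that duplicate an earlier block.

    In ciphertext, a high 'repeated' count means the cipher mode exposes
    which plaintext blocks were equal (the classic ECB weakness).
    """
    blocks = [b for b in split_blocks(data, size) if len(b) == size]
    counts = Counter(blocks)
    repeated = sum(n - 1 for n in counts.values() if n > 1)
    return {
        "blocks": len(blocks),
        "repeated": repeated,
        "ratio": repeated / len(blocks) if blocks else 0.0,
        "max_duplicates": max(counts.values()) if counts else 0,
    }


def toy_block_encrypt(block: bytes, key: int) -> bytes:
    """Stand-in keyed 64-bit block function (constructed, not a real cipher):
    add the key modulo 2**64, treating the block as a big-endian integer."""
    x = int.from_bytes(block, "big")
    return ((x + key) & MASK64).to_bytes(BLOCK, "big")


def encrypt_independent(data: bytes, key: int) -> bytes:
    """Every block encrypted on its own (ECB-style): equal input, equal output."""
    if len(data) % BLOCK:
        raise ValueError("input must be a whole number of blocks")
    return b"".join(toy_block_encrypt(b, key) for b in split_blocks(data))


def encrypt_chained(data: bytes, key: int, iv: bytes) -> bytes:
    """Each block is XORed with the previous ciphertext block before the block
    function (CBC-style), so a run of equal plaintext blocks no longer gives
    a run of equal ciphertext blocks."""
    if len(data) % BLOCK:
        raise ValueError("input must be a whole number of blocks")
    out, prev = [], iv
    for b in split_blocks(data):
        c = toy_block_encrypt(bytes(x ^ y for x, y in zip(b, prev)), key)
        out.append(c)
        prev = c
    return b"".join(out)


if __name__ == "__main__":
    for name, buf in (
        ("plaintext", SAMPLE_PLAIN),
        ("independent", encrypt_independent(SAMPLE_PLAIN, SAMPLE_KEY)),
        ("chained", encrypt_chained(SAMPLE_PLAIN, SAMPLE_KEY, SAMPLE_IV)),
    ):
        print(f"{name:12s} {repeated_block_report(buf)}")
```

Running it shows the independent mode reproducing the plaintext's duplicate count exactly (the four zero blocks become four identical ciphertext blocks), while in the chained mode the same four zero blocks come out as four different ciphertext blocks. The same report function can be pointed at any real protected binary to see whether its envelope leaks structure this way.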

MTB
December 18th, 2001, 19:55
Quote:
Originally posted by scooterk

I was wondering where to look for a possible schematic to construct a dongle. I happened to see a project once in a book on the AVR microcontroller, but very little info on the web.


Scooterk

I have an interesting document that has a schematic and description of how a Sentinel dongle works. Rnboi2c.zip is the file name. If you can't find it on the web, send me a message. There is also somebody on this BB who has a project started to emulate a dongle in hardware.

MTB

scooterk
December 19th, 2001, 00:09
Hi MTB,
I appreciate your response and would like to discuss this further.
Email me ...
scooterk
scooterk88@hotmail.cxm

cah
December 19th, 2001, 11:50
Hayya, Mr. SCOOTERK,

I tried the rnboi2c.zip by google, no result. Please mail me if you have this.

Do you have stuff to duplicate hasps?

thanks in advance

cah...

scooterk
December 20th, 2001, 09:53
I myself was looking for some help on this.. waiting for MTB to contact me, so far no response...
scooterk

cah
December 20th, 2001, 10:46
Hayya, Mr. SCOOTERK

I checked my database, and I downloaded this file from Mr. Crackz's site long ago.

Please check your mail. I can't upload it here; the file size exceeds the max upload size.

cah...

scooterk
December 21st, 2001, 13:22
Hi cah,
I don't have your email, but if you would like to try to email me the file,
that would be great. (I don't know how large it is.)
scooterk
scooterk88@hotmail.com

Thanks cah CYM.. scooterk

ramin_rad2000
March 19th, 2004, 06:13
So guys, if the Hardlock shell can't be defeated, why should anyone use hl_api?!!

nikita@work
March 26th, 2004, 18:26
Quote:
[Originally Posted by ramin_rad2000]So guys, if the Hardlock shell can't be defeated, why should anyone use hl_api?!!


There is always some way.
The envelope can be stripped without the original dongle...

sope
March 27th, 2004, 06:09
Hello nikita@work
Quote:
The envelope can be stripped without the original dongle...

Just curious to ask, are you planning to share info on unpacking the Hardlock envelope without the dongle, or is it still private stuff?

Regards, Sope.

nikita@work
March 27th, 2004, 13:44
Quote:
[Originally Posted by sope]Hello nikita@work
Just curious to ask, are you planning to share info on unpacking the Hardlock envelope without the dongle, or is it still private stuff?

Regards, Sope.


Private, but if you have an envelope version that I don't... it will be interesting for me to support it.

ramin_rad2000
March 30th, 2004, 06:09
Quote:
[Originally Posted by nikita@work]Private, but if you have an envelope version that I don't... it will be interesting for me to support it.

So which version do you need? We have been using Hardlock for 2 years now; maybe I can find something.

nikita@work
March 30th, 2004, 13:16
Quote:
[Originally Posted by ramin_rad2000]So which version do you need? We have been using Hardlock for 2 years now; maybe I can find something.


There is no build history, but I think because HL is no longer supported there were only a few versions in the last two years... and I have all of them...

But I'd like to see the version list you have.