Page 1 of 2 12 LastLast
Results 1 to 15 of 20

Thread: HardLock Envelope unpacking (WITH dongle)

  1. #1
    fritzFS
    Guest

    HardLock Envelope unpacking (WITH dongle)

    Hello,

    as the title says, I am trying to unpack a hardlock envelope.

    Yes, I have read the posts on this forum related to hardlock/envelope/hasp.

    Tools: OllyDbg, OllyDump.

    Target executable file has .text, .rdata, .data, .rsrc and .protect section.
    (LordPE SS: http://img358.imageshack.us/img358/5697/lordpe1jc4.jpg)

    Things I've done so far:
    1. plug the dongle
    2. opened the target with ollydbg
    3. set a breakpoint on new thread (ollydbg: options->debugging options->events)
    OEP is starting within a new created thread ...
    4. ollydbg breaks here:

    Code:
    7C810856   33ED             XOR EBP,EBP --> HERE
    7C810858   53               PUSH EBX
    7C810859   50               PUSH EAX
    7C81085A   6A 00            PUSH 0
    7C81085C  ^E9 73ACFFFF      JMP kernel32.7C80B4D4
    
    7C80B4D4   6A 10            PUSH 10 --> HERE
    7C80B4D6   68 18B5807C      PUSH kernel32.7C80B518
    7C80B4DB   E8 EB6FFFFF      CALL kernel32.7C8024CB
    7C80B4E0   8365 FC 00       AND DWORD PTR SS:[EBP-4],0
    7C80B4E4   64:A1 18000000   MOV EAX,DWORD PTR FS:[18]
    7C80B4EA   8945 E0          MOV DWORD PTR SS:[EBP-20],EAX
    7C80B4ED   8178 10 001E0000 CMP DWORD PTR DS:[EAX+10],1E00
    7C80B4F4   75 0F            JNZ SHORT kernel32.7C80B505
    7C80B4F6   803D 0830887C 00 CMP BYTE PTR DS:[7C883008],0
    7C80B4FD   75 06            JNZ SHORT kernel32.7C80B505
    7C80B4FF   FF15 E812807C    CALL DWORD PTR DS:[<&ntdll.CsrNewThread>>; ntdll.CsrNewThread
    7C80B505   FF75 0C          PUSH DWORD PTR SS:[EBP+C]
    7C80B508   FF55 08          CALL DWORD PTR SS:[EBP+8] -> OEP?
    7C80B50B   50               PUSH EAX
    7C80B50C   E8 98170000      CALL kernel32.ExitThread
    In this disassembly we see the OEP:
    7C80B508 FF55 08 CALL DWORD PTR SS:[EBP+8] ; XXXXXX.0046A630

    So, our new start functions looks like:

    Code:
    0046A630  /. 55             PUSH EBP
    0046A631  |. 8BEC           MOV EBP,ESP
    0046A633  |. 6A FF          PUSH -1
    0046A635  |. 68 40776500    PUSH XXXXXX.00657740
    0046A63A  |. 68 E2D66000    PUSH XXXXXX.0060D6E2                   ;  JMP to MSVCR71._except_handler3; SE handler installation
    0046A63F  |. 64:A1 00000000 MOV EAX,DWORD PTR FS:[0]
    0046A645  |. 50             PUSH EAX
    0046A646  |. 64:8925 000000>MOV DWORD PTR FS:[0],ESP
    0046A64D  |. 81EC 18010000  SUB ESP,118
    0046A653  |. 53             PUSH EBX
    0046A654  |. 56             PUSH ESI
    0046A655  |. 57             PUSH EDI
    0046A656  |. 8965 E8        MOV DWORD PTR SS:[EBP-18],ESP
    0046A659  |. 8B45 08        MOV EAX,DWORD PTR SS:[EBP+8] --> problem #1
    0046A65C  |. 8B18           MOV EBX,DWORD PTR DS:[EAX]
    0046A65E  |. 8B48 04        MOV ECX,DWORD PTR DS:[EAX+4]
    0046A661  |. 894D E0        MOV DWORD PTR SS:[EBP-20],ECX
    0046A664  |. 8B70 08        MOV ESI,DWORD PTR DS:[EAX+8]
    0046A667  |. 50             PUSH EAX                                 ; /block
    0046A668  |. 8B3D 78156300  MOV EDI,DWORD PTR DS:[631578]            ; |MSVCR71.free
    0046A66E  |. FFD7           CALL EDI                                 ; \free
    0046A670  |. 56             PUSH ESI                                 ; /src
    0046A671  |. 8D95 D8FEFFFF  LEA EDX,DWORD PTR SS:[EBP-128]           ; |
    0046A677  |. 52             PUSH EDX                                 ; |dest
    0046A678  |. FF15 50156300  CALL DWORD PTR DS:[631550]               ; \wcscpy
    0046A67E  |. 56             PUSH ESI
    0046A67F  |. FFD7           CALL EDI
    0046A681  |. 83C4 10        ADD ESP,10
    0046A684  |. FF15 90116300  CALL DWORD PTR DS:[631190]               ; [GetCurrentThreadId
    0046A68A  |. 8BF0           MOV ESI,EAX
    0046A68C  |. 8975 E4        MOV DWORD PTR SS:[EBP-1C],ESI
    0046A68F  |. 8D85 D8FEFFFF  LEA EAX,DWORD PTR SS:[EBP-128]
    0046A695  |. 50             PUSH EAX                                 ; /Arg2
    0046A696  |. 56             PUSH ESI                                 ; |Arg1
    0046A697  |. E8 C4030000    CALL XXXXXX.0046AA60                   ; \XXXXXX.0046AA60
    0046A69C  |. C745 FC 000000>MOV DWORD PTR SS:[EBP-4],0
    0046A6A3  |. 8B4D E0        MOV ECX,DWORD PTR SS:[EBP-20]
    0046A6A6  |. 51             PUSH ECX
    0046A6A7  |. FFD3           CALL EBX
    0046A6A9  |. 8BF8           MOV EDI,EAX
    0046A6AB  |. 897D DC        MOV DWORD PTR SS:[EBP-24],EDI
    0046A6AE  |. 56             PUSH ESI                                 ; /Arg1
    0046A6AF  |. E8 3C040000    CALL XXXXXX.0046AAF0                   ; \XXXXXX.0046AAF0
    0046A6B4  |. C745 FC FFFFFF>MOV DWORD PTR SS:[EBP-4],-1
    0046A6BB  |. 8BC7           MOV EAX,EDI
    0046A6BD  |. 8B4D F0        MOV ECX,DWORD PTR SS:[EBP-10]
    0046A6C0  |. 64:890D 000000>MOV DWORD PTR FS:[0],ECX
    0046A6C7  |. 5F             POP EDI
    0046A6C8  |. 5E             POP ESI
    0046A6C9  |. 5B             POP EBX
    0046A6CA  |. 8BE5           MOV ESP,EBP
    0046A6CC  |. 5D             POP EBP
    0046A6CD  \. C2 0400        RETN 4
    Anyway, when I get to this OEP (0046A630), I do next step:

    5. Dump the file using OllyDump with OEP


    Problem:

    Of course, now I try to run the dumped executable file and it crashes.
    The problem is with this new start function, some parameters are passed from the hardlock envelope decrypt when it finishes, that's marked as 'problem #1'.

    Should I hardcode that value?
    Replace it with :

    Code:
    0046A659  |. 8B45 08        MOV EAX,0x011CD488
    Have anyone come across such hardlock envelope?

    Thank you.
    Last edited by fritzFS; August 7th, 2006 at 15:37.
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  2. #2
    fritzFS
    Guest

    some progress had been made

    Seems like start of new thread wasn't an OEP.

    I've discovered real OEP with the help of IDA, it is located at 0x60D35A.

    I have dumped the process at new OEP, but still doesn't working, exe crashes.
    Also, ImpRec isn't much helping since there are 2 invalid pointers left, and when I trace it, seems that protection isn't done yet:-(

    OEP starts here:

    Code:
    0060D35A > $ 6A 74          PUSH 74
    0060D35C   . 68 C0006700    PUSH dumped_h.006700C0
    0060D361   . E8 22060000    CALL dumped_h.0060D988
    0060D366   . 33FF           XOR EDI,EDI
    0060D368   . 897D E0        MOV DWORD PTR SS:[EBP-20],EDI
    0060D36B   . 57             PUSH EDI                                 ; /pModule => NULL
    0060D36C   . 8B1D 58116300  MOV EBX,DWORD PTR DS:[631158]            ; |kernel32.GetModuleHandleA
    0060D372   . FFD3           CALL EBX                                 ; \GetModuleHandleA
    The problem lies here, this is a function that is called at the begging ...

    Code:
    0060DA9C  /. 55             PUSH EBP
    0060DA9D  |. 8BEC           MOV EBP,ESP
    0060DA9F  |. 83EC 10        SUB ESP,10
    0060DAA2  |. A1 90746B00    MOV EAX,DWORD PTR DS:[6B7490]
    0060DAA7  |. 85C0           TEST EAX,EAX
    0060DAA9  |. 74 07          JE SHORT dumped_h.0060DAB2
    0060DAAB  |. 3D 4EE640BB    CMP EAX,BB40E64E
    0060DAB0  |. 75 4E          JNZ SHORT dumped_h.0060DB00
    0060DAB2  |> 56             PUSH ESI
    0060DAB3  |. 8D45 F8        LEA EAX,DWORD PTR SS:[EBP-8]
    0060DAB6  |. 50             PUSH EAX                                 ; /pFileTime
    0060DAB7  |. FF15 68116300  CALL DWORD PTR DS:[631168]               ; \GetSystemTimeAsFileTime
    0060DABD  |. 8B75 FC        MOV ESI,DWORD PTR SS:[EBP-4]
    0060DAC0  |. 3375 F8        XOR ESI,DWORD PTR SS:[EBP-8]
    0060DAC3  |. FF15 3C116300  CALL DWORD PTR DS:[63113C]               ; [GetCurrentProcessId
    0060DAC9  |. 33F0           XOR ESI,EAX
    0060DACB  |. FF15 90116300  CALL DWORD PTR DS:[631190]               ; [GetCurrentThreadId
    0060DAD1  |. 33F0           XOR ESI,EAX
    0060DAD3  |. FF15 C4116300  CALL DWORD PTR DS:[6311C4]               ; [GetTickCount
    0060DAD9  |. 33F0           XOR ESI,EAX
    0060DADB  |. 8D45 F0        LEA EAX,DWORD PTR SS:[EBP-10]
    0060DADE  |. 50             PUSH EAX
    0060DADF  |. FF15 C8116300  CALL DWORD PTR DS:[6311C8] --> points to 1010968
    0060DAE5  |. 8B45 F4        MOV EAX,DWORD PTR SS:[EBP-C]
    0060DAE8  |. 3345 F0        XOR EAX,DWORD PTR SS:[EBP-10]
    0060DAEB  |. 33F0           XOR ESI,EAX
    0060DAED  |. 8935 90746B00  MOV DWORD PTR DS:[6B7490],ESI
    0060DAF3  |. 75 0A          JNZ SHORT dumped_h.0060DAFF
    0060DAF5  |. C705 90746B00 >MOV DWORD PTR DS:[6B7490],BB40E64E
    0060DAFF  |> 5E             POP ESI
    0060DB00  |> C9             LEAVE
    0060DB01  \. C3             RETN
    Address point in red is invalid (1010968). Seems that unpacker creates that memory block during the unpacking process and application uses this.

    Anyway, this is the problem ... I've dumped that memory block with OllyDbg, seems like array of addresses or something like that.

    Anyone?
    Last edited by fritzFS; August 7th, 2006 at 15:36.
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  3. #3
    Naides is Nobody
    Join Date
    Jan 2002
    Location
    Planet Earth
    Posts
    1,647
    If you run the original app, with the dongle attached, and trace into:

    0060DADF |. FF15 C8116300 CALL DWORD PTR DS:[6311C8] --> points to 1010968


    call, where does it take you?

    One thing I have found valuable is to trace the dumped and original apps (one in a virtual machine, the other in the host OS) IN PARALLEL finding smilarities and differences in the code flow.

    Could you emulate the address table fillup routine that the unpacker places around 6311C8? at least do it manually with the debugger and see if it remedies the crash.

    I think it was cyberheg who described reversing Hardlock protection as "peeling and onion".

  4. #4
    fritzFS
    Guest
    naides,
    thank you for your reply.

    Code:
    0060DADF  |. FF15 C8116300  CALL DWORD PTR DS:[6311C8] --> 01030968
    btw, this is also the difference ...
    with dongle, this is 01030968, without dongle 01010968.

    anyway, here it goes:

    Code:
    01030968   E8 F1F383FF      CALL XXXXX.0086FD5E
    0103096D   0000             ADD BYTE PTR DS:[EAX],AL
    0103096F   00E8             ADD AL,CH
    01030971  -E9 F383FF00      JMP 02028D69
    
    0086FD5E   8ADB             MOV BL,BL
    0086FD60   8AFF             MOV BH,BH
    0086FD62   55               PUSH EBP
    0086FD63   87F9             XCHG ECX,EDI
    0086FD65   66:8BF6          MOV SI,SI
    0086FD68   87CF             XCHG EDI,ECX
    0086FD6A   8BEC             MOV EBP,ESP
    0086FD6C   51               PUSH ECX
    0086FD6D   53               PUSH EBX
    0086FD6E   C0E7 20          SHL BH,20                                ; Shift constant out of range 1..31
    0086FD71   EB FF            JMP SHORT XXXXX.0086FD72
    
    0086FD72   FFF6             PUSH ESI
    0086FD74   8D00             LEA EAX,DWORD PTR DS:[EAX]
    0086FD76   EB FF            JMP SHORT XXXXX.0086FD77
    
    0086FD77   FFF7             PUSH EDI
    0086FD79   8BC0             MOV EAX,EAX
    0086FD7B   60               PUSHAD
    0086FD7C  ^0F81 F9D6FFFF    JNO XXXXX.0086D47B --> jump is taken
    0086FD82   70 03            JO SHORT XXXXX.0086FD87
    0086FD84   44               INC ESP
    0086FD85   77 FF            JA SHORT XXXXX.0086FD86
    0086FD87  ^0F80 EED6FFFF    JO XXXXX.0086D47B
    0086FD8D   D8F4             FDIV ST,ST(4)
    0086FD8F  ^0F85 A8D9FFFF    JNZ XXXXX.0086D73D
    0086FD95   74 03            JE SHORT XXXXX.0086FD9A
    0086FD97   93               XCHG EAX,EBX
    0086FD98   7B 10            JPO SHORT XXXXX.0086FDAA
    0086FD9A  ^0F84 9DD9FFFF    JE XXXXX.0086D73D
    0086FDA0   25 DEE969E5      AND EAX,E569E9DE
    
    0086D47B   8BED             MOV EBP,EBP
    0086D47D   8B4424 34        MOV EAX,DWORD PTR SS:[ESP+34]
    0086D481   0F88 3D040000    JS XXXXX.0086D8C4
    0086D487   52               PUSH EDX
    0086D488   5A               POP EDX
    0086D489   79 03            JNS SHORT XXXXX.0086D48E --> jump is taken
    
    
    0086D48E   0F89 30040000    JNS XXXXX.0086D8C4 --> jump is taken
    
    0086D8C4   8D36             LEA ESI,DWORD PTR DS:[ESI]
    0086D8C6   E8 BE420000      CALL XXXXX.00871B89
    0086D8CB   D8FB             FDIVR ST,ST(3)
    0086D8CD   68 24D08600      PUSH XXXXX.0086D024
    0086D8D2   C3               RETN
    ...

    So, as you can see ... this is it ... it goes back to the dongle (0086B ... -> .protect section)
    Last edited by fritzFS; August 7th, 2006 at 15:39.
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  5. #5
    Naides is Nobody
    Join Date
    Jan 2002
    Location
    Planet Earth
    Posts
    1,647
    OK. I see. You are now tracing into heavily obfuscated code
    starting at 0086FD5E, which you mention is located at the .protect section.

    Provided the unpacking is done, the task now would be to emulate the answer(s) and tasks that these calls retrieve and perform so the app believes the dongle is attached.
    I am less than the ideal person to give you further guidance (I certainly can suggest educated guesses and problem solving approaches) but perhaps CrackZ or cyberheg may read this postings and take a little pity on us

  6. #6
    fritzFS
    Guest
    Naides,
    but how can I just emulate those API's when the application (dumped) is crashing because of this unavailable memory (0x0103...) in dumped version?

    Btw, I've analyzed the protection more, this time with TORO's great monitor by side.

    During the unpacking process, the following calls to hardlock has been made:

    HLM_LOGIN
    HL_GETINF
    HL_CRYPT (0xE function)
    HL_CRYPT
    ...


    Everything till OEP.
    Starts with this address, somewhere inside it calls appears again:

    Code:
    0060DADF |. FF15 C8116300 CALL DWORD PTR DS:[6311C8] --> 01030968
    Now, this calls :
    HLM_LOGIN
    HL_READ
    HL_GETINF
    ...

    And that's it ...

    Only HL_GETINF is repeating while the application is running ...
    Last edited by fritzFS; August 7th, 2006 at 15:38.
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  7. #7
    fritzFS:

    Please take the time to surround your code printouts with the following:

    at the beginning, place; CODE (with [ ] around it)

    and at the end, place /CODE also with [ ] around it. (I have to do it this way or it would create the box itself. )

    This will create a "codebox" with a thumbnail which will allow your posted code sections to be shorter on the actual page and, if the code output is wider than the normal page view (which yours are not), it will prevent the page from going beyond the normal width.

    You can also use the edit button and go back and fix your previous posts in this Thread, or I will do it for you. It just makes a long display of code neater and easier to read.

    Thanks.

    Regards,
    JMI

  8. #8
    fritzFS
    Guest
    JMI, thank you for the notice, I've updated them.
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  9. #9
    fritzFS
    Guest
    I have found the code section with dongle communication ...

    Code:
    005ED960  /$ 68 6C497F00    PUSH XXXXXXXX.007F496C
    005ED965  |. 68 64497F00    PUSH XXXXXXXX.007F4964
    005ED96A  |. 6A 01          PUSH 1
    005ED96C  |. 68 685B0000    PUSH 5B68 --> MODAD
    005ED971  |. E8 F3AB0100    CALL XXXXXXXX.00608569 --> HLM_LOGIN; failes
    005ED976  |. 83C4 10        ADD ESP,10
    005ED979  |. 66:85C0        TEST AX,AX
    005ED97C  |. 75 12          JNZ SHORT XXXXXXXX.005ED990
    005ED97E  |. E8 4DFCFFFF    CALL XXXXXXXX.005ED5D0
    005ED983  |. 83F8 02        CMP EAX,2
    005ED986  |. 75 08          JNZ SHORT XXXXXXXX.005ED990
    005ED988  |. E8 2EA70100    CALL XXXXXXXX.006080BB
    005ED98D  |. 33C0           XOR EAX,EAX
    005ED98F  |. C3             RETN
    005ED990  |> E8 26A70100    CALL XXXXXXXX.006080BB
    005ED995  |. 56             PUSH ESI
    005ED996  |. 68 6C497F00    PUSH XXXXXXXX.007F496C
    005ED99B  |. 68 64497F00    PUSH XXXXXXXX.007F4964
    005ED9A0  |. 6A 01          PUSH 1
    005ED9A2  |. 68 735B0000    PUSH 5B73 --> MODAD
    005ED9A7  |. E8 BDAB0100    CALL XXXXXXXX.00608569 --> HLM_LOGIN - OK
    005ED9AC  |. 83C4 10        ADD ESP,10
    005ED9AF  |. 66:85C0        TEST AX,AX
    005ED9B2  |. 74 0C          JE SHORT XXXXXXXX.005ED9C0 --> Jump taken
    005ED9B4  |. E8 02A70100    CALL XXXXXXXX.006080BB
    005ED9B9  |. B8 02000000    MOV EAX,2
    005ED9BE  |. 5E             POP ESI
    005ED9BF  |. C3             RETN
    005ED9C0  |> 8B7424 08      MOV ESI,DWORD PTR SS:[ESP+8]
    005ED9C4  |. 68 B0308300    PUSH XXXXXXXX.008330B0
    005ED9C9  |. 56             PUSH ESI
    005ED9CA  |. E8 51FCFFFF    CALL XXXXXXXX.005ED620 --> HL_READ
    005ED9CF  |. 83C4 08        ADD ESP,8
    005ED9D2  |. 85C0           TEST EAX,EAX
    005ED9D4  |. 74 11          JE SHORT XXXXXXXX.005ED9E7
    005ED9D6  |. 833E 00        CMP DWORD PTR DS:[ESI],0
    005ED9D9  |. 77 15          JA SHORT XXXXXXXX.005ED9F0 --> Jump taken
    005ED9DB  |. E8 DBA60100    CALL XXXXXXXX.006080BB
    005ED9E0  |. B8 03000000    MOV EAX,3
    005ED9E5  |. 5E             POP ESI
    005ED9E6  |. C3             RETN
    005ED9E7  |> E8 D4FDFFFF    CALL XXXXXXXX.005ED7C0
    005ED9EC  |. 85C0           TEST EAX,EAX
    005ED9EE  |. 74 0C          JE SHORT XXXXXXXX.005ED9FC
    005ED9F0  |> E8 C6A60100    CALL XXXXXXXX.006080BB --> HL_LOGOUT
    005ED9F5  |. B8 01000000    MOV EAX,1
    005ED9FA  |. 5E             POP ESI
    005ED9FB  |. C3             RETN
    005ED9FC  |> E8 BAA60100    CALL XXXXXXXX.006080BB
    005EDA01  |. B8 04000000    MOV EAX,4
    005EDA06  |. 5E             POP ESI
    005EDA07  \. C3             RETN
    Last edited by fritzFS; August 7th, 2006 at 16:08.
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  10. #10
    Naides is Nobody
    Join Date
    Jan 2002
    Location
    Planet Earth
    Posts
    1,647
    Questions:

    Are these the only calls to CALL XXXXXXXX.00608569 --> HLM_LOGIN - OK

    or are there more? and IDA dissasembly should tell you that, because you have to emulate each one of them, or modify the code at 608569 to return the right answers.

    At least in this code snip, success appears to be signaled by placing 1 in eax and returning an "answer to the challenge" to the address [ebp + 8] which is indirected using ESI. If you look at whatever gets written to the address pointed by ESI at the instruction

    005ED9D6 |. 833E 00 CMP DWORD PTR DS:[ESI],0


    while the dongle is connected, and artificially write this value to that address in your dumped code, then make sure EAX return 1, you have emulated this dongle check ( at least this one).
    Last edited by naides; August 7th, 2006 at 18:23.

  11. #11
    fritzFS
    Guest
    Yes, there is more ... more beyond this call ...
    Actually, it's too much to trace and monitor :-(

    This is getting real hard and I'm loosing my focus ..
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  12. #12
    hi
    if after using imprec, you have only 2 unresolved pointer, you must set them manually to getprocaddress and exitprocess function.

    regards

  13. #13
    fritzFS
    Guest

    no more envelope

    Thank you everyone for your help ...

    Hardlock envelope is gone (nikita, you rock!), now there is only HLM_LOGIN, HL_READ and HL_LOGOUT in application ...

    Here it goes, what is left of Hardlock:

    Code:
    .text:005ED960 do_dongle_check proc near               ; CODE XREF: sub_49DA20+4Dp
    .text:005ED960                                         ; sub_6017C0+56p
    .text:005ED960
    .text:005ED960 arg_0           = dword ptr  4
    .text:005ED960
    .text:005ED960                 push    offset unk_7F496C
    .text:005ED965                 push    offset unk_7F4964
    .text:005ED96A                 push    1
    .text:005ED96C                 push    5B68h
    .text:005ED971                 call    call_HLM_LOGIN
    .text:005ED976                 add     esp, 10h
    .text:005ED979                 test    ax, ax
    .text:005ED97C                 jnz     short loc_5ED990
    .text:005ED97E                 call    sub_5ED5D0
    .text:005ED983                 cmp     eax, 2
    .text:005ED986                 jnz     short loc_5ED990
    .text:005ED988                 call    call_HL_LOGOUT
    .text:005ED98D                 xor     eax, eax
    .text:005ED98F                 retn
    .text:005ED990 ; 
    .text:005ED990
    .text:005ED990 loc_5ED990:                             ; CODE XREF: do_dongle_check+1Cj
    .text:005ED990                                         ; do_dongle_check+26j
    .text:005ED990                 call    call_HL_LOGOUT
    .text:005ED995                 push    esi
    .text:005ED996                 push    offset unk_7F496C
    .text:005ED99B                 push    offset unk_7F4964
    .text:005ED9A0                 push    1
    .text:005ED9A2                 push    5B73h           ; my MODAD
    .text:005ED9A7                 call    call_HLM_LOGIN
    .text:005ED9AC                 add     esp, 10h
    .text:005ED9AF                 test    ax, ax
    .text:005ED9B2                 jz      short dongle_is_here
    .text:005ED9B4                 call    call_HL_LOGOUT
    .text:005ED9B9                 mov     eax, 2
    .text:005ED9BE                 pop     esi
    .text:005ED9BF                 retn
    .text:005ED9C0 ; 
    .text:005ED9C0
    .text:005ED9C0 dongle_is_here:                         ; CODE XREF: do_dongle_check+52j
    .text:005ED9C0                 mov     esi, [esp+4+arg_0]
    .text:005ED9C4                 push    offset unk_8330B0
    .text:005ED9C9                 push    esi
    .text:005ED9CA                 call    call_HL_READ
    .text:005ED9CF                 add     esp, 8
    .text:005ED9D2                 test    eax, eax
    .text:005ED9D4                 jz      short failes
    .text:005ED9D6                 cmp     dword ptr [esi], 0
    .text:005ED9D9                 ja      short finish
    .text:005ED9DB                 call    call_HL_LOGOUT
    .text:005ED9E0                 mov     eax, 3
    .text:005ED9E5                 pop     esi
    .text:005ED9E6                 retn
    .text:005ED9E7 ; 
    .text:005ED9E7
    .text:005ED9E7 failes:                                 ; CODE XREF: do_dongle_check+74j
    .text:005ED9E7                 call    sub_5ED7C0
    .text:005ED9EC                 test    eax, eax
    .text:005ED9EE                 jz      short loc_5ED9FC
    .text:005ED9F0
    .text:005ED9F0 finish:                                 ; CODE XREF: do_dongle_check+79j
    .text:005ED9F0                 call    call_HL_LOGOUT
    .text:005ED9F5                 mov     eax, 1
    .text:005ED9FA                 pop     esi
    .text:005ED9FB                 retn
    .text:005ED9FC ; 
    .text:005ED9FC
    .text:005ED9FC loc_5ED9FC:                             ; CODE XREF: do_dongle_check+8Ej
    .text:005ED9FC                 call    call_HL_LOGOUT
    .text:005EDA01                 mov     eax, 4
    .text:005EDA06                 pop     esi
    .text:005EDA07                 retn
    .text:005EDA07 do_dongle_check endp
    Notice: those functions are called from couple of places so I cannot just patch this one function ...

    Anyway, what would be the most elegant way to solve this to the end?

    As nikita@work said: patch the HL_LOGIN and HL_LOGOUT, emulate HL_READ?

    I tried to patch the HL_LOGIN and HL_LOGOUT at call_HL_LOGIN and call_HL_LOGOUT, but different errors occurs so ...

    anyone?

    Btw, I tried to emulate this function with TORO's Monitor (&emulator) 1.6, but there's unsupported function in it (the rest is working fine). I use 2.5 version of his monitor (everything supported), but cannot create a .reg file (there's no sample .reg file) ... does anyone have a sample .reg file for his 2.5 version of monitor?
    Last edited by fritzFS; August 8th, 2006 at 12:37.
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  14. #14
    fritzFS
    Guest
    Ok, I've analyzed it further and there's no way to just patch this file and make it work ...

    Maybe it is possible, but ... too much work ...

    I would like to take this approach:
    - code a simple .dll with HLM_LOGIN, HL_READ and HL_LOGOUT
    - make the targets uses it

    Of course, this .dll is ONLY for this target ... memory will be hardcoded inside it so no fancy stuff is needed or support for other dongle or anything like it.

    Does anyone has some pointers?

    Thank you!
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  15. #15
    fritzFS
    Guest
    Problem solved due to few who helped ...

    I have managed to remove the need for dongle.

    I would comment it here, but I doubt anyone would appreciate it due to number of replies.

    Moderators, please close this thread!
    I promise that I have read the FAQ and tried to use the Search to answer my question.

Similar Threads

  1. Wibu dongle unpacking
    By DongleGuru in forum Malware Analysis and Unpacking Forum
    Replies: 13
    Last Post: October 12th, 2007, 07:27
  2. HASP DOS Envelope
    By potros in forum Malware Analysis and Unpacking Forum
    Replies: 0
    Last Post: November 22nd, 2006, 19:04
  3. Hasp Envelope help please
    By LaptoniC in forum Advanced Reversing and Programming
    Replies: 2
    Last Post: June 22nd, 2001, 14:03
  4. Any kind of help on HardLock dongle reversing can help me
    By moZfet in forum Advanced Reversing and Programming
    Replies: 1
    Last Post: May 12th, 2001, 15:11

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •