Hyper Lock Envelope Volume 2: Victory!

by votan , November 2002

Intro

   After my first tutorial about Hyper-Lock, I had to answer some questions for myself. First of all, what is the real difference between the two Nakkas exe files? And what exactly does the envelope mechanism do?
   Two weeks ago I started reversing the envelope mechanism. In the end I wrote an emulator for the PE envelope mechanism; you can find it on the net (I called it HLPEmu). In this tutorial, however, I want to give you brief information about the envelope mechanism and also describe a manual technique of mine.

   Part A : A brief info about HL envelope

   To reverse the envelope mechanism, I used the HL manual and the HL envelope utilities that I downloaded from the producer's website.
   The HL envelope mechanism encrypts the code section of the source program by default. The customer can tell the envelope utility not to encrypt the code section. In both cases a .pdata section (the envelope loader) is added to the source program.
   At runtime, the loader first decrypts its own encrypted part and then checks with the HL_Initialize service whether the correct HL dongle is present. If it is, the loader checks whether the code section is encrypted and, if so, starts the decryption process. The decryption depends on keys from the pseudo-random key generator inside the HL dongle, so without the correct HL dongle there is no correct decryption.
   Both encryption and decryption depend on three values: a user code, a device ID and a seed. The seed is derived from the user code, the device ID and a random value; that random value is obtained from the system time and some random functions while the source file is being enveloped.
   Remember our two Nakkas exe files: one was enveloped with code section encryption enabled, the other without it. What I defeated in the first tutorial was the latter.
   Then I started to reverse the envelope utilities. I chose the PE envelope utility and enveloped Notepad.exe with a random device ID and user code. When the operation completed, I ran the enveloped Notepad.exe: "Hyper-Lock Security device is not found".
   In the past I had a Hardlock-enveloped program and investigated the Fast Hardlock envelope utilities. They required a red Hardlock both to decrypt themselves and to use the key generator inside it. I was disappointed at the time and gave up.
   Hyper-Lock's envelope utilities, on the other hand, do not need a dongle to create the encryption keys. BINGO!! This means the envelope utilities carry their own implementation of the pseudo-random key generator in their code.
   The HL utilities are also not protected the way the HL drivers are. So I disassembled HLwin32.exe (the HL PE envelope utility) with IDA and reversed the envelope process with Softice and IDA. By the time my reversing session ended, I had commented every instruction in HLwin32.exe :)
   Let me explain some things about the envelope process:
   The envelope utility takes the user code, the device ID and the source file name as input; the destination file name is optional, and a parameter lets you turn off code section encryption. The utility opens the source file and adds the .pdata section. It obtains a value from the system time and some random functions, then does some hard math on that random value, the device ID and the user code to produce the seed. The encryption itself is simple:

      xor plaintext,seed

   where plaintext is a dword from the code section of the source file. The envelope utility generates 15 more keys and encrypts the next 15 dwords with each of these keys in turn; then it uses the 16th key for every remaining dword of the code section.
   When the encryption has completed, the utility generates a block called the user information. It consists of the OEP, the device ID, the user code, the random value from the system time & random functions, the sum of all encryption keys and the error message text shown when something goes wrong. Finally the user information is encrypted and placed at the beginning of .pdata in the enveloped file. As you can guess, .pdata decrypts and uses this user information at runtime.
   Because the encryption is an xor operation, the decryption is obvious:

      xor ciphertext,seed

   where seed is the same one used in the encryption. Since we have the key generator algorithm, we can obtain the keys. First I found a manual method for decrypting an encrypted code section with the original envelope utility; I explain it in Part B below. My first idea was to write an envelope unwrapper, but after a while I realised this was a waste of time: the loader already does all the dirty work, it only needs the correct keys. So I decided to put the key generator into the driver dll. I could also emulate some basic services such as HL_Initialize and HL_Rom. Of course I could not simply copy/paste the code from HLwin32.exe into hlw32.dll; I modified and improved some parts of it. Finally it was finished. I have tested it for a while and it seems to work well. Note that the emulator is only for PE Envelope version 6.0 and Win9x (maybe it works on XP too, I haven't tested it there yet).
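   The following script models the xor layout just described (seed on dword 0, fifteen further keys on dwords 1-15, the 16th key on everything after that) and the symmetry that Part B relies on: running the "encryption" a second time with the same user code, device ID and random value gives back the plaintext. It is an added example, not code from this tutorial, from HLwin32.exe or from HLPEmu. The real HL key generator is not on this page and is not reproduced; hypothetical_key_stream() is a stand-in (an assumption) that only has the property the argument needs, namely that the same three inputs always produce the same 16 keys. Also assumed: a trailing partial dword of the code section is left untouched.

```python
"""Model of the Hyper-Lock PE envelope xor layout.

Added example, not code from the tutorial, HLwin32.exe or HLPEmu.  The real
HL key generator (seed derived from user code, device ID and random value,
then a pseudo-random key stream) is NOT reproduced; hypothetical_key_stream()
is a stand-in with the single property the argument needs: the same inputs
always yield the same 16 keys, different inputs yield different keys.
"""
import hashlib
import struct

NUM_KEYS = 16  # the seed plus 15 more keys; the 16th key covers the rest of the section


def hypothetical_key_stream(user_code: int, device_id: bytes, random_value: int) -> list:
    """Stand-in for the HL generator (assumption, see module docstring).
    Returns 16 dword keys; keys[0] plays the role of the seed."""
    state = struct.pack("<I8sI", user_code & 0xFFFFFFFF,
                        device_id.ljust(8, b"\0")[:8], random_value & 0xFFFFFFFF)
    keys = []
    for _ in range(NUM_KEYS):
        state = hashlib.sha256(state).digest()
        keys.append(struct.unpack_from("<I", state)[0])
    return keys


def key_sum(keys: list) -> int:
    """Sum of all encryption keys as a dword; the envelope stores this
    value in the user information at [X+2E]."""
    return sum(keys) & 0xFFFFFFFF


def xor_code_section(code: bytes, keys: list) -> bytes:
    """Apply the envelope layout: dword 0 with the seed (keys[0]), dwords
    1..15 with keys[1..15], every dword from the 16th on with keys[15].
    Xor is its own inverse, so the same call both encrypts and decrypts.
    Assumption: a trailing partial dword (section size not a multiple of 4)
    is left as is; the tutorial does not say how the real tool handles it."""
    if len(keys) != NUM_KEYS:
        raise ValueError("expected %d keys" % NUM_KEYS)
    out = bytearray(code)
    for i in range(len(code) // 4):
        (dword,) = struct.unpack_from("<I", code, i * 4)
        key = keys[min(i, NUM_KEYS - 1)]
        struct.pack_into("<I", out, i * 4, dword ^ key)
    return bytes(out)


def manual_method(ciphertext: bytes, user_code: int, device_id: bytes, random_value: int) -> bytes:
    """Part B in miniature: run the *encryption* again with the same user code,
    device ID and (patched-in) random value.  The keys come out identical and
    xor undoes itself, so the result is the original code.  A wrong random
    value just produces different garbage."""
    keys = hypothetical_key_stream(user_code, device_id, random_value)
    return xor_code_section(ciphertext, keys)


if __name__ == "__main__":
    # Constructed sample: 70 bytes of "code" = 17 full dwords plus 2 spare bytes.
    code = bytes(range(70))
    # user code, device ID and random value taken from the dump in Part B
    keys = hypothetical_key_stream(1, b"1", 0x65A1EE22)
    enc = xor_code_section(code, keys)
    print("key sum that would be stored at [X+2E]: %08X" % key_sum(keys))
    print("re-envelope with the same inputs restores the code:",
          manual_method(enc, 1, b"1", 0x65A1EE22) == code)
    print("re-envelope with a wrong random value does not:",
          manual_method(enc, 1, b"1", 0x12345678) == code)
```

   The point to take from it is that the envelope utility never needs to "decrypt" anything: feeding it ciphertext with the original three inputs is the decryption, which is exactly what the patched HLwin32.exe in Part B does.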

   As you see, you can defeat any challenge with a foxy mind :)
   In the future I will make a generic emulator for all HL envelope mechanisms if I have time. Sure, a vxd emulator would be better than a dll one. Also note that the emulator code is a mess, so it may drive you crazy if you decide to reverse it :)

   Download HLPEmu.zip

   Part B : A manual method for decrypting the encrypted code section

   I used the enveloped Notepad.exe that you can find in the HLPEmu package, so you can practise the manual method on it. You also need the HL PE envelope utility, HLwin32.exe.
   Load Notepad.exe with the Softice Loader.
   The entry point of the enveloped program is 40E200. The encrypted user information is stored at entry point - 200h; for our exe this is 40E200 - 200 = 40E000, which is also the beginning of the .pdata section.
   Set bpm 40E000 and let the program run (x). Softice will break as soon as the loader touches the user information, i.e. while it is decrypting it.
   When Softice pops up, clear the bpm and set a bpx right after the decryption loop (at 40E2BF in the listing below), then continue. At that breakpoint the user information is completely decrypted:


   Data window (d 40E000 at the bpx, EBP = 40E000 = X in the loader code):

0030:0040E000 00 C7 30 FF FF 01 A0 10-00 00 01 00 00 00 31 00 ..0...........1.
0030:0040E010 00 00 00 00 00 00 22 EE-A1 65 00 D0 00 00 00 40 ......"..e.....@
0030:0040E020 00 00 7A 11 00 00 7A 91-00 00 00 10 00 00 6A C5 ..z...z.......j.
0030:0040E030 83 34 78 03 BC 03 78 02-00 00 55 53 45 52 20 49 .4x...x...USER I
0030:0040E040 4E 46 4F 52 4D 41 54 49-4F 4E 00 00 00 00 00 00 NFORMATION......
0030:0040E050 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
0030:0040E060 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
0030:0040E070 00 00 00 00 00 00 00 00-00 00 53 45 43 55 52 49 ..........SECURI
------------------------------------------------------------------------
   Code window:

0167:0040E29E 3113           XOR [EBX],EDX
0167:0040E2A0 813318327214   XOR DWORD PTR [EBX],14723218   <- after bpm 40E000 we break here;
                                                             this loop decrypts the user information
0167:0040E2A6 83C304         ADD EBX,04
0167:0040E2A9 E2EA           LOOP 0040E295                  ------- user info decryption loop ends
0167:0040E2AB B97F000000     MOV ECX,0000007F
0167:0040E2B0 8D9D00000000   LEA EBX,[EBP+00000000]
0167:0040E2B6 33C0           XOR EAX,EAX
0167:0040E2B8 0303           ADD EAX,[EBX]                  <- sums the first 7Fh dwords of the user information
0167:0040E2BA 83C304         ADD EBX,04
0167:0040E2BD E2F9           LOOP 0040E2B8
0167:0040E2BF 3B03           CMP EAX,[EBX]                  <- ...and compares the sum with the dword at [X+1FC]
                                                             (a checksum of the user information). bpx here,
                                                             then d 40E000 shows the decrypted user information
                                                             in the data window above
0167:0040E2C1 7405           JZ 0040E2C8
0167:0040E2C3 E90F020000     JMP 0040E4D7                   -> taken when the checksum does not match
0167:0040E2C8 8A85CD040000   MOV AL,[EBP+000004CD]
0167:0040E2CE 8885CE040000   MOV [EBP+000004CE],AL
0167:0040E2D4 8D9D0E000000   LEA EBX,[EBP+0000000E]         -> device ID
0167:0040E2DA 8B850A000000   MOV EAX,[EBP+0000000A]         -> user code
0167:0040E2E0 E890000000     CALL 0040E375                  -> HL_Initialize (1 <= return value <= 4 means dongle OK)
0167:0040E2E5 6683F801       CMP AX,01                      -> return value >= 1 ?
0167:0040E2E9 7302           JAE 0040E2ED
0167:0040E2EB EB10           JMP 0040E2FD
0167:0040E2ED 6683F804       CMP AX,04                      -> return value <= 4 ?
0167:0040E2F1 7602           JBE 0040E2F5
0167:0040E2F3 EB08           JMP 0040E2FD
....................
0167:0040E31C 80BD0500000000 CMP BYTE PTR [EBP+00000005],00 <- is the code section encrypted?
0167:0040E323 740B           JZ 0040E330
0167:0040E325 E8EC000000     CALL 0040E416                  -> decryption function
0167:0040E32A 0F85A7010000   JNZ 0040E4D7                   -> taken when the decryption function reports failure
0167:0040E330 E87C010000     CALL 0040E4B1
0167:0040E335 E8BB000000     CALL 0040E3F5
0167:0040E33A C68500000000E9 MOV BYTE PTR [EBP+00000000],E9 <- put the "jmp" opcode into 40E000
.....................
   Let X = 40E000. The fields of the user information we care about are (offsets in hex):

   [X+0]  = "jmp OEP" instruction (E9 rel32) - 5 bytes. Only the rel32 in bytes 1-4 is present in the file;
            the loader writes the E9 opcode itself (see MOV BYTE PTR [EBP+0],E9 above), so OEP = X + 5 + rel32.
            For the dump above, rel32 = FFFF30C7 and X + 5 - CF39 = 004010CC.
   [X+5]  = 01 if the code section is encrypted - 1 byte
   [X+A]  = user code in hex - 4 bytes
   [X+E]  = device ID as a string - 8 bytes
   [X+16] = random value - 4 bytes
   [X+2E] = sum of the encryption (= decryption) keys - 4 bytes

   For the manual method we use the device ID, the user code and the random value. In hlwin32.exe:

   00402BC2 call sub_401649 - this call determines the random value
         by calling GetSystemTime and some random functions

   00402BC7 mov ecx, dword_40D358
   00402BCD mov [ecx+16h], eax - the return value in eax is the random value

   With a hex editor, patch the call so that eax is loaded with the random value read from [X+16] of the enveloped program instead:

   00402BC2 mov eax,03483C56A

   (call rel32 and mov eax,imm32 are both 5 bytes long, so the patch needs no padding. Use the value from your own dump; the constant above is the one for this example.)

   Then, with a hex editor, copy the encrypted code section of Notepad.exe into the code section of a PE host file (the host's code section must be at least as large as the encrypted code section).
   At the MS-DOS command line enter: hlwin32 usercode deviceID host.exe result.exe
   The envelope utility envelopes host.exe and "encrypts" its code section. Because the patched utility regenerates exactly the same keys and the operation is an xor, this decrypts the bytes instead. Now copy the exact bytes you pasted into host.exe back from the enveloped output (result.exe) into Notepad.exe.
   Finally, replace the entry point of Notepad.exe with the OEP. You do not need to calculate the OEP: just play with the conditional jumps at 0040E2E5, 0040E2ED, 0040E314 and 0040E32A and you end up at 40E000, where you can read the OEP in the "jmp XXXXXXXX" instruction. (Of course the program crashes after that jump, because without the dongle the decryption is incorrect.) For Notepad.exe this is "jmp 004010CC".
   That is all.

   Note: the user code you read from the exe is in hex. Before entering it on the command line, convert it to decimal.
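   To take the hand work out of Part B, the script below parses a decrypted user information block using the offsets listed above, derives the OEP from the rel32 at [X+1], converts the user code to decimal for the command line and produces the 5 bytes that replace the call at 00402BC2 in hlwin32.exe. It is an added example, not code from this tutorial or from HLwin32.exe. The sample block is transcribed from the Softice data window dump above (the enveloped Notepad.exe, user information at 0040E000); it reads the random value from [X+16], the field that mov [ecx+16h],eax writes, so patch in whatever your own dump shows there. The file names host.exe and result.exe are the ones used in the text.

```python
"""Parse the decrypted Hyper-Lock user information and prepare the inputs
for the manual method of Part B.

Added example; not code from the tutorial or from HLwin32.exe.  The sample
block is transcribed from the Softice data-window dump above (enveloped
Notepad.exe, user information at 0040E000); the field offsets are the ones
the tutorial lists ([X+5], [X+A], [X+E], [X+16], [X+2E]).
"""
import struct

USER_INFO_BASE = 0x0040E000      # entry point 40E200 - 200h, start of .pdata
HLWIN32_CALL_VA = 0x00402BC2     # 'call sub_401649' that fetches the random value

# Transcribed from the dump above: the first 0x50 bytes of the decrypted block.
USER_INFO = bytes.fromhex(
    "00C730FFFF01A0100000010000003100"
    "00000000000022EEA16500D000000040"
    "00007A1100007A910000001000006AC5"
    "83347803BC0378020000555345522049"
    "4E464F524D4154494F4E000000000000"
)


def parse_user_info(blob: bytes, base: int = USER_INFO_BASE) -> dict:
    """Pull the fields Part B needs out of a decrypted user information block."""
    if len(blob) < 0x32:
        raise ValueError("need at least 0x32 bytes of user information")
    # [X+0] is 'jmp OEP': the loader writes the E9 opcode at runtime, the
    # rel32 in bytes 1..4 is already there, so OEP = X + 5 + rel32 (signed).
    (rel32,) = struct.unpack_from("<i", blob, 1)
    (user_code,) = struct.unpack_from("<I", blob, 0xA)
    device_id = blob[0xE:0x16].split(b"\0", 1)[0].decode("ascii")
    (random_value,) = struct.unpack_from("<I", blob, 0x16)
    (sum_of_keys,) = struct.unpack_from("<I", blob, 0x2E)
    return {
        "oep": (base + 5 + rel32) & 0xFFFFFFFF,
        "code_encrypted": blob[5] == 1,
        "user_code": user_code,
        "device_id": device_id,
        "random_value": random_value,
        "sum_of_keys": sum_of_keys,
    }


def hlwin32_patch_bytes(random_value: int) -> bytes:
    """Bytes that replace the 5-byte 'call sub_401649' at 00402BC2 with
    'mov eax, imm32' (B8 + little-endian dword): same length, no padding."""
    return b"\xB8" + struct.pack("<I", random_value & 0xFFFFFFFF)


def hlwin32_command(info: dict, host: str = "host.exe", result: str = "result.exe") -> str:
    """Command line for the patched envelope utility.  The user code is
    stored in the exe as a hex dword but has to be typed in decimal."""
    return "hlwin32 %d %s %s %s" % (info["user_code"], info["device_id"], host, result)


if __name__ == "__main__":
    info = parse_user_info(USER_INFO)
    print("OEP            %08X" % info["oep"])
    print("code encrypted %s" % info["code_encrypted"])
    print("user code      %08X (decimal %d)" % (info["user_code"], info["user_code"]))
    print("device ID      %s" % info["device_id"])
    print("random value   %08X" % info["random_value"])
    print("sum of keys    %08X" % info["sum_of_keys"])
    patch = hlwin32_patch_bytes(info["random_value"])
    print("patch at VA %08X (map it to a file offset with the section table): %s"
          % (HLWIN32_CALL_VA, patch.hex().upper()))
    print(hlwin32_command(info))
```

   Run on the dump above it reports OEP 004010CC, matching the "jmp 004010CC" the tutorial reads off the loader, which is a handy cross-check before you touch the entry point in the PE header.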

   Final Notes:

   Greetings & Hello to: CYDONIA, OrbitalDX, Axis, Terliksi
   For any feedbacks related to both this tutorial and HLPEmu, send an email to votanmail@yahoo.com
   NO CRACK REQUESTS! I do NOT distribute cracks.

votan , November 2002