Reversing Seeds from Hardlock Key possible
Page 3 of 3
Re: Reversing Seeds from Hardlock Key possible
I have compiled and collected more than 30 seeds; how can I find the right seeds?
kjms- Posts : 194
Points : 201
Reputation : -4
Join date : 2010-09-12
Re: Reversing Seeds from Hardlock Key possible
Let's say I have the correct Seed1, Seed2, Seed3. Using MK it works; I mean HL_CODE decryption works correctly. But I want to build HL_CODE myself using Seed1, Seed2, Seed3. I've already gone through the "HARDLOCK Key Seeds brute-force finder" code but don't know if it is a good way. Could anyone help?
erick2- Posts : 10
Points : 19
Reputation : 7
Join date : 2012-09-14
Re: Reversing Seeds from Hardlock Key possible
You can extract the HL_CODE function from the Hardlock API or from Multikey.
Re: Reversing Seeds from Hardlock Key possible
Hardlock API? Does the API ask the dongle for seeds and then code it using an internal algo? It makes no sense. Can you explain this?
erick2- Posts : 10
Points : 19
Reputation : 7
Join date : 2012-09-14
Re: Reversing Seeds from Hardlock Key possible
Early versions of the API were with the HL_CODE and HL_CALC algo.
Re: Reversing Seeds from Hardlock Key possible
After some tests with MultiKey I feel confused. Simple HL_CODE 2x8 bytes captured before and after the HL_CODE function:
before:8944C1BDF6B413DE1738E72B7D7D4660
after: 34323632312C34303134323037313736
On the same time MK log:
00000069 0.00662289 HDK_KEY_FN_HL_CODE BufferedData=BDC14489DE13B4F6
00000070 0.00681286 HDK_KEY_FN_HL_CODE Response=51CEB3C8BC0EBC44
00000071 0.00701674 HDK_KEY_FN_HL_CODE Response=384308488DA4DEA9
00000072 0.00720197 HDK_KEY_FN_HL_CODE Response=683984DF58766F7C
00000073 0.00738583 HDK_KEY_FN_HL_CODE Response=001D
It seems the dongle produces a long response for 8 bytes of input. How do I use the Response from the dongle to calculate the correct coded answer for HL_CODE?
erick2- Posts : 10
Points : 19
Reputation : 7
Join date : 2012-09-14
Re: Reversing Seeds from Hardlock Key possible
OK. Now, after some debugging I know more. The first 8-byte block is decoded by the dongle. The rest of the data by hlvdd.dll code. One thing I can't understand is how 1 block of decoded data is transferred between the dll and the dongle.
Dump of data before DeviceIoControl in hlvdd.dll:
0A799320 18 F8 EA 00 00 E9 90 7C 98 42 91 7C FF FF FF FF .......|.B.|....
0A799330 8F 42 91 7C 9C D0 01 00 02 00 01 F0 00 00 EA 00 .B.|............
0A799340 80 00 10 40 18 F8 EA 00 82 C4 EA 94 30 08 C5 39 ...@........0..9
and after:
0A799320 76 95 94 C4 6E 59 F7 0F 0F 87 64 C7 98 25 49 AB v...nY....d..%I.
0A799330 33 01 F5 C6 56 E5 95 05 02 00 01 F0 2A 00 EA 00 3...V.......*...
0A799340 31 2C 35 32 56 E5 95 05 31 2C 35 32 34 32 36 32 1,52V...1,524262
Data transfer between dongle, buffer before and after DeviceIoControl. nOutBufferSize = 1C - only the response from MK HL_CODE. This is only up to 0A7993C. The first block of decoded data starts at +0x28. Who is filling this? Olly doesn't stop at the memory write breakpoint.
erick2- Posts : 10
Points : 19
Reputation : 7
Join date : 2012-09-14