Reverse Engineering Team

Hardlock seed (without dongle & dump)

Post by mfav Mon Dec 15, 2014 7:50 am

After searching and reading in this forum I found that it is possible to calculate Hardlock seeds using ModAd and a ref/ver pair, apparently with a tool from SaPu?!!! But I could not find it anywhere on the net, so can someone calculate this for me:

ref=F0,12,01,43,AA,94,11,90
ver=39,71,F0,10,DA,6E,3D,5B
ModAd = 6ED5 or 6ED6 (software looks for both)


Also, I was wondering if anybody could post that tool from SaPu for the benefit of all.

thx


Re: Hardlock seed (without dongle & dump)

Post by nodongle.biz Mon Dec 15, 2014 1:36 pm

Seems something is wrong in ref/ver.
From which Conval version did you get it?


Re: Hardlock seed (without dongle & dump)

Post by mfav Tue Dec 16, 2014 1:26 am

Hi,
it is version 9; I checked again. Here is some code from IDA:

.text:03653FC4                 push    1
.text:03653FC6                 lea     edx, [ebx+3Ch]
.text:03653FC9                 mov     ecx, 6ED5h  <---ModAd
.text:03653FCE                 mov     eax, ebx
.text:03653FD0                 call    Cvhardlock::TCVHardlock::RUSLogin(System::UnicodeString &,int,int)
.text:03653FD5                 mov     esi, eax
.text:03653FD7                 xor     edx, edx
.text:03653FD9                 mov     eax, esi
.text:03653FDB                 call    Flicensemodule::TFormLicenseModule::DongleFound(int,bool)
.text:03653FE0                 test    al, al
.text:03653FE2                 jz      short loc_3653FEF
.text:03653FE4                 mov     word ptr [ebx+9Ah], 6EE0h
.text:03653FED                 jmp     short loc_3654018
.text:03653FEF ; ---------------------------------------------------------------------------
.text:03653FEF
.text:03653FEF loc_3653FEF:
.text:03653FEF                 push    1
.text:03653FF1                 lea     edx, [ebx+3Ch]
.text:03653FF4                 mov     ecx, 6ED6h  <---ModAd
.text:03653FF9                 mov     eax, ebx
.text:03653FFB                 call    Cvhardlock::TCVHardlock::RUSLogin(System::UnicodeString &,int,int)
.text:03654000                 mov     esi, eax
.text:03654002                 xor     edx, edx
.text:03654004                 mov     eax, esi
.text:03654006                 call    Flicensemodule::TFormLicenseModule::DongleFound(int,bool)
.text:0365400B                 test    al, al
.text:0365400D                 jz      short loc_3654018


And the call to HLM_LOGIN:

.text:036557B4                 push    ebx             ; SearchStr
.text:036557B5                 push    0               ; RUSOption
.text:036557B7                 push    offset vKey
.text:036557BC                 push    offset VerKey
.text:036557C1                 push    offset RefKey
.text:036557C6                 mov     eax, [ebp+Access]
.text:036557C9                 push    eax
.text:036557CA                 mov     eax, [ebp+ModAd]
.text:036557CD                 push    eax
.text:036557CE                 call    HLM_LOGIN
.text:036557D3                 movzx   eax, ax
.text:036557D6                 mov     [ebp+var_18], eax
.text:036557D9                 cmp     [ebp+var_18], 7
.text:036557DD                 jnz     short loc_365582E
.text:036557DF                 cmp     [ebp+Access], 2
.text:036557E3                 jnz     short loc_365582E


And finally the parameters:

.data:037C28F8 vKey            db  41h,0C6h,0DCh, 23h, 27h, 0Ch,0EFh,0FBh
.data:037C28F8                 db 0A0h, 92h,0B3h, 27h, 5Fh,0ACh,0ACh,   4
.data:037C28F8                 db 0BDh, 94h,0DBh,0CFh, 50h, 43h,0B6h, 66h
.data:037C28F8                 db  19h, 47h, 33h, 9Bh, 70h,   6,0D4h,   1
.data:037C28F8                 db 0B6h, 1Eh, 86h, 40h, 75h,0ACh, 91h,0DDh
.data:037C28F8                 db  7Fh, 2Ch, 6Ch, 7Bh,0EAh,0AAh,0CFh, 90h
.data:037C2928 RefKey          db 0F0h, 12h, 1, 43h, 0AAh, 94h, 11h, 90h
.data:037C2930 VerKey          db 39h, 71h, 0F0h, 10h, 0DAh, 6Eh, 3Dh, 5Bh


Re: Hardlock seed (without dongle & dump)

Post by kjms Tue Dec 16, 2014 1:36 am

Capture the log with Toro HASP Monitor (haspmon32).
