eXeL@B —› WorldWide —› hardlock for dos program.
Posted: 04 March 2007 09:35 · Private message · #1

Hello, is there a way to emulate a dongle "hardlock e-y-e" (luna) in DOS? The program doesn't have calls to a DLL or VXD, so I suppose the protection is verified by an exe or com. I can emulate the original dongle with wkpe1.81 in a W98 DOS prompt, but this one doesn't run in WXP or W2K. A way to run the program under these last OSes is by an emulator (Virtual PC, DOSBox), but I have problems with the parallel port under NT systems. I've dumped the original dongle (with hl_dump and fastread) and tried to search the forum but haven't found an answer... Thanks in advance for any answer.

Posted: 04 March 2007 13:16 · Edited by: Chingachguk · Private message · #2

hi, man
I suppose you are going to emulate the lock via trapping in/out commands. At first I propose you try to use the I/O permission map method which has been used (see attach (with my logger) for more details):

    ; Values EMM386 I/O dispatch function is called with:
    ;   CX  = Ring0 code selector for I/O handler's segment
    ;   DS  = Ring0 data selector for I/O handler's segment (alias of CS)
    ;   EDX = faulting I/O address
    ;   ECX = direction (00000008h for byte output, 00000000h for byte input)
    ;         (reportedly 00h for byte/word input, 04h for byte/word output
    ;         under DOS 6.22 EMM386)
    ;   EAX = data in/out
    ; Return: (via FAR RET)
    ;   CF clear if I/O access successfully virtualized
    ;   CF set if access not virtualized (default handler will be called to
    ;         perform the I/O)
    ; BUG: 32-bit I/O on trapped ports hangs the DOS 6.22 EMM386

Perhaps it will work in XP, maybe it shan't. If not, I'll try to give you the next method. Good luck.

Attachment: 3722_04.03.2007_CRACKLAB.rU.tgz - WATCH_P.rar

-----
The one derivative you manage is the one I abhore (c) Slipknot

Posted: 05 March 2007 12:57 · Private message · #3

Hi Chingachguk, thank you for your reply. First of all, my assembly is a bit "rusty". I've compiled the asm with masm but I don't understand how (and where) to use the exe built. Are there any command line arguments? I've run it under Virtual PC with msd6.22: it "locks" the prompt and shows a lot of "strange" characters on screen. In the asm there is a hotkey (left alt+Scroll Lock): what is it for? When I hit the alt key the program crashes with an EMM error. The same problem if it's put in the batch file that ends with the start of the "program with dongle", before the call to this last one. In the asm file there are some instructions to make a sound; the "beep" is generated only on the Windows cmd prompt, but probably it is VPC that doesn't "play" it. If I haven't misunderstood the asm, there is a file generated (log?): where will it be written (same directory, root, ...)? Thanks and sorry for my English.

Posted: 05 March 2007 23:37 · Private message · #4

hi again, man! I want to say that this tool is not an emulator! It's only a logger; the initial purpose of this (almost demo) program was to log I/O commands for some IDE (hard disk special [manufacturer] ATA commands).

First feature: this is not an EXE module, it's a COM file. Plz, compile it through:

    Echo On
    tasm.exe %1.asm
    if errorlevel 1 goto MakeError
    tlink.exe %1.obj /t /3
    if errorlevel 1 goto MakeError
    del *.obj
    del *.map
    :AllDone
    Echo Done !!!
    exit
    :MakeError
    Echo Make Error
    exit

The result file must have size 14 815 (WATCH_P.COM).

Second feature: yeah, it has cmd-line parameters, see:

    ; Read Command Line
    mov bx,80h          ; cx = length of CMD
    ...
    ; put number of port to dx

So the first (and last) parameter in CMD is the base number of the trapped port (in HEX). For example, if you started the program this way:

    WATCH_P.COM 0170

you'd monitor (==hook) the next ports area: 0x0170, 0x0171 ... 0x017F (total amount is 16 ports). If any program used port access in this area (for example: mov DX,171h / in AL,DX), you'd get a trap (and log it onto the file).

Third feature: this demo does have an "activate key": you correctly found that it is "alt+Scroll Lock". If you press this key combination, this demo will log the trap info onto the file (LogFileName db 'c:\temp\watch!.log',0).

Finally I wanna say that if this method shan't work well under XP (or Virtual PC), you have to search for other ways to emulate hlock. And (repeatedly) I want to ask you: are you going to emulate h-lock through trapping in/out commands? (I mean it's a hard way 'cause you have to know the in/out commands key format.)

Chingachguk

-----
The one derivative you manage is the one I abhore (c) Slipknot

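As an added illustration (not the WATCH_P code from the attachment, nor anything by the posters), here is a small host-side C model of the two interfaces described in posts #2 and #4: parsing the hex base port from the DOS command tail at PSP offset 80h, and decoding one EMM386 I/O dispatch call (ECX direction, EDX port, EAX data) into a log line when the port falls inside the 16-port window. The command-tail layout (length byte, then CR-terminated text) and treating ECX=4 as output are assumptions stated in the comments; the sample tail and dispatch calls are constructed.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TRAP_WINDOW 16   /* post #4: base port .. base+15 are hooked */
/* Parse the DOS command tail (PSP offset 80h: length byte, then the text,
 * assumed CR-terminated) for the single hex base-port argument, e.g. " 0170".
 * Returns the port number, or -1 if the argument is missing or not hex. */
int parse_port_tail(const unsigned char *tail)
{
    int len = tail[0], i = 1, val = 0, digits = 0;
    while (i <= len && tail[i] == ' ') i++;           /* skip leading blanks */
    for (; i <= len && tail[i] != ' ' && tail[i] != '\r'; i++, digits++) {
        int c = toupper(tail[i]);
        if (!isxdigit(c)) return -1;                    /* not a hex digit */
        val = val * 16 + (c <= '9' ? c - '0' : c - 'A' + 10);
    }
    return (digits == 0 || val > 0xFFFF) ? -1 : val;
}

/* Is the faulting I/O address (EDX) inside the trapped 16-port window? */
int in_trap_window(int base, uint32_t port)
{
    return port >= (uint32_t)base && port < (uint32_t)base + TRAP_WINDOW;
}

/* Decode one EMM386 dispatch call into a log line. ECX=8 is byte output per
 * the post's comment; DOS 6.22 reportedly reports 4, so either bit is taken
 * as OUT (assumption). Returns NULL when the port lies outside the window. */
const char *format_trap(int base, uint32_t ecx, uint32_t edx, uint32_t eax)
{
    static char line[48];
    if (!in_trap_window(base, edx)) return NULL;        /* not ours: no log */
    snprintf(line, sizeof line, "%s port=%04Xh data=%02Xh",
             (ecx & 0x0C) ? "OUT" : "IN", (unsigned)edx, (unsigned)(eax & 0xFF));
    return line;
}

int main(void)
{
    const unsigned char tail[] = { 5, ' ', '0', '3', '7', '8', '\r' }; /* constructed: "WATCH_P.COM 0378" */
    int base = parse_port_tail(tail);
    const char *l;
    printf("trapped window: %04Xh..%04Xh\n", base, base + TRAP_WINDOW - 1);
    if ((l = format_trap(base, 8, 0x379, 0xAB))) puts(l);  /* constructed: out to 379h */
    if ((l = format_trap(base, 0, 0x3F8, 0x00))) puts(l);  /* outside window: nothing */
    return 0;
}
```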
Posted: 09 March 2007 09:31 · Private message · #5

Well, I've made a mistake: I took the EXE output from masm (ML) without thinking that it must be a COM (TSR)... sorry. I've tried to compile with your instructions but tasm shows me some errors (I probably have the wrong version). Compiled again with masm but with your link parameters: the COM is generated and it runs. I ran it with "watch_p.com 0378" for trapping LPT1 calls and it shows on the screen:

    Start !
    Trap setted !
    Finish !

It seems to terminate ("Finish !") but not "stay resident": the hotkey "left_alt-scroll_lock" doesn't write the log file as you said.

My first question was related to a way to emulate the dongle with the data known from the hardlock's dump. In some posts I've seen something about DLL calls, but my DOS prog doesn't use these. I've thought of something like wkpe: trapping the parallel port calls and emulating them; at this point it seems the right way. The program that I use isn't a single executable but many exes, depending on which functions are required. I've seen (hopefully) which is the executable that checks/manages the dongle. With hexedit and IDA I found some strings:

    HARDLOCK.VXD
    HLRegisterIni
    HLVDD.DLL
    HLDispatch
    HL_SEARCH

but I'm sure there are no vxd or dll that the program needs: inside the dir/subdirs there are no dlls (none hidden, either). In fact, if I copy the directory (and the subdirs) to another PC, the program runs fine with the original dongle or the wkpe emulator, of course in "pure DOS" or the W98 command prompt. Maybe the dll or vxd hides in an executable, or the strings above are created by a "crypt compiler" and inserted in the exe that manages the dongles as a "standard"? I remember that some time ago, a friend that used the same program showed me his dongle and it wasn't a "black fasteye" but a "purple" one (rainbow?). Now I think the wkpe data files that I use for emulation are coming from the "capture" of that dongle and not from the black one. In fact, after I tried a "data capture" procedure in wkpe with the "black" one, the log file shows a lot of "capture packets", but the file that I used for the working emulation has only this one. The emulation with the black's capture doesn't work: I suppose the hardlock generates a kind of "rolling code" continuously. I'll try to find the "purple dongle" for the program and make some tests with that one. News soon...

Posted: 09 March 2007 15:40 · Edited by: Chingachguk · Private message · #6

hi again! (this is a short answer, probably I'll say something else).

1. About the logger. I suppose you may check: the resident part of the logger (see usual DOS memory utilities like "mem" or something else); trapping efficiency - at first, try to force trapping. For example, after successful loading of the logger, execute something like:

    mov dx,378h
    in al,dx

which can be just part of your little demo program (I used to use it for debugging while writing my logger). And finally I suppose you'd better use the COM1 port area (0x278) instead of using COM2 (0x378).

2. About the "hardlock" strings inside the prog. Yeah, I'd agree that it's only a stub, or hardlock.vxd itself is inside your program. I'd recommend you study the int 2F way (which could be used to connect DOS apps and VxDs). For example:

    DeviceBig_ID  equ 3543h ; ID hardlock
    DeviceLitt_ID equ 3CDCh ; ID of little VxD

    cseg189:1AD5 mov ax, 1684h
    cseg189:1AD8 mov bx, 3543h
    cseg189:1ADB int 2Fh ; - Multiplex - MS WINDOWS - GET DEVICE API ENTRY POINT
    cseg189:1ADB         ; BX = virtual device (VxD) ID, ES:DI = 0000h:0000h
    cseg189:1ADB         ; Return: ES:DI -> VxD API entry point, or 0:0 if the VxD does not support an API

(this text was ripped from the same topic: http://exelab.ru/f/action=vthread&forum=1&topic=7553&page=1, but it's in Russian). And I want to add - you can perform I/O trapping via DRx traps (bpio command in Sice, etc). Good researches!

> I suppose the hardlock generates a kind of "rolling code" continuously

If I understood you correctly, you're thinking about the "in-out commands slip" - just store all out answers (like the AL register after some in AL,DX) and give (to the program) such faked answers? Hmm, (if it's true) I'd say it's a hard way, especially if the program implements "different" requests (for example - random requests or requests from a table). Hardlock's algo isn't a strong secret and if you know the in/out packet format...
But - of course - the easier way is to hook hardlock's API (like VxD entry points, etc).

-----
The one derivative you manage is the one I abhore (c) Slipknot