Reverse Engineering Team

Tools for converting hasploger / toro log output to DTables reg

Post by New Bee on Sat Mar 30, 2013 8:44 am

I have successfully done the following:-
(a) Obtained the passwords for a HASP HL (Green) dongle by Toro Monitor
(b) Used h5dmp.exe to dump the dongle and got hasp.dmp and hhl_mem.dmp
(c) Created .reg file with these files
(d) Installed the .reg with multikey.

Now - the h5dmp.exe with the virtual dongle is identical to the original.
However, the software has envelope protection and hence I get an envelope error. I have the toro monitor log and hasploger outputs of the original dongle.
How do I convert them to DTable?
Doing it manually seems a long and error-prone task. Was wondering if someone has coded a utility for the same? Have found spliter etc. which output Q and A tables - which are no longer used by Multikey. Was looking for a tool that will generate the AESKey and DTable.
Thanks in advance and apologies - my first post and first attempt.

EDIT1 - Essentially looking for a tool like haSploGer K-Di - any ideas?
Further, was wondering - in the toro log and the hasploger output couldn't find the queries or replies being repeated - have checked at random and am still in the process of coding a distiller (or finding one!! - preferably) but the non-repetitive nature of the Q and A - is that expected? And will a table-based solution work? Anyone with a success story?


Last edited by New Bee on Sat Mar 30, 2013 9:30 am; edited 1 time in total (Reason for editing : Have been reading up the forum again and again :))

New Bee

Posts : 10
Points : 12
Reputation : 0
Join date : 2013-03-23

Post by hasp on Sat Mar 30, 2013 12:01 pm

Post your toro & hasp logger files here.

hasp

Posts : 447
Points : 605
Reputation : 150
Join date : 2011-12-16

Post by New Bee on Sat Mar 30, 2013 12:54 pm

The files are huge - 2.3 MB and 3.2 MB - hope they are accepted as codes.

Post by hasp on Sat Mar 30, 2013 12:56 pm

Zip the file, upload it and post the links here.

Post by New Bee on Sat Mar 30, 2013 1:16 pm

Umm, 7 day limit :( Can you complete the links below at www(dot)megafileupload(slash)en(slash) +
file/406951/TORO-LOG-rar.html
file/406950/hasplogeroutput-rar.html

Post by hasp on Sat Mar 30, 2013 1:55 pm

rar pass= hasp

Post by New Bee on Sat Mar 30, 2013 2:43 pm

Thanks for the reg file - have tried it but with no luck.
Copied the contents of the file you sent at the end of the existing reg file. With only the reg file - the application used to detect the HASP HL dongle as installed but gave an envelope error.
Now with the changed .reg file, original plus the one you have provided - it doesn't even detect it as the correct dongle.
Edit 1 : Apologies that was a typo in the .reg file - post correcting it back at status quo with Error 1031 : Envelope unknown error
Have added as below
From Original File
"EDStruct"=hex:\
20,00,9F,69,74,96,01,4A,79,8E,BF,66,75,A2,B3,00,\
....
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
"ColumnMask"=dword:000000FB
"CryptInitVect"=dword:00000033
[HKEY_LOCAL_MACHINE\System\CurrentControlSet\MultiKey\Dumps\283D5B4B\DTable]
"10:0004A9BED4A4F57B5BEB515DEA6EDE15"=hex:31,4B,4E,C4,D0,11,A8,E0,BB,FC,DB,6D,BB,85,1E,2F
.....
And thanks a ton for all the help.
Best Regards


Last edited by New Bee on Sat Mar 30, 2013 2:59 pm; edited 1 time in total

Post by hasp on Sat Mar 30, 2013 2:50 pm

Maybe your reg file is wrong; show the dump file here or PM.

Post by New Bee on Sat Mar 30, 2013 3:12 pm

Further on - I tried running the program with your DTable and have observed the following:-
(a) Without the DTable entry - the program halts with hardly any entries in the hasploger - just the initial "handshake"
(b) With the DTable - several screens of decrypt and encrypt scroll out before the envelope error is reported - that is, the envelope error is now delayed. Could it be because the Toro log did NOT capture all Q's and A's and I need to run it for longer?? (Unfortunately I don't have the dongle now - so will take time doing it ..)

Post by New Bee on Sat Mar 30, 2013 3:17 pm

Ummm ok - being a very basic programmer found that a little daunting - but will try getting the Q/A from the .exe and .dll and get back. It might take me some time :) so will be back in a day or two.
Regards

Post by BfoX on Sun Mar 31, 2013 2:09 am

After you have got the static Q/A table you need access to the real dongle for logging additional Q/A.

BfoX

Posts : 1017
Points : 1318
Reputation : 232
Join date : 2012-04-18
Location : Earth

Post by New Bee on Sun Mar 31, 2013 10:25 am

hasp, all - thanks for all the inputs.
Still on the job - have dumped a lot of GetTickCount sections (the main application plus 03 dll's have .protect section - and each of them has 05 GetTickCount parts) - so have dumped all of these and converted them to .reg entries. Now the application starts, goes through the initialization boxes and THEN reports an Envelope error. I am assuming this is due to incomplete 20 and 30 length keys and will run the haspmon / hasplogger with the dongle installed to get more keys.
However, was examining the .reg file you have sent based on the toro log I had sent and there are a few entries of length 10 with only ",,,,,,,," in the output. Have not been able to correlate why that has happened - presume you have used LogtoTables.exe tools. Was able to locate the tool for myself and the results are the same - a few entries with only ",,,,,,,," are being created. Maybe somebody needs to have a look at this.
Further, a question: while using PETools - on 3 out of 5 tries - the PETool dump of the main application hs.exe did not find any GetTickCount. All three dll were consistent with only the location of the GetTickCounts changing - the content remaining the same and obtainable every time. Does the application detect PETools?? Seems difficult because I had launched PETools after the Envelope error is detected. Any explanations?

Post by New Bee on Thu Apr 04, 2013 2:16 pm

Hi all,
Well - have done the GetTickCount as follows:-
(a) Loaded Toro Aladdin Dongles Monitor.exe
(b) Selected File menu -> Envelope File Finder
- it listed all exe and dll with .protect section - essentially it lists all the files and dll that are using hasp envelope protection.
(c) - Ran the application till I got the Envelope error
- Loaded PE Tools
- Dumped the exe
- Searched the exe for GetTickCount - found 7 instances
- 02 instances had readable text beyond it ("Get Curr Process" etc.) - so ignored them
- Dumped 4096 bytes (0x1000 Hex bytes - depends on how the hex editor displays selected block size) AFTER 08 bytes from completion of GetTickCount
- Dumped 05 such blocks
- Used LogToTables.exe to convert them to .reg file.
- Suffixed the file at the end of the .reg file created earlier from h5dmp.exe
- repeated the process for each dll with envelope protection - in my case got 05 'valid' tickpoints for each dll
- not essential - but since the reg file was HUGE - imported the QA portion into Excel - eliminated the duplicates and exported the file back to text and .reg (reduced file size to approx 30 %)
- merged the reg file in registry
- ran Multikey - install
- Voila !! Dongle no longer required

Issues faced:-
(a) Log to tables has a few entries with ",,,,,,,,,," as answer - still working on it. If I can figure out the cause and the remedy shall post it. For present have simply deleted the Q/A sets
(b) Application at times does not load / hangs - attributable to the Q/A set NOT being complete. Suspect the 20 and 30 length sets are not complete and require a longer logging session for completeness. On receipt of dongle again shall do it and see if results improve.
(c) Initially, the .reg file created would not show as a virtual usb when the "Chingachguk & Denger2k" option is used in UniDumpToReg.exe.
On using "Chingachguk based Hasp HL (table)" - issue resolved. A check of the two .reg files indicates that the former does NOT have a DATA section - and hence does NOT show up as a virtual USB even though the device gets loaded. Even simply adding the DATA reg entry with no / any data - makes the .reg file load and USB detection happen.
Hope this helps someone - if in doubt - ASK :) I did - and thanks to hasp and BfoX - almost there :)


Post by New Bee on Fri Apr 12, 2013 11:18 pm

Hi all,
Just a quick update for info - may be of some help to others.
For reference with one exe and 03 dlls with envelope protection - I managed to get about 10,000 Q/A with the GetTickCount procedure. Using this Q/A, the application would run approximately one out of every five times.
Logging data with hasp logger, I took the Q/A table count to 25,000 - almost identical results (01 out of 05 tries successful)
When I could get approx 50,000 Q/A - was getting like 1 out of 2 tries successful - but it took like 15 mins to import the .reg file into the registry.
Kept on logging data and now have like 1,13,000 Q/A - and EXCEL is hanging when I try to process that data - so am not pursuing it further (actually happy with one of two tries being successful :D)
Was playing with the data in Excel - and observed following points:-
(a) Entries of same Q with different Answers - the hasplogger output did not have it but the merged .reg file containing the GetTickCount Q/A and hasplogger Q/A did.
(b) Conversely, a few of the A's and multiple Q's.
Just wondering if there's an upper limit to these Q/A?

Post by New Bee on Fri Apr 12, 2013 11:22 pm

Again just for information - tried one of the dongle services (where they provide you a .dng file to run with the HaspHL2009 or 2010) - the .dng file based on the dump you forward ONLY emulates the dongle correctly - that is, the virtual dongle is detected by the application as the correct dongle but it DOES NOT cater for the Q/A's - that you have to do yourself. Seeing that the tools (hasplogger, h5dmp, etc.) accomplish the same for no cost - does not seem any point in going the HaspHL etc. way.

Post by frankleng on Wed Oct 23, 2013 3:17 am

New Bee wrote:
Hi all,
Well - have done the GetTickCount as follows:-
(a) Loaded Toro Aladdin Dongles Monitor.exe
(b) Selected File menu -> Envelope File Finder
- it listed all exe and dll with .protect section - essentially it lists all the files and dll that are using hasp envelope protection.
(c) - Ran the application till I got the Envelope error
- Loaded PE Tools
- Dumped the exe
- Searched the exe for GetTickCount - found 7 instances
- 02 instances had readable text beyond it ("Get Curr Process" etc.) - so ignored them
- Dumped 4096 bytes (0x1000 Hex bytes - depends on how the hex editor displays selected block size) AFTER 08 bytes from completion of GetTickCount
- Dumped 05 such blocks
- Used LogToTables.exe to convert them to .reg file.
- Suffixed the file at the end of the .reg file created earlier from h5dmp.exe
- repeated the process for each dll with envelope protection - in my case got 05 'valid' tickpoints for each dll
- not essential - but since the reg file was HUGE - imported the QA portion into Excel - eliminated the duplicates and exported the file back to text and .reg (reduced file size to approx 30 %)
- merged the reg file in registry
- ran Multikey - install
- Voila !! Dongle no longer required

Issues faced:-
(a) Log to tables has a few entries with ",,,,,,,,,," as answer - still working on it. If I can figure out the cause and the remedy shall post it. For present have simply deleted the Q/A sets
(b) Application at times does not load / hangs - attributable to the Q/A set NOT being complete. Suspect the 20 and 30 length sets are not complete and require a longer logging session for completeness. On receipt of dongle again shall do it and see if results improve.
(c) Initially, the .reg file created would not show as a virtual usb when the "Chingachguk & Denger2k" option is used in UniDumpToReg.exe.
On using "Chingachguk based Hasp HL (table)" - issue resolved. A check of the two .reg files indicates that the former does NOT have a DATA section - and hence does NOT show up as a virtual USB even though the device gets loaded. Even simply adding the DATA reg entry with no / any data - makes the .reg file load and USB detection happen.
Hope this helps someone - if in doubt - ASK :) I did - and thanks to hasp and BfoX - almost there :)

You are absolutely right. Every word is worth reading carefully.
I was confused by the DTable for a couple of days. After reading your post,
I just dumped all related exe and dll files located under the software installation inventory with PETools (if not working, I planned to dump those related in the C: drive too),
and found 4 files that contain GetTickCount (excluding those followed closely by text like Current.. etc.).
I totally got 20 blocks, 5 from each, and used logstotable.exe to extract the information.
Then, I used Hasploger to get the other pairs and used those marked with 20 and 30 (length).
After adding all of them to the reg I made before, it finally works.
Very helpful.

PS: The important thing to get the DTable is to look into every related file with PETools; it's boring, but you have to. I tried to remove the duplicates, but it failed after importing the reg. I have to keep the duplicated pairs in the reg. The reg is about 2.3M. Big, but it works now. Nice. Thank you.

Interestingly, I first forgot to change the address generated previously in the reg file. But it works. However, to prevent future problems, I changed the add to HKEY_LOCAL_MACHINE\System\CurrentControlSet\MultiKey\Dumps\ as explained. Funny.

frankleng

Posts : 7
Points : 11
Reputation : 0
Join date : 2013-10-21

Post by neopl on Wed Oct 15, 2014 9:54 am

Hi, I made logs of my HASP HL Dongle with TORO.HASP.LOGGER.v4.0.public.
This Logger created a file named like TORO_HASP_LOG_.....BIN, do you know how to open those files or create DTables from those files for multikey?

I created light software that can make a DTable from toro logs like this:
...
Code:

Fn80:> KEY_FN_SET_CHIPER_KEYS
Data:
    02 EA 00 19 03

FnA1, SubFn01:> Read Hardware Parameters
Data:
    01 2E 96 2D 06 01 00 00 02 CA 00 0B 00 00 3D BD
    02 54 00 02 00 00 00 00 03 19 22 C3 7B 00 00 00
    00 00 00 00 34 00 00 60 00 01 4C 78 00 00

Fn2F:> Unknwon

Fn2F:> Unknwon

FnAF:> Unknwon
...

but I can't do this from BIN files.

neopl

Posts : 2
Points : 2
Reputation : 0
Join date : 2014-05-22

Post by BfoX on Wed Oct 15, 2014 11:01 am

Fn2F/FnAF are HASP SRM functions.

Post by neopl on Wed Oct 15, 2014 11:19 am

This is only an example log from toro hasp logger v4.
I'm asking how to open/read the BIN file from this logger or convert it to a DTable?
