<<< Back
Manual of MultiKey with changes to the multikey 0.19.1.9 inclusive
*** General часть ****************************************************************************** ********************************
To view this emulator requires a registry key data emulated. For each type of ke y data will differ. In drawing up the reg-file is recommended to look at the contents of the examples of registration files. The path in the registry data for the emulator: [HKEY_LOCAL_MACHINE \ System \ CurrentControlSet \ MultiKey \ Dumps \ xxxxxxxx] xxxxxxxx - key password (8 hex characters) To use the key with the same password, you must add any character After the password key: ... MultiKey \ Dumps \ xxxxxxxxa] ... MultiKey \ Dumps \ xxxxxxxx1]
"Name" = "xxx" "Copyright" = "xxx" "Created" = "xxx" "DongleType" = dword: 0000000x - key type 1 - HASP (3,4, HL, SRM) 2 - HARDLOCK 3 - SENTINEL (spro, upro) 4 - GUARDANT (I, II) 5 - DINKEY
Licensing information for the emulator:
"License" = hex: xx, xx, xx, xx, xx, xx, xx, xx, xx, xx, xx, xx, xx, xx, xx, xx To obtain a license under x32 systems use the online form on the site of generation http://testprotect.com/appendix/LicMkOnline
****************************************************************************** **************************************************
*** HASP (3,4,HL,SRM) ****************************************************************************** *************************
"SN" = dword: xxxxxxxx - serial number "Type" = dword: 000000xx - Model 12 - Time HASP 3 0A - HASP4 M1 (deafult) 1A - HASP4 Time EA - HASP HL FA - HASP HL Time "Memory" = dword: 00000001 - memory size 00000001 - 0x80 00000004 - 0x1F0 00000020 - 0xFD0 00000021 - 0x70
"SecTable" = hex: 00,00,00,00,00,00,00,00 - private table "NetMemory" = hex: 03,00,0F, D0,02,00,00,00, FF, FF, FE, FF - cell "network" Memory // Typical data into NetMemory: // 12 1A 12 0F 03 00 70 00 02 00 00 FF FF FF FF FF // 12 1A 12 0F - sn // 03 00 - key type 70 // 00 - memory size in bytes // 02 FF -? // 00 00 - net user count // FF FF -? // FF - key type (FF - local, FE - net, FD - time)
// FF -?
"Option" = hex: 00,00,00,00,00,00,00,00,00,00,00,00,00,00 - additional options: (to build on 18.2.4) [0] = 01..7F - sets a time delay when working with keys (type-1..4) [0] = 0 - without time delays (to build on 18.2.4) "Data" = hex: - memory
= TIME dongles = For the time HASP keys are added to the field, for example: "NetMemory" = hex: 05,00,80,00,02, FF, 00,00, FF, FF, FD, FF "HaspTimeMemory" = hex: \ 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00 \ 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00 \ 3f, db, 95,7d, 00,00,00,00,00,00,00,00,00,00,00,00, \ 00,00,00,00,00,00,00,00 "TimeShift" = hex: 00,00,00,00,00,00,00,00 where: 3f, db, 95,7d - the serial number of a recorded key byte
= HL encrypt / decrypt = The table-emulated function hasp_decrypt + hasp_encrypt, in the absence of values in the tables values are processed by the Inland AES agoritmu. If necessary, change the default AES key algorithm to make reg file its value: "AesKey" = hex: 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00 The tables are located in the main location of the dump podvetkah: Decrypt: [HKEY_LOCAL_MACHINE \ System \ CurrentControlSet \ MultiKey \ Dumps \ 12345604 \ DTable]; Encrypt: [HKEY_LOCAL_MACHINE \ System \ CurrentControlSet \ MultiKey \ Dumps \ 12345604 \ ETable].
The format of entries in the tables for multikeya v ersion <18.1 (all values are hexadecimal): "10: 00112233445566778899AABBCCDDEEFF" = hex: FF, EE, DD, CC, BB, AA,
99,88,77,66,55,44,33,22,11,00 "20: 00112233445566778899AABBCCDDEEFF" = hex: FF, EE, DD, CC, BB, AA, 99,88,77,66,55,44,33,22,11,00 "30: 00112233445566778899AABBCCDDEEFF" = hex: FF, EE, DD, CC, BB, AA, 99,88,77,66,55,44,33,22,11,00 ************************************************** *************************************** !!! for multikeya version> = 18.1 in the names of queries 20h and 30h should take 32 bytes request !!! "10: 0123456789ABCDEF0123456789ABCDEF" = hex: 12,34,56,78,90, AB, CD, EF, 12,34,56,78,90, AB, CD, EF "20:5500A934CDE5D7B619568515F74D323695EC75E8C48F6B5D9880F6A88B251C48"=he x:4F,8A,A7,A1,26,55,61,B3,1A,77,B4,A2,19,B3,34,FD "30:9A2B6F7F80A2F2E36334D3258BAFD06FBB7286766A24910911648D98D8C56628"=he x:12,71,B7,B5,3D,47,B4,2B,DC,93,4F,00,00,1C,2C,4E ************************************************** *************************************** where - "10: 00112233445566778899AABBCCDDEEFF" - a request to the key "10 (20.30)" - request length in bytes "00112233445566778899AABBCCDDEEFF" - the first 16 bytes of the request - Hex: FF, EE, DD, CC, BB, AA, 99,88,77,66,55,44,33,22,11,00 - answer key, taken only the first 16 bytes of the actual response. For example: ================================================== ================ 2008/10/10 07: 13: 25.109 <== HaspHL_decrypt: Length = 0x10 2008/10/10 07: 13: 25.109 <== HaspHL_decrypt: Input Data = 2008/10/10 07: 13: 25,109 2A E1 F0 A2 | E1 B2 F1 F9 | 9F C8 72 F6 | CA 4B 01 49 2008/10/10 07: 13: 25.171 ==> HaspHL_decrypt: Output Data = 2008/10/10 07: 13: 25,171 9D 4D 03 53 | 00 00 00 00 | CB D2 6B 04 | 00 00 00 00 2008/10/10 07: 13: 25.171 ==> HaspHL_decrypt: Status = 0x00 ================================================== ================ 2008/10/10 07: 13: 23.484 <== HaspHL_decrypt: Length = 0x20 2008/10/10 07: 13: 23.484 <== HaspHL_decrypt: Input Data =
2008/10/10 07: 13: 23,484 7B 6E 8C DF | D6 51 A3 0C | E1 FA 60 47 | 51 79 71 6C 2E 0E 0C 38 | C6 99 FE 97 | B2 C2 E1 37 | 7F 61 CD 7A 2008/10/10 07: 13: 23.546 ==> HaspHL_decrypt: Output Data = 2008/10/10 07: 13: 23,546 02 B0 3C 6E | DA 88 46 BA | 4C 7E 5A 12 | 8E D6 DE 76 2E 0E 0C 38 | C6 99 FE 97 | B2 C2 E1 37 | 7F 61 CD 7A 2008/10/10 07: 13: 23.546 ==> HaspHL_decrypt: Status = 0x00 ================================================== ================ 2008/10/10 07: 13: 23.609 <== HaspHL_decrypt: Length = 0x30 2008/10/10 07: 13: 23.609 <== HaspHL_decrypt: Input Data = 2008/10/10 07: 13: 23,609 7B 6E 8C DF | D6 51 A3 0C | E1 FA 60 47 | 51 79 71 6C 2E 0E 0C 38 | C6 99 FE 97 | B2 C2 E1 37 | 7F 61 CD 7A 9C F3 2A BD | A4 DA 3B 78 | 97 CC 44 ED | 42 47 42 E6 2008/10/10 07: 13: 23.671 ==> HaspHL_decrypt: Output Data = 2008/10/10 07: 13: 23,671 77 64 61 62 | 63 60 61 5F | A2 B9 AC 60 | 61 62 63 5F 2E 0E 0C 38 | C6 99 FE 97 | B2 C2 E1 37 | 7F 61 CD 7A 9C F3 2A BD | A4 DA 3B 78 | 97 CC 44 ED | 42 47 42 E6 2008/10/10 07: 13: 23.671 ==> HaspHL_decrypt: Status = 0x00 ================================================== =============== The resulting table: [HKEY_LOCAL_MACHINE \ System \ CurrentControlSet \ MultiKey \ Dumps \ 12345604 \ DTable]; "10: 2AE1F0A2E1B2F1F99FC872F6CA4B0149" = hex: 53,9D, 4D, 03,00,00,00,00, CB, D2,6B, 04,00,00,00,00 "20:7B6E8CDFD651A30C47E1FA60516C79712E0E0C38C699FE97B2C2E1377F61CD7A"=h ex:02,B0,3C,6E,DA,88,46,BA,4C,7E,5A,12,8E,D6,DE,76 "30:7B6E8CDFD651A30C47E1FA60516C79712E0E0C38C699FE97B2C2E1377F61CD7A"=h ex:77,64,61,62,63,5F,60,61,A2,B9,AC,60,61,62,63,5F If a single request protocol found in length 32 (20h) byte followed immediately there is no request of 48 (30h) bytes (or to put it another way, in which the second byte of the request 16 Is not equal to a second 16-byte response), such a request must be saved in the table as two queries 16 (10h) bytes
= SRM = To emulate addition SRM HL key data like more data are needed. In looking for is this private information.
// // List of supported functions for hasp key // enum KEY_FN_LIST { // HL KEY_FN_SET_CHIPER_KEYS = 0x80, KEY_FN_CHECK_PASS = 0x81, KEY_FN_READ_3WORDS = 0x82, KEY_FN_WRITE_WORD = 0x83, KEY_FN_READ_ST = 0x84, KEY_FN_READ_NETMEMORY_3WORDS = 0x8B, KEY_FN_HASH_DWORD = 0x98, KEY_FN_GET_TIME = 0x9C, // Get time (for HASP time) key KEY_FN_PREPARE_CHANGE_TIME = 0x1D, // Prepare to ch ange time (for HASP time) KEY_FN_COMPLETE_WRITE_TIME = 0x9D, // Write time (complete) (for HASP time) KEY_FN_PREPARE_DECRYPT = 0x1E, // qwestions KEY_FN_COMPLETE_DECRYPT = 0x9E, // answers KEY_FN_ECHO_REQUEST = 0xA0, // Echo request to key KEY_FN_ECHO_REQUEST2 = 0xA1, // Echo request to key // srm KEY_FN_SRM_A2 = 0xA2, // read the table of features KEY_FN_SRM_26 = 0x26, // 26 / A6 - reading values key features and memory KEY_FN_SRM_A6 = 0xA6, // KEY_FN_SRM_AA = 0xAA, // log into the key KEY_FN_SRM_AB = 0xAB, // logout key KEY_FN_SRM_AC = 0xAC, // hasp_get_rtc - getting time with key KEY_FN_SRM_AE = 0xAE, // xs, like there was a 3.25 KEY_FN_SRM_27 = 0x27, // 27 / A7 - write to memory key KEY_FN_SRM_A7 = 0xA7, // KEY_FN_SRM_29 = 0x29, // 29 / A9 - crypt dekript KEY_FN_SRM_A9 = 0xA9, // KEY_FN_SRM_28 = 0x28, // 28 / A8 - reading without key encryption protocol signed (update) KEY_FN_SRM_A8 = 0xA8, // KEY_FN_SRM_38 = 0x38, // 38 / B8 - key update and stitching KEY_FN_SRM_B8 = 0xB8 // };
****************************************************************************** **************************************************
*** HARDLOCK ****************************************************************************** ************************************
"ID" = dword: xxxxxxxx - serial number "withMemory" = dword: 0000000x - key with memory or without it "Seed1" = dword: 0000xxxx "Seed2" = dword: 0000xxxx "Seed3" = dword: 0000xxxx "HlkMemory" = hex: - memory
// // List of supported functions for HARDLOCK key // enum HARDLOCK_KEY_FN_LIST { HDK_KEY_FN_SET_CHIPER_KEYS = 0x80, HDK_KEY_FN_CHECK_PASS = 0x81, HDK_KEY_FN_READ_WORD = 0x82, HDK_KEY_FN_WRITE_WORD = 0x83, HDK_KEY_FN_HL_VERKEY = 0x87, HDK_KEY_FN_READ_ID = 0x8B, HDK_KEY_FN_HL_CODE = 0x8C, HDK_KEY_FN_HL_CRYPT = 0x8D, HDK_KEY_FN_HL_CODE_PAR = 0x0C, HDK_KEY_FN_HL_CRYPT_PAR = 0x0D, HDK_KEY_FN_HL_CALC = 0x89 }; ****************************************************************************** **************************************************
*** SENTINEL ****************************************************************************** ************************************
... MultiKey \ Dumps \ 0000xxxx] - xxxx - Developer ID "Type" = dword: 00000000 - model 0-SuperPro, 1 all other types; "sntMemory" = hex: - a memory cell for "Type" = 0 - 64 cell for "Type" = 1 depending on the type of key "CellType" = hex: - types of cells; for "Type" = 0 - 64 bytes for "Type" = 1 depending on the type of key
"Type" = 0 - total internal algo to SPRO, reg-file old-fashioned "Type" = 1 - only tabular emulation for all types of keys, in the reg file to add new fields: "Option" = hex: 02,00,03,80,7F, 00,00,00 (for example SPRO supporting AES-tunnel) where: [0] ... [3] - the value of the type of key, we get the Funk GET_KEYINFO [4] - the value of physically readable memory key, usually 7F or FF [5] ... [7] - reserve "AesKey" = hex: 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00 - aes AES-key for the tunnel (so far so get out prog) !!!!! To form a correct registration file is recommended dumper SSUMD v1.1 !!!!! Spro default dump the old regime ("Type" = 0).
The format of the tables: ... MultiKey \ Dumps \ 0000xxxx \ cell_yy] - yy - the number cell, for which tables for each table its Sella "12345678" = hex: 22,33,44,55 "1122334455667788" = hex: 11,12,13,14,15,16,17,18 "11223344556677888877665544332211" = hex: 88,77,66,55,44,33,22,11,11,22,33,44,55,66,77,88
// // List of supported functions for Sentinel key // enum SENT_KEY_FN_LIST { SENT_KEY_FN_FIND_FIRST_UNIT = 0x10, SENT_KEY_FN_READ = 0x11, SENT_KEY_FN_QUERY_SHORT = 0x12, SENT_KEY_FN_QUERY_LONG = 0x13, SENT_KEY_FN_WRITE_0 = 0x14, SENT_KEY_FN_WRITE_1 = 0x15,
SENT_KEY_FN_WRITE_2 = 0x16, SENT_KEY_FN_WRITE_3 = 0x17, SENT_KEY_FN_OVERWRITE_0 = 0x18, SENT_KEY_FN_OVERWRITE_1 = 0x19, SENT_KEY_FN_OVERWRITE_2 = 0x1A, SENT_KEY_FN_OVERWRITE_3 = 0x1B, SENT_KEY_FN_ACTIVATE = 0x1C, SENT_KEY_FN_DECREMENT = 0x1D, SENT_KEY_FN_GET_KEYINFO = 0x00, SENT_KEY_FN_SET_PARAMETER = 0x03, SENT_KEY_FN_GET_PARAMETER = 0x02, USENT_KEY_FN_GET_LOGIN = 0x05, // for ULTRA and new SPRO USENT_KEY_FN_LOGIN_21 = 0x21, USENT_KEY_FN_AES_TUNNEL = 0x07, USENT_KEY_FN_2F = 0x2F }; ****************************************************************************** **************************************************
*** GUARDANT ****************************************************************************** ************************************
... MultiKey \ Dumps \ xxxxxxxx] - xxxxxxxx - pwRead - key password to read; "DongleType" = dword: 00000004 "pWrite" = dword: 23232323 >>> write password, optional, if the program does not use record "Data" = hex: \ ... (256 bytes - full dump descriptors)
The format of the tables: if the handle is 0 in the algorithm reg file, then we are looking for the data in Table ... MultiKey \ Dumps \ xxxxxxxx \ algo_yy] where yy - the number of the algorithm "1122334455667788" = hex: 11,12,13,14,15,16,17,18 A simplified table - a request to the reg file is limited to 8 bytes, ie if the length
Request transforms more than 8 bytes, the query n ame in the registry take only the first 8 b ytes, a full written response. ****************************************************************************** **************************************************
*** DINKEY ****************************************************************************** **************************************
... MultiKey \ Dumps \ 12345678] where 12345678 - dinkSerial "DongleType" = dword: 00000005 "dinkValue" = dword: xxxxxxxx "dinkMemory" = hex: \ ****************************************************************************** **************************************************
