Exetools

Exetools (https://forum.exetools.com/index.php)
-   General Discussion (https://forum.exetools.com/forumdisplay.php?f=2)
-   -   Rockey4 (https://forum.exetools.com/showthread.php?t=9775)

Kyrios 07-02-2006 02:21

Rockey4
 
Hi,

Does anyone have experience with Rockey4? I have a program (17MB) with Rockey4 protection. I also have the dongle right now, but I want to use it without the dongle.
Before the call to Rockey, the flag is set in ax.

    mov ax, some word
    call Rockey
    mov eax, dword ptr [esp]

The result is always a static value. It could be tokens left, dongle ID, expiration date, etc., and it always depends on the value of AX. For example, if AX=1, it always returns tokens left. If AX=2, it always returns the dongle ID. If AX=3, it always returns the expiration date. I have no problem with this kind of routine. It's done. I can modify the return value to anything I want because it's a static value.

But I have trouble with this kind of routine:

    mov ax, some dword
    push [ebp]
    push [ebp+4]
    call Rockey4
    mov ecx, [ebp]
    mov edx, [ebp+4]

The final result depends on the push [ebp] and push [ebp+4]. And the initial values (before the call to Rockey) always differ, depending on the library (music) file I load. The library music files came from the author of the program, and the amount is huge, about 10k files (3 DVDs). All of the files are encrypted. At the beginning of each file there are 2 dwords which ALWAYS differ from each other. These values are used for the initial pushes before the call to Rockey, and the result values (which are moved to ecx and edx) are used to decrypt the music library file currently loaded. So you already know my current situation.
So my question is: how do I find out what Rockey does with the initial values being pushed to the stack, so I can rip the code and inject it into the exe?

If someone is interested in the target, I have uploaded it to a Yahoo mail account I created for this purpose, along with my current progress: it can run without the dongle but can't decrypt the music libraries from the DVDs (which came from the author, packaged with the purchase). Just PM me and I'll send the ID and the password to you.

BR,
kyrios

toro 07-02-2006 14:08

Hi,
You can see the Rockey manual for the function descriptions. Rockey's dongle protection logic is different from other traditional dongles: the developer can insert some portions (functions) of his code into the dongle at design time, and at run time send parameters to the dongle and receive the result of the function from the dongle. Actually the dongle can execute some functions by itself, so the patch method cannot work for it.
However, Rockey4 is very simple and you can guess the functions which are in it with some effort. Or sometimes you can even do a full search on all possible values as input parameters and create a table for the output values.
And there are other approaches...

I think you are lucky because you have Rockey4, not Rockey5.

regards

FoxB 07-03-2006 00:52

hi,

Your Rockey4 uses the function named "Generate Seed Code".
For a static dword value the dongle receives four seeds (words) based on the dongle passwords.

wbr

.:hack3r2k:. 07-17-2006 04:10

Rockey 4 is far more advanced than you think, and Rockey 5 and 6, used well, leave no option for hacking. Besides the data you can store in the dongle, a Rockey 4 dongle can include a user algorithm zone where you can store small algorithms. That zone is write-only, so there is little chance to fix that if the author used it. Anyway, if you like, I could take a look at it to see how it works. Before starting such a thing, I suggest a good understanding of their SDK.

Br;)

toro 07-18-2006 01:32

Quote:

Rockey 5 and 6 used well leave no option for hacking
Are you sure? ;)

JMI 07-18-2006 03:27

Documentation is available here:

http://www.rockey.nl/en/support/rockey-download.html

They even have developer's guides and (gasp) sample code.

;)

Regards,

Shub-Nigurrath 07-18-2006 06:52

Have you seen this?
http://bbs.pediy.com/showthread.php?&threadid=29075

It's attached here too.

.:hack3r2k:. 07-18-2006 22:50

Quote:

Originally Posted by toro
Are you sure? ;)

I said if used properly, buddy. Rockey 5 and Rockey 6 act like smartcards; this means you can write applets with algorithms and store them inside the dongle without any possibility to read them. So explain how you plan to remove the dongle when a 1000-line algorithm is stored inside, for example :D

Br;)

.:hack3r2k:. 07-18-2006 23:09

Quote:

Originally Posted by JMI
Documentation is available here:

http://www.rockey.nl/en/support/rockey-download.html

They even have developer's guides and (gasp) sample code.

;)

Regards,


www.ftsafe.com as well, and the password is rockey.

@Shub:
Pretty useless unless the dongle is used badly, with always-static data. Also note that Rockey 4 is both LPT/USB and also has several variants. Around 3 if I remember well.

@kyrios: I'm downloading now, thx.

Br;)


toro 07-19-2006 20:51

Quote:

So explain how u plan to remove the dongle when 1000 lines algo is stored inside for example
Extraction of that 1000-line algorithm from the dongle. ;)

JMI 07-20-2006 00:45

A journey of 1000 miles begins with a single step. ;)

Regards,

etienne 07-20-2006 01:28

Well, if you think dongle cracking has anything except a direct relation to software reversing, I can come up with some ideas :D :D
But it would be nice to have some snippets of the code you have. Basically you only have to record the queries and store them in a table; do this twice by executing the program and compare the tables.
If the tables match with no or only slight differences, you grabbed the d**k of God :)

.:hack3r2k:. 07-23-2006 09:36

:cool: Unless the queries change using params that maybe are not given by the soft.

Br;)

.:hack3r2k:. 07-23-2006 09:38

Quote:

Originally Posted by toro
Extraction of that 1000-line algorithm from the dongle. ;)

Easy to talk :D Let's take smartcards for example... I have some people happy to pay $5000 if you can extract the algorithm from them :D Best is to speak on facts rather than on suppositions.

Br;)

toro 07-23-2006 14:36

Quote:

Best is to speak on facts rather than on suppositions
I didn't talk about smart cards generally, I talked about Rockey and especially Rockey5. Extraction of code is possible, exactly because they let the developer add some code to the card, and the code can be a trojan, and ....
I think you can understand what I am saying. ;) You can be sure that this has been done before.

.:hack3r2k:. 07-23-2006 18:28

Quote:

Originally Posted by toro
I didn't talk about smart cards generally, I talked about Rockey and especially Rockey5. Extraction of code is possible, exactly because they let the developer add some code to the card, and the code can be a trojan, and ....
I think you can understand what I am saying. ;) You can be sure that this has been done before.

Never heard about it, but that doesn't mean it's not possible. Anyway, I used to work with Rockey 4+ and Rockey 6. Well, at least for Rockey 6, even if you write a trojan, all you'll get will be an encrypted file that's useless. Anyway, interesting to know it works for Rockey 5. Btw, on very old smartcards there was also a bug that permitted the dump of applets, but it was closed a long time ago. Anyway, let's stick to the subject and help that guy.

Br;)

Sabor 08-06-2006 03:16

ok..
 
Last I spoke with some RE people, both Rockey4/5 are fully emulated. And for 5k, go get some hardware reverse engineering services; plenty are available, and that price will suffice. On a side note, I cannot verify it at the moment, but when a dongle backup service offers Rockey4/5 as a replacement emu, generally they have the full solution (: See http://www.nodongle.biz/ for about 350 bucks, although I wonder if some of my friends' or my own emus trickled down to these backup services.. For 5k, I might spend some time to find out. I never saw a "hacker" defend a dongle so much ( : Based on the fact alone that this dongle is made in China, I wouldn't trust it with more than a 1k-value software application. That's allllllll.

baatazu 08-15-2006 03:43

Rockey series are the best dongles around.
Can you name the software?

FoxB 10-15-2006 18:17

Rockey5 or 6 - may be.

Kyrios 11-19-2006 04:07

It's done. Someone has helped me.

baatazu 11-19-2006 20:54

Kyrios, can you tell us the software name? Just curious...
