Exetools  

#1
07-02-2006, 02:21
Kyrios
Rockey4

Hi,

Does anyone have experience with Rockey4? I have a program (17 MB) with Rockey4 protection. I also have the dongle right now, but I want to use it without the dongle.
Before the call to Rockey, the flag is set in AX.

mov ax, some word
call Rockey
mov eax, dword ptr [esp]

The result is always a static value. It could be tokens left, dongle ID, expiration date, etc., and it always depends on the value of AX. For example, if AX=1 it always returns tokens left; if AX=2 it always returns the dongle ID; if AX=3 it always returns the expiration date. I have no problem with this kind of routine; it's done. I can modify the return value to anything I want because it's a static value.

But I have trouble with this kind of routine:
mov ax, some word
push [ebp]
push [ebp+4]
call Rockey4
mov ecx, [ebp]
mov edx, [ebp+4]

The final result depends on the push [ebp] and push [ebp+4]. And the initial values (before the call to Rockey) always differ, depending on the library (music) file I load. The music library files come from the author of the program, and the amount is huge, about 10k files (3 DVDs), and all of the files are encrypted. At the beginning of each file there are 2 dwords which ALWAYS differ from each other. These values are used for the initial pushes before the call to Rockey, and the result values (which are moved to ecx and edx) are used to decrypt the music library file currently loaded. So you already know my current situation.
So my question is: how do I know what Rockey does with the initial values being pushed onto the stack, so I can rip the code and inject it into the exe?

If someone is interested in the target, I have uploaded it to a Yahoo mail account I created for this purpose, along with my current progress, which can run without the dongle but can't decrypt the music libraries from the DVDs (which came from the author, packaged with the purchase). Just PM me and I'll send the ID and the password to you.

BR,
kyrios

#2
07-02-2006, 14:08
toro
hi
you can see the rockey manual for function descriptions. rockey's dongle protection logic is different from other traditional dongles. the developer can insert some portions (functions) of his code into the dongle at design time, and at run time send parameters to the dongle and receive the result of the function from the dongle. actually the dongle can execute some functions by itself, so the patch method can not work for it.
however rockey 4 is very simple and you can guess the functions which are in it with some effort. or sometimes you can even do a full search on all possible values as input parameters and create a table of output values.
and there are other approaches...

i think you are lucky because you have rockey4 not rockey5.

regards

#3
07-03-2006, 00:52
FoxB
hi,

your rockey4 uses the function named "Generate Seed Code".
for a static dword value the dongle receives four seeds (words) based on the dongle passwords.

wbr

#4
07-17-2006, 04:10
.:hack3r2k:.
Rockey 4 is far more advanced than you think, and Rockey 5 and 6, used well, leave no option for hacking. Besides the data you can store in the dongle, a Rockey 4 dongle can include a user algo zone where you can store small algos. That zone is write-only, so there is little chance to fix that if the author used it. Anyway, if you like, I could take a look at it to see how it works. Anyway, before starting such a thing I suggest a good understanding of their SDK.

Br

#5
07-18-2006, 01:32
toro
Quote:
Rockey 5 and 6 used well leave no option for hacking
are you sure?

#6
07-18-2006, 03:27
JMI
Documentation is available here:

http://www.rockey.nl/en/support/rockey-download.html

They even have developer's guides and (gasp) sample code.

Regards,

#7
07-18-2006, 06:52
Shub-Nigurrath
have you seen here?
http://bbs.pediy.com/showthread.php?&threadid=29075

it's also attached here.
Attached: rockey4.zip (369.7 KB)

#8
07-18-2006, 22:50
.:hack3r2k:.

Quote:
Originally Posted by toro
are you sure?
I said if used properly, buddy. Rockey 5 and Rockey 6 act like smartcards; this means you can write applets with algos and store them inside the dongle without the possibility to read them. So explain how you plan to remove the dongle when, for example, a 1000-line algo is stored inside.

Br

#9
07-18-2006, 23:09
.:hack3r2k:.
Quote:
Originally Posted by JMI
Documentation is available here:

http://www.rockey.nl/en/support/rockey-download.html

They even have developer's guides and (gasp) sample code.

Regards,

www.ftsafe.com as well, and the pass is rockey.

@Shub:
Pretty useless unless the dongle is used badly and always returns static data. Also note that rockey 4 is both LPT/USB and also has several variants. Around 3 if I remember well.

@kyrio: I'm downloading now, thx.

Br


#10
07-19-2006, 20:51
toro
Quote:
So explain how u plan to remove the dongle when 1000 lines algo is stored inside for example
extraction of that 1000-line algo from the dongle.

#11
07-20-2006, 00:45
JMI
A journey of 1000 miles begins with a single step.

Regards,

#12
07-20-2006, 01:28
etienne
well, if you think dongle cracking has anything except a direct relation to software reversing, I can come up with some ideas
but it would be nice to have some snippets of the code you have. basically you only have to record the queries and store them in a table, do this twice by executing the program, and compare the tables.
if the tables match with no or only slight differences, you grabbed the d**k of God

#13
07-23-2006, 09:36
.:hack3r2k:.
Unless the queries change using params that maybe are not given by the soft.

Br

#14
07-23-2006, 09:38
.:hack3r2k:.
Quote:
Originally Posted by toro
extarction of that 1000 line algo from dongle.
Easy to talk. Let's take smartcards for example... I have some persons happy to pay $5000 if you can extract the algo from them. Best is to speak on facts rather than on suppositions.

Br

#15
07-23-2006, 14:36
toro
Quote:
Best is to speak on facts then on supositions
i didn't talk about smart cards generally, i talked about rockey and especially rockey5. extraction of code is possible, exactly because they let the developer add some code to the card. and the code can be a trojan, and ....
i think you can understand what i am talking about. you can be sure that this has been done before.