
MultiKey Manual


Academic year: 2021


Manual of MultiKey, with changes up to and including multikey 0.19.1.9
*********************************************

For the emulator to work, the registry must contain data describing the emulated key.

The data is different for each type of key.

When writing reg files, it is recommended to look at the contents of the example reg files.

Registry path of the data for the emulator:

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\MultiKey\Dumps\xxxxxxxx]
xxxxxxxx - key password (8 hex characters)

To use several keys with the same password, add any character after the key password:
... MultiKey\Dumps\xxxxxxxxa]
... MultiKey\Dumps\xxxxxxxx1]

"Name" = "xxx"
"Copyright" = "xxx"
"Created" = "xxx"

"DongleType" = dword: 0000000x - the key type:
  1 - HASP (3,4, HL, SRM)
  2 - HARDLOCK
  3 - SENTINEL (spro, upro)
  4 - GUARDANT (I, II)
  5 - DINKEY

License data for the emulator:

"License" = hex:xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx

A license for an x32 system is obtained through the online generation form on the site:

http://testprotect.com/appendix/LicMkOnline
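For software-asset audits and licence-integrity checks, the registry layout above is also a host indicator. The following is an added example, not part of the manual: it scans the text of a registry export for MultiKey dump keys and maps "DongleType" to the names listed above. The sample export is constructed, and matching any control set (not only CurrentControlSet) is an assumption.

```python
import re

# DongleType values as listed in the manual above
DONGLE_TYPES = {1: "HASP", 2: "HARDLOCK", 3: "SENTINEL", 4: "GUARDANT", 5: "DINKEY"}
# [HKLM\System\<any control set>\MultiKey\Dumps\<id>[\subkey]]  (control-set wildcard is an assumption)
KEY_RE = re.compile(r"(?i)^\[HKEY_LOCAL_MACHINE\\System\\[^\\]+\\MultiKey\\Dumps"
                    r"\\([^\\\]]+)(\\[^\]]+)?\]$")
DWORD_RE = re.compile(r'^"DongleType"\s*=\s*dword:\s*([0-9a-f]{8})$', re.IGNORECASE)

def find_multikey_dumps(reg_text):
    """Return {dump_id: {"type": name or None, "subkeys": [...]}} from .reg export text."""
    found, current = {}, None
    for raw in reg_text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            dump_id, sub = m.group(1), m.group(2)
            entry = found.setdefault(dump_id, {"type": None, "subkeys": []})
            if sub:
                entry["subkeys"].append(sub.lstrip("\\"))
                current = None      # values under a table subkey are not dump metadata
            else:
                current = entry
            continue
        if line.startswith("["):
            current = None          # some other key: ignore its values
            continue
        d = DWORD_RE.match(line)
        if d and current is not None:
            value = int(d.group(1), 16)
            current["type"] = DONGLE_TYPES.get(value, "unknown(%d)" % value)
    return found

# Constructed sample export (placeholder values, not taken from a real host)
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip]
"DongleType"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\MultiKey\Dumps\12345604]
"DongleType"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\MultiKey\Dumps\12345604\DTable]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\MultiKey\Dumps\0000ABCD]
"DongleType"=dword:00000003
'''

print(find_multikey_dumps(SAMPLE))
```
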

*** HASP (3,4, HL, SRM) *************************************

"SN" = dword: xxxxxxxx - serial number

"Type" = dword: 000000xx - model:
  12 - Time HASP 3
  0A - HASP4 M1 (default)
  1A - HASP4 Time
  EA - HASP HL
  FA - HASP HL Time

"Memory" = dword: 00000001 - memory size:
  00000001 - 0x80
  00000004 - 0x1F0
  00000020 - 0xFD0
  00000021 - 0x70

"SecTable" = hex:00,00,00,00,00,00,00,00 - reserved table

"NetMemory" = hex:03,00,0F,D0,02,00,00,00,FF,FF,FE,FF - "network" memory cell

// Typical data in NetMemory:
// 12 1A 0F 12 03 00 70 00 02 00 00 FF FF FF FF FF
// 12 1A 12 0F - sn
// 03 00 - key type
// 70 00 - memory size in bytes
// 02 FF - ??
// 00 00 - net user count
// FF FF - ??
// FF - key type (FF - local, FE - net, FD - time)
// FF - ??

"Option" = hex: 00,00,00,00,00,00,00,00,00,00,00,00,00,00 - additional options (to build on 18.2.4):
  [0] = 01 .. 7F - sets a time delay when working with the key (typical: 1..4)
  [0] = 0 - no delay (to build on 18.2.4)

"Data" = hex: - memory

= TIME dongles =

For Time-HASP keys, fields such as these are added, for example:
"NetMemory" = hex: 05,00,80,00,02,FF,00,00,FF,FF,FD,FF
"HaspTimeMemory" = hex:\
00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,\
3f,db,95,7d,00,00,00,00,\
00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00
"TimeShift" = hex: 00,00,00,00,00,00,00,00

where: 3f,db,95,7d - the serial number of the key, recorded as bytes

= HL encrypt / decrypt =

The hasp_decrypt and hasp_encrypt functions are emulated from tables; when a value is absent from the tables, it is processed by the internal AES algorithm. If necessary, the default key of the AES algorithm can be changed by putting its value in the reg file:

"AesKey" = hex: 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00

The tables are placed in subkeys of the main dump key:

Decrypt: [HKEY_LOCAL_MACHINE\System\CurrentControlSet\MultiKey\Dumps\12345604\DTable];

Encrypt: [HKEY_LOCAL_MACHINE\System\CurrentControlSet\MultiKey\Dumps\12345604\ETable].

The format of entries in the tables for multikey version < 1.18.x (all values are hexadecimal):
"10:00112233445566778899AABBCCDDEEFF"=hex:FF,EE,DD,CC,BB,AA,99,88,77,66,55,44,33,22,11,00
"20:00112233445566778899AABBCCDDEEFF"=hex:FF,EE,DD,CC,BB,AA,99,88,77,66,55,44,33,22,11,00
"30:00112233445566778899AABBCCDDEEFF"=hex:FF,EE,DD,CC,BB,AA,99,88,77,66,55,44,33,22,11,00

**************************************************

For multikey version >= 18.1.x, the names of 20h and 30h queries must contain 32 bytes of the request!
"10:0123456789ABCDEF0123456789ABCDEF"=hex:12,34,56,78,90,AB,CD,EF,12,34,56,78,90,AB,CD,EF
"20:5500A934CDE5D7B619568515F74D323695EC75E8C48F6B5D9880F6A88B251C48"=hex:4F,8A,A7,A1,26,55,61,B3,1A,77,B4,A2,19,B3,19,34
"30:9A2B6F7F80A2F2E36334D3258BAFD06FBB7286766A24910911648D98D8C56628"=hex:12,71,B7,B5,3D,47,B4,2B,DC,93,4F,00,00,1C,2C,4E

**************************************************

where:

- "10:00112233445566778899AABBCCDDEEFF" - the query to the key:
  "10" (20, 30) - query length in bytes
  "00112233445566778899AABBCCDDEEFF" - the first 16 bytes of the query

- hex: FF,EE,DD,CC,BB,AA,99,88,77,66,55,44,33,22,11,00 - the answer of the key; only the first 16 bytes of the real answer are taken.

For example:

==================================================================
2008/10/10 07:13:25.109 <== HaspHL_decrypt: Length = 0x10
2008/10/10 07:13:25.109 <== HaspHL_decrypt: Input Data =
2008/10/10 07:13:25.109
2A E1 F0 A2 | E1 B2 F1 F9 | 9F C8 72 F6 | CA 4B 01 49
2008/10/10 07:13:25.171 ==> HaspHL_decrypt: Output Data =
2008/10/10 07:13:25.171
53 9D 4D 03 | 00 00 00 00 | CB D2 6B 04 | 00 00 00 00
2008/10/10 07:13:25.171 ==> HaspHL_decrypt: Status = 0x00
==================================================================
2008/10/10 07:13:23.484 <== HaspHL_decrypt: Length = 0x20
2008/10/10 07:13:23.484 <== HaspHL_decrypt: Input Data =
2008/10/10 07:13:23.484
7B 6E 8C DF | D6 51 A3 0C | 47 E1 FA 60 | 51 6C 79 71
2E 0E 0C 38 | C6 99 FE 97 | B2 C2 E1 37 | 7F 61 CD 7A
2008/10/10 07:13:23.546 ==> HaspHL_decrypt: Output Data =
2008/10/10 07:13:23.546
02 B0 3C 6E | DA 88 46 BA | 4C 7E 5A 12 | 8E D6 DE 76
2E 0E 0C 38 | C6 99 FE 97 | B2 C2 E1 37 | 7F 61 CD 7A
2008/10/10 07:13:23.546 ==> HaspHL_decrypt: Status = 0x00
==================================================================
2008/10/10 07:13:23.609 <== HaspHL_decrypt: Length = 0x30
2008/10/10 07:13:23.609 <== HaspHL_decrypt: Input Data =
2008/10/10 07:13:23.609
7B 6E 8C DF | D6 51 A3 0C | 47 E1 FA 60 | 51 6C 79 71
2E 0E 0C 38 | C6 99 FE 97 | B2 C2 E1 37 | 7F 61 CD 7A
9C F3 2A BD | A4 DA 3B 78 | 97 CC 44 ED | 42 47 42 E6
2008/10/10 07:13:23.671 ==> HaspHL_decrypt: Output Data =
2008/10/10 07:13:23.671
77 64 61 62 | 63 5F 60 61 | A2 B9 AC 60 | 61 62 63 5F
2E 0E 0C 38 | C6 99 FE 97 | B2 C2 E1 37 | 7F 61 CD 7A
9C F3 2A BD | A4 DA 3B 78 | 97 CC 44 ED | 42 47 42 E6
2008/10/10 07:13:23.671 ==> HaspHL_decrypt: Status = 0x00
==================================================================

The resulting table:

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\MultiKey\Dumps\12345604\DTable];
"10:2AE1F0A2E1B2F1F99FC872F6CA4B0149" = hex: 53,9D,4D,03,00,00,00,00,CB,D2,6B,04,00,00,00,00
"20:7B6E8CDFD651A30C47E1FA60516C79712E0E0C38C699FE97B2C2E1377F61CD7A"=hex:02,B0,3C,6E,DA,88,46,BA,4C,7E,5A,12,8E,D6,DE,76
"30:7B6E8CDFD651A30C47E1FA60516C79712E0E0C38C699FE97B2C2E1377F61CD7A"=hex:77,64,61,62,63,5F,60,61,A2,B9,AC,60,61,62,63,5F

If the log contains a single query of 32 (20h) bytes that is NOT immediately followed by a query of 48 (30h) bytes (or, to put it another way, one in which the second 16 bytes of the query are NOT equal to the second 16 bytes of the response), then such a request must be saved in the table as two queries of 16 (10h) bytes.

= SRM =

To emulate SRM, additional data is needed on top of the data for an HL key. Information on how to find it is private.

//
// List of supported functions for hasp key
//
enum KEY_FN_LIST {
    // HL
    KEY_FN_SET_CHIPER_KEYS = 0x80,
    KEY_FN_CHECK_PASS = 0x81,
    KEY_FN_READ_3WORDS = 0x82,
    KEY_FN_WRITE_WORD = 0x83,
    KEY_FN_READ_ST = 0x84,
    KEY_FN_READ_NETMEMORY_3WORDS = 0x8B,
    KEY_FN_HASH_DWORD = 0x98,
    KEY_FN_GET_TIME = 0x9C,             // Get time (for HASP time) key
    KEY_FN_PREPARE_CHANGE_TIME = 0x1D,  // Prepare to change time (for HASP time)
    KEY_FN_COMPLETE_WRITE_TIME = 0x9D,  // Write time (complete) (for HASP time)
    KEY_FN_PREPARE_DECRYPT = 0x1E,      // questions
    KEY_FN_COMPLETE_DECRYPT = 0x9E,     // answers
    KEY_FN_ECHO_REQUEST = 0xA0,         // Echo request to key
    KEY_FN_ECHO_REQUEST2 = 0xA1,        // Echo request to key
    // Srm
    KEY_FN_SRM_A2 = 0xA2,  // read the feature table
    KEY_FN_SRM_26 = 0x26,  // 26/A6 - read feature values of the key and memory
    KEY_FN_SRM_A6 = 0xA6,  //
    KEY_FN_SRM_AA = 0xAA,  // login to key
    KEY_FN_SRM_AB = 0xAB,  // logout from key
    KEY_FN_SRM_AC = 0xAC,  // hasp_get_rtc - getting time from the key
    KEY_FN_SRM_AE = 0xAE,  // unknown, seems to have appeared with 3.25
    KEY_FN_SRM_27 = 0x27,  // 27/A7 - write to the key memory
    KEY_FN_SRM_A7 = 0xA7,  //
    KEY_FN_SRM_29 = 0x29,  // 29/A9 - crypt/decrypt
    KEY_FN_SRM_A9 = 0xA9,  //
    KEY_FN_SRM_28 = 0x28,  // 28/A8 - read the key without encryption protocol with the signature (update)
    KEY_FN_SRM_A8 = 0xA8,  //
    KEY_FN_SRM_38 = 0x38,  // 38/B8 - update of keys and firmware
    KEY_FN_SRM_B8 = 0xB8   //
};

*** HARDLOCK **********************************************

"ID" = dword: xxxxxxxx - serial number

"WithMemory" = dword: 0000000x - key with memory or without

"Seed1" = dword: 0000xxxx
"Seed2" = dword: 0000xxxx
"Seed3" = dword: 0000xxxx

"HlkMemory" = hex: - memory

//
//
enum HARDLOCK_KEY_FN_LIST {
    HDK_KEY_FN_SET_CHIPER_KEYS = 0x80,
    HDK_KEY_FN_CHECK_PASS = 0x81,
    HDK_KEY_FN_READ_WORD = 0x82,
    HDK_KEY_FN_WRITE_WORD = 0x83,
    HDK_KEY_FN_HL_VERKEY = 0x87,
    HDK_KEY_FN_READ_ID = 0x8B,
    HDK_KEY_FN_HL_CODE = 0x8C,
    HDK_KEY_FN_HL_CRYPT = 0x8D,
    HDK_KEY_FN_HL_CODE_PAR = 0x0C,
    HDK_KEY_FN_HL_CRYPT_PAR = 0x0D,
    HDK_KEY_FN_HL_CALC = 0x89
};

*** SENTINEL **********************************************

... MultiKey\Dumps\0000xxxx] - xxxx - Developer ID

"Type" = dword: 00000000 - model, 0 - SuperPro, 1 - all other types;

"SntMemory" = hex: - memory; for "Type" = 0 - 64 cells, for "Type" = 1 - depends on the type of key

"CellType" = hex: - types of cells; for "Type" = 0 - 64 bytes, for "Type" = 1 - depends on the type of key

"Type" = 0 - full internal algorithm for spro, old-style reg file

"Type" = 1 - table emulation only, for all types of keys; new fields are added to the reg file:

"Option" = hex: 02,00,03,80,7F,00,00,00 (for example, SPRO with support for the AES-tunnel)

where:
  [0]...[3] - the key type value, obtained with the GET_KEYINFO function
  [4] - the value of the physically readable key memory, usually 7F or FF
  [5]...[7] - reserved

"AesKey" = hex: 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00 - AES key for the AES-tunnel (for now, taken from the program)

!!!!! To produce a correct reg file, it is recommended to use the dumper SSUMD v1.1 !!!!!

Spro is dumped in the old mode by default ("Type" = 0).

Table format:

... MultiKey\Dumps\0000xxxx\cell_yy] - yy - number of the cell the table is for; every cell has its own table

"12345678" = hex: 22,33,44,55

"1122334455667788" = hex: 11,12,13,14,15,16,17,18

"11223344556677888877665544332211" = hex: 88,77,66,55,44,33,22,11,11,22,33,44,55,66,77,88

//
// List of supported functions for Sentinel key
//
enum SENT_KEY_FN_LIST {
    SENT_KEY_FN_FIND_FIRST_UNIT = 0x10,
    SENT_KEY_FN_READ = 0x11,
    SENT_KEY_FN_QUERY_SHORT = 0x12,
    SENT_KEY_FN_QUERY_LONG = 0x13,
    SENT_KEY_FN_WRITE_0 = 0x14,
    SENT_KEY_FN_WRITE_1 = 0x15,
    SENT_KEY_FN_WRITE_2 = 0x16,
    SENT_KEY_FN_WRITE_3 = 0x17,
    SENT_KEY_FN_OVERWRITE_0 = 0x18,
    SENT_KEY_FN_OVERWRITE_1 = 0x19,
    SENT_KEY_FN_OVERWRITE_2 = 0x1A,
    SENT_KEY_FN_OVERWRITE_3 = 0x1B,
    SENT_KEY_FN_ACTIVATE = 0x1C,
    SENT_KEY_FN_DECREMENT = 0x1D,
    SENT_KEY_FN_GET_KEYINFO = 0x00,
    SENT_KEY_FN_SET_PARAMETER = 0x03,
    SENT_KEY_FN_GET_PARAMETER = 0x02,
    USENT_KEY_FN_GET_LOGIN = 0x05,  // for ULTRA and new SPRO
    USENT_KEY_FN_LOGIN_21 = 0x21,
    USENT_KEY_FN_AES_TUNNEL = 0x07,
    USENT_KEY_FN_2F = 0x2F
};

*** GUARDANT **********************************************

... MultiKey\Dumps\xxxxxxxx] - xxxxxxxx - pwRead - key password for reading;

"DongleType" = dword: 00000004

"PWrite" = dword: 23232323 >>> password for writing, optional if the program does not use writing

"Data" = hex: \
... (256 bytes - a full dump of the descriptors)

Table format:

If the descriptor of the algorithm in the reg file is equal to 0, the data is looked up in the table

... MultiKey\Dumps\xxxxxxxx\algo_yy] where yy - number of the algorithm

"1122334455667788" = hex: 11,12,13,14,15,16,17,18

A simplified table is used: the query in the reg file is limited to 8 bytes, i.e. if the length of the transform request is more than 8 bytes, only the first 8 bytes are taken for the query name in the registry, while the answer is written in full.

*** DINKEY **********************************************

... MultiKey\Dumps\12345678] where 12345678 - dinkSerial

"DongleType" = dword: 00000005
"DinkValue" = dword: xxxxxxxx
"DinkMemory" = hex: \

**************************************************
