MultiKey Manual

Manual of MultiKey with changes to multikey 0.19.1.9 inclusive ********************************************* To complete the work in the emulator requires a registry of data on emulated key . For each type of key data will be different. In drawing up the reg files, it is recommended to look at the content of example s reg files. Path in the registry data for the emulator: [HKEY_LOCAL_MACHINE\System\CurrentControlSet\MultiKey\Dumps\xxxxxxxx] xxxxxxxx - password key (8 hex characters) To use the keys with the same password you need to add any character after the k ey password: ... MultiKey\Dumps\xxxxxxxxa] ... MultiKey\Dumps\xxxxxxxx1] "Name" = "xxx" "Copyright" = "xxx" "Created" = "xxx" "DongleType" = dword: 0000000x - the key type 1 - HASP (3,4, HL, SRM) 2 - HARDLOCK 3 - SENTINEL (spro, upro) 4 - GUARDANT (I, II) 5 - DINKEY License data for the emulator: "License" = hex:xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx To obtain a license for x32 system using the online form on the site of generati on http://testprotect.com/appendix/LicMkOnline *** HASP (3,4, HL, SRM) ************************************* "SN" = dword: xxxxxxxx - serial number "Type" = dword: 000000xx - model 12 - Time HASP 3 0A - HASP4 M1 (deafult) 1A - HASP4 Time EA - HASP HL FA - HASP HL Time "Memory" 00000001 00000004 00000020 00000021

= -

dword: 00000001 - memory size 0x80 0x1F0 0xFD0 0x70

"SecTable" = hex:00,00,00,00,00,00,00,00 - Reserved table "NetMemory" = hex:03,00,0F,D0,02,00,00,00,FF,FF,FE,FF - cell "network" of memory // Typical data into NetMemory:

// // // // // // // // //

12 12 03 70 02 00 FF FF FF

1A 0F 12 03 00 70 00 02 00 00 FF FF FF FF FF 1A 12 0F - sn 00 - key type 00 - memory size in bytes FF - ?? 00 - net user count FF - ?? - key type (FF - local, FE - net, FD - time) - ??

"Option" = hex: 00,00,00,00,00,00,00,00,00,00,00,00,00,00 - additional options: (To build on 18.2.4) [0] = 01 .. 7F - sets a time delay when working with a key (tipovaya-1. .4) [0] = 0 - no delay (to build on 18.2.4) "Data" = hex: - memory = TIME dongles = For Time-Hasp keys are added to such fields, for example: "NetMemory" = hex: 05,00,80,00,02,FF,00,00,FF,FF,FD,FF "HaspTimeMemory" = hex:\ 00,00,00,00,00,00,00,00,\ 00,00,00,00,00,00,00,00,\ 00,00,00,00,00,00,00,00,\ 00,00,00,00,00,00,00,00,\ 3f,db,95,7d,00,00,00,00,\ 00,00,00,00,00,00,00,00,\ 00,00,00,00,00,00,00,00 "TimeShift" = hex: 00,00,00,00,00,00,00,00 where: 3f,db,95,7d - serial key number is a recorded byte = HL encrypt / decrypt = Table-emulated functions hasp_decrypt + hasp_encrypt, in the absence of values i n tables values are processed by the Inland AES agoritmu. If necessary, change defoltnogo key AES algorithm to make a reg file its value: "AesKey" = hex: 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00 The tables are arranged in podvetkah basic layout dump: Decrypt: [HKEY_LOCAL_MACHINE\System\CurrentControlSet\MultiKey\Dumps\12345604\DT able]; Encrypt: [HKEY_LOCAL_MACHINE\System\CurrentControlSet\MultiKey\Dumps\12345604\ET able]. The format of entries in the tables for multikey version < 1.18.x (all values ar e hexadecimal): "10:00112233445566778899AABBCCDDEEFF"=hex:FF,EE,DD,CC,BB,AA,99,88,77,66,55,44,33 ,22,11,00 "20:00112233445566778899AABBCCDDEEFF"=hex:FF,EE,DD,CC,BB,AA,99,88,77,66,55,44,33 ,22,11,00 "30:00112233445566778899AABBCCDDEEFF"=hex:FF,EE,DD,CC,BB,AA,99,88,77,66,55,44,33

,22,11,00 ************************************************** For multikey version >= 18.1.x in the names of the queries 20h and 30h must take 32 bytes request! "10:0123456789 ABCDEF0123456789ABCDEF"=hex:12,34,56,78,90,AB,CD,EF,12,34,56,78,9 0,AB,CD,EF "20:5500A934CDE5D7B619568515F74D323695EC75E8C48F6B5D9880F6A88B251C48"=hex:4F,8A, A7,A1,26,55,61,B3,1A,77,B4,A2,19,B3,19,34 "30:9A2B6F7F80A2F2E36334D3258BAFD06FBB7286766A24910911648D98D8C56628"=hex:12,71, B7,B5,3D,47,B4,2B,DC,93,4F,00,00,1C,2C,4E ************************************************** where - "10:00112233445566778899AABBCCDDEEFF" - an inquiry into the key "10 (20.30) - query length in bytes "00112233445566778899AABBCCDDEEFF" - the first 16 bytes of the query - Hex: FF,EE,DD,CC,BB,AA,99,88,77,66,55,44,33,22,11,00 - the answer key, we take only the first 16 bytes of the real answer. For example: ================================================== ================ 2008/10/10 07:13:25.109 HaspHL_decrypt: Status = 0x00 ================================================== ================ 2008/10/10 07:13:23.484 HaspHL_decrypt: Status = 0x00 ================================================== ================ 2008/10/10 07:13:23.609 HaspHL_decrypt: Status = 0x00 ================================================== =============== The resulting table: [HKEY_LOCAL_MACHINE\System\CurrentControlSet\MultiKey\Dumps\12345604\DTable]; "10:2AE1F0A2E1B2F1F99FC872F6CA4B0149" = hex: 53,9D,4D,03,00,00,00,00,CB,D2,6B,04 ,00,00,00,00 "20:7B6E8CDFD651A30C47E1FA60516C79712E0E0C38C699FE97B2C2E1377F61CD7A"=hex:02,B0, 3C,6E,DA,88,46,BA,4C,7E,5A,12,8E,D6,DE,76 "30:7B6E8CDFD651A30C47E1FA60516C79712E0E0C38C699FE97B2C2E1377F61CD7A"=hex:77,64,

61,62,63,5F,60,61,A2,B9,AC,60,61,62,63,5F If the protocol meets a single query of 32 (20h) bytes, followed immediately No query length of 48 (30h) bytes (or should say to another, in which the second 16-byte query NOT equal to the second 16 bytes of response), then such a request must be saved in the table as two queries to 16 (10h) bytes = SRM = To emulate the SRM addition to the data as HL key additional data. On looking for is a private information. // // List of supported functions for hasp key // enum KEY_FN_LIST { // HL KEY_FN_SET_CHIPER_KEYS = 0x80, KEY_FN_CHECK_PASS = 0x81, KEY_FN_READ_3WORDS = 0x82, KEY_FN_WRITE_WORD = 0x83, KEY_FN_READ_ST = 0x84, KEY_FN_READ_NETMEMORY_3WORDS = 0x8B, KEY_FN_HASH_DWORD = 0x98, KEY_FN_GET_TIME = 0x9C, // Get time (for HASP time) key KEY_FN_PREPARE_CHANGE_TIME = 0x1D, // Prepare to change time (for HASP time) KEY_FN_COMPLETE_WRITE_TIME = 0x9D, // Write time (complete) (for HASP time) KEY_FN_PREPARE_DECRYPT = 0x1E, // qwestions KEY_FN_COMPLETE_DECRYPT = 0x9E, // answers KEY_FN_ECHO_REQUEST = 0xA0, // Echo request to key KEY_FN_ECHO_REQUEST2 = 0xA1, // Echo request to key // Srm KEY_FN_SRM_A2 = 0xA2, KEY_FN_SRM_26 = 0x26, KEY_FN_SRM_A6 = 0xA6, KEY_FN_SRM_AA = 0xAA, KEY_FN_SRM_AB = 0xAB, KEY_FN_SRM_AC = 0xAC, KEY_FN_SRM_AE = 0xAE, KEY_FN_SRM_27 = 0x27, KEY_FN_SRM_A7 = 0xA7, KEY_FN_SRM_29 = 0x29, KEY_FN_SRM_A9 = 0xA9, KEY_FN_SRM_28 = 0x28, he signature (update) KEY_FN_SRM_A8 = 0xA8, KEY_FN_SRM_38 = 0x38, KEY_FN_SRM_B8 = 0xB8 };

// // // // // // // // // // // //

read table Fitch 26/A6 - reading values Fitch key and memory login in key logout key hasp_get_rtc - getting time from the key xs, like with 3.25 appeared 27/A7 - write to the memory key 29/A9 - Crypto dekript 28/A8 - read the key without encryption protocol with t

// // 38/B8 - updated keys and proshivy //

*** HARDLOCK ********************************************** "ID" = dword: xxxxxxxx - serial number "WithMemory" = dword: 0000000x - key with memory or without "Seed1" = dword: 0000xxxx "Seed2" = dword: 0000xxxx "Seed3" = dword: 0000xxxx "HlkMemory" = hex: - memory // // List of supported functions for HARDLOCK key

// enum HARDLOCK_KEY_FN_LIST { HDK_KEY_FN_SET_CHIPER_KEYS = 0x80, HDK_KEY_FN_CHECK_PASS = 0x81, HDK_KEY_FN_READ_WORD = 0x82, HDK_KEY_FN_WRITE_WORD = 0x83, HDK_KEY_FN_HL_VERKEY = 0x87, HDK_KEY_FN_READ_ID = 0x8B, HDK_KEY_FN_HL_CODE = 0x8C, HDK_KEY_FN_HL_CRYPT = 0x8D, HDK_KEY_FN_HL_CODE_PAR = 0x0C, HDK_KEY_FN_HL_CRYPT_PAR = 0x0D, HDK_KEY_FN_HL_CALC = 0x89 }; *** SENTINEL ********************************************** ... MultiKey\Dumps\0000xxxx] - xxxx - Developer ID "Type" = dword: 00000000 - model, 0-SuperPro, 1-all other types; "SntMemory" = hex: - memory for "Type" = 0 - 64 cell, for "Type" = 1, depending on the type of key "CellType" = hex: - types of cells, and for "Type" = 0 - 64 bytes for the "Type" = 1, depending on the type of key "Type" = 0 - full internal algorithm to spro, reg-file old-fashioned "Type" = 1 - only a table emulation for all types of keys in the reg file to add new fields: "Option" = hex: 02,00,03,80,7F,00,00,00 (for example SPRO with the support of AE C-tunnel) where: [0 ]...[ 3] - the value type of key, we get functions, the GET_KEYINFO [4] - the value of a physically readable memory key, usually 7F or FF [5]...[7] - reserve "AesKey" = hex: 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00 - aes key for AE S-tunnel (so far, so get out prog) !!!!! To form the correct reg-file is recommended to use the dumper SSUMD v1.1 ! !!!! Spro default dump the old regime ("Type" = 0). Table format: ... MultiKey\Dumps\0000xxxx\cell_yy] - yy - number of the cell, for which the ta ble for every Sell your table "12345678" = hex: 22,33,44,55 "1122334455667788" = hex: 11,12,13,14,15,16,17,18 "11223344556677888877665544332211" = hex: 88,77,66,55,44,33,22,11,11,22,33,44,55 ,66,77,88 // // List of supported functions for Sentinel key // enum SENT_KEY_FN_LIST { SENT_KEY_FN_FIND_FIRST_UNIT = 0x10, SENT_KEY_FN_READ = 0x11, SENT_KEY_FN_QUERY_SHORT = 0x12, SENT_KEY_FN_QUERY_LONG = 0x13, SENT_KEY_FN_WRITE_0 = 0x14, SENT_KEY_FN_WRITE_1 = 0x15, SENT_KEY_FN_WRITE_2 = 0x16, SENT_KEY_FN_WRITE_3 = 0x17, SENT_KEY_FN_OVERWRITE_0 = 0x18, SENT_KEY_FN_OVERWRITE_1 = 0x19, SENT_KEY_FN_OVERWRITE_2 = 0x1A,

SENT_KEY_FN_OVERWRITE_3 = 0x1B, SENT_KEY_FN_ACTIVATE = 0x1C, SENT_KEY_FN_DECREMENT = 0x1D, SENT_KEY_FN_GET_KEYINFO = 0x00, SENT_KEY_FN_SET_PARAMETER = 0x03, SENT_KEY_FN_GET_PARAMETER = 0x02, USENT_KEY_FN_GET_LOGIN = 0x05, / / for ULTRA and new SPRO USENT_KEY_FN_LOGIN_21 = 0x21, USENT_KEY_FN_AES_TUNNEL = 0x07, USENT_KEY_FN_2F = 0x2F }; *** GUARDANT ********************************************** ... MultiKey\Dumps\xxxxxxxx] - xxxxxxxx - pwRead - key password for reading; "DongleType" = dword: 00000004 "PWrite" = dword: 23232323 >>> password on the account, optional if the prog doe s not use record "Data" = hex: \ ... (256 bytes - a full dump of the descriptors) Table format: if the handle of the algorithm is equal to 0 in the reg file, then search for da ta in the table ... MultiKey\Dumps\xxxxxxxx\ algo_yy] where yy - number of algorithm "1122334455667788" = hex: 11,12,13,14,15,16,17,18 Used a simplified table - query reg file is limited to 8 bytes, ie, if the lengt h Request transforms more than 8 bytes, the query name in the register take only t he first 8 bytes, the answer is written in full. *** DINKEY ********************************************** ... MultiKey\Dumps\12345678] where 12345678 - dinkSerial "DongleType" = dword: 00000005 "DinkValue" = dword: xxxxxxxx "DinkMemory" = hex: \ **************************************************