You are on page 1of 10

<<< Back

Manual of MultiKey
with changes to the multikey 0.19.1.9 inclusive

*** General
******************************************************************************
********************************

To view this emulator requires a registry key data emulated.


For each type of key data will differ.
In drawing up the reg-file is recommended to look at the contents of the examples of registration
files.
The path in the registry data for the emulator:
[HKEY_LOCAL_MACHINE \ System \ CurrentControlSet \ MultiKey \ Dumps \ xxxxxxxx]
xxxxxxxx - key password (8 hex characters)
To use the key with the same password, you must add any character
After the password key:
... MultiKey \ Dumps \ xxxxxxxxa]
... MultiKey \ Dumps \ xxxxxxxx1]

"Name" = "xxx"
"Copyright" = "xxx"
"Created" = "xxx"
"DongleType" = dword: 0000000x - key type
1 - HASP (3,4, HL, SRM)
2 - HARDLOCK
3 - SENTINEL (spro, upro)
4 - GUARDANT (I, II)
5 - DINKEY

Licensing information for the emulator:

"License" = hex: xx, xx, xx, xx, xx, xx, xx, xx, xx, xx, xx, xx, xx, xx, xx, xx
To obtain a license under x32 systems use the online form on the site of generation
http://testprotect.com/appendix/LicMkOnline

******************************************************************************
**************************************************

*** HASP (3,4,HL,SRM)


******************************************************************************
*************************

"SN" = dword: xxxxxxxx - serial number


"Type" = dword: 000000xx - Model
12 - Time HASP 3
0A - HASP4 M1 (deafult)
1A - HASP4 Time
EA - HASP HL
FA - HASP HL Time
"Memory" = dword: 00000001 - memory size
00000001 - 0x80
00000004 - 0x1F0
00000020 - 0xFD0
00000021 - 0x70

"SecTable" = hex: 00,00,00,00,00,00,00,00 - private table


"NetMemory" = hex: 03,00,0F, D0,02,00,00,00, FF, FF, FE, FF - cell "network" Memory
// Typical data into NetMemory:
// 12 1A 12 0F 03 00 70 00 02 00 00 FF FF FF FF FF
// 12 1A 12 0F - sn
// 03 00 - key type
70 // 00 - memory size in bytes
// 02 FF -?
// 00 00 - net user count
// FF FF -?
// FF - key type (FF - local, FE - net, FD - time)

// FF -?

"Option" = hex: 00,00,00,00,00,00,00,00,00,00,00,00,00,00 - additional options:


(to build on 18.2.4)
[0] = 01..7F - sets a time delay when working with keys (type-1..4)
[0] = 0 - without time delays (to build on 18.2.4)
"Data" = hex: - memory

= TIME dongles =
For the time HASP keys are added to the field, for example:
"NetMemory" = hex: 05,00,80,00,02, FF, 00,00, FF, FF, FD, FF
"HaspTimeMemory" = hex: \
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00 \
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00 \
3f, db, 95,7d, 00,00,00,00,00,00,00,00,00,00,00,00, \
00,00,00,00,00,00,00,00
"TimeShift" = hex: 00,00,00,00,00,00,00,00
where: 3f, db, 95,7d - the serial number of a recorded key byte

= HL encrypt / decrypt =
The table-emulated function hasp_decrypt + hasp_encrypt, in the absence of values in the tables
values are processed by the Inland AES agoritmu. If necessary, change the default
AES key algorithm to make reg file its value:
"AesKey" = hex: 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
The tables are located in the main location of the dump podvetkah:
Decrypt: [HKEY_LOCAL_MACHINE \ System \ CurrentControlSet \ MultiKey \ Dumps \
12345604 \ DTable];
Encrypt: [HKEY_LOCAL_MACHINE \ System \ CurrentControlSet \ MultiKey \ Dumps \
12345604 \ ETable].

The format of entries in the tables for multikeya version <18.1 (all values are hexadecimal):
"10: 00112233445566778899AABBCCDDEEFF" = hex: FF, EE, DD, CC, BB, AA,

99,88,77,66,55,44,33,22,11,00
"20: 00112233445566778899AABBCCDDEEFF" = hex: FF, EE, DD, CC, BB, AA,
99,88,77,66,55,44,33,22,11,00
"30: 00112233445566778899AABBCCDDEEFF" = hex: FF, EE, DD, CC, BB, AA,
99,88,77,66,55,44,33,22,11,00
**************************************************
***************************************
!!! for multikeya version> = 18.1 in the names of queries 20h and 30h should take 32 bytes
request !!!
"10: 0123456789ABCDEF0123456789ABCDEF" = hex: 12,34,56,78,90, AB, CD, EF,
12,34,56,78,90, AB, CD, EF
"20:5500A934CDE5D7B619568515F74D323695EC75E8C48F6B5D9880F6A88B251C48"=he
x:4F,8A,A7,A1,26,55,61,B3,1A,77,B4,A2,19,B3,34,FD
"30:9A2B6F7F80A2F2E36334D3258BAFD06FBB7286766A24910911648D98D8C56628"=he
x:12,71,B7,B5,3D,47,B4,2B,DC,93,4F,00,00,1C,2C,4E
**************************************************
***************************************
where
- "10: 00112233445566778899AABBCCDDEEFF" - a request to the key
"10 (20.30)" - request length in bytes
"00112233445566778899AABBCCDDEEFF" - the first 16 bytes of the request
- Hex: FF, EE, DD, CC, BB, AA, 99,88,77,66,55,44,33,22,11,00 - answer key, taken only
the first 16 bytes of the actual response.
For example:
================================================== ================
2008/10/10 07: 13: 25.109 <== HaspHL_decrypt: Length = 0x10
2008/10/10 07: 13: 25.109 <== HaspHL_decrypt: Input Data =
2008/10/10 07: 13: 25,109
2A E1 F0 A2 | E1 B2 F1 F9 | 9F C8 72 F6 | CA 4B 01 49
2008/10/10 07: 13: 25.171 ==> HaspHL_decrypt: Output Data =
2008/10/10 07: 13: 25,171
9D 4D 03 53 | 00 00 00 00 | CB D2 6B 04 | 00 00 00 00
2008/10/10 07: 13: 25.171 ==> HaspHL_decrypt: Status = 0x00
================================================== ================
2008/10/10 07: 13: 23.484 <== HaspHL_decrypt: Length = 0x20
2008/10/10 07: 13: 23.484 <== HaspHL_decrypt: Input Data =

2008/10/10 07: 13: 23,484


7B 6E 8C DF | D6 51 A3 0C | E1 FA 60 47 | 51 79 71 6C
2E 0E 0C 38 | C6 99 FE 97 | B2 C2 E1 37 | 7F 61 CD 7A
2008/10/10 07: 13: 23.546 ==> HaspHL_decrypt: Output Data =
2008/10/10 07: 13: 23,546
02 B0 3C 6E | DA 88 46 BA | 4C 7E 5A 12 | 8E D6 DE 76
2E 0E 0C 38 | C6 99 FE 97 | B2 C2 E1 37 | 7F 61 CD 7A
2008/10/10 07: 13: 23.546 ==> HaspHL_decrypt: Status = 0x00
================================================== ================
2008/10/10 07: 13: 23.609 <== HaspHL_decrypt: Length = 0x30
2008/10/10 07: 13: 23.609 <== HaspHL_decrypt: Input Data =
2008/10/10 07: 13: 23,609
7B 6E 8C DF | D6 51 A3 0C | E1 FA 60 47 | 51 79 71 6C
2E 0E 0C 38 | C6 99 FE 97 | B2 C2 E1 37 | 7F 61 CD 7A
9C F3 2A BD | A4 DA 3B 78 | 97 CC 44 ED | 42 47 42 E6
2008/10/10 07: 13: 23.671 ==> HaspHL_decrypt: Output Data =
2008/10/10 07: 13: 23,671
77 64 61 62 | 63 60 61 5F | A2 B9 AC 60 | 61 62 63 5F
2E 0E 0C 38 | C6 99 FE 97 | B2 C2 E1 37 | 7F 61 CD 7A
9C F3 2A BD | A4 DA 3B 78 | 97 CC 44 ED | 42 47 42 E6
2008/10/10 07: 13: 23.671 ==> HaspHL_decrypt: Status = 0x00
================================================== ===============
The resulting table:
[HKEY_LOCAL_MACHINE \ System \ CurrentControlSet \ MultiKey \ Dumps \ 12345604 \
DTable];
"10: 2AE1F0A2E1B2F1F99FC872F6CA4B0149" = hex: 53,9D, 4D, 03,00,00,00,00, CB,
D2,6B, 04,00,00,00,00
"20:7B6E8CDFD651A30C47E1FA60516C79712E0E0C38C699FE97B2C2E1377F61CD7A"=h
ex:02,B0,3C,6E,DA,88,46,BA,4C,7E,5A,12,8E,D6,DE,76
"30:7B6E8CDFD651A30C47E1FA60516C79712E0E0C38C699FE97B2C2E1377F61CD7A"=h
ex:77,64,61,62,63,5F,60,61,A2,B9,AC,60,61,62,63,5F
If a single request protocol found in length 32 (20h) byte followed immediately
there is no request of 48 (30h) bytes (or to put it another way, in which the second byte of the
request 16
Is not equal to a second 16-byte response), such a request must be saved in the table as
two queries 16 (10h) bytes

= SRM =
To emulate addition SRM HL key data like more data are needed.
In looking for is this private information.

//
// List of supported functions for hasp key
//
enum KEY_FN_LIST {
// HL
KEY_FN_SET_CHIPER_KEYS = 0x80,
KEY_FN_CHECK_PASS = 0x81,
KEY_FN_READ_3WORDS = 0x82,
KEY_FN_WRITE_WORD = 0x83,
KEY_FN_READ_ST = 0x84,
KEY_FN_READ_NETMEMORY_3WORDS = 0x8B,
KEY_FN_HASH_DWORD = 0x98,
KEY_FN_GET_TIME = 0x9C, // Get time (for HASP time) key
KEY_FN_PREPARE_CHANGE_TIME = 0x1D, // Prepare to change time (for HASP time)
KEY_FN_COMPLETE_WRITE_TIME = 0x9D, // Write time (complete) (for HASP time)
KEY_FN_PREPARE_DECRYPT = 0x1E, // qwestions
KEY_FN_COMPLETE_DECRYPT = 0x9E, // answers
KEY_FN_ECHO_REQUEST = 0xA0, // Echo request to key
KEY_FN_ECHO_REQUEST2 = 0xA1, // Echo request to key
// srm
KEY_FN_SRM_A2 = 0xA2, // read the table of features
KEY_FN_SRM_26 = 0x26, // 26 / A6 - reading values key features and memory
KEY_FN_SRM_A6 = 0xA6, //
KEY_FN_SRM_AA = 0xAA, // log into the key
KEY_FN_SRM_AB = 0xAB, // logout key
KEY_FN_SRM_AC = 0xAC, // hasp_get_rtc - getting time with key
KEY_FN_SRM_AE = 0xAE, // xs, like there was a 3.25
KEY_FN_SRM_27 = 0x27, // 27 / A7 - write to memory key
KEY_FN_SRM_A7 = 0xA7, //
KEY_FN_SRM_29 = 0x29, // 29 / A9 - crypt dekript
KEY_FN_SRM_A9 = 0xA9, //
KEY_FN_SRM_28 = 0x28, // 28 / A8 - reading without key encryption protocol signed (update)
KEY_FN_SRM_A8 = 0xA8, //
KEY_FN_SRM_38 = 0x38, // 38 / B8 - key update and stitching
KEY_FN_SRM_B8 = 0xB8 //
};

******************************************************************************
**************************************************

*** HARDLOCK
******************************************************************************
************************************

"ID" = dword: xxxxxxxx - serial number


"withMemory" = dword: 0000000x - key with memory or without it
"Seed1" = dword: 0000xxxx
"Seed2" = dword: 0000xxxx
"Seed3" = dword: 0000xxxx
"HlkMemory" = hex: - memory

//
// List of supported functions for HARDLOCK key
//
enum HARDLOCK_KEY_FN_LIST {
HDK_KEY_FN_SET_CHIPER_KEYS = 0x80,
HDK_KEY_FN_CHECK_PASS = 0x81,
HDK_KEY_FN_READ_WORD = 0x82,
HDK_KEY_FN_WRITE_WORD = 0x83,
HDK_KEY_FN_HL_VERKEY = 0x87,
HDK_KEY_FN_READ_ID = 0x8B,
HDK_KEY_FN_HL_CODE = 0x8C,
HDK_KEY_FN_HL_CRYPT = 0x8D,
HDK_KEY_FN_HL_CODE_PAR = 0x0C,
HDK_KEY_FN_HL_CRYPT_PAR = 0x0D,
HDK_KEY_FN_HL_CALC = 0x89
};
******************************************************************************
**************************************************

*** SENTINEL
******************************************************************************
************************************

... MultiKey \ Dumps \ 0000xxxx] - xxxx - Developer ID


"Type" = dword: 00000000 - model 0-SuperPro, 1 all other types;
"sntMemory" = hex: - a memory cell for "Type" = 0 - 64 cell for "Type" = 1 depending on the
type of key
"CellType" = hex: - types of cells; for "Type" = 0 - 64 bytes for "Type" = 1 depending on the
type of key

"Type" = 0 - total internal algo to SPRO, reg-file old-fashioned


"Type" = 1 - only tabular emulation for all types of keys, in the reg file to add new fields:
"Option" = hex: 02,00,03,80,7F, 00,00,00 (for example SPRO supporting AES-tunnel)
where: [0] ... [3] - the value of the type of key, we get the Funk GET_KEYINFO
[4] - the value of physically readable memory key, usually 7F or FF
[5] ... [7] - reserve
"AesKey" = hex: 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00 - aes AES-key for the tunnel
(so far so get out prog)
!!!!! To form a correct registration file is recommended dumper SSUMD v1.1 !!!!!
Spro default dump the old regime ("Type" = 0).

The format of the tables:


... MultiKey \ Dumps \ 0000xxxx \ cell_yy] - yy - the number cell, for which tables for each table
its Sella
"12345678" = hex: 22,33,44,55
"1122334455667788" = hex: 11,12,13,14,15,16,17,18
"11223344556677888877665544332211" = hex:
88,77,66,55,44,33,22,11,11,22,33,44,55,66,77,88

//
// List of supported functions for Sentinel key
//
enum SENT_KEY_FN_LIST {
SENT_KEY_FN_FIND_FIRST_UNIT = 0x10,
SENT_KEY_FN_READ = 0x11,
SENT_KEY_FN_QUERY_SHORT = 0x12,
SENT_KEY_FN_QUERY_LONG = 0x13,
SENT_KEY_FN_WRITE_0 = 0x14,
SENT_KEY_FN_WRITE_1 = 0x15,

SENT_KEY_FN_WRITE_2 = 0x16,
SENT_KEY_FN_WRITE_3 = 0x17,
SENT_KEY_FN_OVERWRITE_0 = 0x18,
SENT_KEY_FN_OVERWRITE_1 = 0x19,
SENT_KEY_FN_OVERWRITE_2 = 0x1A,
SENT_KEY_FN_OVERWRITE_3 = 0x1B,
SENT_KEY_FN_ACTIVATE = 0x1C,
SENT_KEY_FN_DECREMENT = 0x1D,
SENT_KEY_FN_GET_KEYINFO = 0x00,
SENT_KEY_FN_SET_PARAMETER = 0x03,
SENT_KEY_FN_GET_PARAMETER = 0x02,
USENT_KEY_FN_GET_LOGIN = 0x05, // for ULTRA and new SPRO
USENT_KEY_FN_LOGIN_21 = 0x21,
USENT_KEY_FN_AES_TUNNEL = 0x07,
USENT_KEY_FN_2F = 0x2F
};
******************************************************************************
**************************************************

*** GUARDANT
******************************************************************************
************************************

... MultiKey \ Dumps \ xxxxxxxx] - xxxxxxxx - pwRead - key password to read;


"DongleType" = dword: 00000004
"pWrite" = dword: 23232323 >>> write password, optional, if the program does not use record
"Data" = hex: \
... (256 bytes - full dump descriptors)

The format of the tables:


if the handle is 0 in the algorithm reg file, then we are looking for the data in Table
... MultiKey \ Dumps \ xxxxxxxx \ algo_yy] where yy - the number of the algorithm
"1122334455667788" = hex: 11,12,13,14,15,16,17,18
A simplified table - a request to the reg file is limited to 8 bytes, ie if the length

Request transforms more than 8 bytes, the query name in the registry take only the first 8 bytes, a
full written response.
******************************************************************************
**************************************************

*** DINKEY
******************************************************************************
**************************************

... MultiKey \ Dumps \ 12345678]


where 12345678 - dinkSerial
"DongleType" = dword: 00000005
"dinkValue" = dword: xxxxxxxx
"dinkMemory" = hex: \
******************************************************************************
**************************************************