Manual of MultiKey with changes to multikey 0.19.1.

9 inclusive
*********************************************
To complete the work in the emulator requires a registry of data on emulated key
.
For each type of key data will be different.
In drawing up the reg files, it is recommended to look at the content of example
s reg files.
Path in the registry data for the emulator:
[HKEY_LOCAL_MACHINE\System\CurrentControlSet\MultiKey\Dumps\xxxxxxxx]
xxxxxxxx - password key (8 hex characters)
To use the keys with the same password you need to add any character after the k
ey password:
... MultiKey\Dumps\xxxxxxxxa]
... MultiKey\Dumps\xxxxxxxx1]
"Name" = "xxx"
"Copyright" = "xxx"
"Created" = "xxx"
"DongleType" = dword: 0000000x - the key type
1 - HASP (3,4, HL, SRM)
2 - HARDLOCK
3 - SENTINEL (spro, upro)
4 - GUARDANT (I, II)
5 - DINKEY
License data for the emulator:
"License" = hex:xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx
To obtain a license for x32 system using the online form on the site of generati
on
http://testprotect.com/appendix/LicMkOnline
*** HASP (3,4, HL, SRM) *************************************
"SN" = dword: xxxxxxxx - serial number
"Type" = dword: 000000xx - model
12 - Time HASP 3
0A - HASP4 M1 (deafult)
1A - HASP4 Time
EA - HASP HL
FA - HASP HL Time
"Memory"
00000001
00000004
00000020
00000021

=
-

dword: 00000001 - memory size

0x80
0x1F0
0xFD0
0x70

"SecTable" = hex:00,00,00,00,00,00,00,00 - Reserved table

"NetMemory" = hex:03,00,0F,D0,02,00,00,00,FF,FF,FE,FF - cell "network" of memory
// Typical data into NetMemory:

//
//
//
//
//
//
//
//
//

12
12
03
70
02
00
FF
FF
FF

1A 0F 12 03 00 70 00 02 00 00 FF FF FF FF FF
1A 12 0F - sn
00 - key type
00 - memory size in bytes
FF - ??
00 - net user count
FF - ??
- key type (FF - local, FE - net, FD - time)
- ??

"Option" = hex: 00,00,00,00,00,00,00,00,00,00,00,00,00,00 - additional options:

(To build on 18.2.4)
[0] = 01 .. 7F - sets a time delay when working with a key (tipovaya-1. .4)
[0] = 0 - no delay (to build on 18.2.4)
"Data" = hex: - memory
= TIME dongles =
For Time-Hasp keys are added to such fields, for example:
"NetMemory" = hex: 05,00,80,00,02,FF,00,00,FF,FF,FD,FF
"HaspTimeMemory" = hex:\
00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,\
3f,db,95,7d,00,00,00,00,\
00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00
"TimeShift" = hex: 00,00,00,00,00,00,00,00
where: 3f,db,95,7d - serial key number is a recorded byte
= HL encrypt / decrypt =
Table-emulated functions hasp_decrypt + hasp_encrypt, in the absence of values i
n tables
values are processed by the Inland AES agoritmu. If necessary, change defoltnogo
key AES algorithm to make a reg file its value:
"AesKey" = hex: 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
The tables are arranged in podvetkah basic layout dump:
Decrypt: [HKEY_LOCAL_MACHINE\System\CurrentControlSet\MultiKey\Dumps\12345604\DT
able];
Encrypt: [HKEY_LOCAL_MACHINE\System\CurrentControlSet\MultiKey\Dumps\12345604\ET
able].
The format of entries in the tables for multikey version < 1.18.x (all values ar
e hexadecimal):
"10:00112233445566778899AABBCCDDEEFF"=hex:FF,EE,DD,CC,BB,AA,99,88,77,66,55,44,33
,22,11,00
"20:00112233445566778899AABBCCDDEEFF"=hex:FF,EE,DD,CC,BB,AA,99,88,77,66,55,44,33
,22,11,00
"30:00112233445566778899AABBCCDDEEFF"=hex:FF,EE,DD,CC,BB,AA,99,88,77,66,55,44,33

,22,11,00
**************************************************
For multikey version >= 18.1.x in the names of the queries 20h and 30h must take
32 bytes request!
"10:0123456789 ABCDEF0123456789ABCDEF"=hex:12,34,56,78,90,AB,CD,EF,12,34,56,78,9
0,AB,CD,EF
"20:5500A934CDE5D7B619568515F74D323695EC75E8C48F6B5D9880F6A88B251C48"=hex:4F,8A,
A7,A1,26,55,61,B3,1A,77,B4,A2,19,B3,19,34
"30:9A2B6F7F80A2F2E36334D3258BAFD06FBB7286766A24910911648D98D8C56628"=hex:12,71,
B7,B5,3D,47,B4,2B,DC,93,4F,00,00,1C,2C,4E
**************************************************
where
- "10:00112233445566778899AABBCCDDEEFF" - an inquiry into the key
"10 (20.30) - query length in bytes
"00112233445566778899AABBCCDDEEFF" - the first 16 bytes of the query
- Hex: FF,EE,DD,CC,BB,AA,99,88,77,66,55,44,33,22,11,00 - the answer key, we take
only the first 16 bytes of the real answer.
For example:
================================================== ================
2008/10/10 07:13:25.109 <== HaspHL_decrypt: Length = 0x10
2008/10/10 07:13:25.109 <== HaspHL_decrypt: Input Data =
2008/10/10 07:13:25.109
2A E1 F0 A2 | E1 B2 F1 F9 | 9F C8 72 F6 | CA 4B 01 49
2008/10/10 07:13:25.171 ==> HaspHL_decrypt: Output Data =
2008/10/10 07:13:25.171
53 9D 4D 03 | 00 00 00 00 | CB D2 6B 04 | 00 00 00 00
2008/10/10 07:13:25.171 ==> HaspHL_decrypt: Status = 0x00
================================================== ================
2008/10/10 07:13:23.484 <== HaspHL_decrypt: Length = 0x20
2008/10/10 07:13:23.484 <== HaspHL_decrypt: Input Data =
2008/10/10 07:13:23.484
7B 6E 8C DF | D6 51 A3 0C | 47 E1 FA 60 | 51 6C 79 71
2E 0E 0C 38 | C6 99 FE 97 | B2 C2 E1 37 | 7F 61 CD 7A
2008/10/10 07:13:23.546 ==> HaspHL_decrypt: Output Data =
2008/10/10 07:13:23.546
02 B0 3C 6E | DA 88 46 BA | 4C 7E 5A 12 | 8E D6 DE 76
2E 0E 0C 38 | C6 99 FE 97 | B2 C2 E1 37 | 7F 61 CD 7A
2008/10/10 07:13:23.546 ==> HaspHL_decrypt: Status = 0x00
================================================== ================
2008/10/10 07:13:23.609 <== HaspHL_decrypt: Length = 0x30
2008/10/10 07:13:23.609 <== HaspHL_decrypt: Input Data =
2008/10/10 07:13:23.609
7B 6E 8C DF | D6 51 A3 0C | 47 E1 FA 60 | 51 6C 79 71
2E 0E 0C 38 | C6 99 FE 97 | B2 C2 E1 37 | 7F 61 CD 7A
9C F3 2A BD | A4 DA 3B 78 | 97 CC 44 ED | 42 47 42 E6
2008/10/10 07:13:23.671 ==> HaspHL_decrypt: Output Data =
2008/10/10 07:13:23.671
77 64 61 62 | 63 5F 60 61 | A2 B9 AC 60 | 61 62 63 5F
2E 0E 0C 38 | C6 99 FE 97 | B2 C2 E1 37 | 7F 61 CD 7A
9C F3 2A BD | A4 DA 3B 78 | 97 CC 44 ED | 42 47 42 E6
2008/10/10 07:13:23.671 ==> HaspHL_decrypt: Status = 0x00
================================================== ===============
The resulting table:
[HKEY_LOCAL_MACHINE\System\CurrentControlSet\MultiKey\Dumps\12345604\DTable];
"10:2AE1F0A2E1B2F1F99FC872F6CA4B0149" = hex: 53,9D,4D,03,00,00,00,00,CB,D2,6B,04
,00,00,00,00
"20:7B6E8CDFD651A30C47E1FA60516C79712E0E0C38C699FE97B2C2E1377F61CD7A"=hex:02,B0,
3C,6E,DA,88,46,BA,4C,7E,5A,12,8E,D6,DE,76
"30:7B6E8CDFD651A30C47E1FA60516C79712E0E0C38C699FE97B2C2E1377F61CD7A"=hex:77,64,

61,62,63,5F,60,61,A2,B9,AC,60,61,62,63,5F
If the protocol meets a single query of 32 (20h) bytes, followed immediately
No query length of 48 (30h) bytes (or should say to another, in which the second
16-byte query
NOT equal to the second 16 bytes of response), then such a request must be saved
in the table as two queries to 16 (10h) bytes
= SRM =
To emulate the SRM addition to the data as HL key additional data.
On looking for is a private information.
//
// List of supported functions for hasp key
//
enum KEY_FN_LIST {
// HL
KEY_FN_SET_CHIPER_KEYS = 0x80,
KEY_FN_CHECK_PASS = 0x81,
KEY_FN_READ_3WORDS = 0x82,
KEY_FN_WRITE_WORD = 0x83,
KEY_FN_READ_ST = 0x84,
KEY_FN_READ_NETMEMORY_3WORDS = 0x8B,
KEY_FN_HASH_DWORD = 0x98,
KEY_FN_GET_TIME = 0x9C, // Get time (for HASP time) key
KEY_FN_PREPARE_CHANGE_TIME = 0x1D, // Prepare to change time (for HASP time)
KEY_FN_COMPLETE_WRITE_TIME = 0x9D, // Write time (complete) (for HASP time)
KEY_FN_PREPARE_DECRYPT = 0x1E, // qwestions
KEY_FN_COMPLETE_DECRYPT = 0x9E, // answers
KEY_FN_ECHO_REQUEST = 0xA0, // Echo request to key
KEY_FN_ECHO_REQUEST2 = 0xA1, // Echo request to key
// Srm
KEY_FN_SRM_A2 = 0xA2,
KEY_FN_SRM_26 = 0x26,
KEY_FN_SRM_A6 = 0xA6,
KEY_FN_SRM_AA = 0xAA,
KEY_FN_SRM_AB = 0xAB,
KEY_FN_SRM_AC = 0xAC,
KEY_FN_SRM_AE = 0xAE,
KEY_FN_SRM_27 = 0x27,
KEY_FN_SRM_A7 = 0xA7,
KEY_FN_SRM_29 = 0x29,
KEY_FN_SRM_A9 = 0xA9,
KEY_FN_SRM_28 = 0x28,
he signature (update)
KEY_FN_SRM_A8 = 0xA8,
KEY_FN_SRM_38 = 0x38,
KEY_FN_SRM_B8 = 0xB8
};

//
//
//
//
//
//
//
//
//
//
//
//

read table Fitch

26/A6 - reading values Fitch key and memory
login in key
logout key
hasp_get_rtc - getting time from the key
xs, like with 3.25 appeared
27/A7 - write to the memory key
29/A9 - Crypto dekript
28/A8 - read the key without encryption protocol with t

//
// 38/B8 - updated keys and proshivy
//

*** HARDLOCK **********************************************

"ID" = dword: xxxxxxxx - serial number
"WithMemory" = dword: 0000000x - key with memory or without
"Seed1" = dword: 0000xxxx
"Seed2" = dword: 0000xxxx
"Seed3" = dword: 0000xxxx
"HlkMemory" = hex: - memory
//
// List of supported functions for HARDLOCK key

//
enum HARDLOCK_KEY_FN_LIST {
HDK_KEY_FN_SET_CHIPER_KEYS = 0x80,
HDK_KEY_FN_CHECK_PASS = 0x81,
HDK_KEY_FN_READ_WORD = 0x82,
HDK_KEY_FN_WRITE_WORD = 0x83,
HDK_KEY_FN_HL_VERKEY = 0x87,
HDK_KEY_FN_READ_ID = 0x8B,
HDK_KEY_FN_HL_CODE = 0x8C,
HDK_KEY_FN_HL_CRYPT = 0x8D,
HDK_KEY_FN_HL_CODE_PAR = 0x0C,
HDK_KEY_FN_HL_CRYPT_PAR = 0x0D,
HDK_KEY_FN_HL_CALC = 0x89
};
*** SENTINEL **********************************************
... MultiKey\Dumps\0000xxxx] - xxxx - Developer ID
"Type" = dword: 00000000 - model, 0-SuperPro, 1-all other types;
"SntMemory" = hex: - memory for "Type" = 0 - 64 cell, for "Type" = 1, depending
on the type of key
"CellType" = hex: - types of cells, and for "Type" = 0 - 64 bytes for the "Type"
= 1, depending on the type of key
"Type" = 0 - full internal algorithm to spro, reg-file old-fashioned
"Type" = 1 - only a table emulation for all types of keys in the reg file to add
new fields:
"Option" = hex: 02,00,03,80,7F,00,00,00 (for example SPRO with the support of AE
C-tunnel)
where: [0 ]...[ 3] - the value type of key, we get functions, the GET_KEYINFO
[4] - the value of a physically readable memory key, usually 7F or FF
[5]...[7] - reserve
"AesKey" = hex: 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00 - aes key for AE
S-tunnel (so far, so get out prog)
!!!!! To form the correct reg-file is recommended to use the dumper SSUMD v1.1 !
!!!!
Spro default dump the old regime ("Type" = 0).
Table format:
... MultiKey\Dumps\0000xxxx\cell_yy] - yy - number of the cell, for which the ta
ble for every Sell your table
"12345678" = hex: 22,33,44,55
"1122334455667788" = hex: 11,12,13,14,15,16,17,18
"11223344556677888877665544332211" = hex: 88,77,66,55,44,33,22,11,11,22,33,44,55
,66,77,88
//
// List of supported functions for Sentinel key
//
enum SENT_KEY_FN_LIST {
SENT_KEY_FN_FIND_FIRST_UNIT = 0x10,
SENT_KEY_FN_READ = 0x11,
SENT_KEY_FN_QUERY_SHORT = 0x12,
SENT_KEY_FN_QUERY_LONG = 0x13,
SENT_KEY_FN_WRITE_0 = 0x14,
SENT_KEY_FN_WRITE_1 = 0x15,
SENT_KEY_FN_WRITE_2 = 0x16,
SENT_KEY_FN_WRITE_3 = 0x17,
SENT_KEY_FN_OVERWRITE_0 = 0x18,
SENT_KEY_FN_OVERWRITE_1 = 0x19,
SENT_KEY_FN_OVERWRITE_2 = 0x1A,

SENT_KEY_FN_OVERWRITE_3 = 0x1B,
SENT_KEY_FN_ACTIVATE = 0x1C,
SENT_KEY_FN_DECREMENT = 0x1D,
SENT_KEY_FN_GET_KEYINFO = 0x00,
SENT_KEY_FN_SET_PARAMETER = 0x03,
SENT_KEY_FN_GET_PARAMETER = 0x02,
USENT_KEY_FN_GET_LOGIN = 0x05, / / for ULTRA and new SPRO
USENT_KEY_FN_LOGIN_21 = 0x21,
USENT_KEY_FN_AES_TUNNEL = 0x07,
USENT_KEY_FN_2F = 0x2F
};
*** GUARDANT **********************************************
... MultiKey\Dumps\xxxxxxxx] - xxxxxxxx - pwRead - key password for reading;
"DongleType" = dword: 00000004
"PWrite" = dword: 23232323 >>> password on the account, optional if the prog doe
s not use record
"Data" = hex: \
... (256 bytes - a full dump of the descriptors)
Table format:
if the handle of the algorithm is equal to 0 in the reg file, then search for da
ta in the table
... MultiKey\Dumps\xxxxxxxx\ algo_yy] where yy - number of algorithm
"1122334455667788" = hex: 11,12,13,14,15,16,17,18
Used a simplified table - query reg file is limited to 8 bytes, ie, if the lengt
h
Request transforms more than 8 bytes, the query name in the register take only t
he first 8 bytes, the answer is written in
full.
*** DINKEY **********************************************
... MultiKey\Dumps\12345678]
where 12345678 - dinkSerial
"DongleType" = dword: 00000005
"DinkValue" = dword: xxxxxxxx
"DinkMemory" = hex: \
**************************************************