Thread: how 2 update a hasp????
View Single Post
  #18  
Old 05-18-2005, 06:11
baatazu
 
Posts: n/a
No, the hasp passwords are already embedded when the software company gets the hasp. They dont need to change. Every hasp family has 4 unique IDs:

1. Family Code : 5digit alpha - like "MATER"
2. Developer ID: 6digits - like 204-42c
3. Password A - like 28124
4. Password B - like 80121

While you have you a family of 100 hasps with the same details (ID) there is also a unique ID for each hasp:

1. Hasp Unique ID - like 8f0af981

The developer uses those 2 passwords to open the hasp memory using the HaspEdit tool and he can put additional information inside such as the customer serial number.

The protected software, requires those 2 passwords to open and validate the key and therefore read the information. But they can also use the unique ID to ban a hasp from running the software. If HaspID == 8f0af981 then UnLicensed();

There are tools that are allow you to find those 2 passwords but the best you can do is to read and write the memory of the hasp, the data that software developer entered.

If you get another hasp from aladdin, you will have a different family ID and Developer ID - and of course 2 new passwords. You cant change those 2 passwords to match the old hasp (the one that you want to duplicate). I also imagine the encrypt/decrypt routines working like that:

(inside hasp)
Encrypt(Family_ID + Developer_ID + Password1 + Password2 + Embedded_Hidden_Key, "hello world");

So what we have here? The communication between software and hasp is encrypted with keys that are based to the original hasp. Even if you manage to know the 2 password there are more things counted here.

So you cant enforce the hasp to change those sensitive details (family id, developer id, passwords). That means is not exactly a single copy/paste. The tool sc0py mentioned is not available on public, at least i was unable to find it. I think duplicating the hardcoded memory of a hasp is not as simple as running a tool in your pc. I know the company that sells the Hasp4 in my country and they have a special hardware (a big one) for that job that programs the hasps based on passwords etc. The software that works with that hardware is connected to the internet and takes data directly from ealladin (mam company). Means even the employee/local distributor cant write hasps for his personal purposes.

Think it twice, I cant imagine a security colossus like eAladdin having a security tool that can be easily duplicated using a single software/tool. My advice is to think for a hasp emulator that will make your job because all data software needed are readed from memory - and as you already know memory is writeable while hasp isnt
Last edited by baatazu; 05-18-2005 at 06:16.
Reply With Quote