Exetools  

Go Back   Exetools > General > General Discussion
Reload this Page HASP HL Time
Register Forum Rules FAQ Calendar

Notices

 
 
Thread Tools Display Modes
Prev Previous Post   Next Post Next
  #17  
Old 06-18-2009, 18:38
Git's Avatar
Git Git is offline
Old Git
  
Join Date: Mar 2002
Location: Torino
Posts: 1,116
Rept. Given: 220
Rept. Rcvd 265 Times in 157 Posts
Thanks Given: 110
Thanks Rcvd at 220 Times in 126 Posts
Git Reputation: 200-299 Git Reputation: 200-299 Git Reputation: 200-299
Many thanks Ahmad. "HASP HL Protection V1.X -> Aladdin " is the shell / envelope tied to the dongle. You can know it is the case usually when you see ".protect" section name. Often this shell/envelope encryption is applied several times on top of each other. Unless you have tools to generate the emulator parameters, it can be a pain to do manually. It is achieved with multiple layers of encryption using the dongle API hasp_encrypt and decrypted during run with hasp_decrypt.

Usual method is to make basic emulator, run target and hasp logger until it puts up error dialog, then save dump as dump01.exe. Search the dump01.exe for input parameter to any of the hasp_decrypt calls in the log. When you find it, search back in the file for non-Unicode string GetTickCount followed by 4 0x00 bytes. Count another 4 bytes and then you have the start of the Q/A pairs block, so if GetTickCount string starts at 0x11F50, block starts at 0x11F64. Copy 0x1000 bytes from that address to a file called, say, pairs01.bin. The first 2048 bytes of that file represent 128 ATable entries for emulator and last 2048 bytes represent 128 corresponding QTable entries. Add those 128 Q/A pairs to the emulator and restart emulator. Much easier if you write a small program to convert pairs.bin to registry entries.

Now run application and hasp logger again. Again, it will maybe put up error dialog about Envelope. Again save dump, this time as dump02.exe. Search through dump02.exe for input value of hasp_decrypt call in log. Same as before, search back for GetTickCount, copy 4096 byte block from 8 bytes past GetTickCount to new file pairs02.bin. Add the new 128 pairs to the emulator and restart. This time the application may run, maybe not. Repeat procudure until no Envelope error. You now have emulator covering all envelope hasp_decrypt calls. If the programmer was clever, he has used the API and there will be many hasp_decrypt and hasp_encrypt calls in the program with random parameters and it is almost impossible to emulate. However, many programmers do nothing more than put shell/envelope around program and call it protected. If so, you now have 100% emulation of dongle for that app.

Git
Reply With Quote
The Following 2 Users Gave Reputation+1 to Git For This Useful Post:
backdoor_b (06-18-2009), DCA (06-20-2009)
 

« Previous Thread | Next Thread »

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts
BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


All times are GMT +8. The time now is 09:11.

Aaron's homepage - Top

Always Your Best Friend: Aaron, JMI, ahmadmansoor, ZeNiX, chessgod101
( Since 1998 )