
Need help with HASP


meRlin
January 11th, 2001, 16:47
Hello!
Recently I read Frog Print's fantastic essay about dongle bashing.
I have had success with a couple of Sentinel-protected ones, and now I'm working on a HASP protection.
Target is Icarus v2.42, 3429307 bytes (Swedish software; they have an English page too): www.keylogic.se/old/download/icarus/icarus242.exe
It will run in demo mode if no dongle is detected and you have to restart the "server services" after 3 hours time.

The dongle check is done 19 times starting with this one at:
00030941 mov eax, 5
00030946 call sub_1FEA8 <-main routine

Inside that call you have another call and a check -> HASPUT16.DLL.
I do not understand what's going on in all 19 locations; an example that I do understand:

000309E3 mov edx, 665h
000309E8 mov eax, 2 <--hasp service 2
000309ED call sub_1FEA8 <-main
000309F2 test bl, bl <-test
000309F4 jz short loc_30A1A <-beggar off
000309F6 cmp [ebp+var_8], 0A0F1h <-retcode 1
000309FD jnz short loc_30A1A
000309FF cmp [ebp+var_C], 0D0ECh <- retcode 2
00030A06 jnz short loc_30A1A
00030A08 cmp [ebp+var_10], 63C6h <-retcode 3
00030A0F jnz short loc_30A1A
00030A11 cmp [ebp+var_4], 5D1Bh <- retcode 4
00030A18 jz short loc_30A1E <- good guy
00030A1A xor eax, eax <-beggar off
00030A1C jmp short loc_30A20
00030A1E mov al, 1
00030A20 mov ebx, eax

There are some similar checks that are pretty easy to understand, but I need help to grep the other ones.

regards
merlin

Cast
January 11th, 2001, 19:00
Go to the main HASP call, look at the addresses that call it, and then go back and take note of the value pushed before the call; this will be the service number. 1 = IsHasp, must return 1 in eax. 2 = HaspCode,
like this:

push 0000XXX2 <- Pas2
push 0000XXX1 <- Pas1
mov edx, 00001234 <- Seedcode
push 00000002 <- service #
Call _Hasp

Then you have all you need to generate the return codes using the UCL HaspCode generator. For other services, why not try to consult the manual? It's easy to figure out what needs to be returned for given services. A third option would be visiting zencrack2.cjb.net, as it has some good tutorials explaining the HASP services. Good luck there.
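As an added illustration of the two posts above (not code from the thread, from Icarus, or from the dongle vendor), here is a C model of the call convention Cast describes (service number, seed code in EDX, pass1/pass2 on the stack) together with the service-2 return-code check meRlin disassembled at 000309E3..00030A20. hasp_call() is a recording-based stand-in for the real HASPUT16 entry point: the HaspCode() algorithm is proprietary and is not reproduced here. Only seed 0x665 and its four return codes come from the listing; the password pair PASS1/PASS2 and the demo/full decision wrapper are assumptions.

```c
/* Added example: C model of the HASP service calls and the seed-0x665 check
 * as reversed in the thread. Not the product's code and not a real driver. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum { HASP_ISHASP = 1, HASP_CODE = 2, HASP_READWORD = 3, HASP_STATUS = 5 };

/* Placeholder developer passwords. The real pair is read off the two push
 * instructions before "call _Hasp", as Cast explains; these are assumed. */
#define PASS1 0x1111u
#define PASS2 0x2222u

/* One recording: seed in EDX -> the four return codes the caller compares. */
struct code_entry { uint16_t seed; uint16_t rc[4]; };

static const struct code_entry code_table[] = {
    { 0x0665, { 0xA0F1, 0xD0EC, 0x63C6, 0x5D1B } },   /* from the posted listing */
};

/* Stand-in for the vendor entry point. Returns 1 (BL set) on success and
 * writes up to four result words to out; returns 0 when the passwords are
 * wrong, the service is unknown, or no recording exists for the seed. */
static int hasp_call(int service, uint16_t seed, uint16_t pass1, uint16_t pass2,
                     uint16_t out[4])
{
    memset(out, 0, 4 * sizeof out[0]);
    if (pass1 != PASS1 || pass2 != PASS2)      /* wrong passwords: dongle stays silent */
        return 0;
    switch (service) {
    case HASP_ISHASP:                           /* 1: must yield 1 in EAX */
        out[0] = 1;
        return 1;
    case HASP_STATUS:                           /* 5: CrackZ: MemoHASP-1 -> EAX=1 EBX=1 ECX=60 */
        out[0] = 1; out[1] = 1; out[2] = 60;
        return 1;
    case HASP_CODE:                             /* 2: replay the recorded codes */
        for (size_t i = 0; i < sizeof code_table / sizeof code_table[0]; i++)
            if (code_table[i].seed == seed) {
                memcpy(out, code_table[i].rc, sizeof code_table[i].rc);
                return 1;
            }
        return 0;
    default:
        return 0;
    }
}

/* C rendering of the check at 000309E3: service 2 with seed 0x665, then
 * require BL != 0 and all four return codes to match, else "beggar off". */
static int check_seed_665(void)
{
    uint16_t rc[4];
    if (!hasp_call(HASP_CODE, 0x0665, PASS1, PASS2, rc))
        return 0;                               /* test bl,bl ; jz loc_30A1A */
    return rc[0] == 0xA0F1 && rc[1] == 0xD0EC &&
           rc[2] == 0x63C6 && rc[3] == 0x5D1B;
}

/* Assumed demo/full decision: IsHasp must answer 1, then the seed check. */
static int fully_licensed(void)
{
    uint16_t out[4];
    if (!hasp_call(HASP_ISHASP, 0, PASS1, PASS2, out) || out[0] != 1)
        return 0;                               /* no dongle seen: demo mode */
    return check_seed_665();
}

int main(void)
{
    printf("licensed: %d\n", fully_licensed());   /* prints 1 with the stand-in */
    return 0;
}
```

The point of the table is that a recording of (seed, four return codes) pairs is all the caller ever compares against; any seed the program uses that is missing from the table fails the check exactly as a missing dongle would, which is why every HaspCode() call site has to be found.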

meRlin
January 14th, 2001, 16:56
Hi Cast!
Sorry for my late reply.
I downloaded manuals.zip from the HASP authors' page; they give away some great information about their own protection.
I think my target is doomed to die tonight. I had some problems at first finding IsHasp, but a nice BPX CreateFileA did the job for me.
I think the solution I have is not the best, but I'm happy with it because it's my first hasp dongle.

regards
meRlin

CrackZ
January 15th, 2001, 21:12
Hiya,

I took a brief look at your target (about 5 minutes), and managed to get it working, so I'll bore you with some code snippets / meaningless information ;-).

CODE:0001FECB cmp bh, 32h
CODE:0001FECE jb short loc_1FED5
CODE:0001FED0 mov esi, [ebp+arg_0]
CODE:0001FED3 mov eax, [esi]
CODE:0001FED5
CODE:0001FED5 loc_1FED5: ; CODE XREF: sub_1FEA8+26j
CODE:0001FED5 mov esi, [ebp+arg_8]
CODE:0001FED8 mov esi, [esi]
CODE:0001FEDA push ebp
CODE:0001FEDB call sub_21DB0 <-- haspreg().
CODE:0001FEE0 pop ebp

That's your haspreg() call. Eyes glimmer (emulator here maybe ;-) ).

Icarus calls service 5 first, I suggest you patch this as a MemoHASP-1, return, EAX=1, EBX=1, ECX=60. The next time haspreg() is called the passwords will be different (0x5185 & 0x4903).

Service 0x32 (50) is used to read a block of memory from the HASP (return buffer is -> EAX); all 38 words are read. At 40FAE5 a loop sums all the individual bytes of word 0 through word 1Ah inclusive (a table algorithm is used during this process); at the end this check word is compared to word 1Bh (from the dongle), match = good guy.

Next up similar summing of words 1Ch through 1Eh, check word compared to word 1Fh. Final checks are trickier, word 6, word 7, word 9 are read individually with ReadWord (service 3), word 6 ^ 12h will find its way as a seed code parameter for HaspCode(), return code 1 of which must pass some AND checks. Word 9 also has AND checks.

Once you're satisfied with what is an acceptable return code 1 from (word 6 ^ 12 as seed to the HaspCode() call), then you can brute-force the correct word 6.

Anyhow, if you want any further help with this, e-mail me. Server32.exe is the only file with protection too ;-).

Regards

CrackZ.
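As an added example (not CrackZ's code and not Icarus's), the memory-image checks described above modelled in C: the service-0x32 block of 38 words, word 1Bh as a check over the bytes of words 0..1Ah, word 1Fh as a check over words 1Ch..1Eh, and the brute force of word 6 via (word 6 ^ 12h) as a HaspCode() seed whose return code 1 is AND-checked. The byte-translation table used in the real sum, the HaspCode() algorithm and the AND mask are not on the page, so xlat(), demo_rc1() and demo_accept() below are constructed stand-ins that exist only so the structure runs end to end.

```c
/* Added example: model of the HASP memory-image checks from the thread.
 * xlat(), demo_rc1(), demo_accept() and the sample image are constructed. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define HASP_WORDS 38

/* Per-byte translation applied inside the sum (ASSUMPTION: identity; the
 * thread only says "a table algorithm is used"). */
static uint8_t xlat(uint8_t b) { return b; }

/* Sum of translated bytes of words [first, last] inclusive, mod 2^16. */
static uint16_t block_check(const uint16_t *mem, size_t first, size_t last)
{
    uint16_t sum = 0;
    for (size_t i = first; i <= last; i++) {
        sum = (uint16_t)(sum + xlat((uint8_t)(mem[i] & 0xFF)));
        sum = (uint16_t)(sum + xlat((uint8_t)(mem[i] >> 8)));
    }
    return sum;
}

/* The two comparisons made on the block read with service 0x32. */
static int image_passes(const uint16_t mem[HASP_WORDS])
{
    return block_check(mem, 0x00, 0x1A) == mem[0x1B]
        && block_check(mem, 0x1C, 0x1E) == mem[0x1F];
}

/* Recompute both check words so an edited image is self-consistent. */
static void image_fixup(uint16_t mem[HASP_WORDS])
{
    mem[0x1B] = block_check(mem, 0x00, 0x1A);
    mem[0x1F] = block_check(mem, 0x1C, 0x1E);
}

/* Brute force word 6: first value whose seed (word6 ^ 0x12) yields an
 * acceptable return code 1. rc1_of() stands for whatever produces rc1 for a
 * seed; accept() is the caller's AND check. Returns -1 if no value fits. */
static long find_word6(uint16_t (*rc1_of)(uint16_t seed), int (*accept)(uint16_t rc1))
{
    for (uint32_t w = 0; w <= 0xFFFF; w++)
        if (accept(rc1_of((uint16_t)(w ^ 0x12))))
            return (long)w;
    return -1;
}

/* Constructed stand-ins: NOT the real HaspCode() and NOT the real mask. */
static uint16_t demo_rc1(uint16_t seed) { return (uint16_t)(seed ^ 0xA5A5); }
static int demo_accept(uint16_t rc1) { return (rc1 & 0xF00F) == 0xF00F; }

/* Constructed 38-word image: a few non-zero words, check words filled in,
 * then one word flipped to show that an edit without fixup fails. */
static int demo_image_ok(void)
{
    uint16_t img[HASP_WORDS] = { 0 };
    img[0] = 0x0102; img[6] = 0x0034; img[0x1C] = 0xFF01;
    image_fixup(img);                 /* img[0x1B] = 0x0037, img[0x1F] = 0x0100 */
    int ok = image_passes(img);
    img[6] ^= 1;
    return ok && !image_passes(img);
}

int main(void)
{
    printf("image check: %d, word 6: 0x%04lx\n",
           demo_image_ok(), find_word6(demo_rc1, demo_accept));
    return 0;
}
```

Two practical consequences fall out of the structure: changing word 6 (or any word at or below 1Ah) invalidates word 1Bh, so the brute-forced word 6 must be followed by a fixup of the check word, and the search space is only 65536 values, which is why brute-forcing word 6 against the HaspCode() check is feasible at all.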