merags
April 26th, 2011, 11:11
Hi,
I have a program that is packed using HASP-HL 2.x envelope. I have successfully extracted the key from dongle and emulated it using Multikey (with help from some good folks at reteam.org). So emulation is *NOT* an issue.
Since I have some time on hand, I want to get rid of the HASP envelope altogether. I have not been successful so far and would appreciate some pointers. Here is what I have till now,
1. Hardened the OllyDbg by renaming OllyDBG exe and also changing references inside it. Installed Phantom & Anti-debugger detection plugins.
2. Ensured the protected app runs perfectly under debugger
3. Extracted OEP. Confirmed using ImpRec that the IAT is being redirected.
4. Patched a specific 'JE' instruction in the .protect section to disable IAT redirection
5. Rerun app & confirm using ImpRec that IAT redirection is disabled now. Around 200+ functions are properly detected.
6. Dump exe & fix IAT. The dumped exe works but only with the dongle connected. Iam unable to remove the .protect section. If removed, the dumped exe does not start.
As is obvious, now I have a dumped exe with an actual entry point in .text section of my exe instead of the .protect section. But apparently it still tries to do HASP calls. I tracked this using a HASP logger. My attempts to trace this call (for example the HASP init/login) in the code section is taking me in circles and am finding it very hard to pin-point the exact calls. Also, calls are being made into a specific address in .protect section from several locations in the .text section. Again tracing these calls are proving to be difficult. A simple 'RETN' assembled at the specific address in .protect section crashes the application with 'invalid memory access' error.
Please refer to the attached pix. It shows my application stopped at the OEP (0079E716) and the code that I modified at 00AE909D in the main window and the IAT table as read by ImpRec. As can be seen, only one address 00AE91B7, as a part of kernel32.dll remains unresolved. This address is in the .protect section and is the same address referred to in the last but one para of my original post. Iam guessing that this a second type of redirection. But I have been unable to prevent/correct this redirection or get any clues by monitoring write to the VA (0087B304) in the IAT containing 00AE91B7.
Does anyone have any suggestions on way forward?
Cheers
Vijay
PS: I have followed a couple of tutorials claiming unpack for HASP-HL v1.x. But they don't seem to work in my case.
1. HASP HL Envelope 1.x (Unpacking)
2. Cracking HASP By Koudelka
I have a program that is packed using HASP-HL 2.x envelope. I have successfully extracted the key from dongle and emulated it using Multikey (with help from some good folks at reteam.org). So emulation is *NOT* an issue.
Since I have some time on hand, I want to get rid of the HASP envelope altogether. I have not been successful so far and would appreciate some pointers. Here is what I have till now,
1. Hardened the OllyDbg by renaming OllyDBG exe and also changing references inside it. Installed Phantom & Anti-debugger detection plugins.
2. Ensured the protected app runs perfectly under debugger
3. Extracted OEP. Confirmed using ImpRec that the IAT is being redirected.
4. Patched a specific 'JE' instruction in the .protect section to disable IAT redirection
5. Rerun app & confirm using ImpRec that IAT redirection is disabled now. Around 200+ functions are properly detected.
6. Dump exe & fix IAT. The dumped exe works but only with the dongle connected. Iam unable to remove the .protect section. If removed, the dumped exe does not start.
As is obvious, now I have a dumped exe with an actual entry point in .text section of my exe instead of the .protect section. But apparently it still tries to do HASP calls. I tracked this using a HASP logger. My attempts to trace this call (for example the HASP init/login) in the code section is taking me in circles and am finding it very hard to pin-point the exact calls. Also, calls are being made into a specific address in .protect section from several locations in the .text section. Again tracing these calls are proving to be difficult. A simple 'RETN' assembled at the specific address in .protect section crashes the application with 'invalid memory access' error.
Please refer to the attached pix. It shows my application stopped at the OEP (0079E716) and the code that I modified at 00AE909D in the main window and the IAT table as read by ImpRec. As can be seen, only one address 00AE91B7, as a part of kernel32.dll remains unresolved. This address is in the .protect section and is the same address referred to in the last but one para of my original post. Iam guessing that this a second type of redirection. But I have been unable to prevent/correct this redirection or get any clues by monitoring write to the VA (0087B304) in the IAT containing 00AE91B7.
Does anyone have any suggestions on way forward?
Cheers
Vijay
PS: I have followed a couple of tutorials claiming unpack for HASP-HL v1.x. But they don't seem to work in my case.
1. HASP HL Envelope 1.x (Unpacking)
2. Cracking HASP By Koudelka
