For CrackZ/HypnoticZ/TNT the hasp prot prog


hack3r2k
June 11th, 2002, 10:10
Hey!

Things that I have found so far:

pass1 - 2b83 (can I do anything with it?)
pass2 - 618f (same question)
seed - 0 ??? kind of impossible
port - 0 ??? this one too

It uses the HASP API, because I found the HASPDOSDRV string inside the program.
It seems to be a TimeHasp or HASP-Time, because it uses function 47.

Of course I tried to crack it!

All I did was reverse some jumps after some checks, before the dialog box is shown (MessagePopup API), but the reason I reopened this subject is that the program does not seem to work the way it should.

So all I'm asking is for help cracking it right.

Best regards,
.:hack3r2k:.

file (2.55MB)

://sagemboard.web1000.com/telech.zip

best regards,
hack3r2k

goatass
June 11th, 2002, 15:47
Just changing jumps to avoid a message box will not correctly crack the program. Many times the program reads data from the dongle and uses it for something; if the correct bytes are not read, the program doesn't run right.

Try to find the HASP APIs and emulate them so they return the correct values.

goatass

hack3r2k
June 11th, 2002, 22:09
Hey !

I started to write an emulation routine for the program above (it uses services 1, 5 and 71).

;GetTime -=function 71=- emulation
sub esp, sizeof SYSTEMTIME                  ;reserve a SYSTEMTIME on the stack
push esp                                    ;lpSystemTime
call GetLocalTime                           ;stdcall: pops its own argument
xor eax, eax
xor ebx, ebx
xor edx, edx
mov ax, word ptr [esp+SYSTEMTIME.wSecond]   ;second -> EAX
mov bx, word ptr [esp+SYSTEMTIME.wMinute]   ;minute -> EBX
mov dx, word ptr [esp+SYSTEMTIME.wHour]     ;hour   -> EDX
xor ecx, ecx                                ;status 0: all things went OK!
add esp, sizeof SYSTEMTIME                  ;release the structure

Is this OK for 71?

The code for 1 and 5 I will not post, because it is easy to emulate...

The problem is that I don't know for sure whether I must redirect all 'call _hasp' to 'call _emuroutine'...

And there is another problem... if I put this code in some DLL, will it work?

I mean, instead of call _hasp, do a call to the emulation routine from the DLL.

CrackZ
June 11th, 2002, 23:06
Hiya,

My findings seem to disagree (a little) with yours.

I found it calls IsHasp(), HaspStatus() and then HaspID(), services 1, 5 & 4Eh respectively. Actually you may be right that it calls other TimeHASP-related services after this, or 47h if you change the HaspStatus() return to TimeHASP-4 (I didn't actually experiment with that), since I got some annoying message box about missing files when my drivers emulated the first 3 services.

PWD1 = 2B83
PWD2 = 618F (we agree).

Remember, the seed is only relevant to a handful of HASP() functions.

The HASP() routine is inside telechtest.exe (4065A0) & telechomm.dll (1000322C).

Your emulation routine looks OK to me; I don't know why you don't use the shorter movzx overrides when accessing the SYSTEMTIME structure, though, rather than zeroing EAX/EBX/EDX and then moving ;-).

This program uses the basic HASP API, so patching an emulation routine in the aforementioned places should be sufficient.

Regards

CrackZ.

hack3r2k
June 12th, 2002, 10:49
I forgot to tell you that telechtest.exe must be executed from the command line.

e.g. telechtest some_file.bis ? ?, plus 2 other params that seem not to work, respectively the COM port number and the baud rate.

Anyway, you didn't tell me whether I must redirect all call _hasp to my emulated routine...

I'll post my full emulation here; it's ready...

Do you have an email where I can contact you? (hotmail? If so, maybe we can meet on MSN Messenger to talk more)

best regards,
.:hack3r2k:.

goatass
June 12th, 2002, 15:45
It is recommended that you redirect all call _hasp sites to your emulation routine; this way you can manipulate the return values of any of the services. Say you run the program and find out that after an hour it calls a service that was not emulated. It would then be easier to go directly to your code and emulate that service. Just as a good measure, you want to be able to say that you covered all your bases.

goatass

hack3r2k
June 12th, 2002, 23:22
Yo !

Thank you for helping me CrackZ and goatass !

This is my full emulation routine, but there is something wrong with it!!!

;92 bytes emulation routine

cmp bh, 1h ;IsHasp()
jnz next_1 ;ummm nope
xor eax, eax ;make it 00000000h
ret ;return after call hasp
next_1: ;Let's try something else
cmp bh, 5h ;HaspStatus()
jnz next_2 ;ummm nope
mov eax, 0h ;Other hasp ...
mov ebx, 3h ;I think ... TimeHasp
mov ecx, 1h ;Port number
ret
next_2:
cmp bh, 47h ;GetTime()
jnz next_3
sub esp, 10h ;room for a SYSTEMTIME (16 bytes)
push esp ;lpSystemTime
db 0FFh, 15h, 1Ch, 70h, 44h, 00h
;alias call dword ptr [0044701Ch],
;the GetLocalTime import added to telechtest.exe
;it's hard to fit the code to your needs, but not impossible
movzx eax, word ptr [esp+0Ch] ;wSecond
movzx ebx, word ptr [esp+0Ah] ;wMinute
movzx edx, word ptr [esp+08h] ;wHour
xor ecx, ecx ;all things went ok!
add esp, 10h
ret
next_3:
cmp bh, 4Eh ;HaspID()
jnz next_0
mov eax, 0h
mov ebx, 0h
xor ecx, ecx ;Yeah, we have hasp v0.0 !!!
ret
next_0: ;anything else: return zeros
xor eax, eax
xor ebx, ebx
xor ecx, ecx
xor edx, edx
ret

I added this routine in the .hasp section (a section I added) of telechtest.exe, and it uses the GetLocalTime API added to the .import section of the .exe.

After I redirected all 11 calls to my emulated routine, I discovered when I executed the exe the same fucking, stupid message box!!!

Ummm... I said to myself, I think that I forgot to emulate something, so I set a break in my emu routine and discovered that BH had the value 20h, but I didn't find any info in my haspman about how I can emulate it...

Maybe something in my emu routine is WRONGLY emulated???

Is the emu routine OK???

I attached here the patched exe and the binary form of my hasp routine!

All I can say now is ... HELP!!!!!!!!

New section added to telechtest.exe:

.imports -> GetLocalTime API added
.hasp -> the emulation routine

best regards,
.:hack3r2k:.

http://sagemboard.web1000.com/Telech+hasp_emu.zip (click on the bottom link) -> Contains the patched exe and hasp emu in binary form

ZenLoren
June 13th, 2002, 05:24
Hi

cmp bh, 1h ;IsHasp()
jnz next_1 ;ummm nope
xor eax, eax ;make it 00000000h
ret ;return after call hasp

IsHasp() should return 1, not 0.
Try rectifying it and check.

Regards
zenloren

hack3r2k
June 13th, 2002, 10:08
Hi ! (thanx ZenLoren)

I repatched the program so it returns 1 at the IsHasp() call, but it still doesn't work!

http://sagemboard.web1000.com/Telech+hasp_emu.zip (click on the bottom link) -> Contains the patched exe and hasp emu in binary form

CrackZ, don't let me down now!!!

HypnoticZ/TNT
June 13th, 2002, 14:36
see your PM

regards HypnoticZ

CrackZ
June 14th, 2002, 00:47
Bah!.

I got screwed by the msgboard here and logged out automatically; reply lost ;-).

Anyway, the gist of what I said was something like: make sure you redirect the call to haspreg() to your new code (address 4065D6). It sounded to me like you were redirecting at the xref level and hence BH wasn't getting the service code loaded.

The emulation routine was fine; IsHasp() does clear EBX/ECX/EDX, and ECX's return for HaspStatus() should be 66h (EDX = driver version), but 1 shouldn't make much difference. Also, a general point: avoid sending back 0:0 for HaspID if you can, some programs do not like it ;-).

Regards and contact me if you want any further assistance.

CrackZ.

hack3r2k
June 14th, 2002, 21:53
Hi there HypnoticZ/TNT/CrackZ !

I wrote a function called HaspServicesSpy which, called instead of haspreg(), is able to display in a message box which service the program tried to execute.

So I discovered that the program executes the following services:

1h
5h
47h
4Eh
49h
4Dh
4Ch

I inserted the emu routine and all functions work OK, except WriteBlock/ReadBlock, which I don't know for sure how to emulate, so it gives "locked key", and that's because I don't know how much memory (bytes) it requires!!!

BTW, the dongle used by this program is strange, because it uses services from both TimeHasp and MemoHasp; can someone explain to me how that's possible??

best regards,
.:hack3r2k:.

Thanks CrackZ, HypnoticZ/TNT (yep! that was my problem! now it works)

goatass
June 14th, 2002, 23:19
The dongle is a TimeHasp dongle; this dongle has both time and memo HASP routines in it, just like the NetHasp has net and memo routines in it.
To emulate the read and write calls you need to do something like this:

push ebp
call $+5                 ;push the address of the next instruction
pop ebp                  ;get delta offset into ebp
add ebp, 20h             ;puts you at the start of your dongle data (number varies)
mov ecx, esi             ;puts length of block (in words) in ecx
lea esi, [ebp+eax*2]     ;address of your dongle data, eax = cell#, one word per cell
rep movsw                ;edi is the return buffer
pop ebp
ret                      ;back to the program, before the data
dw 0000h, 1111h, 2222h, 3333h, 4444h   ;dongle data, one word per cell

Something along these lines; you have to play with it a bit to get it to work correctly for you.
To emulate the write routine, just switch the read and write buffers.

P.S. TimeHasp has 512 bytes of memory.

Hope that helps.


goatass

hack3r2k
June 16th, 2002, 22:29
Now I need some more info about ReadBlock!!!

Let's suppose that the hasp emu memory looks like this:

00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
---------------------------------------------------------------
BH -> 77
DI -> 7 ; start address?? What does this mean regarding the hasp memory above??
SI -> 2 ; block length?? Does this mean it wants to read 2 bytes??
AX -> F918 ; buffer offset?? What is this??? Like the start reading position??? Isn't it too big for a TimeHasp with 512 bytes of memory???

BTW, is EDI a pointer to a buffer that contains the values read, or does it contain the values itself (like 00000000h after reading 2 bytes)??

Can you explain how this function works???

Hey CrackZ/goatass, please explain it to me!!! (I can't code it if I don't understand how it works....)

best regards,
.:hack3r2k:.

hack3r2k
June 18th, 2002, 22:47
Can anyone answer my question above? (the one about the ReadBlock stuff)

Does anyone know what service 68 does?? I didn't find any info in the hasp manuals!


best regards,
.:hack3r2k:.

goatass
June 19th, 2002, 01:01
First of all, take your memory map above and look at it in WORD format: that is how HASP reads, it reads WORDs, not bytes; this should make it easier to understand.
Each WORD in this memory map is a cell, starting at cell #0.

0000 0000 0000 0000 0000 0000 0000 0000
0000 0000 0000 0000 0000 0000 0000 0000
0000 0000 0000 0000 0000 0000 0000 0000
0000 0000 0000 0000 0000 0000 0000 0000
0000 0000 0000 0000 0000 0000 0000 0000
0000 0000 0000 0000 0000 0000 0000 0000

Service 77: ReadBlock
ECX, EDX = Pass1,2
EAX = Buffer to put read words into
DI = Block length
SI = Start address (cell)

When it returns, the buffer in EAX will hold the 7 WORDs starting from cell #2, and ECX will be 0, since it's the error code.

Does this answer your question? now with the code I posted earlier you should be able to modify it a bit to make it work for the ReadBlock service.

I'm not really sure what service 68 is, can you tell me what parameters are pushed to this service?

goatass

CrackZ
June 19th, 2002, 22:57
Hiya,

The previous post isn't quite correct.

At haspreg():

EAX -> buffer to receive data.
ECX/EDX = pass1 / pass2.
ESI = block length.
EDI = address to start read from.

On return:

EAX = EDI.
EBX = block length.
ECX = status (0).
EDX = EAX.

At least this is the case for the latest drivers.

Service 68h or 68d? The only one that exists is 68d, i.e. 0x44, which is NetHASP ReadWord().

Regards

CrackZ.

hack3r2k
June 19th, 2002, 23:03
CrackZ i have a question ...


If I can't find the services enumerated in the last HASP manual (haspman4), then where can I find them!??


best regards,
.:hack3r2k:.

goatass
June 20th, 2002, 02:06
Thanks CrackZ, I tend to get SI and DI switched especially when I haven't worked on HASP protected apps lately.

goatass

hack3r2k
June 21st, 2002, 13:27
Hey goatass/CrackZ/ anyone !

Here is my emu routine for ReadBlock:

cmp bh, 4Dh                 ;ReadBlock()?
jnz next_service            ;no: fall through to the next check
;EAX -> buffer to receive data.
;ECX/EDX = pass1 / pass2.
;ESI = block length (in cells).
;EDI = cell to start reading from.
pushad
shl edi, 1                  ;a cell contains 2 bytes: cell index -> byte offset
shl esi, 1                  ;block length in cells -> number of bytes to read
mov ecx, esi                ;counter for rep movsb
mov esi, HaspMemory         ;HaspMemory holds the pointer returned by GlobalLock,
add esi, edi                ;so load the pointer first, then add the byte offset
mov edi, eax                ;destination: the caller's buffer
rep movsb
popad
mov edx, eax                ;EDX = buffer pointer on return
xor ecx, ecx                ;status 0 = OK
ret
next_service:

HaspMemory is a pointer to a memory block (512 bytes) allocated with the help of the GlobalAlloc and GlobalLock APIs (all memory is initially zero).


IS MY EMULATION ROUTINE FOR THIS SERVICE CORRECT? (I guess so, because at return EAX -> has the values read inside, and ECX = 0)


best regards,
.:hack3r2k:.

hack3r2k
June 21st, 2002, 19:52
Hi !


I just want to know if the routine above is OK......

BTW, for WriteBlock I just have to change:

mov esi, eax                ;source: the caller's buffer
add edi, HaspMemory         ;destination: pointer to the emulated memory + byte offset

That's all.

Bye (I know that it should be OK, but the program still shows "locked key").

Do I have to emulate the memory contents also???

bye, bye

haec_est
June 25th, 2002, 18:16
Quote:
Originally posted by hack3r2k
...
Do I have to emulate the memory contents also???
...

Hi!

..yes, you MUST emulate the memory contents; better if you can dump the memory.

For the read/write block routine I use a snippet of code from CrackZ's site (coded by cyberheg for the
Sentinel SPro key), slightly edited for HASP keys:

Code:
.hasp:00442097 r_w_block:                  ; CODE XREF: .hasp:00442021j
.hasp:00442097                             ; .hasp:00442026j
.hasp:00442097     mov ecx, esi
.hasp:00442099     shl ecx, 1              ; block length in words -> bytes to copy
.hasp:0044209B     call $+5
.hasp:004420A0     pop esi                 ; get eip
.hasp:004420A1     add esi, 1Ch            ; setup delta: 004420A0 + 1Ch = hasp_mem
.hasp:004420A4     shl edi, 1              ; start addr (cell) -> offset (bytes)
.hasp:004420A6     add esi, edi
.hasp:004420A8     lea edi, [eax]          ; get buffer
.hasp:004420AA     cmp bh, 32h             ; check read/write operation
.hasp:004420AD     jz short not_switch
.hasp:004420AF     xchg esi, edi           ; for write operation source is buffer
.hasp:004420B1 not_switch:                 ; CODE XREF: .hasp:004420ADj
.hasp:004420B1     rep movsb               ; read/write
.hasp:004420B3     mov edx, eax            ; reset par4 = lp_buffer
.hasp:004420B5     xor eax, eax            ; not used
.hasp:004420B7     xor ebx, ebx            ; not used
.hasp:004420B9     xor ecx, ecx            ; status ok
.hasp:004420BB     retn
.hasp:004420BB ; ---------------------------------------------------------------------------
.hasp:004420BC hasp_mem dw 0, 0, 0, 0, 0, 0, 0, 0
.hasp:004420BC          dw 0, 0, 0, 0, 0, 0, 0, 0
.hasp:004420BC          dw 0, 0, 0, 0, 0, 0, 0, 0
.hasp:004420BC          dw 0, 0, 0, 0, 0, 0, 0, 0
.hasp:004420BC          dw 0, 0, 0, 0, 0, 0, 0, 0
.hasp:004420BC          dw 0, 0, 0, ... and so on ...


Remember that a TIME4 key (HASP type = 5) also works with services 32h/33h of the MemoHASP (see the manual).

regards,
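
The register-level dispatch that this thread builds up by hand, as an added example in C. This is not code from any of the posters, from CrackZ's site or from the program being discussed: it models haspreg() as a function over a register block, dispatches on the service number in BH, and implements the services the HaspServicesSpy trace listed (1h, 5h, 47h, 49h, 4Ch, 4Dh, 4Eh) over a 256-cell (512-byte) memory image. The ReadBlock/WriteBlock register use follows CrackZ's description (EAX buffer, ECX/EDX passwords, ESI length, EDI start cell; EAX/EBX/ECX/EDX on return). It adds two checks none of the assembly snippets in the thread perform, a PWD1/PWD2 compare and a bounds check, so that a wrong password or an over-long block is refused instead of silently reading or clobbering memory. The key type (5), driver version, non-zero status codes, HaspID value and GetDate register order are assumptions of this example, marked as such in the code.

```c
/* Added example, not code from the thread or from the program it discusses:
 * a C model of the register-level HASP dispatch emulated above in assembly. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HASP_MEM_WORDS 256   /* TimeHASP: 512 bytes = 256 word-sized cells */

enum {                       /* service numbers the program loads into BH */
    SVC_ISHASP = 0x01, SVC_HASPSTATUS = 0x05, SVC_GETTIME = 0x47, SVC_GETDATE = 0x49,
    SVC_WRITEBLOCK = 0x4C, SVC_READBLOCK = 0x4D, SVC_HASPID = 0x4E
};
/* status left in ECX: 0 = OK as in HASP; the non-zero codes are assumed */
enum { ST_OK = 0, ST_BADPASS = 1, ST_RANGE = 2, ST_UNKNOWN = 3 };

/* registers haspreg() sees; 32-bit in the real driver, wide enough here for a host pointer */
typedef struct { uintptr_t eax, ebx, ecx, edx, esi, edi; } regs_t;

typedef struct {
    uint16_t mem[HASP_MEM_WORDS];   /* memory image (dump the real key into it) */
    uint32_t pass1, pass2;          /* PWD1/PWD2 the program passes in ECX/EDX */
    uint32_t id_lo, id_hi;          /* HaspID halves; keep them off 0:0 */
    int hour, minute, second, day, month, year;
    int last_unknown;               /* what HaspServicesSpy would have shown */
} hasp_emu_t;

void hasp_emu_init(hasp_emu_t *e, uint32_t pass1, uint32_t pass2)
{
    memset(e, 0, sizeof *e);
    e->pass1 = pass1;  e->pass2 = pass2;
    e->id_lo = 0x1234; e->id_hi = 0x0001;            /* assumed, arbitrary non-zero */
    e->hour = 10; e->minute = 10; e->second = 0;     /* fixed clock, for repeatability */
    e->day = 11;  e->month = 6;   e->year = 2002;
    e->last_unknown = -1;
}

/* Shared body of ReadBlock/WriteBlock: password check, bounds check, copy. */
static int block_xfer(hasp_emu_t *e, regs_t *r, int write)
{
    uint32_t start = (uint32_t)r->edi;     /* EDI = first cell */
    uint32_t len   = (uint32_t)r->esi;     /* ESI = block length in cells */
    uint16_t *buf  = (uint16_t *)r->eax;   /* EAX = caller's buffer */
    uint32_t status = ST_OK;

    if (r->ecx != e->pass1 || r->edx != e->pass2)
        status = ST_BADPASS;
    else if (start >= HASP_MEM_WORDS || len > HASP_MEM_WORDS - start)
        status = ST_RANGE;                 /* would run off the 512-byte image */
    else if (write)
        memcpy(&e->mem[start], buf, len * sizeof(uint16_t));
    else
        memcpy(buf, &e->mem[start], len * sizeof(uint16_t));

    /* on return: EAX = start, EBX = length, ECX = status, EDX = buffer */
    r->edx = r->eax;  r->eax = start;  r->ebx = len;  r->ecx = status;
    return (int)status;
}

/* The emulated haspreg(): dispatch on BH, return the status also left in ECX. */
int hasp_dispatch(hasp_emu_t *e, regs_t *r)
{
    int service = (int)((r->ebx >> 8) & 0xff);
    switch (service) {
    case SVC_ISHASP:                       /* key present: EAX = 1, rest cleared */
        r->eax = 1;  r->ebx = r->ecx = r->edx = 0;  return ST_OK;
    case SVC_HASPSTATUS:                   /* type 5 = TimeHASP-4 and driver version assumed */
        r->eax = 0;  r->ebx = 5;  r->ecx = 0x66;  r->edx = 0x0400;  return ST_OK;
    case SVC_GETTIME:                      /* same register order as the GetTime snippet */
        r->eax = e->second;  r->ebx = e->minute;  r->edx = e->hour;  r->ecx = 0;  return ST_OK;
    case SVC_GETDATE:                      /* register order assumed by analogy with GetTime */
        r->eax = e->day;  r->ebx = e->month;  r->edx = e->year;  r->ecx = 0;  return ST_OK;
    case SVC_HASPID:
        r->eax = e->id_lo;  r->ebx = e->id_hi;  r->ecx = 0;  return ST_OK;
    case SVC_READBLOCK:  return block_xfer(e, r, 0);
    case SVC_WRITEBLOCK: return block_xfer(e, r, 1);
    default:                               /* not emulated: record it instead of guessing */
        e->last_unknown = service;
        r->eax = r->ebx = r->edx = 0;  r->ecx = ST_UNKNOWN;  return ST_UNKNOWN;
    }
}

/* Wrappers that load the registers the way the program's haspreg() stub does. */
int hasp_read_block(hasp_emu_t *e, uint32_t cell, uint32_t words, uint16_t *buf, uint32_t p1, uint32_t p2)
{
    regs_t r = { (uintptr_t)buf, SVC_READBLOCK << 8, p1, p2, words, cell };
    return hasp_dispatch(e, &r);
}
int hasp_write_block(hasp_emu_t *e, uint32_t cell, uint32_t words, const uint16_t *buf, uint32_t p1, uint32_t p2)
{
    regs_t r = { (uintptr_t)buf, SVC_WRITEBLOCK << 8, p1, p2, words, cell };
    return hasp_dispatch(e, &r);
}

int main(void)
{
    hasp_emu_t e;
    uint16_t seed[3] = { 0x1111, 0x2222, 0x3333 };  /* constructed sample contents */
    uint16_t out[7];
    hasp_emu_init(&e, 0x2B83, 0x618F);              /* PWD1/PWD2 from the thread */
    hasp_write_block(&e, 2, 3, seed, 0x2B83, 0x618F);
    if (hasp_read_block(&e, 2, 7, out, 0x2B83, 0x618F) == ST_OK)
        for (int i = 0; i < 7; i++) printf("cell %d = %04X\n", 2 + i, out[i]);
    return 0;
}
```

The `default` branch is the HaspServicesSpy idea folded into the emulator: an unknown service code is recorded and answered with a non-zero status rather than with zeros that happen to look like success, which is how the 20h call earlier in the thread would have surfaced immediately. The negative-cell read tgodd mentions is a property of the real driver and is deliberately not modelled here; `ST_RANGE` is what a block starting below cell 0 or ending past cell 255 gets.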

tgodd
June 28th, 2002, 08:06
Try ReadBlock starting at -8 and increment your range by 8.
This will give you the entire memory range, including the HASP ID.