HASP services 32h and 6, and MD5?


Guybrush
March 15th, 2003, 12:44
I have a target that's protected with HASP.. it's my first HASP experience..

After reading a lot of tutorials I'm still not quite sure how it works.

When I start the program I get a nice message box that my HASP dongle is not found.
So I put a bpx on FreeEnvironmentStringsA and I'm near the haspcode.

Strange thing is, the first call is not with service 1 or 2.. it calls directly with service 32h and esi=38h, which means it will return a 38h block in eax after the call. ecx will hold an error code.

So I manually changed the returned block with some random stuff.. (not sure what to put here yet) and changed ecx to 0 (no error).

After that it will break another time with service 6, which will return the HASPID in ebx and edx, and the error in ecx.

And that's all; after that I found out it MD5 sums my HASPID I think.. and checks it. I manually changed the jumps but it still fails.

So I basically have 2 service calls (32h and 6) and some MD5 check but I'm not sure what to do.

I think I need to emulate the readblock, so it will be correct with the haspid.. but I haven't found where it makes the check...

hack3r2k
March 15th, 2003, 14:10
Hi !

If the program you are talking about is protected with HASP4 then you should forget about cracking it if you don't have the original dongle of the program or if you don't have the new algos for encrypting/decrypting... Anyway for the old one this is possible. I attached here the program+sources of my HASP services spy which I think you'll find useful.

Also take a look at this link:

http://www.woodmann.net/forum/showthread.php?s=&threadid=3342&highlight=hasp+services+spy

best regards,
.:hack3r2k:.

Guybrush
March 15th, 2003, 15:36
OK, how do I find out if it uses the new algo.. and why will it be impossible?

Also the program is enveloped because I can't disassemble it and it has .prot01-prot11 sections..

So I don't think I can use your spy in this case..

squidge
March 15th, 2003, 17:30
I may be wrong here, but I thought the HASP Enveloped programs actually used the dongle to decrypt parts of the code, so unless you know how to do this manually, it's pretty much impossible.

CrackZ
March 16th, 2003, 11:28
Hiya,

The section names don't sound as if they are the HASP envelope, since it's a single section and afaik there is no way to get the envelope program to create any more.

So I'd 'guess' you've got a regular HASP API target using a packer.

Service 32 (ReadBlock).

IN EAX->where returned data will be placed, ESI=block count, EDI=offset of read

OUT EAX->number of words read, ECX=status (0), EDX->EAX

Reading 38h=full 112 bytes, most probably this is a MemoHASP, look for checks (bpr on the returned data or fill it with 0xFFFF as a starting point).

Service 6 (HaspID).

OUT EAX=low part of ID, EBX=high part of ID, ECX=status(0), EDX=HASP API version

Don't touch EDX, it's not really used.

MD5 doesn't really come into this: the old HASP envelope used the MD5 hash result of the returns from HaspCode() as a decryption key, the new envelope uses HaspCode() internally (modified table) and the new 0x3D HaspDecodeData() FEAL service (which really only generates 64 or 128-bit data) for decryption. Either way your target doesn't sound like it's using these.

If you've got a target URL, I'll happily take a quick look.

Regards

CrackZ.