
haspms32.dll && Target, need help pleaz


OHPen
April 22nd, 2003, 19:20
Hi,

I'm working on a target which is protected by a HASP dongle.
It uses haspms32.dll.

After a short analysis in IDA I got some information:

.text:0056B4EC hasp proc near ; CODE XREF: sub_446D10+76p
.text:0056B4EC ; sub_446DD0+82p ...
.text:0056B4EC jmp ds:__imp_hasp
.text:0056B4EC hasp endp

The hasp() function is only called two times according to the X-Refs.

sub_446D10+76p

.text:00446D86 call hasp
.text:00446D8B mov eax, [ebp+var_8]
.text:00446D8E add eax, [ebp+var_C]
.text:00446D91 cmp eax, [ebx+6Ch]
.text:00446D94 jz short loc_446D9A
.text:00446D96 xor eax, eax
.text:00446D98 jmp short Bad_Boy
.text:00446D9A ; ---------------------------------------------------------------------------
.text:00446D9A
.text:00446D9A loc_446D9A: ; CODE XREF: sub_446D10+84j
.text:00446D9A mov edx, dword_5C7B7C[esi*4]
.text:00446DA1 mov eax, [edx+8]
.text:00446DA4 sub eax, [ebp+var_4]
.text:00446DA7 cmp edi, [ebx+68h]
.text:00446DAA jnz short loc_446DB0
.text:00446DAC xor eax, eax
.text:00446DAE jmp short Bad_Boy
.text:00446DB0 ; ---------------------------------------------------------------------------
.text:00446DB0
.text:00446DB0 loc_446DB0: ; CODE XREF: sub_446D10+9Aj
.text:00446DB0 lea edx, [eax+edi]
.text:00446DB3 cmp edx, [ebx+68h]
.text:00446DB6 jle short loc_446DBC
.text:00446DB8 xor eax, eax
.text:00446DBA jmp short Bad_Boy
.text:00446DBC ; ---------------------------------------------------------------------------
.text:00446DBC
.text:00446DBC loc_446DBC: ; CODE XREF: sub_446D10+A6j
.text:00446DBC add edi, eax
.text:00446DBE cmp edi, [ebx+68h]
.text:00446DC1 jz short loc_446DC7
.text:00446DC3 xor eax, eax
.text:00446DC5 jmp short Bad_Boy
.text:00446DC7 ; ---------------------------------------------------------------------------
.text:00446DC7
.text:00446DC7 loc_446DC7: ; CODE XREF: sub_446D10+B1j
.text:00446DC7 mov al, 1
.text:00446DC9
.text:00446DC9 Bad_Boy: ; CODE XREF: sub_446D10+88j
.text:00446DC9 ; sub_446D10+9Ej ...
.text:00446DC9 pop edi
.text:00446DCA pop esi
.text:00446DCB pop ebx
.text:00446DCC mov esp, ebp
.text:00446DCE pop ebp
.text:00446DCF retn
.text:00446DCF sub_446D10 endp



sub_446DD0+82p

.text:00446E52 call hasp
.text:00446E57 mov eax, [ebx]
.text:00446E59 add eax, 70h
.text:00446E5C push eax
.text:00446E5D mov edx, [ebx]
.text:00446E5F add edx, 6Ch
.text:00446E62 push edx
.text:00446E63 mov ecx, [ebx]
.text:00446E65 add ecx, 68h
.text:00446E68 push ecx
.text:00446E69 mov eax, [ebx]
.text:00446E6B add eax, 64h
.text:00446E6E push eax
.text:00446E6F mov edx, [ebx]
.text:00446E71 push dword ptr [edx+58h]
.text:00446E74 mov ecx, [ebx]
.text:00446E76 push dword ptr [ecx+54h]
.text:00446E79 mov eax, [ebx]
.text:00446E7B push dword ptr [eax+8Ch]
.text:00446E81 mov edx, [ebx]
.text:00446E83 push dword ptr [edx+60h]
.text:00446E86 push 5
.text:00446E88 call hasp
.text:00446E8D mov ecx, [ebx]
.text:00446E8F mov word ptr [ecx+0Eh], 0
.text:00446E95 mov dword ptr [esi], offset unk_57F4CC
.text:00446E9B mov dword ptr [esi+4], offset unk_5AEA3C
.text:00446EA2 mov dword ptr [esi+8], offset unk_57F4E0
.text:00446EA9 mov dword ptr [esi+0Ch], offset unk_57F4F4
.text:00446EB0 mov dword ptr [esi+10h], offset unk_57F508
.text:00446EB7 mov dword ptr [esi+14h], offset unk_5AEA50
.text:00446EBE mov dword ptr [esi+18h], offset unk_5AEA64
.text:00446EC5 mov dword ptr [esi+1Ch], offset unk_5AEA78
.text:00446ECC mov dword ptr [esi+20h], offset unk_57F51C
.text:00446ED3 mov dword ptr [esi+24h], offset unk_57F530
.text:00446EDA mov dword ptr [esi+28h], offset unk_57F544
.text:00446EE1 mov dword ptr [esi+2Ch], offset unk_57F558
.text:00446EE8 mov eax, [ebp+var_24]
.text:00446EEB mov large fs:0, eax
.text:00446EF1 mov eax, [ebx]
.text:00446EF3 pop esi
.text:00446EF4 pop ebx
.text:00446EF5 mov esp, ebp
.text:00446EF7 pop ebp
.text:00446EF8 retn
.text:00446EF8 sub_446DD0 endp


These are the locations hasp() is called from.

Then I tried to patch it, like it is described in Defiler's & CrackZ's essay, but I wasn't able to reconstruct the way they beat it on my target.

I tried to break with sice on this location:

.text:00446D94 jz short loc_446D9A

but sice doesn't. I don't know why!?

Other Question:

.text:00446D82 push dword ptr [edx]
.text:00446D84 push 2
.text:00446D86 call hasp
.text:00446D8B mov eax, [ebp+var_8]

Is HASP service 2 called there? I think so, but actually I'm not sure.

Hope someone can help me to understand this target,

thx in advance,

OHPen

naides
April 23rd, 2003, 07:45
Quote:
Originally posted by OHPen
Hi,

I'm working on a target which is protected by a HASP dongle.
It uses haspms32.dll.

After a short analysis in IDA I got some information:

.text:0056B4EC hasp proc near ; CODE XREF: sub_446D10+76p
.text:0056B4EC ; sub_446DD0+82p ...
.text:0056B4EC jmp ds:__imp_hasp
.text:0056B4EC hasp endp

The hasp() function is only called two times according to the X-Refs.

sub_446D10+76p

.text:00446D86 call hasp
.text:00446D8B mov eax, [ebp+var_8]
.text:00446D8E add eax, [ebp+var_C]
.text:00446D91 cmp eax, [ebx+6Ch]
.text:00446D94 jz short loc_446D9A
.text:00446D96 xor eax, eax
.text:00446D98 jmp short Bad_Boy
.text:00446D9A ; ---------------------------------------------------------------------------
.text:00446D9A
.text:00446D9A loc_446D9A: ; CODE XREF: sub_446D10+84j
.text:00446D9A mov edx, dword_5C7B7C[esi*4]
.text:00446DA1 mov eax, [edx+8]
.text:00446DA4 sub eax, [ebp+var_4]
.text:00446DA7 cmp edi, [ebx+68h]
.text:00446DAA jnz short loc_446DB0
.text:00446DAC xor eax, eax
.text:00446DAE jmp short Bad_Boy
.text:00446DB0 ; ---------------------------------------------------------------------------
.text:00446DB0
.text:00446DB0 loc_446DB0: ; CODE XREF: sub_446D10+9Aj
.text:00446DB0 lea edx, [eax+edi]
.text:00446DB3 cmp edx, [ebx+68h]
.text:00446DB6 jle short loc_446DBC
.text:00446DB8 xor eax, eax
.text:00446DBA jmp short Bad_Boy
.text:00446DBC ; ---------------------------------------------------------------------------
.text:00446DBC
.text:00446DBC loc_446DBC: ; CODE XREF: sub_446D10+A6j
.text:00446DBC add edi, eax
.text:00446DBE cmp edi, [ebx+68h]
.text:00446DC1 jz short loc_446DC7
.text:00446DC3 xor eax, eax
.text:00446DC5 jmp short Bad_Boy
.text:00446DC7 ; ---------------------------------------------------------------------------
.text:00446DC7
.text:00446DC7 loc_446DC7: ; CODE XREF: sub_446D10+B1j
.text:00446DC7 mov al, 1
.text:00446DC9
.text:00446DC9 Bad_Boy: ; CODE XREF: sub_446D10+88j
.text:00446DC9 ; sub_446D10+9Ej ...
.text:00446DC9 pop edi
.text:00446DCA pop esi
.text:00446DCB pop ebx
.text:00446DCC mov esp, ebp
.text:00446DCE pop ebp
.text:00446DCF retn
.text:00446DCF sub_446D10 endp



Appears to be checking the HASP call return values, present in the STACK (EBP+C, EBP+8, EBP+4) with some simple math manipulations against values present in a table pointed by EBP+68, EBP+C, etc. The function itself does not set up flags outside its own code, and patching it to always return 01 in eax should suffice.



sub_446DD0+82p



You need to analyse the setup of addresses that happens before the HASP function is called.

.text:00446E52 call hasp
.text:00446E57 mov eax, [ebx]

Does [ebx] point to a value returned from the HASP call?



.text:00446E59 add eax, 70h


It is pushing into the stack values contained in a table pointed by ebx.



.text:00446E5C push eax
.text:00446E5D mov edx, [ebx]
.text:00446E5F add edx, 6Ch
.text:00446E62 push edx
.text:00446E63 mov ecx, [ebx]
.text:00446E65 add ecx, 68h
.text:00446E68 push ecx
.text:00446E69 mov eax, [ebx]
.text:00446E6B add eax, 64h
.text:00446E6E push eax
.text:00446E6F mov edx, [ebx]
.text:00446E71 push dword ptr [edx+58h]
.text:00446E74 mov ecx, [ebx]
.text:00446E76 push dword ptr [ecx+54h]
.text:00446E79 mov eax, [ebx]
.text:00446E7B push dword ptr [eax+8Ch]
.text:00446E81 mov edx, [ebx]
.text:00446E83 push dword ptr [edx+60h]
.text:00446E86 push 5

HASP service 5


.text:00446E88 call hasp
.text:00446E8D mov ecx, [ebx]
.text:00446E8F mov word ptr [ecx+0Eh], 0


It is setting up a flag as 0.


.text:00446E95 mov dword ptr [esi], offset unk_57F4CC
.text:00446E9B mov dword ptr [esi+4], offset unk_5AEA3C
.text:00446EA2 mov dword ptr [esi+8], offset unk_57F4E0
.text:00446EA9 mov dword ptr [esi+0Ch], offset unk_57F4F4
.text:00446EB0 mov dword ptr [esi+10h], offset unk_57F508
.text:00446EB7 mov dword ptr [esi+14h], offset unk_5AEA50
.text:00446EBE mov dword ptr [esi+18h], offset unk_5AEA64
.text:00446EC5 mov dword ptr [esi+1Ch], offset unk_5AEA78
.text:00446ECC mov dword ptr [esi+20h], offset unk_57F51C
.text:00446ED3 mov dword ptr [esi+24h], offset unk_57F530
.text:00446EDA mov dword ptr [esi+28h], offset unk_57F544
.text:00446EE1 mov dword ptr [esi+2Ch], offset unk_57F558

You need to know where the return values of the HASP call get stored. I suspect they are at the offsets 57f30 etc. and get moved to a table pointed by esi (+0c, +12, etc.) and get validated later in the code. Now you need to find out how and where.





.text:00446EE8 mov eax, [ebp+var_24]
.text:00446EEB mov large fs:0, eax
.text:00446EF1 mov eax, [ebx]
.text:00446EF3 pop esi
.text:00446EF4 pop ebx
.text:00446EF5 mov esp, ebp
.text:00446EF7 pop ebp
.text:00446EF8 retn
.text:00446EF8 sub_446DD0 endp






These are the locations hasp() is called from.

Then I tried to patch it, like it is described in Defiler's & CrackZ's essay, but I wasn't able to reconstruct the way they beat it on my target.

I tried to break with sice on this location:



.text:00446D94 jz short loc_446D9A

Maybe you already failed a check and this code is never run through the CPU, so the BPX does not break.


but sice doesn't. I don't know why!?

Other Question:

.text:00446D82 push dword ptr [edx]
.text:00446D84 push 2
.text:00446D86 call hasp
.text:00446D8B mov eax, [ebp+var_8]

Is HASP service 2 called there? I think so, but actually I'm not sure.

YES, service call 2.



Hope someone can help me to understand this target,

thx in advance,

OHPen

OHPen
April 23rd, 2003, 11:28
First, naides, thx for your help.

But I still have questions, unfortunately; you know I'm a newbie and that's the point ;(

Okay let's start:



NAIDES :> Appears to be checking the HASP call return values, present in the STACK (EBP+C, EBP+8 , EBP+4) with some simple math manipulations against values present in a table pointed by EBP+68, EBP+C, etc.

Where in the code is that indicated? I can't find any (EBP+C, EBP+8, EBP+4) in this part of the code!? Am I blind!? I hope not...

NAIDES :> You need to analyse the setup of addresses that happens before the HASP function is called.

.text:00446DE5 call @__InitExceptBlockLDTC
.text:00446DEA mov [ebp+var_14], 8
.text:00446DF0 mov edx, [ebx]
.text:00446DF2 mov dword ptr [edx+54h], 2611h
.text:00446DF9 mov ecx, [ebx]
.text:00446DFB mov dword ptr [ecx+58h], 4B21h
.text:00446E02 mov eax, [ebx]
.text:00446E04 mov dword ptr [eax+60h], 64h
.text:00446E0B mov edx, [ebx]
.text:00446E0D mov dword ptr [edx+5Ch], 1
.text:00446E14 mov ecx, [ebx]
.text:00446E16 xor eax, eax
.text:00446E18 mov [ecx+8Ch], eax
.text:00446E1E mov edx, [ebx]
.text:00446E20 add edx, 70h
.text:00446E23 push edx
.text:00446E24 mov ecx, [ebx]
.text:00446E26 add ecx, 6Ch
.text:00446E29 push ecx
.text:00446E2A mov eax, [ebx]
.text:00446E2C add eax, 68h
.text:00446E2F push eax
.text:00446E30 mov edx, [ebx]
.text:00446E32 add edx, 88h
.text:00446E38 push edx
.text:00446E39 mov ecx, [ebx]
.text:00446E3B push dword ptr [ecx+58h]
.text:00446E3E mov eax, [ebx]
.text:00446E40 push dword ptr [eax+54h]
.text:00446E43 mov edx, [ebx]
.text:00446E45 push dword ptr [edx+8Ch]
.text:00446E4B mov ecx, [ebx]
.text:00446E4D push dword ptr [ecx+60h]
.text:00446E50 push 1
.text:00446E52 call hasp > hasp() called
.text:00446E57 mov eax, [ebx]
.text:00446E59 add eax, 70h
.text:00446E5C push eax
.text:00446E5D mov edx, [ebx]
.text:00446E5F add edx, 6Ch
.text:00446E62 push edx
.text:00446E63 mov ecx, [ebx]
.text:00446E65 add ecx, 68h
.text:00446E68 push ecx
.text:00446E69 mov eax, [ebx]
.text:00446E6B add eax, 64h
.text:00446E6E push eax
.text:00446E6F mov edx, [ebx]
.text:00446E71 push dword ptr [edx+58h]
.text:00446E74 mov ecx, [ebx]
.text:00446E76 push dword ptr [ecx+54h]
.text:00446E79 mov eax, [ebx]
.text:00446E7B push dword ptr [eax+8Ch]
.text:00446E81 mov edx, [ebx]
.text:00446E83 push dword ptr [edx+60h]
.text:00446E86 push 5
.text:00446E88 call hasp > hasp() called
.text:00446E8D mov ecx, [ebx]

So that's the code before the hasp() routine is called, but I don't get along with the code. I only see that HASP services 1 and 5 are called, but what about the params before? What exactly do they do?

NAIDES :> Does [ebx] point to a value returned from the HASP call?

I don't think so, maybe it points to some kind of a table!? I'm not sure atm.

Look at this:

.text:00446E39 mov ecx, [ebx]
.text:00446E3B push dword ptr [ecx+58h]
.text:00446E3E mov eax, [ebx]
.text:00446E40 push dword ptr [eax+54h]
.text:00446E43 mov edx, [ebx]
.text:00446E45 push dword ptr [edx+8Ch]
.text:00446E4B mov ecx, [ebx]
.text:00446E4D push dword ptr [ecx+60h]

These values are pushed before Service 1 and Service 5. I know Service 1 is run to check whether the dongle is connected or not, but what about Service 5?


NAIDES :> It is setting up a flag as 0.

But what is this flag for? That the dongle returned false values?

NAIDES :> You need to know where the return values of the HASP call get stored. I suspect they are at the offsets 57f30 etc. and get moved to a table pointed by esi (+0c, +12, etc.) and get validated later in the code. Now you need to find out how and where.

Where have you found the offset 57f30 in here?

.text:00446E95 mov dword ptr [esi], offset unk_57F4CC
.text:00446E9B mov dword ptr [esi+4], offset unk_5AEA3C
.text:00446EA2 mov dword ptr [esi+8], offset unk_57F4E0
.text:00446EA9 mov dword ptr [esi+0Ch], offset unk_57F4F4
.text:00446EB0 mov dword ptr [esi+10h], offset unk_57F508
.text:00446EB7 mov dword ptr [esi+14h], offset unk_5AEA50
.text:00446EBE mov dword ptr [esi+18h], offset unk_5AEA64
.text:00446EC5 mov dword ptr [esi+1Ch], offset unk_5AEA78
.text:00446ECC mov dword ptr [esi+20h], offset unk_57F51C
.text:00446ED3 mov dword ptr [esi+24h], offset unk_57F530
.text:00446EDA mov dword ptr [esi+28h], offset unk_57F544
.text:00446EE1 mov dword ptr [esi+2Ch], offset unk_57F558

??? I can't see it here. The values you suspect to be at this offset, are these the correct return values? Or my fake values?


NAIDES :> Maybe you already failed a check and this code is never run through the CPU, so the BPX does not break.

I'm sure you are right. Maybe I have forgotten something before; I will check this.


Yeah man, I know, lots of questions, but the day I have learned it I will never ask again, I promise.

THX

OHPen

Hopcode
April 23rd, 2003, 12:56
Hey

Where in the code is that indicated? I can't find any (EBP+C, EBP+8, EBP+4) in this part of the code!? Am I blind!? I hope not...

You are not blind, but I guess he meant:

.text:00446D8B mov eax, [ebp+var_8] ; EBP+8

.text:00446D8E add eax, [ebp+var_C] ; EBP+C

.text:00446DA4 sub eax, [ebp+var_4] ; EBP+4

Those var_ names: if you look at your function start, you will find
what those values are equal to.
In that case at least, it's pretty clear.

These values are pushed before Service 1 and Service 5. I know Service 1 is run to check whether the dongle is connected or not, but what about Service 5?

I suggest you grab the files that describe each service.
Did you look at CrackZ's site?

Hasp service 5 is : HaspStatus.

Its parameters are the service number, the port number, password 1 and password 2; search for more info.


Where have you found the offset 57f30 in here?

I suspect he did a typo.

.text:00446ED3 mov dword ptr [esi+24h], offset unk_57F530

57F30 and 57F530 look a lot alike.
Think a bit, please.

I leave the other replies to naides.
I haven't played with HASP for some time now.

HopCode
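To make the "simple math manipulations" naides describes and the var_ locals Hopcode points at explicit, here is a C rendering of the instructions in sub_446D10 between `call hasp` and `retn` (00446D8B..00446DCF). This is an added illustration by the editor, not code from the thread or from the target. It assumes IDA's var_4, var_8 and var_C are the frame locals at [ebp-4], [ebp-8] and [ebp-0Ch] (IDA names negative frame offsets var_N), and models the object at [ebx] and the table entry at dword_5C7B7C[esi*4] as constructed structs holding only the fields the routine reads; every sample value is constructed, none comes from the target.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed model of the frame locals the routine reads.
 * IDA's var_4 / var_8 / var_C are [ebp-4] / [ebp-8] / [ebp-0Ch]. */
struct frame_locals {
    int32_t var_4;
    int32_t var_8;
    int32_t var_C;
};

/* Constructed model of the object EBX points at; only the two fields
 * the routine compares against (offsets 68h and 6Ch) are modelled. */
struct ebx_obj {
    int32_t field_68;   /* [ebx+68h] */
    int32_t field_6C;   /* [ebx+6Ch] */
};

/* Models 00446D8B..00446DC7 of sub_446D10.
 *   entry_8 : the dword at [edx+8], where edx = dword_5C7B7C[esi*4]
 *   edi     : the value EDI holds when the routine reaches this point
 * Returns the AL value that reaches `retn`: 1 only if every check falls
 * through, 0 on the first branch to Bad_Boy. */
int sub_446D10_tail(const struct frame_locals *f, const struct ebx_obj *o,
                    int32_t entry_8, int32_t edi)
{
    int32_t eax = f->var_8 + f->var_C;   /* 00446D8B mov / 00446D8E add */
    if (eax != o->field_6C)              /* 00446D91 cmp, 00446D94 jz   */
        return 0;                        /* 00446D96 xor eax,eax -> Bad_Boy */

    eax = entry_8 - f->var_4;            /* 00446D9A..00446DA4 */
    if (edi == o->field_68)              /* 00446DA7 cmp, 00446DAA jnz  */
        return 0;                        /* equality is the failing case */

    int32_t edx = eax + edi;             /* 00446DB0 lea edx,[eax+edi]  */
    if (edx > o->field_68)               /* 00446DB3 cmp, 00446DB6 jle (signed) */
        return 0;

    edi += eax;                          /* 00446DBC add edi,eax        */
    if (edi != o->field_68)              /* 00446DBE cmp, 00446DC1 jz   */
        return 0;

    return 1;                            /* 00446DC7 mov al,1           */
}

int main(void)
{
    /* Constructed inputs that satisfy all four checks:
     * 3+4 == 7, edi(5) != 13, 8+5 <= 13, 5+8 == 13 */
    struct frame_locals f = { .var_4 = 2, .var_8 = 3, .var_C = 4 };
    struct ebx_obj o = { .field_68 = 13, .field_6C = 7 };
    printf("all checks pass -> al = %d\n", sub_446D10_tail(&f, &o, 10, 5));

    /* Same inputs with field_6C off by one: the first compare fails. */
    o.field_6C = 8;
    printf("first compare fails -> al = %d\n", sub_446D10_tail(&f, &o, 10, 5));
    return 0;
}
```

Reading the tail this way shows that the second, third and fourth checks together require `[edx+8] - var_4 + edi` to equal `[ebx+68h]` exactly while `edi` itself differs from it, which is what an analyst confirms by stepping the routine with a breakpoint before the first `cmp` rather than on a `jz` that may never be reached.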

CrackZ
April 23rd, 2003, 17:15
Hiya,

As a suggestion, I would advise tracing below the hasp() export you have and finding the haspreg() code; this might give you a better idea of (i) where your return codes are on the stack and (ii) all of the HASP service parameters.

Regards

CrackZ.

OHPen
April 23rd, 2003, 17:23
THX CrackZ,

but is the function you are talking about always called haspreg()?

'Cause I haven't found any other imports used by this app.

greets,

OHPen