VXD vagaries


LaptoniC
September 16th, 2003, 18:05
I am trying to remove the time-limit protection of brstudio's HASP emulator, W9x version. VxD code is harder to follow because it jumps to or calls functions with code of the type below:
Code:

push ebp
call $+5            ; pushes the address of the following pop
pop ebp             ; ebp = address of this instruction
lea ebp,[ebp+12h]   ; ebp = that address + 12h
call ebp

or

push offset xxxxxxx
push ebp
push eax
call $+5
pop ebp
lea ebp,[ebp-15h]   ; ebp = address of the pop - 15h
call ebp

etc.


After 30 minutes the VxD disables itself and the emulator no longer works. I have found three time functions in the VxD:

C00105C5:
VMMCall Get_System_Time
patched to: mov eax,0

C0006A84:
Int 21h, AH=2Ah via Exec_VxD_Int   ; GET SYSTEM DATE
patched to:
xor ecx,ecx
xor edx,edx

C00067E:
Int 21h, AH=2Ch via Exec_VxD_Int   ; GET SYSTEM TIME
same as above

The emulator EXE always shows 29 minutes remaining in the about box, but after 29-30 minutes the VxD disables itself. Could you help me with this?

PS: I have some problems with bpx on the VxD. I have tried bpx hasp95dll+xxxxx but it doesn't break.

Thanks.
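The `call $+5 / pop reg / lea reg,[reg+disp]` idiom above is how a relocatable VxD computes a code address at run time, and a disassembler shows the following `call ebp` with no target. As an added example (not code from the post or from the emulator), here is a scanner that finds that idiom in raw code bytes and does the arithmetic; the load address and the `push offset` immediate in the sample bytes are made up.

```python
"""
Resolve the `call $+5 / pop reg / lea reg,[reg+disp]` idiom statically.

    call $+5            ; E8 00 00 00 00 : pushes the address of the next instruction
    pop  ebp            ; 5D             : ebp = address of this pop
    lea  ebp,[ebp+12h]  ; 8D 6D 12       : ebp = (address of the pop) + 12h
    call ebp            ; FF D5          : target = address of the pop + 12h
"""
import struct

REG_NAMES = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]


def _same_reg_lea(code, j, reg):
    """If code[j:] is `lea reg,[reg+disp8|disp32]`, return disp, else None."""
    if j + 2 > len(code) or code[j] != 0x8D:
        return None
    modrm = code[j + 1]
    mod, r, rm = modrm >> 6, (modrm >> 3) & 7, modrm & 7
    if r != reg or rm != reg:
        return None
    if mod == 1 and j + 3 <= len(code):            # disp8
        return struct.unpack("<b", code[j + 2:j + 3])[0]
    if mod == 2 and j + 6 <= len(code):            # disp32
        return struct.unpack("<i", code[j + 2:j + 6])[0]
    return None


def resolve_pic_calls(code, base):
    """Return [(call_site, reg_name, effective_target), ...].

    `code` is raw code bytes, `base` the virtual address of code[0].
    Only the pop-then-lea shape is matched. This is a linear byte scan, so
    E8 00 00 00 00 inside data can match too; treat results as candidates.
    """
    hits = []
    i = 0
    while i + 6 <= len(code):
        if code[i] != 0xE8 or code[i + 1:i + 5] != b"\x00\x00\x00\x00":
            i += 1
            continue
        pop_op = code[i + 5]
        if not 0x58 <= pop_op <= 0x5F or pop_op == 0x5C:   # pop r32 (esp needs SIB, skip)
            i += 1
            continue
        reg = pop_op - 0x58
        ret_addr = base + i + 5          # what `call $+5` pushed = address of the pop
        disp = _same_reg_lea(code, i + 6, reg)
        target = ret_addr + (disp if disp is not None else 0)
        hits.append((base + i, REG_NAMES[reg], target & 0xFFFFFFFF))
        i += 6
    return hits


# Constructed sample: the two fragments from the post assembled back to back
# at a made-up load address; the `push offset` immediate is a placeholder.
SAMPLE_BASE = 0xC0010000
SAMPLE = bytes([
    0x55,                               # push ebp
    0xE8, 0x00, 0x00, 0x00, 0x00,       # call $+5
    0x5D,                               # pop ebp
    0x8D, 0x6D, 0x12,                   # lea ebp,[ebp+12h]
    0xFF, 0xD5,                         # call ebp
]) + b"\x90" * 20 + bytes([
    0x68, 0x78, 0x56, 0x34, 0x12,       # push offset xxxxxxx (placeholder imm32)
    0x55,                               # push ebp
    0x50,                               # push eax
    0xE8, 0x00, 0x00, 0x00, 0x00,       # call $+5
    0x5D,                               # pop ebp
    0x8D, 0x6D, 0xEB,                   # lea ebp,[ebp-15h]
    0xFF, 0xD5,                         # call ebp
])

if __name__ == "__main__":
    for site, reg, target in resolve_pic_calls(SAMPLE, SAMPLE_BASE):
        print(f"{site:08X}: call {reg} -> {target:08X}")
```

For the first fragment the pushed return address is the `pop` at C0010006, so `call ebp` really goes to C0010018; for the second, the negative displacement lands 10h bytes before its own `call $+5`. The same arithmetic works in an IDA script: read the bytes at the `call $+5`, add 5, then add the `lea` displacement, and rename or comment the resulting address.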

qweasdzxc
September 16th, 2003, 21:42
It sounds like you have disabled the display of the time changing, but the clock is still running somewhere else.

Look for amounts of time: milliseconds, seconds, minutes.
Or look for GetTickCount; you might find a section of code that counts down/up to your limit.

CrackZ
September 19th, 2003, 15:22
Hiya,

1. There is a release (so they say, time de-limited) of this emulator out there, so you can do a simple fc /b listing to find out what has been patched; sounds like you are hunting around the right areas though.

2. Don't use bpx-style breakpoints. You need to use bpmb <address> x style ones instead; find the control_proc address in SoftICE with the command vxd hasp95dl and bpmb there, or set your bpmb's once you reach there.

3. A requirement of any (old-style) HASP emulator is that it takes over the INT 6 handler; depending on how the emulator is implemented, certain functions that call the invalid-opcode handler disable breakpoints, which can be VERY tedious.

4. I'll probably have a trace of the code sometime and post a little more. In the interim, if you can set i3here on in SoftICE, drop me an e-mail and I'll send you my drivers to *play with*. As far as I know mine are now the only ones supporting the new-style Hardlock communication routines ;-).

Regards

CrackZ.

LaptoniC
September 19th, 2003, 20:57
Hi CrackZ,
Thanks for replying. My real interest isn't HASP3 protection; as we know, it is dead. I just want to learn how to reverse VxDs, how to put breakpoints, and how good its protection is.

Someone (thanks) from the board sent me that cracked version. I looked and saw that it only patches VMMCall Get_System_Time. I tried that one and it doesn't work after 30 minutes.
I will try your bpm tip.

I have your old version of the emulator + source from before you took it off the web, saying that it had a bug.

I'd appreciate it if you'd let me know if you find out how this program knows the time; I really wonder.

Best Regards

separator
September 20th, 2003, 00:17
CrackZ: Did you check their web page? I found something like this: "For October 1, 2003 it is planned to first release HASP Emulator Professional Edition V 2.33.A001.
The emulator will completely support all functions of the HASP4 dongle, including 3C-HaspEncodeData and 3D-HaspDecodeData, and complete support for HASP through the HARDLOCK driver."

I think it's pretty interesting. If it's true, then I think HASP is dead.

CrackZ
September 20th, 2003, 07:37
Hiya separator et al,

I hadn't seen this post, so I just checked it out; looks like Glasha has also released his previous emulators (minus the time restriction) for public download (not verified this though, since I never needed anyone else's emulator ;-) ). LaptoniC, I guess this reduces studying his time-trial protection to a trivial / interesting pastime.

It will be interesting to see what actually materialises. From what I can see this guy is looking to make money off his HASP emulator; it doesn't take a rocket scientist to figure out that by disclosing the encode/decode services he is effectively giving away everything of value. I'll be one of the first just to plug the algorithms into my current Hardlock/HASP emulator and make them public; the scene will be hot on my tail, I'm sure.

As background, about 18 months ago I heard from a guy who said these services had been broken; no enquiry since then has ever received a reply or anything plausible in the details. That's unusual (at least in my experience), so I'm maintaining a little scepticism about all of this.

These guys could save themselves much work if they just disclosed the algorithm. I'm assuming they must have it; I'd happily share then the code I'm using for the Hardlock emu (since they are probably doing lots of tedious tracing to uncover what in reality is a very simple decryption).

Regards

CrackZ.

PS - I received a few e-mails from Glasha a while back, but he never really came out and asked me for anything; struck me as odd, almost as if he didn't think I'd know who he was ;-).

LaptoniC
September 20th, 2003, 11:14
CrackZ, the time limit exists. I don't know where you got the impression of "minus time limit". I like the GUI of this program and the small utility inside called secret table finder. AFAIK, HASP4 uses the same algo but has a different secret table than HASP3, so with enough seed and return values one can get the secret table. After we get the secret table we can emulate everything except 3C and 3D. Please correct me if I am wrong.

CrackZ
September 20th, 2003, 14:27
LaptoniC,

I'll download and take a look; when I'd looked before, Glasha had always *advertised* the time limit, and when I checked today it was no longer present, hence the assumption ;-).

Your theory is correct for the HaspCode() implementation. HASP4 = HASP3 (different secret table); exefoliator published a paper a while back regarding utilising some known HaspCode() responses to recover it, 2 or 3 are usually sufficient. There are AFAIK no direct secret table readers for HASP 4; actually that might be incorrect, since I remember someone telling me HASPGrab could do it, but it never worked for me.

All this is kind of irrelevant, since the target is the HASP 4 envelope, and that requires knowledge of the encrypt/decrypt services, which look to me to be very simple block ciphers.

Regards

CrackZ.

separator
September 22nd, 2003, 12:09
CrackZ: We will see very soon. They will release their new one on 1st October. If they know how to emulate these functions, then I think the envelope will be broken too. But I don't know if they will release a public trial version, because I think many other people would then create emulators. If they do, then someone will publish HASP's enc/dec algo and HASP is really dead (until a new version).
Btw: I heard some time ago that some people in Russia can create fake HASP4 dongles. You just send them one dongle and they will create fake dongles, of course for money. I didn't believe it until two weeks ago, because since then I have had one of these fake dongles and it worked nicely (with the envelope too).

Goudurix
March 4th, 2004, 05:36
Hi,

I visited Glasha's site
http://www.brstudio.com/Keys/eFAQ.htm
Look at this:
Code:
The emulator supports only calls to the HASP dongle through the HARDLOCK driver.

This is what I need, I think; my emulator doesn't work since the new release of the software I use (Windev),
and after my research I found that it was the calls through Hardlock that don't work.

I mailed Glasha to get his emulator, huhu, here is his answer:
Code:
HASP Emulator Professional Edition does not have Demo or Trial versions!
Now, in the new emulator the policy of registration has changed.
The emulator is tied to the computer, i.e. it works only
on the computer on which registration is received.

Costs:
1 license (one computer) - $250
5 licenses - $500
10 licenses - $900


This guy is nice, but at that price I'd buy another dongle.

@CrackZ: need help to develop a free emu? I can spend my time on this, but my knowledge of device drivers is limited...

Excuse my English, I'm French ^^

CrackZ
March 4th, 2004, 19:42
Hiya Goudurix,

I posted a long time ago, actually about 9 months ago maybe, about the new HASP communication routines; sparing you the nitty-gritty details, it went something like this. A few years back Aladdin set about "merging" the HASP & Hardlock technologies (remember a few old posts asking why hardlock.* got installed by the HASP drivers?); well, that's when they probably had the idea (conveniently it would break most of the HASP emulators too ;-) ).

The first implementation of this merging had a really bad weakness: only a structure got passed in by the HASP side to the Hardlock driver, so one could still emulate on the HASP side and / or call Hardlock for the original routines.

In API 12.0 (June 2003) or so Aladdin finally merged everything into Hardlock; the HASP drivers now exist solely to support backwards compatibility (old INT 6 handler), and even these routines end up inside Hardlock (but can still be emulated in the old manner).

The Hardlock drivers are heavily obfuscated; in fact I think Glasha has probably borrowed a trick or two from them. I can't say much publicly about the contents of his commercial emulator on this board ;-).

I undertook a project to de-obfuscate the Hardlock drivers a long time ago; the API encryption they use is amazingly simple. I actually still have very good IDA listings for them now, without any of the junking/anti-disassembling/stupid tricks.

Favourites of mine include:

xor eax, eax
jb _some_stupid_location   ; obviously never happens: xor clears CF

Masses of:

jnz _location
jz $+4                     ; hops over the junk below
junk opcodes in here
jz _location               ; taken whenever the jnz wasn't, so it's really jmp _location

And yet more fabulous anti-hacking technology:

xchg eax, ebx
xchg ebx, eax              ; cancels the previous xchg
shl ebx, 40h               ; the count is masked to 5 bits on 386+, so these shift by 0
shr edx, 20h

Ad nauseam .....

I don't think much of this 'security by junk', but I've found really effective ways to remove 90-95% of it in one go ;-).

Back to the plot: I posted a month or two ago asking if anyone was really interested in going forward with this. I'm actually pretty much there now and may get a release of a free emulator out in the next month or two, but don't bank on it happening for sure. For obvious reasons, like the month or so of work, not many have replied to help, since a lot of the final analysis stuff is just tedious IDA work.

Regards

CrackZ.
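CrackZ does not say how he strips the junk, so the following is an added example of my own, not his tooling: a byte-level scanner for exactly the four patterns listed in his post that reports what each one really does. The opcode encodings are the standard ones; the sample bytes, the load address and the choice of `ud2` as the junk are constructed for the example.

```python
"""
Recognise the 'security by junk' patterns from the post in raw code bytes.

  xor eax,eax ; jb X             -> jb never taken (xor clears CF)
  jnz T ; jz over ; junk ; jz T  -> unconditional jmp T, the junk never runs
  xchg eax,ebx ; xchg ebx,eax    -> no-op pair
  shl/shr/sar r32, imm8 with (imm8 & 1Fh) == 0
                                 -> no-op: 386+ masks the count to 5 bits, and a
                                    masked count of 0 changes neither value nor flags
"""


def _s8(b):
    """Sign-extend a rel8/disp8 byte."""
    return b - 0x100 if b & 0x80 else b


def find_junk(code, base):
    """Return [(addr, kind, continues_at), ...] for each pattern found.

    `continues_at` is where execution really goes: the fall-through for
    never-taken branches and no-ops, the real target for the jnz/jz pair.
    Linear scan, so bytes inside other instructions can match too; confirm
    each candidate in the disassembler before patching.
    """
    found = []
    n = len(code)
    for i in range(n):
        op = code[i]

        # xor eax,eax (31 C0 / 33 C0) ; jb rel8 (72 xx)
        if op in (0x31, 0x33) and i + 3 < n and code[i + 1] == 0xC0 and code[i + 2] == 0x72:
            found.append((base + i, "never-taken-jb", base + i + 4))

        # jnz rel8 (75) ; jz rel8 (74) ; junk ; jz rel8 (74) back to the jnz target
        elif op == 0x75 and i + 3 < n and code[i + 2] == 0x74:
            t = i + 2 + _s8(code[i + 1])
            second = i + 4 + _s8(code[i + 3])
            if 0 <= second < n - 1 and code[second] == 0x74 and second + 2 + _s8(code[second + 1]) == t:
                found.append((base + i, "jnz-jz-jmp", base + t))

        # xchg eax,ebx ; xchg ebx,eax : 93 93, or 87 /r twice with the same register pair
        elif op == 0x93 and i + 1 < n and code[i + 1] == 0x93:
            found.append((base + i, "xchg-pair-nop", base + i + 2))
        elif op == 0x87 and i + 3 < n and code[i + 2] == 0x87:
            m1, m2 = code[i + 1], code[i + 3]
            if m1 >> 6 == 3 and m2 >> 6 == 3 and {(m1 >> 3) & 7, m1 & 7} == {(m2 >> 3) & 7, m2 & 7}:
                found.append((base + i, "xchg-pair-nop", base + i + 4))

        # C1 /4 /5 /7 ib : shl/shr/sar r32, imm8 whose count masks to 0
        elif op == 0xC1 and i + 2 < n:
            modrm, imm = code[i + 1], code[i + 2]
            if modrm >> 6 == 3 and (modrm >> 3) & 7 in (4, 5, 7) and imm & 0x1F == 0:
                found.append((base + i, "shift-count-0-nop", base + i + 3))
    return found


# Constructed sample: the four patterns from the post back to back at a
# made-up load address, with ud2 as the junk that is never reached.
SAMPLE_BASE = 0xC0020000
SAMPLE = bytes([
    0x33, 0xC0,             # +00 xor eax,eax
    0x72, 0x10,             # +02 jb  +14h            (never taken)
    0x75, 0x08,             # +04 jnz _location       (= +0E)
    0x74, 0x02,             # +06 jz  $+4             (hops over the junk)
    0x0F, 0x0B,             # +08 ud2                 (junk, never executed)
    0x74, 0x02,             # +0A jz  _location       (= +0E)
    0x93, 0x93,             # +0C xchg eax,ebx ; xchg ebx,eax
    0xC1, 0xE3, 0x40,       # +0E _location: shl ebx,40h   (count masks to 0)
    0xC1, 0xEA, 0x20,       # +11 shr edx,20h              (count masks to 0)
    0xC3,                   # +14 ret
])

if __name__ == "__main__":
    for addr, kind, cont in find_junk(SAMPLE, SAMPLE_BASE):
        print(f"{addr:08X}: {kind:20s} -> continues at {cont:08X}")
```

The output is the list of patches a cleanup pass would make: the never-taken `jb` and the cancelling pairs can be overwritten with `nop`, and the `jnz`/`jz`/junk/`jz` triple collapses to a single `jmp _location`, which is what lets a disassembler see the real control flow again. The shift-count rule is specific to 32-bit code; in 64-bit mode the mask is 6 bits, so `shl rbx, 40h` is still a no-op but `shl rbx, 20h` is not.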

tgodd
March 5th, 2004, 00:27
HASP 3C/3D is being emulated by safekey.
As is Sentinel SuperPro's Enhanced Algo.

Goudurix
March 5th, 2004, 05:32
Hi CrackZ,

Well, it's good to see you working on this project.

I don't know if there are many people interested in this, but me, I'm very, very interested ^^

If I can help you in one way or another, just ask me...
I am ready to invest myself in this project and share this experience...

I have some concepts of ASM and a little experience with cracking...

bye

Goudurix