HASP4 envelope problems


begemott
October 28th, 2003, 11:21
Hi,

I have an application protected with HASP4 (and I have the dongle).
There are .protect and _TEXT_HA sections.
I thought that since I have the dongle it will be easy to remove the envelope but...

1. SoftICE doesn't break - bpx, bpm aaaa X don't work.
This seems strange to me. In the essays regarding HASP4 it is described that bpm should work on CreateFileA, FreeEnvironmentStringsA etc. Any ideas?

WinDbg didn't help me either (the program doesn't run at all).
Olly works...

First I noticed that the running program uses msvcrt.dll.
To my way of thinking this means that the entry point of the original (unpacked) exe will look like WinMainCRTStartup. So I created something like a signature of WinMainCRTStartup and searched the process memory. I found two instances of the signature - one in the .text section and one in the .protect section.
I decided that the OEP is where I found (what I think is) WinMainCRTStartup code in the .text section.
Next I dumped the running exe, removed the .protect section, and corrected the EP in a PE editor.
Next I used ImpRec to fix the imports.
And finally... my exe doesn't run.

(I also tried to dump the exe when the debugger breaks at the OEP, with no success.)

Is this the right way to deal with the HASP4 envelope?
What to do further?

Regards!

separator
October 29th, 2003, 08:45
Hello,
The HASP envelope is very easy to unpack. Your breakpoints don't work because you set them at the start address of the API, and the HASP envelope emulates some instructions from the start of every API call. Try to use bpmb GetModuleHandleA+7 x; I think it will work fine. You can try the /tracex command from IceDump to find the EOP, or you can use some breakpoints on APIs (GetModuleHandleA works fine most times).
When you find the EOP, just dump the application and use ImpRec to resolve the import table. You will have three unresolved API calls. Two of them have the same address and one is different. Those two are GetProcAddress and the last is ExitProcess.

begemott
October 30th, 2003, 05:44
Thank you for your reply!

Dongle removed!

Greetings!

separator
October 31st, 2003, 15:26
One thing I don't understand. They haven't updated their envelope for a very long time. I don't understand why, because it's no problem to remove it. Maybe they didn't update it because it's free.

sope
November 1st, 2003, 00:42
Hello separator

Just in case you are interested in the new flavour of the hasp4 envelope, get it from the URL below: fxp://fxp.ealaddin.com/pub/hasp/new_releases/docseal/DocSeal.zip

Also, the favourite breakpoint technique to reach the highest level is gone. It's slightly different.

Regards, Sope.

TOTEU
November 7th, 2003, 16:11
Having a quick look at the newest hasp4 envelope, just
having some notepads enveloped for study
-> a win2K notepad with size 1MB, that's pretty hefty..

1. the code around the HASP entry is now something like this:

cmp eax, 09
push edi
jnz smth


2. IceExt 0.53 will manage the SoftICE checks...

3. the flow of the (crazy options set, prolly the hardest) envelope is like this:

FN 01/02 (1st seed)/3C (len 0x08)/02/02 (2nd seed)/
/many 3D (len 0x0E) (some of them random - that means no right answer needed)
(some of them are needed and stored in 2 indexed tables with IN data and OUT data
- the space between the arrays is 0x800 in my case - this reminds me of the SPro envelope
and its random sproQueries indexed as well...) (a cmp eax, edx in a loop
will compare byte by byte the answers stored in the 2nd indexed table)
/then follows 3D with a few blocks needed for restoring the encrypted PE
(in my case the blocks were of len 6*0xFFE + 0x4C3 for decrypting)/then again 3D with a block
of len 0x5EE/

4. background hasp checks: 01/02/twice fixed 3C blocks

If anyone is willing to contact me about new tricks found in the newest HASP envelope,
please feel free to PM or post them here..

sope
November 8th, 2003, 01:45
Hello TOTEU,

I would also like to add that we can also see services 3, 5 and 6, depending on the options used.

One thing I like in this envelope is the decrypting of important files at runtime; I have seen only one implementation of it yet, but am waiting for many to come. Also, unpacking such an envelope will not be a solution to it. Check the link given above: once you unpack it, run it and try to open the crypted files and see what happens. Carry on the fantasy....

Regards, Sope.

neemous
November 8th, 2003, 13:17
hi all,

Don't know if this should be in newbies or unpacking...
I have a HASP enveloped program here with the dongle; it has several enveloped DLLs. It's easy to find the OEP with tracex or a bpx on a redirected API: bpx getversion+5, etc. Here is what I tried:

Dumped the exe twice, once with ProcDump, once with LordPE (LordPE options: paste header, fix header). Fixed the OEP; the LordPE dump runs, the ProcDump one does not. Out of curiosity I compared them; the differences were raw offset and size. I manually entered RO & RS to match VA & VS in the ProcDump one, still crashes. One other difference: the LordPE one now has a value in pointer to symbols & number of symbols, the ProcDump one doesn't (what does this mean?). So I abandoned the ProcDump one... Curiosity again: loaded the exe in ImpRec, one unresolved API, seems to be GetProcAddress. So I let ImpRec rebuild the imports and tried to run it: crash, page fault "module unknown" with a weird value in EAX like a6a6a6a6. Back to the one without the rebuilt IAT.

Ran the dumped exe and dumped the first DLL (is this correct, should I dump the DLL with the dumped exe running or the original exe running, or does it matter?) with LordPE, same options; fixed the OEP and ran: crash in kernel32. Rebuilt the IAT of the DLL with ImpRec, 2 unresolved: GetProcAddress & ExitProcess. Now it runs. But... rebooted without SoftICE, and the exe almost loads, splash screen, then page fault in user32, seems to point to DestroyCursor. Rebooted with SoftICE + IceDump, runs fine... what? What is going on here? Unloaded IceDump; the HASP driver (or exe?) detects SoftICE, no run. Rebooted, no SoftICE, page fault in user32. Suspected a reloc problem with the DLL, so attempted to load the dumped DLL at different addresses with b&e; no, even four of them at once all load at the same image base (?). So tried with the original DLL, won't load at all; suspect some shit in the .protect section pulls the plug. Would like to try to compile the DLL loading source code posted here by cyberheg some time ago, but will have to wait until I can borrow a copy of VC++....... So I have:

dumped exe + dumped dll - runs if SoftICE & IceDump are loaded
original exe + dumped dll - runs in any case... with 4 or 5 DLLs still to be dumped (ugh)

What is going on here? Last question: the IATs for these DLLs seem to be in .rdata. When I look at them in SoftICE using loadlibrary they look strange compared to what I've read about; the IID follows the ASCII. Is this possible, or am I looking at the wrong thing?

any ideas, hints appreciated
thanks, n

dee
November 9th, 2003, 07:11
They were talking about the newest Aladdin HASP envelope, which is quite different from the previous one; are you talking about the newest or the previous one?

neemous
November 9th, 2003, 13:28
hi dee,
v. 10 or 11, I think.
Guess my main question from the chaotic post above
is: can the IAT have a different format than what is
usual? Can the IID follow the ASCII, or am I looking
at a *really* trashed IAT?
I still think I have a reloc problem here, but am unable
to get these DLLs to load at different image bases to
compare and rebuild.
n

Dimdas
November 15th, 2003, 15:11
Hi All,
I think that the new version of HASP - HASP4 - has 2 new API functions,
0x3C and 0x3D, for encrypting and decrypting a string. These API functions are used in the protection schemes of the HASP envelope.
I don't know whether anybody has been able so far to find the working algorithm for these functions!!!

Any idea to solve the problem !?

Dimdas

tgodd
November 23rd, 2003, 14:07
It has been cracked.

tgodd

sope
November 24th, 2003, 02:03
Hello tgodd

Thanks for the info. Can we know how it works, or is it not good to talk about it in public? I would be interested, since I use hasp4 sometimes myself.

Regards, Sope.

TOTEU
November 24th, 2003, 07:54
Quote:
[Originally Posted by sope]Hello tgodd
Thanks for the info. Can we know how it works, or is it not good to talk about it in public?


At least two Russian sites claim that they can emulate 3C/3D (polnaia emulatzia -> complete emulation). This is true because since 2001 a .by site (Belarusian site) has provided true hardware-based copies of HASP4.
Searching through Russian forums will give you more.
(The only problem now seems to be keeping up to date with the DeviceIoControl encryption flow (the so-called internal API), updated with new releases of the HASP/Hardlock (mixed driver code by now).)
It also seems to be a quest(..) because some Russians know how to emulate Hardlock's HL_CODE and the other team knows how to emulate HASP's HaspEncodeData/HaspDecodeData, and they are not willing to XCHG the routines...

SSPRO's sproQuery is 100% emulated by tgodd (great work man.., sometimes I wish I knew a little bit more from a hardware engineer's viewpoint, not only from the software engineer's viewpoint, but I also know that having 10-15 years (maybe more) of dealing with HW-based devices speaks for itself).
Also Rainbow introduced new high-level functions since 6.2 release.

Bottom line:
Dongles are not as secure as marketed; however, the companies that use them keep a good balance between legal use and illegal use, a special proportion paradoxically giving them wider chances of winning the market (in other words, software piracy isn't as bad as they are trying to show us).

sope
November 24th, 2003, 10:55
Hello TOTEU

Thanks for the info. Surely the Russians are miles ahead in the RE field. I do visit a few forums and did come to know about what you said above. Well, let's hope that sooner or later we will all know the algorithm used for 3C/3D, including the Hardlock HL_Code. Till then we will require the original dongle for our emulation.

Small update for people reading with interest.

The feature of decrypting important files at runtime has been killed by its maker itself. Please d/l the file below: fxp://fxp.ealaddin.com/pub/hasp/new_releases/docseal/HASP_DScrypt.zip

Usage is pretty straightforward. The only important things to know now are the -k option, which is not at all hard to find, and the original dongle. Now we can decrypt the files as well.

Regards, Sope.

tgodd
November 24th, 2003, 17:39
Quote:
[Originally Posted by sope]Hello TOTEU

Thanks for the info. Surely the Russians are miles ahead in the RE field. I do visit a few forums and did come to know about what you said above. Well, let's hope that sooner or later we will all know the algorithm used for 3C/3D, including the Hardlock HL_Code. Till then we will require the original dongle for our emulation.

Small update for people reading with interest.

The feature of decrypting important files at runtime has been killed by its maker itself. Please d/l the file below: fxp://fxp.ealaddin.com/pub/hasp/new_releases/docseal/HASP_DScrypt.zip

Usage is pretty straightforward. The only important things to know now are the -k option, which is not at all hard to find, and the original dongle. Now we can decrypt the files as well.

Regards, Sope.


I happen to know both,
Hasp4 as well as HL_Code.
Unfortunately I am unable to share this knowledge due to non-disclosure.

tgodd
P.S. Canucks are #1 in RE

Kayaker
November 25th, 2003, 00:36
Quote:
[Originally Posted by tgodd]
P.S. Canucks are #1 in RE


Lol, Oh yeah, it's a hotbed for sure. World renowned for Reverse Engineers, hockey players, lumberjacks and igloos. We keep the RCMP running in circles, eh? ;-))

sope
November 25th, 2003, 01:15
Hello tgodd

One question, a bit off topic from the subject line of this thread, if you don't mind. It's regarding HL_Code. I have read on this forum that we require some 8K bytes of data from the dongle to successfully emulate it.

1. Do you rip some code, then put in the dongle data (8k) + crypted data, and you get back the good data? i.e. brute force it.

OR

2. You take the dongle data (8k) + crypted data and put them in the known algorithm to get back the good data?

OR is it something else?

I guess the answer will be the second, but I just want to clarify my doubts.

Regards, Sope.

tgodd
November 25th, 2003, 02:24
Actually, first off, dongle cracking started in Canada back in the '80s.

Now that that is off my chest.

You have to use the algorithm, or at least what is known of the algorithm, to
back-calculate the 48 bits from the encrypted access table generated by accessing the algorithm.

The memory contents do NOT come into play.

And Kayaker, the SuperPro Enhanced algo is also cracked.



tgodd

sope
November 25th, 2003, 02:49
Hello tgodd,

Thank you for the clarification of my doubts and for the info provided.

Regards, Sope.

rozsa
December 2nd, 2003, 15:20
Hi all...

I have a similar problem as described in this thread...
For a month now I have had a program which is protected with HASP... after reading so many tutorials and following the tips from CrackZ,
downloading all the stuff from HASP... reading and learning... I worked out the HASP routine and patched 8 files of this program... but now I have a DLL which is protected with the HASP envelope...

After reading this thread I decided to do the same... but I can't get the OEP/EOP...

This is where I land if I bp GetModuleHandleA:

05A6A23A 0000 ADD BYTE PTR DS:[EAX],AL
05A6A23C 0000 ADD BYTE PTR DS:[EAX],AL
05A6A23E 0000 ADD BYTE PTR DS:[EAX],AL
05A6A240 > 55 PUSH EBP <----- Is this the real OEP?
05A6A241 8BEC MOV EBP,ESP
05A6A243 53 PUSH EBX
05A6A244 56 PUSH ESI
05A6A245 57 PUSH EDI
05A6A246 60 PUSHAD
05A6A247 8BC4 MOV EAX,ESP
05A6A249 A3 D4A4A605 MOV DWORD PTR DS:[5A6A4D4],EAX
05A6A24E B8 00AFA605 MOV EAX, 05A6AF00
05A6A253 2B05 20AFA605 SUB EAX,DWORD PTR DS:[5A6AF20]
05A6A259 A3 20AFA605 MOV DWORD PTR DS:[5A6AF20],EAX
05A6A25E 833D D0A4A605 00 CMP DWORD PTR DS:[5A6A4D0],0
05A6A265 0F84 14000000 JE 05A6A27F
05A6A26B A1 D4A4A605 MOV EAX,DWORD PTR DS:[5A6A4D4]
05A6A270 50 PUSH EAX
05A6A271 FF15 D0A4A605 CALL DWORD PTR DS:[5A6A4D0]
05A6A277 83C4 04 ADD ESP,4
05A6A27A E9 A3000000 JMP 05A6A322
05A6A27F 68 24AFA605 PUSH mgui.05A6AF24 ; ASCII "kernel32"
05A6A284 FF15 90AFA605 CALL DWORD PTR DS:[<&KERNEL32.GetModuleHandleA>] ; kernel32.GetModuleHandleA
05A6A28A A3 D8A4A605 MOV DWORD PTR DS:[5A6A4D8],EAX ; kernel32.77E40000
05A6A28F 68 30AFA605 PUSH mgui.05A6AF30 ; ASCII "user32"
05A6A294 FF15 90AFA605 CALL DWORD PTR DS:[<&KERNEL32.GetModuleHandleA>] ; kernel32.GetModuleHandleA
05A6A29A A3 DCA4A605 MOV DWORD PTR DS:[5A6A4DC],EAX
05A6A29F A1 94AFA605 MOV EAX,DWORD PTR DS:[<&KERNEL32.GetProcAddress>]
05A6A2A4 A3 E0A4A605 MOV DWORD PTR DS:[5A6A4E0],EAX
05A6A2A9 A1 9CAFA605 MOV EAX,DWORD PTR DS:[<&USER32.MessageBoxA>]
05A6A2AE A3 E4A4A605 MOV DWORD PTR DS:[5A6A4E4],EAX
05A6A2B3 C705 E8A4A605 00>MOV DWORD PTR DS:[5A6A4E8],0
05A6A2BD C705 ECA4A605 00>MOV DWORD PTR DS:[5A6A4EC],0
05A6A2C7 A1 20AFA605 MOV EAX,DWORD PTR DS:[5A6AF20]
05A6A2CC 0305 ECAEA605 ADD EAX,DWORD PTR DS:[5A6AEEC]
05A6A2D2 A3 D0A4A605 MOV DWORD PTR DS:[5A6A4D0],EAX
05A6A2D7 A1 00AFA605 MOV EAX,DWORD PTR DS:[5A6AF00]
05A6A2DC 50 PUSH EAX
05A6A2DD A1 F8AEA605 MOV EAX,DWORD PTR DS:[5A6AEF8]
05A6A2E2 50 PUSH EAX
05A6A2E3 A1 20AFA605 MOV EAX,DWORD PTR DS:[5A6AF20]
05A6A2E8 0305 F4AEA605 ADD EAX,DWORD PTR DS:[5A6AEF4]
05A6A2EE 50 PUSH EAX
05A6A2EF E8 2B010000 CALL 05A6A41F
05A6A2F4 83C4 0C ADD ESP,0C
05A6A2F7 E8 2B000000 CALL 05A6A327
05A6A2FC BE D8A4A605 MOV ESI, 05A6A4D8
05A6A301 8B3D 08AFA605 MOV EDI,DWORD PTR DS:[5A6AF08] ; 05A6B6F8
05A6A307 B9 06000000 MOV ECX,6
05A6A30C F3:A5 REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS:[ESI]
05A6A30E A1 D4A4A605 MOV EAX,DWORD PTR DS:[5A6A4D4]
05A6A313 50 PUSH EAX
05A6A314 FF15 D0A4A605 CALL DWORD PTR DS:[5A6A4D0]
05A6A31A 83C4 04 ADD ESP,4
05A6A31D E9 00000000 JMP 05A6A322
05A6A322 5F POP EDI
05A6A323 5E POP ESI
05A6A324 5B POP EBX
05A6A325 C9 LEAVE
05A6A326 C3 RETN
05A6A327 55 PUSH EBP <----- Look similar for me to the first OEP!
05A6A328 8BEC MOV EBP,ESP
05A6A32A 83EC 14 SUB ESP,14
05A6A32D 53 PUSH EBX
05A6A32E 56 PUSH ESI
05A6A32F 57 PUSH EDI
05A6A330 A1 20AFA605 MOV EAX,DWORD PTR DS:[5A6AF20]
05A6A335 0305 E8AEA605 ADD EAX,DWORD PTR DS:[5A6AEE8]
05A6A33B 8945 F0 MOV DWORD PTR SS:[EBP-10],EAX
05A6A33E 8B45 F0 MOV EAX,DWORD PTR SS:[EBP-10]
05A6A341 8378 04 00 CMP DWORD PTR DS:[EAX+4],0


Hope someone can help... and yes, I searched on Google and on this board.

p.s.: sorry for my English... it's been a very long time since I had it in school

MeteO
July 22nd, 2004, 00:32
To successfully remove the hasp4 envelope, set bpm esp-4 and dump all sections at the 2nd breakpoint stop. Next step: set a breakpoint on access to memory at the import data, which points to the first entry of the list of used DLLs. When you stop at this breakpoint, a few jumps before it you will see mov eax, [ebp+0ch]; set bpm here. When you run the program again you'll see the import offset.

After that, restore the fixups and do not forget to remove the .protect section. That's all.

Sorry for my poor language, as English is not my native.

HarmEr
July 22nd, 2004, 03:00
For information:

Atm there is no need to have the original dongle, or to use any dumper tools.
Private tools exist to restore all the secret data of the Hasp4 dongle from the envelope, and to unpack it. To remove the envelope on a Celeron 1200 Tualatin needs no more than 20 minutes.

For software developers, I do not recommend using the Envelope, because it gives back all the secret data of the H4 dongle.

MeteO
July 22nd, 2004, 03:17
Quote:
[Originally Posted by HarmEr]Atm there is no need to have the original dongle, or to use any dumper tools.
Private tools exist to restore all the secret data of the Hasp4 dongle from the envelope, and to unpack it. To remove the envelope on a Celeron 1200 Tualatin needs no more than 20 minutes.

For software developers, I do not recommend using the Envelope, because it gives back all the secret data of the H4 dongle.


Aladdin always makes weak dongles. I saw it in 1999 when hasp3 was completely recovered by me & Fixit.

Wait for hasp5...

tgodd
July 22nd, 2004, 13:16
Hasp emulation has been around since 1994.

Just stating the facts.....

MeteO
July 23rd, 2004, 09:03
But h3 became public only in 1999, when bajunny (also Russian, like me) published his research at fravia.