View Full Version : HASP4 (TimeHasp) Cracking..


PoWeRGuArD
July 7th, 2005, 01:47
Hi everybody,

I have a program. The program is protected with HASP4 (TimeHASP). The program is written in FoxPro. While reversing the program I found the haspfp32.dll file. I used SoftICE with bpx FreeEnvironmentStringsA:

ADD EBX, [EBP+10]
MOV EAX, [EBP+0C]
MOV ECX, [EBP+14]
MOV EDX, [EBP+18]
CMP BH, 32
JB XXXXXX
MOV ESI, [EBP+28]
MOV EAX, [ESI]
MOV ESI, [EBP+20]
MOV ESI, [ESI]
PUSH EBP
CALL 01E73073
POP EBP
(I have an original dongle plugged in.)
I found the following in the returned parameters. The program calls service 32 three times. The first call to service 32 is EAX = 08 EBX = 10 ECX = 0 EDX = "12210814404207610804204204204208", the second call to service 32 is EAX = 08 EBX = 10 ECX = 0 EDX = "12210814404207610804204204204208" (ASCII), and the last call to service 32 is EAX = 08 EBX = 10 ECX = 0 EDX = 0000000000004983 (ASCII)..

How can I make an emulator program? Please help, friends..

PoWeRGuArD

infern0
July 7th, 2005, 02:41
Why didn't you try to decompile the Fox program? It can only use the declare ... in dll method to access the HASP, and while looking into the source you can easily find the HASP calls.

PoWeRGuArD
July 7th, 2005, 03:39
I decompiled the exe file. The program's procedure call is in fphasp.fxp (haspfp32.dll). The HASP4 read to memory in haspfp32.dll doesn't work with the export module hasp???.vxd. How can I find the HASP procedure call in the fphsap.fxp file, or the main.fxp (decompiled) file?

PoWeRGuArD

saber
July 7th, 2005, 07:10
There is not much help on the net as to how to emulate the functions. I read the tutorials and went through the articles, but most of them are too old to be of any help. Timehasp is one of the best hasp keys around. I am using a hasp emulator which works fine on all old hasps but gives me an error on time hasp. It says failed to initiate automatic data protection. Does anyone have a workaround for it?

s0cpy
July 7th, 2005, 07:57
If you cannot emulate the time function, try to change the date in the key with HaspEdit...

PoWeRGuArD
July 7th, 2005, 08:33
Hmm.. I used SoftICE to write the returned parameters into the EDX, ECX and EAX registers and the program ran successfully.. but I can't write a loader or patcher.. How can I make a patcher or loader?

PoWeRGuArD

infern0
July 12th, 2005, 01:47
So the app uses fphash.fxp to communicate with the dongle and you have logged all the data needed to run the app. So rewrite fphash.prg, compile it and rebuild your exe.

sope
July 12th, 2005, 04:49
Hello saber,
Quote:
It says failed to initiate automatic data protection. Any one has a workaround of it ??
The emulators fail if the target is protected with the option of data files being decrypted at runtime. Even if we patch the error, the program will run but the files are not decrypted correctly. Solution 1 is to write our own emulator routine.

Solution 2 is to decrypt the encrypted runtime files using the dscrypt util, which has very simple parameters. The -k option can be found by searching in memory for the below hex pattern in the target:

41 41 41 41 41 41 41 41 00

Just above it we will see the 8-byte encrypted key used. If we go above we will see the filenames which are decrypted at runtime. Lastly, don't forget to patch the nag!

Regards, Sope

s0cpy
July 14th, 2005, 10:51
The main exe file of the software used by saber is packed with one of the last versions of hasp envelope (IMHO v.11). The enc/dec key is found (Sope, thanks for the solution), but I can't find the names of the files which should be decoded.
And last: can anyone give a solution for resolving the IAT after unpacking the last version of hasp envelope?

saber
July 15th, 2005, 11:09
A strange problem. I have software which uses hasp 4 m1. Since I use a ready-made emulator I am getting a weird error, "Failed to initiate automatic data protection". So I decided to implement the second part of sope's advice. I downloaded dscrypt and tried to decrypt the runtime file with this command:

dscrypt C:\target.nfo C:\test.nfo 403F 34F9 -k:17BD45A -dec

When I press enter I get an error saying invalid password. But the password is quite correct, as my dumper detects the above password.
Has anyone used this command before? Please help.

sope
July 15th, 2005, 22:52
btw, the utility uses decimal values, kindly read the parameters shown!

nikan
July 16th, 2005, 01:17
to s0cpy

Quote:
And last: can anyone give solution about resolving IAT after unpacking last version of hasp envelop?


see exetools for what ketan said about hasp envelope.

You must patch a table with a few bytes (4 -10) to zero before dumping, and you must also manually correct the exitprocess and getprocaddress addresses too.

saber
July 16th, 2005, 07:47
How do I know the hasp password in decimal format? I tried using a scientific calculator but those values don't work. If my password is 403F 34F9 then what is the decimal value of my password?

Damn!!! Such a small utility, yet so complicated.

saber
July 16th, 2005, 23:16
Step no.1 :: Find hex pattern 41 41 41 41 41 41 41 41 00 in the main target exe
Step no.2:: just above it we will see the 8 bytes Encrypted Keys used
Step no.3:: If we go above we will see the filenames which are decrypted.
Step no.4:: get dscrypt.exe from aladdin site
Step no.5:: we use dscrypt to decrypt the files

The command I get (after converting the password into decimal) is
C:\target.nfo C:\test.nfo 16647 13561 -k:17BD45A -dec


And we get this error

"The requested hasp key was not found." Even though the hasp key is inserted and the software runs properly when started.
Where did I go wrong?
Somebody please help.

mr.x
July 17th, 2005, 06:14
403F in dec format is 16447
34F9 in dec format is 13561

saber
July 18th, 2005, 22:01
Finally! Finally!! Finally!!!

Hasp is gone and software is now free.

Ok here are the steps to do it

Step no.1 :: Find hex pattern 41 41 41 41 41 41 41 41 00 in the main target exe
Step no.2:: just above it we will see the 8 bytes Encrypted Keys used
Step no.3:: If we go above we will see the filenames which are decrypted.
Step no.4:: get dscrypt.exe from aladdin site
Step no.5:: we use dscrypt to decrypt the files

The command I get (after converting the password into decimal) is
C:\target.nfo C:\test.nfo C:\dump.nfo 16647 13561 -k:17BD245A -dec

Two things to make sure of: first, that you convert the password into decimal (using the scientific calculator correctly), and secondly, that the target file is easily accessible to dscrypt (if possible copy it to C:\ and do not keep it in any directory); and lastly, use a clean system to do it. Finally, when it is done just patch the damned software and u are through. Don't forget to throw ur hasp keys after u do it.

Thanks to sope and s0cpy for all the help. Many people have knowledge but few are good enough to share them.

nasty
July 19th, 2005, 05:52
Hi,
but can you use this "match" technique only on TimeHasp4?
I'm trying to search for the pattern in an .exe with Hasp4 without any result.
What can I do to find the pattern and then the password to descrypt?
Please let me know.
Thanks

saber
July 19th, 2005, 21:25
The hasp which I used with the above technique was memohasp 4 m1. And one more thing: insert the hasp, run the program, then dump the file and then search for the hex (thanks to s0cpy for the direction).

nasty
July 20th, 2005, 04:57
Hi saber,
Before I posted I had just tried to find the pattern in the dumped exe, but without result.
My Hasp is MemoHASP-4 type 1.
The only sequence that I find in the .exe (with several 41) is:

41 41 41 41 41 80

But not the sequence that you explain.

Where am I going wrong?

Thanks.
NaSTy

sope
July 20th, 2005, 05:22
Hello nasty,

Firstly, the sequence would be useful if your target decrypts files at runtime. Does your target decrypt files at runtime? Do you get the Automatic Data Protection error in the emulator?

Regards, Sope.

nasty
July 20th, 2005, 05:44
Hi Sope, thanks for the reply ..
I think that you refer to "enveloped file", really?
Yes, it is enveloped.

Or do you mean that the main .exe, "enveloped", de-envelopes other "internal" files like dlls during execution?
In this case no ..

Afterwards I need to emulate the HASP API calls too in any case.

Is this what you want to know?
Thanks ..
NaSTy

nasty
July 20th, 2005, 06:01
Hi Sope,

sorry .. pardon .. Auto-Correction .. it's my mistake!

I know about Docseal (enc/dec of entire dirs).
So the Dscrypt utility can be used in this case only.

I asked all these questions because I thought that this utility could also be used for a single enveloped file.

Sorry again .. I understood it all, after a little thinking, when you wrote to me: "your target decrypts files at runtime"

Is my Auto-Correction correct?

PS: sorry also to saber .. however I understood the "pattern search" technique.
THX

saber
August 19th, 2005, 13:26
I have learnt to find the hasp password using the 414141 technique (thanks to sope). However I have now encountered a new variant which leaves the decryption key blank. Please take a look at the snapshot I have uploaded and let me know what you guys think of it.

http://rapidshare.de/files/4154255/hasp.jpg.html

Any info on this one is welcome
Regards

sope
August 20th, 2005, 01:02
Hello saber,
Interesting -k: option this time. Kindly give the below things & it should work.
-k:<press alt then numlock on press 255 keys> do it 8 times & then spacebar & -dec

Enjoy, Sope!

dream_buyer
August 9th, 2007, 06:25
I have the dump of the key (not the original key) which I emulated using the br studio emulator, and I am getting the automatic data protection error. I couldn't trace the sequences of 41 in my dumped file (of course the dump is without the key and running on the emulator). However, I tried using HASP Edit; there is a decrypt function in the menu which takes an input file and decrypts it. Is it the same as dscrypt? Help needed!

JMI
August 9th, 2007, 12:36
So... Without actually READING THE FRIGGIN FAQ you thought YOUR NEED was just SO IMPORTANT that YOU would resurrect this 2 year old Thread WITHOUT showing that YOU have done ANYTHING to HELP YOURSELF answer YOUR question.

Tell US what YOU have done to attempt to find the answer to this question, either HERE or ON THE NET, then maybe someone will help you.

First, go READ THE FAQ!

Regards,

dream_buyer
August 10th, 2007, 03:51
Thanx for your comment! It's great to be talking to the Great JMI. But I have read the FAQs. I have suggested a possible decrypting method in the above post and asked if the result would be the same as using dscrypt.exe. However, I am sorry for the last two objectionable words in the post, "help needed", and am ready to edit them if required.

JMI
August 10th, 2007, 13:16
Apparently, dream_buyer you lack the basic intelligence to understand that attempting to buck the administration is generally not a wise idea.

NOTHING in your original post suggests you had read the FAQ. You obviously did not say you had. You also fail to understand the ISSUE raised by the FAQ which I raised in my Reply, although one of them clearly was reading the FAQ.

The issue you did not address, and although you have whined about your treatment, have still not addressed, is the requirement that YOU attempt to solve YOUR problem BEFORE you post your question here.

YOUR QUESTION is: I tried using HASP Edit. There is a decrypt function in the menu which takes an input file and decrypts it. Is it the same as dscrypt?

I asked YOU to tell US what YOU had done to attempt to answer THAT question YOURSELF, either HERE or ON THE NET!

So far all you've done is post an ineffectual attempt at insult and complaint about your "brutal" treatment.

Rather than simply send you to join the "goners," I am giving you another chance to tell us what "effort" YOU have made to answer YOUR question.

Regards,

dream_buyer
August 12th, 2007, 06:47
My attempt was in no way to buck the administration; if it appeared so then my sincere apology. In fact I read the FAQs again after your direction and before my second post, but what I failed to realise is that I hadn't put in sufficient information to show my efforts. I beg your pardon, and here I try to describe what I have done so far.

Firstly I tried different emulators to see if any of them simply allows using the dump from brstudio's dumper. (As I don't have the key but the dump only.) I have used straton's universal dmp2reg tool. Results: brstudio - automatic data protection error; haspusb emulator - did not work at first with the ready-made vusbus.sys, but with the one I compiled using WINDDK 2600.1106 it worked, still - hasp not found (-3) error; TORO hasp4 emulator - loader not working. Search led me to this page and I tried using the method described by rituraj but couldn't find the sequences of 41 in the dumped file. However, in a private communication rituraj confirmed that the sequence of 41 will only appear if the key or emulator is working and the dump is taken after successfully running the program. The target program keeps the data in a folder which is decrypted during runtime. I tried looking for an alternate way and found the decode function in Haspedit, which worked fine with the brstudio emulator. So I decoded the whole folder, but even then the files decrypted this way are not in a readable format. Now a google search for the two terms dscrypt, haspedit returns just one page and that is this page! The haspedit documentation is silent about dscrypt and the dscrypt documentation doesn't contain the word haspedit. So here I am..

warm regards

dream_buyer

CrackZ
August 12th, 2007, 10:40
dream_buyer;

I am confused exactly what your problem is so perhaps try explaining it slowly for my benefit ;-).

HaspEdit is a tool for editing HASP's (usually modifying the internal memory) and testing the HASP API functionality.

DSCrypt (or DocSeal Crypt) is a command line utility that can be used to securely encrypt/decrypt files using the HASP key.

Both tools utilise the HASP encrypt/decrypt services but are for different applications. DSCrypt is simply Aladdin's useless attempt to get into the "secure document transfer" market by binding it to a hardware key, neglecting the fact that better methods for secure document exchange have existed for years.

Regards

CrackZ.

dream_buyer
August 13th, 2007, 01:49
Great CrackZ !!!!!!!!!!! Plz accept my greetings! Before starting any discussion I wish to tell you that I am a great fan of yours like everyone else here, and maybe to a degree more. And anything little I know about something named dongle or LM or the very word crack or the real science of Reverse Engineering.. I owe to you, even knowing all these names. And I feel privileged and honored by my query being answered by you.
Now to my post.. You have asked..

Quote:
"I am confused exactly what your problem is so perhaps try explaining it slowly for my benefit ;-)."


My problem is pretty simple :-) .. I have a program which runs with a usb hasp key, and I have the dump of the key with which the program runs. I want to use the program. But the program would not even get installed unless u plug the usb key in.. So I tried emulating the key with the different emulators available.. none worked for me (maybe I don't know how to use them) except Brstudio A002, which allowed me to install the program, but when the program is launched: "Automatic Data Protection Error". On exetools TORO published an emulator which he says would emulate Automatic Data Protection, but the loader hangs and the emulator is not working for me. Another emulator I tried is haspusbemulator; after installation and rebooting the PC, a hasp key found message pops up in the taskbar, but when the program is run I again get the "hasp key not found" error. Now here sope, s0cpy, saber have described a method to get the program running, but as I have mentioned earlier no sequence of 41, and so no decryption key, is traceable in my dump taken with olly, though the hasp key passwords are known to me.

Now the second part, where my present query is answered:
Quote:
"Both tools utilize the HASP encrypt/decrypt services but are for different applications"
Haspedit takes a binary file and decrypts, or rather decodes, it to another one with the hasp key inserted (it doesn't ask for the encryption or decryption key and perhaps reads them from the key?). Similarly dscrypt decrypts the binary file with the key inserted and when the right hasp password and decryption key are supplied. So the output files produced by the two approaches (neither changes the extension or the size) would be different. (I hope I understood the answer correctly.) So is there another way to get the decryption key to be used with dscrypt?

regards

dream_buyer

saber
August 13th, 2007, 21:14
look,

if u do it without the original key then u will never get the decryption key. And u need the decryption key to decrypt using dscrypt. One more thing: u may need to unpack the main exe file by unpacking the hasp envelope, or make a loader to bypass the 33 34 services.

CrackZ
August 13th, 2007, 23:41
OK, I think I've got this straight.

You are basically comparing the differences between Haspedit (or the HASP enveloping tool) which takes a ready made target and encrypts it and Aladdin dscrypt which simply performs a straight file encrypt or decrypt using the key that you specify on the command line.

The core similarity here is the fact they both use the HASP internal algorithm, except with Haspedit the *keys* are generated during the protection process, dscrypt will simply encrypt/decrypt whatever input with the key you give it.

In effect then your first point of challenge is to unpack the HASP envelope your target is protected with or maybe like others I've done it is the InstallShield package that has been enveloped.

It doesn't sound to me that you should even be looking at dscrypt until you've accomplished this task. If there is some way you can send me something to look at I'll run my de-enveloping tool on it.

Regards

CrackZ.

saber
August 14th, 2007, 06:43
WOOOOO

I would give up everything to have that de enveloping tool.

OHPen
August 14th, 2007, 09:27
For those who want to play...

ftp://ftp.aladdin.com/pub/hasp/new_releases/docseal/HASP_DScrypt.zip

@crackz: Sounds like bruteforce tool, ain't it ?