
View Full Version : HASP confusion


blackhat
August 18th, 2005, 20:46
Hello friends,
I actually started to learn about dongles when I got a software named XXXXXXXXXXXXX from XXXXXXX. Actually it is found in the update section of the XXXXXXXX site; the real thing is that it was not an update at all but the full version, protected with HASP.

All my searching related to dongles went on with this software residing in the other part of my brain. Well, again, I am not saying that I failed to crack the dongle; instead I got some idea about dongles, especially the HASP version, such as the checking of various services, the passwords, seed code, par1, 2, 3 etc. As a basic dongle cracker I started by making a BP at FreeEnvironmentStringsA, and finally I reached the location shown below,

(I am using OllyDbg as my decompiler)



00620307  80FF 32      CMP BH,32                        ; BH holds the service number
0062030A  72 05        JB SHORT xxxxxxx.00620311        ; services below 32h skip the next two loads
0062030C  8B75 28      MOV ESI,DWORD PTR SS:[EBP+28]    ; ESI = pointer to the 4th parameter slot
0062030F  8B06         MOV EAX,DWORD PTR DS:[ESI]       ; EAX = 4th parameter (input for services >= 32h)
00620311  8B75 20      MOV ESI,DWORD PTR SS:[EBP+20]    ; ESI = pointer to the 2nd parameter slot
00620314  8B36         MOV ESI,DWORD PTR DS:[ESI]       ; ESI = 2nd parameter
00620316  55           PUSH EBP
00620317  E8 15240000  CALL xxxxxxx.00622731            ; the service call; results come back in EAX,EBX,ECX,EDX
0062031C  5D           POP EBP
0062031D  8B7D 1C      MOV EDI,DWORD PTR SS:[EBP+1C]
00620320  8907         MOV DWORD PTR DS:[EDI],EAX       ; *[EBP+1C] = EAX (1st result)
00620322  8B7D 20      MOV EDI,DWORD PTR SS:[EBP+20]
00620325  891F         MOV DWORD PTR DS:[EDI],EBX       ; *[EBP+20] = EBX (2nd result)
00620327  8B7D 24      MOV EDI,DWORD PTR SS:[EBP+24]
0062032A  890F         MOV DWORD PTR DS:[EDI],ECX       ; *[EBP+24] = ECX (3rd result)
0062032C  8B7D 28      MOV EDI,DWORD PTR SS:[EBP+28]
0062032F  8917         MOV DWORD PTR DS:[EDI],EDX       ; *[EBP+28] = EDX (4th result)
00620331  5E           POP ESI                          ; xxxxxxx.00638598



From tutorials I came to know that the HASP ID mark is CMP BH,32, but my problem is that I could not find the locations corresponding to the various HASP services such as CMP BH,1, CMP BH,2 etc., and hence I cannot emulate the dongle.

My doubts are:

1. Is it a problem of OllyDbg, or am I not able to set the breakpoints correctly?

If the problem is the latter one, please help me set breakpoints using OllyDbg to find the various services.
There are .protect sections, .code sections etc., and I have a vague idea of applying HASP, such as only applying the HASP envelope, applying the HASP API from inside the code of the program, or applying both.

2. How can I identify what type of protection is used in the target program, and what type of HASP and which version?

This program only produces the message "Dongle not found,please attach the dongle and try again (-3)".

3. As I got a HASP emulator from the site, what does this emulator actually do? I mean, do we have to supply various parameters in order to make the HASP emulator work?

I hope that no one will disappoint this newbie...

Woodmann
August 18th, 2005, 21:15
Howdy,

I understand that you are stuck BUT, no names of targets allowed.
That type of stuff is done VIA PM or email.

Now go into the bathroom, pull down your boxers/briefs/boxerbriefs/pants (if you don't wear any unders) and spank yourself for posting target names.

OK, now that the spanking has been done, come on back with some better info.

Woodmann

blackhat
August 19th, 2005, 03:35
Sorry administrator, actually I did not know; it is my first message in this forum. But I found somebody mentioning lightwave etc., and also
I thought the direct link to the site was the problem. Sorry once again.
Help me to solve my doubts.

blackhat
August 20th, 2005, 00:32
Friends,
I got a half answer to my question. I think I am able to find the services after tracing
the call after CMP BH,32, and I got something like this, like 3C, 3D services. Please
give me suggestions to emulate this dongle. I am posting the routines I got:

00622FAC 80FF 3C CMP BH,3C
00622FAF 74 11 JE SHORT program.00622FC2
00622FB1 80FF 3D CMP BH,3D
00622FB4 74 0C JE SHORT program.00622FC2
00622FB6 80FF 58 CMP BH,58
00622FB9 74 07 JE SHORT program.00622FC2
00622FBB 80FF 59 CMP BH,59
00622FBE 74 02 JE SHORT program.00622FC2
00622FC0 F8 CLC
00622FC1 C3 RETN
00622FC2 F9 STC
00622FC3 C3 RETN
00622FC4 80FF 28 CMP BH,28
00622FC7 74 55 JE SHORT program.0062301E
00622FC9 80FF 28 CMP BH,28
00622FCC 72 4B JB SHORT program.00623019
00622FCE 80FF 30 CMP BH,30
00622FD1 76 43 JBE SHORT program.00623016
00622FD3 80FF 35 CMP BH,35
00622FD6 74 3E JE SHORT program.00623016
00622FD8 80FF 34 CMP BH,34
00622FDB 74 39 JE SHORT program.00623016
00622FDD 80FF 55 CMP BH,55
00622FE0 74 34 JE SHORT program.00623016
00622FE2 80FF 60 CMP BH,60
00622FE5 74 2F JE SHORT program.00623016
00622FE7 80FF 64 CMP BH,64
00622FEA 74 2A JE SHORT program.00623016
00622FEC 80FF 78 CMP BH,78
00622FEF 74 25 JE SHORT program.00623016
00622FF1 80FF 79 CMP BH,79
00622FF4 74 20 JE SHORT program.00623016
00622FF6 80FF 7D CMP BH,7D
00622FF9 74 1B JE SHORT program.00623016
00622FFB 80FF 65 CMP BH,65
00622FFE 74 16 JE SHORT program.00623016
00623000 80FF 66 CMP BH,66
00623003 74 11 JE SHORT program.00623016
00623005 80FF 58 CMP BH,58
00623008 74 0C JE SHORT program.00623016
0062300A 80FF 59 CMP BH,59
0062300D 74 07 JE SHORT program.00623016
0062300F 80FF 68 CMP BH,68

Help me to crack this dongle.

blackhat
August 20th, 2005, 04:19
If I convert JE to JNE, will that do the trick? Or do I have to do something else? Help me.

naides
August 20th, 2005, 06:22
Quote:
[Originally Posted by blackhat]friends,

00622FAC 80FF 3C CMP BH,3C ; in case BH == to 3C
00622FAF 74 11 JE SHORT program.00622FC2; or BH == 3D
00622FB1 80FF 3D CMP BH,3D ; or BH == 3D
00622FB4 74 0C JE SHORT program.00622FC2
00622FB6 80FF 58 CMP BH,58; ; or BH == 58
00622FB9 74 07 JE SHORT program.00622FC2
00622FBB 80FF 59 CMP BH,59; etc. . .
00622FBE 74 02 JE SHORT program.00622FC2; go and set the carry flag
00622FC0 F8 CLC; Otherwise clear the fucking carry flag. Someone will read it later and act accordingly
00622FC1 C3 RETN
00622FC2 F9 STC; OK, i set the flag and return
00622FC3 C3 RETN
00622FC4 80FF 28 CMP BH,28 ; Case BH == 28
00622FC7 74 55 JE SHORT program.0062301E; Do something
00622FC9 80FF 28 CMP BH,28; Same comparison? Weird!
00622FCC 72 4B JB SHORT program.00623019; Do something else
00622FCE 80FF 30 CMP BH,30; Now if BH == 30
00622FD1 76 43 JBE SHORT program.00623016
00622FD3 80FF 35 CMP BH,35; or 35
00622FD6 74 3E JE SHORT program.00623016
00622FD8 80FF 34 CMP BH,34; or 34
00622FDB 74 39 JE SHORT program.00623016
00622FDD 80FF 55 CMP BH,55; etc. . .
00622FE0 74 34 JE SHORT program.00623016
00622FE2 80FF 60 CMP BH,60
00622FE5 74 2F JE SHORT program.00623016
00622FE7 80FF 64 CMP BH,64
00622FEA 74 2A JE SHORT program.00623016; go here and do something else: Jerk off?
00622FEC 80FF 78 CMP BH,78
00622FEF 74 25 JE SHORT program.00623016
00622FF1 80FF 79 CMP BH,79
00622FF4 74 20 JE SHORT program.00623016
00622FF6 80FF 7D CMP BH,7D
00622FF9 74 1B JE SHORT program.00623016
00622FFB 80FF 65 CMP BH,65
00622FFE 74 16 JE SHORT program.00623016
00623000 80FF 66 CMP BH,66
00623003 74 11 JE SHORT program.00623016
00623005 80FF 58 CMP BH,58
00623008 74 0C JE SHORT program.00623016
0062300A 80FF 59 CMP BH,59
0062300D 74 07 JE SHORT program.00623016
0062300F 80FF 68 CMP BH,68

Help me to crack this dongle.



I think you are far away from the actual Hasp implementation routine. This (incomplete, poorly commented and irrelevant) code is only sorting out what to do with unexpected contents of BH, which specify the service number. You need to learn assembly and code flow, no way around it. . .

Look somewhere else for the implementation, emulation, DO NOT PM asking me to do the work for you. . .

blackhat
August 20th, 2005, 07:46
Hello naides,
Actually I searched through basic HASP cracking, read the documents, and got an idea of the various services (I am using OllyDbg),
and finally I got this one. As a newbie, help me by giving some hints.
You said those are unimportant codes; then how can I find the relevant ones? Please consider that I am a newbie; please don't ask me to search. I virtually went through all of the threads relating to HASP, and I think I got
some idea. I am sure I am not a big zero in dongles; I know something.
And as for Woodmann's response, I got stuck on something. Again I am
requesting you to consider me and please give me some hints.

With hope,
blackhat.

naides
August 20th, 2005, 08:09
Hints:

When
00622FC0 F8 CLC
00622FC1 C3 RETN
00622FC2 F9 STC
00622FC3 C3 RETN

returns AND BH == 3C, AND the carry flag is set (== 1), the code proceeds to implement whatever service 3C is. Follow the code.

Hint 2:

00622FC4 80FF 28 CMP BH,28
00622FC7 74 55 JE SHORT program.0062301E

Apparently something important happens when BH == 28; look at the code at .0062301E and see what the deal is.

00622FC9 80FF 28 CMP BH,28
00622FCC 72 4B JB SHORT program.00623019

If BH happens to be < 28, some more stuff happens at .00623019. . .

Look at the code there and see what happens.


DESPITE MY BLACK HUMOR, I AM NOT MAKING FUN OF YOU. I was and am giving you hints about where to look. Nothing crucial is going on in this piece of code; patching here does not take you anywhere. . .

This code only figures out what HASP service is being called (BH contains the service identifier) and distributes the code flow accordingly.



blackhat
August 20th, 2005, 09:43
Dear naides,
Really, I am not thinking that "you are making fun of me".
First of all, thanks for giving me hints. I have been here in dongles for only
about one month, but virtually I spent almost all my time reading about
HASP, both official and unofficial. You said you are giving me hints, and at the same time you said "Nothing crucial is going on in this piece of code, patching here does not take you anywhere." But I never asked you to crack the dongle; actually I want the real hints. I never asked you to crack the dongle, BUT I AM REQUESTING YOU, AND I THINK IT IS MY RIGHT TO ASK ALL THESE MATTERS OF A SENIOR GUY LIKE YOU.

Looking forward to hearing from you,
blackhat.

saber
August 20th, 2005, 11:29
Dude,
What kind of HASP are you trying to crack? Is it HASP 3 or HASP 4? If it is HASP 4, then what kind of application is it? I mean, does it protect database or HTML files? If that is the case then maybe I can help you.

blackhat
August 21st, 2005, 11:03
Hello rithuraj,
Let me say that I am a newbie in dongle cracking, and it is nice to know that you are also using OllyDbg. In fact one of my best tutorials on
HASP is the one I got from your post (from Rapidshare), from a guy called Ricardo
Narvaja. From the above you may have come to know that I am working hard on my dongle. I got CMP BH,32 from a BP on FreeEnvironmentStringsA (same as the screenshot in your new post), and after some routines I got the above locations showing the various services. But I don't know how to find which HASP it is using.
I think you will help me on that. I think there is a hard lock envelope on my application; I have got
.text
.rdata
.data
_TEXT_HA
.rsrc
.protect
..sections. Does my application consist only of the HASP envelope, or both?

I think the tutorial by Ricardo Narvaja is not complete; is the next part available?

I think you will help me..
BLACKHAT.

CrackZ
August 21st, 2005, 11:57
Hiya,

All I can say here is that this thread is VERY confused.....

blackhat - your first code post should have been all you needed. You simply need to put a breakpoint at 620316 and read the HASP assembler implementation (available from my Dongles page if I remember rightly). The service number will be in BH; then you can simply trace over the haspreg() call and modify the registers according to the service. You won't know what dongle type it expects until you get a call to service 5 (HaspStatus()); then you can trace the checks on the returns.

The rest of the code you have pasted is simply the HASP API going through its internal motions of working out the parameters it has been asked to action. It is simply nuts to patch at this level unless you plan on re-writing a significant part of the API.

The fact you've hit a breakpoint on FreeEnv.... says to me this is HASP 3 or a very early HASP 4; all the later HASP 4 / HL implementations don't use this API object.

Regards

CrackZ.

saber
August 21st, 2005, 15:27
Blackhat,
I think we are both on the same footing. The next step for you would be to calculate the response codes one by one. A tedious job!!! You need more help with tutorials. Yes, I have all the HASP tutorials of Ricardo Narvaja (including the second part of the above tutorial). If anyone wants them, PM me; I will be glad to email them. I have calculated the response codes; now all I need is some help as to where to write them.
CrackZ, you have got to help me on this one. Please take a look at my snapshot (ttp://rapidshare.de/files/4190330/hasp_shot_3.jpg.html) and advise me where to begin writing the emulator. Come on guys, we have come a long way learning to emulate HASP; please help us out of this one.

blackhat
August 24th, 2005, 21:41
Hello CrackZ,
Actually I can't find any services here. I put a breakpoint at
PUSH EBP; tracing from there I couldn't get any services, and all I got
after this PUSH EBP was CMP BH,5. Where are the IsHasp services etc.?
Help me.

With hope,
blackhat

saber
April 21st, 2006, 23:18
Quote:
[Originally Posted by CrackZ]

The fact you've hit a breakpoint on FreeEnv.... says to me this is HASP 3 or a very early HASP 4, all the later HASP 4 / HL implementations don't use this API object.

Regards

Sorry to disturb you CrackZ. But I have a software using HASP that does not break on FreeEnvironmentStringsA. Can you please suggest a breakpoint to find the HASP calls and API?

peterg70
April 22nd, 2006, 20:33
A simple thought..
Why not download the HASP logger, which will log each call to the HASP routine (even without the dongle).

Then trace through your target (with OllyDbg if you wish) and conduct some step-over commands. When you see something appear in the logger, note what call you stepped over and then step into it. Repeat and you will easily find the routines checking dongle presence. Then start to guess what the response should be, i.e. check for CMP/JNE commands and change the register to suit. See what it does etc.

To make it easier, CrackZ and others have released signature files for IDA. These can be applied to your target via OllyDbg and will then show you all the HASP routines etc.
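The thread describes two halves of the same job: CrackZ's advice to break at the service call, read the service number from BH and set the four result registers that the listing stores back through [EBP+1C]..[EBP+28], and peterg70's suggestion to log the real calls first. The Python below is an added example, not code from this thread, from CrackZ's page or from Aladdin's API, showing how a logged set of calls becomes a replay-style emulator. Assumptions: service numbers 1..6 are the HASP API services IsHasp, HaspCode, ReadWord, WriteWord, HaspStatus and HaspID; the log line format, the passwords, seeds and every returned value are constructed for the example and are not any real dongle's responses; the behaviour on wrong passwords (treat the dongle as absent) is modelled rather than measured.

```python
"""Replay-style HASP service emulator built from a constructed call log (example code)."""
import re
from dataclasses import dataclass

# HASP API service numbers (the number the assembler implementation carries in BH).
IS_HASP, HASP_CODE, READ_WORD, WRITE_WORD, HASP_STATUS, HASP_ID = 1, 2, 3, 4, 5, 6

# Constructed sample log. The format is this example's own, not the real HASP
# logger's; each line is one call plus the four values the dongle handed back.
SAMPLE_LOG = """\
svc=1 seed=0x0000 pass1=0x1111 pass2=0x2222 -> 0x0001 0x0000 0x0000 0x0000
svc=5 seed=0x0000 pass1=0x1111 pass2=0x2222 -> 0x0000 0x0000 0x0378 0x0000
svc=6 seed=0x0000 pass1=0x1111 pass2=0x2222 -> 0xABCD 0x0012 0x0000 0x0000
svc=2 seed=0x0001 pass1=0x1111 pass2=0x2222 -> 0x1A2B 0x3C4D 0x5E6F 0x7081
svc=2 seed=0x1234 pass1=0x1111 pass2=0x2222 -> 0x9F8E 0x7D6C 0x5B4A 0x3928
"""

LINE_RE = re.compile(
    r"svc=(\d+) seed=(0x[0-9A-Fa-f]+) pass1=(0x[0-9A-Fa-f]+) pass2=(0x[0-9A-Fa-f]+)"
    r" -> (\S+) (\S+) (\S+) (\S+)"
)


@dataclass
class Call:
    service: int
    seed: int
    pass1: int
    pass2: int
    result: tuple  # (par1, par2, par3, par4) as returned by the dongle


def parse_log(text):
    """Turn logged lines into Call records; a malformed line is an error, not silently skipped."""
    calls = []
    for line in text.splitlines():
        m = LINE_RE.fullmatch(line.strip())
        if not m:
            raise ValueError(f"unparseable log line: {line!r}")
        svc, seed, p1, p2, *res = m.groups()
        calls.append(Call(int(svc), int(seed, 16), int(p1, 16), int(p2, 16),
                          tuple(int(r, 16) for r in res)))
    return calls


class HaspEmulator:
    """Answers services from logged responses. HaspCode is keyed by seed, because
    each seed has its own four-word answer and only the real dongle knows it; a
    seed that was never logged is refused rather than guessed."""

    def __init__(self, calls):
        self.passwords = None
        self.table = {}
        for c in calls:
            self.passwords = (c.pass1, c.pass2)
            key = (c.service, c.seed if c.service == HASP_CODE else 0)
            self.table.setdefault(key, c.result)

    def call(self, service, seed, pass1, pass2):
        # Assumption: with the wrong developer passwords the dongle looks absent,
        # so every result slot is zero (IsHasp's par1 == 0 means "not found").
        if (pass1, pass2) != self.passwords:
            return (0, 0, 0, 0)
        if service == IS_HASP:
            return (1, 0, 0, 0)
        key = (service, seed if service == HASP_CODE else 0)
        if key not in self.table:
            # Mirrors the dispatcher's "no handler for this BH" exit in the listing.
            raise LookupError(f"no logged response for service {service} seed {seed:#06x}")
        return self.table[key]


def result_registers(result):
    """Where the result slots land in the first listing: EAX is stored via [EBP+1C],
    EBX via [EBP+20], ECX via [EBP+24], EDX via [EBP+28]."""
    par1, par2, par3, par4 = result
    return {"EAX": par1, "EBX": par2, "ECX": par3, "EDX": par4}


if __name__ == "__main__":
    emu = HaspEmulator(parse_log(SAMPLE_LOG))
    print(result_registers(emu.call(HASP_CODE, 0x1234, 0x1111, 0x2222)))
```

The point of keying HaspCode responses by seed is the "tedious job" saber mentions: every seed the program uses has to be observed with the real dongle attached, because the emulator can only replay, not compute, those four words. The LookupError is deliberate; returning zeros for an unseen seed would make the program look emulated while silently giving it wrong data.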