View Full Version : HASP calls


Tom_Smith
December 28th, 2006, 19:08
I'm trying to identify the location of HASP calls in a program I am "reversing".

This program now can be accessed with either a parallel port HASP
or USB HASP (of course, you have to buy the program to get these).

The program only used parallel port HASPs last year, not USBs;
I don't know if that matters.

However, the parallel port HASP from last year still works with the new version of the program.

With last year's version of this program, I "overcame" the HASP via a software "alteration", as the HASP code marker
CMP BH,32
stood out like a sore thumb.

I have looked for the usual HASP marker this year
CMP BH,32
but it's nowhere to be found in any program module.

Some say a search for the API
Call {&Kernel32.FreeEnvironmentStringsA}
would reveal the location of the HASP call, but that was never the case.

I wonder if anyone knows any other code that is generally associated with
HASP calls.

I am going to set conditional breakpoints on register contents and see if some known values get plugged in (namely, values used with last year's program).
I assume the values from last year are still used, as the older parallel port HASP still works,
but I don't know if the same registers are being utilized.

-Tom.

naides
December 28th, 2006, 22:33
Without knowing much detail (RCE involves a lot of guesswork and intuition), this is what I would try.

Disassemble last year's program, and look at the code around CMP BH,32, which you know is involved in HASP validation.

Look at API call patterns, particularly in the code that calls this code.

Programmers like to reuse their code, and while they or HASP may have altered the HASP security code fundamentally, the rest of the program, particularly the code that calls the HASP validation routines, may still be the same or similar.

Now disassemble the new version and look for similar API "PATTERNS", constants, series of API calls.

If you want to get more sophisticated, get your hands on BINDIFF, or its freeware equivalent (its name escapes my head right now), which will compare the two IDA disassemblies and pinpoint similar and different code structures...

That way you may locate the new HASP routines and, please, if you do, get back to the board and inform everyone else of the new HASP signatures that you identify.

CrackZ
December 29th, 2006, 14:51
Hiya,

If you can priv msg me the name and a location of the target I'm sure I can find the HASP API.

Regards

CrackZ.