bloodlust026
03-18-2008, 08:52 AM
This is a segment from a PDF file that shows you how to remove the envelope of a HaspHL-encrypted program. The part I'd like to show you is where it says "Hardening OllyDbg".
Hasp-HL Envelope Removal
The encryption itself encrypts code and data. Resources are not encrypted even if the resource section is included in the list of sections to be encrypted. The Import Address Table (IAT) is encrypted and some APIs are redirected to the security engine (see also the detailed list of the 633 redirected APIs in the appendix). For the runtime check a separate thread is initiated. Anti-debugging measures are in place which are mainly active at program start-up time. Once the security engine has decrypted the program it can be dumped to disk. After the IAT of the dump is restored and the program is reset to the Original Entry Point (OEP), the executable can be run without the HASP-HL.
2.1 Locating the Original Entry Point (OEP)
The OEP can be located using the standard hacker tool OllyDbg. Due to anti-debug measures some hardening of the debugger is required.
2.1.1 Installing OllyDbg and the necessary plugins
OllyDbg is copied into a separate directory; no dedicated installation is necessary. OllyDbg can be obtained from various websites including its homepage:
http://www.ollydbg.de/
The current version, 1.10, is the preferred version. To analyze HASP-HL it is necessary to install two plugins into OllyDbg: IsDebuggerPresent and OllyDump. These plugins are available from:
http://ollydbg.win32asmcommunity.net/stuph/
The plugins are simply copied into the same directory as OllyDbg.
2.1.2 Hardening OllyDbg
OllyDbg will be recognized by one of the several text references to OllyDbg inside the code. The usual way to evade this kind of debugger detection is to replace all occurrences of the string OllyDbg inside the executable with something else of the same length. The filename of the executable should also be changed to this alternate name. Due to the structure of the plugins it is necessary to keep an original copy of OllyDbg in the same directory as the modified version. The string replacement can be done with any hex editor.
That is done to ensure that the protected software doesn't detect OllyDbg as a debugger. Is there a similar method that can be applied to any Hasp loggers (Toro? Xyrurg+Sataron? Others?)? The dongle I'm trying to emulate requires me to make a Q/A table, but the software detects all of the loggers and crashes. I need to modify a logger so it isn't detected as a debugger.
Has anyone done this before or have a different solution?
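The "Hardening OllyDbg" step quoted above is a same-length string patch; below is an added example of how to do that patch and verify it, written for this thread and not taken from the PDF or from the poster. It assumes the replacement name "MoonDog" (any seven-character ASCII name works; it mirrors the capital letters of "OllyDbg" so the case-preserving rewrite is easy to read) and runs against a constructed byte blob standing in for the executable, not a real OllyDbg image. Two practitioner details the PDF leaves implicit: the name appears in more than one case (the main window class is registered as "OLLYDBG", which is what FindWindow-based checks look up, while the title bar carries "OllyDbg"), so the search is case-insensitive; and Windows stores many strings as UTF-16LE, so the wide form is patched too. The length check guarantees no offset inside the PE image moves, and the count after patching confirms nothing survived. Keep the original OllyDbg.exe beside the patched copy for the plugins, as the PDF says.

```python
"""Same-length, case-preserving replacement of a debugger name inside a
binary (ASCII and UTF-16LE forms), with a verification pass afterwards."""
from __future__ import annotations

import re
import sys


def _case_like(template: str, new: str) -> str:
    """Shape `new` to the upper/lower-case pattern of `template`,
    so "OLLYDBG" -> "MOONDOG" and "ollydbg" -> "moondog"."""
    return "".join(n.upper() if t.isupper() else n.lower()
                   for t, n in zip(template, new))


def _patterns(old: str) -> tuple[re.Pattern[bytes], re.Pattern[bytes]]:
    """Case-insensitive byte patterns for the ASCII and UTF-16LE forms."""
    ascii_pat = re.compile(re.escape(old.encode("ascii")), re.IGNORECASE)
    wide_pat = re.compile(
        b"".join(re.escape(c.encode("ascii")) + b"\x00" for c in old),
        re.IGNORECASE)
    return ascii_pat, wide_pat


def count_occurrences(data: bytes, old: str) -> tuple[int, int]:
    """Return (ascii_hits, utf16le_hits) for `old` in `data`."""
    ascii_pat, wide_pat = _patterns(old)
    return len(ascii_pat.findall(data)), len(wide_pat.findall(data))


def patch_strings(data: bytes, old: str, new: str) -> tuple[bytes, int]:
    """Replace every ASCII and UTF-16LE occurrence of `old` with `new`.

    Lengths must match: the patch must never shift an offset in the image."""
    if len(old) != len(new):
        raise ValueError("replacement must be the same length as the original")
    if not (old.isascii() and new.isascii()):
        raise ValueError("only ASCII names are handled here")
    ascii_pat, wide_pat = _patterns(old)
    out = bytearray(data)
    hits = 0
    for m in ascii_pat.finditer(data):
        out[m.start():m.end()] = _case_like(
            m.group().decode("ascii"), new).encode("ascii")
        hits += 1
    for m in wide_pat.finditer(data):
        text = m.group().decode("utf-16-le")
        out[m.start():m.end()] = _case_like(text, new).encode("utf-16-le")
        hits += 1
    assert len(out) == len(data)  # same-length patch, offsets untouched
    return bytes(out), hits


def patch_file(src: str, dst: str, old: str, new: str) -> int:
    """Write a patched copy to `dst` (the renamed executable), verify that
    no occurrence of `old` survives, and leave `src` untouched for plugins."""
    with open(src, "rb") as f:
        data = f.read()
    patched, hits = patch_strings(data, old, new)
    left = count_occurrences(patched, old)
    if left != (0, 0):
        raise RuntimeError(f"unreplaced occurrences remain: {left}")
    with open(dst, "wb") as f:
        f.write(patched)
    return hits


# Constructed sample blob (not a real OllyDbg image): an upper-case window
# class name, a mixed-case title, a UTF-16LE copy and a lower-case file name.
SAMPLE = (b"MZ\x90\x00" + b"\x00" * 16
          + b"OLLYDBG\x00"
          + b"OllyDbg - [CPU]\x00"
          + "OllyDbg".encode("utf-16-le") + b"\x00\x00"
          + b"ollydbg.exe\x00")

if __name__ == "__main__":
    if len(sys.argv) == 5:
        # usage: script.py OLLYDBG.EXE MOONDOG.EXE OllyDbg MoonDog
        n = patch_file(sys.argv[1], sys.argv[2], sys.argv[3], sys.argv[4])
        print(f"patched {n} occurrence(s) into {sys.argv[2]}")
    else:
        patched, n = patch_strings(SAMPLE, "OllyDbg", "MoonDog")
        print(n, count_occurrences(patched, "OllyDbg"))
```

Run it with the four arguments to produce the renamed, patched copy next to the original; without arguments it exercises the constructed sample. Strings that are built at run time or stored obfuscated will not be caught by a byte search, so a patched debugger is only as hidden as the strings that were visible in the file.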