Reverse Engineering Team Board

Reverse Engineering Team Board (http://www.reteam.org/board/index.php)
-   Reverse Code Engineering (http://www.reteam.org/board/forumdisplay.php?f=23)
-   -   Hasp Hl Unpacking. (http://www.reteam.org/board/showthread.php?t=4008)

resac 06-25-2011 03:45 AM

Hasp Hl Unpacking.
 
Hello to all seniors.
Here I am with a new question about HASP HL.
I have a dongle dump and a working application, and I want to unpack it.

Questions:

1. I have a dongle dump, but while debugging in Olly it either gives an error or the machine completely restarts.
2. How to unpack? I tried all the old tutorials: putting a breakpoint on the code section and dumping, and all that. The problem I am facing is that ImpREC gives all invalid thunks, so how do I solve it?
3. The updated application does not debug in Olly with the emulator. Can we create a new dongle dump with the emulator?


Thank you so much.

SunBeam 06-25-2011 04:52 AM

Hello. I am currently writing an article on how the Sentinel HASP Protection System works, with a live target and code explanations (junk, redundant and complementary code removed). It should prove a nice asset once I finish it ;-)

Back to your problem:

1. The error you see in OllyDbg is due to the anti-debug used in the initial envelope. I've not had the time to test whether further along, when the hardware key is inserted, extra anti-debugging is issued. But what I know is that HASP uses CreateToolhelp32Snapshot to map a list of all running processes. Once it does that, it uses the Process32First and Process32Next APIs to retrieve pe32.szExeFile, the process's name. It then appends the ".exe" string at the end of it if no "." is found. In the end it compares it against a list of predefined targets ("ollydbg.exe" is one of them). You can simply rename it and see if HASP errors any more. If it does, then there's extra anti-debugging I've not gotten to yet ;-)

2. In order to unpack the target, let it run at first. Navigate your way to 401000 (usually that's the beginning of code for MOST programs - 98%). Once there, get a feel for what compiler has been used. If it's Delphi, you should find the sysinit function - the function appointed by the FIRST call in a Delphi program, containing a GetModuleHandleA call. If it's Visual Basic, then you simply look for the one PUSH after the whole JMP DWORD PTR [x] sequence (look for these bytes in Olly - FF 25 ?? ?? ?? ?? FF 25 ?? ?? ?? ?? FF 25 ?? ?? ?? ??). Lastly, if it's C++, then you have a few variants - but from what I know, only 2 methods stick out. The first one involves the GetVersionExA API, while the second is for newer builds (MSVC 2003, 2005, 2008, 2010) and involves GetSystemTimeAsFileTime.

Whichever your culprit is, APIs need to be resolved beforehand. Why your OS reboots is probably due to the anti-debug plugins used - I found that StrongOD and Phant0m often collide with HASP's driver when used.

ImpREC will show invalid thunks because you didn't solve the redirections. HASP creates a copy of the API thunks, so you have 2 API tables - one holds the REAL values, the other holds the original values + FFFFFFFFs. Find out where your IAT starts and ends, find where the comparison is made to redirect APIs, and also find the magic jump (the conditional based on which HASP redirects an API or not) and you should be able to make HASP rebuild the IAT on its own ;-)

3. I've not used any emulators so far, be it HASP HL or HASP SRM. I assume the connoisseurs around can give you a hand ;-)

Peace,
Sun
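
The process-name check SunBeam describes in point 1, written out as an added illustration (this is not SunBeam's code nor anything taken from HASP). It models the `szExeFile` field of the Toolhelp snapshot with a constructed array instead of calling `CreateToolhelp32Snapshot`/`Process32First`/`Process32Next`, so it compiles anywhere. The ".exe"-appending rule and the "ollydbg.exe" entry are from the post; the second block-list entry, the lower-casing before comparison and the helper names (`normalise_name`, `is_blocked_name`, `scan_snapshot`) are assumptions made here. The second snapshot shows the property the post points out: the check is a plain string match, so a renamed executable passes it.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define EXE_NAME_MAX 260   /* MAX_PATH, the size of PROCESSENTRY32.szExeFile */

/* Constructed stand-in for one PROCESSENTRY32 record: only szExeFile matters
   for this check. On Windows these records come from CreateToolhelp32Snapshot
   followed by Process32First/Process32Next. */
typedef struct {
    char szExeFile[EXE_NAME_MAX];
} process_entry_t;

/* Block list as the post describes it. "ollydbg.exe" is the entry named in the
   thread; "hypotheticaldbg.exe" is a made-up entry to show list handling. */
static const char *const blocked_names[] = {
    "ollydbg.exe",
    "hypotheticaldbg.exe",
};
static const size_t blocked_count = sizeof blocked_names / sizeof blocked_names[0];

/* Normalise a raw process name: append ".exe" when it contains no '.', then
   lower-case it. The ".exe" rule is the one the post describes; lower-casing
   is an assumption added here to match Windows' case-insensitive file names.
   Returns 0 if the result would not fit in out, 1 otherwise. */
int normalise_name(const char *raw, char *out, size_t out_len) {
    size_t n = strlen(raw);
    int needs_ext = (strchr(raw, '.') == NULL);
    size_t total = n + (needs_ext ? 4 : 0);
    if (total + 1 > out_len) return 0;
    for (size_t i = 0; i < n; i++)
        out[i] = (char)tolower((unsigned char)raw[i]);
    if (needs_ext) memcpy(out + n, ".exe", 4);
    out[total] = '\0';
    return 1;
}

/* 1 if the normalised name is on the block list, 0 otherwise. A plain string
   compare is all the check does, which is why renaming the file defeats it. */
int is_blocked_name(const char *raw) {
    char name[EXE_NAME_MAX + 4];
    if (!normalise_name(raw, name, sizeof name)) return 0;
    for (size_t i = 0; i < blocked_count; i++)
        if (strcmp(name, blocked_names[i]) == 0) return 1;
    return 0;
}

/* Walks a snapshot and returns the index of the first blocked entry,
   or -1 if every process passes. */
int scan_snapshot(const process_entry_t *entries, size_t count) {
    for (size_t i = 0; i < count; i++)
        if (is_blocked_name(entries[i].szExeFile)) return (int)i;
    return -1;
}

/* Constructed snapshots for the demonstration. */
static const process_entry_t sample_snapshot[] = {
    { "explorer.exe" },
    { "OLLYDBG" },        /* no '.', so ".exe" is appended before matching */
    { "notepad.exe" },
};
static const process_entry_t renamed_snapshot[] = {
    { "explorer.exe" },
    { "dbgtool.exe" },    /* same program under another name: passes the check */
};

int main(void) {
    int hit = scan_snapshot(sample_snapshot, 3);
    printf("sample snapshot: %s\n",
           hit < 0 ? "no blocked process" : sample_snapshot[hit].szExeFile);
    hit = scan_snapshot(renamed_snapshot, 2);
    printf("renamed snapshot: %s\n",
           hit < 0 ? "no blocked process" : renamed_snapshot[hit].szExeFile);
    return 0;
}
```

The first scan reports `OLLYDBG` (normalised to `ollydbg.exe`) at index 1; the second reports nothing, because the check never looks past the file name.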

besoeso 06-25-2011 06:52 AM

@SunBeam

Good explanation, friend; waiting for your great work.

resac 06-25-2011 11:18 AM

Thanks for the great explanation, sir.

My question on the explanation is: how do I find the APIs to resolve the thunks, as I am getting all invalid thunks, and how do I find which ones have to be resolved?

Thank you, and waiting for your reply. And I am also waiting for your work, sir. :)
