View Single Post
Old 07-16-2009, 12:51 PM
Git Git is offline
Super Moderator
Join Date: Oct 2007
Location: Torino
Posts: 1,797

Often thie shell/envelope encryption is applied several times on top of each other. Unless you have tools to generate the emulator parameters, it can be a pain to do manually. It is achieved with multiple layers of encryption using the dongle API hasp_encrypt and decrypted during run with hasp_decrypt.

Usual method is to make basic emulator, run target and hasp logger until it puts up error dialog, then save dump as dump01.exe. Search the dump01.exe for input parameter to any of the hasp_decrypt calls in the log. When you find it, search back in the file for non-Unicode string GetTickCount followed by 4 0x00 bytes. Count another 4 bytes and then you have the start of the Q/A pairs block, so if GetTickCount string starts at 0x11F50, block starts at 0x11F64. Copy 0x1000 bytes from that address to a file called, say, pairs01.bin. The first 2048 bytes of that file represent 128 ATable entries for emulator and last 2048 bytes represent 128 corresponding QTable entries. Add those 128 Q/A pairs to the emulator and restart emulator. Much easier if you write a small program to convert pairs.bin to registry entries.

Now run application and hasp logger again. Again, it will maybe put up error dialog about Envelope. Again save dump, this time as dump02.exe. Search through dump02.exe for input value of hasp_decrypt call in log. Same as before, search back for GetTickCount, copy 4096 byte block from 8 bytes past GetTickCount to new file pairs02.bin. Add the new 128 pairs to the emulator and restart. This time the application may run, maybe not. Repeat procudure until no Envelope error. You now have emulator covering all envelope hasp_decrypt calls. If the programmer was clever, he has used the API and there will be many hasp_decrypt and hasp_encrypt calls in the program with random parameters and it is almost impossible to emulate. However, many programmers do nothing more than put shell/envelope around program and call it protected. If so, you now have 100% emulation of dongle for that app.

Reply With Quote