06-25-2011, 04:52 AM
SunBeam
Senior Member
Join Date: Jun 2011
Posts: 61

Hello. I am currently writing an article on how the Sentinel HASP Protection System works, with a live target and code explanations (junk, redundant and complementary code removed). It should prove a nice asset once I finish it ;-)

Back to your problem:

1. The error you see in OllyDbg is due to the anti-debug used in the initial envelope. I've not had the time to test whether further along, when the hardware key is inserted, extra anti-debugging is issued. But what I know is that HASP uses CreateToolhelp32Snapshot to map a list of all running processes. Once it does that, it uses the Process32First and Process32Next APIs to retrieve pe32.szExeFile, the process' name. It then appends the ".exe" string at the end of it, if no "." is found. In the end it compares it against a list of predefined targets ("ollydbg.exe" is one of them). You can simply rename it and see if HASP still errors. If it does, then there's extra anti-debugging I've not gotten to yet ;-)

2. In order to unpack the target, let it run at first. Navigate your way to 401000 (usually that's the beginning of code for MOST programs - 98%). Once there, get a feel for which compiler has been used. If it's Delphi, you should find the sysinit function - the function appointed by the FIRST call in a Delphi program, containing a GetModuleHandleA call. If it's Visual Basic, then you simply look for the one PUSH after the whole JMP DWORD PTR [x] sequence (look for these bytes in Olly - FF 25 ?? ?? ?? ?? FF 25 ?? ?? ?? ?? FF 25 ?? ?? ?? ??). Lastly, if it's C++, then you have a few variants - but from what I know, only 2 methods stick out. The first one involves the GetVersionExA API, while the second is for newer builds (MSVC2003, 2005, 2008, 2010) and involves GetSystemTimeAsFileTime.

Whichever your culprit is, APIs need to be resolved beforehand. Why your OS reboots is probably due to the anti-debug plugins used - I found that StrongOD and Phant0m often collide with HASP's driver when used.

ImpREC will show invalid thunks because you didn't solve the redirections. HASP creates a copy of the API thunks, so you have 2 API tables - one holds the REAL values, the other holds the original values + FFFFFFFFs. Find out where your IAT starts and ends, find where the comparison is made to redirect APIs, and also find the magic jump (the conditional based on which HASP redirects an API or not) and you should be able to make HASP rebuild the IAT on its own ;-)

3. I've not used any emulators so far, be it HASP HL or HASP SRM. I assume the connoisseurs around can give you a hand ;-)

Peace,
Sun
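The process-name check from point 1 (Toolhelp snapshot, Process32First/Next, szExeFile, ".exe" appended when no "." is present, compare against a blocklist), reconstructed as an added C example; this is neither HASP's code nor the poster's. The case-insensitive compare, the single-entry blocklist and the sample process names are assumptions; on Windows it performs the real Toolhelp walk, elsewhere a constructed sample list stands in for pe32.szExeFile.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>
#ifdef _WIN32
#include <windows.h>
#include <tlhelp32.h>
#endif
#define MAX_NAME 260
/* Names compared against; "ollydbg.exe" is the only entry the post names. */
static const char *const BLOCKLIST[] = { "ollydbg.exe", NULL };
/* Normalise as the post describes: append ".exe" when the name contains no '.'.
 * Lower-casing for a case-insensitive compare is an assumption. Returns 0 if too long. */
static int normalise_name(const char *raw, char out[MAX_NAME])
{
    size_t n = strlen(raw), i;
    if (n + 5 > MAX_NAME) return 0;               /* room for ".exe" and NUL */
    for (i = 0; i < n; i++) out[i] = (char)tolower((unsigned char)raw[i]);
    out[n] = '\0';
    if (strchr(out, '.') == NULL) strcat(out, ".exe");
    return 1;
}
/* 1 when the normalised name is on the blocklist. A renamed debugger is not
 * matched, which is why a bare name check is a weak indicator on its own. */
int name_is_blocked(const char *raw)
{
    char name[MAX_NAME];
    if (!normalise_name(raw, name)) return 0;
    for (const char *const *p = BLOCKLIST; *p; p++)
        if (strcmp(name, *p) == 0) return 1;
    return 0;
}
int main(void)
{
#ifdef _WIN32   /* the walk the post describes: snapshot, Process32First/Next, szExeFile */
    HANDLE snap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    PROCESSENTRY32 pe32 = { .dwSize = sizeof pe32 };
    if (snap != INVALID_HANDLE_VALUE && Process32First(snap, &pe32)) {
        do {
            if (name_is_blocked(pe32.szExeFile)) printf("blocked: %s\n", pe32.szExeFile);
        } while (Process32Next(snap, &pe32));
        CloseHandle(snap);
    }
#else           /* constructed sample names standing in for pe32.szExeFile values */
    const char *const sample[] = { "explorer.exe", "OLLYDBG", "ollydbg.exe", "olly.exe" };
    for (size_t i = 0; i < 4; i++)
        printf("%-12s -> %s\n", sample[i], name_is_blocked(sample[i]) ? "blocked" : "ok");
#endif
    return 0;
}
```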