Thread: HASP SRM dump
View Single Post
Old 08-28-2013, 06:13 AM
Larry Larry is offline
Join Date: Oct 2008
Posts: 23
Send a message via ICQ to Larry

HASP SRM USB Protocol are crypting by AES. You need make UsbTrace decode tool to decrypt the log.

Dongle use a few AES keys. At least:

* One - for communicate with aksusb.sys driver (functions 2F/AF: check the dongle by white-box AES crypto; you can skip to solve this key now, just install old Sentinel HASP driver < 6.56);

* One - for communicate with HASP License Manager (difference versions of HASP License Manager used defferent AES Keys; now it's a 3 different keys);

* One - for communicate with the protected software (read memory, write memory, hasp_encrypt() / hasp_decrypt() operations, etc).

To decrypt UsbTrace log you need reverse HASP License Manager and modify public HASP Emulator source by Chingachguk & Denger2K.

You can use this drivers' version to reverse the USB Protocol crypting:

It isn't good packed and crypted. You need research the file Windows\system32\hasplms.exe.

You need to use Rjindael AES C++ source code as base for decrypt/encrypt USB Packets. You can find it in Google.

If you done the reverse of decrypt/encrypt packets between HASP SRM and HASP License Manager after dongle's plug, you will need to get the next AES key from the protected software to decrypt UsbTrace Log between HASP SRM - HASP License Manager - The Protected Software. Just open the protected software in IDA Pro or OllyDbg, find the place where api calls to the dongle are forming and crypting by AES, put the breakpoint on the AES setup key function and get the AES key. After it decode respective packets.

Other case if your software used new white-box AES. It's more difficult to recover the AES-key for decode packets between HASP SRM - HASP License Manager - The Protected Software.