HASP HL Unpacking

06-25-2011, 03:45 AM
resac (Join Date: Jun 2011, Posts: 41)

Hello to all seniors.
Here I am with a new question about HASP HL.
I have a dongle dump and the working application too, and I want to unpack it.

1. I have the dongle dump, but while debugging in Olly it either gives an error or the machine completely restarts.
2. How to unpack? I tried all the old tuts: putting a breakpoint on the code section and dumping, and all of that. The problem I'm facing is that in ImpREC it gives all invalid thunks, so how do I solve that?
3. The updated application does not debug in Olly with the emulator. Can we create a new dongle dump with the emulator?

Thank you so much.
06-25-2011, 04:52 AM
SunBeam, Senior Member (Join Date: Jun 2011, Posts: 61)

Hello. I am currently writing an article on how Sentinel HASP Protection System works, with live target and code explanations (removed junk, redundant and complementary code). It should prove a nice asset once I finish it ;-)

Back to your problem:

1. The error you see in OllyDbg is due to the anti-debug used in the initial envelope. I've not had the time to test whether, further along, when the hardware key is inserted, extra anti-debugging is issued. But what I know is that HASP uses CreateToolhelp32Snapshot to map a list of all running processes. Once it does that, it uses the Process32First and Process32Next APIs to retrieve pe32.szExeFile, the process's name. It then appends the ".exe" string to the end of it if no "." is found. In the end it compares it against a list of predefined targets ("ollydbg.exe" is one of them). You can simply rename it and see if HASP errors anymore. If it does, then there's extra anti-debugging I've not gotten to yet ;-)

2. In order to unpack the target, let it run at first. Navigate your way to 401000 (usually that's the beginning of code for MOST programs - 98%). Once there, get a feel for what compiler's been used. If it's Delphi, you should find the sysinit function - the function appointed by the FIRST call in a Delphi program, containing a GetModuleHandleA call. If it's Visual Basic, then you simply look for the one PUSH after the whole JMP DWORD PTR [x] sequence (look for these bytes in Olly - FF 25 ?? ?? ?? ?? FF 25 ?? ?? ?? ?? FF 25 ?? ?? ?? ??). Lastly, if it's C++, then you have a few variants - but from what I know, only 2 methods stick out. The first one involves the GetVersionExA API, while the second is for newer builds (MSVC 2003, 2005, 2008, 2010) and involves GetSystemTimeAsFileTime.

Whichever your culprit is, APIs need to be resolved beforehand. Why your OS reboots is probably due to the anti-debug plugins used - I found that StrongOD and Phant0m often collide with HASP's driver when used.

ImpREC will show invalid thunks because you didn't solve the redirections. HASP creates a copy of the API thunks, so you have 2 API tables - one holds the REAL values, the other holds the original values + FFFFFFFFs. Find out where your IAT starts and ends, find where the comparison is made to redirect APIs, and also find the magic jump (the conditional based on which HASP redirects an API or not) and you should be able to make HASP rebuild the IAT on its own ;-)

3. I've not used any emulators so far, be it HASP HL or HASP SRM. I assume the connoisseurs around can give you a hand ;-)

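As an added example that is not part of this thread (my own code, not SunBeam's and not anything taken from HASP), here are two of the steps from the reply above worked through in Python over constructed bytes: the wildcard byte search for the VB6 run of FF 25 thunks and the PUSH that follows it, and the IAT side of the problem: labelling thunks the way an import rebuilder such as ImpREC sees them, locating the second table of real export addresses in a dump, and copying those addresses back over the redirected entries. Every address in it is an assumption: the image base, the DLL and envelope ranges, the sample dump, and the assumption that the two tables line up index for index with 0 / FFFFFFFF as separators. A real target will differ, so read it as an illustration of the idea, not as HASP's actual layout.

```python
"""Constructed illustration of two unpacking steps described in the reply:
1) OllyDbg-style '??' wildcard byte search for the VB6 thunk run,
2) spotting redirected IAT thunks, finding the table of real export
   addresses in a dump, and rebuilding the IAT from it.
All addresses and sample bytes below are made up for the example."""
import struct

IMAGE_BASE = 0x00400000            # assumed 32-bit image base
# Constructed ranges standing in for loaded system DLLs; anything outside
# them (e.g. the envelope's redirect stubs) is treated as a bad thunk.
DLL_RANGES = [(0x7C800000, 0x7C900000), (0x77DD0000, 0x77E70000)]
SEPARATORS = (0x00000000, 0xFFFFFFFF)   # assumed table terminators/markers


def find_pattern(buf, pattern):
    """Offsets of every match of a hex pattern in buf; '??' is a wildcard
    byte, mirroring OllyDbg's binary search syntax."""
    toks = [None if t == "??" else int(t, 16) for t in pattern.split()]
    n = len(toks)
    return [i for i in range(len(buf) - n + 1)
            if all(t is None or buf[i + j] == t for j, t in enumerate(toks))]


VB_THUNK_RUN = "FF 25 ?? ?? ?? ?? FF 25 ?? ?? ?? ?? FF 25 ?? ?? ?? ??"


def vb_push_after_thunks(code, base=IMAGE_BASE):
    """VA of the first PUSH imm32 (opcode 68) after the run of
    JMP DWORD PTR [x] thunks that opens a VB6 code section, or None."""
    hits = find_pattern(code, VB_THUNK_RUN)
    if not hits:
        return None
    pos = hits[0]
    while code[pos:pos + 2] == b"\xff\x25":   # step over each 6-byte thunk
        pos += 6
    return base + pos if code[pos:pos + 1] == b"\x68" else None


def in_ranges(addr, ranges):
    return any(lo <= addr < hi for lo, hi in ranges)


def classify_thunks(entries, dll_ranges=DLL_RANGES):
    """Label each IAT dword the way an import rebuilder would see it."""
    out = []
    for v in entries:
        if v in SEPARATORS:
            out.append("sep")
        elif in_ranges(v, dll_ranges):
            out.append("ok")
        else:
            out.append("invalid")   # points at a redirect stub, not a DLL
    return out


def find_real_table(mem, base, length, dll_ranges=DLL_RANGES):
    """Scan a dump for the table of real values: `length` consecutive dwords
    that are all DLL export pointers or separators. Returns its VA or None."""
    dwords = struct.unpack("<%dI" % (len(mem) // 4), mem)
    for i in range(len(dwords) - length + 1):
        window = dwords[i:i + length]
        if (all(v in SEPARATORS or in_ranges(v, dll_ranges) for v in window)
                and any(in_ranges(v, dll_ranges) for v in window)):
            return base + 4 * i
    return None


def rebuild_iat(redirected, real, dll_ranges=DLL_RANGES):
    """Replace every redirected thunk with the real export address at the
    same index; thunks HASP left alone and separators are kept as they are."""
    if len(redirected) != len(real):
        raise ValueError("tables must have the same number of entries")
    fixed = []
    for r, v in zip(redirected, real):
        if r in SEPARATORS or in_ranges(r, dll_ranges):
            fixed.append(r)
        elif in_ranges(v, dll_ranges):
            fixed.append(v)
        else:
            raise ValueError("no real address for thunk 0x%08X" % r)
    return fixed


# --- constructed sample data (not from any real target) -------------------
# Three JMP DWORD PTR [x] thunks, then PUSH 00401240 / CALL: a VB6-style start.
SAMPLE_CODE = (b"\x90" * 4
               + b"\xff\x25\x00\x10\x40\x00"
               + b"\xff\x25\x04\x10\x40\x00"
               + b"\xff\x25\x08\x10\x40\x00"
               + b"\x68\x40\x12\x40\x00"
               + b"\xe8\x00\x00\x00\x00")

REDIRECTED_IAT = [0x00612340, 0x00612380, 0xFFFFFFFF, 0x77DD1234, 0x006123C0, 0x00000000]
REAL_IAT       = [0x7C80B741, 0x7C80AE40, 0xFFFFFFFF, 0x77DD1234, 0x77DD5678, 0x00000000]

# A tiny "dump": junk dwords, the real table, more junk.
MEM_BASE = 0x00610000
SAMPLE_MEM = (struct.pack("<4I", 0x12345678, 0x00612340, 0x41414141, 0xCCCCCCCC)
              + struct.pack("<6I", *REAL_IAT)
              + struct.pack("<2I", 0xDEADBEEF, 0x00000001))

if __name__ == "__main__":
    print("VB start PUSH at 0x%08X" % vb_push_after_thunks(SAMPLE_CODE))
    print("rebuilder view:", classify_thunks(REDIRECTED_IAT))
    print("real table at 0x%08X" % find_real_table(SAMPLE_MEM, MEM_BASE, len(REAL_IAT)))
    print("rebuilt:", ["0x%08X" % v for v in rebuild_iat(REDIRECTED_IAT, REAL_IAT)])
```

On a real dump you would feed `find_real_table` the section bytes and base you dumped, and take the DLL ranges from the module list in your debugger; the length of the run is the thunk count you already know from the image's import directory. `classify_thunks` is the quick way to answer the "which thunks have to be resolved" question: everything it marks `invalid` is what the rebuilder rejects.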
06-25-2011, 06:52 AM
besoeso, Senior Member (Join Date: Dec 2008, Posts: 118)

Good explanation, friend; waiting for your great work.
06-25-2011, 11:18 AM
resac (Join Date: Jun 2011, Posts: 41)

Thanks for the great explanation, sir.

My question about the explanation is: how do I find the APIs to resolve the thunks, as I am getting all invalid thunks, and how do I find which ones have to be resolved?

Thank you, and waiting for your reply. I am also waiting for your work, sir.