  #1  
01-14-2008, 02:21 PM
fejkus
Member

Join Date: Dec 2007
Posts: 46
Emulating Hasp HL max

Dumping Hasp HL keys

How Hasp HL Max can be emulated: http://www.aladdin.com/hasp/max.aspx. It works, of course, for Pro and Time.

What we need:
  • a key
  • dumper – I used h5dmp.exe
  • TORO hasp monitor
  • Sataron’s UniDMP2reg converter
  • emulator – I used Chingachguk vusb emulator

1. So at first, install the dongle drivers, connect the dongle, and run the TORO monitor.
2. Start your protected application and use it.
3. In the TORO monitor you will see the password for your key and the memory of your dump. So use your protected software as usual, try to open all menus and dialogs, use every function …
4. Save the log file.
5. Use the dumper and dump the key. The result will be two files: hasp.dmp (about 790 B in my case) and hhl_mem.dmp (about 4 KB).
6. Then use Sataron’s Unidump2reg and make a reg file (use the vUSB Hasp HL option). You can edit this regfile and change the licensing of your program (if it uses it – HL Max can be used for 112 programs).
7. And now the most important thing. Hasp HL uses enveloping technology with a 128-bit AES symmetric encryption engine on the key.

In the TORO log we will find pairs. They can be found in the pairs window too.

Instructions can look like this one:

Code:
HaspHL In:> Hasphl_decrypt, Length=32
Data:
4284 ... ... ... 84ADA4 – It is a question for hash key
HaspHL Out:> Hasphl_decrypt Status=0 (0x0)
Response:
8222 ... ... ... 84ADA4 – And the key respond – it is his answer
(I removed part of the code)

So what will we do with it? We will make a Q/A table. This is the Questions and Answers table in the reg file. I added it at the end of the file.

Data or question of IN – write in Qtable
Response or answer or OUT – write in Atable
Data should be written in pairs like this: 4284 ... ... ... 84ADA4 should be written as: 42,84, ... ... ... 84,AD,A4

The end of the regfile should look like this:

Code:
... regfile

"QTable"=hex:\
42,84,... 84,AD,A4,\

 
"ATable"=hex:\
82,22,C2 ... 84,AD,A4,\
Your program can use only one Q/A pair or very many. You must add them all. Then you can save your regfile.


8. Add the reg file to the registry.
9. Unplug your dongle.
10. Install the Chingachguk & Denger emulator; vusbbus.sys must be 0.15 or above. If all went fine, a new device Hasp HL was found.
11. Your program should run.


I hope this text will help.

Vusb 0.15.1.4 can handle the encrypt function too.

For a large number of Q/A pairs from Toro Emulator, you can use the splitter.
Attached Files
File Type: zip Splitter.zip (43.2 KB, 2963 views)
File Type: zip Splitter1.1.zip (39.7 KB, 2440 views)
File Type: zip vusb_0.15.zip (51.4 KB, 2765 views)
File Type: zip vusb_0.15.4.zip (24.1 KB, 2178 views)
File Type: zip multikey_18.0.2-x86.ZIP (59.7 KB, 2077 views)

Last edited by fejkus : 10-13-2009 at 06:08 AM.
  #2
01-14-2008, 02:50 PM
benito
Senior Member

Join Date: Jul 2007
Posts: 685

Hm, but what will you do if the program generates different Q/A pairs on each run?
  #3
01-14-2008, 03:25 PM
justine
Senior Member

Join Date: Dec 2007
Location: Serbia,Belgrade
Posts: 82

I never saw an application that uses one query/response.

I have one HaspHL-protected soft that has about 1200 pairs )

So it's almost impossible to construct the table manually.
  #4
01-14-2008, 03:27 PM
Tyrus
Senior Member

Join Date: Dec 2007
Posts: 60

Quote:
Originally Posted by benito
Hm, but what will you do if the program generates different Q/A pairs on each run?

Dump the program on the first AES request & find the QA tables, but the public emulator does not work fully correctly.

Last edited by Tyrus : 01-14-2008 at 03:33 PM.
  #5
01-14-2008, 03:43 PM
fejkus
Member

Join Date: Dec 2007
Posts: 46

You can always make some program to solve this problem automatically.


A Q/A table probably will not solve this problem.

Last edited by Git : 08-10-2010 at 10:37 AM.
  #6
01-14-2008, 05:48 PM
foffa
Senior Member

Join Date: Jul 2007
Location: %TEMP%
Posts: 344

Quote:
Originally Posted by fejkus
A Q/A table probably will not solve this problem.

I don't know whether this is right??

The program generates random q\r
  #7
01-14-2008, 05:49 PM
benito
Senior Member

Join Date: Jul 2007
Posts: 685

Quote:
Originally Posted by Tyrus
Dump the program on the first AES request & find the QA tables, but the public emulator does not work fully correctly.

I thought that commercial emulators also support only table emulation, so in this case, if the program generates different Q/A pairs at each start, you can't emulate it...?! Or am I wrong and there are full solutions?
  #8
01-14-2008, 06:00 PM
foffa
Senior Member

Join Date: Jul 2007
Location: %TEMP%
Posts: 344

I Have Seen Full solutions

HERE IS TABLE BASED EMULATOR WITH THE SAMPLE REG FILE
suitable with what fejkus said
Attached Files
File Type: zip hasp_HL TABLE BASED.zip (58.8 KB, 3714 views)

Last edited by foffa : 01-14-2008 at 06:07 PM.
  #9
01-15-2008, 03:42 AM
Tyrus
Senior Member

Join Date: Dec 2007
Posts: 60

Quote:
Originally Posted by foffa
I Have Seen Full solutions

HERE IS TABLE BASED EMULATOR WITH THE SAMPLE REG FILE
suitable with what fejkus said

HASP HL has 2 AES functions - AES Encode & AES Decode [0x013F/0x0140],
but its emulator supports only one function.
  #10
01-15-2008, 04:12 AM
TORO
Senior Member

Join Date: Dec 2007
Posts: 53

You must extract the pair tables from the .protect section of the envelope; the envelope uses these tables to make random query checks.
There are 5 tables at max, each containing 256 pairs. Then add those pairs to the pairs from the log file and then construct the Hasp HL emulator; it will work.