Emulating Hasp HL max

[fejkus]

Dumping Hasp HL keys

How can be emulated hasp HL max http://www.aladdin.com/hasp/max.aspx . It works of course for Pro and Time.

What we need:

• a key
• dumper – i used h5dmp.exe
• TORO hasp monitor
• Sataron’s UniDMP2reg convertor
• emulator – i used Chingachguk vusb emulator

1. So at first, install dongle drivers, connect a dongle, run Toro monitor.
2. start your protected application and used it.
3. in TORO monitor you will see password for your key and memory of your dump. So use your protected software as usual, try to open all menus and dialogs, use every function …
4. Save log file, and save log file.
5. use dumper and dump the key. Result will be – two files hasp.dmp (about 790 B in my case) and hhl_mem.dmp (about 4 KB).
6. then use Sataron’s Unidump2reg and make a reg file (use vUSB Hasp HL option). You can edit this regfile and change licensing of your program (if it uses – hl max can be used for 112 programs)
7. And now the most important thing. Hasp HL uses enveloping technology with 128-bit AES symmetric encryption engine on key.

In TORO log we will find pairs. They can be found in the pairs window too.

Instructions can look like this one:

Code:

HaspHL In:> Hasphl_decrypt, Length=32
Data:
4284 ... ... ... 84ADA4 – It is a question for hash key
HaspHL Out:> Hasphl_decrypt Status=0 (0x0)
Response:
8222 ... ... ... 84ADA4 – And the key respond – it is his answer

(I remove part of code)
So what we will do with it? We will do Q/A table. This is Questions and Answers table in reg file. I added it on the end of file.

Data or question of IN – write in Qtable
Response or answer or OUT – write in Atable
Data shoul be write in pairs like these: 4284 ... ... ... 84ADA4 should be write: 42,84, ... ... ... 84,AD,A4

The end of regfile shoul look:

Code:

... regfile

"QTable"=hex:\
42,84,... 84,AD,A4,\

 
"ATable"=hex:\
82,22,C2 ... 84,AD,A4,\

Your program can use only one Q/A or too many. You must add them all. Then you can save your regfile.


8. Add reg file into registry
9. unplug your dongle
10. Install Chingachguk & Denger emulator, vusbbus.sys must be 0.15 or above. If all went fine, new device Hasp HL was found.
11. Your program should run


I hope, this text will help.

Vusb 0.15.1.4 can handle encrypt function too.

For a large Q/A pairs from Toro Emulator, you can use splitter.

[benito]

Hm, but what will you do if the program generate in each run another Q/A pairs ?

[justine]

i never saw application that uses one query/response

i have one haspHL protected soft that have about 1200 pairs )

so its almost imposible to construct table manualy

[fejkus]

you can always make some program to solve this problem automaticaly.


this problem Q/A table probably will not solve.

[fejkus]

Quote:

Originally Posted by justine

i never saw application that uses one query/response

i have one haspHL protected soft that have about 1200 pairs )

so its almost imposible to construct table manualy

the program for large .pair files is done. it can open .pair file from Toro hasp monitor and create txt files for Q/A table - separated with ",".

it is in testing, if anyone want to try, then PM me.
later i will upload it on Alisa site.

and other thing, program can filter out identical q/a.

[Tyrus]

Quote:

Originally Posted by benito

Hm, but what will you do if the program generate in each run another Q/A pairs ?

dump program on the first AES request & find QA tables, but public emulator is not fully correct works

[benito]

Quote:

Originally Posted by Tyrus

dump program on the first AES request & find QA tables, but public emulator is not fully correct works

I thought that also commercial emulators support only table emulation, so in this case if program generates at each start different Q/A pairs you cant emulate it...?! Or i am wrong and there are full solutions?

[foffa]

I Have Seen Full solutions

HERE IS TABLE BASED EMULATOR WITH THE SAMPLE REG FILE
suitable with what fejkus said

[Tyrus]

Quote:

Originally Posted by foffa

I Have Seen Full solutions

HERE IS TABLE BASED EMULATOR WITH THE SAMPLE REG FILE
suitable with what fejkus said

HASP HL have 2 AES funcz - AES Encode & AES Decode [0x013F/0x0140]
but its emulator supports only one function

[mum_96]

Quote:

Originally Posted by foffa

I Have Seen Full solutions

HERE IS TABLE BASED EMULATOR WITH THE SAMPLE REG FILE
suitable with what fejkus said

Toro, foffa attached the one vusbbus emulator for hasphl, and tyrus says this things (HASP HL have 2 AES funcz - AES Encode & AES Decode [0x013F/0x0140] but its emulator supports only one function), what comments about it?