Reverse Engineering Team Board > Reverse Engineering Board > Reverse Code Engineering
#1
04-19-2009, 08:42 AM
anakunda2k2 (Junior Member, Join Date: Apr 2009, Posts: 1)
Thread: help me please with hasp hl

Hey, sorry in advance for my English.
I have a USB key, a HASP HL purple (Pro, I think). I made a dump with h5dmp.exe and have 2 files, hasp.dump and hhl_mem.dump.
I converted them with unidump2reg with the option vusbhasp hl.
Then I made a log with hasplogger and toromonitor 3.2, extracted the Q/A pairs and put them in the reg file, but I always get envelope error 1031. I use multikey 1.82 as the emulator.

Thanks for your responses.

PS: it's a HASP HL 3.21.
#2
04-20-2009, 01:31 AM
nodongle (Senior Member, Join Date: Oct 2007, Posts: 320)

You need to extract the pair table(s) from the enveloped files.
#3
04-20-2009, 02:41 AM
SonofabiT (Senior Member, Join Date: Dec 2008, Posts: 351)

Quote (originally posted by nodongle):
> You need to extract the pair table(s) from the enveloped files.

I very much understand if there isn't an instant explanation of how to extract the pair table(s).

At least, please give us hints on how to extract Q/A and Qenc/Aenc pair(s) under a debugger or with USB device tracer utilities such as Perisoft BusHound and Sysnucleus USB Trace.

Last edited by SonofabiT : 04-20-2009 at 03:12 AM.
#4
04-20-2009, 06:27 AM
Git (Super Moderator, Join Date: Oct 2007, Location: Torino, Posts: 1,797)

Search the forum, this subject has been discussed many times.

Git
#5
04-20-2009, 11:58 AM
SonofabiT (Senior Member, Join Date: Dec 2008, Posts: 351)

Of course I have searched the forum. What I mean by "under debugger" is: how do you extract the pair(s) table from the .protect section?
#6
07-16-2009, 10:41 AM
SonofabiT (Senior Member, Join Date: Dec 2008, Posts: 351)

@all
Do I always need to plug in my HaspHL Max dongle to extract the Aenc/Qenc pair(s) table from the .protect section?

Last edited by SonofabiT : 07-16-2009 at 11:03 AM.
#7
07-16-2009, 11:55 AM
rooky2000 (Member, Join Date: Jul 2008, Posts: 41)
Subject: No

Quote (originally posted by SonofabiT):
> @all
> Do I always need to plug in my HaspHL Max dongle to extract the Aenc/Qenc pair(s) table from the .protect section?

No!!!
#8
07-16-2009, 12:51 PM
Git (Super Moderator, Join Date: Oct 2007, Location: Torino, Posts: 1,797)

Often the shell/envelope encryption is applied several times on top of itself. Unless you have tools to generate the emulator parameters, it can be a pain to do manually. It is achieved with multiple layers of encryption using the dongle API hasp_encrypt, and decrypted at run time with hasp_decrypt.

The usual method is to make a basic emulator, run the target and the hasp logger until it puts up the error dialog, then save the dump as dump01.exe. Search dump01.exe for the input parameter to any of the hasp_decrypt calls in the log. When you find it, search back in the file for the non-Unicode string GetTickCount followed by 4 0x00 bytes. Count another 4 bytes and then you have the start of the Q/A pairs block, so if the GetTickCount string starts at 0x11F50, the block starts at 0x11F64. Copy 0x1000 bytes from that address to a file called, say, pairs01.bin. The first 2048 bytes of that file represent 128 ATable entries for the emulator and the last 2048 bytes represent the 128 corresponding QTable entries. Add those 128 Q/A pairs to the emulator and restart the emulator. It is much easier if you write a small program to convert pairs.bin to registry entries.

Now run the application and the hasp logger again. Again, it may put up an error dialog about the Envelope. Again save the dump, this time as dump02.exe. Search through dump02.exe for the input value of the hasp_decrypt call in the log. Same as before, search back for GetTickCount and copy the 4096-byte block starting 8 bytes past the end of GetTickCount to a new file, pairs02.bin. Add the new 128 pairs to the emulator and restart. This time the application may run, or maybe not. Repeat the procedure until there is no Envelope error. You now have an emulator covering all envelope hasp_decrypt calls. If the programmer was clever, he has used the API, and there will be many hasp_decrypt and hasp_encrypt calls in the program with random parameters, which is almost impossible to emulate. However, many programmers do nothing more than put the shell/envelope around the program and call it protected. If so, you now have 100% emulation of the dongle for that app.

Git
Powered by vBulletin® Version 3.6.4
Copyright ©2000 - 2022, Jelsoft Enterprises Ltd.