Exetools


ketan 04-19-2005 13:42

hasp/sentinel envelope(s) infos
 
as a tradition, hasp envelope util ( sdk v11.0 and below ) hooks the following functions from the import table...

KERNEL32.DLL!GetProcAddress
KERNEL32.DLL!ExitProcess

in order to increase the level of obfuscation, hasp envelope util ( sdk v12.0 and onwards ) started to hook many more functions from important system dlls,

KERNEL32.DLL
USER32.DLL
ADVAPI32.DLL
SHELL32.DLL

and more...

internally, each iat function is assigned unique # and it is mapped into a bit table indicating it is hooked or not ( ie. 1 bit per iat function )

so in order to successfully recover the full iat with valid functions,
one must find the code location in the .protect section of the hasp envelope where this test is performed, and if we patch it in a manner that no function is hooked,
we can easily recover the needed information.

note: with such trick, still above mentioned two functions need to be corrected!

on the rainbow sentinel part, the envelope is pretty simple and straight.
it contains no obfuscation as such except a very well developed big switch/case kinda structure and pcode format ( documented on CrackZ pages w/o proper respect given to its author ie. me! )

Thanks...

CrackZ 04-20-2005 21:09

Hiya ketan,

I don't remember who sent me the Sentinel envelope structure definitions when I posted them, in fact I don't recall actually getting them from you directly, else I would have given you the credits.

However, since I know you of old, I've updated the page to reflect your contribution.

Regards, and keep up the good work.

CrackZ.

sope2001 04-21-2005 13:19

Greetings CrackZ & Ketan,

Well, it was me who sent it to you, if I remember correctly :) I got it from my Russian friends & I sent it to you.

Ketan:
Quote:

internally, each iat function is assigned unique # and it is mapped into a bit table indicating it is hooked or not ( ie. 1 bit per iat function )

Just wanted to know, can you show the code snippet of what u r saying? It's not that I can't manage it, I need to learn your technique.

Regards, Sope.

infern0 04-21-2005 14:11

btw - there is a small idc script to decompile sentinel envelope p-code into readable format. I will post it here today

infern0 04-24-2005 05:01

1 Attachment(s)
here it is.

s0cpy 04-29-2005 01:41

little hint how to find the VendorCode (736 bytes) in a protected application:
run the proggy without the key & when you get a message that the key is not found, dump the protected app & search in the dump with any hex editor for "==" (3d3d in HEX). It is usually at the end of the VendorCode, scroll up a little & if you see something similar to the contents of demoma.hvc from the HASP_HL SDK - that is it....
Sorry for my poor English...

