#1
hasp/sentinel envelope(s) infos
as a tradition, hasp envelope util ( sdk v11.0 and below ) hooks the following functions from the import table...

KERNEL32.DLL!GetProcAddress
KERNEL32.DLL!ExitProcess

in order to increase the level of obfuscation, hasp envelope util ( sdk v12.0 and onwards ) started to hook many more functions from important system dlls: KERNEL32.DLL, USER32.DLL, ADVAPI32.DLL, SHELL32.DLL and more...

internally, each iat function is assigned a unique # and it is mapped into a bit table indicating whether it is hooked or not ( ie. 1 bit per iat function )

so in order to successfully recover the full iat with valid functions, one must find a code location in the .protect section of hasp envelope where this test is performed, and if we patch it in a manner that no function is hooked, we can easily recover the needed information.

note: with such a trick, the above mentioned two functions still need to be corrected!

on the rainbow sentinel part, the envelope is pretty simple and straight; it contains no obfuscation as such except a very well developed big switch/case kinda structure and pcode format ( documented on CrackZ pages w/o proper respect given to its author ie. me! )

Thanks...
The Following User Says Thank You to ketan For This Useful Post: Tomy73 (05-23-2021)
#2
Hiya ketan,
I don't remember who sent me the Sentinel envelope structure definitions when I posted them; in fact, I don't recall actually getting them from you directly, else I would have given you the credits. However, since I know you of old, I've updated the page to reflect your contribution.

Regards, and keep up the good work.

CrackZ.
#3
Greetings CrackZ & Ketan,
Well, it was me who sent it to you, if I remember correctly. I got it from my Russian friends & I sent it to you.

Ketan: Quote:

Regards, Sope.
#4
btw - there is a small idc script to decompile sentinel envelope p-code into readable format. I will post it here today.
#5
here it is.
#6
little hint on how to find the VendorCode (736 bytes) in a protected application:

run the proggy without the key & when you get a message that the key was not found, dump the protected app & search in the dump with any hex editor for "==" (3d3d in HEX). It is usually at the end of the VendorCode; scroll up a little & if you see something similar to the contents of demoma.hvc from the HASP_HL SDK - that is it....

Sorry for my poor English...