Hasp SRM

[dave_omirora]

If you have dongle then here is many hints availble for unpacked the hasp SRM Protection.

[besoeso]

I will be good a monitor can to do this.

logtest-haspsrm.txt

[gokilaravee]

this looks decrypted usbtrace log..Is this based on hasp4 en/decrypt(cipher) function?

[orfei]

IMO this is more like dll function hooking/monitoring/logging.

[hp3]

i have a dump file and log file for tems 10

can help me to emul it
thanks

[kjms]

http://www.unpack.cn/thread-68333-1-1.html

HASP HL Envelope
Recent study of HASP HL Envelope in the shelling, the search to a nice HASP HL Envelope IAT Fixer, has been successfully used to repair my program IAT. Original author of s0cpy.
lostdongle in the online issue of the shelling of a hasp srm video, which with the hasp srm Envelope iat fixer and the same, just to "find prtc_sec, # FFFF82D18BE55DC3 #", was revised to: "find prtc_sec, # 66C1E7?? 5E5B8BE566C1E6?? 5DC3 # ", the need to hasp srm Envelope version to modify. This code corresponds to the position of a retn (. Protect section), where there is a need to restore esp in the API function's address.

/*
/////////////////////////////////////////////////////////////////////////////////
HASP_HL Envelop 1.2x/1.3x import resolver script v0.1a
Author: s0cpy
Email : s0cpy.store@gmail.com
OS : WinXP SP2, Ollydbg 1.1, ODbgScript 1.65.4
Date : 2008-01-12
Action: Fix IAT, but not fix emulated functions.
Config: Ignore all exceptions, start from OEP.
Some emulated functions need to be resolved manually:
GetCommandLineA
GetProcAddress
GetCurrentProcess
GetStartupInfoA
GetCurrentProcessId
GetCurrentThreadId
/////////////////////////////////////////////////////////////////////////////////
*/

var prtc_sec
var iat_cell
var ss
var es
var gtc
var endp
var iatstart
var iatend
var gtc_c
var sysmod

gpa "GetTickCount", "kernel32.dll"
mov gtc, $RESULT
ask "Enter start code section address"
cmp $RESULT, 0
je @halt
mov ss, $RESULT
mov es, $RESULT
ask "Enter start address of IAT"
cmp $RESULT, 0
je @halt
mov iatstart, $RESULT
ask "Enter end address of IAT"
cmp $RESULT, 0
je @halt
mov iatend, $RESULT
ask "Enter start address of `.protect` section"
cmp $RESULT, 0
je @halt
mov prtc_sec, $RESULT
ask "Enter start address of system modules memory"
cmp $RESULT, 0
je @halt
mov sysmod, $RESULT

@end_point:
find prtc_sec, #66C1E7??5E5B8BE566C1E6??5DC3#
mov endp, $RESULT
add endp, 4
bphws endp, "x"

@search:
cmp iat_cell, iatend
je @halt
mov iat_cell, iatstart
cmp [iatstart], 00000000
add iatstart, 4
je @search
cmp [iat_cell], sysmod
ja @search

@scan:
mov eip, [iat_cell]
jmp @run

@count:
inc gtc_c
cmp gtc_c, 2
je @fix

@run:
run
sti
sti
sti
cmp eip, gtc
je @count
cmp gtc_c, 0
je @search

@zero_c:
mov gtc_c, 0

@fix:
mov [iat_cell], eip
cmp iat_cell, iatend
je @halt
jmp @search

@halt:
bphwc endp
mov eip, oep
an eip
pause
ret

[ali56s]

Sentinel HASP (HASP SRM) Dumper v.1.0 (public)
build on (22:00:22 Jul 23 2011)

[ali56s]

out put dmp file can open with notpad