Exetools > General > General Discussion
#16 - ahmadmansoor (Coder) - 06-18-2009, 07:13

my friend Git ... I was talking about unpacking just the exe file (main file -DecoStudio.EXE-)
because it has the check, not the other files (dll files).
so the check for time is passed by the programmer himself, not by using a dongle time limit .. it is just in this target I think ... I don't know, I am not that experienced in dongles - maybe I will ask some newbie questions later, so don't find this strange -
anyway patching this check is very simple, it is just patch
jb XXX >>> jmp
nothing else.
anyway working on unpacking a target protected by
"HASP HL Protection V1.X -> Aladdin" ... not easy as well.
anyway I have a way to deal with it and this is the IAT, just to make others sure that I don't forget this thread ... heheehe
and the unpacked one I will send to u ...
anyway pls Git ask backdoor_b to send the program to u .. then I will send the unpacked file to u later ... because the IDA file for the exe file is very big and I can't upload it to u.
I have a limited upload/download here, just 99 MB ...

the IAT has some missing kernel APIs, 3 or 4 .. so I need to find how it hides these APIs .. when finished I will send the file to u.
cya
Attached file: IAt.txt (171.7 KB)
#17 - Git (Old Git) - 06-18-2009, 18:38
Many thanks Ahmad. "HASP HL Protection V1.X -> Aladdin" is the shell / envelope tied to the dongle. You can usually tell it is the case when you see the ".protect" section name. Often this shell/envelope encryption is applied several times on top of each other. Unless you have tools to generate the emulator parameters, it can be a pain to do manually. It is achieved with multiple layers of encryption using the dongle API hasp_encrypt and decrypted during run with hasp_decrypt.

The usual method is to make a basic emulator, run the target and the hasp logger until it puts up an error dialog, then save the dump as dump01.exe. Search dump01.exe for the input parameter to any of the hasp_decrypt calls in the log. When you find it, search back in the file for the non-Unicode string GetTickCount followed by 4 0x00 bytes. Count another 4 bytes and then you have the start of the Q/A pairs block, so if the GetTickCount string starts at 0x11F50, the block starts at 0x11F64. Copy 0x1000 bytes from that address to a file called, say, pairs01.bin. The first 2048 bytes of that file represent 128 ATable entries for the emulator and the last 2048 bytes represent the 128 corresponding QTable entries. Add those 128 Q/A pairs to the emulator and restart the emulator. Much easier if you write a small program to convert pairs.bin to registry entries.

Now run the application and the hasp logger again. Again, it will maybe put up an error dialog about the Envelope. Again save the dump, this time as dump02.exe. Search through dump02.exe for the input value of the hasp_decrypt call in the log. Same as before, search back for GetTickCount, copy the 4096 byte block from 8 bytes past GetTickCount to a new file pairs02.bin. Add the new 128 pairs to the emulator and restart. This time the application may run, maybe not. Repeat the procedure until there is no Envelope error. You now have an emulator covering all envelope hasp_decrypt calls. If the programmer was clever, he has used the API and there will be many hasp_decrypt and hasp_encrypt calls in the program with random parameters and it is almost impossible to emulate. However, many programmers do nothing more than put the shell/envelope around the program and call it protected. If so, you now have 100% emulation of the dongle for that app.

Git
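Git's post says the ".protect" section name is the usual tell for a HASP HL envelope. The following is an added triage helper, not code from this thread or from Aladdin: it walks the PE headers by hand (DOS header, PE signature, COFF header, section table) and reports whether a given executable carries that section, which is all an analyst needs to classify a sample as envelope-protected before deciding how to handle it. The helper `build_sample_pe` builds a constructed, headers-only PE so the example runs offline; the section name constant is taken from the post, everything else is an assumption of this example.

```python
import struct
import sys

# Section name that Git's post says usually marks a HASP HL envelope.
HASP_ENVELOPE_SECTION = ".protect"


def parse_section_names(data: bytes) -> list:
    """Return the section names of a PE image by walking its headers."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)   # offset of "PE\0\0"
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    coff = e_lfanew + 4                                   # COFF file header (20 bytes)
    (num_sections,) = struct.unpack_from("<H", data, coff + 2)
    (opt_size,) = struct.unpack_from("<H", data, coff + 16)
    table = coff + 20 + opt_size                          # section table follows optional header
    names = []
    for i in range(num_sections):
        off = table + 40 * i                              # IMAGE_SECTION_HEADER is 40 bytes
        if off + 40 > len(data):
            raise ValueError("truncated section table")
        raw = data[off:off + 8]                           # 8-byte, NUL-padded name
        names.append(raw.split(b"\0", 1)[0].decode("ascii", errors="replace"))
    return names


def has_hasp_envelope_section(data: bytes) -> bool:
    """True when the image carries the '.protect' section the post describes."""
    return HASP_ENVELOPE_SECTION in parse_section_names(data)


def build_sample_pe(section_names) -> bytes:
    """Constructed, headers-only PE used as offline sample input (not a real binary)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)               # e_lfanew -> right after DOS header
    # Machine=i386, NumberOfSections, timestamp, symtab ptr, nsyms, SizeOfOptionalHeader=0, flags
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, 0, 0x0102)
    sections = b"".join(
        struct.pack("<8sIIIIIIHHI", name.encode("ascii"), 0, 0, 0, 0, 0, 0, 0, 0, 0)
        for name in section_names
    )
    return bytes(dos) + b"PE\0\0" + coff + sections


if __name__ == "__main__":
    # Usage: python hasp_triage.py <file.exe>; with no argument, run on the constructed sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:
            blob = f.read()
    else:
        blob = build_sample_pe([".text", ".rdata", ".protect"])
    print("sections:", parse_section_names(blob))
    print("HASP HL envelope section present:", has_hasp_envelope_section(blob))
```

Real envelopes may rename or add sections, so treat the result as a hint for triage, not proof; the parser also deliberately refuses truncated section tables rather than guessing past the end of the buffer.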
#18 - Git (Old Git) - 06-18-2009, 19:13
I should add that the hasp_decrypt entry that you use to search the dump should be the last one entered in the log before the application failed. You then ensure you are looking at a Q/A pair that has not yet been found in an earlier layer.

Note for Admin : I still cannot see an Edit button on any of my posts so I have to comment to myself rather than editing the original.

Later: OK, I posted that and straight away saw an Edit button! I think the problem arises if you log out and log in again.

Git
#19 - ahmadmansoor (Coder) - 06-21-2009, 04:19
Finish it

Ok ....... I have made the easy and the best way to unpack it, as always.
my friend backdoor_b pls can u send the program to Git.
I need him to define which version of
"HASP HL Protection V1.X -> Aladdin"
so when I write the tut I will put the exact version.
Git u have explained the info very well ... (nice work man).
tomorrow I will send the unpacked file to backdoor_b and Git.
note:
@Git: about the guy which u told me about in ur PM.
I have noted that he put up another tut. it is not his tut and it is not my way of unpacking this version.
anyway I am sorry for this mistake from him.
#20 - ahmadmansoor (Coder) - 06-21-2009, 16:51
guys check ur PM ...
it contains the 2 unpacked files.
1-pure unpacked file
2-Cracked unpacked file

so have fun guys
#21 - backdoor_b (Friend) - 06-23-2009, 23:02
Thanks, I already sent it to Git.
#22 - remal - 10-18-2009, 13:04
I'm sorry but where can I find your tut, ahmadmansoor?
#23 - banch (Friend) - 12-03-2009, 15:53
Good work.
I will try.
#24 - ahmadmansoor (Coder) - 12-03-2009, 23:33

Quote (Originally Posted by remal):
I'm sorry but where can I find your tut, ahmadmansoor?

It will come soon for the public.