View Full Version : Hasp SRM
Sarik
01-14-2009, 05:55 AM
Any idea for dumping Hasp SRM dongles.....I tried HaspHL2007 and HaspHL2008, I get an error code.
pivasik
01-19-2009, 08:40 AM
And what will you do after dumping? Neither 2007 nor 2008 supports srm keys.
You can dump it with http://nodongle.biz/files/h6api.zip
Sarik
01-19-2009, 08:59 AM
I dumped the Hasp SRM dongle through h6api, but no use...you can't emulate it, nor can you create the dng or reg file........
pivasik
01-21-2009, 07:21 AM
Sure, you can't :) I wrote that in the previous post.
foffa
01-21-2009, 02:40 PM
@PIVASIK
make it clear to him
(no public solution for hasp SRM yet)
also I DON'T HAVE the non public :rolleyes:
hasp srm emulation is possible, it's as easy as hasp hl. i will share my srm logger version 2 here and in exetools soon. actually version 1 is spread in the net already.
pivasik
01-22-2009, 06:26 AM
To be clear for all, I have access to non-public solution for SRM. But for certain reasons I wouldn't share it anywhere.
So, as TORO wrote above, he will share his own monitor/solution soon.
i said just i will share logger. i will not share emulator for sure.
pivasik
01-23-2009, 10:55 AM
Sarik, if you ready to pay - just use PM and you'll get all required information.
Greetings to TORO :)
Tyrus
02-16-2009, 03:18 PM
I finished HASP SRM emulator and need software that is protected by SRM for testing emu on real program. Someone has a similar program with the key? :rolleyes:
nodongle
02-16-2009, 11:26 PM
If you have own emulator, then simply envelope any software, like calc.exe :)
Tyrus
02-17-2009, 12:57 AM
nodongle
calc.exe & bounce.exe already unenveloped successfully :) envelope is little changed. interest to protections that use many functions.
Sarik
02-17-2009, 05:08 AM
I finished HASP SRM emulator and need software that is protected by SRM for testing emu on real program. Someone has a similar program with the key? :rolleyes:
Shall I upload the application which is protected with SRM?
Tyrus
02-17-2009, 06:36 AM
Sarik
upload it on my ftp plz (in PM)
carlitos
02-18-2009, 02:25 PM
anyone could share hasp srm logger from exetools http://forum.exetools.com/showthread.php?t=12018
thanks
Tyrus
02-19-2009, 12:58 AM
carlitos
This logger shows encrypted packets
carlitos : if Toro wanted buggy beta software that can crash your computer posted here then he would do it himself. Be patient.
Git
carlitos
02-19-2009, 01:08 PM
That's right, I know Toro and he is a great professional. Thanks to all
Tyrus
03-08-2009, 01:28 AM
HASP SRM AES keys for DEMOMA:
Feature ID 00:
63 92 92 55 AD DD 61 16 23 65 4B 63 16 B2 02 4C
Feature ID 01:
87 A5 6D BF 67 45 5D 75 89 EE BD 17 B8 C0 2F EF
Feature ID 03:
73 9B E9 F8 04 61 31 B6 C0 EB 85 C4 BB 8A FC CC
Feature ID 42:
CF BC CC E6 B7 A2 1E E7 80 36 FB 31 B7 75 CC 5A
Feature ID 101:
A3 F8 82 79 CE 1B 25 89 EC 4B 98 63 C4 2A 34 A4
online AES Calculator
_http://www.unsw.adfa.edu.au/~lpb/src/AEScalc/AEScalc.html
tanx Tyrus, good info, if you have more info about the method of calculation please inform us. how much time their solver need to find keys?
imho this place in the vendor info for DEMOMA...
butaktelco
03-30-2009, 09:18 AM
all member,
please share how to emulate or made emulator after using hasp srm logger ???
all information showing on srm logger...
but dont know how to emulate ???
br
Tyrus
03-30-2009, 11:19 AM
all member,
please share how to emulate or made emulator after using hasp srm logger ???
all information showing on srm logger...
but dont know how to emulate ???
br
This logger shows only the exchange between the program and hasp license manager hasplms.exe. Almost the entire log encoded. Key of encryption protocol is unique for each vendor. Log of usb sniffer "UsbTrace" is quite enough for emulating HASP SRM.
This logger shows only the exchange between the program and hasp license manager hasplms.exe. . Wrong :)
Almost the entire log encoded. Key of encryption protocol is unique for each vendor. Log of usb sniffer "UsbTrace" is quite enough for emulating HASP SRM. True :)
Tyrus
03-30-2009, 03:20 PM
between hasplms.exe and dongle?
between hasplms.exe and dongle?
yes as it should be :)
Tyrus
04-15-2009, 12:03 PM
HaspSrm Dumper 1.0 (http://lix.in/-51ee9a)
do not try dumping any usb emulators!
smithjsmi
04-15-2009, 01:05 PM
HaspSrm Dumper 1.0 (http://lavteam.com/uploads/HaspSrm_Dumper_1.0.zip)
do not try dumping any usb emulators!
this is Good you make dumper of Hasp SRM, but we need the log file then what we do? Or this dumper is enough for Hasp SRM and no need log file?
Tyrus
04-15-2009, 01:14 PM
this is Good you make dumper of Hasp SRM, but we need the log file then what we do? Or this dumper is enough for Hasp SRM and no need log file?
log, of course, necessary, but only 1 log of run the program.
use UsbTrace as logger - its enough.
and in some cases, the dump would be enough.
smith - OK, lets pretend for one minute that the dumper gives plain unencrypted data and that you don't need a log.
Now what will you do? In case it escaped your notice, there is no SRM emulator available.
Git
smithjsmi
04-15-2009, 02:13 PM
smith - OK, lets pretend for one minute that the dumper gives plain unencrypted data and that you don't need a log.
Now what will you do? In case it escaped your notice, there is no SRM emulator available.
Git
Yes, without emulator solution is impossible. but my client need solution and then I contact with tyrus. so I ask about it. This is not important that every thing we make by own hand. But this is must important for understand that what we need to make solution about Hasp SRM emulation.
If we don't get dump + Log properly for emulator then solution is uncompleted.
butaktelco
04-20-2009, 11:54 AM
Tyrus...
I already dumped...
there are 3 dumps..
RO & RW can restore to other dongle...
but sysinfo.bin what for...
can you explain how to decrypt these dumps ??
BR
Tyrus
04-21-2009, 01:32 AM
Tyrus...
but sysinfo.bin what for...
sysinfo.bin contains information for creating the SRM dongle emulator.
nodongle
04-21-2009, 01:43 PM
butaktelco
Emulator is not problem.
Check PM.
butaktelco
04-26-2009, 01:35 AM
For make Emulator is Decrypt dump file, & make Vusb bus..
this is correct tyrus,
maybe other members can share how emulator SRM works with Software.
BR
zafeiros_7
05-06-2009, 07:53 PM
tell me if I am wrong, but multikey 0.18.0.3 says that it works with hasp SRM drivers... so??? what next???
smithjsmi
05-07-2009, 01:58 AM
tell me if I am wrong, but multikey 0.18.0.3 says that it works with hasp SRM drivers... so??? what next???
Yes, Its true he support only driver. But not support as emulator.
diden
07-04-2009, 09:25 PM
log, of course, necessary, but only 1 log of run the program.
use UsbTrace as logger - its enough.
and in some cases, the dump would be enough.
how can I convert the dump produced by your utility SRm_dumper (key : HL_time black) to reg file
http://lix.in/-51ee9a
thanks in advance
You need the Windows DDK, knowledge, and time.
Git
heroe322
07-05-2009, 11:20 PM
Hi
How can I turn the dump produced by the tool h6dmp.exe, which generated an SRM.dmp file, into a reg file?
How can I turn the dump produced by the tool h5dmp.exe, which generated 2 files, hasp.dmp and hhl_mem.dmp, into a reg file?
And which Hasp emulator can I use?
Note: the files that were generated with the 2 utilities are from the same hasp hl
Thanks in advance
Regards
kapatmalan
07-24-2009, 09:46 AM
i need urgent help with hasp srm emu, please i will do many for it
Tyrus
08-31-2009, 04:15 AM
HaspSrm Dumper 1.2 (http://lix.in/-4ed39b)
luzhmu
08-31-2009, 08:10 AM
HaspSrm Dumper 1.2 (http://lix.in/-4ed39b)
good tool;)
benito
08-31-2009, 09:47 AM
Really? And how it is useful for you???
excelance
09-11-2009, 10:38 AM
HaspSrm Dumper 1.2 (http://lix.in/-4ed39b)
Dear tyrus show document for this utilities to convert reg files.
imho Tyrus ask money before =)
Tyrus
09-12-2009, 07:38 AM
Dear tyrus show document for this utilities to convert reg files.
I do not use the registry, so I do not have such utility
Why do you want reg file? you have SRM emulator?
imho Tyrus ask money before =)
for converting? imho no
for converting? imho no
i mean about srm emulator ;)
mkmovies
09-24-2009, 11:51 AM
Well thanks for srm emulator as it worked fine but what about the output file, i mean .bin file how to convert it to .dmp converter :confused:
or how to use this file...Please help tyrus
It is not an emulator, it is a dongle dumper.
Git
mkmovies
09-24-2009, 01:04 PM
Alright & thanks a lot for replying.
ok...i dumped my dongle with your srm dumper & it produced .bin file if is there any way to convert .bin file to .dmp file so that i can use the convert file with hasp hl 2007 emulator....to emulate my dongle.
Is it possible?:confused:
benito
09-24-2009, 01:18 PM
simple answer is NO
kiff1802
09-25-2009, 02:12 AM
i have a software for textile protected by senselock, i need more info how to emulate it and tool to read log, thanks
Tyrus
10-18-2009, 12:22 PM
HaspSrmDumper1.3 (http://rapidshare.de/files/48547046/HaspSrm_Dumper_1.3.rar.html)
woxiwox, sonofabit, not here please. If you want to discuss the merits or otherwise of commercial cracking, do it some place else.
Git
butaktelco
10-26-2009, 04:29 AM
tyrus,
i want to ask you ?
for made emulator HASP SRM, i think thats important to know table base HASP SRM
for table Sys info contain :
Feature ID 00:
63 92 92 55 AD DD 61 16 23 65 4B 63 16 B2 02 4C
Feature ID 01:
87 A5 6D BF 67 45 5D 75 89 EE BD 17 B8 C0 2F EF
Table RW have size about 40xx byte contain information in dongle,
Table RO have size about 20xx byte contain information dongle to,
this is correct or not ?
my question,
how to making this structure in registry & will be handle vusb ?
kindly you explain about structure Vusb ?
BR
testpoint
12-02-2009, 11:37 PM
if the main software upgraded, also the emulator need to do it, but the USB dongle not.:)
khoibt
01-08-2010, 04:44 AM
HaspSrmDumper1.3 (http://rapidshare.de/files/48547046/HaspSrm_Dumper_1.3.rar.html)
thank you so much!
i read hasp srm ok!
please help me emulator it!
no public solutions for hasp srm...
you can ask the dumper authors for additional info only.
Tyrus
03-01-2010, 01:50 PM
HaspSrm Dumper 1.4 (http://www.megaupload.com/?d=K6COZBZE)
fixed:
- error in determining the size of the dongle memory
- support new firmware v.3.25
jabrix
03-01-2010, 07:52 PM
Thanks Tyrus.
but I wonder, what can make you release this emu for us. :D
706935997
03-04-2010, 09:37 AM
[Stop quoting whole messages, it is pointless]
Come out an emulator share, the light dump is useless, thanks
flo1408rct
03-31-2010, 04:23 PM
I have key.reg and an emulator for a software, but they have expired. .... is it possible to create one that does not expire?
sorry for my english.:rolleyes:
cghots
03-31-2010, 09:42 PM
for flo1408rct, it maybe can
flo1408rct
04-01-2010, 01:55 AM
cghots... can you please explain how ,,,[ HASP4 emulator. If I date back before 05.05.2009 it work]
gnerogeem
04-01-2010, 08:04 AM
@flo1408rct
lol at your nick.
BTW if its a HASP 4, you can use HASPEdit to edit data inside the dongle. But you must know password for your dongle.
@flo1408rct: 150 % time part in the emulator is vmprotected :)
flo1408rct
04-02-2010, 03:19 AM
:eek: I entered in "haspedit". where to find a "date" to change?
gnerogeem
04-02-2010, 04:04 AM
@flo1408rct
lol, it's in hex, change it to dec.
If you're lucky you will see it.
flo1408rct
04-02-2010, 04:24 AM
no luck :mad:
I think is encrypted
bolota
04-02-2010, 09:31 AM
It possible emulate hasp hl max srm(by public emulator).
bolota
Tyrus
04-02-2010, 02:55 PM
bolota
if used SRM api, then no - only private solution
mctheRE
04-03-2010, 10:46 AM
Will there be one in the future? Tyrus
kipohome
04-05-2010, 05:06 AM
I already dump file by srm dumper.
But, I don't know how can I use dump file.
Anyone, give me some advice for solving this situation,
Thank you,
Public solutions to the problem does not exist.
kipohome
04-05-2010, 08:40 AM
[STOP QUOTING WHOLE MESSAGES! It is a complete waste of time and hence against the rules]
Thank U for your answer.
How can i make emulator for hasp hl max ?
which emulator is simple to me ?
gnerogeem
04-05-2010, 09:48 AM
@kipohome
If you use this (http://www.reteam.org/board/search.php), you will find the topic regarding HASP HL Max.
kipohome
04-05-2010, 10:09 PM
@gnerogeem
Thank U
I'll try it
bolota
04-06-2010, 07:25 PM
@Tyrus
I've managed to read srm_rw_mem, srm_ro_mem is empty, sysinfo what it is?
bolota
Tyrus
04-11-2010, 03:52 AM
sysinfo.bin is features info
bolota
04-19-2010, 06:07 PM
@Tyrus
I found it on the net, you think I can emulate my dongle with this emulator and you can help me, please!
bolota
@bolota: imho this have a total vmprotected ;)
besoeso
04-20-2010, 09:18 AM
Can you post it here?
[Enough with the quoting of whole messages, YOU KNOW BETTER]
bolota
04-20-2010, 09:31 AM
@Bfox
I do not know anything about programming, but just I try to find tools to emulate the software with which I work.
bolota
@bolota: you can show this in PM?
Tyrus
04-20-2010, 01:55 PM
[Please DO NOT quote whole messages]
This is custom solution
emulator is not universal and not help you
bolota
04-22-2010, 06:56 AM
@Tyrus
yes you are right This is custom solution and demo expired.
bolota
bgptlmzyh
06-04-2010, 09:40 AM
Can somebody upload haspsrm dumper 1.4?
I can't download on megaupload.
yogi_saw
06-04-2010, 02:25 PM
Search for h6api or h6dmp or simply hasp srm dumper in google, u will get ur good luck, but what will u do after dumping?
robin1044
06-06-2010, 01:47 AM
If you have the dongle (Hasp-SRM) Handy, simply unpack the software and reverse the functions. it is the easiest way by the time a public Emulator would be out.
yogi_saw
06-06-2010, 06:07 AM
It is really tough to unpack hasp hl and patch(wilcom for example), hasp srm will be worse if nicely done
anyway u can give a try i have seen srm unpacking tutorial somewhere while googling
goodluck
Unpacking SRM is something I have searched for and not found. It would be a useful URL or article to post here if anyone finds it..
Git
robin1044
06-06-2010, 08:45 AM
I have done HaspSRM unpacking more about 6 ~ 7 times (different SRM SDK versions),
also I have reversed too many HaspSRM APIs according to my need ....
If you need any information I would be happy to help...
[Please DO NOT reply to yourself, use the Edit button to add to your post]
Attached tutorial by 'Bl@ckStorm Team' with some minor modification would be much useful.
http://www.4shared.com/file/Sofhc3lS/HASPSRM_V2_1_50.html
http://www.4shared.com/file/NPIeKnRu/HASP_HL_Envelope_1x__Unpacking.html
p.s.:
1) OEP would be better found using 'BPMb w ExitProcess' and then followed by bpm on code section (the same as HaspHL envelope unpacking tutorial).
2) HaspSRM uses 'API Redirection' & 'API Emulation' both, Emulated APIs could be recovered using HASPSRM_V2_1_50 tutorial , but in newer version of SRM envelope for 'API redirection' you need to do more...
sungog
06-06-2010, 11:01 AM
I have a dongle,in Device Manager can see"Aladdin HASP HL Key" ,"Aladdin HASP Key","Aladdin USB Key". but the driver is "HASP SRM Run-time".
i have tested toro monitor, hasphl2008, hasphl2010, hasp_srm logger... nothing is get! Can not get any logger, password....
when i installed the toro monitor driver "UsbFilter_Install.inf" ,the system can not reboot !
is my dongle is hasp hl or hasp srm?why i can not get any logger by use those tools ?thanks !
now i find it,it is "hasp srm",i can dump it by h6dmp,and get SRM.dmp
yogi_saw
06-06-2010, 02:30 PM
may be first time somebody is suggesting git to search
hahaha nevermind
Googling for "Hasp srm unpacking" gave me link to movie tut uploaded by souz i think link is down
same has been posted here by robin1044
marceloenrique
08-28-2010, 03:14 PM
Hi friends
have original dongle and type SRM Max no easy to clone dongle,
you have another solution can you help me
addition i dump already with h6dmp.exe tool , do you have solution how to convert to reg file or dng file
saludos
marceloenrique
no FREE solutions for the Hasp SRM. only free dumper tools...
burhanuddinmna
10-20-2010, 07:43 AM
Hi, I have SRM protected software, pls. give me details about emulating the program
smith56
02-15-2011, 10:54 AM
i have one of HASP SRM ,,, is it really true no free solution still now?
you can tell me how to get the password1 and password 2 of this HASP srm ?
nodongle
02-15-2011, 11:44 AM
To extract the PW1 and PW2 you need to decrypt VendorCode.
crackslab
02-15-2011, 04:23 PM
Look,
dump your dongle with Tyrus dumper,
there is vendor ID appear example 50890 (C6CA).
Dump your application and find (00CAC6), you find your Dongle ID.
But I don't know without emulator why you need find this? Because without emulator your software not workable.
smith56
02-16-2011, 03:54 AM
i do not see in this forum any solution for HASP SRM . so i need to pay for it?
No public solution available yet? can you kindly give link for Tyrus dumper ? i searched it but do not find any link
Landogar
02-16-2011, 04:38 AM
Hi
this is Tyrus dump tool
http://www.megaupload.com/?d=K6COZBZE
Da_rimp
02-18-2011, 06:53 AM
If I have dumped my dongle and got the info.txt, the ro, rw and sysinfo files. Is an emu available to buy? I also want to enable another feature not enabled on this dongle - can this be done?
lostdongle
04-13-2011, 02:24 PM
HASP SRM Win32 Envelope unpacking video tutorial (http://lostdongle.com/?page_id=146)
HASP SRM .Net Envelope unpacking video tutorial (http://lostdongle.com/?page_id=133)
rituraj
04-13-2011, 09:50 PM
HASP SRM Win32 Envelope unpacking video tutorial (http://lostdongle.com/?page_id=146)
HASP SRM .Net Envelope unpacking video tutorial (http://lostdongle.com/?page_id=133)
Anyone got hasp srm IAT resolver script for srm dongles ?
流星1978
04-13-2011, 11:12 PM
only video,no script
lostdongle
04-14-2011, 05:24 AM
Anyone got hasp srm IAT resolver script for srm dongles ?
For each envelope version need to create your own script for recovery IAT. It is not a universal script. You can find 2 or 3 versions of the script in the web. Understand how it works and make your own - for your version of the envelope.
yogi_saw
04-14-2011, 06:35 AM
I am not sure which web u r referring to, I searched and found no clues of any script.
it will be good if u could just attach here
lostdongle
04-14-2011, 07:02 AM
use google:
link (http://www.google.ru/search?client=opera&rls=ru&q=HASP_HL+Envelop+1.2x/1.3x+import+resolver+script+v0.1a&sourceid=opera&ie=utf-8&oe=utf-8)
rituraj
04-14-2011, 11:45 AM
We have so many smart guys on this forum. Do we really need a messiah for releasing a SRM emulator.
gnerogeem
04-14-2011, 05:17 PM
@rituraj
Why don't you learn how to code the emulator and release it?
rituraj
04-14-2011, 10:52 PM
@rituraj
Why don't you learn how to code the emulator and release it?
err i am not the smart one. :)
jockerros
04-15-2011, 06:20 PM
Hi,
can you help me someone to find the problem with my aladdin hasp hl pro(SafeNet inc. Sentinel HASP Key). Toro monitor doesn't work, the hldump when i give him the command to find passwords tells me on the finish he don't find any password. I don't know what to do with this dongle. i want to try to access him with hexeditor for aladdin but i don't know the passwords(sorry for my poor english ) and thanks for listen me.
deco2010
04-15-2011, 10:38 PM
@lostdongle
thanks your Hasp Srm Envelope Unpacking tutorial ,
the script
"find prtc_sec, #66C1E7??5E5B8BE566C1E6??5DC3#"
need change it for every software ?
can you make a tip how to do for it?
GNIREENIGNE
04-16-2011, 12:20 AM
jockerros-
You should probably start your own thread.
Have you tried haSploGer.exe?
-G
lostdongle
04-16-2011, 09:38 AM
deco2010
Not for each software. For each envelope version.
You must understand this script logic for making your own.
Trace script execution step by step and you can understand "how to do it".
butaktelco
04-17-2011, 02:19 PM
@lostdongle
can you publish here result unpacking .net from your tutorial...
what methods should be unpack for .net hasp envelope
nodongle
04-17-2011, 02:44 PM
Anyway original dongle or emulator with correct Q/A required for decipher data in .NET envelope.
lostdongle
04-19-2011, 10:05 AM
Anyway original dongle or emulator with correct Q/A required for decipher data in .NET envelope.
Certainly needed, as well as in Win32 envelope.
is rebranding Tyrus to lostdongle?
besoeso
04-20-2011, 04:47 AM
i think yes or he is other reseller.:D
SundayForever
04-20-2011, 10:02 PM
I have access to non-public solution for SRM. But for certain reasons I wouldn't share it anywhere.
nodongle
04-22-2011, 01:54 AM
SundayForever
Another reseller :D
besoeso
04-22-2011, 08:07 AM
@SundayForever
Where the best place that here???:D
Tyrus
05-10-2011, 12:32 PM
HASP SRM Dumper 1.5 (http://lostdongle.com/bin/HaspSrmDumper1.5.rar) released
burhanuddinmna
05-11-2011, 04:39 AM
There is no free solution for srm, then what purpose of this dumper?
@burhanuddinmna: the dumper author have solutions ;)
jewelryab
05-18-2011, 04:08 AM
no public solutions for hasp srm...
you can ask the dumper authors for additional info only.
But do not forget that any discussion of paying money for cracks or solutions is not allowed on this forum.
Git
slayerns
06-14-2011, 08:31 PM
I have an application that uses HASP SRM but the program also works with a trial license code that is provided by the software developers. Would i need a HASP SRM dongle emulator or is it possible to crack it in a way that is explained publicly?
robin1044
06-14-2011, 11:45 PM
the program also works with a trial license code that is provided by the software developers.
Your software uses both SRM and SL capabilities (default SRM envelope protection)
In both cases you can unpack and reverse APIs.
lostdongle
06-15-2011, 04:00 AM
[Please DO NOT quote whole messages, it is unnecessary]
There are no public SRM emulators on the web, but in your case there is one solution (needed initial skills in Reversing).
1. Use PEiD for detection enveloped files.
2. Unpack enveloped files (Hasp Srm Win32 envelope unpacking video (http://lostdongle.com/?page_id=146)).
3. Detect hasp api calls with IDA Pro and flair signatures for HASP SRM (Signatures (http://lostdongle.com/?page_id=182)).
4. Patch detected api calls to return the correct responses.
bolota
06-15-2011, 09:03 AM
Please anyone tell me if it is possible,
my dongle is srm 3.25 and only have 1 feature, it's possible reverse apis to work as a normal hasp hl.
thanks
bolota
Tyrus
06-15-2011, 09:09 AM
bolota
Need to see UsbTrace log
robin1044
06-15-2011, 09:31 AM
my dongle is srm 3.25 and only have 1 feature, it's possible reverse apis to work as a normal hasp hl.
SRM 3.25 / 1 feature : Not important for reversing, the same for all features / all firmware versions.
For reversing APIs refer to SRM API reference Manual. you just need to find which APIs are called and reverse all.
bolota
06-15-2011, 09:49 AM
robin1044
Can you be more specific? I'm not a programmer but I'd like to do it myself.
please guide me, what tools I need.
thanks
bolota
nodongle
06-15-2011, 12:27 PM
@slayerns
Solution is possible for both HASP types: physical and software.
robin1044
06-17-2011, 09:34 PM
@bolota
more specific:
Are you dealing with SRM/HL envelope or just API ?
For SRM/HL envelope, unpacking tutorials are already in forum (need some modification for different SRM envelope versions )
For APIs, Use IDA+Tyrus Signature+SRM Manual, if any problem, I would guide :)
008348
06-17-2011, 09:57 PM
robin1044 is professional with hasp srm unpacking and patch!
I've patched a hasp hl api protected application following his guide.
Thank you robin1044.
bolota
06-18-2011, 06:22 AM
@robin1044
thanks for your interest in help me.
I think is just API, but I don't have any experience to do it, for this, any help would be great.
Obs: I try make it because I work with one program in my work, and need sometimes advance the work at home, and now when I try open a file make in the new version program (old version is protected with hasp4,and the great tools shared here I could emulate), I can't.
Excuse my english
bolota
robin1044
06-18-2011, 07:53 AM
I think is just API, but I don't have any experience to do it, for this,
1- Check with PEID to get sure it is only API.
2- Check http://localhost:1947/_int_/features.html and run App. to see if any feature is logged ( if any feature logged you are dealing with SRM if not HL )
3- Load in IDA, Apply Signature, Find HaspHL/SRM APIs
4- Load in ollydbg bp on APIs to see what APIs are called.
5- reverse APIs one by one.
bolota
06-18-2011, 10:19 AM
@robin1044
Thanks, I will try but not easy for me, because they never did it.
But I need make the program work.
bolota
edit:
It's very hard for me, unfortunately I don't have knowledge to do that.
SunBeam
06-21-2011, 10:21 AM
Hello.
I have a software which connects to an interface, and this software is protected with Sentinel HASP HL (AKS HASP HL 3.25). Previous version had the simpler version, where application would run without dongle inserted in the USB port.
Software has been dumped successfully - I forced HASP to rebuild its IAT, replaced the fake entries in IAT tree - all the god damn 0xFFFFFFFF entries spread across entire lib trees - and skipped the excluded critical APIs, 7 or so. Removed .protect section, rebuilt PE header and attached the corrected IAT. Software RUNS, but doesn't activate. The moment I plug in the USB, bam, it starts.
Based on robin1044's suggestions, I got the IDA signatures (after, of course, applying the common programming language ones software was built with - BC++) for HASP SRM.
I've run the link on the host computer and I have this result:
- HASP HL Pro;
- runs locally on an USB hub;
- the Products tab doesn't show anything;
- Features though shows only 1 feature locked by a certain vendor ID, with a certain HASP Key ID, feature ID being 0;
Considering dongle is only used to RUN the application - I tested functionality and USBTrace doesn't return responses for application's features, only when it initializes - I am left with simply figuring out which HASP APIs are used and reverse them.
After applying IDA signatures, I have this list:
005263C7 hasp_login
00526437 hasp_login_port
005264C7 hasp_logout
00526547 hasp_enable_trace
00526697 _hasp_free
00526C07 hasp_get_sessioninfo
00526DF7 hasp_get_trace
00526E57 hasp_datetime_to_hasptime
005270C7 hasp_get_rtc
00527257 hasp_login_ex
00527277 hasp_login_scope
00527EC7 hasp_legacy_encrypt
00527F57 hasp_legacy_decrypt
00527FE7 hasp_legacy_set_idletime
00528C57 hasp_legacy_set_rtc
Breaking each entry returns only 2 results (expected, of course): hasp_login and hasp_logout. Now, basing myself on what robin1044 implies, I have to reverse these functions to do what?
To sum it up, there's only one function that encompasses the 2 APIs:
http://i54.tinypic.com/242bvw3.jpg
I'm guessing what you see there to the right is the authorization key? :-)
All I know is that these APIs have to return 0 (tracing inside the function shows that when dongle is connected, return response is 0; when dongle is in use or disconnected, response is 0x07000070). If I patch them to return 0, application still doesn't initialize. Digging further inside the functions revealed that both APIs use wsock32.recvfrom, which is practically the same idea USBTracer uses to trap the buffers sent/received.
Any pointers towards the SRM API reference or anything useful? I'm with this app for a week now and I'm not planning to give up. I will share my findings later ;-)
Cheers,
Sun
P.S.: Yes, that SunBeam :D
EDIT:
Quoting from SafeNet:
"Once you have logged into a HASP HL key and established a session, there is a wide range of HASP HL API functions that you can utilize in building a solid protection scheme. For more about the HASP HL API refer to the “HASP HL Software Protection and Licensing” Guide."
Therefore, I assume the APIs robin1044 refers to are the ones you have to figure out AFTER you log into a key? o_O
Leolo
06-21-2011, 05:54 PM
@Tyrus (or anyone who knows the answer, please!)
I've tested your Hasp SRM Dumper 1.5 and it told me that my dongle has 2 features (1).
What does the number inside brackets mean??
Regards.
SunBeam
06-21-2011, 06:50 PM
It means all the functions (in your case, 2) are tied to 1 feature. More like, in reverser terms, there are X stolen functions (replaced with JMPs to default case) which are run once decrypted, after hasp_login succeeds.
In my case, I got: Dongle has 11 (1) features
Run this on your Internet Explorer: http://localhost:1947/_int_/features.html
Tyrus
06-22-2011, 01:18 AM
Leolo
This means that your dongle has 1 user-defined feature (default feature id = 0).
robin1044
06-22-2011, 01:53 AM
@SunBeam: Good Job man, congratulation...
- Features though shows only 1 feature locked by a certain vendor ID, with a certain HASP Key ID, feature ID being 0;
1- If your feature is active when you run software. It means hasp_get_sessioninfo is called too ...
This API is called after Hasp_Login and before other APIs
2- If There is no active session in features link (when you run software), your software may be using HaspHL APIs instead.
It means you need to consider the possibility of using HaspHL/HaspSRM APIs after unpacking.
SunBeam
06-22-2011, 03:31 AM
Hi, robin. Thanks for replying.
1- I've checked Features link, it shows only one feature, with ID 0, locked. Using Tyrus' signatures, only hasp_login and hasp_logout of the found hasp APIs break. hasp_get_sessioninfo doesn't break.
2- When I run software and refresh Features page, I got no result under Sessions column in that table. Same thing when I go to Sessions tab, nothing there as well. All it says is (table is empty)
EDIT #1: When breaking on hasp_logout in Olly, I checked Admin panel. Funky:
1 / http://i56.tinypic.com/mls11v.png
2 / http://i51.tinypic.com/314rzow.png
3 / http://i54.tinypic.com/sngbaw.png
Ok, started to read HASP manuals on its APIs and from the looks of it:
printf("login to program number 42 : ");
/* search for local and remote HASP HL key */
status = hasp_login(42 | HASP_PROGNUM_FEATURETYPE,
                    (hasp_vendor_code_t *)vendor_code,
                    &handle);
In my case, I got this in stack:
$ ==> > 0044FC31 RETURN to slave.sub_44FBF4+3D from <slave.hasp_login>
$+4 > 00000000
$+8 > 0185C954 ASCII "JadCovffEbiw5Ns/J5G1yMqgwnj6g4IHhuIc7KfKq+H1DS56WOakWPIZsijnu2dYY7 AgW6jsK9OTJuPUtYbKoQGkNCFag0DMmQPTdfZlDCwNiFkV3ohk l7ArtCdlUGMrPO14agnidAzaeGqCwenMc5S+evOgXpmM06gboi mQlyavvDN8gGPwLZvnilRqVk35GHcC4zu/e/auxfyrn/pwyhVSVl+uGmSItuYpZsXGtKuAX"...
$+C > 7FF5B494
- first parameter of the function is at ESP+4, therefore, I assume program it tries to login to is number 0, although I don't see HASP_PROGNUM_FEATURETYPE anywhere (should be 0xFFFF0000);
- ESP+8 contains a pointer, address 185C954, which supposedly holds the vendor code;
- ESP+C holds the connection handle;
So far so good.
Next up I tried to figure out where the session is being created. To remind you all, this is how the login function looks like:
http://i54.tinypic.com/242bvw3.jpg
So, hasp_login is called at 44FC2C, with aforementioned parameters. If dongle is inserted, function returns HASP_STATUS_OK (eax == 0). If dongle is not present, it (usually) returns 0x7, meaning HASP_CONTAINER_NOT_FOUND.
So, tracing code led me to this function, inside hasp_login:
00533723 |. 66:C74424 38 3412 MOV WORD PTR SS:[ESP+38],1234
0053372A |. 66:C74424 3A 0100 MOV WORD PTR SS:[ESP+3A],1
00533731 |. 895C24 48 MOV DWORD PTR SS:[ESP+48],EBX
00533735 |. C74424 44 11270000 MOV DWORD PTR SS:[ESP+44],2711
0053373D |. E8 05050200 CALL 00553C47
Went in, tracing code. I noticed I have to be fast so the connection is made. If I trace with F7, I believe there's a timeout that kicks in and that connection is never made - hasp_login exits with code 0x21 (HASP_INV_UPDATE_CNTR = 21 -> update counter set incorrectly).
I know it's working when GetSessionID breaks (a function I got at where VendorID is retrieved, as well as HASPKeyID).
So, managed to work my way up to this call:
00553D5C |. 8B3E |MOV EDI,DWORD PTR DS:[ESI]
00553D5E |. 83EF 18 |SUB EDI,18
00553D61 |. 50 |PUSH EAX
00553D62 |. E8 10FDFFFF |CALL 00553A77
After I execute it, I see Sessions -> 1 in Admin panel ;-)
I checked the connection buffer and all I could see in plain text was the user and host names. The rest was undecipherable.
I noticed the timeout is set to 12h, and refresh is done every 3 seconds on that Sessions page.
Awaiting more instructions, please.
Regards,
SunBeam
EDIT #2: robin, isn't 5265F7 hasp_get_sessioninfo by any chance? Cuz from the logic pattern, it looks so: login, getinfo, logout..
xs2smith
07-12-2011, 01:53 PM
Hi all
I've been following this thread. Can't understand much of the stuff. Was able to dump my dongle using srmdumper1.4. v1.5 of the same didn't work for me. Tried to dump using h6api or h6dmp but I think passwords should be entered. I don't know how to get pw1 and pw2 for my dongle. Can someone guide, please? Also, is there any difference between a dump created using Tyrus's srmdumper 1.4 and h6api?
Also, after I get the dump, I believe I have to unpack my exe and do something to make it work. This is definitely rocket science for me. I watched the video links but they are not very helpful. Can someone please guide about any easier way to get my program running without dongle after successfully obtaining the dump?
Will be extremely grateful for any advice.
SunBeam
07-12-2011, 04:53 PM
Videos are for show. They show the author can do it, nothing else. I've tested 5-6 targets already. Given the dynamics of the envelopes, you can't freakin' come up with something like an unpacker. It simply isn't possible and I can show why.. Also, some of the videos and articles show what to do with HASP, not Sentinel. IAT approach is different in Sentinel. Will post a script soon. Working on it.. After all my assumptions, Defiance is kinda dead.. For now..
xs2smith
07-13-2011, 02:23 PM
keep up the good work bro and u'll find the right path. waiting anxiously for any easier solution
SunBeam
07-15-2011, 02:25 AM
Very inspirational, but.. no :) Other systems offer ONLY software-based protection which is far stronger than Sentinel will ever be.
008348
07-31-2011, 06:43 AM
Does anybody have a hasp srm v4.0 above envelope crackme that doesn't need a dongle? Please upload if you have.
I want to try to unpack it.
Thanks.
tranthihongvan
08-12-2011, 11:14 PM
This is my target:
http://www.megaupload.com/?d=HU9Q1VD3
Please help me with a solution.
old nupas work with hasp hl, imho
008348
08-13-2011, 01:46 AM
@tranthihongvan
Need dongle to unpack it.
jimknopf
09-21-2011, 02:11 AM
Hello there,
well, I do also need some help for getting a software to run without the dongle.
To give you some information, the "HASP SRM Dumper 1.5" (dumper_info.txt) from Tyrus says this about the dongle:
Found HASP SRM dongle #1
Aladdin USB Key
Hasp type: 0xFA (Time HASP)
Model: Hasp HL Time
Dongle has 26 (15) features
I checked http://localhost:1947/_int_/features.html and features are logged, so I am dealing with SRM.
I also logged a little while with the "HASP SRM Raw Logger v1.0" by TORO. Well, and there I got a lot of "VendorRequests" and "ControlTransfers". Maybe I will need this later ...
I also installed "USBTrace" and looked at the logs. But I'm not sure what to do with this now.
I read in the forum that it's now important to check if I am dealing with SRM/HL envelope or just API - I don't know how to check that and what the consequences would be for me.
So, maybe I could get some more guidance from any of you please? That would be very nice. What should I do next? What does "Check with PEID" mean? Is it a software that I need?
Greetings,
JimKnopf
---- Edit 2011/09/21 ----
Okay, I did some more research, I downloaded PEid v0.95.
I scanned the whole directory and there is only this one exe-File, which is protected by:
HASP HL Protection V1.X -> Aladdin *
Okay, I think the next step will be for me to "unpack this enveloped file".
For that I watched the HaspSrmWin32EnvelopeUnpackingVideo.swf by www.lostdongle.com.
So I downloaded OllyDbg v1.10, loaded the exe-File and started to play around with Memory Maps, Entrypoints and IATs ... this is really rocket science.
For example I wondered why do I have to get the OEP (=Entrypoint?) via this manual calculation (subtraction) seen in the HaspSrmWin32EnvelopeUnpackingVideo.swf? I thought PEiD and also ImportREC gets this Entrypoint automatically ...
Some suggestions maybe?
Cheers ...
lostdongle
09-27-2011, 03:32 PM
For example I wondered why do I have to get the OEP (=Entrypoint?) via this manual calculation (subtraction) seen in the HaspSrmWin32EnvelopeUnpackingVideo.swf? I thought PEiD and also ImportREC gets this Entrypoint automatically ...
No no - PEiD can show you only EP - not OEP!
I read in the forum that it's now important to check if I am dealing with SRM/HL envelope or just API - I don't know how to check
Your dongle is 100% SRM and your protection is Hasp envelope + Hasp API.
jimknopf
10-01-2011, 02:18 AM
Hello again,
I tried to do the same as is done in the unpacking tutorial from lostdongle.com:
I change to memory map and set a Breakpoint at .rdata - I run the program with F9 - but it then stops at 00CCDC01 telling something like: "Access violation when reading [0000001E]"
The thing is: The program stops at 00CCDC01 also when I don't set a breakpoint at all or set one at .data or .rdata. It makes no difference.
This morning I had a theory! :) I need the dongle plugged in to do the unpacking - is this right? This would mean for me that I can't do this at home ... because here I don't have access to the dongle ...
Greetings.
avatar
11-08-2011, 06:23 PM
[Please DO NOT quote whole messages, it is unnecessary]
This download link isn't working. Does someone have an alternative?
Tyrus
11-09-2011, 01:43 AM
[Please DO NOT quote whole messages, it is unnecessary]
This is due to SmartScreen Filter of Internet Explorer (this is a fake warning)
Click "More Information" and click "Disregard and continue"