#141
06-18-2011, 06:22 AM
bolota (Senior Member; Join Date: May 2008; Posts: 128)

@robin1044

Thanks for your interest in helping me.
I think it is just API, but I don't have any experience doing it, so any help would be great.

Obs: I am trying to do it because I work with one program at my job and sometimes need to advance the work at home; now, when I try to open a file made in the new version of the program (the old version is protected with HASP4, which I could emulate with the great tools shared here), I can't.
Excuse my English.
bolota

Last edited by bolota : 06-18-2011 at 06:32 AM.
#142
06-18-2011, 07:53 AM
robin1044 (Senior Member; Join Date: Mar 2008; Posts: 189)

Quote (originally posted by bolota):
    I think it is just API, but I don't have any experience doing it, so any help would be great.

1- Check with PEiD to make sure it is only API.

2- Check http://localhost:1947/_int_/features.html and run the app to see if any feature is logged (if any feature is logged you are dealing with SRM; if not, HL).

3- Load in IDA, apply signatures, find the HaspHL/SRM APIs.

4- Load in OllyDbg, bp on the APIs to see which APIs are called.

5- Reverse the APIs one by one.
#143
06-18-2011, 10:19 AM
bolota (Senior Member; Join Date: May 2008; Posts: 128)

@robin1044

Thanks, I will try, but it is not easy for me, because they never did it.
But I need to make the program work.

bolota

edit:

It's very hard for me; unfortunately I don't have the knowledge to do that.

Last edited by bolota : 06-18-2011 at 05:22 PM.
#144
06-21-2011, 10:21 AM
SunBeam (Senior Member; Join Date: Jun 2011; Posts: 61)

Hello.

I have a software which connects to an interface, and this software is protected with Sentinel HASP HL (AKS HASP HL 3.25). The previous version had the simpler protection, where the application would run without the dongle inserted in the USB port.

The software has been dumped successfully - I forced HASP to rebuild its IAT, replaced the fake entries in the IAT tree - all the god damn 0xFFFFFFFF entries spread across entire lib trees - and skipped the excluded critical APIs, 7 or so. Removed the .protect section, rebuilt the PE header and attached the corrected IAT. The software RUNS, but doesn't activate. The moment I plug in the USB, bam, it starts.

Based on robin1044's suggestions, I got the IDA signatures (after, of course, applying the ones for the common programming language the software was built with - BC++) for HASP SRM.

I've run the link on the host computer and I have this result:
- HASP HL Pro;
- runs locally on a USB hub;
- the Products tab doesn't show anything;
- Features, though, shows only 1 feature locked by a certain vendor ID, with a certain HASP Key ID, the feature ID being 0.

Considering the dongle is only used to RUN the application - I tested functionality and USBTrace doesn't return responses for the application's features, only when it initializes - I am left with simply figuring out which HASP APIs are used and reversing them.

After applying the IDA signatures, I have this list:

005263C7 hasp_login
00526437 hasp_login_port
005264C7 hasp_logout
00526547 hasp_enable_trace
00526697 _hasp_free
00526C07 hasp_get_sessioninfo
00526DF7 hasp_get_trace
00526E57 hasp_datetime_to_hasptime
005270C7 hasp_get_rtc
00527257 hasp_login_ex
00527277 hasp_login_scope
00527EC7 hasp_legacy_encrypt
00527F57 hasp_legacy_decrypt
00527FE7 hasp_legacy_set_idletime
00528C57 hasp_legacy_set_rtc

Breaking on each entry returns only 2 results (expected, of course): hasp_login and hasp_logout. Now, based on what robin1044 implies, I have to reverse these functions to do what?

To sum it up, there's only one function that encompasses the 2 APIs:

[screenshot not preserved]

I'm guessing what you see there to the right is the authorization key? :-)

All I know is that these APIs have to return 0 (tracing inside the function shows that when the dongle is connected, the return response is 0; when the dongle is in use or disconnected, the response is 0x07000070). If I patch them to return 0, the application still doesn't initialize. Digging further inside the functions revealed that both APIs use wsock32.recvfrom, which is practically the same idea USBTracer uses to trap the buffers sent/received.

Any pointers towards the SRM API reference or anything useful? I've been on this app for a week now and I'm not planning to give up. I will share my findings later ;-)

Cheers,
Sun

P.S.: Yes, that SunBeam

EDIT:

Quoting from SafeNet:

"Once you have logged into a HASP HL key and established a session, there is a wide range of HASP HL API functions that you can utilize in building a solid protection scheme. For more about the HASP HL API refer to the “HASP HL Software Protection and Licensing” Guide."

Therefore, I assume the APIs robin1044 refers to are the ones you have to figure out AFTER you log into a key? o_O

Last edited by SunBeam : 06-22-2011 at 02:35 AM.
#145
06-21-2011, 05:54 PM
Leolo (Member; Join Date: Oct 2009; Posts: 42)

@Tyrus (or anyone who knows the answer, please!)

I've tested your Hasp SRM Dumper 1.5 and it told me that my dongle has 2 features (1).

What does the number inside brackets mean??

Regards.
#146
06-21-2011, 06:50 PM
SunBeam (Senior Member; Join Date: Jun 2011; Posts: 61)

It means all the functions (in your case, 2) are tied to 1 feature. More like, in reverser terms, there are X stolen functions (replaced with JMPs to a default case) which are run once decrypted, after hasp_login succeeds.

In my case, I got: Dongle has 11 (1) features

Run this in your Internet Explorer: http://localhost:1947/_int_/features.html

Last edited by SunBeam : 06-21-2011 at 06:52 PM.
#147
06-22-2011, 01:18 AM
Tyrus (Senior Member; Join Date: Dec 2007; Posts: 60)

Leolo
This means that your dongle has 1 user-defined feature (default feature id = 0).
#148
06-22-2011, 01:53 AM
robin1044 (Senior Member; Join Date: Mar 2008; Posts: 189)

@SunBeam: Good job man, congratulations...

Quote (originally posted by SunBeam):
    - Features, though, shows only 1 feature locked by a certain vendor ID, with a certain HASP Key ID, the feature ID being 0;

1- If your feature is active when you run the software, it means hasp_get_sessioninfo is called too...
This API is called after hasp_login and before the other APIs.

2- If there is no active session in the features link (when you run the software), your software may be using HaspHL APIs instead.

It means you need to consider the possibility of HaspHL/HaspSRM APIs being used after unpacking.
#149
06-22-2011, 03:31 AM
SunBeam (Senior Member; Join Date: Jun 2011; Posts: 61)

Hi, robin. Thanks for replying.

1- I've checked the Features link; it shows only one feature, with ID 0, locked. Using Tyrus' signatures, only hasp_login and hasp_logout of the found hasp APIs break. hasp_get_sessioninfo doesn't break.

2- When I run the software and refresh the Features page, I get no result under the Sessions column in that table. Same thing when I go to the Sessions tab, nothing there as well. All it says is (table is empty).

EDIT #1: When breaking on hasp_logout in Olly, I checked the Admin panel. Funky:

1 / http://i56.tinypic.com/mls11v.png

2 / http://i51.tinypic.com/314rzow.png

3 / http://i54.tinypic.com/sngbaw.png

Ok, I started to read the HASP manuals on its APIs and from the looks of it:

Quote:
    printf("login to program number 42 : ");

    /* search for local and remote HASP HL key */

    status = hasp_login(42 | HASP_PROGNUM_FEATURETYPE,
                        (hasp_vendor_code_t *)vendor_code,
                        &handle);

In my case, I got this in the stack:

    $ ==> > 0044FC31 RETURN to slave.sub_44FBF4+3D from <slave.hasp_login>
    $+4 > 00000000
    $+8 > 0185C954 ASCII "JadCovffEbiw5Ns/J5G1yMqgwnj6g4IHhuIc7KfKq+H1DS56WOakWPIZsijnu2dYY7 AgW6jsK9OTJuPUtYbKoQGkNCFag0DMmQPTdfZlDCwNiFkV3ohk l7ArtCdlUGMrPO14agnidAzaeGqCwenMc5S+evOgXpmM06gboi mQlyavvDN8gGPwLZvnilRqVk35GHcC4zu/e/auxfyrn/pwyhVSVl+uGmSItuYpZsXGtKuAX"...
    $+C > 7FF5B494

- the first parameter of the function is at ESP+4; therefore, I assume the program it tries to log in to is number 0, although I don't see HASP_PROGNUM_FEATURETYPE anywhere (should be 0xFFFF0000);
- ESP+8 contains a pointer, address 185C954, which supposedly holds the vendor code;
- ESP+C holds the connection handle.

So far so good.

Next up I tried to figure out where the session is being created. To remind you all, this is how the login function looks:

[screenshot not preserved]

So, hasp_login is called at 44FC2C, with the aforementioned parameters. If the dongle is inserted, the function returns HASP_STATUS_OK (eax == 0). If the dongle is not present, it (usually) returns 0x7, meaning HASP_CONTAINER_NOT_FOUND.

So, tracing the code led me to this function, inside hasp_login:

Quote:
    00533723 |. 66:C74424 38 3412 MOV WORD PTR SS:[ESP+38],1234
    0053372A |. 66:C74424 3A 0100 MOV WORD PTR SS:[ESP+3A],1
    00533731 |. 895C24 48 MOV DWORD PTR SS:[ESP+48],EBX
    00533735 |. C74424 44 11270000 MOV DWORD PTR SS:[ESP+44],2711
    0053373D |. E8 05050200 CALL 00553C47

I went in, tracing the code. I noticed I have to be fast so the connection is made. If I trace with F7, I believe there's a timeout that kicks in and the connection is never made - hasp_login exits with code 0x21 (HASP_INV_UPDATE_CNTR = 21 -> update counter set incorrectly).

I know it's working when GetSessionID breaks (a function I got at where the VendorID is retrieved, as well as the HASPKeyID).

So, I managed to work my way up to this call:

Quote:
    00553D5C |. 8B3E |MOV EDI,DWORD PTR DS:[ESI]
    00553D5E |. 83EF 18 |SUB EDI,18
    00553D61 |. 50 |PUSH EAX
    00553D62 |. E8 10FDFFFF |CALL 00553A77

After I execute it, I see Sessions -> 1 in the Admin panel ;-)

I checked the connection buffer and all I could see in plain text were the user and host names. The rest was undecipherable.

I noticed the timeout is set to 12h, and the refresh is done every 3 seconds on that Sessions page.

Awaiting more instructions, please.

Regards,
SunBeam

EDIT #2: robin, isn't 5265F7 hasp_get_sessioninfo by any chance? Cuz from the logic pattern, it looks so: login, getinfo, logout..

Last edited by SunBeam : 06-22-2011 at 05:45 AM.
#150
07-12-2011, 01:53 PM
xs2smith (Junior Member; Join Date: Nov 2009; Posts: 3)

Hi all,
I've been following this thread. I can't understand much of the stuff. I was able to dump my dongle using srmdumper1.4; v1.5 of the same didn't work for me. I tried to dump using h6api or h6dmp but I think passwords should be entered. I don't know how to get pw1 and pw2 for my dongle. Can someone guide me, please? Also, is there any difference between the dump created using Tyrus's srmdumper 1.4 and h6api?

Also, after I get the dump, I believe I have to unpack my exe and do something to make it work. This is definitely rocket science for me. I watched the video links but they are not very helpful. Can someone please guide me about any easier way to get my program running without the dongle after successfully obtaining the dump?

I will be extremely grateful for any advice.
Powered by vBulletin® Version 3.6.4
Copyright ©2000 - 2021, Jelsoft Enterprises Ltd.