Go Back   Reverse Engineering Team Board > Reverse Engineering Board > File Unpacking
  #1  
Old 04-26-2011, 09:53 AM
merags
Member
 
Join Date: Mar 2011
Posts: 8
Unpacking HASP HL 2.x

Hi all,
I have a program that is packed using HASP-HL 2.x envelope. I have successfully extracted the key from dongle and emulated it using Multikey (with help from narciszu & G3n1us. See hxxp://www.reteam.org/board/showthread.php?t=3626). So emulation is *NOT* an issue.

Since I have some time on hand, I want to get rid of the HASP envelope altogether. I have not been successful so far and would appreciate some pointers. Here is what I have so far:

1. Hardened OllyDbg by renaming the OllyDbg exe and also changing references inside it. Installed the Phantom & anti-debugger detection plugins.
2. Ensured the protected app runs perfectly under the debugger.
3. Extracted the OEP. Confirmed using ImpRec that the IAT is being redirected.
4. Patched a specific 'JE' instruction in the .protect section to disable IAT redirection.
5. Reran the app & confirmed using ImpRec that IAT redirection is now disabled. Around 200+ functions are properly detected.
6. Dumped the exe & fixed the IAT. The dumped exe works, but only with the dongle connected. I am unable to remove the .protect section. If it is removed, the dumped exe does not start.

As is obvious, I now have a dumped exe with an actual entry point in the .text section of my exe instead of the .protect section. But apparently it still tries to make HASP calls. I tracked this using a HASP logger. My attempts to trace these calls (for example the HASP init/login) in the code section are taking me in circles and I am finding it very hard to pin-point the exact calls.

Also, calls are being made into a specific address in the .protect section from several locations in the .text section. Again, tracing these calls is proving to be difficult. A simple 'RETN' assembled at the specific address in the .protect section crashes the application with an 'invalid memory access' error.

Does anyone have any suggestions on the way forward?

Cheers
Vijay
PS: I have followed a couple of tutorials claiming to unpack HASP-HL v1.x. But they don't seem to work in my case.
1. HASP HL Envelope 1.x (Unpacking)
2. Cracking HASP By Koudelka

  #2  
Old 04-26-2011, 12:10 PM
G3n1us
Senior Member
 
Join Date: Dec 2010
Posts: 93

Why unpack when you can emulate your dongle? I think that is the easiest way.

BR
  #3  
Old 04-26-2011, 01:11 PM
lostdongle
Member
 
Join Date: Apr 2011
Posts: 16

Quote (originally posted by merags):
Does anyone have any suggestions on the way forward?
It can help you:
HASP SRM unpacking video
__________________
www.lostdongle.com
  #4  
Old 04-26-2011, 03:14 PM
BfoX
Senior Member
 
Join Date: Aug 2007
Posts: 2,234

Quote (originally posted by lostdongle):
It can help you:
ONLY with the dongle or emulator...
__________________
... Either you work well or you work much ....
  #5  
Old 04-26-2011, 05:19 PM
merags
Member
 
Join Date: Mar 2011
Posts: 8

G3n1us,
Well, as I said in my post, I had some free time. Also, the Vista x64 environment doesn't allow unsigned Multikey drivers, so I have to remember to disable that check every time I start Windows. For some reason the alternative "ReadyDriver Plus" does not work on my machine!

lostdongle, I went through the video you suggested. It doesn't seem to help in my case. For example, the IAT resolver script for HASP HL that I could find simply says "Signature not found".

Please refer to the attached pictures. They show my application stopped at the OEP (0079E716), the code that I modified at 00AE909D in the main window, and the IAT table as read by ImpRec. As can be seen, only one address, 00AE91B7, listed as part of kernel32.dll, remains unresolved. This address is in the .protect section and is the same address referred to in the second-to-last paragraph of my original post. I am guessing that this is a second type of redirection. By monitoring writes to the VA (0087B304) and calls to 'GetProcAddress', I figured out that 00AE91B7 is indeed a redirection for 'GetProcAddress' itself. I dumped the EXE, fixed the IAT and used LordPE to remove the .protect section. Now the exe runs (much faster, I must add) when the dongle is present. When the dongle is removed, the EXE crashes after a call to GetTimeZoneInfo (the LastErr info is "ERROR_INVALID_WINDOW_HANDLE").

Any clues on how to debug this?
Attached images: ImpRec.jpg, MainWindow.jpg, MemoryMap.jpg

  #6  
Old 04-27-2011, 06:40 AM
lostdongle
Member
 
Join Date: Apr 2011
Posts: 16

merags,
Well, now the HASP envelope is removed.
Now you need to find the calls to the HASP API: use IDA signatures to detect them, and patch or emulate these calls.
  #7  
Old 04-27-2011, 11:38 AM
merags
Member
 
Join Date: Mar 2011
Posts: 8

lostdongle,
Any suggestions? The following does not seem to work:

hxxp://www.reteam.org/ID-RIP/database/defiler/haspmark.idc

I suspect the version I have has some self-modifying code which in turn makes the HASP calls.

Folks,
Never mind, it looks like it is too complicated. Thanks to everyone who chipped in.

Cheers

  #8  
Old 05-10-2011, 03:02 PM
lostdongle
Member
 
Join Date: Apr 2011
Posts: 16

Quote (originally posted by merags):
Any suggestions?
Hasp SRM IDA signatures
  #9  
Old 06-22-2011, 11:06 AM
SunBeam
Senior Member
 
Join Date: Jun 2011
Posts: 61

I wouldn't have given up if I were you :-)

Did you know you can make HASP repair its own IAT? Even with the excluded APIs (those that appear as unresolved in your ImpREC window)?

Furthermore, identify whether the application uses the HASP HL or SRM APIs. I can help, if you are still interested, just as I was helped earlier by robin1044 with hints and suggestions.

Regards,
Sun
  #10  
Old 06-22-2011, 08:41 PM
008348
Senior Member
 
Join Date: Jun 2010
Posts: 50

You can apply the HASP SRM signature in IDA and find the API calls.
Then install the emulator and debug your application in OllyDbg.
Set breakpoints at the API calls to find which APIs are called.
The last thing is to patch the called HASP HL APIs, giving the numbers or information the APIs want.
If you have any problem, post your steps here; many friends will help you.