Reverse Engineering Team Board > Reverse Engineering Board > Reverse Code Engineering
#21  Git (Super Moderator), 10-10-2009, 07:35 AM

sungog - that is the worst quoting I have ever seen and totally unnecessary. Everybody can see the original message, so there is no need to repeat it here. I have edited your post.

Quote:
Originally Posted by SonofabiT
This is the answer that I want.
Yes, but look back at your long post, and you will see that you did not ask that question.

N=0x10 for all Q/A is ONLY true for the 4096 byte Envelope blocks. You can NOT make that assumption when hasphl_encrypt is used from the API inside the program. The programmer can encrypt or decrypt any length string (s)he likes. The API splits it into lumps of 16, 32 or 48 bytes.

So :

Envelope : N=0x10=16, and Q/A pairs appear in groups of 128 pairs. 128 * (16 + 16) = 4096 bytes. The envelope can be applied up to 5 times consecutively.

API : N=0x10=16 or 0x20=32 or 0x30=48 and can appear in isolation or groups anywhere in the program.

A program can have API en/decryption calls AND then finally have the Envelope applied from 1 to 5 times.

Git
#22  SonofabiT (Senior Member), 10-10-2009, 07:50 AM

Quote:
Originally Posted by Git
Yes, but look back at your long post, and you will see that you did not ask that question.
@Git - I think you did read my description carefully. Read back my problem description in paragraph 3 and question number 1.

Quote:
Originally Posted by Git
API : N=0x10=16 or 0x20=32 or 0x30=48 and can appear in isolation or groups anywhere in the program.
Thanks for your additional perspective.
Are these group parts the input/output of hasp Decrypt or hasp Encrypt which usually appear in both Xyrurg&Sataron HaspLoger1.71 and Toro HaspMonitor32?

Last edited by SonofabiT : 10-10-2009 at 08:13 AM.
#23  Git (Super Moderator), 10-10-2009, 01:04 PM

I'm happy to admit when I'm wrong (well, happyish...) but I just read it again and I cannot see anything that asks about the length. I did see something about "splitting into 0x10 lines..." which is worrying - you now know that is wrong I hope? You cannot split queries, ever.

Quote:
Are these groups parts the Input-Output of hasp Decrypt or hasp Encrypt which usualy apears on both Xyrurg&Sataron HaspLoger1.71 and Toro HaspMonitor32 ?
The logger will show any and all instances of hasp_encrypt or hasp_decrypt. The logger has no knowledge of how they were created, as part of the Envelope or as a random API call. The only thing you can infer when looking at the log is that if there are fewer than 128 consecutive calls to hasp_decrypt then those calls did NOT originate from an Envelope.

Most dongles have these two ways of being used, and in most cases the two ways can be used separately or together.

i) Envelope/Shell. This is the idiot's "press a button to protect your program" button. Click one button and the dongle programmer's toolkit will take your exe, pack it or encrypt it or both, and store information about how to unpack/decrypt it inside the modified exe. In a way, the program is wrapped in an envelope or a shell. Often, this envelope/shell is applied multiple times, like putting a letter in an envelope, then putting that envelope inside another bigger envelope and so on. For the Hasp HL this happens a maximum of 5 times. Each time 128 Queries and 128 Answers are stored, each is 16 bytes long.

ii) API. Anybody who is more serious about protecting their program knows the envelope is not enough. The API allows calls to encrypt or decrypt strings or blocks of data. The data or string can be up to 1024 bytes long. To decrypt the string the application must make a call to the dongle and this will be caught and displayed by the logger. The toolkit also allows the programmer to encrypt strings outside of the program, so the encrypted value is then used in the program and can be decrypted by a call to the dongle and compared to the known correct value. So things like passwords etc. can be stored in encrypted form inside the program and only encrypted to the correct value if the dongle is fitted. Note that the dongle will both encrypt and decrypt. This type of use of the API can be done in many ways and spread around the whole program. A good example of this is DecoStudio. Not only the main application exe but also about 10 DLLs all have the envelope fully applied. Not only that, but extensive use of the API is made by both program and DLLs. A full reg file to emulate that set of applications is several MB I believe.

One last thing worth knowing is that the AES encryption used by HL and many dongles is symmetrical. If you encrypt "John Doe" and get "DJ8d*^nj&h", then feeding "DJ8d*^nj&h" to the decryption function will give you the original "John Doe".

Git
#24  SonofabiT (Senior Member), 10-11-2009, 03:43 AM

@Git - Many thanks. That was a wonderful post!!! People like you really make this kind of forum grow up as it should ...
Quote:
Originally Posted by Git
Not only the main application exe but also about 10 DLL's all have the envelope fully applied.
btw, I've used the Envelope File Finder feature of Toro HaspMon32 and I saw there were so many .dll files in the list. Could anyone hint me how to overcome the .dll files which have been enveloped?
#25  Git (Super Moderator), 10-11-2009, 07:55 AM

Same method for a DLL as for an Exe. OllyDbg has a tool to enable it to load DLLs and you can use the OllyDump plugin to make the required dump, or you can use LordPE. Select the Exe in the top list. LordPE then shows a list of all DLLs used by that Exe in the bottom list. Select the DLL you want and choose Full Dump from the popup menu.

I had not seen that feature of Toro's logger. The clue that it has an Aladdin Envelope is the presence of a section named ".protect". The clue for Sentinel dongles is all the sections being renamed to .00000001, .00000002 etc. That said, there's nothing to stop somebody from renaming the sections to anything they like after applying the envelope. A favourite trick is to rename the .vmp1, .vmp2 sections of a VMProtected program to .UPX1, .UPX2 so you think the target is only UPX packed.

Git

Last edited by Git : 10-11-2009 at 08:03 AM.
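Git's section-name clue above, as an added example that is not part of the original post and not the code of Toro's logger or any other tool: a small PE section-table reader that applies the name heuristics from the post. The helper names, the hint labels and the synthetic header built by build_pe() are my own assumptions so that it runs offline on constructed input; because the post says names can be renamed after the shell is applied, the result is labelled a hint, not a verdict.

```python
import re
import struct

# Hints taken from the post: an Aladdin/HASP Envelope leaves a ".protect" section,
# the Sentinel shell renames every section to .00000001, .00000002 ..., and
# VMProtect's .vmpN sections are sometimes renamed to look like UPX.
SENTINEL_RE = re.compile(rb"^\.[0-9]+$")   # a dot followed only by digits


def section_names(pe):
    """Walk MZ -> e_lfanew -> PE\\0\\0 -> COFF header -> section table (PE32 or PE32+)."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not at e_lfanew")
    coff = e_lfanew + 4
    n_sections = struct.unpack_from("<H", pe, coff + 2)[0]      # NumberOfSections
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]       # SizeOfOptionalHeader
    table = coff + 20 + opt_size                                 # first IMAGE_SECTION_HEADER
    names = []
    for i in range(n_sections):
        off = table + i * 40                                     # sizeof(IMAGE_SECTION_HEADER)
        names.append(pe[off:off + 8].rstrip(b"\0"))
    return names


def shell_hints(names):
    """Name-based hints only: anyone can rename sections after the shell is applied."""
    hints = []
    if b".protect" in names:
        hints.append("aladdin_envelope")
    if names and all(SENTINEL_RE.match(n) for n in names):
        hints.append("sentinel_shell")
    if any(n.startswith(b".vmp") for n in names):
        hints.append("vmprotect")
    if any(n.lstrip(b".").upper().startswith(b"UPX") for n in names):
        hints.append("upx_by_name_only")     # may be a renamed .vmpN; confirm by unpacking
    return hints


def build_pe(names, opt_size=0xE0):
    """Constructed minimal PE32 header for testing (not a real binary): DOS stub with
    e_lfanew = 0x40, PE signature, COFF header, zeroed optional header of the usual
    PE32 size, then one 40-byte section header per name (names truncated to 8 bytes)."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, len(names), 0, 0, 0, opt_size, 0x0102)
    sections = b"".join(n[:8].ljust(8, b"\0") + b"\0" * 32 for n in names)
    return dos + b"PE\0\0" + coff + b"\0" * opt_size + sections


if __name__ == "__main__":
    for sample in ([b".text", b".rdata", b".protect"],
                   [b".0000001", b".0000002", b".0000003"],
                   [b".UPX1", b".UPX2", b".rsrc"]):
        names = section_names(build_pe(sample))
        print(names, "->", shell_hints(names))
```

To use it on a real file, pass open(path, "rb").read() to section_names(); the same walk works for PE32+ because only SizeOfOptionalHeader decides where the section table starts.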
#26  SonofabiT (Senior Member), 10-11-2009, 08:30 AM

On the window of "Enveloped Files Finder & Loaders" of Toro's haspmon32, i saw a "LoadBatch" button.
Could anyone please explain about the use of "LoadBatch" feature ?

Last edited by SonofabiT : 10-11-2009 at 11:19 PM.
#27  SonofabiT (Senior Member), 10-18-2009, 01:13 AM

Quote:
Originally Posted by Git
And a third entry with

Code:
N = 32
Q = 55,00,A9,34,CD,E5,D7,B6,19,56,85,15,F7,4D,32,36,95,EC,75,E8,C4,8F,6B,5D,98,80,F6,A8,8B,25,1C,48
A = 4F,8A,A7,A1,26,55,61,B3,1A,77,B4,A2,19,B3,34,FD,B7,BD,6F,B0,4E,E3,AD,73,51,C3,D9,13,0B,7F,0E,32
in this case, we have the full Query, but only the first 16 bytes of the Answer :

Code:
"20:5500A934CDE5D7B619568515F74D323695EC75E8C48F6B5D9880F6A88B251C48"=hex:4F,8A,A7,A1,26,55,61,B3,1A,77,B4,A2,19,B3,34,FD
So now we put it together :
I have a little problem with my hasplog.txt. Let's say that Toro Hasp Monitor 3.2 shows the log like below:
Code:
HaspHL In:> Hasphl_decrypt, Length=32
Data:
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE

Hasp Out:> HaspStatus Status=0 (0x0)  P1=4 P2=1

HaspHL In:> Hasphl_decrypt, Length=32
Data:
BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF

HaspHL Out:> Hasphl_decrypt Status=0 (0x0)
Response:
22222222222222222222222222222222
By default, Log2Tables v2.0.3.4 gives me reg entries which consist of 2 rows of pairs. But the Queries have been copied as 0x10 bytes long, meanwhile the Responses are copied as "empty Responses" separated by commas, like below:
Code:
"10:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"=hex:,,,,,,,,,,,,,,,
"10:BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB"=hex:,,,,,,,,,,,,,,,
1. Should I accept the above output for merging into my reg?
2. If not, how should the proper DTable entries be written for this case?

BR
SonofabiT

Last edited by SonofabiT : 10-18-2009 at 09:08 AM.
#28  Git (Super Moderator), 10-18-2009, 06:42 AM

No, it is definitely wrong to my mind, unless the author has done some very strange trick, but I don't think the operating system will read ",,,,,,,,,,,,,," when it is expecting several hex numbers.

I can't tell you what should be there because the log shows 32 byte input and only 16 byte output.

That said, the guy who wrote the emulator says use only the first 16 bytes of the response so you had better do what he says. Personally, I can't see how that can work but I can't remember the full details of Hasp HL query lengths, other than it is a much more complex subject than it should be. So follow the 18.1.0 manual which has notes on the changes he made to handling of queries longer than 16 bytes. You will have to translate from Russian.

The vital part is this :

Quote:
If a single query of length 32 (20h) bytes appears in the log and it is not immediately followed by a query of length 48 (30h) bytes (or, put another way, one in which the second 16 bytes of the query are NOT EQUAL to the second 16 bytes of the answer), then such a query must be stored in the table as two queries of 16 (10h) bytes each. (translated from Russian)
We really need a translation by a native Russian speaker. Systran thinks it says this :

Quote:
If before the protocol is encountered single query by length beside 32 (20h) the byte, above which immediately there is no query with length 48 (30h) of bytes (or if we say on other, before which the second 16 bytes of the query ARE NOT EQUAL to the second 16 bytes of answer), then this query must be preserved beside the table as two queries on 16 (10h) byte
Git
#29  SonofabiT (Senior Member), 10-18-2009, 07:10 AM

Quote:
Originally Posted by Git
I can't tell you what should be there because the log shows 32 byte input and only 16 byte output.
LogToTables.exe only reads and converts the input which has been given by Toro's hasplog.txt. For this case, I am trying to make sure myself, and I have been wondering whether my pair entries will consist of a 0x20 byte query and a 0x10 byte response.

Since there is no response for the first 0x20 bytes in hasplog.txt, I have presumed that the response for the first hasphl decrypt function will be 0x10 bytes long with all the data = 0x00. Meanwhile the second one will be 0x10 bytes long with all the data = 0x22. Referring to my Toro's hasplog.txt, I have arranged the pairs manually like below:
Code:
"20:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
"20:BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"=hex:22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22
Could anyone please correct me if I have been totally wrong about this, and tell me how these pairs should be written?
#30  Git (Super Moderator), 10-18-2009, 07:23 AM

Yes, BUT the proviso that he has added for 18.1.0 is very important. My best translation of its meaning is this :

Code:
IF(we have single 32 byte Query) AND
(
(Previous Query is NOT 48 bytes) OR ( (Second 16 bytes of previous Query) NOT EQUAL TO (Second 16 bytes of previous Answer) )
)
THEN
(the 32 byte Query is entered in table as two 16 byte Queries)
Git
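Pulling the thread together as an added example (my own code, not part of any post and not the code of Toro's logger, Log2Tables or the emulator): a parser for the log layout shown in post #27, the "fewer than 128 consecutive decrypts cannot be an Envelope" inference from post #23, and table entries in the "LEN:QUERY"=hex:... style from #27, with the 32-byte split rule quoted in #28 applied as the manual text states it (the next query, where Git's pseudocode in #30 reads it as the previous one). The dict layout, function names and the sample log (placeholder hex, constructed for this example) are my assumptions. What the answer should be for a query half whose bytes never appear in the log is not settled anywhere in the thread, so such halves are reported as unresolved rather than written with empty bytes the way the "hex:,,,," output in #27 does.

```python
import re

# Constructed sample in the layout Toro's HaspMon32 log shows in post #27;
# the hex payloads are placeholders, not captured dongle traffic.
SAMPLE_LOG = """\
HaspHL In:> Hasphl_decrypt, Length=32
Data:
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE

Hasp Out:> HaspStatus Status=0 (0x0)  P1=4 P2=1

HaspHL In:> Hasphl_decrypt, Length=32
Data:
BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF

HaspHL Out:> Hasphl_decrypt Status=0 (0x0)
Response:
22222222222222222222222222222222
"""

IN_RE = re.compile(r"^HaspHL In:> (Hasphl_\w+), Length=(\d+)")
OUT_RE = re.compile(r"^HaspHL Out:> (Hasphl_\w+) Status=")


def parse_log(text):
    """Return one dict per dongle call: func, length, query bytes, answer bytes or None.
    A HaspStatus line after a call (the first call above) leaves that call's answer None."""
    lines = [ln.strip() for ln in text.splitlines()]
    calls, i = [], 0
    while i < len(lines):
        m_in = IN_RE.match(lines[i])
        if m_in and i + 2 < len(lines) and lines[i + 1] == "Data:":
            calls.append({"func": m_in.group(1), "length": int(m_in.group(2)),
                          "query": bytes.fromhex(lines[i + 2]), "answer": None})
            i += 3
            continue
        m_out = OUT_RE.match(lines[i])
        if (m_out and calls and calls[-1]["func"] == m_out.group(1)
                and i + 2 < len(lines) and lines[i + 1] == "Response:"):
            calls[-1]["answer"] = bytes.fromhex(lines[i + 2])
            i += 3
            continue
        i += 1                      # blank lines, HaspStatus lines, anything else
    return calls


def needs_split(calls, idx):
    """Rule quoted from the 18.1.0 manual in post #28, read literally: a lone 32-byte
    query that is NOT immediately followed by a 48-byte query goes into the table
    as two 16-byte queries."""
    if calls[idx]["length"] != 32:
        return False
    nxt = calls[idx + 1] if idx + 1 < len(calls) else None
    return nxt is None or nxt["length"] != 48


def reg_entry(query, answer):
    """One table line in the style post #27 quotes: "LEN_HEX:QUERY_HEX"=hex:AA,BB,..."""
    return '"%X:%s"=hex:%s' % (len(query), query.hex().upper(),
                               ",".join("%02X" % b for b in answer))


def build_table(calls):
    """Entries for every en/decrypt call. A query (half) with no logged answer of the
    same length is reported as unresolved instead of being written as "hex:,,,,"."""
    entries, unresolved = [], []
    for idx, c in enumerate(calls):
        if c["func"] not in ("Hasphl_decrypt", "Hasphl_encrypt"):
            continue
        ans = c["answer"] or b""
        if needs_split(calls, idx):
            parts = [(c["query"][:16], ans[:16]), (c["query"][16:], ans[16:32])]
        else:
            parts = [(c["query"], ans)]
        for q, a in parts:
            if len(a) == len(q):
                entries.append(reg_entry(q, a))
            else:
                unresolved.append(q.hex().upper())
    return entries, unresolved


def envelope_runs(calls, minimum=128):
    """Post #23: fewer than 128 consecutive decrypt calls cannot come from an Envelope.
    Returns (start_index, count) for each run of 16-byte Hasphl_decrypt calls that is
    long enough to be one Envelope block."""
    runs, start = [], None
    for idx, c in enumerate(calls + [None]):          # sentinel closes a trailing run
        in_run = c is not None and c["func"] == "Hasphl_decrypt" and c["length"] == 16
        if in_run and start is None:
            start = idx
        elif not in_run and start is not None:
            if idx - start >= minimum:
                runs.append((start, idx - start))
            start = None
    return runs


if __name__ == "__main__":
    calls = parse_log(SAMPLE_LOG)
    entries, unresolved = build_table(calls)
    print("\n".join(entries))
    print("unresolved queries (no answer of matching length in log):", unresolved)
    print("envelope runs:", envelope_runs(calls))
```

On the sample, only the first half of the second query gets an entry ("10:BBBB..."=hex:22,...); the first query, which the logger answered with a HaspStatus line instead of a Response, and the second query's FFFF... half come back in the unresolved list, which is the list you would have to fill from a better log rather than from guesses.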