Hasp Envelope help please


LaptoniC
June 20th, 2001, 12:59
I am working on a program which uses HASP Envelope. I saw that it only uses service 1 and service 2. I have used CrackZ's Haspcode addon and found the return codes; I have put these values after the hasp routine, but it gives an error saying that it can't load ..... some unreadable characters. Here is what I have found.


0167:007ABADE 8B45B0 MOV EAX,[EBP-50]
0167:007ABAE1 50 PUSH EAX
0167:007ABAE2 6A00 PUSH 00
0167:007ABAE4 6A01 PUSH 01 ;service 1
0167:007ABAE6 E8661F0000 CALL 007ADA51


0167:007ABC8B 8B45B0 MOV EAX,[EBP-50]
0167:007ABC8E 50 PUSH EAX
0167:007ABC92 8B4D0C MOV ECX,[EBP+0C]
0167:007ABC95 33D2 XOR EDX,EDX
0167:007ABC97 668B544162 MOV DX,[EAX*2+ECX+62]
0167:007ABC9C 52 PUSH EDX
0167:007ABC9D 6A02 PUSH 02 ;Service 2
0167:007ABC9F E8AD1D0000 CALL 007ADA51

At this point
Pass2=7729
Pass1=771D
Seed=FC0
So, with the help of the haspcode addon:
Part1 0000C1BB
Part2 0000D69F
Part3 0000EA59
Part4 00005FF5

The program broke two more times for hasp again, but this time the service was again 2, but it wasn't pushed directly as push 2; instead it was moved to eax and then push eax. I have filled the registers with the above ones, but it didn't work. I used the haspcode command at 7ADACD, where the return codes are put. Could you give me hints to reverse this program? You can download it from http://www.ideyapi.com.tr/download/down/guncelleme/idestids.exe It needs hasp95dl.vxd and Csh.dll, which I have attached. Thanks.

CrackZ
June 20th, 2001, 17:28
Briefly:

See your e-mail for a reply.

Use the /HASPCODE switch at address 7ADAC7; that's where it needs to fill EAX->EDX with the response codes to a given seed. Note the parameters 2 lines before (push ebp). The first seed used is FC0, then 5FF5.

That takes care of the decryption; however, a HASP API is decrypted at 664534 and you need to force services 5 & 33 to good to make the program start.

Regards

CrackZ.

LaptoniC
June 22nd, 2001, 14:03
I have managed to run it. However, after it runs it crashes immediately after I choose any function like New, Open etc.
Here is how I came to this point:
bpx on FreeEnvironmentStringsA

Because it is protected with the envelope, I couldn't put my emulation code in and redirect to that location. However, I have done this.
I have assembled the emulation code below and put it at 7CB318 (3CA318h). When it first breaks, which is service 1, I changed eax to 1 and changed the call at 7ADAC8 to call 7CB318. The envelope unpacked and the program stopped again, which is service 5; I changed eax, ebx and ecx to 1 and changed the hasp API call at 664535 to 7CB318. The program starts; however, when I try to hit the New button the program first executes service 32, then service 5, and it crashes. My only guess is that I missed some services? Or there is some wrong code in the emulation. However, whatever I try for service 32, it crashes at the same location in Mfc42.dll with the same values of the registers.

1) I want to unpack it after decrypting the envelope; how can I find the OEP and unpack it? I tried bpr 401000 401000+27B86D, which is the range of the first section. My computer just hangs. I have used tracex but it couldn't find it either.
2) Is there any error in my emulation, or does this program need another dll or something? Thanks

Regards,
LaptoniC

-----------Registers at the mfc42.dll crash--------
EAX=9999999a CS=0167 EIP=5f4164fa EFLGS=00000202
EBX=00000001 SS=016f ESP=009ff358 EBP=009ff3bc
ECX=00b85654 DS=016f ESI=00b85654 FS=3ef7
EDX=00688640 ES=016f EDI=00ba2fa0 GS=0000
-----------Registers at the mfc42.dll crash--------

--------------Emulation Code---------------
        cmp     bh,1                ; service 1: IsHasp?
        jnz     @nextservice
        mov     eax,1               ; HASP connected
        ret
@nextservice:
        cmp     bh,2                ; service 2: HaspCode?
        jnz     @service5
        cmp     eax,0FC0h           ; service 2 is called 3 times: twice with seed FC0 and once with 5FF5
        jnz     @itsanother         ; thanks CrackZ for pointing this out
        mov     eax,0C1BBh          ; response codes for seed FC0; use the haspcode addon of icedump to get the correct values
        mov     ebx,0D69Fh
        mov     ecx,0EA59h
        mov     edx,05FF5h
        ret
@itsanother:
        mov     eax,03FE9h          ; response codes for the other seed (5FF5)
        mov     ebx,0DA77h
        mov     ecx,07BA8h
        mov     edx,031A7h
        ret
@service5:
        cmp     bh,5                ; service 5: HaspStatus?
        jnz     @service33
        mov     eax,1               ; MemoHasp
        mov     ebx,eax             ; MemoHasp
        mov     ecx,eax             ; port #
        ret
@service33:                         ; service 33h: Write Block (any other service number falls through here too)
        cmp     bh,32h
        jz      @service32
        xor     ebx,ebx
        xor     ecx,ecx
        ret
@service32:                         ; service 32h: Read Block
        xor     ebx,ebx
        xor     ecx,ecx
        ret
--------------Emulation Code---------------
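The emulation above is posted as raw assembly that is patched into the target, which makes it hard to see why an unexpected service (the service 32 call that precedes the crash) ends up in the catch-all path. The following is an added example written for this page, not LaptoniC's or CrackZ's code: it models the same register contract the thread describes (BH selects the service, AX carries the HaspCode seed, results come back in EAX..EDX) as a C function that can be unit-tested before it is turned back into a patch. The response words, service numbers and the zeroed EBX/ECX for Read/Write Block are taken from the posted emulation; the decision to report an unknown seed or service as unhandled instead of silently answering, and the service trace, are assumptions added here so that a missed service shows up in the log rather than as a crash in MFC.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Register image at the emulated HASP entry point: BH selects the service,
 * AX carries the seed for HaspCode, results are returned in EAX..EDX.
 * Only the four general registers the thread touches are modelled. */
typedef struct {
    uint32_t eax, ebx, ecx, edx;
} hasp_regs;

/* Service numbers as used in the thread (32h/33h are decimal 50/51). */
enum {
    SVC_ISHASP     = 1,
    SVC_HASPCODE   = 2,
    SVC_HASPSTATUS = 5,
    SVC_READBLOCK  = 0x32,
    SVC_WRITEBLOCK = 0x33
};

/* HaspCode responses posted in the thread: seed -> Part1..Part4 (EAX..EDX). */
typedef struct {
    uint16_t seed;
    uint16_t part[4];
} seed_response;

static const seed_response responses[] = {
    { 0x0FC0, { 0xC1BB, 0xD69F, 0xEA59, 0x5FF5 } },
    { 0x5FF5, { 0x3FE9, 0xDA77, 0x7BA8, 0x31A7 } },
};

/* Trace of every service number requested (an addition here, not in the
 * posted emulation), so an unknown service is visible instead of silent. */
#define TRACE_MAX 64
static int trace_log[TRACE_MAX];
static int trace_len;

static void trace_service(int service)
{
    if (trace_len < TRACE_MAX)
        trace_log[trace_len++] = service;
}

/* Returns 1 if the service and seed were handled, 0 if the emulator had no
 * answer. On 0 the registers are cleared/left as the posted catch-all does
 * (EBX/ECX zeroed), but the caller can tell that the call was not understood. */
int hasp_emulate(hasp_regs *r)
{
    unsigned service = (r->ebx >> 8) & 0xFF;   /* BH */
    unsigned seed    = r->eax & 0xFFFF;        /* AX */
    trace_service((int)service);

    switch (service) {
    case SVC_ISHASP:
        r->eax = 1;                            /* HASP connected */
        return 1;
    case SVC_HASPCODE:
        for (size_t i = 0; i < sizeof responses / sizeof responses[0]; i++) {
            if (responses[i].seed == seed) {
                r->eax = responses[i].part[0];
                r->ebx = responses[i].part[1];
                r->ecx = responses[i].part[2];
                r->edx = responses[i].part[3];
                return 1;
            }
        }
        /* Unknown seed: no response codes to give, so flag it (assumption). */
        r->eax = r->ebx = r->ecx = r->edx = 0;
        return 0;
    case SVC_HASPSTATUS:
        r->eax = 1;                            /* MemoHasp */
        r->ebx = 1;                            /* MemoHasp */
        r->ecx = 1;                            /* port # */
        return 1;
    case SVC_READBLOCK:
    case SVC_WRITEBLOCK:
        r->ebx = 0;                            /* as in the posted emulation */
        r->ecx = 0;
        return 1;
    default:
        r->ebx = 0;                            /* posted catch-all behaviour, but reported */
        r->ecx = 0;
        return 0;
    }
}

int  hasp_trace_count(void) { return trace_len; }
int  hasp_trace_at(int i)   { return (i >= 0 && i < trace_len) ? trace_log[i] : -1; }
void hasp_trace_reset(void) { trace_len = 0; }

int main(void)
{
    hasp_regs r = { 0x0FC0, SVC_HASPCODE << 8, 0, 0 };
    hasp_emulate(&r);
    printf("HaspCode(FC0) -> %04X %04X %04X %04X\n",
           (unsigned)r.eax, (unsigned)r.ebx, (unsigned)r.ecx, (unsigned)r.edx);

    hasp_regs u = { 0, 0x7Fu << 8, 0, 0 };     /* a service the emulator does not know */
    if (!hasp_emulate(&u))
        printf("unhandled service %02X\n", hasp_trace_at(hasp_trace_count() - 1));
    return 0;
}
```

Running the model with the sequence the poster saw (1, 2, 2, 2, 5, then 32h and 5 after pressing New) and checking the return value of each call is a quick way to separate "service not emulated" from "service emulated with the wrong answer" before patching the assembly back into the target.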