HASP Protection


octapus
December 9th, 2001, 16:27
I recently downloaded a sort of CAD program to crack. I installed it and, to my curiosity, I observed some files called hardlock.vxd, hardlock.sys, etc. I looked at the version info and read the name of the company. It was Aladdin Systems. Well, it is the first time I have met a dongle protection, and therefore a HASP as well. So I read every document I had about HASP.

Now, the program under protection operates in its full form for about 14 days. After that, I haven't tried what happens (I didn't change any date either to see the responses). I checked the exe sections (a very large one, ~8 MB) and there was no .protected section. In fact there were the normal sections with their normal names. So for sure the .exe is not envelope-wrapped.

I went to ftp.hasm.com and downloaded the HASP directory they had. It was about 180 MB. I read some manuals on what protections there are. From the descriptions inside, I believe that my protection must be using a TIMEHASP. Now my problem is how to recognize the _hasp call. I have FLAIR and ran its tools with hasp32b.obj, found on ft.hasp.com, but the signature file that came out of the process (which I put in the SIG directory of IDA) didn't recognize any functions. I believe that may be due to the fact that the .obj file is meant for the latest version of HASP. My hardlock.vxd and hardlock.sys are v2.35.

Can anybody tell me a practical way to find _hasp? Of course, if you could give me an .obj or a ready .sig file which works with my demo IDA 4.18, it would be better. CrackZ's site, which closed down, could probably have given me the information I needed. Why isn't it put somewhere like Fravia's mirrors? It doesn't have to be updated (of course, if it gets updated when something like that happens, that wouldn't be bad at all).

DakienDX
December 9th, 2001, 16:48
Hello octapus !

Your problem is not wrong HASP signatures. If you have a HARDLOCK.VXD, the program is protected by Hardlock. This is a high-budget dongle from Aladdin. There are some documents available on their homepage describing the HL_API in great detail. So if the program is not protected by the wrapper method and does not use online decryption, the chances are very high that you don't need the dongle to crack the program. I don't know if there are .SIG files for Hardlock available for IDA, but you should be able to write a demo program yourself which uses the HL_API and create the .SIG files from that demo program.

CrackZ
December 9th, 2001, 20:26
Hiya,

Actually, hardlock.vxd on its own isn't indicative of a Hardlock, since HASP drivers install it as well ;-).

Since you haven't got a .protect section, it would appear you don't have any of the wrappers either of these dongles has the facility to use.

Grab your hex editor:

1. Search for the plaintext string 'HASPDOSDRV'; if you find it, you've got a HASP.

2. Search for the plaintext string '**CPG'; there's more on this one, usually the version number; if you find it, you've got the Hardlock API.

Anything else, send me the target name or target file and I'll tell you exactly what you've got ;-) (or I'll try to).

Regards

CrackZ.

octapus
December 10th, 2001, 09:11
Thank you for the replies, DakienDX and especially CrackZ.

I searched for both plaintext strings and:

1) There was no "HASPDOSDRV", neither in small letters nor in capitals.
2) I found this:

**CPG_HK_AK_HV_MAZ_GBS_TS*15-Nov-1995*V3.50**  UWVRQS_fC


It seems that the program is protected with Hardlock API v3.5.

Well, this program is about 40 MB of download in compressed form.
If CrackZ would be kind enough to try it, I can send the URL.

For the moment, since it is sure that we are dealing with Hardlock, my
only problem is the lack of tutorials on this protection. I have only one.
Well, I noticed something while I did a search on "dongles" generally on
the web:

I found a few Spanish sites (anyway, non-English) that contained a lot of CrackZ
tutorials, maybe all. But I found no English-language site. My only option would be
to try those automated machine translators, but the words they leave out are a lot.


To DakienDX:

Let's suppose that I write a demo program of mine which uses HL_API. I haven't checked
what I have downloaded about HL_API (I don't have it on this computer), but in order to
call those Hardlock APIs, shouldn't I have some declarations which call them
from a DLL or something that should be linked when I compile?

If they are called from a Hardlock DLL file, I should probably unpack the DLL.
If it is the latter case, then there should again be a .lib or .obj file.

NOTE: My target file in its IMPORT section calls only one DLL (except for the Windows DLLs).
And that .dll has program functions inside. In fact it exports 854 functions (all of them
with names and sometimes parameters).

I don't understand what the difference is between the process that I followed to create the .sig and the one I would follow if I made my own program using HL_API.
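The two hex-editor searches CrackZ describes above, and the '**CPG...*V3.50**' block octapus found, can be turned into a small triage script that reports which dongle API a binary carries and pulls the version out of the Hardlock marker. This is an added example, not code from the thread or from Aladdin; the marker strings are the two named in CrackZ's post, the sample byte strings below are constructed for the demonstration (they are not real files), and the assumption that the version sits within 128 bytes after '**CPG' is mine.

```python
import re
import sys

# Marker strings named in the thread (CrackZ's post). The labels are ours.
MARKERS = {
    b"HASPDOSDRV": "HASP API",
    b"**CPG": "Hardlock API",
}

# Hardlock marker block observed in the thread: "...*15-Nov-1995*V3.50**".
# Assumption: the version is "*V<major>.<minor>**" shortly after "**CPG".
VERSION_RE = re.compile(rb"\*V(\d+\.\d+)\*\*")
VERSION_WINDOW = 128  # bytes after the marker to look for the version


def identify_dongle_api(data: bytes) -> dict:
    """Scan a binary image for the marker strings.

    Returns {'api': label or None, 'offset': int or None, 'version': str or None}.
    The search is tried case-sensitively first, then case-insensitively
    (octapus checked both small letters and capitals for HASPDOSDRV).
    """
    result = {"api": None, "offset": None, "version": None}
    for marker, label in MARKERS.items():
        off = data.find(marker)
        if off == -1:
            off = data.lower().find(marker.lower())
        if off == -1:
            continue
        result["api"] = label
        result["offset"] = off
        if marker == b"**CPG":
            m = VERSION_RE.search(data, off, off + VERSION_WINDOW)
            if m:
                result["version"] = m.group(1).decode("ascii")
        return result
    return result


def scan_file(path: str) -> dict:
    """Read a file from disk and run the marker scan over it."""
    with open(path, "rb") as fh:
        return identify_dongle_api(fh.read())


# Constructed sample images (not real executables), padded with NUL bytes.
SAMPLE_HARDLOCK = (
    b"\x00" * 64
    + b"**CPG_HK_AK_HV_MAZ_GBS_TS*15-Nov-1995*V3.50**"
    + b"\x00" * 16
)
SAMPLE_HASP = b"MZ" + b"\x00" * 30 + b"haspdosdrv" + b"\x00" * 8
SAMPLE_NONE = b"MZ" + b"\x00" * 48


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Usage: python scan.py <file>
        print(scan_file(sys.argv[1]))
    else:
        for name, blob in (("hardlock", SAMPLE_HARDLOCK),
                           ("hasp", SAMPLE_HASP),
                           ("none", SAMPLE_NONE)):
            print(name, identify_dongle_api(blob))
```

Run it with a path to scan a real file, or without arguments to see the three constructed samples classified; the lowercase 'haspdosdrv' sample shows the case-insensitive fallback working.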

DakienDX
December 10th, 2001, 12:16
Hello octapus !

The Hardlock API uses .LIB and .OBJ files. This means they're linked into the program at link time. An archive called API.ZIP should be available at Aladdin (1.6MB), as well as some more examples. I would suggest the ASM.ZIP (75KB), too. It is only for DOS real and protected mode, but in my opinion it is the easiest way to see the implementation of the API (also HLOCKAPI.ZIP, 100KB). You can also read MAN_?.ZIP, where '?' is the language you need (should be on their FTP). The API manual gives good information about the names of the linked functions and their parameters.

Sorry if I said that this must be Hardlock, but I've never done anything with HASP and the drivers say that they're for Hardlock. The diagnostics program supports HASP, but I didn't know that this is done through the same drivers.

MTB
December 10th, 2001, 20:53
Octapus,
Since you state the program was for download, please post the location; I will give it a quick look.

If it has an easy implementation, I will give it a go with you. Note most implementations of dongles are lame and lamer. I actually find it harder to reverse shareware stuff! This target probably is easy, especially if it lets you run for 14 days before it even looks for it.

I suggest you try finding a document by "Frog's Print" named "Dongle Bashing end of an Era". It's been out for a long time and not much changes.

MTB

octapus
December 11th, 2001, 04:55
The URL is www.liftdesigner.com

Now yesterday, before DakienDX replied, I did a check on the Internet for Hardlock. I found this site:

ftp://ftp.aladdin.de/pub/hardlock/

And I downloaded c.zip (larger than 1 MB), since my program is made in C++. I didn't have the chance to get asm.zip because the connection was closed (I know it was a very small file). But I found
hlw32_mc.lib (for Microsoft Visual C++) and
hlvdd.lib

I made signature files out of them, but they didn't recognize any function. I also searched for the text "hlvdd" and "hardlock.vxd" inside with IDA but didn't find anything. In fact I didn't let it finish, because it was almost at the end and hadn't found anything.

Since I too thought that there must be something much easier than what its protection implies, I did a little work. I found the MessageBoxA which says something like "Hardlock not found"; it's not exactly the same. If I went up about 100 lines I found a jne which passes this call that has the MessageBoxA inside, but instead a dialog shows up asking for some password, seed, I don't even remember.

And something strange: the MessageBoxA shows up only once. After that, no matter how many times you run it, it doesn't show up. Maybe, after all, this is an easy protection. I really don't have much time this week. But when I find something I will post a reply.

cah
December 19th, 2001, 12:01
To all dongle reversers,

How does one duplicate HASP dongle hardware? Is there any material available on this subject?

Thanks in advance

cah...

lixus
December 20th, 2001, 21:12
Hey octapus.

I had a quick look at the target and found some things that may be of some importance.

This program uses the Hardlock API as a part of the protection scheme.
I found that the following three Hardlock high-level APIs are used:

HL_LOGIN : address 00401328
HL_CODE : address 004012E1
HL_LOGOUT : address 00401027

With these parameters:

HL_LOGIN(28305, 1 (LOCAL_DEVICE), nothing, nothing)
By nothing I mean 8 zero bytes.
If REFKEY and VERKEY are zeroed, they are not used.

HL_CODE("LIFTHDLK", 1)

HL_LOGOUT()

All three used in a function at address: 006B9000

If these three Hardlock API calls return eax = 0,
you will pass this call. If not, you get the "No Hardlock found" message.

So, to make this work without a dongle, just make those calls return eax = 0.
If you pass, a little dialog shows up. I think this was the dialog to which you referred
with the "seed" codes or whatever...

It has three edit boxes.

Serial number:
Expiration:
Authorization code:

It also has a label with the text "Hardlock NO: xxxxxxxx".
And the OK button is disabled if the "right" values are not entered.

If the dialog box refuses to show up, then try deleting the last lines in the ld30.ini file and restart the app.
In my ini file they look something like this:

[AUTORxxxxxxxxxxx]
SOme value:Some value= Some text

Anyway, I found some values that made the OK button enabled, but when I clicked it
a message box came up with some text like "Bad authorization code".
I didn't have any time to reverse this further, so I decided to stop there, sorry.
All I can say is that I think the values supposed to be written in those edit
boxes have something to do with the validation of the program modules, because I tried
to set the expiration to zero and then all the modules became invalid.

About the HL_CODE call...
The 8 bytes "LIFTHDLK" are supposed to be encrypted with this call.
I couldn't find any check on those bytes close to this call.
And I haven't really tried to find out whether the rest of the protection code uses the
encrypted return bytes from this call. I patched the modid in the exe to fit a Hardlock dongle of mine.
Then I let the program run, and the
little dialog asking for some values showed up.
So it worked that far. Maybe the encrypted bytes are used later in the code that checks if the
authorization code is correct; I don't know yet. Anyhow, good luck with this target.

I hope this information will help you.

/lixus

lixus
December 20th, 2001, 22:10
The returned encrypted bytes are used to produce the number displayed as the
"Hardlock no:" in the serial/expiration/auth code dialog.

.text:006B90CA lea eax, [esp+1E0h+var_1C0] ; Address to buffer to be crypted
.text:006B90CE push 1 ; Indicates that only one 8 byte block
.text:006B90D0 push eax ; is to be crypted from the buffer
.text:006B90D1 xor esi, esi
.text:006B90D3 call HL_CODE
.text:006B90D8 add esp, 8
.text:006B90DB test ax, ax ; If ax = 0 then everything is fine
.text:006B90DE jz short loc_6B910E ; Next HL_LOGOUT

.....

.text:006B911D mov edx, [esp+1E0h+var_1C0+3] ; Now crypted bytes
.text:006B9121 mov eax, [esp+1E0h+var_1C0+2] ; ..
.text:006B9125 mov ecx, [esp+1E0h+var_1C0+1] ; ..
.text:006B9129 and edx, 0FFh
.text:006B912F push edx
.text:006B9130 mov edx, [esp+1E4h+var_1C0] ; ..
.text:006B9134 and eax, 0FFh
.text:006B9139 push eax
.text:006B913A and ecx, 0FFh
.text:006B9140 push ecx
.text:006B9141 and edx, 0FFh
.text:006B9147 push edx

.text:006B9148 push offset aDDDD ; "%d%d%d%d"
.text:006B914D push offset unk_93BF50
.text:006B9152 call _sprintf

As you can see here, the first 4 encrypted bytes in the 8-byte buffer are converted
to decimal. This decimal value, stored at offset 0093BF50, is the Hardlock no.
It's later used in the code that checks the dialog input.

/ lixus

octapus
December 21st, 2001, 16:54
Thank you for your truly helpful comments on this target, lixus.

LYOKO
February 12th, 2008, 22:32
Dear sirs,

I used Olly to dump the HASP-protected DLL file
(I already used StudPE to change it to an exe file).
But after I dumped it and used ImpREC to rebuild the IAT, ImpREC cannot get the imports because the original file, after finishing, automatically shuts down the process, so that I cannot do anything with ImpREC.

Can anybody give me a hand?

Thanks in advance

JMI
February 13th, 2008, 00:56
Why are you dragging up this 7-year-old thread when YOU clearly haven't actually READ THE FRIGGIN FAQ!!!

Go read the FAQ, then YOU tell us what searching, both here and on the net, you have done to try to solve YOUR problem.

For example, have you done any searching on "why" ImpREC might shut down the process? Have you done ANY research on WHY ImpREC might have problems with a HASP-protected DLL, or do you just want someone here to hand you the answer to your problem?????

Regards,