Thread: Unpacking HASP HL 2.x

  1. #1

    Unpacking HASP HL 2.x

    I have a program that is packed using HASP-HL 2.x envelope. I have successfully extracted the key from dongle and emulated it using Multikey (with help from some good folks at So emulation is *NOT* an issue.

    Since I have some time on hand, I want to get rid of the HASP envelope altogether. I have not been successful so far and would appreciate some pointers. Here is what I have till now,

    1. Hardened the OllyDbg by renaming OllyDBG exe and also changing references inside it. Installed Phantom & Anti-debugger detection plugins.
    2. Ensured the protected app runs perfectly under debugger
    3. Extracted OEP. Confirmed using ImpRec that the IAT is being redirected.
    4. Patched a specific 'JE' instruction in the .protect section to disable IAT redirection
    5. Rerun app & confirm using ImpRec that IAT redirection is disabled now. Around 200+ functions are properly detected.
    6. Dump exe & fix IAT. The dumped exe works but only with the dongle connected. I am unable to remove the .protect section. If removed, the dumped exe does not start.

    As is obvious, now I have a dumped exe with an actual entry point in the .text section of my exe instead of the .protect section. But apparently it still tries to do HASP calls. I tracked this using a HASP logger. My attempts to trace this call (for example the HASP init/login) in the code section are taking me in circles and I am finding it very hard to pinpoint the exact calls. Also, calls are being made into a specific address in the .protect section from several locations in the .text section. Again, tracing these calls is proving to be difficult. A simple 'RETN' assembled at the specific address in the .protect section crashes the application with an 'invalid memory access' error.

    Please refer to the attached pix. It shows my application stopped at the OEP (0079E716) and the code that I modified at 00AE909D in the main window and the IAT table as read by ImpRec. As can be seen, only one address 00AE91B7, as a part of kernel32.dll, remains unresolved. This address is in the .protect section and is the same address referred to in the last but one para of my original post. I am guessing that this is a second type of redirection. But I have been unable to prevent/correct this redirection or get any clues by monitoring writes to the VA (0087B304) in the IAT containing 00AE91B7.

    Does anyone have any suggestions on way forward?

    PS: I have followed a couple of tutorials claiming unpack for HASP-HL v1.x. But they don't seem to work in my case.
    1. HASP HL Envelope 1.x (Unpacking)
    2. Cracking HASP By Koudelka
    Last edited by merags; April 26th, 2011 at 16:49.
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  2. #2

    As Above

    Am I correct in assuming you wish to figure out which exported API in kernel32.dll this unresolved address in ImpRec refers to?

    If you are NOT looking for this, then perhaps you could clarify a bit more on what you want, as I could have possibly missed it.

    Have Phun
    Blame Microsoft, get l337 !!

  3. #3
    Never mind..looks like it is too complicated..Thanks for taking time to go through my long post!

    I promise that I have read the FAQ and tried to use the Search to answer my question.
