
Thread: For CrackZ/HypnoticZ/TNT the hasp prot prog

  1. #1
    hack3r2k
    Guest

    Hasp protected program (CrackZ/HypnoticZ/TNT need more help)

    Hey !

    Things that I found till now:

    pass1 - 2b83 (can I do anything with it?)
    pass2 - 618f (idem)
    seed - 0 ??? kinda impossible
    port - 0 ??? this one too

    It uses the hasp API because I found the HASPDOSDRV string inside the program.
    Seems to be a TimeHasp or Hasp-Time because it uses function 47.

    Of course I tried to crack it!

    All I did was reverse some jumps after some checks, before the dialog box shows (MessagePopup API), but the reason I reopened this subject is that the program doesn't seem to work the way it should.

    So all I'm asking is for help to crack it right.

    Best regards,
    .:hack3r2k:.

    file (2.55MB)

    ://sagemboard.web1000.com/telech.zip

    best regards,
    hack3r2k
    Last edited by hack3r2k; June 11th, 2002 at 22:11.
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  2. #2
    goatass
    Guest
    Just changing jumps to avoid a message box will not correctly crack the program. Many times the program reads stuff from the dongle and uses it for something; if the correct bytes are not read, then the program doesn't run right.

    Try to find the Hasp APIs and emulate them so they will return the correct values.

    goatass
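    The point goatass makes above (the program reads bytes from the dongle and uses them, so a flipped branch is not enough) is also the lesson for anyone designing such a check. The C below is an added illustration written for this page; it is not code from this thread, from the program under discussion, or from the HASP SDK. It contrasts a feature gated by a single presence test with one whose settings are XOR-encrypted under a key read from a constructed 512-byte dongle image (the TimeHasp size quoted later in the thread). The cell index 0x10, the key bytes, the "CFG1" tag and the settings string are all made up for the example, and read_block is a stand-in for a real ReadBlock service.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define DONGLE_BYTES 512   /* TimeHasp memory size quoted in the thread */
#define KEY_CELL     0x10  /* hypothetical cell where the product key is stored */
#define KEY_LEN      8
#define CFG_LEN      23    /* "CFG1" tag + the 19-byte settings string */

/* Constructed sample of what a genuine key's memory might hold; not real HASP data.
   Every key byte is non-zero so that a zero-filled answer can never match. */
static const uint8_t genuine_mem[DONGLE_BYTES] = {
    [KEY_CELL + 0] = 0x3C, [KEY_CELL + 1] = 0xA7, [KEY_CELL + 2] = 0x19, [KEY_CELL + 3] = 0xE2,
    [KEY_CELL + 4] = 0x5B, [KEY_CELL + 5] = 0x80, [KEY_CELL + 6] = 0xC4, [KEY_CELL + 7] = 0x2F,
};

/* What an emulator that answers every service with zeros hands back (constructed). */
static const uint8_t zeroed_mem[DONGLE_BYTES] = {0};

/* Stand-in for the dongle's ReadBlock service: copy `len` bytes starting at `cell`.
   Returns 0 on success, -1 if the request runs past the end of dongle memory. */
static int read_block(const uint8_t *mem, size_t cell, size_t len, uint8_t *out)
{
    if (cell + len > DONGLE_BYTES)
        return -1;
    memcpy(out, mem + cell, len);
    return 0;
}

/* Weak design: one presence test gates the feature and the settings live in the binary.
   Inverting the branch on `present` is all it takes to get the settings out. */
int weak_unlock(int present, uint8_t out[CFG_LEN])
{
    if (!present)
        return -1;
    memcpy(out, "CFG1PORT=COM1;BAUD=9600", CFG_LEN);
    return 0;
}

/* Build-time step the vendor would run once against a genuine key: XOR the settings
   with the key bytes so that only the blob, never the plaintext, ships in the program. */
int build_blob(const uint8_t *mem, uint8_t blob[CFG_LEN])
{
    const char *plain = "CFG1PORT=COM1;BAUD=9600";
    uint8_t key[KEY_LEN];
    if (read_block(mem, KEY_CELL, KEY_LEN, key) != 0)
        return -1;
    for (size_t i = 0; i < CFG_LEN; i++)
        blob[i] = (uint8_t)((uint8_t)plain[i] ^ key[i % KEY_LEN]);
    return 0;
}

/* Stronger design: the program needs the key bytes to recover its settings and can tell
   a wrong answer from a right one by the "CFG1" tag. A patched branch or a zero-filled
   emulator yields the wrong bytes, so the feature still fails. Returns 0 on success. */
int strong_unlock(const uint8_t *mem, const uint8_t blob[CFG_LEN], uint8_t out[CFG_LEN])
{
    uint8_t key[KEY_LEN];
    if (read_block(mem, KEY_CELL, KEY_LEN, key) != 0)
        return -1;
    for (size_t i = 0; i < CFG_LEN; i++)
        out[i] = (uint8_t)(blob[i] ^ key[i % KEY_LEN]);
    return memcmp(out, "CFG1", 4) == 0 ? 0 : -1;
}

int main(void)
{
    uint8_t blob[CFG_LEN], out[CFG_LEN];
    build_blob(genuine_mem, blob);
    printf("genuine key: %s\n", strong_unlock(genuine_mem, blob, out) == 0 ? "settings recovered" : "failed");
    printf("zeroed emulator: %s\n", strong_unlock(zeroed_mem, blob, out) == 0 ? "settings recovered" : "failed");
    return 0;
}
```

    With the genuine image the settings decrypt and the tag matches; with the zero-filled image the same code path runs to completion and still fails, which is exactly why redirecting the calls to an emulator that returns the right data, rather than reversing a jump, is what the thread converges on.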

  3. #3
    hack3r2k
    Guest

    Emulation routine, more details!

    Hey !

    I started to write an emulation routine for the prog above (it uses services 1, 5 and 71).

    ;GetTime -=function 71=- emulation
    sub esp, sizeof(SYSTEMTIME)
    push esp
    call GetLocalTime
    xor eax, eax
    xor ebx, ebx
    xor edx, edx
    mov ax, word ptr [esp+SYSTEMTIME.wSecond] ;second
    mov bx, word ptr [esp+SYSTEMTIME.wMinute] ;minute
    mov dx, word ptr [esp+SYSTEMTIME.wHour] ;hour
    xor ecx, ecx ;all things went ok !
    add esp, sizeof(SYSTEMTIME)

    Is this OK for 71?

    The 1 and 5 code I will not post because it's easy to emulate...

    The problem is that I don't know for sure if I must redirect all 'call _hasp' to 'call _emurutine'...

    And there's another problem... if I put this code in some DLL, will it work?

    I mean instead of call _hasp, do a call to the emulation routine from the DLL.

  4. #4
    Hiya,

    My findings seem to disagree (a little) with yours.

    I found it calls IsHasp(), HaspStatus() and then HaspID(), services 1, 5 & 4Eh respectively. Actually you may be right that it calls other TimeHASP related services after this or 47h if you change the HaspStatus() return to TimeHASP-4 (didn't actually experiment with that), since I got some annoying message box about missing files when my drivers emulated the first 3 services.

    PWD1 = 2B83
    PWD2 = 618F (we agree).

    Remember, the seed is only relevant to a handful of HASP() functions.

    The HASP() routine is inside telechtest.exe (4065A0) & telechomm.dll (1000322C).

    Your emulation routine looks OK to me, I don't know why you don't use the shorter movzx overrides though when accessing the SYSTEMTIME structure, rather than zeroing EAX/EBX/EDX and then moving ;-).

    This program uses basic HASP API so patching an emulation routine in the aforementioned places should be sufficient.

    Regards

    CrackZ.

  5. #5
    hack3r2k
    Guest

    Hey!

    I forgot to tell you that telechtest.exe must be executed from the command line.

    ex. telechtest some_file.bis ? ? and another 2 params that seem not to work, respectively COM port nr and baud rate.

    Anyway, you didn't tell me if I must redirect all call _hasp to my emulated routine...

    I'll post my full emulation here when it's ready...

    Do you have an email where I can contact you (hotmail? if so maybe we can meet on MSN Messenger to talk more)

    best regards,
    .:hack3r2k:.

  6. #6
    goatass
    Guest
    It is recommended that you redirect all call _hasp routines to your emulation routine; this way you can manipulate the return values of any of the services. Say you run the program and find out that after an hour it calls a service that was not emulated. It would be easier to go directly to your code and emulate this service. Just as a good measure, you want to be able to say that you covered all your bases.

    goatass

  7. #7
    hack3r2k
    Guest

    Almost there??? Ummm... or maybe not!

    Yo !

    Thank you for helping me CrackZ and goatass !

    This is my full emulated routine, but there's something wrong with it!!!

    ;92 bytes emulation routine

    cmp bh, 1h ;IsHasp()
    jnz next_1 ;ummm nope
    xor eax, eax ;make it 00000000h
    ret ;return after call hasp
    next_1: ;Let's try something else
    cmp bh, 5h ;HaspStatus()
    jnz next_2 ;ummm nope
    mov eax, 0h ;Other hasp ...
    mov ebx, 3h ;I think ... TimeHasp
    mov ecx, 1h ;Port number
    ret
    next_2:
    cmp bh, 47h ;GetTime()
    jnz next_3
    sub esp, 10h
    push esp
    db 255, 15h, 1Ch, 70h, 44h, 00h
    ;alias call dword ptr [0044701Ch] section
    ;.import from telechtest.exe/GetLocalTime api
    ;it's fu**in' hard to fit the code to your
    ;needs but not impossible
    movzx eax, word ptr [esp+0Ch] ;second
    movzx ebx, word ptr [esp+0Ah] ;minute
    movzx edx, word ptr [esp+08h] ;hour
    xor ecx, ecx ;all things went ok !
    add esp, 10h
    ret
    next_3:
    cmp bh, 4Eh ;HaspID()
    jnz next_0
    mov eax, 0h
    mov ebx, 0h
    xor ecx, ecx ;Yeah we have hasp v0.0 !!!
    ret
    next_0:
    xor eax, eax
    xor ebx, ebx
    xor ecx, ecx
    xor edx, edx
    ret

    I added this routine in the .hasp section (a section I added) of telechtest.exe, and it uses the GetLocalTime API added in the .import section of the .exe.

    After I redirected all 11 calls to my emulated routine I discovered, when I executed the exe, the same fucking, stupid message box!!!

    Ummm... I said to myself, I think that I forgot to emulate somethin', so I put a break in my emu routine and I discovered that 'bh' had the value 20H, but I didn't find any info in my haspman about how I can emulate it...

    Maybe somethin' in my emu routine is emulated WRONG???

    Is the emu routine OK???

    I attached here the patched exe and the binary form of my hasp routine!

    All I can say now is... HELP!!!!!!!!

    New section added to telechtest.exe:

    .imports -> GetLocalTime api added
    .hasp -> The emulation routine

    best regards,
    .:hack3r2k:.

    http://sagemboard.web1000.com/Telech+hasp_emu.zip (click on the bottom link) -> Contains the patched exe and hasp emu in binary form

  8. #8
    ZenLoren
    Guest
    Hi

    cmp bh, 1h ;IsHasp()
    jnz next_1 ;ummm nope
    xor eax, eax ;make it 00000000h
    ret ;return after call hasp

    IsHasp() should return 1, not 0.
    Try rectifying it & check.

    Regards
    zenloren

  9. #9
    hack3r2k
    Guest

    LOL! Silly mistake, but the problem still remains the same!

    Hi! (thanx ZenLoren)

    I repatched the program so it returns 1 at the IsHasp() call, but it still doesn't work!

    http://sagemboard.web1000.com/Telech+hasp_emu.zip (click on the bottom link) -> Contains the patched exe and hasp emu in binary form

    CrackZ, don't let me down now!!!

  10. #10

    to hack3r2k

    see your PM

    regards HypnoticZ

  11. #11
    Bah!.

    I got screwed by the msgboard here and logged out automatically, reply lost ;-).

    Anyway, the gist of what I said, was something like make sure you redirect the call haspreg() to your new code (address 4065D6), it sounded to me like you were redirecting at the xref level and hence BH wasn't getting the service code loaded.

    The emulation routine was fine, IsHasp() does clear EBX/ECX/EDX and ECX's return for HaspStatus() should be 66h (EDX=driver version), but 1 shouldn't make much difference. Also, general point, avoid sending back 0:0 for HaspID if you can, some programs do not like it ;-).

    Regards and contact me if you want any further assistance.

    CrackZ.

  12. #12
    hack3r2k
    Guest

    Hey HASP, are u sure that u deserve the rating 6/10??? (LOL)

    Hi there HypnoticZ/TNT/CrackZ !

    I wrote a function called HaspServicesSpy that, called instead of haspreg(), is able to display in a message box which service the program tried to execute.

    So I discovered that the program executes the following services:

    1h
    5h
    47h
    4eh
    49h
    4dh
    4ch

    I inserted the emu routine and all functions work OK, except WriteBlock/ReadBlock, which I don't know for sure how to emulate, so it gives "locked key", and that's because I don't know how much mem (bytes) it requires!!!

    BTW the dongle used by this prog is fuckin' strange because it uses services from TimeHasp and MemoHasp; can someone explain to me how that's possible??

    best regards,
    .:hack3r2k:.

    thanx CrackZ, HypnoticZ/TNT (Yep ! that was my problem ! now works)

  13. #13
    goatass
    Guest
    The dongle is a TimeHasp dongle, this dongle has both time and memo hasp routines in it just like the NetHasp has net and memo routines in it.
    To emulate the read and write calls you need to do something like this:

    push ebp
    call eip+5
    pop ebp ;get delta offset into ebp
    add ebp, 20h ;puts you at the start of your dongle data(number varies)
    mov ecx, esi ;puts length of block in ecx
    lea esi, [ebp+eax] ;address to your dongle data, eax=cell#
    repz movsw ;edi is the return buffer
    pop ebp
    db 0000 1111 2222 3333 4444

    Something along these lines; you have to play with it a bit to get it to work for you correctly.
    To emulate the write routine, just switch the read and write buffers.

    p.s. TimeHasp has 512 bytes of memory

    hope that helps.


    goatass
    Last edited by goatass; June 14th, 2002 at 23:22.

  14. #14
    hack3r2k
    Guest

    Didn't help much... I need to understand first how it works

    Now I need some more info about ReadBlock!!!

    Let's suppose that hasp emu mem is like this:

    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    ---------------------------------------------------------------
    BH -> 77
    DI -> 7; start address?? what does this mean regarding the hasp mem above??
    SI -> 2; block length?? this means that it wants to read 2 bytes??
    AX -> F918; buffer offset?? what's this??? like the start reading position??? isn't that too big for a timehasp with 512 bytes of mem???

    btw, is edi a pointer to a buffer that contains the values read, or does it contain the values (like 00000000h after reading 2 bytes??)

    Can u explain how this function works???

    Hey CrackZ/goatass please explain to me!!! (I can't code if I don't understand how it works....)

    best regards,
    .:hack3r2k:.
    Last edited by hack3r2k; June 17th, 2002 at 12:14.

  15. #15
    hack3r2k
    Guest

    Sorry for disturbing... again

    Can anyone answer my question above? (the one about the ReadBlock stuff)

    Does anyone know what service 68 does?? I didn't find any info in the hasp manuals!


    best regards,
    .:hack3r2k:.
