1 The HASP-HL Crack Solution
HASP-HL is the current protection hardware by Aladdin Knowledge Systems. This document explains how to crack and bypass the security of HASP-HL, marketed as “the Next Generation of Software Protection”.
2 HASP-HL Envelope
The envelope encryption is done via a graphical user interface as shown in Figure 1. The encryption options are set by default to provide a high level of security. The selection of additional options (more encryption/anti-debug modules, detection of user-mode and system-mode debuggers) has no influence on the analysis and mainly increases the size of the resulting executable and the startup time. During the analysis there were no noticeable effects of the additional settings.
Figure 1 Automatic encryption window of HASP-HL
The encryption itself covers code and data. Resources are not encrypted even if the resource section is included in the list of sections to be encrypted. The Import Address Table (IAT) is encrypted and some APIs are redirected to the security engine (see also the detailed list of the 633 redirected APIs in the appendix). For the runtime check a separate thread is started. Anti-debugging measures are in place, mainly active at program startup. Once the security engine has decrypted the program, the program can be dumped to disk. After the IAT of the dump is restored and the entry point of the dump is reset to the Original Entry Point (OEP), the executable runs without the HASP-HL dongle.
2.1 Locating the Original Entry Point (OEP)
The OEP can be located using the standard hacker tool OllyDbg. Due to anti-debug measures some hardening of the debugger is required.
2.1.1 Installing OllyDbg and the necessary plugins
OllyDbg is copied into a separate directory; no dedicated installation is necessary. OllyDbg can be obtained from various websites, including its homepage:
www.ollydbg.de/
The current version 1.10 is the preferred version.
To analyze HASP-HL it is necessary to install two plugins into OllyDbg: IsDebuggerPresent and OllyDump. The plugins are available from:
/stuph/
The plugins are simply copied into the same directory as OllyDbg.
2.1.2 Hardening OllyDbg
OllyDbg will be recognized by one of the several text references to OllyDbg inside the code. The usual way to evade this kind of debugger detection is to replace all occurrences of the string OllyDbg inside the executable with something else of the same length (a replacement of a different length would shift every byte that follows it and corrupt the file). The filename of the executable should also be changed to this alternate name. Due to the structure of the plugins it is necessary to keep an original copy of OllyDbg in the same directory as the modified version. The string replacement can be done with any usual hex editor.
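The same-length string replacement described above, as an added Python example (not part of the original document; the marker name, replacement name and sample bytes are chosen for illustration). It enforces the equal-length rule a hex editor enforces implicitly, and returns the offsets it patched so they can be reviewed in the hex editor afterwards:

```python
def find_all(data, marker):
    """Offsets of every exact occurrence of marker in data."""
    offsets = []
    pos = data.find(marker)
    while pos != -1:
        offsets.append(pos)
        pos = data.find(marker, pos + len(marker))
    return offsets


def replace_marker(data, marker, replacement):
    """Replace every occurrence of marker with a same-length replacement.
    Returns (patched_bytes, offsets). Refuses a replacement of different
    length: a shorter or longer string shifts everything that follows it."""
    if len(marker) != len(replacement):
        raise ValueError("replacement must have the same length as the marker")
    offsets = find_all(data, marker)
    patched = data.replace(marker, replacement)
    # The file size must be unchanged; anything else means offsets moved.
    if len(patched) != len(data):
        raise RuntimeError("size changed during replacement")
    return patched, offsets


# Constructed stand-in for an executable: an MZ stub followed by two
# "OllyDbg" strings such as the detection code looks for (made-up bytes).
SAMPLE = (b"\x4d\x5a\x90\x00" + b"\x00" * 28
          + b"OllyDbg\x00"
          + b"Window class: OllyDbg\x00"
          + b"\xcc" * 8)


def patch_file(path, marker=b"OllyDbg", replacement=b"MyDebug"):
    """Patch a copy of the debugger on disk; write to <path>.patched so the
    original stays in the directory, as the plugins require."""
    with open(path, "rb") as f:
        patched, offsets = replace_marker(f.read(), marker, replacement)
    with open(path + ".patched", "wb") as f:
        f.write(patched)
    return offsets


if __name__ == "__main__":
    out, offs = replace_marker(SAMPLE, b"OllyDbg", b"MyDebug")
    print("patched %d occurrence(s) at offsets %s" % (len(offs), [hex(o) for o in offs]))
```

The replacement name "MyDebug" is an arbitrary seven-character string; the new filename of the debugger must match whatever string is chosen here.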
2.1.3 Setting the options
Start the hardened OllyDbg (here for simplicity still referred to as OllyDbg) and choose Options / Debugging Options from the menu. In the options dialog select the SFX tab and enable “Extend code section to include extractor”, “Stop at entry of self-extractor”, and “Pass exceptions to SFX extractor” as shown in Figure 2.
Figure 2: OllyDbg SFX Dialog
As shown in Figure 3, in the Exceptions tab select nearly everything that can be selected. This disarms some of the anti-debugging tricks that rely on illegal opcodes, illegal memory accesses, and similar deliberately raised exceptions.
Figure 3: OllyDbg Exceptions Dialog
2.1.4 Tracing the OEP
Now load the protected application into the debugger using File / Open from the menu. Be sure to have the original HASP-HL dongle attached to the computer when loading the program. After a short analysis and two warnings about compressed or encrypted code, the debugger should halt at the entry point of the application (the entry point of the protection stub, not yet the OEP). Turn on debugger hiding by selecting “Plugins / IsDebuggerPresent / Hide”. Alternatively you can set “autohide” in the Options menu of the IsDebuggerPresent plugin. Switch to the hexdump section and go to the address of “ExitProcess” in Kernel32. To go to this address use “<Ctrl> G” or the context menu; the entered expression is case sensitive. Select the left topmost byte with the left mouse button, then set a hardware breakpoint by right-clicking and choosing “Breakpoint / Hardware on write / Byte”. Now run the program with <F9> until it hits the breakpoint. Switch to the memory window by hitting “<Alt> M” or selecting “View / Memory” from the menu and highlight the code section (usually named “text”) of the protected program by left-clicking it. Set a breakpoint on the section with <F2>. Your screen should look somewhat like Figure 4.
Figure 4: OllyDbg with breakpoint on code section
If you press <F9> (Run) now, the debugger will stop the program at the Original Entry Point (OEP). To get the entry point relative to the module start (the value ImpRec expects), the module base (the address of the PE header shown in the “Memory” window) has to be subtracted; in this case 1000000 (hexadecimal). This OEP is needed in the next steps. Please leave the window open as it is still needed for the dump.
2.2 Dumping the Executable
Once the program is halted at the Original Entry Point (OEP) it can be dumped to disk. To do this, right-click in the disassembler window and select “Dump debugged process”. A dialog pops up in which you can save the program to disk. Uncheck the “Rebuild Import” checkbox, as OllyDump's import rebuilding does not work correctly in this case. The entry point should be set automatically to the correct OEP; otherwise correct it. The other settings should be left at their default values.
2.3 Rebuilding the Executable
To rebuild the executable it is necessary to create a new Import Address Table (IAT). The original table has been destroyed by the encryptor, and the links are rebuilt at run time by the startup code of the protection engine. The rebuilding process can be handled with another standard hacker tool, Import Reconstructor (ImpRec).
2.3.1 Installing ImpRec
ImpRec can be obtained from a number of pages including
/mackt/projects/imprec/ucfir16f.zip
ImpRec does not require a dedicated installation. To install it copy it into an appropriate directory.
Be sure to select the option “Fix EP to OEP” in the Options menu (Figure 5).
Figure 5: ImpRec Options Menu
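What “Fix EP to OEP” does to the dump, together with the OEP subtraction from section 2.1.4, as an added Python example. This is not part of the original document and not ImpRec's code; the script builds a constructed, header-only PE32 image (only the 01000000 image base is taken from the text, the section layout and the stub entry point are made up), converts an absolute OEP from OllyDbg into an RVA, checks that it lies inside the .text section, and patches AddressOfEntryPoint in the optional header:

```python
import struct

# Constructed sample values (not from a real dump): the image base matches the
# 01000000 module base seen in OllyDbg; section layout is made up.
IMAGE_BASE = 0x01000000
TEXT_RVA = 0x1000
TEXT_SIZE = 0x20000
PE32_MAGIC = 0x10B
OPT_HEADER_SIZE = 224  # PE32 optional header including the data directories


def build_sample_pe(entry_point_rva):
    """Header-only PE32 image: DOS header, "PE\\0\\0", COFF header, optional
    header and one .text section header. Offsets follow the PE/COFF spec."""
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                  # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0,      # i386, 1 section
                       OPT_HEADER_SIZE, 0x102)             # executable, 32-bit
    opt = bytearray(OPT_HEADER_SIZE)
    struct.pack_into("<H", opt, 0, PE32_MAGIC)
    struct.pack_into("<I", opt, 16, entry_point_rva)       # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, IMAGE_BASE)            # ImageBase
    sect = bytearray(40)
    sect[0:5] = b".text"
    struct.pack_into("<II", sect, 8, TEXT_SIZE, TEXT_RVA)  # VirtualSize, VirtualAddress
    return dos + b"PE\0\0" + coff + opt + sect


def pe_header_offset(img):
    """Offset of the PE signature, validated via the DOS header."""
    if img[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    off = struct.unpack_from("<I", img, 0x3C)[0]
    if img[off:off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    return off


def optional_header_offset(img):
    return pe_header_offset(img) + 4 + 20  # signature + COFF file header


def read_image_base(img):
    opt = optional_header_offset(img)
    if struct.unpack_from("<H", img, opt)[0] != PE32_MAGIC:
        raise ValueError("not a PE32 image")
    return struct.unpack_from("<I", img, opt + 28)[0]


def read_entry_point(img):
    return struct.unpack_from("<I", img, optional_header_offset(img) + 16)[0]


def section_ranges(img):
    """Yield (name, virtual_address, virtual_size) for every section header."""
    pe = pe_header_offset(img)
    num_sections = struct.unpack_from("<H", img, pe + 6)[0]
    opt_size = struct.unpack_from("<H", img, pe + 20)[0]
    first = pe + 4 + 20 + opt_size
    for i in range(num_sections):
        hdr = first + 40 * i
        name = bytes(img[hdr:hdr + 8]).rstrip(b"\0").decode("ascii", "replace")
        vsize, vaddr = struct.unpack_from("<II", img, hdr + 8)
        yield name, vaddr, vsize


def oep_va_to_rva(oep_va, image_base):
    """The subtraction done by hand in 2.1.4: OEP address minus module base."""
    if oep_va < image_base:
        raise ValueError("OEP lies below the image base")
    return oep_va - image_base


def oep_in_code_section(img, oep_va):
    """Sanity check: the OEP must fall inside a section named .text."""
    rva = oep_va_to_rva(oep_va, read_image_base(img))
    return any(name == ".text" and va <= rva < va + size
               for name, va, size in section_ranges(img))


def fix_entry_point(img, oep_va):
    """Patch AddressOfEntryPoint to the RVA of oep_va (what "Fix EP to OEP"
    does). Refuses an OEP outside .text: usually a wrong base or a typo."""
    if not oep_in_code_section(img, oep_va):
        raise ValueError("OEP %#x is not inside .text" % oep_va)
    rva = oep_va_to_rva(oep_va, read_image_base(img))
    struct.pack_into("<I", img, optional_header_offset(img) + 16, rva)
    return rva


if __name__ == "__main__":
    dump = build_sample_pe(0x5000)  # 0x5000: the protection stub's entry (made up)
    print("entry point before fix: %#x" % read_entry_point(dump))
    print("patched RVA: %#x" % fix_entry_point(dump, IMAGE_BASE + 0x1234))
    print("entry point after fix:  %#x" % read_entry_point(dump))
```

On a real dump the same functions work on the file contents read from disk; the .text check catches the common mistake of entering the absolute OEP where the RVA is expected.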
2.3.2 Rebuilding the IAT
Do not forget to connect the dongle. Start the protected application and, once it is running, start ImpRec: if ImpRec is already running at program startup it is detected as a debugger.
Attach ImpRec to the running process by selecting the correct entry in the drop-down list.
Enter the OEP calculated above and hit the button “IAT AutoSearch”. The button “Get Imports” delivers the list of imported APIs, with some entries still invalid. To see the invalid entries hit the button “Show Invalid”. This should result in a list similar to Figure 6, with some entries (in this case 74) highlighted. As the following process might involve some iterations, hit “Save Tree” and store the results found so far in a text file. After restarting ImpRec and re-attaching to the executable, this file can be loaded using “Load Tree”.
Figure 6: ImpRec invalid entries
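What “IAT AutoSearch”, “Get Imports” and “Show Invalid” are doing, as an added Python example (not ImpRec's code and not from the original document). The module ranges, export addresses, engine region and the sample dump are all constructed for the example, and the search heuristic is a simplified version of ImpRec's: find the longest run of dwords that point into a loaded module or into the protection engine, resolve each thunk to an export, and flag the ones that do not resolve, which on HASP-HL are the redirected APIs:

```python
import struct

# Constructed 32-bit process: module ranges and export addresses are made up.
MODULES = {
    "kernel32.dll": (0x7C800000, 0x7C8F6000, {
        0x7C80AE30: "GetVersion",
        0x7C80AC28: "GetProcAddress",
        0x7C81CAFA: "ExitProcess",
        0x7C810637: "CreateFileA",
    }),
    "user32.dll": (0x7E410000, 0x7E4A1000, {
        0x7E4507EA: "MessageBoxA",
    }),
}
# Region where the security engine lives in the constructed process; thunks
# pointing here are the redirected APIs that "Get Imports" cannot resolve.
ENGINE_RANGE = (0x00B00000, 0x00B40000)


def lookup_export(ptr):
    """(module, export name) for ptr. name is None if ptr is inside a module
    but not at a known export; module is None if ptr is in no module."""
    for mod, (lo, hi, exports) in MODULES.items():
        if lo <= ptr < hi:
            return mod, exports.get(ptr)
    return None, None


def is_thunk_like(ptr):
    """A dword that could be an import thunk: into a loaded module or into
    the engine region that services redirected imports."""
    lo, hi = ENGINE_RANGE
    return lookup_export(ptr)[0] is not None or lo <= ptr < hi


def iat_autosearch(mem):
    """Simplified IAT AutoSearch: the longest run of thunk-like dwords in the
    dump, allowing single zero dwords (per-DLL separators) inside the run.
    Returns (rva, size_in_bytes) of the candidate IAT."""
    n = len(mem) // 4
    dwords = struct.unpack_from("<%dI" % n, mem)
    best_start, best_len = 0, 0
    i = 0
    while i < n:
        if not is_thunk_like(dwords[i]):
            i += 1
            continue
        j = i
        while j < n and (is_thunk_like(dwords[j]) or
                         (dwords[j] == 0 and j + 1 < n and is_thunk_like(dwords[j + 1]))):
            j += 1
        if j - i > best_len:
            best_start, best_len = i, j - i
        i = j
    return best_start * 4, best_len * 4


def get_imports(mem, iat_rva, size):
    """Get Imports: resolve every non-zero thunk in the IAT range to a module
    and export name; thunks that do not resolve are marked invalid."""
    entries = []
    for off in range(iat_rva, iat_rva + size, 4):
        ptr = struct.unpack_from("<I", mem, off)[0]
        if ptr == 0:
            continue
        mod, name = lookup_export(ptr)
        entries.append({"rva": off, "ptr": ptr, "module": mod,
                        "name": name, "valid": name is not None})
    return entries


def show_invalid(entries):
    """Show Invalid: the thunks that still need tracing or manual deselection."""
    return [e for e in entries if not e["valid"]]


def build_sample_dump():
    """Constructed dump: a stray API pointer in data at 0x100 (must not be
    mistaken for the IAT) and the IAT at 0x2000, whose first two thunks were
    redirected into the engine, as GetVersion and GetProcAddress are above."""
    mem = bytearray(0x3000)
    struct.pack_into("<I", mem, 0x100, 0x7C81CAFA)
    thunks = [0x00B01230, 0x00B01260,      # redirected: resolve only by tracing
              0x7C81CAFA, 0x7C810637, 0,   # kernel32 thunks, DLL separator
              0x7E4507EA, 0]               # user32 thunk, end of IAT
    struct.pack_into("<%dI" % len(thunks), mem, 0x2000, *thunks)
    return mem


if __name__ == "__main__":
    mem = build_sample_dump()
    rva, size = iat_autosearch(mem)
    print("IAT candidate: rva=%#x size=%d" % (rva, size))
    for e in get_imports(mem, rva, size):
        status = e["name"] if e["valid"] else "INVALID (%s)" % (e["module"] or "engine")
        print("%#06x -> %#010x %s" % (e["rva"], e["ptr"], status))
```

The invalid entries are exactly the thunks that point into the engine region rather than at an export; resolving them is what the trap-flag trace in the next step does, by following the redirect until execution lands in the real API.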
Now right-click on an invalid API and select “Trace Level3 (Trap Flag)”. ImpRec should now resolve the invalid APIs one by one. Eventually the protected application will terminate or ImpRec reports that it is “unable to initialize the tracer”. In this case save the tree again, exit ImpRec, restart the application, restart ImpRec, attach to the process, load the tree, hit “Show Invalid”, and manually deselect the first invalid entry (<Ctrl> <left click>) to stop ImpRec from trying to resolve this entry again. If you have to restart multiple times, successively deselect all problematic entries. With HASP-HL 1.20 there should be a maximum of 3 different problematic entries (out of several hundred redirected entries). The problematic entries are:
1. GetVersion
2. GetProcAddress