De-Hasping, zip cracking and other marvels
Advanced essays
A regular breakpoint won't fire because they've re-routed the interrupt. No problem. This has always seemed more of a minor nuisance than anything else because all you have to do is set a debug register breakpoint. So, 'bpmb CallHasp x' does the trick. The x indicates that it will break if the execution reaches that address. In other words, it's functionally equivalent to a regular bpx, but invisible to any anti-SoftICE tricks. Of course, you only get four debug register bps at a time, but I've always found that to be plenty.

For sure I understand now the curiosity that +ORC himself has repeatedly manifested for Quine (after having read Quine's first essay on IDA he ordered me to pass him at once all emails from Quine). This is definitely NOT FOR BEGINNERS! You better leave this alone if you're not an advanced cracker yourself (or a very 'steady' beginner cracker, prepared to invest A LOT of time and fatigue on your own advancing)... anyway, whoever you are... you better read (and follow) this essay MORE than a couple of times, believe me it is worth any minute you'll invest in it: you'll gain a WEALTH of incredible information! My respects and unconditional admiration to +Quine!
I'm a fan of good digital audio software. SoundForge is a nice example of such software, but it's been cracked black and blue. However, SoundForge takes plugins and there are some great plugins for it out there, most notably, those made by the waves corporation under the name Native Power Pack. The folks at waves have a demo version on their web site, but they also have an update to version 2.3. I thought I'd get the update and see how hard it would be to make it work. This was done as a casual thing. Little did I know what would come of it.
Well, the interesting thing here is that we're not actually going to crack this target. It would be very time consuming, it turns out, without the dongle (and what I hope to show in this essay is that there is a lot more cracking that can be done without a dongle than people think). The dongle used by Waves is a HASP dongle (a MemoHASP in particular) and I recommend taking a look at the essay by zafer on these dongles as well as getting some info from HASP's ftp site, which I'll explain in a moment. Rather than cracking this target, we're going to learn a lot about how HASP implements various aspects of their protection scheme and how, in particular, to break their envelope protection scheme, which is a full blown exe encryptor for Win32 that relies on the dongle for the decryption codes. The accomplishment of this essay will ultimately be a decryptor that works for *most* envelope protected files. The target itself, Native Power Pack (NPP), has already been cracked by one of those "warez" groups that call themselves Radium. They have done a good job, but they had the dongle (that takes away all of the fun....). However, having their crack enabled me to verify some hypotheses that otherwise would have been quite tedious to test. In no way have I copied their crack, nor has it really even been relevant to what I'm doing here. The only thing I benefited from in having their version was the ability to compare the encrypted code with the unencrypted code to see if I was getting it right. I'll point out where this happens along the way (actually, reading over this, I realize that I won't, but you can figure it out). If you're looking for Radium's version, well, don't ask me (or fravia+) but it's not that hard to find.
I think that takes care of the preliminaries, so let's start cracking. The NPP update is an InstallShield packaged for the web file. Running it you either get the message that you don't have the dongle installed or that you don't have the dongle drivers installed (you should download the drivers from waves' site and install them). Getting the installation to run successfully is not that hard and involves techniques that have been discussed extensively on this site, so I'll be brief. The trick is to find where the message box with the bad guy message comes from. One might guess that it's in the InstallShield script file, setup.ins (on this topic see the absolutely spectacular essay by natzgul on decompiling InstallShield scripts), but a quick search through that file doesn't turn up anything....
You'll probably be able to find this spectacular essay nevertheless.
The name on my site until 12 May 1998 was quine_h1.htm
It has been removed on Quine's request. Point.
A very crossed fravia+, 12 May 1998.
Well, Waves Native Power Pack would take a long time to crack without the dongle, but this may have just been dumb luck on their part. On the other hand, I got a lot farther cracking dongle protection without having the dongle than I thought possible. That was all I wanted anyway. I should mention now that there is still more work to be done with HASP envelope protection. I have not even looked at version 5 yet. Perhaps they have increased the length of the key, but I doubt it. Furthermore, it is not absolutely essential that the target link hasp32b.obj. It is possible, although my guess is that it would take a couple of weeks, to determine the key by hand. Between the highly predictable nature of the relocation table, the function names in the import table, the library routines and the fact that the code has to make sense, it would not be too hard (just very time consuming) to reconstruct the key. I suppose it's up to you to decide whether this is worth it. Also, there are three more functions called after the decryption is complete. These deal with fixing the relocation table (this is not necessary if you patch the PE header appropriately) and inserting dongle checks at appropriate places (again, my method wipes these out altogether) among other things. The only thing that's holding me back is that I'm having a hard time getting hold of any other envelope protected programs. If anyone knows where to get any on the web, please let me know. I'm dying to see how well the decryptor works. Only one test target is not enough.
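Both the remark that the relocation table is "highly predictable" and the "fixing the relocation table" step come down to the PE base-relocation format, so here is an added example (not code from the essay, and nothing to do with HASP's own format) that parses IMAGE_BASE_RELOCATION blocks, reports how regular they are, and applies HIGHLOW fixups to a constructed flat 32-bit image. It assumes RVA equals buffer offset and uses a made-up ImageBase of 0x00400000 for the sample.

```python
import struct

IMAGE_REL_BASED_ABSOLUTE = 0   # PE/COFF padding entry that 4-byte-aligns a block
IMAGE_REL_BASED_HIGHLOW = 3    # PE/COFF 32-bit absolute address, add the ImageBase delta

def parse_reloc_blocks(data):
    # Walk IMAGE_BASE_RELOCATION blocks: page RVA, block size, then 16-bit entries.
    blocks, pos = [], 0
    while pos + 8 <= len(data):
        page_rva, size = struct.unpack_from("<II", data, pos)
        if size == 0:                       # some linkers zero-terminate the table
            break
        if size < 8 or size % 2 or pos + size > len(data):
            raise ValueError("malformed relocation block at offset %#x" % pos)
        words = struct.unpack_from("<%dH" % ((size - 8) // 2), data, pos + 8)
        blocks.append((page_rva, [(w >> 12, w & 0xFFF) for w in words]))
        pos += size
    return blocks

def apply_relocations(image, reloc_data, delta):
    # Rebase a flat 32-bit image by delta; assumes RVA == buffer offset (simplification).
    out = bytearray(image)
    for page_rva, entries in parse_reloc_blocks(reloc_data):
        for typ, off in entries:
            if typ == IMAGE_REL_BASED_ABSOLUTE:
                continue
            if typ != IMAGE_REL_BASED_HIGHLOW:
                raise ValueError("unsupported relocation type %d" % typ)
            at = page_rva + off
            (val,) = struct.unpack_from("<I", out, at)
            struct.pack_into("<I", out, at, (val + delta) & 0xFFFFFFFF)
    return bytes(out)

def predictability(reloc_data):
    # The regularities that make a .reloc section easy to guess without seeing it.
    blocks = parse_reloc_blocks(reloc_data)
    entries = [e for _, es in blocks for e in es]
    fixups = [off for typ, off in entries if typ != IMAGE_REL_BASED_ABSOLUTE]
    return {
        "all_highlow": all(t == IMAGE_REL_BASED_HIGHLOW for t, _ in entries if t),
        "pages_ascending": [p for p, _ in blocks] == sorted(p for p, _ in blocks),
        "offsets_ascending": fixups == sorted(fixups),
    }

# Constructed sample (not from any real binary): one page at RVA 0x1000 holding
# three absolute pointers linked for ImageBase 0x00400000, plus one padding entry.
OLD_BASE, NEW_BASE = 0x00400000, 0x10000000
SAMPLE_RELOC = struct.pack("<IIHHHH", 0x1000, 16, 0x3010, 0x3020, 0x3100, 0x0000)
SAMPLE_IMAGE = bytearray(0x2000)
for _off, _target in ((0x1010, 0x1010), (0x1020, 0x1050), (0x1100, 0x1200)):
    struct.pack_into("<I", SAMPLE_IMAGE, _off, OLD_BASE + _target)
```

Calling apply_relocations(SAMPLE_IMAGE, SAMPLE_RELOC, NEW_BASE - OLD_BASE) rebases the three pointers to 0x1000xxxx while leaving every other byte untouched.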