Target: TypeEdit 4.3, protected with HASP HL. The dongle passwords for this software are 50DB and 5EFA.

1. Dump dongle key. Tools needed: original dongle, h5dmp.exe. Two files are generated:
• hasp.dmp
• hhl_mem.dmp
2. Making log. Tools needed: original dongle, Sataron haSploGer. Work with the protected program (all options, all menus) with the original dongle attached and make a log. The longer you work, the better. Save this log to a file. You need this file only if you need to make tables.

3. Convert dump to reg. Tools needed: HASPHL_MULTIKEY.exe. Provide this tool with the files obtained earlier: hasp.dmp and hhl_mem.dmp. You obtain a reg file for MultiKey (without tables). Import it into the registry. At this point I have this reg file:

REGEDIT4

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Multikey\Dumps\50DB5EFA]
"Name"=""
"DongleType"=dword:00000001
"Created"="19/02/2011 13:48:49"
"SN"=dword:12345678
"Type"=dword:000000EA
"Memory"=dword:00000001
"SecTable"=hex:0B,85,E6,E4,6D,E5,E4,E4
"NetMemory"=hex:00,00,00,00,00,00,00,00,00,00,FF,FF
"Option"=hex:00,01,02,4A,1F,01,13,01,0B,01,0C,31,06,00
"Data"=hex:\
20,20,03,00,03,04,02,C0,00,00,D9,D3,F4,DB,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,06,BC,01,00,00,00,D1,22,D8,09,36,20,55,6B,\
9E,12,F0,44,8A,66,FE,AF,4D,4F,1D,2D,00,00,00,00,\
76,5D,5E,42,00,00,00,00,00,00,04,00,00,00,00,82,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
57,42,50,54,01,00,00,00,10,00,00,00,00,00,28,B1,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
"ColumnMask"=dword:000000CB
"CryptInitVect"=dword:0000001F
4. Install MultiKey emulator (for HL, version 18.x.x is enough). From v19.x.x on, you need a license for each dongle used (for HL it is free, but for SRM it is not). Restart required.

5. Run protected program without the original dongle. If you see the message „Error 1031: Envelope unknown error”, you need to make pairs tables.
6. Making tables. Tools needed: PETools, HEX editor, LogsToTables.exe. Run the protected program. After you see „Error 1031: Envelope unknown error”, start PETools. You need to find the main .exe program. In some cases you also need to find other related .dll files. In this example I need to make tables first from gm.dll and then from DAO.exe. Dump gm.dll from memory: right-click on the gm.dll line, choose „Dump Full…” and save it. I saved it under the name Dumped1.dll.
From Narciszu © 2011
Open Dumped1.dll with HexEdit and search for the GetTickCount string. Your first 4096-byte block begins after the GetTickCount string plus another 8 bytes. Your selection must be exactly 4096 bytes long.
Save this selection in a file called block1.bin. Note and remember that this block begins with 7C9D. Continue to search for another occurrence of the GetTickCount string. If you do not find one, open block1.bin with LogsToTables.exe (the file type needs to be Bin files (*.bin)).
In Settings, ensure you selected Type Table: MultiKey 18.1.
Save this to a file, or press CTRL-A to select all and CTRL-C to copy it to the clipboard. Open your reg file and append these lines at the end. Don’t forget to replace XXXXXXXX in this line

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\MultiKey\Dumps\XXXXXXXX\DTable]

with your dongle password. In this case: 50DB5EFA. Your reg file looks like this (I cut some lines to limit the length of this tutorial; the first part is the same as above, and the end part must contain all the lines with the pairs found):

REGEDIT4

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Multikey\Dumps\50DB5EFA]
"Name"=""
"DongleType"=dword:00000001
. . .
"Data"=hex:\
20,20,03,00,03,04,02,C0,00,00,D9,D3,F4,DB,00,00,\
. . .
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
"ColumnMask"=dword:000000CB
"CryptInitVect"=dword:0000001F

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\MultiKey\Dumps\50DB5EFA\DTable]
"10:0293A7C64F8F9F3A5E6A13AE4A77A7B9"=hex:C7,27,D1,DB,B1,65,F4,D6,85,B8,25,20,46,80,59,D0
. . .
"10:FACC788B4356B121EA4DA32EFC9E403D"=hex:ED,51,87,2C,A4,38,69,BD,B5,9C,E1,68,07,AC,3E,83
"10:FC9CE26463C5FAF254CDC209CD950222"=hex:2C,D2,22,49,FE,DC,D5,21,22,E3,75,68,96,FE,91,1B
Now import it into the registry and restart MultiKey (restart.cmd). If you again see „Error 1031: Envelope unknown error”, repeat this whole step (6): start your application, start PETools, dump gm.dll from memory…
Search for GetTickCount. Look at the first 4 bytes of the block to be selected. If they are the same as in the previous one (7C9D), continue to search for the GetTickCount string. You could find something like this:
GetTickCount together with other clear text. This is not good; you need to continue searching. And voilà:
This block begins with other bytes: 2A49. Select the 4096-byte block, open it with LogsToTables.exe and make more pairs. Append them at the end of the reg file, import it into the registry, restart MultiKey and restart your app. If your application works, this step is over. If you again see „Error 1031: Envelope unknown error”, repeat this step.

If you don’t find different blocks, you need to look in other related files. In this case, you need to dump DAO.exe with PETools and repeat this step twice. In total you will find, in this case, 4 blocks with pairs: two in gm.dll and two in DAO.exe. You need to do this until you don’t find any new 4096-byte block.

Your pairs could be 10, 20 or 30 long. These 4096-byte blocks contain only the 10-long ones, like this:

"10:0293A7C64F8F9F3A5E6A13AE4A77A7B9"=hex:C7,27,D1,DB,B1,65,F4,D6,85,B8,25,20,46,80,59,D0
For the other ones, 20 and 30 long, you need to work with the log file made in step 2 with Sataron haSploGer. Open this log file with LogsToTables.exe. This time the file type needs to be Files Log (*.txt, *.log).
The result contains many pairs, but we are interested in those that are 20 and 30 long. All the 10-long ones that are important for us are already in the reg file.
Select all of them, append them at the end of your reg file, import it into your registry, restart MK … After that, your application should work … if you are lucky!
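From the defending side (licence-compliance audit or forensic triage of a workstation), the registry layout shown in this tutorial is itself the artifact to look for: a Dumps subkey named after the dongle passwords, optionally with a DTable subkey of pair values. The Python below is an added example, not part of the original tutorial or of any tool it names; it inventories such entries in an exported .reg file. The sample export, the ID AAAA0000 and the function names are constructed for illustration.

```python
import re
from collections import Counter

# Key path as shown in the page's reg file; matched case-insensitively.
DUMPS_KEY = r"HKEY_LOCAL_MACHINE\System\CurrentControlSet\Multikey\Dumps"

# Constructed sample export (placeholder ID and bytes, not from a real dongle).
SAMPLE = r'''REGEDIT4
[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Multikey\Dumps\AAAA0000]
"DongleType"=dword:00000001
"Data"=hex:\
00,11,22,33,\
44,55
[HKEY_LOCAL_MACHINE\System\CurrentControlSet\MultiKey\Dumps\AAAA0000\DTable]
"10:00000000000000000000000000000001"=hex:00,01
"10:00000000000000000000000000000002"=hex:00,02
"20:00000000000000000000000000000003"=hex:00,03
'''

def logical_lines(text):
    """Yield .reg lines with trailing-backslash continuations joined."""
    buf = ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):
            buf += line[:-1]
        else:
            yield buf + line
            buf = ""

def inventory(reg_text):
    """Map each emulated dump ID to its values and DTable pair counts."""
    found, current, in_table = {}, None, False
    for line in logical_lines(reg_text):
        if line.startswith("[") and line.endswith("]"):
            key, current, in_table = line[1:-1], None, False
            if key.lower().startswith(DUMPS_KEY.lower() + "\\"):
                parts = key[len(DUMPS_KEY) + 1:].split("\\")
                current = found.setdefault(
                    parts[0], {"values": {}, "pairs": Counter()})
                in_table = len(parts) > 1 and parts[1].lower() == "dtable"
            continue
        m = re.match(r'^"([^"]*)"=(.*)$', line)
        if m and current is not None:
            if in_table:  # value names look like "10:<hex>": count by prefix
                current["pairs"][m.group(1).split(":", 1)[0]] += 1
            else:
                current["values"][m.group(1)] = m.group(2)
    return found
```

Calling inventory() on a registry export returns one entry per dump ID found under the Dumps key; an empty result means no such key was present in the export.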
P.S. All the tools used can be found easily and are free. Many thanks to the guys who gave us these tools and the opportunity to take one step forward. Maybe one day we could do this with HASP SRM. Thanks again.