You are on page 1of 5

Target: TypeEdit 4.3 protected with HASP HL.

Dongle passwords for this soft are: 50DB and 5EFA. 1. Dump dongle key. Tools needed: original dongle, h5dmp.exe. Two files are generated: hasp.dmp hhl_mem.dmp. 2. Making log. Tools needed: original dongle, Sataron haSploGer. Work with the protected program (all options, all menus) with the original dongle attached and make log. Work long time is better. Save this log in a file. You need this file only if you need to make tables. 3. Convert dump to reg. Tools needed: HASPHL_MULTIKEY.exe. Need to provide to this tool the earlier obtained files: hasp.dmp and hhl_mem.dmp. You obtain reg file for Multikey (without tables). Import this into registry. Until this point I have this reg file:
REGEDIT4 [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Multikey\Dumps\50DB5EFA] "Name"="" "DongleType"=dword:00000001 "Created"="19/02/2011 13:48:49" "SN"=dword:12345678 "Type"=dword:000000EA "Memory"=dword:00000001 "SecTable"=hex:0B,85,E6,E4,6D,E5,E4,E4 "NetMemory"=hex:00,00,00,00,00,00,00,00,00,00,FF,F F "Option"=hex:00,01,02,4A,1F,01,13,01,0B,01,0C,31,06,00 "Data"=hex:\ 20,20,03,00,03,04,02,C0,00,00,D9,D3,F4,DB,00,00,\ 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\ 00,00,06,BC,01,00,00,00,D1,22,D8,09,36,20,55,6B,\ 9E,12,F0,44,8A,66,FE,AF,4D,4F,1D,2D,00,00,00,00,\ 76,5D,5E,42,00,00,00,00,00,00,04,00,00,00,00,82,\ 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\ 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\ 57,42,50,54,01,00,00,00,10,00,00,00,00,00,28,B1,\ 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\ 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\ 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00 "ColumnMask"=dword:000000CB "CryptInitVect"=dword:0000001F

4. Install MultiKey emulator (for HL is enough version 18.x.x). From v19.x.x you need to have license for each dongle used (for HL is free but for SRM is not). Restart required. 5. Run protected program without original dongle. If you see a message Error 1031: Envelope unknown error you need to make pairs tables.

6. Making tables. Tools needed: PETools, HEX editor, LogsToTables.exe. Run protected program. After you see Error 1031: Envelope unknown error, start PETools. You need to find the main .exe program. In some cases you need to find another related .dll files. In this example I need to make tables first from gm.dll and then from DAO.exe. Dump from memory gm.dll. Right-Click on gm.dll line and choose Dump Full and save them. I saved this with Dumped1.dll name.

From Narciszu 2011

Point on this line

Open Dumped1.dll with HexEdit and Search for the GetTickCount string. Your first block of 4096 bytes long begins after GetThickCount string plus another 8 bytes. Your selection must have exactly 4096 bytes long.

Save this selection in a file called block1.bin. Notice and remember that this block begin with 7C9D. Continue to search for another appearance of the GetTickCount string. If you not find, open block1.bin with LogToTables.exe (FileTypes need to be Bin files (*.bin))

From Narciszu 2011

In Settings ensure you selected Type Table MultiKey 18.1

Save this in a file or press CTRL-A to select all and CTRL-C to copy into the clipboard. Open your regfile and append these lines at the end. Dont forget to replace XXXXXXXX from this line [HKEY_LOCAL_MACHINE\System\CurrentControlSet\MultiKey\Dumps\XXXXXXXX\DTable] with your password dongle. In this case: 50DB5EFA. Your regfile look like this (I cut some lines to limit the length of this tutorial. First part of this is the same like above and the end part must contain all line with pairs found):
REGEDIT4 [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Multikey\Dumps\50DB5EFA] "Name"="" "DongleType"=dword:00000001 . . . "Data"=hex:\ 20,20,03,00,03,04,02,C0,00,00,D9,D3,F4,DB,00,00,\ . . . 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00 "ColumnMask"=dword:000000CB "CryptInitVect"=dword:0000001F [HKEY_LOCAL_MACHINE\System\CurrentControlSet\MultiKey\Dumps\50DB5EFA\DTable] "10:0293A7C64F8F9F3A5E6A13AE4A77A7B9"=hex:C7,27,D1,DB,B1,65,F4,D6,85,B8,25,20,46,80,59,D0 . . . "10:FACC788B4356B121EA4DA32EFC9E403D"=hex:ED,51,87,2C,A4,38,69,BD,B5,9C,E1,68,07,AC,3E,83 "10:FC9CE26463C5FAF254CDC209CD950222"=hex:2C,D2,22,49,FE,DC,D5,21,22,E3,75,68,96,FE,91,1B

Now, import them into registry and restart MultiKey (restart.cmd). If you see again Error 1031: Envelope unknown error, repeat all this step (6). Start your application, start PETools, dump from memory gm.dll

From Narciszu 2011

Search GetTickCount. Notice first 4 bytes of the block need to be selected. If this are the same with the previous one (7C9D) continue to search GetTickCount string. You could find something like this:

GetTickCount with other clear texts. This is not good. You need to continue search. And voila:

This block begins with other bytes: 2A49. Select 4096 bytes long block, open with LogsToTables.exe and make another pairs. Append at the end of the reg file, import into registry, restart MultiKey and restart you app. If your applications work, this step is over. If you see again Error 1031: Envelope unknown error, repeat this step. If you dont find different blocks, need to find in other related files. In this case, you need to dump DAO.exe with PETools and repeat twice this step. In total you will find in this case, 4 blocks with pairs. Two in gm.dll and two in DAO.exe. You need to do this until you dont find any new block of 4096 bytes long. Your pairs could be 10, 20 or 30 long. This 4096 bytes long blocks contain only the 10 long like this:

For other ones with 20 and 30 long you need to work with log file made in step 2 with Sataron haSploGer. Open this log file with the LogsToTables.exe. This time Filetype need to be Files Log (*.txt, *.log)

From Narciszu 2011

The result contains many pairs but we are interested in those with 20 and 30 long. All 10 long that are important for us, are already in the reg file.

Select all of them and append at the end of your reg file, import in your registry, restart MK After that, your application needs to work if you are lucky! P.S. All the tools used could be finding easy and are free. Many thanks for the guys who give us this tools and opportunity to make ourselves one step forward. Maybe, in one day, we could do this with HASP SRM. Thanks again.

From Narciszu 2011