Reverse Engineering Team
Unpacking hasp envelope

5 posters


Post by Aykfc Thu Jun 07, 2018 8:43 am

Hello. I've spent several months learning about HASP and trying to remove the envelope. I am very close now. I am having trouble finding the magic jump. I have looked at a video on removing the envelope and fixing the IAT; it helped a lot, but the part that confuses me is finding that exact spot. How much does the IAT redirection change between versions? Do the envelopes all have JE for the jump? Or could it be a different conditional jump like a JNE? My version is later than the video (although not whitebox) and I have found the right section of code but not the right line.

Also, in the HASP IAT fixer script, is the pointer section that you have to change based on the envelope version supposed to be the magic jump? Or is it something else? I am not sure if it's the right spot or not.


Last edited by Aykfc on Thu Jun 07, 2018 1:59 pm; edited 1 time in total

Aykfc

Posts : 17
Points : 18
Reputation : -8
Join date : 2015-06-14
Location : Michigan


Post by prenumele Thu Jun 07, 2018 11:14 am

On what kind of Windows have you done debugging? And with which tools?

prenumele

Posts : 161
Points : 227
Reputation : 47
Join date : 2010-09-11


Post by Aykfc Thu Jun 07, 2018 2:18 pm

Well, I have tried many different tools. At the moment I am using Windows 7 x32 in VirtualBox. OllyDbg 2. Program will load up fine in Olly and run. I've tried a couple of different versions of Olly. I tried to get it working under IDA and used a plugin to help hide the debug settings but couldn't get it working. At least not yet. Mainly focusing on the IAT at the moment.

[You must be registered and logged in to see this link.]

That's the tutorial I was following. It's been helpful but I am still not sure on where the jump might be.

Aykfc

Posts : 17
Points : 18
Reputation : -8
Join date : 2015-06-14
Location : Michigan


Tutorial

Post by finn Thu Jun 07, 2018 3:11 pm

The pass?

finn

Posts : 5
Points : 10
Reputation : -1
Join date : 2015-01-22


Post by Aykfc Thu Jun 07, 2018 3:13 pm

finn wrote: The pass?

tuts4you

Aykfc

Posts : 17
Points : 18
Reputation : -8
Join date : 2015-06-14
Location : Michigan


Post by finn Thu Jun 07, 2018 6:09 pm

Thanks

finn

Posts : 5
Points : 10
Reputation : -1
Join date : 2015-01-22


Post by Aykfc Tue Jun 12, 2018 5:56 pm

Can somebody at least tell me if the pointer section in the scripts to fix the IAT is the same as that magic jump you need to find?


@end_point:
find prtc_sec, #FFFF82D18BE55DC3#    // #66C1E7??5E5B8BE566C1E6??5DC3#
mov endp, $RESULT
add endp, 4
bphws endp, "x"


I need to change the prtc_sec but don't know if it is that conditional JE jump I need to find.

Aykfc

Posts : 17
Points : 18
Reputation : -8
Join date : 2015-06-14
Location : Michigan


Post by prenumele Wed Jun 13, 2018 11:28 am

[You must be registered and logged in to see this link.]

prenumele

Posts : 161
Points : 227
Reputation : 47
Join date : 2010-09-11


Post by proaudiosoft Fri Jun 15, 2018 6:57 am

You don't need a script. What's your target? I can help you. Send me a msg....

proaudiosoft

Posts : 3
Points : -24
Reputation : -42
Join date : 2017-09-15


Post by ovis25 Fri Jun 15, 2018 11:20 am

Post here for us unpacking target complete, for Aladdin HL 1.x envelope.
If not, get lost.

ovis25

Posts : 648
Points : 1234
Reputation : 332
Join date : 2014-06-07


Post by Aykfc Tue Jun 19, 2018 11:58 am

Thank you, prenumele. I had some of it but others helped point me in the right direction. I have studied the script and just about got it working. I have found the pointer section finally. The script runs but it doesn't go to the fix section. I am thinking the sysmod is incorrect. I have on the memory map mfc100 and msvcr100. I have tried the PE header address for both but no luck. The video I watched used hnetcfg and my program is C++, I believe. What should I use for the sysmod line?

Aykfc

Posts : 17
Points : 18
Reputation : -8
Join date : 2015-06-14
Location : Michigan


Post by Aykfc Thu Jun 21, 2018 12:40 pm

Well, I have just about got it. I have rebuilt the IAT on the first file and the second file is almost done. The last part is figuring out the emulated IAT entries. I have 4 that I need to enter. I found a list of 5 entries for a manual IAT fix:
GetCommandLineA
GetStartupInfoA
GetCurrentProcess
GetCurrentProcessId
GetProcAddress

Can anyone point me in the right direction for figuring out the best way to resolve this? I tried doing a hardware breakpoint on execution but I couldn't find anything that stood out.

Aykfc

Posts : 17
Points : 18
Reputation : -8
Join date : 2015-06-14
Location : Michigan
