A small rant about dongles: the developer who can’t correctly implement a HASP!

Dongles have always had a certain mystique about them. Before this new age of packers, cryptors, etc., they were the top target to beat. In practice, that fame was only deserved by the small set of applications that implemented the dongle correctly. Most dongle-protected software features bad implementations. Developers don’t spend enough time in this area, or they think the dongle is a magic bullet that solves their problems.

This program is another fine example of this problem. I saw this one and decided to give it a look – it had HASP in the request so my curiosity had to be fulfilled. Less than three hours later, I was disappointed! Another crappy and rushed dongle implementation. It is so damn easy that it hurts (picture is for the basic edition, the advanced is one byte away). The full crack is 5 bytes, where 4 are NOPs 😉

I emailed the developers 5 days ago but received no answer. The auto-reply promises feedback in 24h so they don’t seem to care. Of course I will not publish details about this. It is annoying because it would be a good example of what not to do.

Anyway, if you are a developer implementing a dongle, let me give you this small piece of (important!) advice. Your application should have a healthy dialog with the dongle instead of a “good morning” before starting to work. You can also trust it to keep your secrets instead of storing them in the computer’s memory.
Explore the dongle’s possibilities and think a little about how you can use them. In this case, the HASP examples are a bit bad because they are way too simple. Remember the App Store receipt sample code that a lot of developers copied, even when they were warned not to? Do not do the same 😉
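The contrast in the advice above, as an added sketch that is not from the original post or from the HASP SDK: `dongle_decrypt`, the rate table and the key bytes are hypothetical, constructed stand-ins for a real dongle call, and the XOR stream only simulates on-device crypto.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simulated dongle: a hypothetical stand-in, NOT the HASP API. The key stays
 * inside the "device"; the XOR stream is a toy placeholder for its cipher. */
static int dongle_attached = 1;

static int dongle_decrypt(uint8_t *buf, size_t len)
{
    static const uint8_t device_key[4] = { 0x5a, 0xc3, 0x17, 0x88 }; /* constructed */
    if (!dongle_attached)
        return -1;
    for (size_t i = 0; i < len; i++)
        buf[i] ^= (uint8_t)(device_key[i % 4] + i);
    return 0;
}

/* Weak: the "good morning" pattern. One check at startup guards data that
 * ships in plaintext, so forcing `licensed` to 1 restores everything. */
static const uint8_t rates_plain[4] = { 5, 12, 20, 40 };

static int price_weak(int tier, int licensed)
{
    return licensed ? rates_plain[tier] * 100 : -1;
}

/* Stronger: the table ships only as ciphertext and every use goes through
 * the dongle. No yes/no branch decides the outcome; without the device the
 * bytes stay encrypted and the results are simply wrong. */
static const uint8_t rates_enc[4] = { 0x5f, 0xc8, 0x0d, 0xa3 }; /* constructed */

static int price_strong(int tier)
{
    uint8_t rates[4];
    memcpy(rates, rates_enc, sizeof rates);
    (void)dongle_decrypt(rates, sizeof rates); /* result deliberately not branched on */
    return rates[tier] * 100;
}

int main(void)
{
    printf("dongle present: weak=%d strong=%d\n", price_weak(1, 1), price_strong(1));
    dongle_attached = 0; /* device removed, startup check forced to "ok" */
    printf("dongle absent:  weak=%d strong=%d\n", price_weak(1, 1), price_strong(1));
    return 0;
}
```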

Back to some other projects. My baby girl seems to have inherited her parents’ strong personality and doesn’t want to come out, so I still have another week of free time 🙂

fG!

 

2 thoughts on “A small rant about dongles: the developer who can’t correctly implement a HASP!”

  1. A previous version of hasp had the checks in _hasp_logout:, _hasp_decrypt:, _hasp_encrypt:, _hasp_login:, _hasp_get_sessioninfo: and _hasp_update:

    Is this the same here or is it the implementation of Hasp within this that is the weak point?

    1. The anti-debug checks are called after the import table is resolved. The hasp envelope is still starting when this happens so it’s outside those hasp dongle calls.
      The vulnerability here is the bad implementation of hasp from this developer. But the envelope anti-debug is also weak 🙂
      This is all happening in the new segment implemented by the envelope.
