Hello to all from noob. keylib32?


Diablo350
August 7th, 2008, 12:07
New here and very much enjoying reading info and stepping through a few tuts to get my feet wet in this topic, which, as a long-time programmer, is very new to me. I am currently playing around on a program that uses Protection Plus (4.2). There don't appear to be many posts written about this system that I can find. Just wondering if it follows the same licensing/protection system as something with a different name and I'm just not seeing it. Was also curious if, on a system like this, an approach is writing myself a DLL that mimics keylib32.dll and the return values it creates (there are many according to the documentation), or would a more productive application of my time be to try and generate/find the correct serial number the program requires? Just curious if anyone else has had a play with this protection and any thoughts.

FrankRizzo
August 18th, 2008, 22:24
I've messed with it from time to time. It's not used very widely, so it's almost like I get rusty in between tries.

I *JUST* finished a target for a bud that was using their .NET "solution". It was your standard 45 day trial garbage. The weak point in it was that they use their normal .dll, but they have a .NET wrapper that calls all the functions, and acts as just an interface between the client's app, and their .DLL. So, since this guy JUST needed to extend his license, I changed the IL in the wrapper so that when it called the "GetTrialDays" or some such function, I just returned "69" instead of calling the .DLL function to get the RIGHT answer.

Now, in case you haven't been "blessed" with a .NET target, I'll describe what I did on my last one.

YES, there are a TON of functions in the .DLL. BUT! They probably don't use but 1% of them. So, that being the case, you only need to emulate the ones that they call.
So, a few minutes with IDA, and you should have a list of the functions that they call. Then, using the online documentation, you can see what they return, and emulate them.

Overall, this is NOT a tough protection to circumvent, I found it MUCH easier than Flexlm.

Now, GO TRY!

Diablo350
September 12th, 2008, 12:18
Thank you for the reply. Now it's a weekend, time to play again! Being a beginner, slow going of course. Well, I've been poking about and found the functions my target is calling in the DLL. You were right of course, only calling a handful (7 in total). Not using the ones to check the DLL itself, which I suppose is good news. It's not using a .NET wrapper, which is a pity, as I've only coded DLLs before using .NET myself, so kinda stumped for now. Got to learn a new language and development tool for coding my fake DLL with the few calls it needs. Ah well, there's always somethin'! Any fake DLL coding tips? What dev tool would you use yourself? Thank you for reading.

FrankRizzo
September 12th, 2008, 20:05
Quote:
[Originally Posted by Diablo350;76946] Got to learn a new language and development tool for coding my fake DLL with the few calls it needs. Ah well, there's always somethin'! Any fake DLL coding tips? What dev tool would you use yourself? Thank you for reading.

And learning more than anything else is the reason that I enjoy reversing so much. (Next year will be my 25th anniversary of reversing as a matter of fact).

I use Visual Studio to write my stuff, since the wizards will make the framework that you need to write your .DLL, I HIGHLY recommend it.

If you haven't already, I would also recommend that you search for a trial version of the protection, and download it. It comes with documentation for all of those DLL calls, so you can make sure you are returning the correct value.

Now, as for fixing your target, I bet once you learn what all the functions do that it calls, you'll find a "weak point" (like GetTrialDays that I mentioned in my previous posting). Once you find that, it may be as simple as just patching THEIR .DLL instead of having to make your own. If time is an issue, I would patch first, and then once the pressure was off to deliver, THEN you can mess around with making a replacement .DLL. You might find that all that needs to be in the function in the .DLL is to return some magic value. Which would translate into a few bytes changed, and voilà!

Done.

Diablo350
September 13th, 2008, 06:24
Thank you again for the advice. Good fun. Patching the DLL might be an option if I could figure out how to unpack it. lol. Interesting trying tho. I'm at the point now where I turn the DLL into an executable form (LordPE for the bit) and had a look at it in Olly. It definitely seems to protect itself from this tho, so now lookin' for where it checks to see if the executable bit has been tampered with. All time consuming, especially with my lack of knowledge.

At least the program calling the DLL is not packed, so I can follow it through with IDA. I can see the functions of the DLL with DLL Export Viewer and, using IDA with the calling program, see which few are being called. Mind you. Hmm, just found something called chkregauthcode. hmm :-)

Diablo350
September 13th, 2008, 07:53
Well, I'll be darned. First time I've been able in my life to find a 'relevant' piece of code!! Then patching a 0 to a 1 worked a treat. Maybe just me, but boy, isn't that a satisfying feeling!! Now to study the whole thing a bit more and learn a bit about unpacking. Brill!!!! Even fancy a beer as a wee celebration..!

FrankRizzo
September 13th, 2008, 13:28
Quote:
[Originally Posted by Diablo350;76963] Well, I'll be darned. First time I've been able in my life to find a 'relevant' piece of code!! Then patching a 0 to a 1 worked a treat. Maybe just me, but boy, isn't that a satisfying feeling!! Now to study the whole thing a bit more and learn a bit about unpacking. Brill!!!! Even fancy a beer as a wee celebration..!

Most excellent! Congrats!

I can't count the number of "1-bit cracks" I've seen over the years.

Let this be your first step in a long journey of discovery, and, as I suspect, you'll find that the tougher the target, the greater the sense of accomplishment when you finish it.