dinky dongle
martinz
March 21st, 2010, 16:51
Hello friends,
I have searched the board a little bit, asked some people a few questions, and as far as I have managed for now, I came to this:
The program (8 MB heavy) asks for the dongle after the installation. It has one exe and a few xml files for the GUI.
I have found the CALLs for the cases (it has 15-20 functions which accept some parameters from the dongle like time, serial, computer id, data block ...), and I have managed to kill the "no dongle" error code, as the other case functions are not called after the program is started.
The problem > depending on where I push the parameter which is asking for the dongle, I get mem errors.
I understand reversing, but I'm still somehow new to this, and with asm it gets really hard with these things for someone who only knows C & C++.
Where should I go from here? Is it good to kill all the case functions or ... ?
I could put some screenshots from Olly and Hiew.
 
thanks!

naides
March 21st, 2010, 19:21
Hi martinz.
Welcome to the board.
If you put an excerpt of the code before and after you attempted your modification to "kill" the error code, someone may give you some guidance about how to do it correctly. From the little info you provide I would venture to guess that you are having problems with the balancing of the stack. When you prevent a call from happening, parameters got pushed that the function itself was in charge of popping... something in that line of thought...
martinz
March 22nd, 2010, 04:33
http://img413.imageshack.us/img413/3049/dc2ft.jpg
http://img155.imageshack.us/img155/7330/dc6.jpg
Which part of the code should I put?
FoxB
March 22nd, 2010, 09:19
Maybe simply upload the target software?
martinz
March 31st, 2010, 06:46
https://www.yousendit.com/transfer.php?action=batch_download&batch_id=bFFNdFdhUENlM1JjR0E9PQ
When it's installed, the last program from the list asks for the dongle.
I think that the main switch/case loop is at the address 0059C300.
Any help would be appreciated!
TBone
March 31st, 2010, 11:00
Hm. Well, it's a pretty big file, so it would take a long time to download it here at my office.
From the screenshots, though, I think I get the general idea. IMHO, it usually works best not to mess with the switch structure at all. I'd back up even further and see where EAX is being set just before entering the switch (which according to Olly starts at 0059C4FA). Probably EAX is the return value from a call to some function that does the dongle-checking magic. If you patch that function so that it always returns the "good boy" value for EAX, it will fall through the switch/case structure to the success branches all on its own.
As well, the function that checks the dongle may do some additional initialization based on what it finds on the dongle. For instance, it might copy the serial number or other registration data into a structure in memory somewhere. If that code never runs because there is no dongle attached and you've merely skipped over the "dongle not found" stuff, other code later in the program (like in the switch structure) may crash the program when it tries to operate on uninitialized memory, etc.
So it might do something like this:
ReadDongle function:
1. Check if the dongle is present. If it's not, return immediately with EAX = DONGLE_NOT_FOUND
2. If the dongle is there, read in the serial, etc. and store somewhere in memory
3. Check the serial/registration data to see if it's valid. If so, exit with EAX = GOOD_BOY.
4. Else exit with EAX = BAD_BOY
Main startup routine:
5. Call regState = ReadDongle();
6. switch regState:
7. case DONGLE_NOT_FOUND: display "not found" error
8. case BAD_BOY: display "bad dongle data" error, etc. (there are probably actually multiple "bad boy" codes for registration expired, invalid registration, and so forth)
9. case GOOD_BOY: load registration information from memory (put there by ReadDongle) and store it in the About/Registration dialog box; display success message
So you can see that if you just tweak the jump statements in the switch to skip straight down to the GOOD_BOY case, it can still crash the program when it tries to operate on data that should be there if the dongle check actually succeeded. It may also crash if you just naively modify the dongle checking function to always return the GOOD_BOY value. You probably need to dig a little deeper and fully emulate what would actually happen if you had a good dongle attached.
wbe
March 31st, 2010, 12:27
I wonder why those returned values are always masculine. Couldn't it be GOOD_GIRL? 
 
I think it's time for the RCE community to stop this sexist approach and start to review their terminology to include some ostensibly innocuous alternatives like GOOD_PERSON.
It's the time for affirmative action! Let's wipe out all the pejorative connotations in our glossary. 

TBone
March 31st, 2010, 13:18
If it's any consolation, my computers are always "shes". Like boats! 

martinz
April 1st, 2010, 07:28
At the address > 0059C30E I have changed the JNE command; when it starts it gets a stack overflow error or does nothing.
On the other part > 0059C4FA, it says CMP EAX,19. What does 19 stand for?
Is it smart to say IF the dongle is not here, JUMP to the place where you should go when the dongle is here?
FoxB
April 1st, 2010, 08:05
@martinz: setup is the first stage of the war =) all executables also have part of the Dinkey API inside...
martinz
April 1st, 2010, 14:04
Quote (Originally Posted by FoxB): @martinz: setup is the first stage of the war =) all executables also have part of the Dinkey API inside...
Do you think I can do something with their dongle driver?
FoxB
April 2nd, 2010, 03:55
@martinz: you have two ways - make the patch for all executables with part of the Dinkey API inside, or make the Dinkey dongle emulator...
martinz
August 6th, 2010, 03:42
Is there any place where I can find the DDAdd?
FoxB
August 7th, 2010, 00:29
Quote (Originally Posted by martinz): Is there any place where I can find the DDAdd?
From the developer only...
The other way - change the dongle memory.
martinz
September 10th, 2010, 12:45
After a few months of doing nothing with this, I started again to break the cr*p!
What I have managed to find now is the return address of the good boy/girl function. It's at the beginning of the function, where the ddmb structure is called.
When I make it 0, it goes directly to the success msg (the software also gives an OK msg when the dongle is on and working, after which it opens the program), but the thing that happens later is that the program breaks down again (turns on just for 1 sec). What to do now, to find if the same return value is called once more with the default error value after the program is executed, or what?
I could provide you with code on how the dongle is protected (all the vars and functions) if it helps giving me some hints.
Anyone?