
help with disassembly of dll


ET
July 3rd, 2001, 02:10
i need help reverse engineering a dll.. i've done the usual things like bypassing jumps and such, but even though the license.exe (that calls the dll) says the program is activated/registered, it still runs in demo mode.. this is my first attempt at anything other than crackmes, and so far it isn't going well.. i think i bit off more than i can chew! but i've racked my brains, and can't give up now.. please help me understand what i've missed..

here's what i've done so far:

if you search the substrings, you'll find 'Code Successful!'.. above that in the code is a test function followed by a jump.. i've changed the test function, changed the jump, even NOP'ed the test and jump.. everything gives me the 'Code Successful!' window, but the program still operates in demo mode..

any help greatly appreciated.. i have to say i've been getting great help so far from the Lockless 2K forum and their crackers over there..

-ET

rimmy
July 3rd, 2001, 03:29
How do you know that the program runs in demo mode? You've got to find something like "I'm running in demo mode" in the program itself. Then trace the code backward and find out why it makes such a stupid decision, correct it and everything will be OK.

CoDe_InSiDe
July 3rd, 2001, 03:41
Hi ET,

I've taken a quick look at it.
Check where the call (not the ordinal call) will go after the "Code Successful".
There you'll see it'll search for a file called "ffx2.lic". Dunno if you already have that, or whether it exists or something.
It also opens Registry keys here and there,
so there are probably more checks to see if you're really registered or not.
Hope this helps.

Cya...

CoDe_InSiDe

ET
July 3rd, 2001, 09:44
Quote:
CoDe_InSiDe (07-03-2001 01:41):
Hi ET,

I've taken a quick look at it.
Check where the call (not the ordinal call) will go after the "Code Successful".
There you'll see it'll search for a file called "ffx2.lic". Dunno if you already have that, or whether it exists or something.
It also opens Registry keys here and there,
so there are probably more checks to see if you're really registered or not.
Hope this helps.

Cya...

CoDe_InSiDe




thank you very much for looking at this!

how do i know this is still operating in demo mode? this is a dll to an image filter, and in demo mode it has a red X over the image..

i can't find any ffx2.lic files on my system, unless it creates them on the fly.. i do have a ffx2.dll and ffx2dlg.dll.. regardless, i removed the call to ffx2.lic, but still a no go.. big red X..

i also removed the call to the environment variables, but it still operates in Demo mode.. i can see in the registration information it generates a 'fingerprint' number of your system. i assume a keygen is really what i need, but that's above my head..

any other pointers? please help me figure this out! if you want the complete program this dll goes with, it's BigFX FilmFX 2.32.. you can download it here:

http://www.bigfx.com

-ET

Fake51
July 3rd, 2001, 10:06
Instead of searching for the switch between full and demo mode, you might want to consider searching for the code that smothers the image with that big red X. I think one or two of Orc's docs cover the issue, and Fravia's site has some texts on the issue. It might be worth the trouble (since some dumbass programmers leave very obvious marks in the code, clearly showing where they smother the image).

Blue skies
Fake

ET
July 3rd, 2001, 12:02
Quote:
Fake51 (07-03-2001 08:06):
Instead of searching for the switch between full and demo mode, you might want to consider searching for the code, that smothers the image with that big red X.



ahh, good idea.. i'll start a search immediately.. thanx!

-ET

ET
July 3rd, 2001, 13:57
*sigh* with my meager skills, i couldn't locate where the code put the red X over the image.. i would very much appreciate any help in deciphering this puzzle, i'm very eager to learn what i'm doing wrong..

-ET

ET
July 3rd, 2001, 18:08
Quote:
ET (07-03-2001 11:57):
*sigh* with my meager skills, i couldn't locate where the code put the red X over the image.. i would very much appreciate any help in deciphering this puzzle, i'm very eager to learn what i'm doing wrong..

-ET


anybody?

-ET

qferret
July 3rd, 2001, 20:29
I haven't actually checked the program, but here's a few ideas.

It's looking for the .lic file. It will check for this at program start too, and who knows how many other places. Create the file. Download Regmon and Filemon from sysinternals.com and find out what reg keys it's checking & what bytes in the file it's checking.

Between those 2 programs and BPX'ing a few APIs that access/read from/write to files (check your API reference, get one if you don't have one), you should be able to create a license file from the ground up.

You may be right though, it may be more than you can chew at this time......but don't let that stop you from giving it the ol' college try! ;-)

ET
July 4th, 2001, 00:55
Quote:
qferret (07-03-2001 18:29):
It's looking for the .lic file. It will check for this at program start too, and who knows how many other places. Create the file. Download Regmon and Filemon from sysinternals.com and find out what reg keys it's checking & what bytes in the file it's checking.



i got those two programs (thank you very much, good stuff) and used them.. at no time during the licensing program did i see the mysterious ffx2.lic file show up as being called in Filemon.. i did use regmon to open the regedit locations called by the licensing program, but most of the locations were empty when i went there.. does it create these on the fly? perhaps i'm not looking for the right thing..

Quote:

Between those 2 programs and BPX'ing a few APIs that access/read from/write to files (check your API reference, get one if you don't have one), you should be able to create a license file from the ground up.


i'm not sure i understand what BPXing is (bypassing?)..

Quote:

You may be right though, it may be more than you can chew at this time......but don't let that stop you from giving it the ol' college try! ;-)


i'm sure now i've got a mouthful of code i can't chew! definitely over my head, but i'm learning tons fast.. PLEASE keep looking at this and pointing me in the right direction.. i'm very eager to figure this out, and grateful for the help i've received..

although i'm sure i'm coming across as an annoying college idiot, i haven't been in college for 12 years! bear with me.. this is exciting!

-ET

CyberHeg
July 4th, 2001, 01:12
Instead of looking into patching this you should rather try keygenning it. Why? Simply because it's easier. I broke this program some time ago, so lemme see if I can refresh my memory.

The license file you are all talking about is created during the installation. It contains some system information and a time stamp, if I remember correctly. This is nothing to worry about.

You should try to enter a fake code into the license manager program and follow it. If I remember correctly, it will be directly compared byte for byte with the real serial. At least I remember that the real serial gets calculated in memory, and if you enter that one then you get success.

So how to keygen this? The code in the dll uses that license file like you guys wrote and does all the other good stuff in order to make a real serial. What I did was, instead of letting the compare happen, return the serial, actually changing the parameter list of the function.
In C syntax I modified it to something like

char *(cannot remember the name of the export) (char *prollyname, and whatever goes there)

(the important part is the char * at the front instead of void or bool which was there originally)

Then I made sure the address of the string which holds the serial after the generation gets returned in eax so the above syntax will be used.

Keygenning this was actually the easiest part. Instead of ripping out the code I just called the dll and grabbed the serial out on return.
Now there are no more worries. The license file created during installation will be used and a code generated for you.

Just as a test. If you choose to make this keygen. Try first to generate a key on a clean computer just before the installation of the program. Next try to generate again when asked for it from the program. Those generated keys will not be the same.

My point of all this is: why waste time on ripping code/patching when the author kindly gave you most of what's needed to make a keygen?

Hope this is helpful to you.

// CyberHeg

morlac.
July 4th, 2001, 04:59
Hi ET,

I think I came by a similar problem 2 years ago with a plugin for LightWave and Photoshop.
I remember that removing the license check or even generating one was very tiresome. So, I opted for removing the red 'X' mark.
How I did it? Well, first I rendered an image with a default resolution and I then looked at the dimensions of the X. Then I searched the code for those numbers and voilà, I caught it. There were two calls to the big red 'X' routine. Actually, there were 2 different functions that handle the 'X' drawing.
I can't remember more than what I said. Sorry. Hopefully, it'll give you an idea.

Morlac.

PS - When looking at the 'X', try measuring its height and width.

ET
July 4th, 2001, 12:32
Quote:

Hi ET,
I think I came by a similar problem 2 years ago with a plugin for LightWave and Photoshop.
I remember that removing the license check or even generating one was very tiresome. So, I opted for removing the red 'X' mark.
How I did it? Well, first I rendered an image with a default resolution and I then looked at the dimensions of the X. Then I searched the code for those numbers and voilà, I caught it. There were two calls to the big red 'X' routine. Actually, there were 2 different functions that handle the 'X' drawing.
I can't remember more than what I said. Sorry. Hopefully, it'll give you an idea.

Morlac.

PS - When looking at the 'X', try measuring its height and width.


morlac,

this seems like the easiest fix (in light of how hard it is to patch the dll).. but the X is dynamic in size, not fixed.. i've used it on movies as little as 280x160 and as big as film res (4096x2024).. always there, covering the whole image from corner to corner.. because of this, i can't find any reference or obvious clue as to where the X is actually calculated.. i DO know which program part it's in.. the program comes with a few dlls, one EXE for licensing, and two After Effects filters (one film grain, one film color).. it's the film color filter that puts the X on the image.. i've decompiled it, but again, with my meager skills i'm obviously missing the right code.. perhaps if someone else took a peek..?


Quote:
CyberHeg (07-03-2001 23:12):
Instead of looking into patching this you should rather try keygenning it. Why? Simply because it's easier. I broke this program some time ago, so lemme see if I can refresh my memory.



i have assumed from the beginning this would be the final route taken..

Quote:

The license file you are all talking about is created during the installation. It contains some system information and a time stamp, if I remember correctly. This is nothing to worry about.

You should try to enter a fake code into the license manager program and follow it. If I remember correctly, it will be directly compared byte for byte with the real serial. At least I remember that the real serial gets calculated in memory, and if you enter that one then you get success.


how exactly do you follow/trace the comparison? softice? i haven't used it much so far, just w32dasm and hex editors (and now filemon/regmon)..

Quote:

So how to keygen this? The code in the dll uses that license file like you guys wrote and does all the other good stuff in order to make a real serial. What I did was, instead of letting the compare happen, return the serial, actually changing the parameter list of the function.
In C syntax I modified it to something like

char *(cannot remember the name of the export) (char *prollyname, and whatever goes there)

(the important part is the char * at the front instead of void or bool which was there originally)

Then I made sure the address of the string which holds the serial after the generation gets returned in eax so the above syntax will be used.


ok, i'm lost.. logically, i completely understand what you're saying.. i just don't know how to implement it.. if you return the serial# into eax, how do you retrieve it?

Quote:

Keygenning this was actually the easiest part. Instead of ripping out the code I just called the dll and grabbed the serial out on return.
Now there are no more worries. The license file created during installation will be used and a code generated for you.


YES, this is exactly what i'd like to do..

Quote:

Just as a test. If you choose to make this keygen. Try first to generate a key on a clean computer just before the installation of the program. Next try to generate again when asked for it from the program. Those generated keys will not be the same.


you're saying read the eax register before installing/licensing, then read it again after? if i modify the code to put the correct serial into eax, how do i read eax?

Quote:

My point of all this is: why waste time on ripping code/patching when the author kindly gave you most of what's needed to make a keygen?

Hope this is helpful to you.

// CyberHeg


thank you very much, this is very helpful! i'll start researching these strategies immediately.. i'm a little shaky on how to change the code to push the correct serial into eax, then read it back at the right time, so i'm sure i'll be asking more questions..

this would make a great tutorial if anybody would look at the code!

-ET

woodmann
July 4th, 2001, 14:57
Without trying to sound negative........

ET, You have been given many ways to complete your task. If you really want it you will do it, no matter how long it takes.
Then, you write the tutorial.

Peace, Woodmann

ET
July 4th, 2001, 15:40
Quote:
woodmann (07-04-2001 12:57):
Without trying to sound negative........

ET, You have been given many ways to complete your task. If you really want it you will do it, no matter how long it takes.
Then, you write the tutorial.

Peace, Woodmann


yes, i know.. i don't take offense to what you're saying.. at the same time, i've explained i'm new to this and am very willing to learn.. i've been given many pointers from people that i have pursued to the best of my abilities.. but if nobody else ever looks at the code, i only seem to be getting more confused as to the best direction to take.. with all due respect, i've been told 4 exact things to look for (not necessarily on this board) that just aren't there.. i've exhausted my limited knowledge, and as the title says, i'm asking for 'help' so that i can learn..

sorry if i've asked too many questions..

-ET

woodmann
July 4th, 2001, 15:48
Questions are fine. I don't think you will be able to convince anyone to look at the code for you.

I want you to be able to do this for yourself. If you have to take a few steps backwards then that's what you have to do.
Your patience is important at this point. Relax and try a little "zen". It is at this time where you will make your best progress.

Peace, Woodmann

sarge
July 16th, 2001, 14:00
Are you sure the code in question is not using the "Overlay" function of an ImageList control? The overlay function is specifically designed to do what you are seeing. It actually merges one picture with another; it may be that your program is merging an "X" with the original picture. Either find the "X" image and make it blank (thus the overlay will mix "nothing" with the original picture = original picture), or disable/bypass the overlay command code.

PS. Due to my inexperience, this got posted twice! Sorry, all!