
Help with SI


JohnnyBoy
September 19th, 2001, 03:01
I know I have posted this before, but I still have not got an answer.

I'm working on a crack protected by keylib16.dll.
I have tried to load this 16-bit DLL into SI. I have tried everything I know, but nothing works.

the software can be found at: h**p://www.performancetrends.com/programs/DyDM-w95.exe

The function I want to debug is the function pp_tcode, but I can't set a bpx on it. (Symbol not defined)

I have done some testing with w32dasm to see what is done inside the function. I believe that the function is only returning an integer that tells if the key is valid. I believe that a 0 is invalid, but what number will open up the software???? (1-50)
To understand that, I think I need to understand more about the "trigger code" procedure.
Another way of solving this is to crack the pp_tcode function with a lot of NOPs and set the value to 1-50 and try, change value, try, change value ....

A description of the function can be found at h**p://www.softwarekey.com/helpdesk/plusman/keylib/pp_tcode.htm

I hope this is the key to my success. If not, I have to try another idea. To test some other idea I need to get breakpoints inside keylib16.dll.

Regards JohnnyBoy

Solomon
September 19th, 2001, 03:43
If this DLL is not packed, try inserting an INT 3 (opcode is 0xCC) into the function pp_code, then set a BPINT3 in SoftICE.

+SplAj
September 19th, 2001, 05:10
... and you loaded the DLL with the SI Symbol Loader (File\Load Exports) before starting the target??? As well as using a resource editor / wdasm etc. to see the export function names so you can BPX on them???

I know sometimes a DLL refuses to play with SI. Maybe try TRW2000, as this loads ALL API functions automagicdynamically. No need to use Load Exports or add them to winice.dat.

16-bit targets are bastardos :-( Good luck.

+Spl/\j

JohnnyBoy
September 19th, 2001, 06:45
I started the SI Loader:
File/Open Module => C:\WINDOWS\SYSTEM\Keylib16.dll opened successfully
File/Load Exports => Error: Unknown error

hmmm!


?ferret
September 19th, 2001, 21:41
Try Edit->SoftIce Initialization Settings->Export tab->Add->add your .dll.

If you have a symbol file for the .dll, you can load that under the Symbols tab.


Reboot.

Your .dll should now be loaded.


(The File/Open Module would be to load your target program, which you can tell Symbol Loader to break at the entry point.)

JohnnyBoy
September 20th, 2001, 09:45
Quote:
Originally posted by Solomon
If this DLL is not packed, try inserting an INT 3 (opcode is 0xCC) into the function pp_code, then set a BPINT3 in SoftICE.


Started with w32dasm and found pp_tcode at 0001.7da3, offset 0008463.
Went into Hex Workshop and went to 00008463. Looked at the code and compared it with the w32dasm window. I'm on the right spot.
Inserted the INT 3 code to be executed first in the function.
Saved the file and made a backup file of the original.

Tried w32dasm on the changed file to see if I added the INT 3 in the right place. Everything looks fine.

Let's try the software.

The software tells me that the licence file is corrupted and that some files are unreadable.

At least the bastard is shaken, but not stirred, yet.

The INT 3 thing does not seem to work. The software must check the size of the keylib16.dll file or its CRC. I will try to add just a NOP and see if it still gets BAZOOKA.

Best try so far!!!! Thanks a lot.
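The last post guesses that the protected program checks the size or CRC of keylib16.dll and refuses to run once a byte has been changed. The following Python block is an added example, not code from the thread or from the keylib product, showing from the defender's side why a content hash is the right integrity check and a size check is not: overwriting a single byte in place (as a hex-editor edit does) leaves the file length unchanged but alters the digest. The sample "module" bytes, the patch offset and the function names are constructed for the illustration.

```python
import hashlib


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 digest of a byte string (stand-in for the product's CRC)."""
    return hashlib.sha256(data).hexdigest()


def verify_module(data: bytes, expected_size: int, expected_sha256: str) -> dict:
    """Run both checks a loader might apply to a shipped library image.

    Returns which checks pass so the caller can see that a size-only check
    is blind to in-place edits while the hash check is not.
    """
    return {
        "size_ok": len(data) == expected_size,
        "hash_ok": sha256_hex(data) == expected_sha256,
    }


def patch_byte(data: bytes, offset: int, value: int) -> bytes:
    """Return a copy with one byte overwritten; length is preserved."""
    if not 0 <= offset < len(data):
        raise ValueError("offset outside module image")
    image = bytearray(data)
    image[offset] = value
    return bytes(image)


# Constructed stand-in for a library image (not the real keylib16.dll bytes).
ORIGINAL_IMAGE = bytes(range(256)) * 4
KNOWN_SIZE = len(ORIGINAL_IMAGE)
KNOWN_SHA256 = sha256_hex(ORIGINAL_IMAGE)

# Hypothetical edit: one opcode byte replaced at an arbitrary offset (0x40 is constructed).
EDITED_IMAGE = patch_byte(ORIGINAL_IMAGE, 0x40, 0xCC)


def compare_checks() -> dict:
    """Side-by-side result for the pristine and the edited image."""
    return {
        "original": verify_module(ORIGINAL_IMAGE, KNOWN_SIZE, KNOWN_SHA256),
        "edited": verify_module(EDITED_IMAGE, KNOWN_SIZE, KNOWN_SHA256),
    }


if __name__ == "__main__":
    for name, result in compare_checks().items():
        print(f"{name}: size_ok={result['size_ok']} hash_ok={result['hash_ok']}")
```

The design point for anyone shipping a licensing library is that the expected digest must itself live somewhere the program can trust (signed, or embedded in a signed executable); a digest stored beside the file it protects can be updated along with the patch, so in practice this check is paired with code signing rather than used alone.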