nobody
November 8th, 2001, 20:52
Hi.
I need some expert guidance with this problem.
I am trying to crack some software. It has a license manager that, as far as I can tell, is designed by the software developers.
The package has several modules (.exe or .dll files), that are loaded when you activate choices in the program menus. So far so good.
I have been able to detect that the program can tell "authorized" or "not authorized" by reading a flag stored in the data segment: something like this:
.
.
.
mov EAX, DWORD PTR [00564560] ; ds:00564560 holds a value of 0x00000001
test EAX,EAX
jz good boy
.
.
.
bad boy
Now. Based on this, someone, somewhere in the program examines the license state and WRITES to the position ds:0056456 the value of the flag: 00000001 bad boy
00000000 good boy.
I want to detect that function to activate all modules at once.
In an attempt to pinpoint the code that sets up the flag at DS:00564560,
I placed a breakpoint in SoftICE like this:
BPR ds:00564560 ds:00564560+4 W.
I was hoping to catch the code that WRITES the value of the flag, to be able to identify the code that validates the license.
The problem is: IT NEVER BREAKS.
I have followed the ds:00564560 area in the data window from the point the program starts (I break with BPX get version) as it loads.
Initially, it is filled with question marks ??????, meaning that area of the memory has not been mapped yet.
Eventually, as the program loads, it becomes full of data, but, despite being targeted with a BPR (or a BPMB or BPMD etc.), SoftICE does not seem to break when this critical (for me) area of memory gets written with the value of the critical flag.
Any idea why???
Thank you