Hi all ...

http://ccollomb.free.fr/Toshiba-full.rar

I tried to remove serial and other stuffs from this prog ( the serial inside archive is mine so please don't spread it )

The program uses a dll which is crypted and reencrypted after execution, it also uses a system driver spssys.dll

I can't trace with sice but the proggy runs perfectly with sice. Icedump and frogsice didnt help.

Hope you can help me, regarding I plan to remove SDMI limitations afterwards ...

Inside this we can find such code :

mov eax, dr6
or eax, 00002000
mov dr6, eax
mov eax, 00000000
mov dr0, eax
mov dr1, eax
mov dr2, eax
mov dr3, eax
mov eax, dr6
and eax, FFFFDFFF
mov dr6, eax

or this :

CLI
mov EAX,CR0
mov [ebp+0x08],EAX
and EAX,0xFFFEFFFF
mov CR0,EAX
mov EAX,[EBP-0x0C]
mov [ESI],EAX
mov EAX,[EBP-0x08]
mov [ESI+0x04],EAX
mov EAX,[EBP+0x08]
mov CR0,EAX
STI

Hello Nitch !

I looked at the code.

The BD Flag is set. This means that any access (read/write) to a debug register (DR?) will cause an expection.
A move to DR0 causes an expection and the affiliated handler will be called.
The BD Flag is cleared again so an access to any debug register won't ransom an expection any more.
The WP Flag is turned off (Write Protect). I presume that the memory area at [ESI] and [ESI+04h] isn't supposed to be written by the program. So you can guess what it does.
The original value of CR0 is restored.

One more thing is on my mind. Some people here aren't as honest as they appear to be. People from cracking groups are reading this pages just as you. So if you post your serial numbers and full programs here, they're most probably to appear the next day on many warez pages.

Ok I removed the serial, I don't want any lamer to play with it, I just intended to show my purpose was to crack the program and not use it.

About your advices I understand it BUT

1/ I was able to trace between #2 and #3 with sice without any problem

2/ You was right, softice was killed in the ESI writes

Whats shall I do ? What can I do ?

I didn't check, but if this linked to a serial number it's a liability to us. I took the liberty of removing the link. If anyone objects or you want to change the file to get rid of the serial/crack, then just tell me.

PS, just noticed your post Nitch, but had already deleted the link, sorry. If you want to edit your 1st post with the new link then go ahead.

Kayaker

Sorry again, I am a beginner with this forum

SoftICE uses the debug registers itself. So you can trace the code, but the expection which is expected to happen (and probably also needed somehow in the decryption process) will not happen. If the program clears the debug registers you can use BPR to set breakpoints or BPX if no integrity checks are made. If you say SoftICE runs with the program then the values written to [ESI] and [ESI+04h] must be restored somewhere.

The main goal should be to find the place where the serial is checked. Or do you want to run the program without any serial? Finding out how the DLL is decrypted is one goal on the way to the main purpose.

Sorry, I can't give you any more clues at the moment, but I had still no time to check the target.

I understand about sice troubling what happens.

Well, I tried to find where was the serial first because I plan to remove SDMI limitations too.

The problem in the dll is that it is crypted and recrypted after execution.

I really don't know where to start.

Sice is killed when tracing the write on [ESI] I mean sice is disabled and the program continues to run.