haec_est
May 27th, 2002, 10:27
Hi, I have a little problem with a proggy that uses a HASP4 M1 key; it turned out
that it uses PCS, so in the image I found where the PCS_Masterlist is located:
:s 400000 L ffffffff "SCP@PSAH"
Pattern found at 001B:0088627B (0048627B)
0023:0088627A 40 53 43 50 40 50 53 41-48 40 00 00 00 00 00 00 @SCP@PSAH@......
0023:0088628A 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
0023:0088629A 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
0023:008862AA 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
0023:008862BA 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
0023:008862CA 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
0023:008862DA 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
0023:008862EA 0A 00 23 00 66 83 BD FF-01 00 00 28 75 01 C3 66 ..#.f......(u..f
0023:008862FA FF B5 FF 01 00 00 66 FF-B5 D1 01 00 00 66 FF B5 ......f......f..
0023:0088630A 60 02 00 00 66 FF B5 62-02 00 00 66 FF B5 9B 02 `...f..b...f....
0023:0088631A 00 00 66 FF B5 FA 01 00-00 FF B5 22 0D 00 00 1E ..f........"....
0023:0088632A 06 57 56 52 51 53 50 66-8B 85 01 0D 00 00 66 89 .WVRQSPf......f.
...
But when I searched for the PCS structures I found no _PCSPattern in the image,
nor in the loaded PE:
:s 400000 L ffffffff "$HASP$PCS$"
Pattern found at 001B:8162A583 (8122A583) <-- mirror of search string
Then I set a bpmw on the word following the PCS_Masterlist signature (number of PCS structures)
to see if it was filled at runtime, but it was always 0x0000.
So I compiled a PCS demo that was available at the HASP site (some months ago), and I
searched for the pattern "$HASP$PCS$"; it was there, nothing strange.
Next I compared 0x500 bytes from the proggy and the demo, starting at the PCS
masterlist signature, and WinHex said:
"Search for differences
1. pcs.dat: 1,280 bytes
2. pcs_demo.dat: 1,280 bytes
AB: 22 1C
...
868 difference(s) found."
Thus the first 0xAA bytes are the same, and the others look very similar
(kind of a newer version of PCS).
Now I'm a little bit confused... can anyone tell me what's going on?
Maybe the programmers forgot to put the PCS structures in the file, or
is it a PCS upgrade? And so, where should I look to find the PCS structures?
Thanks in advance,
PS: sorry for my bad English