
anybody looked at accware? (by icode)


BeAR
March 5th, 2001, 00:19
Anyone taken a swing at accware? I'm not begging for free reg codes; I just want to know if someone is familiar with how it's protected and how to defeat it. So far my attempts don't seem to be like any of the tutorials I've walked through before.
-B

BeAR
March 9th, 2001, 13:12
OK, here's what I've got so far...

Near as I can tell, the registration has different "levels." I suppose this is for different user licenses (5-user, 10-user, whatever). You enter a serial # and an auth code. With SI, I did a bpx hmemcpy and it broke on the auth code. I set a bpr on where it was being copied to (something like bpr 30:xxx segment), and this is where I start to get confused. I'm trying to avoid tracing calls all day. Twice I get a bpr where I can look at ds:si and see my auth code. Other times it'll bpr and I can't seem to see my auth code in any of the regular registers (si, di, ax, bx, and so on). Could someone help me along, please?

Bratscher
March 9th, 2001, 16:22
Nose diving into tracing and chasing a serial into the memory woods may work sometimes, but it is easy to miss the forest by paying too much attention to the trees.
Consider alternative approaches:

Disassemble the code.
Look for the nag screens or the texts that tell you "unregistered" or "registered under such and such limitations", and so on. The processing and checking of the serial already took place, but by studying the code around those texts you may be able to find the critical decision jumps that take you to the code that produces the nag screen, and also identify the calls that do the checking that decide the call.

Brtacher
March 9th, 2001, 17:06
I mean the Jump.

BeAR
March 12th, 2001, 04:33
Quote:
Brtacher (03-09-2001 14:06):
I mean the Jump.


OK. I disassembled it with w32dasm. I know that the rejection message is "unauthorize registration..." I couldn't find it with a text search in the disassembly. Hmm... I looked for it in the exe with just a hex editor: bingo! I found the offset (0x002B454E), and just a few bytes before it is "Company successfuly registered". This looks promising. What I don't get is why the text didn't show up in the disassembly search. Guess I shouldn't fret over that too much. The next question for me is: how can I exploit this? Is there a way to watch if the text at that offset in the file is read? I'm not sure how to do that in SI, but I figure it'll get me closer to the test and jmp routines I'm trying to find. Or would this be another wild goose chase?
-B

A?????
March 12th, 2001, 10:07
Now that you know the offset of the message, search for where the program PUSHes it. I'm not sure about it, but as the offset is 2B454E, I think it will be 6B4E452B; 6B is push. 6A is push also. Play with this. I'm sure you will find it =] Try also without reversing the order of the bytes.
Peace.

Bratscher
March 12th, 2001, 13:18
Quote:
BeAR (03-12-2001 01:33):
Quote:
Brtacher (03-09-2001 14:06):
I mean the Jump.


OK. I disassembled it with w32dasm. I know that the rejection message is "unauthorize registration..." I couldn't find it with a text search in the disassembly. Hmm... I looked for it in the exe with just a hex editor: bingo! I found the offset (0x002B454E), and just a few bytes before it is "Company successfuly registered". This looks promising.

I agree.


What I don't get is why the text didn't show up in the disassembly search.
Guess I shouldn't fret over that too much.


I don't know either, it is irrelevant.


The next question for me is: how can I exploit this? Is there a way to watch if the text at that offset in the file is read?

Sure, there are several ways.
1. Try to break in the software early in its execution, perhaps with BPX GetVersion.
When you are inside the app code, the CS and the DS will be pointing to the program code and data respectively. Now search for the strings "unauthorized registration..." and "Company successfuly registered". Put BPRs on the memory locations in which SoftICE found the strings. Clear the BPX GetVersion and let the program run. Try to register, and SoftICE will break whenever the "unauthorized registration..." is read. Write down the instruction offset it breaks on, BPX on it, trace a little around it, and try to figure out who calls this code and where it is called from. Use both the dead listing and SoftICE. That way you may zero in on the protection.

I'm not sure how to do that in SI, but I figure it'll get me closer to the test and jmp routines I'm trying to find. Or would this be another wild goose chase?

It certainly can be another wild goose chase, but it is fun.
-B


Good luck

BeaR
March 14th, 2001, 17:44
Well....
I did a BPR on the "unauthorized" text and worked backwards through the jump. I did a bpx hmemcpy at the point of entering the guessed auth code and worked forward. When I met in the middle, I was happy because I figured I was REALLY close. After that things got confusing. Near as I can tell there are 3 CMP/TEST points before it starts the routine that pulls up the "unauthorized" stuff. The first one tests if a register equals 0008h and then jumps over a call. So does the second one, but it tests for 8000h. Then it does a bunch of move operations (about 10) and does another test. This test jumps over a call and then heads on to the "you're a bad person" routine (at least I think it does). I decided to change the JNZ to a JZ at the first test so I could trace into that call. That's when things got confusing. Could I email or post the code to have someone look at it? I'm obviously not seeing something here and I hope someone could help me along. I sure wish I could just have an experienced person over my shoulder sometimes.
-B

bratcher
March 15th, 2001, 17:17
Bear,

Your e-mail does not work.

BeAR
March 15th, 2001, 18:04
Sorry, I goofed on my login. Try blanstengern@hotmail.com. That should work. BTW, thanks.
-B

BeAR
March 21st, 2001, 18:46
OK, here's the approach I've taken. Let me know if there's a better way or if I'm missing something. By now it should be obvious I'm a total newbie. Anyways...

I'll start up the target program and get to the registration screen. I fill in some info and then position my mouse over the "OK" button. At this point I CTRL-D into softice and set a bpx on hmemcpy. I flip back to the prog and click OK. When it breaks, I'll F10 a few times until I see something like:
REPZ MOVSD
POP ECX
AND ECX,3
REPZ MOVSB

At the REPZ MOVSB I'll type 'd ds:si' to see the validation code I typed. Same with 'd es:di'. I'll see that di is at seg:offset, so I'll type 'page seg:offset' (whatever seg and offset showed up from es:di).
I'll take the value reported at 'Linear' (usually in the 80xxxxxx area of memory) and bpr on it. Something like 'bpr 30:80234A38 30:80234A38+12'. I'll clear the breakpoint on hmemcpy and go on with the bpr. When it breaks, I'm in USER! code, so I'll F12 back until I'm in accware code. I'll see something like this:

2B77:E342 CALL USER!CALLWINDOWPROC
2B77:E347 POP DI <---WHERE I LAND IN THE ACCWARE CODE
2B77:E348 POP SI
2B77:E349 LEA SP,[BP-02]
2B77:E34C POP DS
2B77:E34D POP BP
2B77:E34E DEC BP
2B77:E34F RETF 000A ---> Goes to USER!BEAR498+016F

(I F12 a couple of times to come back to accware code)

2B77:ACF3 CALL USER!SETWINDOWTEXT
2B77:ACF8 POP DI <---WHERE I LAND AFTER USER!BEAR498
2B77:ACF9 POP SI
2B77:ACFA LEAVE
2B77:ACFB RETF --->This bounces to another location still in accware code

2B5F:0975 MOV DI,[4088] <---Where I land from the previous RETF
2B5F:0979 MOV DI,[4092]
2B5F:097D TEST WORD PTR[DI],8000
2B5F:0981 JZ 0988
2B5F:0983 CALL 2B1F:1744
2B5F:0988 TEST WORD PTR[40A2],0008
2B5F:098E JZ 0995
2B5F:0990 CALL 2B1F:09E6
2B5F:0995 MOV BX,[DI+02]
2B5F:0998 MOV [4092],BX
2B5F:099C MOV AX,[BX+12]
2B5F:099F MOV [409E],AX
2B5F:09A2 MOV AX,[BX+10]
2B5F:09A5 MOV [40A2],AX
2B5F:09A8 SUB AX,AX
2B5F:09AA MOV AL,[BX+04]
2B5F:09AD MOV [4098],AX
2B5F:09B0 MOV AL,[BX+05]
2B5F:09B3 MOV [409A],AX
2B5F:09B6 MOV AX,[BX+18]
2B5F:09B9 MOV [4096],AX
2B5F:09BC MOV AX,[BX+1A]
2B5F:09BF MOV [4094],AX
2B5F:09C2 SUB DI,0E
2B5F:09C5 TEST WORD PTR[4034],FFFF
2B5F:09CB JZ 09D2
2B5F:09CD CALL 2B27:2F62
2B5F:09D2 POP ES
2B5F:09D3 MOV AX,[4264]
2B5F:09D6 MOV CX,0000
2B5F:09D9 CALL 0685
2B5F:09DC RET <---RETURNS TO 2B5F:03EB


2B5F:03EB XOR AX,AX <---I've been able to backtrack to this point*

* Using the other method listed in this thread, where I bpx GetVersion and look for the "unauthorize" text, then bpr on the location of the text and try to trace back. I've tried to look at the code above this line and bpx in there, but I seem to be having trouble with SoftICE. When I try to set another breakpoint and Ctrl-D out to test it, everything locks up or moves really slow.

I could be wrong, but I suspect that the rest of the code carries out the "bad registration" routine. This makes me believe that the above code is the area to focus on. I'm a newbie, so I may have missed something important. One of my fears is that I'm totally off the mark.
Anyways, that's what I have so far.