r2v by ablesoft 5.5.002 help please


Johannes
March 8th, 2001, 03:58
Hello,
I do not do much of this so please forgive my skill set. I am working on a target called R2V (raster to vector). It is written by ablesoft.
It is available here:
http://www.ablesw.com/r2v/r2vsetup.exe
The password upon installation is r2v567

The program is designed to run with a dongle.
When I disasm the main exe file with w32dasm, I find the main dongle check at the below location. (sorry if the formatting gets messed up.)
...So, I go to
:00461574 751E jne 00461594 and I just change that to 741E je 00461594, and I get past the dongle check just fine. But then I get some errors when I try to export a file as a vector format... basically the program thinks it is in demo mode. I suspect that my patch only created more work. Please advise me any way you can. Thanks for the help as always.
Johannes


:00461549 55 push ebp
:0046154A 8BEC mov ebp, esp
:0046154C 6AFF push FFFFFFFF
:0046154E 68DA455200 push 005245DA
:00461553 64A100000000 mov eax, dword ptr fs:[00000000]
:00461559 50 push eax
:0046155A 64892500000000 mov dword ptr fs:[00000000], esp
:00461561 81EC480A0000 sub esp, 00000A48
:00461567 898DB4F5FFFF mov dword ptr [ebp+FFFFF5B4], ecx
:0046156D E874DCFFFF call 0045F1E6
:00461572 85C0 test eax, eax
:00461574 751E jne 00461594
:00461576 8B85B4F5FFFF mov eax, dword ptr [ebp+FFFFF5B4]
:0046157C C7804405000001000000 mov dword ptr [ebx+00000544], 00000001
:00461586 6A00 push 00000000
:00461588 6A00 push 00000000

* Possible StringData Ref from Data Obj ->" Hardware key missing ,export is "
                                        ->" limited to small images."
|
:0046158A 6810E05400 push 0054E010
:0046158F E82FC60A00 call 0050DBC3

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00461574(C)
|
:00461594 8B8DB4F5FFFF mov ecx, dword ptr [ebp+FFFFF5B4]
:0046159A E85B380A00 call 00504DFA
:0046159F 8B4D08 mov ecx, dword ptr [ebp+08]
:004615A2 51 push ecx

nobody
March 8th, 2001, 22:52
Hi.

You already realize that the jump reversing was not enough, and the program checks the dongle in AT LEAST one other location. From what you posted, you reversed the code that generates the message " Hardware key missing ,export is " ... but not all of the dongle check.
For starters, I would:
1. Trace into :0046156D E874DCFFFF call 0045F1E6, which seems to check for the existence of the dongle and return the answer in EAX. Perhaps reverse the subroutine to ALWAYS return something different from 0.
2. In a disassembly, look where else the subroutine 0045F1E6 is called.

This is just a starting point, it may, or more than likely may not solve your problem.

Regards


goatass
March 8th, 2001, 23:07
Hi Johannes,
Try to figure out what dongle the program is using; that would help a lot. Look at the imported functions: they might sometimes have the names of the dongle APIs. Do a string search for HASP or Sentinel (RNBO) in a hex dump of the executable and in the disassembly; that sometimes will tell you which dongle you are dealing with.

Your best bet is to trace into 0046156D E874DCFFFF call 0045F1E6 like nobody said and set a BPX in there; that way you can see if it gets called from somewhere else. Also don't forget the usual dongle breakpoints.

BPIO -h 378
BPX FreeEnvironmentStringsA (used in HASP)
BPX DeviceIOControl (used in HASP and SSPro)
BPX CreateFileA (useful to see if a dongle driver is being opened)

Read some other dongle papers to get some more ideas on how to identify which dongle is being used.

goatass

bAZiK
March 11th, 2001, 12:12
Johannes,

:0046156D E874DCFFFF call 0045F1E6 ; call a Function at 0045F1E6
:00461572 85C0 test eax, eax ; test the return value
:00461574 751E jne 00461594 ; if value = 1 then jump

What you need to do is go to the function at 0045F1E6. You can see that this function is called several times:

* Referenced by a CALL at Addresses:
|:00448F31 , :00449199 , :0044941B , :00450323 , :004600E5
|:00460669 , :00460863 , :004608E3 , :0046156D , :00461AB8
|:00461DF6
|
:0045F1E6 55 push ebp
:0045F1E7 8BEC mov ebp, esp
:0045F1E9 83EC1C sub esp, 0000001C
:0045F1EC 66C745F4CF18 mov [ebp-0C], 18CF

You can now go to every call and make a JMP or JE out of the following jump, or (easier) just modify the function so that it always returns 1:

:0045F1E6 B801000000 mov eax, 00000001
:0045F1F1 C3 ret

And your problems are solved ;-)

12399
March 15th, 2001, 02:26
Thanks for responding and for helping. I really appreciate you taking the time to try and explain the code. I guess that I do not understand how to read the assembler instructions fully. I have finished the task and the program works beautifully, but I would like to do it a few more ways. What is the point if I am not learning? I like the "global" patch that just returns the right data. I also would like to modify the TEST lines in each location where the sub is called. I just do not know all the syntax... any thoughts?


Quote:
bAZiK (03-11-2001 09:12):
Johannes,

You can now go to every call and make a JMP or JE out of the following jump, or (easier) just modify the function so that it always returns 1:

:0045F1E6 B801000000 mov eax, 00000001
:0045F1F1 C3 ret

And your problems are solved ;-)