Without the dongle, this application functions in a Demo mode. I quickly discovered the place where it calls SC16W.DLL, which reads the dongle data. Moving into AX the proper bytes after the call enabled me to print data (This seemed to change the way menus in the program appear). When I try to open a file or save a file, I can't. The application only checks for the dongle when the program is initialized, so my guess is that if the proper dongle is found, it writes something to memory which it checks later on when you want to open a file. Any help regarding writing and reading from memory, or any other suggestions would be appreciated.
Once I can beat this dongle on the applicatioin side, I hope to learn how to re-write the dll that calls the dongle, but I need to learn a little more assembler. Playing with a 32 bit version of a cracked calling dll and inserting the data from my dongle and renaming the procedures didn't work.

Does this target has an URL??

meRlin

Unfortunately the target is not available from a URL. It is a specialized CAD program.

Spiv (04-01-2001 22:18):
Without the dongle, this application functions in a Demo mode. I quickly discovered the place where it calls SC16W.DLL, which reads the dongle data.

What functions are exported from SC16W.DLL?
If the number is small enough try to identify the one that provides the bytes for EAX.

Moving into AX the

(How do you know the proper bytes?, can you trace where they came from?)


proper bytes after the call enabled me to print data (This seemed to change the way menus in the program appear). When I try to open a file or save a file, I can't.


The application only checks for the dongle when the program is initialized


(Are you sure, did you BPIO -h 278 R,BPIO -h 378 R )

so my guess is that if the proper dongle is found, it writes something to memory which it checks later on when you want to open a file. Any help regarding writing and reading from memory, or any other suggestions would be appreciated.


IF your hypothesis is correct the flag that says "dongle present" should be in a global variable in the main .exe program or in a static variable within the SC16W.DLL. Both global and static variables are read like this:


mov EAX,[00456328]

of course EAX and the address are illustrations, but constructions like this, containing the characters ,[ are usual in accessing global variables. Of course the flag may be addressed indirectly, which would create code which is more difficult to spot, like

mov EAX, dword ptr [EBP-14]

but it is worth trying.



Once I can beat this dongle on the applicatioin side, I hope to learn how to re-write the dll that calls the dongle, but I need to learn a little more assembler. Playing with a 32 bit version of a cracked calling dll and inserting the data from my dongle and renaming the procedures didn't work.[/QUOTE]

First let me thank you NOBODY for your input.

SC16W exports the functions SCREAD and SCINIT. Other exported functions are either not called, or called after the dongle's presence is confirmed. I have tried step by step tracing after these calls, but there is so much code to wade through and nothing jumped out at me like "here is the write to memory to indicate that the dongle is present."

The proper bytes were determined both by a simple or ax,ax jne and a cmp ax, 2239 jne. I also have the dongle in my posession, so I can break at these points and compare the results with and without the dongle. I suppose having the dongle in my posession should make this exercise a lot easier, but . . .

A BPIO -h 278 R, yielded no breaks, and a BPIO -h 378 R broke in SC16W.

The program is filled with indirect addressing so it is difficult to find the key spot.


A Few New Questions regarding Softice:

Is it possible to run a section of the program with and without the dongle, where Softice saves the tracing of the code into a file, and then comparing the two files? I am trying to find a tutorial on the back trace history buffer, but have yet to find the right one.

Is it possible to have the program executing with Softice in another window tracing through the code, or are the T, P and F12 commands the only way?

How does one begin to trace after choosing a menu item with the mouse. Now I try and hit the mouse and CTRL-D a fraction of a second later, but I am sure there has to be a better way.

excuse the uppercase, it is diffcult to intercalate comentaries in this board

Look also:

http://www.idca.com/~thesandman/si-ug-chapter09.txt

I just received the new version of my application. This is completely re-written for Windows and bears little resemblance to what I have been working on. As much as I would like to continue, I may as well work on the new version.

The dongle calls are in a new dll (criter.dll) so it is back to the drawing board for me. I do not believe that this is Rainbow’s, but written by the software vendor. A cursory glance at it shows tests for CPLUS, PRO and SPRO so it should be interesting to work on and learn on.

It is puzzling that I do not get a break from bpio –h 378 r, nor from 278 nor from 3BC. Are there any other parallel port interrupts to break on?

I’ve learned much thanks to the input from this board, and still being a newbie expect I will be back for some more tips. Thanks again.

Hi

>It is puzzling that I do not get a break from bpio –h 378 r, nor from 278 nor
>from 3BC. Are there any other parallel port interrupts to break on?

Do remember that each printer port is 3 consecutive addresses. The base address is the data port (I think, it is a while since I dealt with them). You may well find that the dongle is actually being accessed through the handshake lines, using software generated serial.

Another possibility is that anti-softice code detects you are trying to BPX on a port, and so branches the code out (in the DLL) so it always takes the demo route as though the dongle is not there.

Thanks to a tutorial by ACiD BuRN I learned that you can break on DeviceIOControl which worked in this new application. My application uses the SENTNEL.VXD virtual device driver.

I have found a result code for the dongle not being found which can be bypassed (JNE to JMP)(even though there are about 30 places where this is set in the dll and 30 places where it is compared in the application, but I'll trace which ones are called)but this causes a General Protection Error later on when the program tries to reference memory using EAX and ECX. So I guess I'll find the values these have to be and try to find where they are set.