
View Full Version : Stuck with C-dilla Safecast protection


dee
May 4th, 2003, 01:06
The program is a 16-bit program protected
with C-dilla's Safecast; there is no trial, tryout or anything like that...
you just have to enter the unlock code to register the program

I have patched the program (the exe); it won't ask for the code and starts with
the list of the cars etc., but when I'm trying to go to the detailed
description by pressing OK or clicking on the car model or engine or ...
the program displays an error messagebox. Of course I can't take out that
messagebox, but the problem is:
I'm not getting any detailed description, and the toolbar at the top
stays disabled

I've tried everything; can't find how to make the toolbar and
detailed description work OK

I have patched some Safecast protections in the past, like
Autodesk Map, by resetting the license, and have reversed it with no need
to reset licenses to make it work. But I'm really, really
stuck with this 16-bit Autodata program; maybe I am doing something
the wrong way. I've attached screenshots, because the program is
huge and I can't upload it. Anyway, any suggestions, other solutions or help would be appreciated

Thanks

Best Regards

Kayaker
May 5th, 2003, 17:02
Hi

I edited your post slightly on a 'Report this post' request (which are appreciated for any posts people find inappropriate (or more so than usual anyway)). The question shouldn't be target specific other than to supply the name of the program IF it's necessary in providing an answer. A general reversing approach to any target is usually the best in any case.

You seem to be approaching this from a patching perspective, so C-Dilla and its registration scheme may or may not be involved. You've got a disabled toolbar and a message box with a GPF address as clues. Usual approach would be - input from the OK button can be traced with button notification messages, and the mouse clicks from a listbox or listview, or whatever Windows control your cars are listed in that you click on, can (should) also be caught with specific WM_COMMAND or WM_NOTIFY message BMSG breakpoints. Also, during creation of the toolbar there must be a check whether to enable it or not.

Hands-on tracing and use of the Softice Backtrace feature, if you've got it, should narrow down the code somewhat. There are several ways you could get into the code, but the real question here is if you can do this in 16-bit code as easily. The backtrace should work, just pay attention to the segments, but I've not tried BMSG breakpoints in 16-bit code. Just convert to the 16-bit APIs for whatever ones you might need and you should be able to break in somewhere.

Beyond that, there's not much answer to what the program might be doing until you explore it yourself. A little more detail on what you've tried might help.

Regards,
Kayaker

evlncrn8
May 5th, 2003, 17:27
could also be the safecast licence thingie, a kinda hybrid of flexlm that cdilla seem to use.. the disabled toolbar kinda implies that, because if it was normal safecast, once it's removed all should work as normal, considering it's more or less just exe crypt+api reroute

dee
May 6th, 2003, 06:50
How I got rid of that registration form:

I loaded the program from the entry point and traced down.
I found the call where the registration box is displayed and just changed the conditional jump. Then I found some checks which decide whether to exit or not if that box was not displayed; I made them go the right way too. The second call was checking whether the license is expired (if the registration box is not displayed it puts up a msg that the license expired); I made that go the right way too.
That's all; the main part loaded, everything is working, engines, cars and ... just the toolbar is disabled. I think it must be disabled in this first stage...
So I tried to see the detailed description of cars and boom, I got that error msg.
I backtraced it with Softice easily by putting a bpx on messagebox,
found the check where it is jumping to the sendmessage
to display the error, and just backtraced back to the call. I
found a call like this (don't know how to say it in English so giving you an example, sorry):
call far xxx [bx] - something like this
And that's all. I think this call is jumping to the right place if
the program is licensed, and if not, to that message, but I can't find the place where the license is checked and the right value is put to make the right call.
Oh, and I put a breakpoint on that call and I saw that everything goes through it.
It may be that I'm wrong about this call, because inside the function this call calls there is a check to jump through that messagebox or display it. I've traced down but with no success; I did not make the program display the toolbar and description right

I hope you understood what I tried to say here (sorry for my English)

Help if you can

Regards

Kayaker
May 7th, 2003, 18:18
Hi

Might as well continue with this. To start with, offering to upload a 650Mb file so someone else can help you crack it... is a crack request pure and simple (extravagant) and is not tolerated.

But I understand what you've done, and you can go further. You've traced back from the 16-bit Messagebox and found an indirect far call referenced by the bx register. Many calls the program uses may funnel through this one call, so what you should be able to find is a table of jump addresses. If there aren't too many of them you may be able to view them in a disassembler and see if one of the procedures looks like the path you want the program to follow. Somewhere in code before the main indirect call will be code which sets the value of bx; seeing how it's set will also give you clues.

You've worked backwards and found what may be a pivotal point in the program, we'll go with that assumption for now. Now you need to work forwards to that same point and understand the code. What I was getting at above is that another approach is to follow the input of the buttons or a left click on a listbox and find the message handling routine for the program. After Windows processes the notification message it will pass it to the handling code if it's been written. In there will be the check of whether to proceed to the Messagebox or elsewhere. It might be a simple flag or it might lead to a full blown registration check.

If you can't set an appropriate BMSG message breakpoint, any one will do to find what is the main message handling routine, or you might be able to recognize it in a disassembly if you understand how they are structured. Then you can set a regular breakpoint and figure out which hex number being handled from the stack (i.e. wm_command == 111h) belongs to the message you want to trace further; other parameters indicate the details of the message. If you can find your way through the codewoods this way you'll make progress, good luck.

Kayaker