View Full Version : cracking licence files


llsnr76
December 25th, 2003, 11:26
Hi.. I have this software for which I received a validation key which has the number of licences encoded in it. An executable is run using this validation key which generates a licence file stored in the system folder in encrypted format. Another executable loads the validation details from the licence file. Can anyone tell me how I could go about altering the licence file so that I can use any number of licences?

naides
December 25th, 2003, 12:26
Quote:
[Originally Posted by llsnr76]Hi.. I have this software for which I received a validation key which has the number of licences encoded in it. An executable is run using this validation key which generates a licence file stored in the system folder in encrypted format. Another executable loads the validation details from the licence file. Can anyone tell me how I could go about altering the licence file so that I can use any number of licences?


You would have to go backwards.
Disassemble the last executable and find strings like 'not enough licences' or so. It might be comparing the licence number to a limit stored in some variable in memory (let's call it Max_license_Number).
Now track where the contents of that Max_license_Number are generated, so you can reverse the licence file encoding. With this in hand you need to disassemble/debug the executable that generates the licences from the key and reverse the key-generating device.

The lateral solution, or lazy-boy approach, would be to just patch the license_limit routine and save yourself a trip into cryptanalysis.

All this is easier said than done, but it is the best answer to your less than specific question I could come up with. Ho Ho HOoooh Merry Christmas!!

llsnr76
December 26th, 2003, 01:17
Hi.. thanks for the reply. The executable that checks for licences loads into memory as a service and then listens to all requests for licences coming from clients. Can anyone tell me what breakpoint I should set in SoftICE so that I can know what communication is taking place between the licence daemon and the client executable that requests the licence?

evlncrn8
December 26th, 2003, 03:03
Quote:
[Originally Posted by llsnr76]Hi.. thanks for the reply. The executable that checks for licences loads into memory as a service and then listens to all requests for licences coming from clients. Can anyone tell me what breakpoint I should set in SoftICE so that I can know what communication is taking place between the licence daemon and the client executable that requests the licence?


Why not disassemble the service, see what imports it uses, and then pick which ones to bpx?

llsnr76
December 26th, 2003, 17:22
Hi guys, thanks for the replies. I am a newbie so I'm still struggling with this. Here are some details about the Licence Server, so I hope someone could give me a clue how to go about it.

Licence Server listens to licence requests issued by running BSHELL's.
When first launched, a bshell issues an initial request to the Licence Server. A TCP socket is created at each request, and deleted when request is served.
These sockets stay in ESTABLISHED status not more than a few microseconds, they then fall into TIME_WAIT status for several minutes.
At the initial request, the Licence Server subtracts one from the licence counter.
The licence server listens to port 6003 for requests. The licence Server reads all information from an encrypted licence file stored in the system root directory. I have a valid key for 15 users. So obviously it is comparing licence counter with 15.

What breakpoints should I set to know what happens when a licence request is being made, or which register is storing this 15 for comparison?

dELTA
December 26th, 2003, 18:30
A funny method that might work is to use a game trainer tool on the license server process, tracking the memory address where the number of remaining licenses is stored. Once you track this address (if the program is not protected from such a simple trick, for example by some elementary in-memory encryption, which is of course quite possible) you have several alternatives. You could create an external loader/attacher that patches this address directly in memory (a trick for which there might of course also be countermeasures). An even better approach, although requiring a little more effort, would be to attach to the license server process and put a memory breakpoint on this address, then tracing, analyzing and patching the code that manipulates it, preferably directly in the static exe.

This is of course just a few out of the hundreds of possible methods to proceed, but they are quite straightforward and efficient if they succeed.
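The trainer-style address hunt dELTA describes, worked through in code. This is an added illustration, not code from this thread or from any trainer tool. The memory layout, the offsets and the three snapshots are constructed for the example; on a real target the snapshots would be read from the live service process (ReadProcessMemory on Windows) before and after each licence request, and the counter is assumed to be a plain little-endian integer, which, as dELTA notes, a server with even elementary in-memory encryption would defeat. An empty result from the search is how that case shows up here.

```python
import struct

WIDTH = 4  # assumption: the counter is a plain 32-bit little-endian integer


def build_image(counter, decoy_a, decoy_b, size=256):
    """Constructed stand-in for one snapshot of the licence server's memory.

    Offsets and layout are invented for the demonstration; a real snapshot
    would come from ReadProcessMemory (or a trainer's scan) on the live process.
    """
    buf = bytearray(size)
    struct.pack_into("<I", buf, 0x20, 15)        # fixed licence limit: never changes
    struct.pack_into("<I", buf, 0x64, counter)   # remaining-licence counter: the target
    struct.pack_into("<I", buf, 0x9c, decoy_a)   # unrelated field that also starts at 15
    struct.pack_into("<H", buf, 0xd0, decoy_b)   # 16-bit field that tracks the counter for a while
    return bytes(buf)


# Three snapshots, taken before and after successive client requests, paired with
# the value the counter must hold at that moment (15 licences, then 14, then 13).
SAMPLE_OBSERVATIONS = [
    (build_image(counter=15, decoy_a=15, decoy_b=15), 15),
    (build_image(counter=14, decoy_a=15, decoy_b=14), 14),
    (build_image(counter=13, decoy_a=14, decoy_b=14), 13),
]


def scan_value(image, value, width=WIDTH):
    """Every byte offset at which `value` appears as a little-endian integer of `width` bytes."""
    needle = value.to_bytes(width, "little")
    hits = set()
    pos = image.find(needle)
    while pos != -1:
        hits.add(pos)
        pos = image.find(needle, pos + 1)   # overlapping matches are allowed
    return hits


def narrow(candidates, image, value, width=WIDTH):
    """Keep only the candidate offsets that hold `value` in this newer snapshot."""
    needle = value.to_bytes(width, "little")
    return {off for off in candidates if image[off:off + width] == needle}


def locate_counter(observations, width=WIDTH):
    """Trainer-style search: seed candidates from the first snapshot, prune with each later one.

    `observations` is a list of (snapshot_bytes, expected_counter_value).
    Returns the surviving offsets, sorted. An empty list means the value is not
    stored as a plain integer of this width: encoded or encrypted in memory, or
    kept as a different quantity (licences used rather than licences left).
    """
    if not observations:
        raise ValueError("need at least one snapshot")
    image, value = observations[0]
    candidates = scan_value(image, value, width)
    for image, value in observations[1:]:
        candidates = narrow(candidates, image, value, width)
        if not candidates:
            break
    return sorted(candidates)


def patch_value(image, offset, value, width=WIDTH):
    """Return a copy of the snapshot with the integer at `offset` overwritten.

    Against a live process this is the WriteProcessMemory step a loader would do;
    it only helps if the server keeps re-reading the counter rather than re-deriving it.
    """
    patched = bytearray(image)
    struct.pack_into("<" + {1: "B", 2: "H", 4: "I", 8: "Q"}[width], patched, offset, value)
    return bytes(patched)


if __name__ == "__main__":
    found = locate_counter(SAMPLE_OBSERVATIONS)
    print("candidate offsets after narrowing:", [hex(o) for o in found])
    if len(found) == 1:
        bumped = patch_value(SAMPLE_OBSERVATIONS[-1][0], found[0], 1000)
        print("counter now reads", struct.unpack_from("<I", bumped, found[0])[0])
```

The first scan matches four places (the limit, the counter, a decoy, and a 16-bit field whose trailing zero bytes happen to look like a 32-bit 15); the second snapshot drops the two that did not move, and the third separates the real counter from the field that only tracked it for one step. That is the whole trick: the number of requests you need to make is however many it takes for every false positive to diverge. Once a single offset survives, a memory breakpoint on it in the debugger finds the code that decrements and compares it, which is the place to patch in the static exe.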

Woodmann
December 26th, 2003, 22:57
Quote:
Licence Server listens to licence requests issued by running BSHELL's.
When first launched, a bshell issues an initial request to the Licence Server. A TCP socket is created at each request, and deleted when request is served.
These sockets stay in ESTABLISHED status not more than a few microseconds, they then fall into TIME_WAIT status for several minutes.
At the initial request, the Licence Server subtracts one from the licence counter.
The licence server listens to port 6003 for requests. The licence Server reads all information from an encrypted licence file stored in the system root directory. I have a valid key for 15 users. So obviously it is comparing licence counter with 15.


It seems to me that if you can follow everything this program is doing you should be able to figure out how to patch it yourself.
Why are you so hung up on a SoftICE breakpoint? Not everything is as simple as setting a magic BP and getting your answer.
If the routine is encrypted, how will you proceed after you find the magic breakpoint?

Woodmann

JMI
December 26th, 2003, 23:04
Wood:

He has the secret decoder ring for that.

Regards,

llsnr76
December 27th, 2003, 08:40
Hi guys

Thanks to all of you guys for the help. Cracked it inside out today. Really made my day. One licence costs a bloody $3000.

Delta, thanks for your advice. Could get hold of a memory address that easily but managed to get into some other place that really helped.

Wood, didn't find any magical breakpoints, but I didn't feel like getting back to the board until I cracked the nut. Thanks for the push.

JMI