I am working with TARGET NAME DELETED. I have been reading numerous tutorials and have gotten stuck. The program will take any key entered, thank you for registering, write the value to the registry, then ask you to restart. On open (restarting), using regmon I find that it reads the input key from the registry. I suspect that the compare is done then, but have no idea where/how to set the breakpoint in SoftIce since it is done before any dialogs.

In addition to all of that, I find that using W32DASM only shows a details page when opening the exe. If I dissassemble the exe I get all of the code, but can edit/patch the code. I think the program is VB from the DLLs it installs, so it may be a p-code/native issue. Unfortuantely with the tutorials I have read, I can't find anything that identifies how to tell which is used.

If anyone can help, or point me to a tutorial that will "clear things up" for me I would appreciate it.

IF you had actually read the FAQ you would realize that your post is within a hair's breath of violating the Rule which states:

"DO NOT POST TARGET SPECIFIC CODE THAT INCLUDES THE NAME OF THE TARGET: this means do not post code that shows where and how to patch/keygen blah blah blah on a specific target. Keep your code snippets as generic as possible while explaining your problem."

While you didn't actually post any "target specific code," you did post the "name of the target" and invite "someone else" to give you the point in the code "for that specific target" where that compare might be done. That is not permitted here. With the name of the "target" deleted, someone can give you "general" concepts on how you might find a compare of the key you entered with one that "works" without violating this Rule. Otherwise your post falls in the nature of a "Crack Request," and would disappear. I hope, for your sake, you understand the difference. If someone responds with questions about the target, such things may be discussed by PM or e-mail only.

By the way, regmon should tell you "where" the program is reading that registry entry. That might not be a bad place to start with your search. That call comes from somewhere "within" the program, and then the program must "do" something with what it has "read" don't you think????? Does that not suggest a breakpoint on the registry read regmon shows you? Doesn't it give you the title of the API????

Regards,