WiseInstaller help?!


ramin_rad2000
April 2nd, 2004, 09:49
Greetings dear reversers
I'm stuck with a WiseInstaller target which asks for a productID and registration number. Wise calls some security functions from a dll in the temp dir [Hmi32.dll], which is very confusing.
I bmsg on the registration form, and after searching memory for what I have entered and finding their addresses I simply put a bpm on them, but it is all so confusing, and it never does a clear cmp or lstrcmp.
As far as I have gone, the respective dll function is _hmrvalidp@32, which calls hmr3valid after it is passed some parameters [name,city....,productID,regnum]
I have cracked the installer password itself and extracted all the files and I knew where to copy them, and I also dumped Wise memory. I found all of the filenames and their destinations in it, and after that I also found that the registry structure (which has to be made) exists in the memory (dumped), but some of them are hard to simulate, like {SOFTWARE\HaestadMethods\%APPNAME%\%VERSION% %BUILD% Build}
Here is my question:
Can I simulate the Windows registry from this dumped data [hmi.txt]? Or can anyone help me to find the serial itself, or any brute way to disable these dll calls?

Attachment deleted...

dELTA
April 2nd, 2004, 20:12
It sounds to me like that called dll function might do all the tests and then return a simple boolean (like for example 1 or 0), have you tried to analyze and patch the return value of that dll?

ramin_rad2000
April 3rd, 2004, 03:17
Quote:
[Originally Posted by dELTA]It sounds to me like that called dll function might do all the tests and then return a simple boolean (like for example 1 or 0), have you tried to analyze and patch the return value of that dll?

Well, I don't know why they deleted the attachments, I haven't asked for a crack.
There was a text file in the attachments with the dumped memory. I thought that could help. The dll returns something like:
--------------------------------------------------------------------------
%TEMP%\HMI32.dll _HmR3Validp@32 211960
40COMPANY
40CITY
40STATE
40PRODUCT
40VERSION
40PRODUCTID
40REGNUM 1VALIDREG VALIDREG 1 f16 0VALIDREGTRUE
f16 0VALIDREGFALSE  %TEMP%\HMI32.dll _HmCRCCheckp@8 211960
40PRODUCTID 1VALIDPRODUCTID VALIDPRODUCTID 1 f16 0VALIDPRODUCTIDTRUE
f16 0VALIDPRODUCTIDFALSE  VALIDREG TRUE VALIDPRODUCTID TRUE f16 0VALIDREGDATATRUE
f16 0VALIDREGDATAFALSE 
f16 0VALIDREGDATAFALSE  VALIDREGDATA TRUE %TEMP%\HMI32.dll _HmR2Lp@8 211960
40REGNUM 2LC %TEMP%\HMI32.dll _HmR2Sp@8 211960
40REGNUM 2SL SL 0 f16 0SL99  PRODUCT FMW f16 0SL0 
دظb×غb¨ DISPLAY Error  INSTALLCOUNT %LC% f16 0LC ×غb8قb* DISPLAY License Enforcer  
%NAME% f16 0OPTIONS/skipdisk  f31 3DIRECTIONDISPLAY91012632256232566321280633562Enter User Name CMDLINE /HMISuperUser 1Display ReadMe CMDLINE /HMISuperUser 0Select Destination DirectoryStart Installation >cca DISPLAY Enter User Name ccr DISPLAY Display ReadMe f16 24ALREADYAGREE%RESPONSE% cنcآ DISPLAY Select Destination Directory
--------------------------------------------------------------------------
I guess if I enter the right pass then the prog shows this message:
Select Destination DirectoryStart
Can I somehow bpm on this to find out the right program flow?

ramin_rad2000
April 3rd, 2004, 17:37
I have cracked the prog by patching the dll return calls [quite interesting]
and I have written a patch like this in the dll
original:
--------------------------------------------------------------------------
sub aaaa
push.....
.
.
.
call sub x
bbbb: pop eax
.
.
.
ret
--------------------------------------------------------------------------
patched:
--------------------------------------------------------------------------
sub aaaa
push....
.
.
.
jmp xxxx [some where at the end of .rdata]
pop eax
.
.
.
ret
--------------------------------------------------------------------------
.
.
.
xxxx push esp
push eax
mov eax,yyyy
mov ds:[nnnn],eax
pop eax
pop esp
call sub x
jmp bbbb (next offset after call sub x in sub aaaa)
--------------------------------------------------------------------------
It works fine in win98 but in winxp it crashes, I wonder why?
Unfortunately I couldn't configure sice to work in winxp and so I can't debug!
Any tips?

doug
April 3rd, 2004, 18:29
what about relocations? did you fix that too?

if all the code you pasted is stuff you added, then you should consider what happens when the code is loaded at a different imageBase than the preferred one.

ramin_rad2000
April 5th, 2004, 15:02
That is exactly what I have thought of, the program saves the address in edi somewhere but I couldn't find out where. Probably it is something like: mov edi,[ebp+x].
You are absolutely right, the memory address which I patched is somewhere in wiseinstaller itself (it stores dll return data there). Well, I have to trace more!
Thank you very much