Results 1 to 2 of 2

Thread: win16 soft over nt

  1. #1

    win16 soft over nt

    Hi.. first excuse me for my english. I hope that you can read this correctly.

    I'm studying a soft developed to win16. That soft was protected with hasp3 dongle and envelope. When w2000/XP come out the company give us a recompiled version (still in win16) but using Nt drivers of hasp (hdd32).

    i'm looking around, reading tutos and documents about hasp3, but (perhaps cose i'm a begginer) nothing help me. For example, casmate runs over hasp3 and win16, but the drivers for it are 16bits, or other studies talks about win32 progs with win32 drivers...

    I tried to trace the program, but i'm very frustrated becouse i'm not able to put a breakpoint that let me in it. I supouse that win16 calls not works in XP thanks to ntvdm / wowexec.

    In a "no useful" dissasemblig over the soft i see about 53 CS (could be the called "mod" of hasp envelope?) and a ┐EP?... but i can't see how to bp the process.

    If that wasn't enought, the soft (although the SI was not loaded) don't starts (remains on memory together ntvdm loading the CPU process up to 99%)... the soft with the IceExt loaded into SI, don't start but don't remains on memory... I think the hasp3 envelope has any trick here... but with IceExt either....┐?┐?

    Too long, i know.... sorry . Anyone have info/docs or can help me?... I forget to say that i have the original dongle.. hasp3..... but in the disassemblig code I saw the string "hardlock.vxd".. strange┐?

    Thanks a lot.
    Potros.
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  2. #2
    I have been seeking a bit more, and i find a tip.. to use WinDbg... Seems to work well loading win16 programs under XP... (Wldr didn't load the program). Now i can get me in with SI

    Now i have entered in and saw a little more. Lot of Ki calls... until a sysenter command, after that the program is loaded (well.. not at all, didn't load cose SI is loaded i think). At this point the trace is unusable becouse when trace a command the next line change, line after line, the code goes changing itself. I can see 3 threads. Can i supouse that one thread is decrypting/unpaking the other code?

    I found a post in with there is talking about change SYSENTER/SYSCALL instruction with INT 0x2e. I don't understant it very well, but i need to do that to trace into changed sysenter command? I understant sysenter goes into ring 0 (kernel mode) and int 0x2E into ring 3 (user mode)?

    See you.
    Potros

    PD: Excuse the replicate of the post... seems to have a problem with forum yesterday.... fixed it.
    Last edited by potros; September 24th, 2005 at 16:35.
    I promise that I have read the FAQ and tried to use the Search to answer my question.

Similar Threads

  1. One soft protect by crypkey.
    By banch in forum The Newbie Forum
    Replies: 10
    Last Post: June 7th, 2013, 06:11
  2. newnie want ollydebug soft
    By ugam in forum OllyDbg Support Forums
    Replies: 2
    Last Post: January 6th, 2006, 08:14
  3. Reversing win16 applications???
    By BobRock in forum Malware Analysis and Unpacking Forum
    Replies: 4
    Last Post: June 22nd, 2002, 05:19
  4. Armadillo protected soft
    By LaptoniC in forum Advanced Reversing and Programming
    Replies: 8
    Last Post: May 7th, 2001, 06:57
  5. Advice about win16 apps
    By allan in forum Malware Analysis and Unpacking Forum
    Replies: 1
    Last Post: January 25th, 2001, 16:14

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •