WinDbg (Debugging Tools for Windows – Microsoft FREE utility to debug programs)
IDA32 (Interactive Disassembler – to reverse binaries to asm source)
Hiew32 (Hex editor – to change binaries)
Assembler language knowledge :)
I’ll skip all my wrong attempts to find the real initialization/license checking code block (it took almost two days to get to the right program point to start thinking on) and, as usual, it was mostly done by intuition.
After reversing lm70.dll, I got a very good source file with excellent function names and some links to interesting string variables, like “Init”, “CheckRWAccess”, etc. After investigating these string variables, I found a function which writes “current operation” logs with status flag indications, so it was real debug output (maybe the developers forgot to remove it). The function writes output depending on a “debug switch” being on or off, so set it to “true” to get operation results output to a file (“C:\Documents and Settings\<user>\Local Settings\Temp\lm60trc.txt”). The most interesting thing is that all functions return only error codes (“0” if all is fine or “<> 0” on error)! Going through the “CheckRWAccess” functions, I noticed a code sequence which fills a memory block with non-logical data, but before the procedure ends, that non-logical block was decoded into different license database file names (cfgamp.dlls). After that I changed my PC timer 20 days forward. When investigating the “Init” function results, I set the results to “0”, but LoadRunner told me “you have last day to evaluate program”. Nice… It was due to cfgamp, the license database, being encoded with a sub-status – “you have one day left”. Finally, I determined a complete solution with no time restrictions and no message boxes.
Done with LRLauncher, but when executing LRController – it hangs on the user amount – another procedure, another check, so the previous lookup method doesn’t help much.
After that I restored the Temporary license to get a closer look at how LRController works. On a user amount > 25 it shows a license warning message box – excellent, let’s start from the MessageBoxA function. By setting a breakpoint on MessageBox I got the program point where this message box is called, and unwound execution until I found where the condition “licensed max amount <= current_user_num” is checked. It was a single procedure called from the lm70!Test function. After I set that procedure to return “0 (all fine)” it works with 100 users w/o problems.
Note: to get a more detailed brief you need to install at least IDA32 or WinDbg.