Hello.
This is the first time I'm participating in this forum. Sorry for writing in English, I don't know how to write in Russian and didn't want to use Google Translator because it could be worse if you understand what I write already.

I have a copy of a software named Tricalc v7.5, link here: http://rghost.net/8JwXwp2P7
I have used OllyDbg v2.01 for my research. Initially the software was protected with Sentinel dongle, but not very well. It was just a pop-up (MessageBoxA) so I patched that and the dongle is not needed anymore, it works okay it seems.

The problem now is that this software has many "secret" menu options that are hidden and I can't find where they are in the main process or where to patch the code. It is more difficult because strings are not embedded in the main exe, they are loaded from a DLL for translation language file (Tengl754.dll) and that makes it more hard to track down. I have put breakpoints in lots of places but I failed to find it. There is also a demo for the main program that has almost all options and menus, still I wasn't able to find where the menus are set visible or hidden. I am very new to cracking, that's also the problem.

There are 2 EXE files:
- TRICALC.EXE (TRICALC_crack.EXE): This is the main program, but some options and menus are hidden: image1
- demoTricalc.exe: This is a demo (limited) but almost all options are visible: image2

I want to ask you to help me understand how to find the hidden menus and options.
Thank you.

P.S.: If anything is wrong or more details are needed, please say anything.

| Сообщение посчитали полезным:

1)
Is available english version of this software?

2)
Give to people missing std libraries:
- msvcp100.dll
- msvcr100.dll
- mfc100.dll
- vcomp100.dll

3)
Give to people example of project for testing this program.

| Сообщение посчитали полезным:

Thanks for your reply.

1)
There is an English DLL for the software, I forgot to pack it and set to default.

2)
I have uploaded a new zip with old files + the missing std libraries: --> Link <--

3)
Unfortunately I do not have any project for testing. The main problem is finding the missing options and menus which should be inside the TRICALC.EXE but are disabled/hidden. After that I could ask my friend to test the options or set up a project to test if they work as expected.

| Сообщение посчитали полезным:

Ok.

ner0 пишет:
It is more difficult because strings are not embedded in the main exe, they are loaded from a DLL for translation language file (Tengl754.dll)

See, - main menu strings-items loaded NOT from language resource file Txxxx754.dll

--Added--
Sentinel protection not disabled

| Сообщение посчитали полезным:

dosprog writes:
See, - main menu strings-items loaded NOT from language resource file Txxxx754.dll
No? But I found strings are inside DLL file Txxxx754.dll, menu ID 128 (example: POPUP "&Geometry" and "Ribbed-Composite Slab"): ResHacker

dosprog writes:
Sentinel protection not disabled
True, but so far I don't see any problem. Only had the pop-up error MessageBoxA at start, don't know if I need to patch RNBO_ functions. Do you think that these functions are the reason for the missing/hidden options?

| Сообщение посчитали полезным:

Hi,

if it's Sentinel then just patching one MessageBoxA() call wouldn't be enough.

In case you have at least one valid dongle available for the program - you can use available dumpers and emulators for Sentinel, more info and step-by-step guide regarding it you can find here: --> Link <--

Otherwise IMHO if you want analyze protection and remove it completely then a good starting point might be this: --> Link <--

| Сообщение посчитали полезным:

cryptX writes:
if it's Sentinel then just patching one MessageBoxA() call wouldn't be enough.
Maybe not, although I don't yet see any problem by just patching that message box.
And until I find a correlation between Sentinel and the missing menu I am not so sure if it's not enough.

cryptX writes:
In case you have at least one valid dongle available for the program - you can use available dumpers and emulators for Sentinel
For this program version I do not have, but I have for an older version.
I have tried to emulate it with Multikey but did not work, I used multiple dumpers but the result was always the same and got the pop-up error at startup. I used Multikey in the past without problems, but this time the emulated dongle is not recognized by the software as genuine.

cryptX writes:
Otherwise IMHO if you want analyze protection and remove it completely then a good starting point might be this: --> Link <--
Thank you, I will save this information for later because I do not think I am prepared for this level of complexity just yet.

| Сообщение посчитали полезным:

ner0 writes:
No? But I found strings are inside DLL file Txxxx754.dll, menu ID 128 (example: POPUP "&Geometry" and "Ribbed-Composite Slab"): ResHacker

Then try do so:
1) rename or delete file Tport754.dll, - then used Tengl754.dll. But menus items anyway in portugal language
2) try to find main menu items strings (in portugal language) in used file Tengl754.dll. Its missing.



| Сообщение посчитали полезным:

In:> FindFirstUnit DeveloperId=8941 (0x22ED)
Out:> FindFirstUnit DeveloperId=8941 (0x22ED) -> Status=0x3

-----
...или ты работаешь хорошо, или ты работаешь много...

| Сообщение посчитали полезным:

dosprog writes:
Then try do so:
1) rename or delete file Tport754.dll, - then used Tengl754.dll. But menus items anyway in portugal language
2) try to find main menu items strings (in portugal language) in used file Tengl754.dll. Its missing.
Yes, this is weird, you are right and I have had this issue before but did not understand why it happened.
But if I change the original strings from the DLL Txxxx754.dll and reload the language file (by changing languages and coming back to the same again) then it loads the changes. Another thing I noticed is that if I try to delete "Arktec.tnt" file it says that it is being used by the process "System"!??

In your opinion, where is it storing the strings, in memory or packed in the main EXE?
If I delete all the language DLL the program will refuse to load.

| Сообщение посчитали полезным:

BfoX writes:
Status=0x3

Yes, But its only begining..


ner0 writes:
In your opinion, where is it storing the strings, in memory or packed in the main EXE?
If I delete all the language DLL the program will refuse to load.

I don't know:/

) bfoX likes this dongles - he offers makeing emulation

| Сообщение посчитали полезным:

BfoX writes:
In:> FindFirstUnit DeveloperId=8941 (0x22ED)
Out:> FindFirstUnit DeveloperId=8941 (0x22ED) -> Status=0x3
I have never used Toro Monitor before, now I have.
Should I change the status code to something else than 3? Should be 0 (JNZ) maybe?

| Сообщение посчитали полезным:

ner0 writes:
Should I change the status code to something else than 3? Should be 0 (JNZ) maybe?

it's not enough.



| Сообщение посчитали полезным:

dosprog writes:
it's not enough.
Understood. I guess the 0x3 is SP_UNIT_NOT_FOUND
Also main problem now seems I would need a real dongle to know the correct values to feed to the program so that it would behave correctly. That's not possible, I do not have the dongle. Unfortunately I thought it would be easier, like changing some jumps or patching a few calls, but it is too complex for my level experience. I will try to learn more about the subject. Thank you.

| Сообщение посчитали полезным:

ner0 writes:
That's not possible, I do not have the dongle.

Then you should study as program works with menu, imho

--Added--
.. Ye, with original dongle there was easier ..

| Сообщение посчитали полезным: