Hey Olipro (Olly Professional? ;)),
Nice findings! Didn’t know there are also functions like ExGetLicenseTamperStat and ExSetLicenseTamperState to determine if someone is trying to circumvent the license checks. Maybe it’s possible to set a breakpoint in the ExSetLicenseTamperState function and watch in the Call Stack where it does some check before the TamperState is set using IDA Pro or Syser Debugger (successor of SoftICE) but there is also a possibility your system locks-up. Then I think you should use the Windows kernel debugger but I don’t have any experience with that.
Will take a look at this again when I have some more time.
Thanks for the info you provided! 🙂