Sometimes TS is bad implemented through the hook thats talks to the main app, i mean some developers left the front door opened
S0lidw0rks by DSS is already a relevant example.
Last time i have mentioned about some weak point. Well, the weakest point of libFNP ASR-based activation is the a Trusted Storage itself. There is an assumption, if something is put into TS it becomes trusted. So, if you inject a tampered ASR into TS via the cracked libFNP library, the original library will treat it as legal.
It is also possible to inject a tampered ASR without any memory or static patches, all that you need is to kill some exceptions with VEH during ASR processing call.
Then you have to write your own routine to obtain the context of trusted storage and make a call to _flxActAddSpecifiedASR with VEH handler set on the custom handler.
Obviously this hacking works for client TS-based activation, the Server TS activation checks SIGN apparently, so it is useless to do the hack, anyway you have to patch ECC check.
Good luck