Help with Delphi (Timers)

November 19th, 2008, 16:00
Hey guys,

I'm looking at a multimedia program that only allows you to play audio files for 15 mins before it stops playback and shows a nag screen telling you that it is a demo version and this behaviour should be expected.

I _think_ it is using SimpleTimer (a component of CoolTrayIcon ("http://subsimple.com/delphi.asp")). I can find several SimpleTimer::Stop and SimpleTimer::Start calls in the code, but I can't find anything that matches the documentation (e.g. SimpleTimer::CreateEx) to find the code that would be called in the event the timer fires. (The only OnTimer event I can find doesn't seem to work - but that could be me.)

What I have found is what appears to be a message handling routine of some description which looks like this :

006268E5 > . 66:8378 3A 00 CMP WORD PTR DS:[EAX+3A],0
006268EA . 74 0A JE SHORT APPNAME.006268F6
006268F0 8B43 3C MOV EAX,DWORD PTR DS:[EBX+3C]
006268F3 > . FF53 38 CALL DWORD PTR DS:[EBX+38]
006268F6 > 5B POP EBX
006268F7 . C3 RETN

Depending on EAX+3A and EAX+3C it defines what happens next.

Literally HOURS of watching this code to see what happens when the 'nag' is fired leads me to this :
[From my notes]

Conditional logs on 6268E5 and 6268F3 show that it is some kind of message handling loop. Normally EAX+3A should be 41 but in the event of the demo time limit expiring the value is

42 : before going to the 'stop' command to stop playback
42 : before going to the nag screen

42 is also a valid value for scroll bar moving, so a simple check for 42 may be no good. 423194 is the address called when the slider is used. 414FD8 is the address used for the 'Stop' command. 421098 is the address for the nag screen.

Address checked with EAX+2A is :

127c33A was used for the expired nag call.
127EB52 was used for slider

Call for any sidebar motion always triggers this :

Log data, item 44
Message=COND: New Jump Address = 00423194

but using the stop button causes a different arrangement. Clicking the stop button does not cause a call [EBX+38] to 414FD8 so ....

Use code cave to check :

EBX+38 != 414fd8 then continue else JMP to 6268f6
EBX+38 != 421908 as above?

which would be

JE 06268F6
CMP DWORD PTR [EBX+38], 0421908
JE 06268F6
JMP 006268F3

[/my notes]

The reason I jump back to the POP EBX is that, after waiting for the 'nag' to fire in Olly using conditional BPs and then just setting 'New Origin Here' in Olly, playback seems to continue just fine.

I popped the above code into the code where the nag occurs, figuring it would never be called in the new arrangement. However, it does cause an access violation once the 15 mins are up.

For the timers I have tried to follow SimpleTimer but with no joy; I have checked all calls to GetTickCount, again with no joy. I've even tried using a game cheat engine to look for increasing and decreasing memory values, but that didn't work either.

DeDe seems to decompile most of it OK, though I can find no references to SimpleTimer. 'DE Compiler' just hangs.

So ... can anyone suggest a way forward from here?

Many thanks in advance

November 19th, 2008, 16:11
Maybe a small hint:
Timers usually work with the API SetTimer and KillTimer. I don't think GetTickCount is used.

November 20th, 2008, 04:14
Always the simple solution, isn't it?

Thanks - I'll look into that and see how I get on - I can see several instances that could be promising and I'll report back how things go.

Thanks again

Update: Yes - thank you, worked fine. Now I'm listening to music without any silly interruptions. Well, not until the new uElapse of -1 expires.