Page 1 of 3
Results 1 to 15 of 39

Thread: time trials

  1. #1
    qweasdzxc
    Guest

    time trials

    I have looked far and wide, but still haven't found anything describing this problem.

    I am trying to kill a timer in my target. I have killed a nag screen and the 30 day limit so far, but when you execute the prog you are limited to 4 minutes of runtime...

    I have looked for settimer, killtimer, getsystemtime, and of course the milliseconds (240000), and the HEX equivalent (3A980)... I have also set a break for the 4 minute nag screen, but I got trapped in USER32.dll

    The timer does not use the system time. I can start the app, then change my system time and the app always runs for 4 minutes.

    My guess is that the app sets its own independent timer, I have no experience with that yet. Can someone point me to a good tutorial? Or offer any relevant advice?

    Ida reports that the app is coded in C++, is there a trick with some C++ library that I'm missing?
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  2. #2
    You tried gettickcount?

    And about the time... No smart coder would use exactly 4 mins, since it will be easy to find. (Though I agree, this is quite common... So coders are not that smart, then... :P)

    There are many other apis to get time too...

    Hope someone will help you with the question about timers.

    /Manko

  3. #3
    qweasdzxc
    Guest
    No, I haven't tried Gettickcount. Didn't know about it...
    I know I need to read more, but I don't feel like I learn by reading, I like to learn by hands-on methods, this way what I learn seems to stick around a little better.

    I have a feeling that I am right on top of the section I need to be in, I keep narrowing down and I have a couple of screens of interesting code. I have identified the VU Meter in the app, and I have a jmp out of that code into a rather large loop with SEVERAL calls. I am close, but I still can't see it. I can't find anything I recognize from any tuts I've read.

    I have timed this with a stopwatch, it is 4 minutes!! I wasn't too surprised by that,

    I will check for a reference to Gettickcount in Wdasm and see what I come up with.

    Thanks!!

  4. #4
    qweasdzxc
    Guest
    I didn't find Gettickcount...

    I think it might be time to try a different debugger.... Or maybe put this to the side for now, I've been stuck on it for almost a month.

  5. #5
    dELTA (Administrator)
    A generic trick that might sometimes work surprisingly well in these situations is to search for the constant of the time limit. In your case I would try to search the entire deadlisting for the constant 240 (4 minutes in seconds) and 240000 (4 minutes in milliseconds). Check the code around the places where they will possibly occur. If you see a compare with these constants, try to track the compared data backwards and you might very well end up at the time-sample function (not that you would really need it once you have found the location of the compare, but anyway, for academic interest).

    This is the reason why "clever programmers" might choose a constant that is a little bit off (e.g. 240345 milliseconds, or 239 seconds), like Manko mentions above.

    dELTA

  6. #6
    disavowed
    Why not make a program to keep readprocessmemory'ing your app's process space, take a snapshot every few seconds, and then compare the snapshots to see what area of memory has a variable that keeps incrementing?

    There might even be some game trainers out there that do this automatically.

  7. #7
    banshee
    Guest
    Just a thought:
    There is an rdtsc command that returns the number of ticks since your PC started. You can use it combined with the processor MHz information to determine how much time has passed since the last call. (I think the GetTickCount API uses that command.) Try to search for that command in your disassembly listing.

  8. #8
    tgodd
    Guest
    It could be possible that they are accessing the Clock using direct IO via a device driver.

    I have seen many an exe with an embedded driver which they load to do direct IO, then unload when finished.

    Just a small possibility.

    Regards,

    tgodd

  9. #9
    nikolatesla20 (: Code Injector :)
    Another thing - did you only check the Imports for GetTickCount or did you also check strings table? Because it could be a dynamic import.

    If you are using SI, another thing you could do is set a Breakpoint on a window message. You'll have to grab the softice manual to know what I'm talking about ...if you installed D.S 2.7 you will have that.

    Anyway, get the window's handle and then do a breakpoint on WM_TIMER and see if anything comes through or not...

    It could be that any DLL that the program uses could actually do the counting, etc, etc.. so if it's using DLLs look at those too.


    -nt20

  10. #10
    To crash or not to crash
    Don't know about you, but I'm getting interested in which program you are trying to get to work.

  11. #11
    qweasdzxc
    Guest
    I have been using Ollydbg since I can't get softice to run on my machine (problem with video card + drivers). I tried to search the dead listing I got from Wdasm and I finally found settimer and Killtimer. Why wouldn't they show up in Olly?

    The program is GuitarFX 2.6 .... it is a true demo prog. I found a reference to a serial number, just no place to input one in the demo.
    This demo is limited by the number of days, time limit of effects processing, time limit of recording, you can't import wave files for playback during record, and of course nag screens.

    It looks like USER32.dll is keeping track of time, I guess I finally caught a break here!

    Thanks everyone.

  12. #12
    Kilby
    Guest
    Please excuse me if I appear to criticize, as that is not the intention.

    You folks are really going about this the hard way

    I blame this on the fact that reversing these days is almost completely biased around breakpointing on API calls, unpacking, and finding where the serial number is compared.

    ATM you are guessing which API is used and attempting to work from there; disavowed is on the right track but reinventing the wheel.

    You are currently suggesting bruteforce, this is acceptable, but weren't computers built to do the bruteforce work for us humans?

    Go and find yourself a nice game training tool (gamehack being one of them), and use that to find the counter. Let your PC do the work ! From there you can find the right piece of code easily.

    It's lazy, easy and saves a lot of wasted effort when you can put the effort into something else more deserving.

    If I appear patronising then I apologise, but I feel that the breadth of knowledge in today's scene is starting to constrict.

    So much time is spent thinking about how things are done via the OS, between unpacking, decryption and the like.

    Simplicity works; learn to use it.

    Try to lose thinking about the complexity of modern operating systems, think about what you want to do, then hit the right piece of code first time.

    I think I will put something into the off topic section about this as I think there is quite a lot to say about this.

    Regards,

    Kilby...

  13. #13
    dELTA (Administrator)
    I'm sorry to say this after your long lecture and everything Kilby, but in my opinion it is most likely that there is no "counter" at all. There simply isn't a good reason why it would be saved.

    My guess is a timer procedure looking something like this:

    Code:
    //This is the only data saved in the data segment
    int calculated_limit_time; //This will never be changed,
                               //only calculated once at program startup

    //Placeholders for the time-sampling and shutdown routines,
    //whatever the program actually uses for them
    int sample_time(void);
    void exit_program_or_whatever(void);

    //This is the checking procedure
    void TimerProc(void)
    {
       if (sample_time() > calculated_limit_time)
       {
          exit_program_or_whatever();
       }
    }
    This means that the sampled time will at best be saved on the stack (possibly only in a register), which means you can never find it with a mem-compare-tool program.

    Or even easier, the timer itself might be set to 4 minutes, and then just call exit_program_or_whatever() immediately in the TimerProc. In neither of the cases will there be any data to perform "differential analysis" on.

    Also, in my opinion trying to figure out the workings of the program is always better than bruteforcing it. Bruteforcing only works for certain stupid protections, while "guessing" (or rather concluding/zenning) will always work. This also makes you smarter and more experienced each time, which in turn makes it even easier to predict the workings of the next program.

    dELTA
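
    To make dELTA's point concrete, here is a small Python model added as an illustration; it is not code from this thread nor from the program being discussed, and the names FakeClocks, DeadlineTrial, WallClockTrial, changed_fields and simulate are all chosen for this example. It puts his deadline-based check (one value computed at start-up, nothing incrementing afterwards) next to a variant that compares against the system clock, using constructed fake clocks so it runs offline. The tick-based variant behaves exactly as qweasdzxc observed in post #1 (changing the system time does not shorten or extend the 4 minutes), and the snapshot-diff helper shows why the memory-comparison approach from post #6 has nothing to find in that layout: the only stored field never changes.

```python
import copy

FOUR_MINUTES_MS = 240_000  # the 4-minute runtime limit the thread discusses


class FakeClocks:
    """Constructed clocks so the scenario runs offline and deterministically.
    tick_ms() models a monotonic tick source such as GetTickCount: it only
    moves when the simulation advances. wall_ms() models the system clock,
    which the user can set backwards or forwards independently of the ticks."""

    def __init__(self):
        self.ticks = 1_000_000   # arbitrary uptime in ms at program start
        self.offset = 0          # how far the wall clock has been shifted

    def tick_ms(self):
        return self.ticks

    def wall_ms(self):
        return self.ticks + self.offset

    def advance(self, ms):
        self.ticks += ms

    def shift_wall_clock(self, ms):
        self.offset += ms


class DeadlineTrial:
    """The layout dELTA describes: the only stored value is the expiry tick,
    computed once at start-up. Nothing increments while the program runs."""

    def __init__(self, tick_ms, limit_ms=FOUR_MINUTES_MS):
        self._tick_ms = tick_ms            # would be GetTickCount on Windows
        self.limit_tick = tick_ms() + limit_ms

    def expired(self):
        return self._tick_ms() > self.limit_tick


class WallClockTrial:
    """Same check, but against the system clock instead of a tick counter."""

    def __init__(self, wall_ms, limit_ms=FOUR_MINUTES_MS):
        self._wall_ms = wall_ms
        self.limit_at = wall_ms() + limit_ms

    def expired(self):
        return self._wall_ms() > self.limit_at


def changed_fields(trial, clocks, run_ms):
    """Differential analysis against the trial object's own state: snapshot
    the stored fields, let run_ms of time pass, snapshot again and report
    which fields changed. Callables (the clock references) are skipped, as a
    memory scanner compares data, not code."""
    def snapshot():
        return {k: v for k, v in vars(trial).items() if not callable(v)}
    before = copy.deepcopy(snapshot())
    clocks.advance(run_ms)
    after = snapshot()
    return {k for k in before if before[k] != after.get(k)}


def simulate(elapsed_ms, wall_shift_ms=0):
    """Run both trial styles for elapsed_ms of real time; halfway through,
    the user shifts the system clock by wall_shift_ms (negative = set back).
    Returns (tick_based_expired, wall_clock_expired)."""
    clocks = FakeClocks()
    by_ticks = DeadlineTrial(clocks.tick_ms)
    by_wall = WallClockTrial(clocks.wall_ms)
    clocks.advance(elapsed_ms // 2)
    clocks.shift_wall_clock(wall_shift_ms)
    clocks.advance(elapsed_ms - elapsed_ms // 2)
    return by_ticks.expired(), by_wall.expired()


if __name__ == "__main__":
    # Four minutes pass, nobody touches the clock: both variants expire.
    print(simulate(FOUR_MINUTES_MS + 1))
    # Four minutes pass, but the user set the clock back an hour halfway:
    # the tick-based deadline still fires, the wall-clock one does not.
    print(simulate(FOUR_MINUTES_MS + 1, -3_600_000))
    # A minute of runtime changes no stored field of the deadline trial.
    c = FakeClocks()
    print(changed_fields(DeadlineTrial(c.tick_ms), c, 60_000))
```

    The second scenario is the OP's observation in code form: an app whose deadline was derived from a tick counter keeps running for exactly its limit no matter what the system date is set to. The third is dELTA's argument: with the deadline fixed at start-up there is no incrementing value in the process, so repeated memory snapshots of it come out identical.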

  14. #14
    tgodd
    Guest
    Extremely well put delta.

    I'm in agreement with everything you have outlined.

    Having a deep understanding of how these things work is essential to reverse engineering.

    If you are using tools which do most of the work for you, then you are not truly reversing.

    It is one thing to use the tools, when you understand how these things work.
    It is completely something else when you rely on those tools, due to a lack of understanding of how things work.

    I always suggest to Windoz "experts", whom I have been acquainted with, to learn Doz to expand on their abilities and understanding of the OS.

    This is simply put, "Getting your hands dirty".

    You can not fix a car if you are afraid, or incapable of touching an oily nut or bolt.

    Get down and dirty folks.

    Regards,

    tgodd

  15. #15
    Kilby
    Guest
    This is split into two replies.

    This is the civil and measured one, as was the posting it is in reply to.

    Delta:

    No lecture intended, just wanted to say that it can be much easier when you apply lessons elsewhere. Even if you are unsuccessful, at least there is something to remove from the list of possibles.

    As you say it depends on how it is implemented.

    All too often things are implemented badly and timers are very prone to this (you would be surprised to see the number of apps that do exactly this).

    I most certainly am not zen like (I wish I was but I'm way too up tight), but a couple of minutes testing for holes & general stupidity yields many dividends.

    Learning to ignore the spurious noise within windoze enables you to discover what is really happening. Though possibly I just suffer from a low boredom threshold.

    BTW: The most likely way for me to have a go at such a timer is:

    1: Check what timer apis are in the import table

    2: Check for counters

    3: Log calls to getprocaddress for that task to see if anything is resolved at runtime (write a logger for this).

    4: Use an API logger to log what timer calls are used by the app in question (write your own for this too).

    5: Start monitoring any suspect memory addresses of API calls

    6: How it exits (that's always useful)

    It's sorting the wheat from the chaff, and only takes a couple of minutes and can save hours of wasted effort.
    To me the bruteforce method is sticking breakpoints on every time related API and waiting for the right call, then nopping the following conditional jmp.

    I work from one side (excluding things) and other people work from the other end looking for things to include; it's all personal preference.

    I simply feel that too much of what people call reversing in windoze is purely hoping to bpx on the right API. I have in the past made 1000s of calls to particular APIs just to annoy the people who rely on this technique. It really is funny

    Anyway I hope you understand where I am coming from.

    Kilby...
