
Thread: time trials

  1. #16
    Kilby
    Guest
    Second post.

    Now I feel that I must be less reserved and civil.

    The following is not supposed to be a flame, and it is a bit off topic, but I feel that it is necessary; if you feel it isn't, then that's fine.

    If my original posting came across as arrogant, then I must state that wasn't the intention; possibly the posting in the off topic section may clear things up.

    However, I do feel that I am responding to arrogance, at least partially directed towards me. I may be misreading it, or perhaps English is not the native tongue of tgodd, but I still feel that I must respond.

    tgodd:

    I thought reversing is using whatever tools you have at your disposal; sometimes it's off the shelf, sometimes it's home grown, sometimes the tool is your mind.

    Computers were built to remove repetitive operations, and I dunno about anybody else, but searching for the right bit of code can in fact be repetitive.

    Once you find the guilty party, then it's time to exercise your creativity to do something about it (I hate NOPs with a vengeance).

    So it's OK to use SICE (robbed, no doubt) or OllyDbg, but not to use something that looks for changed values?

    Oh dear! I seem to have got it all wrong, sorry!

    Please be careful in what you say and how you say it; there is always somebody out there with a longer list than you, and they may know considerably more than you assume.

    So how low down and dirty should one get?

    Windoze:
    Hate it, but it's there, and I have done more than enough within it to comment.

    DOS:
    Been there, seen it, done it, didn't bother with the T-shirt.
    Redirected calls to MSCDEX and int 21
    Long before SICE was in the background, remember int 13
    Game trainers, TSRs, many apps and .sys files tweaked and rewritten

    AmigaDOS:
    Turn off the OS and hit the hardware directly.
    Custom disc loaders, unpacking, 1KB demos
    Code optimization for Psygnosis developers
    Using the blitter to help multiply complex numbers
    DTMF decoder
    Where is that T-shirt?

    Atari ST:
    Where are those unpackers & disk loaders?
    Oh, they're under the T-shirt.

    Z80, 6502 and 6809 8-bit home machines:
    Where are those custom tape and disk load/save routines?
    The network driver for the BBC Micro
    The home-designed & built samplers, network interfaces, modems, parallel & RS232 ports, etc.
    Mains ring networking.
    Wrote own assemblers and debugging ROMs
    T-shirts weren't invented then.

    6800 single-board computer:
    No assembler (hand assembled)
    100 bytes of RAM, hex keypad, 7-segment LED display.
    The only way to save your code was in a notebook using a pen.
    Played tunes on an AM radio using interference from the machine, by using timed loops.

    Hmmm, what about building registers on a breadboard using NAND gates?

    I think I still have the furs we cavemen wore in those days.

    Anyway, you can stop clapping your flippers like a demented seal that wants a fish from delta.

    Possibly I have misread your post, but I doubt it.

    Kilby...
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  2. #17
    tgodd
    Guest
    I did not mean for my response to be offensive.

    As for the list you gave of your experiences:
    Yes I have been there and done that also.
    The 80's were a wonderful time.


    DEC PDP-11's
    RadShack Mod 1, 3, and coco
    Osborne
    Amiga
    Pet

    I still know all the CP/M fast keycodes.

    I've been there also.

    What does one do when the tool does not give him what he wishes for?

    Pray?

    Give me a break.
    My suggestion was in fact the most rudimentary.
    All requests for the time MUST do IO to the device.

    You find the IO you can backtrack to anywhere.

    Do you disagree with this logic?

    Tools are useless without source or at least an understanding of how they work.

    For praying will not yield much with respect to results.
    The more one knows of inner workings, the less likely the project will be handed over to somebody of greater knowledge.

    I did not, in previous messages, try to be arrogant.

    And correct me if I am wrong, but it sounds to me as though you discount the fact that you have had these past experiences.
    Could somebody relatively speaking "new" to this stuff not benefit from knowing how these things work?

    It's sick to see people having to kiss feet to get answers from people who do have this inner-workings knowledge.

    And as far as breadboarding discrete gates, I would recommend anybody try it.

    Imagine how clean peoples code would be if they knew
    boolean algebra, and understood Karneu maps.
    I know I proly misspelled Karneu, but this is not a spelling 'B'.


    I am sorry for coming across so aggressively, but your message DID warrant a defense.

    regards,

    tgodd

  3. #18
    nikolatesla20 (Code Injector)
    Join Date: Apr 2002
    Location: :ether:
    Posts: 815
    "In my day, I hacked the AND gate by crossing the wire directly to the +5V line..and I LIKED IT!"

    And I suppose both of you had to walk uphill both ways to the lab?


    LOL


    -nt20

  4. #19
    tgodd
    Guest
    Bwahahahaha

    Stumbling, every step of the way.
    Got to be that the knees hurt!!!

    tgodd

  5. #20
    dELTA (Administrator)
    Join Date: Oct 2000
    Location: Ring -1
    Posts: 4,206
    Blog Entries: 5

    Not to mention that most of the time we were completely out of NAND gates, and had to build all our logic by only using OR gates.

  6. #21
    Kilby
    Guest
    Well I'm glad that we all have that sorted out then.

    (it wasn't your io post I was replying to BTW)


    regards,
    Kilby...

  7. #22
    cRk (Registered User)
    Join Date: Apr 2003
    Location: out of hell
    Posts: 152
    I was able to get some info and practice on this target. Actually, thanks to a cracker called realisty, I was able to get the right places where the limit message comes and the cmp involved in this... but there's one problem: the program is crashing with a bluescreen after skipping this limit. It looks like I'm missing something, or maybe this can't be cracked, because we're missing part of the code... remember this is a demo... Did you manage to finish it, and is it working? If you want, I can paste my research on this here; just let me know.

  8. #23
    Hi!

    Your thinking is slightly off. If it works during the time limit, of course it will work after, if you patch it right.

    He is using something to trick you, no doubt...
    ...or maybe...

    How did you patch it?
    And have you looked into the proc, or the instructions
    that create the values that are being compared?
    Maybe he sets some things up...
    Maybe you left the result... and he is using it later?

    /Manko

  9. #24
    dELTA (Administrator)
    Join Date: Oct 2000
    Location: Ring -1
    Posts: 4,206
    Blog Entries: 5
    A bluescreen after a patch is typically either a deliberate integrity check by the programmer (which can in that case be removed too), or a bad patch (which can in that case be rethought and redone in a better and more correct way).

    dELTA

  10. #25
    Kilby
    Guest
    This comes back to understanding the code.

    90% of the time a simple nop or jmp patch will do the job.

    However every now and then the author will look for such changes, leaving a couple of choices.

    1: Subvert the original protection in a suitably discreet place

    2: Patch all the authors checks

    /Hint on

    My preferred option is 1.
    e.g. if there is a call to the protection routine, set the appropriate flag at the start of the routine and then return early; authors seldom check for patches at the start of a subroutine, usually they check the last few bytes.

    /hints_off

    Kilby...
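    To make the two points above concrete (an integrity check that bluescreens on a bad patch, and a check that only covers a routine's last few bytes), here is an added example in C. It is not code from the thread or from the demo: the routine bytes are a constructed stand-in shaped after the compare-against-5 listing quoted in this thread, and the checksum is a plain FNV-1a. It shows that a check over only the tail of the routine misses a one-byte change at the routine's entry, while a check covering the whole routine catches it.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Constructed stand-in for a protection routine's bytes (not the demo's real
 * code): prologue, the minute-counter compare against 5, the conditional jump
 * and a tail ending in 'ret'. Only the shape matters here. */
#define ROUTINE_LEN 16
#define TAIL_LEN 4   /* bytes covered by a "last few bytes" check */
static const uint8_t ORIGINAL[ROUTINE_LEN] = {
    0x55, 0x8B, 0xEC,                          /* push ebp; mov ebp, esp    */
    0x83, 0x3D, 0xD4, 0xC7, 0x55, 0x00, 0x05,  /* cmp dword_55C7D4, 5       */
    0x7C, 0x04,                                /* jl  short (skip 4 bytes)  */
    0x33, 0xC0, 0x5D, 0xC3                     /* xor eax,eax; pop ebp; ret */
};

/* FNV-1a over a byte range; any single-byte change alters the result. */
uint32_t checksum(const uint8_t *p, size_t len) {
    uint32_t h = 0x811C9DC5u;
    for (size_t i = 0; i < len; i++) { h ^= p[i]; h *= 16777619u; }
    return h;
}

/* Integrity check covering only the routine's last few bytes. */
int tail_check_passes(const uint8_t *code) {
    return checksum(code + ROUTINE_LEN - TAIL_LEN, TAIL_LEN) ==
           checksum(ORIGINAL + ROUTINE_LEN - TAIL_LEN, TAIL_LEN);
}
/* Integrity check covering the routine from its first byte. */
int full_check_passes(const uint8_t *code) {
    return checksum(code, ROUTINE_LEN) == checksum(ORIGINAL, ROUTINE_LEN);
}

/* Copy of the routine with one byte changed at its entry (0xC3 = ret),
 * modelling a change made at the start of the routine rather than its tail. */
static void entry_changed_copy(uint8_t *buf) {
    memcpy(buf, ORIGINAL, ROUTINE_LEN);
    buf[0] = 0xC3;
}
/* 1 if the tail-only check still passes after the entry byte changed. */
int tail_check_misses_entry_change(void) {
    uint8_t buf[ROUTINE_LEN];
    entry_changed_copy(buf);
    return tail_check_passes(buf);
}
/* 1 if the whole-routine check detects the same change. */
int full_check_catches_entry_change(void) {
    uint8_t buf[ROUTINE_LEN];
    entry_changed_copy(buf);
    return !full_check_passes(buf);
}
```

    Both check functions compare against the checksum of the pristine copy; in a real program that reference value would itself need protecting, which is the same coverage question one level up.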

  11. #26
    qweasdzxc
    Guest
    cRK, I haven't really had time this week, been busy at work. I was planning on going to a party tonight, but work blew that, so I am going to try this again!

  12. #27
    Haven't played around with this program, but know that there is a partially working crack floating around out there for this version. The person who wrote the crack says that the 4 minute time limit is connected in some way to an "overflow of the level meters," which suggests a possible buffer. He suggests that the only way to prevent it from "overflowing" and stopping the program is starting and stopping the level meters.

    Now I'm not suggesting that anyone use a ready made crack for this program, because you won't learn anything by doing that (and he didn't "solve" this problem any), but his "observation/suggestion" does seem to indicate a good potential point for analysis of the code. Maybe it's not an "overflow" or maybe it is, but it certainly suggests that this might be a very good place to begin the search for the elusive "timer." This is also reported as a truly crippled demo without the code for the "input function," which is the only true way to "protect" demo software, but it still can provide a good object for study of the protection system.

    Regards.
    Last edited by JMI; April 18th, 2003 at 19:42.
    JMI

  13. #28
    qweasdzxc
    Guest
    You can turn the VU level meter off... I know that if you pause execution of the program code while the levels are on, you can step right into the level meters! You find a loop... at some point a condition is met and you jump into the normal program code, and eventually back into the meters (didn't spend too much time on this part). By pausing with the meter levels off, you drop into the normal program code, and it seems to contain the important code. I'm still looking.

  14. #29
    disavowed (title: <script>alert(0)</script>)
    Join Date: Apr 2002
    Posts: 1,281
    well, i finally decided to take a look at this for myself

    i tracked down where the messagebox was coming from, although that wasn't particularly useful. i then decided to look for one of those programs i had mentioned for making game trainers. after 5 minutes of searching with google, i found this, which suited my needs perfectly: http://www.gw32.de/english.html

    it allows you to search for changing values in memory. quite simply, i just watched for areas of memory that kept increasing. the only address of memory like this in the process's address space is: 0x55C7D8 (gamewiz32 will say 0x55C7D9... close enough)

    so, we take a look at 0x55C7D8 with ida. lo and behold, it's initialized to 0 when the thread starts, and it's constantly updated and checked in sub_419690. setting some wise breakpoints with olly led me to figure out that the '5' in:
    Code:
    .text:00419719                 cmp     dword_55C7D4, 5
    is actually the number of minutes allowed + 1. setting it to 1 will cause it to time out immediately. setting it to 2 will cause it to time out after 1 minute, whereas originally the 5 causes it to time out after 4 minutes. anyway, changing
    Code:
    .text:00419720                 jl      short loc_419773
    to an unconditional 'jmp' instead of a conditional 'jl' gets rid of the timeout.

  15. #30
    disavowed (title: <script>alert(0)</script>)
    Join Date: Apr 2002
    Posts: 1,281
    heh, evidently that causes an eventual overflow. the solution would probably be to just prevent the counter from incrementing. i'll leave that as an exercise for the reader, now that you know what sub_ to look in
