Page 3 of 3 FirstFirst 123
Results 31 to 39 of 39

Thread: time trials

  1. #31
    qweasdzxc
    Guest
    Disavowed, I agree with you that the memory dump/compair is the easy way to do this, I have been trying to trace the code, and figure it out for myself, the hard way, (so I can better understand the OS, and what protection schemes really do, plus learn some more assembly). According to your post, I am in the right area of code though. ....
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  2. #32
    qweasdzxc:

    Let me encourage you to maintain that attitude. Learning to understand the Code is the essence of what you need to advance your skills at RCE. Patching without knowledge is not a learning experience you can generally apply on other software. If you improve your level of understanding, you will be able to carry this forward when you begin to examine your next target.

    Regards.
    JMI

  3. #33
    Registered User cRk's Avatar
    Join Date
    Apr 2003
    Location
    out of hell
    Posts
    152
    Guitar FX BOX 2.6

    :0041A384 C1E005 shl eax, 05 <-- 05? maybe 4.59 Min.
    :0041A387 03C2 add eax, edx
    :0041A389 F6401001 test [eax+10], 01 <-- press Start
    :0041A38D 7428 je 0041A3B7
    :0041A38F 8B0DC8C75500 mov ecx, dword ptr [0055C7C8]
    :0041A395 E876FBFFFF call 00419F10 <-- continue process
    :0041A39A A1C8C75500 mov eax, dword ptr [0055C7C8]
    :0041A39F 40 inc eax
    :0041A3A0 99 cdq

    once we're on 00419F10 there's alot of piece of code which i think
    it handles the sounds process... please correct me anytime if i'm
    mistaken.. i'm here to learn more and correct my mistakes...

    continuing..

    check a little the big piece code.. and go down until you get to

    * Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
    |:0041A0AD(C), :0041A0DB(U), :0041A124(U), :0041A16A(U)
    |
    :0041A17D 8B4DF8 mov ecx, dword ptr [ebp-08]
    :0041A180 E80BF5FFFF call 00419690 <- let's go here

    on 00419690 continue reading the sound process and there alittle cmp
    which compares a virtual (rva) location with 05 which mean our target
    dosen't read 4 minutes exactly as it says.. i think it reads 4.59 minutes... go to 00419690 and read a little until you see this:

    :00419713 890DD4C75500 mov dword ptr [0055C7D4], ecx

    * Referenced by a (U)nconditional or (C)onditional Jump at Address:
    |:004196F6(C)
    |
    :00419719 833DD4C7550005 cmp dword ptr [0055C7D4], 00000005 <<-- compare minutes here
    :00419720 7C51 jl 00419773 <-- if 5 minutes passed jumps-|
    :00419722 C705506D550001000000 mov dword ptr [00556D50], 00000001 |
    :0041972C 833D6CC7550000 cmp dword ptr [0055C76C], 00000000 |
    :00419733 740D je 00419742 |
    :00419735 8B0D94C75500 mov ecx, dword ptr [0055C794] |
    :0041973B E8E02DFFFF call 0040C520 |
    :00419740 EB12 jmp 00419754 |
    |
    * Referenced by a (U)nconditional or (C)onditional Jump at Address: |
    |:00419733(C) |
    | |
    :00419742 8B1588645500 mov edx, dword ptr [00556488] |
    :00419748 8B02 mov eax, dword ptr [edx] |
    :0041974A 8B0D88645500 mov ecx, dword ptr [00556488] |
    :00419750 51 push ecx |
    :00419751 FF5048 call [eax+48] |
    |
    * Referenced by a (U)nconditional or (C)onditional Jump at Address: |
    |:00419740(U) |
    | |
    :00419754 8B1518C75500 mov edx, dword ptr [0055C718] <----------- jumps here
    :0041975A 8955EC mov dword ptr [ebp-14], edx
    :0041975D 6A00 push 00000000
    :0041975F 6A00 push 00000000
    :00419761 6865040000 push 00000465
    :00419766 8B45EC mov eax, dword ptr [ebp-14]
    :00419769 8B481C mov ecx, dword ptr [eax+1C]
    :0041976C 51 push ecx

    * Reference To: USER32.PostMessageA, Ord:01DEh
    |
    :0041976D FF15D0D44400 Call dword ptr [0044D4D0] <-- our nag message comes here

    if we make jmp on 00419720 you'll note if won't give any nag and will keep working but somehow it will stop and you'll note the level meter will stop and will give you a bluescreen fatal error after 2 or 3 more minutes , the system says to pressed any key and bye bye program.. i wonder if there's still another check for this maybe a cmp? because i also have tried all time related possible solutions and still not luck

    the only possible compare i found for this is the above one but i guess there's something more
    somewhere... i'll hope i'm missing something. another thing is that the nag about the 4 minutes limit looks like a messageboxa.. if you do bpx messageboxa sice will break when the 4.. minutes are over.. the messageboxa comes from 0041FF74 i don't see there any cmp or way to skip it it looks that first call USER32.PostMessageA while tracing a little just before the limit is over
    and exactly the message comes from 0041976D then the messageboxa shows up .

    i got this code where the messageboxa comes from :

    :0041FF6D 8D05C0E94100 lea eax, dword ptr [0041E9C0] <-- read here, there's a C3 only
    :0041FF73 50 push eax
    :0041FF74 FF2538545500 jmp dword ptr [00555438] <<--- Messageboxa here
    :0041FF7A 5F pop edi
    :0041FF7B 5E pop esi
    :0041FF7C 5B pop ebx
    :0041FF7D 8BE5 mov esp, ebp
    :0041FF7F 5D pop ebp
    :0041FF80 C20800 ret 0008

    to skip the nag message i did change push (55) for C3 at the begin of that piece of code on
    0041FEB0, but it won't make any change.. it only remove the messageboxa

    if i increment value on cmp dword ptr [0055C7D4], 00000005 for
    cmp dword ptr [0055C7D4], 00000009 i guess it should read 9 = minutes in this case ?

    while tracing alittle bit more.. while the program process the sounds looks it read locations
    between 0041BFDC & 0041BED7 there's a loop and i think that maybe there's the function where it stops the sound processing. "i'm not sure" i wonder what exactly KERNEL32.SleepEx does
    because there are many references about it there..

    is there a way to make it loop so we won't have to press manually start each time 4 minutes has passed ? like simule we have pressed "Start" after 4 minutes has passed. any ideas which bpx should i set to catch where exactly the sound processing stops?.. you can note it when the level meter stops responding.. that's a good sign. i tried closehandle but nothing happends.

    Any tips, complaints or possible help is welcome to resolve the time limit mistery of this program.

  4. #34
    qweasdzxc
    Guest
    The SleepEx function causes the current thread to enter a wait state until the specified interval of time has passed, or until an I/O completion callback function is called.

    This function is available only in the Win32 API.

    DWORD SleepEx(

    DWORD dwTimeout, // time-out interval in milliseconds
    BOOL fAlertable // early completion flag
    );

    Parameters

    dwTimeout

    Specifies the time, in milliseconds, that the delay is to occur. A value of zero causes the function to return immediately. A value of INFINITE causes an infinite delay.

    fAlertable

    Specifies whether the function may terminate early due to an I/O completion callback function. If fAlertable is FALSE, the function does not return until the time-out period has elapsed. If an I/O completion callback occurs, the function does not return and the I/O completion function is not executed.
    If fAlertable is TRUE and the thread that called this function is the same thread that called the extended I/O function (
    ReadFileEx or WriteFileEx), the function returns when either the time-out period has elapsed or when an I/O completion callback function occurs. If an I/O completion callback occurs, the I/O completion function is executed.


    its a fancy wait command... IN this program I think it has to do mainly with sound latency, the coder probably used this for faster code, while still being able to pause a thread...
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  5. #35

    timer(s)

    It is easy to get THAT counter:

    004196EF cmp dword ptr [0055C7D8], 00000000
    004196F6 jne 00419719
    004196F8 mov edx, dword ptr [0055C7D4] ;get minutes
    004196FE mov eax, dword ptr [0055C7D4] ;ditto
    00419703 mov dword ptr [4*edx+00554364], eax ;store it elsewhere...
    0041970A mov ecx, dword ptr [0055C7D4]
    00419710 add ecx, 00000001 ;increment minutes!!!
    00419713 mov dword ptr [0055C7D4], ecx
    00419719 cmp dword ptr [0055C7D4], 00000005 ;cmp time with limit
    00419720 jl 00419773 ;not yet 4+1, continue
    ...
    shortly after comes the routine to increase minutes:

    00419773 mov ecx, dword ptr [0055C7D8] ;
    00419779 add ecx, dword ptr [ebp-18] ;x80
    0041977C mov eax, dword ptr [0045CCFC] ;22050 (Hz?)
    00419781 cdq
    00419782 and edx, 0000007F
    00419785 add eax, edx
    00419787 mov esi, eax
    00419789 sar esi, 07
    0041978C imul esi, 0000003C ;60 (second)
    0041978F shl esi, 07
    00419792 mov eax, ecx
    00419794 cdq
    00419795 idiv esi ;when edx=0, 1 min elapsed!
    00419797 mov dword ptr [0055C7D8], edx ; <<<

    Thus, by putting 0 into edx/[55C7D8] a few times, one can trigger the '4 mins limit reached' condition, rather than physicaly waiting out the 4 minutes So it's possible to make it 'faster', but unfortunately won't work the opposite way - 'fixing' this counter (say by changing the increment to 0 at 419710) later still results in a blue screen.
    How it does that, I still don't know, but I doubt if uses any patch/integrity check. I reckon rather it is some buffer or stack overrun causes the blue screen.

    A time check not necessarily requires a windows timer. For example, with a sound sample rate of 22050 Hz, when processed say 11025 samples then 11025/22050 = 0.5 second has elapsed. One can just count how many times were sound buffers filled... etc. and derive the duration. In fact, there are quite a few other 'counters' (using floating pont numbers) related to sound processing. Yet, I feel the solution is not with those FP values. How do I reckon?

    Previously I eliminated all limitations from 2 older (2,1, 2.5) versions, but when tried the usual fixes on this version (maybe in July last year) failed with the 4 mins limit. If there is no another 'time check' then sure has some 'screw-it-up' routine. It may be just writing memory/buffers eg. [offset+counter x constant] which eventually kills Windoze, unless stopped in good time (bit over 5 mins). This surprise is surely absent from the older versions. Since the major difference is in multithread use in v2.6, I guess that's the suspicious part to deserve extra attention. For example, there is another (faster) 'counter' at [0055C7EC], related both to the common minute counter and also to thread activation.

    In any case, this is a real bitch, a good protection.
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  6. #36
    qweasdzxc
    Guest
    Almos,

    Your right about making the timer faster, I managed to get the 4 minute nag in about 30 seconds of runtime!! But I didn't manage to slow it down yet.

    I suspect that there is a second check elsewhere. I have found several references to killtimer since I decided to use Wdasm to look at the code. I set breakpoints on two of them and let the app run out the 4 min. I didn't hit either brp. I also checked the 20 second recording limit with the same brp's, and failed to break on either. So, I am going to back trace the code to see what calls the two killtimer's. I have a feeling that it will be a second "security" timer.
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  7. #37
    tgodd
    Guest
    I have personally written code which requires that the counter continue to count.

    If the counter is stalled or advanced the program crashes.

    Do not always rely on being able to stop or advance the counter.

    The values will be referenced more than likely within another
    thread.

    You may want to focus there!!

    Just a point to take into consideration.

    regards,

    tgodd
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  8. #38
    Registered User cRk's Avatar
    Join Date
    Apr 2003
    Location
    out of hell
    Posts
    152
    i got the idea.... this program always read the system time.. because how it knows 4 minutes has passed? sure is reading system time clock somehow.. if we reverse this to fool it and skip reading the system time clock.. this is just a suggestion.. btw i think all wee need is to find the right place to patch , i would not consider this a good protection.. other thing it is possible the code to process the sound it's done to stop right away after 4 minutes and there's now way back, no loop or C3. so forcing it to continue it will just crash.. why bluescreen? maybe takes too much memory,while doing nothing after 4 minutes "Not sure". or maybe we're missing the part of this code where the program could have a loop to keep processing. it is possible it has an internal counter that counts appart from the system clock?.. i don't think this is done with killtimer.. SICE will break right away before the little nag..in this case don't break anywhere..

  9. #39
    qweasdzxc
    Guest
    Tgodd might be right.. the program does setup a new thread after startup. And I do think there is a second counter somewhere. I set olly for just in time debugging, to check the program crash after 4 minutes and when I broke, I was dumped into a real mess. instructions overlapping blocks, unknown commands, and illegal procedures.

    Crk you might want to look at getsystemtime as filetime, this just occured to me. I will check on that too. But you can start the program and get into the 4 minute loop, then change the system time with out the nag appearing. At any rate, I've been too busy to look at it much.
    I promise that I have read the FAQ and tried to use the Search to answer my question.

Similar Threads

  1. What are you doing guy of your IDLE CPU time?
    By Orkblutt in forum Off Topic
    Replies: 12
    Last Post: August 15th, 2011, 14:33
  2. Hi all, it's time for a new interesting tutorial, this time SSlEvIN took time for a j
    By Shub-nigurrath in forum Advanced Reversing and Programming
    Replies: 1
    Last Post: March 5th, 2010, 15:58
  3. so its now time to greet
    By blabberer in forum Off Topic
    Replies: 22
    Last Post: January 1st, 2008, 23:52
  4. File time
    By crUsAdEr in forum The Newbie Forum
    Replies: 19
    Last Post: May 22nd, 2004, 08:14
  5. New UDD file every time???
    By psyCK0 in forum OllyDbg Support Forums
    Replies: 2
    Last Post: February 14th, 2003, 07:38

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •