Thread: Stuck with an App

  1. #1

    Stuck with an App

    Hi, guys

    I'm stuck with a protected App called "PlanningPME"
    (Link deleted by Kayaker, and moved from "Advanced Reversing and Programming")

    I've found the 30-use limit and bypassed it, but there is a date limit for using this prog (2003 December 31) and I can't find how to do it.

    I'm not requesting a crack; I only want to learn this kind of protection and how to find the good place in the proggy to solve this problem!

    If somebody can help, please PM me for the link to download this App and I'll tell you what I've found!

    Thanks

  2. #2
    What about the "GetSystemDate" or "GetSystemTime" API? But I don't know.

  3. #3

    APIs

    Yes, tried them, but there are too many calls to these functions! Unable to locate anything.

    Thanks

  4. #4
    Naides is Nobody (Join Date: Jan 2002; Location: Planet Earth; Posts: 1,647)

    Quote, originally posted by LOUZEW:
    Yes, tried them, but there are too many calls to these functions! Unable to locate anything.

    Thanks

    Are all the calls coming from your APP?
    If you have some stuff in the system tray, like Real Player, scheduling apps, some firewall apps etc., they all fire GetSystemTime constantly, and you miss the call from your app.

    Try dead listing your app. Look for the time-related functions and the context they are used.
    Just a suggestion.

  5. #5
    Thanks for your help, but I'm sure these API calls are done in my App (checked under SoftIce), and no other App is running.
    This App is a planning one, so calling time APIs seems to be a normal thing.
    It seems to be hard to find an entry point to learn this protection.

    You can find this APP at h**p://www.planningpme.com, or PM me for a direct link!
    Thanks

    Quote, originally posted by naides:
    Are all the calls coming from your APP?
    If you have some stuff in the system tray, like Real Player, scheduling apps, some firewall apps etc., they all fire GetSystemTime constantly, and you miss the call from your app.

    Try dead listing your app. Look for the time-related functions and the context they are used.
    Just a suggestion.

  6. #6
    Naides is Nobody

    Quote, originally posted by LOUZEW:
    Thanks for your help, but I'm sure these API calls are done in my App (checked under SoftIce), and no other App is running.
    This App is a planning one, so calling time APIs seems to be a normal thing.
    It seems to be hard to find an entry point to learn this protection.

    You can find this APP at h**p://www.planningpme.com, or PM me for a direct link!
    Thanks

    Oh well. I am not going to D/L the 10 Mb this app brings on, but I am going to continue my favorite pastime: come up with outlandish strategies for difficult problems. I do this for a living in Real Life.

    Bet you most of the time the API calls the app makes come from the same area in the code: perhaps a message handler. Filter it out. Make the BPX GetSystemTime IF ESP != [The address of the code that calls GetSystemTime relentlessly]

    This way, only when the Time API is called from somewhere else Sice breaks, decreasing your false call rate.

    What about using nag screens? What kind of message would you get if you advance the clock beyond the time limit?
    Even if it quits silently you may break on the PostQuitMessage API.

  7. #7

    As Above

    The idea is very simple.

    In order for the program to note that dates are being changed, it has to store the date somewhere. There are only 4 candidates possible:

    1. Mucking around in the registry (favourite)
    2. Mucking around in the files (next best-of-line)
    3. Modifying the binary or its dependents (dlls) somewhere.
    4. Modifying certain HDD sectors.

    For each, find the solution:

    1. Regmon
    2. Filemon
    3. FC /B (binary mode)
    4. WHoops.

    Chances are, 98% of the time, it will be the first two options.

    BTW, just because the key accessed in the Regmon is CLSID, does not mean that the date will not be stored there

    Have Phun
    Blame Microsoft, get l337 !!

  8. #8

    As above

    And, I almost forgot...

    Here's a small trick if you are running Windows XP to ensure that you are not coming under a really commercial protection.

    1. Before installation of the app, create a system restore point (if you do not know how, learn it from the Windows XP documentation)
    2. Install the application
    3. Muck it up
    4. Uninstall the application
    5. Restore the system restore point
    6. Re-install the application

    If the application works after re-installation again, then you know for SURE that the protection is either 1 or 2.

    Have Phun
    Blame Microsoft, get l337 !!

  9. #9

    Always stuck

    Hi,
    Thanks, Aimless and Naides, for your help.
    I've tried your tips and I can't find anything interesting.
    Traced this App with BoundsChecker and the only thing I can locate is a whole sequence of:
    GetMessage
    PeekMessage

    just before the App exits!

    I don't know how to use this info. Can somebody help?

  10. #10

    Thanks

    Many thanks, Naides, for your help!
    PM sent

  11. #11
    Naides is Nobody

    Quote, originally posted by Aimless:
    The idea is very simple.

    In order for the program to note that dates are being changed, it has to store the date somewhere. There are only 4 candidates possible:

    1. Mucking around in the registry (favourite)
    2. Mucking around in the files (next best-of-line)
    3. Modifying the binary or its dependents (dlls) somewhere.
    4. Modifying certain HDD sectors.

    For each, find the solution:

    1. Regmon
    2. Filemon
    3. FC /B (binary mode)
    4. WHoops.

    Chances are, 98% of the time, it will be the first two options.

    BTW, just because the key accessed in the Regmon is CLSID, does not mean that the date will not be stored there

    Have Phun

    This app had yet another place to store the time limit (12/31/03): it was hard-coded in the program!
    if current year > x07D3h (2003) then quit.

    Who would think of such a thing?
