
Thread: 30 day trial license

  1. #16
    ksbrace
    Guest

    definition

    Code:
    :624378DC E83DC4FCFF call 62403D1E          ; this call converts the date and time into a 64-bit float (real) and returns its value at ebp-08
    :624378E1 DD45F8     fld qword ptr [ebp-08] ; this instruction pushes the date and time real onto the float stack using the MFC float time format
    Ok, this is what I'm thinking is happening for the 62378dc: it calls 62403d1e, which calls 624378ee, which calls the SystemTimeToVariantTime API. What I don't understand is, what does the E83DC4FCFF represent? In dec: 997468732671
    bin: 1110100000111101110001001111110011111111

    I am understanding the fld a bit more thanks to:
    http://courses.ece.uiuc.edu/ece390/books/artofasm/CH14/CH14-4.html#HEADING4-5

    I don't understand what the dd45f8 means. Thanks in advance.
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  2. #17
    Anon
    Guest
    E83DC4FCFF is the hexadecimal code for "call 62403D1E." Likewise, DD45F8 is the hexadecimal code for "fld qword ptr [ebp-08]."

    A deadlisting shows the offset of the code in the file, the hexadecimal code, and the more human-readable ASM equivalent of that code, usually in that order.
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  3. #18
    ksbrace
    Guest
    Ok, when I put a break point at 624378CF (the GetLocalTime call) and I analyze the first time it stops there, EAX says 0012FCCC; when I convert that to decimal I get 1244364. ECX: 0012FA60, decimal: 1243744

    EAX: 0012FCCC, decimal: 1244364
    ECX: 0012FA60, decimal: 1243744


    When I stop it at the return statement (624378E5):
    EAX: 0012FCDC, decimal: 1244380
    ECX: 0012FC88, decimal: 1244296

    Now it stops there several, seemed like hundreds, of times.
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  4. #19
    Naides is Nobody
    OK KS.
    Do not panic.
    I agree, catching the program checking the date and time is not going to take us very far in this case, but you will see its use later.

    I digress:
    The current date and time is returned in a register on top of the float stack (not in EAX): in Olly, if you look at the registers window, you will see a column of registers labeled ST0, ST1 ... ST7
    (if it does not, make sure that the registers title bar says "Registers (FPU)"; click on it until it does).
    At the moment 624378CF returns, ST0 holds a value like:

    ST0 valid 38729.683402777780430


    "valid" means it is a valid float format. The integer part, 38729, is today's date, counted in days since 1/1/1900, the beginning of time according to Bill Gates.
    The fractional part, .683402777780430, is the fraction of a day, which can be converted to hours, minutes, seconds and milliseconds (0.5 means 12:00:00.000 noon).

    If you feed this number to an Excel cell and change the cell format to 'date' or 'time' you will obtain today's date and time. Excel uses the same ctime convention as the MFC.

    end digression.

    Well think about this. This program is expired. Very early after you start, the program has to check the date, compare it with the install date, and because the difference is more than 30 days, issue a box saying: your trial period has now ended, then quit.

    The problem is finding an area of the code that checks the time, then spits out the bad boy 'trial ended' message.

    Notice that these actions are not necessarily contiguous; in fact they are not contiguous in the code (because of the structure of programs: a call calls a call that calls a call that checks the time, then another call makes the comparison, then another call calls a call that places a box saying 'bad boy').

    Can you find them? (Of course you can!)

    Look who calls whom, trace back in the code. Find the call that says bad boy and figure out who calls it, either in the deadlisting or during debugging. See who checks the time (remember the push ecx, push ecx, fstd series of instructions) before deciding to call the bad boy code.

    If you need help, ask again
    Last edited by naides; January 12th, 2006 at 19:48.

  5. #20
    Naides is Nobody
    Quote Originally Posted by ksbrace
    Ok, when I put a break point at 624378CF (GetLocalTime call.) and I analyze the first time it stops there. The EAX says: 0012FCCC, when I convert that to decimal I get 1244364, ECX: 0012FA60, decimal: 1243744

    EAX: 0012FCCC, decimal: 1244364
    ECX:0012FA60, decimal: 1243744


    When I stop it at the return statement (624378E5):
    EAX: 0012FCDC, decimal: 1244380
    ECX: 0012FC88, 1244296

    Now it stops there several, seemed like hundreds, of times.

    Sorry, I did not answer your question. Look at the comments.
    The date and time are not returned in EAX; it is a little convoluted.

    Code:
    624378C5  /> 55             PUSH EBP                        ; typical call start frame
    624378C6  |. 8BEC           MOV EBP,ESP
    624378C8  |. 83EC 18        SUB ESP,18                      ; opens dec 24 bytes of space on the stack
    624378CB  |. 8D45 E8        LEA EAX,DWORD PTR SS:[EBP-18]   ; loads an address on the stack into EAX (the first time around indeed 0012FCCC);
                                                                ; this is the address of the buffer that is going to contain the date and time
    624378CE  |. 50             PUSH EAX                        ; /pLocaltime: pushes the pointer onto the stack so GetLocalTime 'knows' where to place the results
    624378CF  |. FF15 4C065162  CALL DWORD PTR DS:[<&KERNEL32.GetLocalTi>  ; \GetLocalTime
    624378D5  |. 8D45 E8        LEA EAX,DWORD PTR SS:[EBP-18]   ; if you look at the ADDRESS that was pointed to by EAX (0012FCCC)
                                                                ; (right click on the dump window and go to that address)
                                                                ; you will see what GetLocalTime returns starting at 0012FCCC.
                                                                ; It is easier to see in word format: right click the dump window in OllyDbg
                                                                ; and choose short, decimal or short, hex.
                                                                ; At 0012FCCC you will see the year 2006 in dec, or 07D6 in hex,
                                                                ; the month 0001, the day of the week 0005,
                                                                ; the day of the month 000D in hex or 00013 in dec, hour, min, secs etc.  /pLocalTime format
    624378D8  |. 8D4D F8        LEA ECX,DWORD PTR SS:[EBP-8]    ; loads the address of a buffer, EBP-8, that is 8 bytes long into ECX.
                                                                ; This buffer will contain the output of the next call.
    624378DB  |. 50             PUSH EAX                        ; pushes the address of the date in pLocalTime, the input of the next call
    624378DC  |. E8 3DC4FCFF    CALL XXXXXX.62403D1E            ; converts pLocaltime format to ctime format (the float we discussed before)
                                                                ; and returns that value in EBP-8, the buffer pointed to by ECX
    624378E1  |. DD45 F8        FLD QWORD PTR SS:[EBP-8]        ; now loads the reformatted date onto the float stack
    624378E4  |. C9             LEAVE                           ; clean house, dispose of the temporary local variables
    624378E5  \. C3             RETN                            ; return
    Last edited by naides; January 13th, 2006 at 12:30.
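    An added example (my code, not from the thread) that decodes the two time formats naides walks through above: the SYSTEMTIME buffer GetLocalTime fills at 0012FCCC (the dump words 000107D6 / 000D0005 in post #20) and the OLE/VARIANT date double seen in ST0 (post #19). It counts from the OLE Automation epoch of 30 December 1899, which is what SystemTimeToVariantTime and Excel use; the hour, minute and second words in the sample buffer are constructed, the rest are the thread's own values.

```python
"""Decode GetLocalTime's SYSTEMTIME buffer and the VARIANT date double
(whole days + fraction of a day) that SystemTimeToVariantTime produces.
Sample values are constructed from the figures quoted in the thread."""
import struct
from datetime import datetime, timedelta

# SystemTimeToVariantTime counts days from the OLE Automation epoch.
OLE_EPOCH = datetime(1899, 12, 30)

def parse_systemtime(buf: bytes) -> dict:
    """Unpack a 16-byte little-endian SYSTEMTIME (eight WORDs), the layout GetLocalTime writes."""
    if len(buf) != 16:
        raise ValueError("SYSTEMTIME is exactly 16 bytes")
    names = ("year", "month", "day_of_week", "day",
             "hour", "minute", "second", "milliseconds")
    return dict(zip(names, struct.unpack("<8H", buf)))

def day_of_week_consistent(st: dict) -> bool:
    """Cross-check wDayOfWeek (Sunday=0) against the calendar date; a mismatch means a bad dump or bogus buffer."""
    d = datetime(st["year"], st["month"], st["day"])
    return (d.weekday() + 1) % 7 == st["day_of_week"]

def systemtime_to_variant(st: dict) -> float:
    """Equivalent of SystemTimeToVariantTime: days since the epoch plus the
    fraction of the day (milliseconds are dropped, as the API does)."""
    d = datetime(st["year"], st["month"], st["day"],
                 st["hour"], st["minute"], st["second"])
    delta = d - OLE_EPOCH
    return delta.days + delta.seconds / 86400

def variant_to_datetime(v: float) -> datetime:
    """Inverse: integer part is the day count, fractional part is the day fraction,
    rounded to whole seconds (the double carries ~1e-11 of a day, far below 1 s)."""
    days = int(v)
    secs = round((v - days) * 86400)
    return OLE_EPOCH + timedelta(days=days, seconds=secs)

# Constructed dump at 0012FCCC: the thread shows dwords 000107D6 (year 2006, month 1)
# and 000D0005 (day 13, day of week 5 = Friday); 12:30:00.000 is made up here.
SAMPLE_DUMP = bytes.fromhex("D607 0100 0500 0D00 0C00 1E00 0000 0000")
# Value quoted for ST0 in post #19.
SAMPLE_ST0 = 38729.683402777780430

if __name__ == "__main__":
    st = parse_systemtime(SAMPLE_DUMP)
    print(st, "weekday ok:", day_of_week_consistent(st))
    print("as VARIANT date:", systemtime_to_variant(st))
    print("ST0 decodes to:", variant_to_datetime(SAMPLE_ST0))  # 2006-01-12 16:24:06
```

    Decoding the ST0 value lands on the evening of 12 January 2006, the day naides posted, which is the quickest sanity check that you are reading the right register.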

  6. #21
    ksbrace
    Guest
    Ok, I can see the current date at 0012FCCC. 000107D6 and then on the next line
    0012FCD0: 000D0005 and so on for the minutes, seconds, etc.

    Now, where is the date that they are comparing that to? I would think that if I set the compare date to something out into 2010 or later, that it won't expire. Or is there a way to bypass these calls altogether.

    On another note, I installed on another box and set the date to a point where it expired. I got the 'your trial has expired' nag, I then set it back to the correct date and got a 'you have tampered with the date' alert box and then the 'buy a key' nag appeared.

    So, if I fix the trial screen....what happens if I monkey around with the pc date? Would I get the 'you have tampered with the date' alert?

    One more thing, and this was somewhat bizarre. After I messed around with the date, I went into the registry and removed all of the app references and reinstalled. When I started it up, I got 'you have 2 days left of your trial' in the nag. So, I set my clock 3 days ahead and restarted the app. It then said 'you have 364 days left of your trial'. Can you explain the 364 days part? Thanks,
    Last edited by ksbrace; January 13th, 2006 at 13:07.
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  7. #22
    On the off-chance that you didn't notice, 364 = -1 (mod 365).

    Seems strange to make such an operation though. Perhaps it's just a coincidence.

  8. #23
    ksbrace
    Guest
    yeah, I did realize that 364 was -1, but it just seemed odd.
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  9. #24
    Naides is Nobody
    Quote Originally Posted by ksbrace
    Ok, I can see the current date at 0012FCCC. 000107D6 and then on the next line
    0012FCD0: 000D0005 and so on for the minutes, seconds, etc.

    Now, where is the date that they are comparing that to? I would think that if I set the compare date to something out into 2010 or later, that it won't expire. Or is there a way to bypass these calls altogether.

    To be honest with you, I do not know. Finding out where the program stores the install date was not necessary to defeat the protection, so I did not search for it. The install date could be recorded in a variety of ways: in the registry, as seems to be the case in this program; in an inconspicuous file somewhere in the Windows folder; in the time signature of some file. Often, in more than one place at a time. It can be severely encrypted and unrecognizable as a date.

    Quote Originally Posted by ksbrace
    On another note, I installed on another box and set the date to a point where it expired. I got the 'your trial has expired' nag, I then set it back to the correct date and got a 'you have tampered with the date' alert box and then the 'buy a key' nag appeared.

    Yes. I saw that. If you find the code that generates those nag screens, you will find the heart of the protection.

    Quote Originally Posted by ksbrace
    So, if I fix the trial screen....what happens if I monkey around with the pc date? Would I get the 'you have tampered with the date' alert?

    The nag screens are the weakest link of the protection. Before deciding to show a nag, the program has to find out if the user is a good or bad boy. That is what I used to defeat this particular protection. Preventing the program from showing the nag screen would only be 'shooting the messenger'. But if you know who the messenger is, you can backtrace who sent the 'bad boy message', and change its behavior.

    Quote Originally Posted by ksbrace
    One more thing, and this was somewhat bizarre. After I messed around with the date, I went into the registry and removed all of the app references and reinstalled. When I started it up, I got 'you have 2 days left of your trial' in the nag. So, I set my clock 3 days ahead and restarted the app. It then said 'you have 364 days left of your trial'. Can you explain the 364 days part? Thanks,

    No, I can not explain it without performing some in-depth analysis. You are playing the black box game: you change things around the program (registry keys) and observe the consequences in the program's behavior. It is a valid approach, but I, personally, would open the black box and find out where and how the program calculates the 364 days in your trial message. Look up the APIs that are used to read keys in the registry, and the registry ID that the program is reading. Look up and download RegMon, and you will catch the program reading the registry.
    As above in blue.
    Last edited by naides; January 13th, 2006 at 22:05.

  10. #25
    ksbrace
    Guest
    Ok, when I set the clock on my pc to be beyond the trial, I set a break at :62480CBD.
    Code:
    * Possible Reference to Dialog: DialogID_007B, CONTROL_ID:016C, "To continue using this software you must"
                                      |
    :62480CAD 686C010000              push 0000016C
    :62480CB2 FF7604                  push [esi+04]
    :62480CB5 FFD7                    call edi
    :62480CB7 8D8E74010000            lea ecx, dword ptr [esi+00000174]
    :62480CBD 85C9                    test ecx, ecx
    :62480CBF 7403                    je 62480CC4
    :62480CC1 8B4904                  mov ecx, dword ptr [ecx+04]
    when it tests it goes to the next line, but it doesn't jump to 62480CC4.....
    do I want it to jump?
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  11. #26
    Naides is Nobody
    Well KS, there is one way to find out. Make it jump and see what happens.
    test ecx,ecx: if ecx = 00000000 the zero flag is set (equals 1).
    je 62480CC4 jumps if equal, meaning if the zero flag is 1. If you look at it in the register window, the Z flag is 0. Click on it and force it to 1; the jump WILL be taken.

    But think about this: the code you are tracing constructs the nag screen that says "you are expired" or something like that. The decision to show that nag has been taken BEFORE this code is run. Look above in the code, actually at the call that calls this code, and you will see where the critical decisions are being made. YOU ARE CLOSE

  12. #27
    ksbrace
    Guest
    I'm at address 62480C79 and there is a test ecx, ecx. When I put a break on that line and then click on the Z in the registers window to make it a 1, I was expecting the next line to jump to 62480C80. It seems no matter what I do, it doesn't jump to 62480C80. This seems to be the case for 62480C9E as well. I am not sure if I'm doing something wrong (probably) or not, but it just seems like those two tests never jump.
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  13. #28
    ksbrace
    Guest
    Ok, I'm not sure what I was doing, but it's jumping now and those aren't making a difference. So, I must not be at the right spot.
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  14. #29
    ksbrace
    Guest
    What about this push 1 at 62480CA5 and the push 30 at 62480CA8?
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  15. #30
    ksbrace,

    Understand that double-clicking a flag in OllyDbg will invert its status in the processor's context for your thread so that any conditional jump ('Jcc' is the general term, examples being JZ, JNZ, JB, JPO etc.) opcodes that follow will respond accordingly.
    In natural execution, these flags are modified only by certain operations - mainly CMP and TEST (although many others such as XOR will have an effect). It is the next Jcc that 'reads' these flags and jumps or falls through accordingly. So modifying the appropriate flag after a CMP or TEST will change the behaviour of the following Jcc, provided nothing funny happens.

    I'm not sure if you understood this process. If you did, I apologise for patronising you, but if not, it may explain why you were having trouble governing the flow of your target.

    If you still don't understand, trace through your code with F7 & F8, keeping an eye on your EFlags register (and the bits that comprise it) as you step over CMPs and TESTs and watch how certain flags, (in particular the 'Z'ero flag) will change (or not change) according to the result of the comparison. The flag will retain its value until the next Jcc (it usually follows soon) is reached, which will jump accordingly.
    It's also worth noting that some Jccs are synonyms. For example, JE (jump if equal) is identical to JZ (jump if zero). This may sound counterintuitive but it comes down to the fact that the zero flag is used both by TEST to identify zeros and by CMP to test equality.

    So if I've said nothing else, I'll say that you should be inverting the value of the flag /after/ the TEST or CMP but before the Jcc, nowhere else.

    Regards
    Admiral
