Page 3 of 5 (results 31 to 45 of 74)

Thread: 30 day trial license

  1. #31
    Naides is Nobody (Join Date: Jan 2002; Location: Planet Earth; Posts: 1,647)
    KS: The point of this exercise is to introduce you (and other newbies who may read this) to RCE.
    At this point you are not closing in on the protection. That is OK. I told you it was not a trivial protection.

    The area of code you are tracing is NOT the center of the protection.
    Let us take two steps backward and examine the big picture.

    If you start the app after monkeying around with the date, you are greeted with a MESSAGEBOX that tells you 'No license has been found. . . '

    If you look for this message 'No license has been found. . . ' you will find no fewer than 13 instances of 'Possible reference to . . .'. The majority of them are false positives.

    As it happens, the identifier of this string 'No license has been found. . . ' is 0x110, which is also a very common Windows message ID, therefore that code is probably involved in message handling, not producing the nag. So how can we find the code that indeed displays the nag?

    If you place a breakpoint on MessageBoxW right when the app starts, you will break at the piece of code that generates the 'No license has been found. . . ' nag.

    at 62439700 it calls MessageBoxW (W means it is using Unicode strings).
    A few lines above you see that the app
    push 110 so this is where the nag is generated. . .

    If you scroll above this piece of code, you see that here the program is going through a long 'case' structure that determines what nag to display. The protection is not here. If you change jumps above this MessageBoxW piece of code you only change the message displayed, not the behavior of the program.

    But if you find the call that called this code, either by looking in the call stack or by tracing until the ret instruction,

    you get to code address 62438978.

    Scroll up into this piece of code, and you will see that this code at 6243890B, checks the time,

    Then calls some function
    then checks a flag

    6243892A . 66:83BF BC0100>CMP WORD PTR DS:[EDI+1BC],2
    two times

    Depending on the state of that flag, it jumps to the instruction that shows the nag; otherwise it keeps going.

    Right here is where the protection is making the key decisions.

    Learn its behavior.
    Look at what conditional jumps are taken when the program is OK and compare with what jumps are taken when the program is expired. Either force the jumps or find out who controls the flags that direct those jumps...
    Last edited by naides; January 15th, 2006 at 11:43.

  2. #32
    ksbrace
    Guest
    I found your post very informative and interesting. Is it SOP to put a breakpoint at MessageBoxW?
    Also, I'm not quite sure I'm viewing the call stack window correctly, or maybe I don't have the settings correct. I would have thought every call would be listed there; am I doing something wrong? Usually in Java/C++ when debugging and using an IDE, I can see every call being made/was made. It seems when it's all done, all I see is the ntdll, msvcrt, and kernel32 calls.

    Ok, so, for some reason, I can't seem to get rid of everything from the registry and so I was getting the "invalid license due to clock tampering".
    I **think** I 'patched' that at address 6243962C, by changing the 0F85 to an 0F84. It now goes directly to "Your trial has now ended."
    I guess I'm not sure if I killed the messenger or not.

    So, I'm trying to work my way through the jumps that occur from address 6243892A, as you suggested.
    I changed the jump at 62438932 to the following and watched whether it jumped or not, but I still get the "Your trial has now ended." nag screen no matter what I set that to.
    70 - jo didn't jump
    71 - jno jumped
    72 - jb jumped
    73 - jnb didn't jump
    74 - je didn't jump
    75 - jnz jumped
    76 - jbe jumped
    77 - ja didn't jump
    78 - js jumped
    79 - jns didn't jump
    7F - jg didn't jump
    7E - jle jumped
    7D - jge didn't jump
    7C - jl jumped
    7B - jpo didn't jump
    7A - jpe jumped

    I'm not sure if that is what you wanted me to test or not, but that is what I did. On top of that, I wasn't sure if the 'clock tampering' issue was causing this nag to appear or not. My other box took a big crap on Sunday and I need to get a new hard drive before I can have 2 machines back up.
    Although, I thought about installing a VMware OS just to test. Any help is always greatly appreciated. Thanks,
    Last edited by ksbrace; January 17th, 2006 at 14:14.
    I promise that I have read the FAQ and tried to use the Search to answer my question.
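The taken/not-taken list in the post above is a flag dump in disguise: each short Jcc (70-7F) tests a fixed combination of OF, CF, ZF, SF and PF, so the pattern pins down the flags, and the flags pin down what the CMP compared. The following Python is an added example written for this page, not code from the thread or from the program being traced. It assumes the flags at 62438932 are still the ones left by CMP WORD PTR DS:[EDI+1BC],2 at 6243892A, which only holds if no instruction between the two writes EFLAGS; the OBSERVED table is transcribed from the post.

```python
"""Which short conditional jumps (opcodes 70-7F) a given EFLAGS state takes,
and which flags a CMP leaves behind. Added example; not code from the thread."""

# Opcode -> (mnemonic, condition on the flags). Each odd opcode negates its
# even neighbour, which is why 74/75 (je/jne) and 7C/7D (jl/jge) pair up.
JCC = {
    0x70: ("jo",  lambda f: f["OF"]),
    0x71: ("jno", lambda f: not f["OF"]),
    0x72: ("jb",  lambda f: f["CF"]),
    0x73: ("jnb", lambda f: not f["CF"]),
    0x74: ("je",  lambda f: f["ZF"]),
    0x75: ("jne", lambda f: not f["ZF"]),
    0x76: ("jbe", lambda f: f["CF"] or f["ZF"]),
    0x77: ("ja",  lambda f: not (f["CF"] or f["ZF"])),
    0x78: ("js",  lambda f: f["SF"]),
    0x79: ("jns", lambda f: not f["SF"]),
    0x7A: ("jpe", lambda f: f["PF"]),
    0x7B: ("jpo", lambda f: not f["PF"]),
    0x7C: ("jl",  lambda f: f["SF"] != f["OF"]),
    0x7D: ("jge", lambda f: f["SF"] == f["OF"]),
    0x7E: ("jle", lambda f: f["ZF"] or f["SF"] != f["OF"]),
    0x7F: ("jg",  lambda f: not f["ZF"] and f["SF"] == f["OF"]),
}


def cmp_flags(a, b, bits=16):
    """Flags that CMP a, b leaves (it computes a - b and discards the result).
    bits=16 matches a CMP WORD PTR ..., imm8."""
    mask = (1 << bits) - 1
    sign = 1 << (bits - 1)
    a &= mask
    b &= mask
    res = (a - b) & mask
    return {
        "CF": a < b,                                # unsigned borrow
        "ZF": res == 0,
        "SF": bool(res & sign),
        "OF": bool((a ^ b) & (a ^ res) & sign),     # signed overflow on subtract
        "PF": bin(res & 0xFF).count("1") % 2 == 0,  # even parity of the low byte
    }


def taken_pattern(flags):
    """Mnemonic -> whether that Jcc would be taken under `flags`."""
    return {name: bool(cond(flags)) for name, cond in JCC.values()}


# The list ksbrace reports after trying every opcode at 62438932 (from the post).
OBSERVED = {
    "jo": False, "jno": True, "jb": True, "jnb": False,
    "je": False, "jne": True, "jbe": True, "ja": False,
    "js": True, "jns": False, "jg": False, "jle": True,
    "jge": False, "jl": True, "jpo": False, "jpe": True,
}


def values_matching(observed, b=2, bits=16):
    """Operand values a for which CMP a, b reproduces `observed` exactly.
    Brute force over the operand width: 65536 candidates at 16 bits."""
    return [a for a in range(1 << bits)
            if taken_pattern(cmp_flags(a, b, bits)) == observed]


if __name__ == "__main__":
    for a in (0, 1, 2, 3):
        f = cmp_flags(a, 2)
        taken = [m for m, t in taken_pattern(f).items() if t]
        print("cmp %d,2 -> %s taken: %s" % (a, f, " ".join(taken)))
    print("values reproducing the observed pattern:", values_matching(OBSERVED))
```

Run as a script it prints the flags for a few operand values and the values that reproduce the list. Under the assumption stated above, only a compared word of 1 does: CF=1 (below 2), ZF=0, SF=1, OF=0 and PF=1 (the low byte of 0xFFFF has even parity; 0 - 2 gives 0xFFFE, odd parity, so jpe would not have jumped). The same table answers the question the other way round before you touch a byte: look the new opcode up in JCC and evaluate its condition against the flags shown in the register window.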

  3. #33
    SiGiNT (title: reknihT esreveR; Join Date: Sep 2004; Location: Wherever I am; Posts: 750)
    This may be a different approach: rather than changing jumps and seeing what the effect is, set a bp at 6243892A, run Olly (it should break), and use F8 to step through the code. You should arrive at a call (to a subroutine which is a jump to the nag) that, when executed, brings up the nag. Look above in the code for a jump past that call; you can try forcing the jump past, or modifying what it's testing to make the jump execute, and see what happens.

    SiGiNT
    Unemployed old fart Geek - Self Employed Annoyance
    Team: Noobisco Crackers
    If someone can't do it for you, you'll never learn!

  4. #34
    ksbrace
    Guest
    Ok, this is what I have discovered:
    I put a break on 6243892A and F8 my way down to 624389DA, which calls 62405BDC, which delivers the nag by calling 6243DA7F.

    But there is a jump that skips over that section at 624389B1 if I change the z-flag, and it jumps to 62438AD3. From there, I F8 down and at 62438B44 there is a je to 62438D1B and it doesn't jump. The next line is a cmp dword ptr ds:[edi+154],ebx. Then on the next line, there is a jnz to 62438D1B (same as 2 lines above) and it DOES jump.
    I F8 my way down to 62438D5C and there is a jmp to 62438D9F and it does jump. From there, I keep F8'ing my way and I come to 62439CC9 and there is a JNZ to 62439CE3 and it does jump.
    I eventually come to another jump at 62439DE8 and it doesn't jump.
    I eventually stop at 62439E10:
    Warning:

    The product is not licensed for this system. The application will not start. (picture of usb/parallel dongles).

    Now, I don't know if I'm going forward or backwards as far as debugging this app goes.
    Thanks again.

  5. #35
    SiGiNT
    You are definitely moving forward. Before that jump is a test eax,eax; if eax=0 then the jump will be taken. Put a break on test eax,eax. You can change the eax value by clicking on it in the register window; run from that point and see what happens. If that works, think of ways to change that value so that it will pass the test.

    SiGiNT

  6. #36
    Naides is Nobody
    You are very close.
    The only hurdle left to bypass is that last nag screen.
    If you look at the code right above that call 62439E10 you will see a JGE. If you force it to jump, so the nag is not displayed, the program runs (at least on my box) and you are done.


    NOW:

    The hardest part was locating the protection.
    Just by changing a few jumps you can make the program an eternal demo.
    Can you make it registered??
    That is more challenging, but not impossible. Just locate and analyze.
    Find the text that says thank you or something like that.

    How does it feel?
    Last edited by naides; January 17th, 2006 at 20:08.

  7. #37
    SiGiNT
    Hmmmm,

    I just realized I hadn't expired the program - sooooooo - previous info deleted.

    A word of caution: this prog is sensitive to its own name, don't change it.

    AND to clean it up a little simply change the read-only attribute in the <target>.ui file and remove the word Trial.

    SiGiNT
    Last edited by SiGiNT; January 17th, 2006 at 21:19.

  8. #38
    Howdy,

    I would LOVE to see a final report on this from ksbrace.
    I could not be more happy about the fact that a few of you select people have taken the time to teach someone who has the basic skills.

    This is what the newbie forum should be about.

    Best regards, Woodmann

  9. #39
    SiGiNT
    Well,

    Success, kinda! I think the clock setback is screwing everything up; I'm looking for a solution to that. With the setback patched and the xor eax,eax at 624389AF and with naides' JGE patched, the app runs but some features are missing: analyze brings up the unlicensed feature screen.

    SiGiNT

  10. #40
    ksbrace
    Guest
    Ok, I was about to pop the champagne last night and toast everyone here for their help and their time. When I made the last (at least I thought it was) patch last night and started the program, I also noticed what sigint33 already posted.

    I'm getting a license error via an embedded HTML page (or at least it has the look and feel of an HTML page). When I click on the Analyzer icon/button, I'm missing all of the analyzation tools. It DOES play back video files under the Player icon/button.

    I got my other box up and running thanks to a new hard drive and installed the app on there and I haven't toyed with expiring the clock because I wanted to have a working version to compare the differences.

    Now, I have only made three mods to the exe:
    1. 6243962C changed it from 0F87 to 0F84 (time tamper)
    2. 624389B1 changed it from 0F84 to 0F85 (expired)
    3. 62439DE8 changed it from 7D to 7C (dongle)

    Looking back on this process, it reminds me of debugging any kind of app of a decent size. I have been working with an open source app called uPortal for the university I work for, and the first time I took a look at it I was like "I'm never going to find my way around." But as time went by, you get involved in the app and you know where to go and what to look for, and actually know how to make changes correctly and even submit a couple of changes back to the open source community. Very similar to this. So, I should have just been a bit more patient and tried to get my head wrapped around the app. Instead, I acted like a freshman taking their first programming course and just asking for too much help as soon as they get an error. I'm obviously not as comfortable with asm, so that in and of itself causes panic mode to set in early. I should have taken some more asm courses at school.

    I think one of the biggest obstacles is learning a new IDE. This is the first time using a live debugger for asm; I have only previously used W32DASM and HIEW. Those that use it all of the time find it invaluable....and it is. Those who have never used it find any IDE hard to use, hard to find things, etc...
    Just like when you switch jobs or courses. One place may be a big .NET shop and you have to learn Visual Studio, then you get a new job and it's a Java shop and you are dealt Eclipse or IntelliJ or whatever flavor of IDE they are using. In fact, I'm still not sure how to PERMANENTLY edit the exe file. I ended up opening HIEW and editing the lines in there. While I'm talking about the IDE, here's a funny/quirky situation. On my one box, I set some breakpoints and when I reload (Ctrl-F2) the app, the breakpoints are there. On my other machine, every time I reload, I have to reset the breakpoints. I have checked and double checked the settings and they appear to be identical. Is there a setting to save the breakpoints, or is one of my machines not acting correctly? I also still don't think that the call stack and trace windows are giving me the info that I want to see. I'm not seeing every call made, nor am I seeing anything in the run trace window. But, I've only been working with this IDE for a few days, so I just may be overlooking a setting or something.

    I think the hardest part of this exercise was finding the protection scheme(s). Learning about putting a bp on MessageBox was an important learning tip and makes complete sense. Being patient and just stepping through the code is also a necessity.

    Thanks for your help and I would like to continue on and get this to work 100%. Meanwhile, the champagne is on ice! Thanks again.
    Last edited by ksbrace; January 19th, 2006 at 11:35.

  11. #41
    Naides is Nobody
    Well, I must confess that I never ran the program much more than a few initial commands, so I did not notice the limited functionality because of the invalid license situation until SigInt pointed it out.
    Weeelll, I myself ended up shooting the messenger and thinking that the bad news was going to go away.

    Back to the drawing board.
    KS: You have some idea where the license is being evaluated, around that "3. 64439DE8 changed it from 7D to 7C (dongle)". See where the code gets its good boy or bad boy information.

    Also trace the app in a virgin box (or a VMware machine) and see how the "temporarily" valid license status is evaluated/read, and you may open the bubbly soon thereafter.

  12. #42
    SiGiNT
    naides,

    I installed it fresh on a different machine last night. Installwatch says it installs an incredible number of files outside the prog dir, and registry entries number in the hundreds, so killing the clock-turned-back may not be feasible. But the interesting thing is, with the trial valid it bypasses the code at 643892A, so the decision may be made farther up in the code as to expired or not. I won't have time to play with it today, but maybe tomorrow. ksbrace: I patched the clock set back nag at a different place than you indicate; I can't find a 0F 85 at the address you list, it's an 0F 87, and the nag appears before that address is reached. Typo????

    SiGiNT

  13. #43
    ksbrace
    Guest
    sigint33,
    Yes, it was a typo, it was 0F87. Now, I'm thinking that I should have maybe set it to 0F86 instead of 0F84. If it doesn't jump with 0F87, then I should have set it to 0F86. 0F87 is jump if above. 0F86 is jump if below or equal, which would make more sense, right? I'm going to install it again and see if I can find anything.

  14. #44
    ksbrace
    Guest
    Sigint33,
    I overlooked part of your last comment. I made the change at 6243962C and I don't get the time tamper error. Where did you make your change that avoids the time tamper clock error?

  15. #45
    SiGiNT
    I am at work and don't have it installed on my laptop, but the jump I modified was the second jump below CMP eax,59. I tried it 2 ways: I modified CMP eax,59 to CMP eax,58, which will do it also, but I finally chose to just modify the second jump down. Since you are unfamiliar with Olly, you should be able to find the spot easily by making the CPU window active, hitting Ctrl+F and entering CMP eax,59.

    SiGiNT

    Tip: on a jump near (0F8x), you can force a jump by changing it to 90E9, as on a jump short (7x), you can change it to EB.

    Interesting side note: I believe that second jump down is after a cmp ptr DS:xxxxxxxx, 0. I changed cmp to mov and re-entered the jump that got blown away as a jmp, not jcc, and I ended up with a completely different reg screen: you had a choice of registering over the internet or not; if you choose not, automatically you get a different serial number screen, one with the serial displayed and an activation code required, probably the same screen you would get if you fished the initial serial. Good place for fishing.

    test changed to CMP
    Last edited by SiGiNT; January 18th, 2006 at 20:05.
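The patches collected over this thread are all byte edits of the same two kinds: flip the low bit of a Jcc opcode to invert it (0F85 to 0F84, 7D to 7C, 0F87 to 0F86), or overwrite it with EB or 90 E9 to force it, as in SiGiNT's tip above. The Python below is an added example written for this page (mine, not code from the thread or from the target program): it decodes a jump, applies each kind of patch, checks that the branch target survives, and does the VA-to-file-offset mapping ksbrace needed to make the change stick in HIEW. The byte sample, the image base and the section table are constructed for illustration; in practice the section values come from the real module's PE headers.

```python
"""Patching x86 conditional jumps the way the thread does it: invert the
condition (0F85 -> 0F84, 7D -> 7C), force it (7x -> EB, 0F8x -> 90 E9) or
NOP it out, and map a debugger address to the byte to change on disk.
Added example; the sample bytes and section table are constructed."""

import struct


def decode_jump(code, off):
    """Return (form, opcode, length, target) for the jump at code[off].
    target is an offset into `code`, counted from the end of the instruction."""
    op = code[off]
    if 0x70 <= op <= 0x7F or op == 0xEB:              # Jcc rel8 / JMP rel8
        rel = struct.unpack_from("<b", code, off + 1)[0]
        return "short", op, 2, off + 2 + rel
    if op == 0x0F and 0x80 <= code[off + 1] <= 0x8F:  # Jcc rel32
        rel = struct.unpack_from("<i", code, off + 2)[0]
        return "near", code[off + 1], 6, off + 6 + rel
    if op == 0xE9:                                    # JMP rel32
        rel = struct.unpack_from("<i", code, off + 1)[0]
        return "near", op, 5, off + 5 + rel
    raise ValueError("no jump at offset 0x%X" % off)


def patch_jump(code, off, mode):
    """mode 'invert': flip the condition (lowest opcode bit, e.g. 85 -> 84).
    mode 'force':  unconditional jump to the same target.
    mode 'never':  replace the whole instruction with NOPs."""
    form, op, length, _ = decode_jump(code, off)
    out = bytearray(code)
    if mode == "invert":
        if op in (0xEB, 0xE9):
            raise ValueError("unconditional jump has no condition to invert")
        out[off + (1 if form == "near" else 0)] ^= 1
    elif mode == "force":
        if form == "short":
            out[off] = 0xEB
        else:
            # NOP + JMP rel32 still ends at off+6, so the existing rel32
            # displacement stays correct without recalculation.
            out[off:off + 2] = b"\x90\xE9"
    elif mode == "never":
        out[off:off + length] = b"\x90" * length
    else:
        raise ValueError(mode)
    return bytes(out)


def va_to_file_offset(va, image_base, sections):
    """Map a virtual address seen in the debugger to the file offset for a hex
    editor. sections: (VirtualAddress, VirtualSize, PointerToRawData) per PE
    section, taken from the module's section headers."""
    rva = va - image_base
    for vaddr, vsize, raw in sections:
        if vaddr <= rva < vaddr + vsize:
            return raw + (rva - vaddr)
    raise ValueError("VA 0x%X is not inside any section" % va)


# Constructed snippet shaped like the decision point naides describes
# (cmp word ptr [edi+1BCh],2 followed by conditional jumps). Not target bytes.
SAMPLE = bytes.fromhex(
    "66 83 BF BC 01 00 00 02 "  # 0x00: cmp word ptr [edi+1BCh], 2
    "0F 85 10 00 00 00 "        # 0x08: jne near +0x10 -> 0x1E
    "7D 05 "                    # 0x0E: jge short +5   -> 0x15
    "90 90 90 90 90"            # 0x10: filler
)
JNE_OFF, JGE_OFF = 0x08, 0x0E

# Constructed section table and base; assumptions for the example only.
IMAGE_BASE = 0x62400000
SECTIONS = [(0x1000, 0x40000, 0x400)]  # VirtualAddress, VirtualSize, PointerToRawData


if __name__ == "__main__":
    print("jne target: 0x%X" % decode_jump(SAMPLE, JNE_OFF)[3])
    forced = patch_jump(SAMPLE, JNE_OFF, "force")
    print("after 90 E9 the JMP at +1 targets 0x%X" % decode_jump(forced, JNE_OFF + 1)[3])
    print("inverted jge opcode: %02X" % patch_jump(SAMPLE, JGE_OFF, "invert")[JGE_OFF])
    print("file offset for VA 6243962C: 0x%X" % va_to_file_offset(0x6243962C, IMAGE_BASE, SECTIONS))
```

Why 90 E9 works: 0F 8x rel32 and 90 followed by E9 rel32 both end at the same byte, and rel32 is relative to the end of the instruction, so the displacement needs no recalculation; the same holds for 7x to EB with rel8. Inverting is a one-bit flip because every even Jcc opcode has its negation at the next odd opcode. Which of the three modes is right at a given address is decided by watching which path the unexpired install takes, not by the encoding.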
