Thread: armadillo I think, date check

  1. #1
    drevo
    Guest

    armadillo I think, date check

    Hi, I have a DLL (from a big program) and am trying to get it to run alone without the main program installed. The ID detectors don't detect anything, but I think it is Armadillo (an older version is Armadillo and the error messages are the same as Armadillo's). I tried all the unpackers with no luck at all; with DilloDie 1.6 I can get a dump but it does not work, others crashed or got thread errors.

    The DLL works for 15 days after it is installed. When changing the date to one month later a nag screen appears, and of course after setting the date back the nag continues, but I set up a Windows recovery point before installing, and every time I restore and install again I can get the DLL working for another 15 days.

    So where is the expiry date stored? Not in the registry, as I have restored only the registry (manually from the recovery point) and the nag still appears, so there should be a file stored somewhere.

    About the date check, the only call seems to be to the time() function. I hooked time() to always give the same time, but it didn't work. I will try to get all the files opened by doing a hook; in Filemon I get a lot of garbage, it seems.

    thanks for reading, seeU
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  2. #2
    SiGiNT
    Arma (at least the older versions) stores the date info in both the registry and a .tmp file. Get a copy of Trial Reset (hopefully you don't have AVG), and it should show you the info as well as allow you to delete it. Aside from using a script to autodelete the entries or a loader to patch in memory, you are best off unpacking it - lots of tuts for older versions around. If you are lazy like me, keep trying with DilloDie (1.6), using various combinations of the options available. Also, if you search this board, Admiral posted a tool specifically to unpack .dll's called ArmdllStrip.

    SiGiNT
    Unemployed old fart Geek - Self Employed Annoyance
    Team: Noobisco Crackers
    If someone can't do it for you, you'll never learn!

  3. #3
    drevo
    Guest
    Thanks, DilloDie 1.6 does not work with any combination, but Trial Reset did!

    Filemon gets lots of garbage, but hooking the DLL and deleting the registry keys found by Trial Reset and a temp file in the docs and settings folder does the trick partially. There is a strange file opened called
    c:\documents and setting\all users\program data\TEMP:XXXX

    I cannot get it with Explorer, but Armadillo finds and opens it.

    BTW, I cannot find ArmdllStrip here or by googling.

  4. #4
    SiGiNT
    Well,

    Here you go - I've added some notes of my own, but that is not the gospel as to how it should be used.

    SiGiNT
    Attached Files

  5. #5
    drevo
    Guest
    Thanks!! Anyway, it didn't work; it seems to do nothing, without saving any dumped file. I waited a long time. Maybe the DLL has the latest Armadillo version with new improvements.

  6. #6

    Cool

    Quote (originally posted by drevo):
    there is a strange file opened called
    c:\documents and setting\all users\program data\TEMP:XXXX

    I cannot get it with Explorer, but Armadillo finds and opens it.

    BTW, I cannot find ArmdllStrip here or by googling.
    You may want to read about ADS on NTFS file systems. Basically, each file can have more than one stream of data inside. Adding a new stream of data is simple; you can even do it at the DOS prompt. The fun thing: the file size will always display just the size of the main stream. That way you can hide a 2GB file behind a 20-byte text file. The only thing that indicates the existence of ADS is the difference between the total sum of file sizes on a partition and the amount of free space on it.
    Tools are available to browse directories for files with multiple data streams (a Windows Explorer plugin, for example), but it's just like always - you need to know where to search.

    Oh, and for your example above: if TEMP is a directory, it can have ADS as well. Very nasty thing, but a cool idea about where to hide your reg info.
    Double the killers!
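
The size mismatch described in the last post can be checked from a `dir /R` listing, which prints named streams on their own lines below the owning entry. The following is an added example, not part of the thread: it parses such a listing and reports every alternate stream and how many bytes the normal file sizes leave out. It assumes US English `dir` output, and the sample listing, path and file names are constructed.

```python
import re

# Constructed `dir /R` listing (US English locale assumed); not from the thread.
SAMPLE_DIR_R = r"""
 Directory of C:\case\sample

01/02/2024  10:15 AM    <DIR>          .
01/02/2024  10:15 AM    <DIR>          TEMP
                                    48 TEMP:XXXX:$DATA
01/02/2024  10:16 AM                20 notes.txt
                         2,147,483,648 notes.txt:payload.bin:$DATA
01/02/2024  10:17 AM             1,024 report.doc
"""

# Normal entry: date, time, then "<DIR>" or a size, then the name.
ENTRY = re.compile(r"^\d{2}/\d{2}/\d{4}\s+\d{2}:\d{2}\s+(?:AM|PM)\s+(<DIR>|[\d,]+)\s+(.+?)\s*$")
# Stream line printed by /R: no date, just a size and name:stream:$DATA.
STREAM = re.compile(r"^\s+([\d,]+)\s+(.+?):([^:]+):\$DATA\s*$")

def parse_dir_r(listing):
    """Map each entry name to its main-stream size (None for directories) and named streams."""
    entries = {}
    for line in listing.splitlines():
        m = ENTRY.match(line)
        if m:
            size, name = m.groups()
            entries[name] = {"size": None if size == "<DIR>" else int(size.replace(",", "")), "streams": {}}
            continue
        m = STREAM.match(line)
        if m:
            size, name, stream = m.groups()
            entry = entries.setdefault(name, {"size": None, "streams": {}})
            entry["streams"][stream] = int(size.replace(",", ""))
    return entries

def alternate_streams(entries):
    """Sorted (entry, stream, size) tuples for every named stream found."""
    return sorted((n, s, size) for n, e in entries.items() for s, size in e["streams"].items())

def visible_vs_hidden(entries):
    """Bytes shown as file sizes versus bytes held only in named streams."""
    visible = sum(e["size"] or 0 for e in entries.values())
    hidden = sum(size for _, _, size in alternate_streams(entries))
    return visible, hidden

if __name__ == "__main__":
    parsed = parse_dir_r(SAMPLE_DIR_R)
    print(alternate_streams(parsed), visible_vs_hidden(parsed))
```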
