Posted by Eternal Bliss on 1/21/2000, 11:32 pm
194.69.99.18
hiya
I tried to delete everything in the "HKCU\Software\Acon AS" key but still get the expired message. Deleting each key on its own does not help either. So, I deleted the whole key again and then reinstalled the program to see what happens.
Well, "HKEY_CURRENT_USER\Software\Acon AS\Acoustica\2.0\General\C" appears with a
hex value of 00024BCB. When I run the program, it shows me 0 days usage again... Bingo. 8)
"Cross" value is now created and stored while "C" is changed to another value to show that the program has been run after it has been installed. This explains why deleting anything will not work.

I went back to the disassembled program and checked out "C" in the SDR. Found two instances.
Newbies, to find the two instances, double click on the "C" SDR once and you will go to the first instance. Double click it again and you will get to the 2nd one.

Below is the piece of code of interest...
:00446BBC 55 push ebp
:00446BBD 8BEC mov ebp, esp
:00446BBF 83C4F0 add esp, FFFFFFF0
:00446BC2 6A00 push 00000000
:00446BC4 8D45F4 lea eax, dword ptr [ebp-0C]
:00446BC7 50 push eax

* Possible StringData Ref from Data Obj ->"C"
First Instance of "C"
|
:00446BC8 68B49F4900 push 00499FB4

* Possible StringData Ref from Data Obj ->"General"
|
:00446BCD 68AC9F4900 push 00499FAC
:00446BD2 8B15E68B4A00 mov edx, dword ptr [004A8BE6]
:00446BD8 52 push edx
:00446BD9 E8FACEFCFF call 00413AD8
Follow into this call and you will come across a RegQueryValueExA.
That will get the value of "C" which is in the key "General"
:00446BDE 83C414 add esp, 00000014
:00446BE1 6A00 push 00000000
:00446BE3 8D4DF0 lea ecx, dword ptr [ebp-10]
:00446BE6 51 push ecx

* Possible StringData Ref from Data Obj ->"Cross"
|
:00446BE7 68BD9F4900 push 00499FBD

* Possible StringData Ref from Data Obj ->"Reverb"
|
:00446BEC 68B69F4900 push 00499FB6
:00446BF1 A1E68B4A00 mov eax, dword ptr [004A8BE6]
:00446BF6 50 push eax
:00446BF7 E8DCCEFCFF call 00413AD8
Same call again. Getting value of "Cross"
:00446BFC 83C414 add esp, 00000014
:00446BFF 8D55F8 lea edx, dword ptr [ebp-08]
:00446C02 52 push edx

* Reference To: KERNEL32.GetSystemTimeAsFileTime, Ord:0000h
GetSystemTimeAsFileTime to be explained later
|
:00446C03 E8EA440400 Call 0048B0F2
:00446C08 8B4DF4 mov ecx, dword ptr [ebp-0C]
:00446C0B 81F9CB4B0200 cmp ecx, 00024BCB
00024BCB is the original value of "C" on a "clean" install
like I said at the start
:00446C11 754E jne 00446C61
jump if not equal. ie. not "clean" install (our case)
00446C13 to 00446C5F stores "Cross" value and changes "C" value
:00446C13 8B45F0 mov eax, dword ptr [ebp-10]
:00446C16 85C0 test eax, eax
:00446C18 7547 jne 00446C61
:00446C1A E851EB0300 call 00485770
:00446C1F B930750000 mov ecx, 00007530
:00446C24 99 cdq
:00446C25 F7F9 idiv ecx
:00446C27 52 push edx

* Possible StringData Ref from Data Obj ->"C"
|
:00446C28 68CB9F4900 push 00499FCB

* Possible StringData Ref from Data Obj ->"General"
|
:00446C2D 68C39F4900 push 00499FC3
:00446C32 A1E68B4A00 mov eax, dword ptr [004A8BE6]
:00446C37 50 push eax
:00446C38 E84BD0FCFF call 00413C88
:00446C3D 83C410 add esp, 00000010
:00446C40 8B55FC mov edx, dword ptr [ebp-04]
:00446C43 52 push edx

* Possible StringData Ref from Data Obj ->"Cross"
|
:00446C44 68D49F4900 push 00499FD4

* Possible StringData Ref from Data Obj ->"Reverb"
|
:00446C49 68CD9F4900 push 00499FCD
:00446C4E 8B0DE68B4A00 mov ecx, dword ptr [004A8BE6]
:00446C54 51 push ecx
:00446C55 E82ED0FCFF call 00413C88
:00446C5A 83C410 add esp, 00000010
:00446C5D B001 mov al, 01
:00446C5F EB22 jmp 00446C83

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00446C11(C), :00446C18(C)
|
:00446C61 8B45FC mov eax, dword ptr [ebp-04]
:00446C64 8B55F0 mov edx, dword ptr [ebp-10]
:00446C67 2BC2 sub eax, edx
Loaded SICE and bpx on GetSystemTimeAsFileTime
and traced through here to find out what eax and edx are
and why there is a subtraction.
edx is the value stored in "Cross" and eax is the value the program got
when it called GetSystemTimeAsFileTime. Thus, the older value is subtracted
from the newer value to see what is left.

* Possible Reference to Dialog: DialogID_0072, CONTROL_ID:00CA, ""
|
* Possible Reference to String Resource ID=00202: "Analyses selection containing pure noise"
|
:00446C69 B9CA000000 mov ecx, 000000CA
:00446C6E 33D2 xor edx, edx
:00446C70 F7F1 div ecx
Some calculations to convert it to days left. Answer is in eax
:00446C72 8BC8 mov ecx, eax
Days left stored in ecx
:00446C74 890DF68D4A00 mov dword ptr [004A8DF6], ecx
:00446C7A 83F91E cmp ecx, 0000001E
1E is the hex for 30 in decimal.
To find out, type "? 1E" without the quotes in SICE
and you will see 00000030. So days left (value of ecx) is compared to 30.
:00446C7D 0F9EC0 setle al
:00446C80 83E001 and eax, 00000001

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00446C5F(U)
|
:00446C83 8BE5 mov esp, ebp
:00446C85 5D pop ebp
:00446C86 C3 ret

Using MSDN or the Win32 Programmer's Reference (win32.hlp), I got this information.
The GetSystemTimeAsFileTime function obtains the current system date and time. The information is in Coordinated Universal Time (UTC) format.
lpSystemTimeAsFileTime
Pointer to a FILETIME structure to receive the current system date and time in UTC format.

The FILETIME structure is a 64-bit value representing the number of 100-nanosecond intervals since January 1, 1601.
dwLowDateTime
Specifies the low-order 32 bits of the file time.
dwHighDateTime
Specifies the high-order 32 bits of the file time.

Summary
Ok. This sounds like rubbish to me. But what it means is that the program uses this API to get the date and time in this format every time. The first value is stored in "Cross", and the program knows that it should store the value instead of reading it because of the value in "C" (00024BCB). After that, the value of "C" is changed and subsequently the program will only read from "Cross" and not store values to it. When the program runs, the date and time is retrieved again and the value of "Cross" is subtracted from it. A conversion is done to get it to days left. Then, days left is compared to 1Eh.

There are a few places to patch in this piece of code that will make the program function forever...
Regards
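Added example (editor's note, not part of Eternal Bliss's post and not Acoustica's own code): a Python model of the routine at 00446BBC..00446C86, reconstructed only from the listing above. Two things in the listing pin down the arithmetic. First, lea edx,[ebp-08] passes the FILETIME to GetSystemTimeAsFileTime, so [ebp-08] is dwLowDateTime and [ebp-04] is dwHighDateTime; the subtraction at 00446C67 therefore works on the high dword only. Second, the high dword ticks once every 2^32 * 100 ns, about 429.5 seconds, so it moves about 201.2 times per day, which is where the divisor 0CAh (202) comes from. Assumptions in the model: the registry is a plain dict, the install time is a constructed sample, and call 00485770 (whose result is reduced mod 7530h and written to "C") is treated as an opaque nonnegative integer, probably a rand() but that is a guess.

```python
# Added example: Python model of the trial check at 00446BBC-00446C86,
# reconstructed from the W32Dasm listing in the post. It is not Acoustica's
# own code and is not from the post.
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

CLEAN_C = 0x00024BCB        # "C" as the installer leaves it (from the post)
RAND_MODULUS = 0x7530       # 30000, the idiv divisor at 00446C1F
HIGH_DWORDS_PER_DAY = 0xCA  # 202, the div divisor at 00446C69
TRIAL_DAYS = 0x1E           # 30, the cmp constant at 00446C7A

# Constructed sample install time (the post's own timestamp), not real data.
INSTALL_TIME = datetime(2000, 1, 21, 23, 32, tzinfo=timezone.utc)


def to_filetime(when):
    """Return (dwLowDateTime, dwHighDateTime) for a UTC datetime: a FILETIME
    is the count of 100 ns ticks since 1601-01-01 split into two dwords."""
    delta = when - FILETIME_EPOCH
    ticks = (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10
    return ticks & 0xFFFFFFFF, (ticks >> 32) & 0xFFFFFFFF


def high_dwords_per_day():
    """How often dwHighDateTime increments per day: 86400 s / (2**32 * 100 ns),
    about 201.2. That is why dividing the high-dword difference by 0CAh (202)
    yields something close to days."""
    return 86400 * 10_000_000 / 2 ** 32


def trial_check(reg, now, opaque_value=12345):
    """Model of 00446BBC..00446C86. `reg` is a dict standing in for the values
    under HKCU\\Software\\Acon AS\\Acoustica\\2.0, keyed by (subkey, name).
    `opaque_value` stands in for the return of call 00485770 (assumed here to
    be a nonnegative integer such as a rand() result).
    Returns 1 (al=01) if the program may run, 0 if the trial has expired."""
    c = reg.get(("General", "C"), 0)          # RegQueryValueExA -> [ebp-0C]
    cross = reg.get(("Reverb", "Cross"), 0)   # RegQueryValueExA -> [ebp-10]
    _low, high = to_filetime(now)             # GetSystemTimeAsFileTime -> [ebp-08], [ebp-04]

    if c == CLEAN_C and cross == 0:
        # 00446C13..00446C5F, first run after a clean install: replace "C" so this
        # branch is never taken again and record the current high dword in "Cross".
        reg[("General", "C")] = opaque_value % RAND_MODULUS   # idiv ecx / push edx
        reg[("Reverb", "Cross")] = high
        return 1

    # 00446C61..00446C80: only the high dword of the FILETIME takes part.
    elapsed = (high - cross) & 0xFFFFFFFF     # sub eax, edx (32-bit wraparound)
    days = elapsed // HIGH_DWORDS_PER_DAY     # xor edx, edx / div ecx
    reg["004A8DF6"] = days                    # mov [004A8DF6], ecx
    return 1 if days <= TRIAL_DAYS else 0     # cmp ecx, 1Eh / setle al


def simulate(days_later, delete_cross=False):
    """Install, run once (which writes "Cross"), optionally delete "Cross" the way
    the post tried, then run again `days_later` days after install.
    Returns (result, counter) where counter is what lands in 004A8DF6."""
    reg = {("General", "C"): CLEAN_C}         # what the installer leaves behind
    trial_check(reg, INSTALL_TIME)
    if delete_cross:
        del reg[("Reverb", "Cross")]
    result = trial_check(reg, INSTALL_TIME + timedelta(days=days_later))
    return result, reg["004A8DF6"]


if __name__ == "__main__":
    for n in (0, 10, 29, 31, 45):
        result, counter = simulate(n)
        print(f"{n:3d} days after install: result={result} counter={counter}")
    print("Cross deleted, C left as is:", simulate(1, delete_cross=True))
```

The simulate(1, delete_cross=True) case reproduces what the post ran into: with "Cross" gone but "C" no longer equal to 00024BCB, the store branch is skipped, "Cross" reads back as 0, and the quotient becomes the entire high dword divided by 202, which is far beyond 30, so the expired message comes up on the very next run.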