Namuras
Preliminary information
Sat Nov 7 15:32:31 1998


Okay, Sandman, I've typed it all out:

As a first step, I ran the program. It immediately came up
with a nag screen, reminding me to register within 30 days,
and telling me that I was at day 1 of my 30 day evaluation
period. So there's probably some date functions involved...
I fooled around with the date settings, and sure enough,
upon restart it said I was on day 5.

There is an additional possibility to register via the
Help/About dialog. The registration key is an integer of
0-11 numericals. Conjecture: registration key is a
(unsigned long) hash value from a free-form registration
name.

I then used QuickView on the EXE to have a first impression
of what it does.

* From the COFF main and optional headers, we see that
there's no debug info, what a surprise 8-). Other
information includes size of code and data, which can
give a bit of an indication of how much work might lie
ahead, should we have to resort to just looking through
the code and data fields. Not much interesting stuff,
really.

* From advapi32.dll, it imports RegQueryValueExA,
RegOpenKeyExA, RegCloseKey and a bunch of others. Aha,
so there's registry stuff involved.

* From kernel32.dll, it imports WritePrivateProfileStringA,
so there's probably some kind of UM.INI involved. (See
below)

* From kernel32.dll, it imports GetLocalTime, probably
for the check on how many days I used it.
It also imports FileTimeToDosDateTime.

* There's some information about where DATA, CODE and BSS
sections start. This might be useful later on, when we
might have to set access breakpoints on regions, or look
for code.


The INI file was found easily, UNINSMAN.INI in UM's own
directory. There wasn't much I could tell from the INI
file's fields.

After that, I've checked the registry, searching for
"Uninstall" and found:
"HKEY_CURRENT_USER\Software\NoktaSoftware", and
"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\Uninstall Manager".

I then proceeded with simple inspection of the EXE file,
with my long-trusted friend, the Norton Commander's hex
viewer. Searching for "NoktaSoftware" (the Registration
Key), I found a nice string close to a hit : "This
registration info is illegal. No need to pirate this
software. It is just 10$ to register. Support developing
of this software by registering it...".

Here's a guy that expects to be cracked. This MAY indicate
a strong protection. Then again, he might be totally
fatalistic about it, and not have ANY protection. (They
do have a point, though; if it really saves me from the
M$-caused registry spam and DLL/INI files galore, it
should be worth a coupla bucks... but I digress.)

Anyway, I looked in the data area around the
"NoktaSoftware" hit, and found "SetKey", "Setkey", "Reg",
possibly these are registry entry fields? Also, there was
a registry string to access settings for explorer. Doh.
It might be for the online registration, but just maybe
they put their registry entries in an inconspicuous place
like with the explorer settings? We'll see later on.

Too bad I haven't found the place where "day 1 of the
evaluation period" is stored. Maybe the
FileTimeToDosDateTime() is used on its own executable?

Well, that's about it for the preliminary look without using
any debugging tools, Sandman. There's a lot of speculation
here, I know, but I usually like to keep an open mind at
first glance.

Regards,

Namuras
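
The import listing read off QuickView in the letter above can be produced by walking a PE32 file's import directory directly, which is the usual first step when triaging what an unknown binary touches (registry, INI files, clock). This is an added example, not part of the original letter; `list_imports`, `build_sample` and the image that `build_sample` constructs are assumptions made for illustration.

```python
import struct

def rva_to_off(rva, secs):              # relative virtual address -> file offset
    for vsize, va, rsize, raw in secs:
        if va <= rva < va + max(vsize, rsize):
            return rva - va + raw
    raise ValueError("RVA 0x%x lies outside every section" % rva)

def cstr(data, off):
    return data[off:data.index(b"\0", off)].decode("ascii")

def list_imports(data):
    """Return {dll: [function, ...]} from the import directory of a PE32 image."""
    pe, = struct.unpack_from("<I", data, 0x3C)
    opt = pe + 24                                   # optional header follows COFF header
    if data[:2] != b"MZ" or data[pe:pe + 4] != b"PE\0\0" or data[opt:opt + 2] != b"\x0b\x01":
        raise ValueError("not a PE32 image")
    nsec, opt_size = struct.unpack_from("<H12xH", data, pe + 6)
    imp_rva, = struct.unpack_from("<I", data, opt + 104)   # data directory entry 1
    secs = [struct.unpack_from("<4I", data, opt + opt_size + 40 * i + 8) for i in range(nsec)]
    imports, desc = {}, rva_to_off(imp_rva, secs)
    while True:
        oft, _, _, name_rva, ft = struct.unpack_from("<5I", data, desc)
        if not name_rva:                            # all-zero descriptor ends the table
            return imports
        funcs, thunk = [], rva_to_off(oft or ft, secs)
        while True:
            entry, = struct.unpack_from("<I", data, thunk)
            if not entry:
                break
            funcs.append("#%d" % (entry & 0xFFFF) if entry & 0x80000000  # by ordinal
                         else cstr(data, rva_to_off(entry, secs) + 2))   # skip 2-byte hint
            thunk += 4
        imports[cstr(data, rva_to_off(name_rva, secs)).lower()] = funcs
        desc += 20

def build_sample(imports, base=0x1000):
    """Constructed sample input: a minimal PE32 image holding only an import table."""
    body = bytearray(20 * (len(imports) + 1))       # descriptors plus zero terminator
    for i, (dll, funcs) in enumerate(imports.items()):
        thunks = []
        for f in funcs:
            thunks.append(base + len(body))         # RVA of this hint/name entry
            body += b"\0\0" + f.encode() + b"\0"
        name, iat = base + len(body), base + len(body) + len(dll) + 1
        body += dll.encode() + b"\0" + struct.pack("<%dI" % (len(thunks) + 1), *thunks, 0)
        struct.pack_into("<5I", body, 20 * i, iat, 0, 0, name, iat)
    n = len(body)                                   # one ".idata" section at file offset 0x200
    return struct.pack("<2s58xI4sHH12xH2xH102xII112x8s4I", b"MZ", 0x40, b"PE\0\0", 0x14C, 1, 0xE0,
                       0x10B, base, n, b".idata", n, base, n, 0x200).ljust(0x200, b"\0") + bytes(body)
```

On a file from disk, pass its bytes to `list_imports`; 64-bit (PE32+) images are rejected rather than misparsed.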