Namuras
Preliminary information
Sat Nov 7 15:32:31 1998

Okay, Sandman, I've typed it all out:

As a first step, I ran the program. It immediately came up with a nag screen, reminding me to register within 30 days, and telling me that I was at day 1 of my 30 day evaluation period. So there's probably some date functions involved... I fooled around with the date settings, and sure enough, upon restart it said I was on day 5.

There is an additional possibility to register via the Help/About dialog. The registration key is an integer of 0-11 numericals. Conjecture: registration key is a (unsigned long) hash value from a free-form registration name.

I then used QuickView on the EXE to have a first impression of what it does.

* From the COFF main and optional headers, we see that there's no debug info, what a surprise 8-). Other information includes size of code and data, which can give a bit of an indication of how much work might lie ahead, should we have to resort to just looking through the code and data fields. Not much interesting stuff, really.
* From advapi32.dll, it imports RegQueryValueExA, RegOpenKeyExA, RegCloseKey and a bunch of others. Aha, so there's registry stuff involved.
* From kernel32.dll, it imports WritePrivateProfileStringA, so there's probably some kind of UM.INI involved. (See below)
* From kernel32.dll, it imports GetLocalTime, probably for the check on how many days I used it. It also imports FileTimeToDosDateTime.
* There's some information about where DATA, CODE and BSS sections start. This might be useful later on, when we might have to set access breakpoints on regions, or look for code.

The INI file was found easily, UNINSMAN.INI in UM's own directory.
There wasn't much I could tell from the INI file's fields.

After that, I've checked the registry, searching for "Uninstall" and found: "HKEY_CURRENT_USER\Software\NoktaSoftware", and "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\Uninstall Manager".

I then proceeded with simple inspection of the EXE file, with my long-trusted friend, the Norton Commander's hex viewer. Searching for "NoktaSoftware" (the Registration Key), I found a nice string close to a hit: "This registration info is illegal. No need to pirate this software. It is just 10$ to register. Support developing of this software by registering it...".

Here's a guy that expects to be cracked. This MAY indicate a strong protection. Then again, he might be totally fatalistic about it, and not have ANY protection. (They do have a point, though; if it really saves me from the M$-caused registry spam and DLL/INI files galore, it should be worth a coupla bucks... but I digress.)

Anyway, I looked in the data area around the "NoktaSoftware" hit, and found "SetKey", "Setkey", "Reg", possibly these are registry entry fields? Also, there was a registry string to access settings for explorer. Doh. It might be for the online registration, but just maybe they put their registry entries in an inconspicuous place like with the explorer settings? We'll see later on.

Too bad I haven't found the place where "day 1 of the evaluation period" is stored. Maybe the FileTimeToDosDateTime() is used on its own executable?

Well, that's about it for the preliminary look without using any debugging tools, Sandman. There's a lot of speculation here, I know, but I usually like to keep an open mind at first glance.

Regards,
Namuras