Posted by evilTeach on 1/20/2000, 3:32 pm
Well, the registry entry for the date (found in Reverb/Cross) is created at the time of installation. It is based on the GetSystemTimeAsFileTime function... A quick glance at the Win32 help files (available on +Sandman's site) shows that this function takes a FILETIME structure as a parameter, and after the call this function contains the current date/time as a 64-bit value. This value contains the number of 100ns intervals since Jan 1, 1601 (a VERY LARGE number).
This value is stored in the FILETIME structure as 2 32-bit values. After playing around with the function for a few minutes I was able to realize that the lower 32 bits are changing too fast to be of any importance. Thus, I paid attention to the upper 32 bits. I created a simple program that displays the FILETIME in hex and decimal format with the press of a button. I found that the first several digits of the current time were the same as the number stored in the registry...interesting.
As it turns out, that's all that the program is doing. At the time of install the program creates the Reverb/Cross entry and writes the upper 32 bits of the install time to the registry. This is why the evaluation counter doesn't roll over at midnight.
A difference of 1 between any two times corresponds to about 7min 9.5sec. The date check routine subtracts the current time from the install time, and then divides by 0xCA (202 decimal). Why 202? Well, if we take 7 minutes 9.5 seconds and convert this to seconds we get 429.5 seconds per click of the clock. Multiply this by 202 and we get 86759 seconds. Divide this by 3600 (3600 seconds in an hour) and we get 24.099222....just slightly more than 24 hours. So, this is how the program is calculating how many days have passed. It takes the difference in the times and then divides by 202 clock ticks (which corresponds to 24.099222... hours).
Simple, no?
Why is this an important task for us to explore?
Any time we're looking at a program that does a days elapsed check, we can quickly scan all relevant registry entries looking for a value that begins 01bf****. There is a high probability that this is the install date!
More on the other tasks later.
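The timestamp arithmetic described in the post, worked through as an added example that is not part of the original post: it converts the upper 32 bits of a FILETIME to a UTC date and back, applies the divide-by-0xCA day count, and computes which calendar window a 16-bit prefix such as 01bf covers. The function names are assumptions chosen here, and the sample install value is constructed from the post's date (taken as UTC).

```python
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICK_SECONDS = (1 << 32) / 10_000_000   # one step of the upper dword: ~429.4967 s
TICKS_PER_DAY = 0xCA                    # divisor quoted in the post (202)

def high_dword_to_datetime(high):
    """UTC instant at which the upper 32 bits of a FILETIME first equal `high`."""
    return FILETIME_EPOCH + timedelta(microseconds=(high << 32) // 10)

def datetime_to_high_dword(dt):
    """Upper 32 bits of the FILETIME for a timezone-aware datetime."""
    d = dt - FILETIME_EPOCH
    hundred_ns = (d.days * 86400 + d.seconds) * 10_000_000 + d.microseconds * 10
    return hundred_ns >> 32

def days_elapsed(install_high, now_high):
    """Day count as the post describes it: tick difference divided by 202."""
    return (now_high - install_high) // TICKS_PER_DAY

def prefix_window(prefix16):
    """Start and end (exclusive) of the period whose upper dword begins with prefix16."""
    return (high_dword_to_datetime(prefix16 << 16),
            high_dword_to_datetime((prefix16 + 1) << 16))

if __name__ == "__main__":
    posted = datetime(2000, 1, 20, 15, 32, tzinfo=timezone.utc)  # post date, UTC assumed
    install = datetime_to_high_dword(posted)                     # constructed sample value
    print(f"upper dword on the post date : {install:08x}")
    print(f"one tick                     : {TICK_SECONDS:.4f} s")
    print(f"202 ticks                    : {TICK_SECONDS * TICKS_PER_DAY / 3600:.4f} h")
    print(f"elapsed after 30 * 202 ticks : {days_elapsed(install, install + 30 * 202)} days")
    start, end = prefix_window(0x01BF)
    print(f"prefix 01bf covers           : {start:%Y-%m-%d} to {end:%Y-%m-%d}")
```

The window output shows that the 01bf prefix is tied to the period in which the post was written; a value recorded in another period carries a different prefix, which `prefix_window` computes the same way.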