Need help with a program that can only be used x amount of times. After tracing through olly for weeks now, I still can't find the area or code where it checks how many times you have used it. Would it be held in a reg key? Or would it be held in a user key? I just can't seem to find where it does the check. Maybe a push in the right direction would help.

Do you get a nag screen saying something like "Sorry, you have used this program x times??"

Or the program only refuses to run?


In both cases start from there. Find the nag screen or find the program quit API/routine.
work backwards to see when the decision to nag/quit is taken, then find out how is such decision made.

Another brutal force attack is to run the program in parallel in two virtual machines: one has the lapsed program, the other a fresh functional one Trace from the beginning going back and forth until the program path diverges. Find out why it diverges, and you have your answer.

A more sophisticated approach is to use one of the code coverage tools available in the repository. Compare code coverage in the normal program versus the lapsed program, and find the wrong fork in the program flow.

Find a tutorial in the old repositories with a title "how to defeat 95% of time trial protections" and get some inspiration there.

Other things to try:

If the times used info is held in a file, the program has to open it and read it, so look at file management APIs (CreateFileA ReadFile, etc). If the info is in the registry, try registry APIs (RegCreateKeyEx, RegQueryValueEx, etc).
Additionally, RegMon and/or FileMon from SysInternals might come in handy.

It has a nag screen, but after tracing for two weeks i cannot find the call to the nag or where it is held (in dll etc). In ollydb is there a way to save the trace file so i can compare the two?

Look for a tool called Dede. It breaks up Delphi/C++ Builder apps and lets you see the forms, and procedures associated with them. It'll also give you the start addresses for those procedures as well.

I have tried to use DeDe but after processing no forms show up just Classes & Units no Forms or Processes.

No other thoughts on this matter?