Needing a nudge in the right direction...


gt3911
January 3rd, 2009, 16:40
Hi all,

I wonder if it would be appropriate for me to ask for a little bit of guidance…

I’m extremely new to all this, and desperately want to achieve my goal with the program in question.

The program I’m looking into isn’t very modern, and I wouldn’t imagine it has a lot of ‘old ways’ in its design. It’s not popular at all, so I’m unable to successfully find any information regarding it.

Ideally, what I’d like to get from this, would be if someone is reading this with a little bit of spare time, and a decent level of experience, would you at all be interested in PM-ing me so I can provide you with the source, and if you could take a quick look around it, and then come back to me saying “research how to do this…”, or possibly provide good sources of the information I need to look into, also just general advice such as “that’s going to be really really hard mate” or “lol, you should be able to do this quite quickly”.

I’m afraid I’m slightly lost, and would greatly appreciate it if someone on here could give me nudges in the right direction.

Aimless
January 5th, 2009, 06:09
Why don't you provide us the details here itself [barring the program's name, of course]. You can also tell us WHAT YOU have done so far and where you are stuck... We would be very interested in understanding your theories [does not matter right or wrong -- having a theory tells us you are at least trying] and you should get "nudges in the right direction" right here...

Have Phun

gt3911
January 5th, 2009, 07:32
Hey,

Sure, I'll do my best!

When you launch the program for the first time you're asked to enter the licence file (browse for its location) or create a 30-day trial.

I've never seen a licence file for this product; I have no clue what file type or how complex it might be.

My current trends of thinking are firstly, when I create a free trial, does the program create a temporary licence for me that I need to locate, or does it run 2 systems side by side: a licensing system for those that have one, and some form of other 30-day trial technique for those taking this option.

As a first-time Olly user, I was hoping to be able to track all created and modified files and registry entries. I put Olly into debug mode and launched the exe. I tried to have a dig around but felt very lost and confused, and worried that I might have been wasting my time chasing the wrong thing, or looking through the wrong things within Olly.

I played around and poked around, but became concerned that now all my further poking is being done after the 30-day trial activation, and I might be wasting my time poking around at the wrong moments in time if I need to specifically capture the activity occurring when I ask it to allow me to use a 30-day trial.

So I poked around on the net, and seemed to end up on YouTube watching some Olly demonstrations. I found these tricky due to the poor quality, and not being able to see what's really going on in the ones I found.

Via my YouTube travels I came across another video using the RunAsDate program. I thought it was worth a try and gave it a shot. It failed.

So I'm now left with a different task to firstly tackle; maybe you might advise against me wasting my time with this...

I'm now at a stalemate as I'm once again locked out from using the software. I've tried on previous occasions to uninstall it, and dig through files and registries to try and remove anything that I can see related to the software left behind. But I haven’t yet succeeded in doing a full 'uninstall' to allow me to try again! I'm guessing it probably has a dll somewhere that essentially has a true or false flag that I need to find?

Knowing I'd come across this issue, I'm tackling all this via a VMware guest so I can keep things isolated, not be concerned about poking in places I might not be too comfortable poking in... and ultimately allowing me to reinstall the OS to get a 2nd, 3rd... shot at it. I also tried creating a full manual restore point and reloading from that, but unfortunately that was too easy and also failed.

If someone could advise me as to what I should do from this point that would be helpful. Just drop the OS, or can I use Olly to try and help me locate what's 'blocking' me at this point?

blabberer
January 5th, 2009, 12:03
well some hints
you ASSUME or THEORIZE there MIGHT be a file involved

so there SHOULD be some @#%t functions for doing file related work

lets gooog

Results 1 - 10 of about 8,270,000 for file functions. (0.21 seconds)

second hit is windoze authorized msdn hit

File Management Functions (Windows)The following functions are used to manage files. ... The following callback functions are used in file I/O. Function, Description ...
msdn.microsoft.com/en-us/library/aa364232(VS.85).aspx - 51k - Cached - Similar pages

checking it you SHOULD find all these functions deal with your SUPPOSED file

Code:

File Management Functions

The following functions are used to manage files.

Function - Description
AreFileApisANSI - Determines whether the file I/O functions are using the ANSI or OEM character set code page.
CheckNameLegalDOS8Dot3 - Determines whether a specified name can be used to create a file on a FAT file system.
CloseHandle - Closes an open object handle.
CopyFile - Copies an existing file to a new file.
CopyFileEx - Copies an existing file to a new file, and notifies an application of the progress through a callback function.
CopyFileTransacted - Copies an existing file to a new file as a transacted operation, notifying the application of its progress through a callback function.
CreateFile - Creates or opens a file, directory, physical disk, volume, console buffer, tape drive, communications resource, mailslot, or named pipe.


now what next
you have this thing called ollydbg with you WILL it or CAN it find some functions

lets gooog again

Results 1 - 10 of about 12,700 for function names ollydbg. (0.18 seconds)

fortunately or unfortunately you land on this forum in first hit

Code:

mfc70 export functions names in Olly? [Archive] - RCE ...9 posts - Last post: 4 Oct 2006
[Archive] mfc70 export functions names in Olly? OllyDbg Support Forums.
www.woodmann.com/forum/archive/t-9495.html - 12k - Cached - Similar pages
some question about one of the olly capability [Archive] - RCE ...11 posts - Last post: 13 Sep 2007
how it obtain each function arguments name and count? for example , after loading calc.exe in olly it show : 010125BC . ...
www.woodmann.com/forum/archive/t-10437.html - 17k - Cached - Similar pages
More results from www.woodmann.com »


spidering through the links you SHOULD learn that ollydbg IS ABLE to find the names

now applying the NEW FOUND knowledge CAN you find some file apis in the local file

breaking on them MUST be the NEXT POSSIBLE or PROBABLE path

assuming some file function breaks, can you find if this file is the file that you are looking for

assuming you can't find the function or if it doesn't break, can we trap all the file functions globally and see if some api breaks

if it broke, is the underlying file the file you are looking for

if it didn't break, still the next way MIGHT be some external monitors, spies, hookers
lets goog

Results 1 - 10 of about 6,380,000 for file monitor. (0.20 seconds)

Code:

FileMon for Windows1 Nov 2006 ... It begins monitoring when you start it, and its output window can be saved to a file for off-line viewing. It has full search capability, ...
technet.microsoft.com/en-us/sysinternals/bb896642.aspx - 24k - Cached - Similar pages
Windows Sysinternals: Documentation, downloads and additional ...This update to Process Monitor, a real-time file, registry, process and network monitor, adds the ability to import and export configuration settings, ...
technet.microsoft.com/en-us/sysinternals/default.aspx - 29k - Cached - Similar pages
FileMonitor4 Jan 2002 ... FileMonitor is a freeware utility that allows you to monitor any number of selected files for changes, e.g. if you want to be alerted when ...
www.plsys.com/products/filemonitor/ - 7k - Cached - Similar pages
FileMonitor5 Aug 2003 ... FileMonitor is Windows application that monitors the size and last-modified date of any files.
www.tawbaware.com/filemon.htm - 4k - Cached - Similar pages


hits look promising and reading around about this filemon the capabilities sound promising

downloading and running that filemon should indicate file activity if there is some in your exe

somewhere down this rabbithole of codecobwebs you can FIRMLY COME TO THE CONCLUSION that THERE IS A FILE INVOLVED
and the next probable solution is to hunt it down somehow
or conclude there is no file involved, scratch this path from your many probable ways
and start afresh
maybe taking the registry as your target this time

hope i pushed you instead of nudging

evlncrn8
January 5th, 2009, 14:54
well first step would (for me anyway) be scanning the exe with some protection detection program (some are in the cretl), so that (if one detects it) you might at least get a good indication about what protection is 'in store for you'... then begin researching

naides
January 5th, 2009, 22:09
Also, get familiar with the concept of virtual machines: VMware, Microsoft Virtual PC, others. You can install a whole operating system in there, clone it, install your program and let it expire! You will learn a lot from tracing the expired program: What files does it look for? (Filemon) What nag screens does it show? Then you have another point of attack: not getting a licensed program but the second best, an eternal trial.

gt3911
January 6th, 2009, 10:52
Thanks for all your help.

Blabberer, I’m very grateful for your post, I really appreciated you pointing me at the right things. I’m afraid I’m having a terrible day today, after going over your suggestions, and trying to understand the steps and tasks I’m required to do I seem a bit muddled and confused about it all and really feel as though I’m totally failing on the ollydbg aspects. It all seems a bit of a mush in my head at the moment; I think I’m out of my depth!

After deciding the confusion wasn’t providing me with much progress I tried File Monitor; launching the program (in an expired state) gave me 500 entries to sort through in Filemon. I didn’t see anything obvious standing out at me at all that I needed to investigate.

I also tried Process Monitor, found within the Library here, to check the registry, as it also monitors registry and process/thread activity. This provided me with 997 entries to sort through. I looked at a couple of items but overall failed to identify anything valuable. There were some OLE activation reads which jumped out at me, but after checking out OLE (Object Linking and Embedding) I didn't feel like this was what I was hoping it to be.

Evlncrn8, thanks, I tried to run Protection ID on this software but it failed to find any protection in place.

Naides, yes, I feel virtual machines are very handy for this kind of task; as I stated in an earlier post I’m doing all this within an XP guest OS inside VMware. I’m afraid, as I just mentioned, I failed to identify the file within Filemon. I’m not really presented with a nag screen; upon launch of the program a small window opens, with the ability to ‘browse’ for a licence file, click OK, or close. When the trial is open, we just click OK; when the trial expires, ‘OK’ becomes inaccessible and our only option is to browse or close.

I’m not sure if I’m completely failing to absorb this today, or if this is just far too much for me. This software was created at the bottom of someone’s garden in his shed; I hoped it might have been quite obvious to progress with this, but I’m now feeling I’m biting off more than I can chew, and in turn wasting your time.

arc_
January 6th, 2009, 11:27
An easy route would be to place a breakpoint on the EnableWindow function before starting the program. Then launch the program and see if the breakpoint gets hit - more specifically, gets hit with the bEnable parameter equal to 0 (false). If you find such a hit you can try changing the parameter to 1 (true) and see if that enables the OK button again. If it does, you will need to see where that EnableWindow was called from and find out which code decided to pass 0 to it (or call the function at all). Look for conditional jumps.

An alternative is attacking the license file. "Browse for file" windows are typically created with the GetOpenFileNameA function. If you place a breakpoint on this function, it should hit when you click the "Browse" button. Create some dummy license file, use Olly's continue-to-ret (Ctrl-F9) and select the file you created in the browse window - once you press Open, Olly will pop back up. From there you can trace back out of comdlg32.dll (which contains GetOpenFileName) into the program's code, and see what it does with the file name it just received from the browse window. (Likely open it and read it, then do verification on it)

Don't forget to disassemble your target with IDA Pro. It will recognize statically linked library functions like fopen(), fread(), ... which is very useful. You can even input the names of the functions it found in Olly by producing a MAP file (File menu) in IDA and using the MapConv plugin in Olly. Alternatively you can use IDA itself to debug your target instead of Olly. (I just prefer Olly myself)