+Tsehp - Cbuilder 4 essay question


vgb
January 25th, 2001, 00:05
+Tsehp - Been trying to follow your essay on CB4 and apply it to CB5. Getting confused by your references to Boundschecker. You mention using BC and then show a listing that looks like IDA. I can follow what's happening in your listing (sort of :-D) but I can't quite see how to locate it in BCB5. I guess I'm looking for a shortcut provided by Boundschecker - probably should step thru in sice until I see some code that's familiar?

Thanx,

vgb

tsehp
January 25th, 2001, 19:43
hi,
can you paste here the part where you have the problem ?
I'll take a look after. mail me when you have done it please.

regards,

+Tsehp

Nolan Blender
January 26th, 2001, 00:44
I think CyberHeg addresses some things with CBuilder 5 in one of his essays too.

--nb.

NeO'X'QuiCk
January 26th, 2001, 01:19
Can you post the URL of those tuts?? vgb

vgb
January 26th, 2001, 02:07
Quote:
+Tsehp (01-25-2001 08:43):
hi,
can you paste here the part where you have the problem ?
I'll take a look after. mail me when you have done it please.

regards,

+Tsehp



This is the part that has me confused.

After I saw what's going on I decided to emulate inputs. The delete approach is effective but not elegant. Stop, I found timefix.exe.

***Where is timefix.exe???


Sweet - references to HKLM\SOFTWARE\Ntpad\HELPMENU\tin and some more... Try now run the trial with Boundschecker. Sysprst,.... GetLocalTime!! 0x00d217d =0x004d217d

**How to get this info from Boundschecker? When I run the trial and try to get info by clicking on an event, bc aborts. How does the sysprs7.dll (bcb5 version) figure in this? I RTFM on Boundschecker but I don't see the answer.

Finally, the code below is found in what file? The bcb.exe, a dll,??

Let's see:

_0000010:004D6900 sub esp, 0CCh
_0000010:004D6906 lea eax, [esp+0CCh+var_BC]
_0000010:004D690A push esi
_0000010:004D690B push eax
_0000010:004D690C call ds:GetLocalTime



Thanx for the help,

vgb

vgb
January 26th, 2001, 02:09
Quote:
NeO'X'QuiCk (01-25-2001 14:19):
Can you post the URL of those tuts?? vgb


NeO'X'QuiCk -

They're all on +Tsehp's excellent Fravia Mirror. I believe the link is at the top of this MB.

vgb

tsehp
January 26th, 2001, 17:36
Quote:
vgb (01-25-2001 15:07):

**How to get this info from Boundschecker? When I run the trial and try to get info by clicking on an event, bc aborts. How does the sysprs7.dll ( bcb5 version) figure in this? I RTFM on Boundschecker but I don't see the answer.

Finally, the code below is found in what file? The bcb.exe, a dll,??

Let's see:

_0000010:004D6900 sub esp, 0CCh
_0000010:004D6906 lea eax, [esp+0CCh+var_BC]
_0000010:004D690A push esi
_0000010:004D690B push eax
_0000010:004D690C call ds:GetLocalTime



Thanx for the help,

vgb

Ok I understand where the problem is, you didn't see the line in my essay: copied from macilaci's essay.
So you cannot find timefix because his essay was on another sentinel target.

Let's get to it, it's very simple if you know that a time based protection needs to have the number of days spent since the first install.
So you start the target with boundschecker, using the main exe, then after it was loaded, look at the log file and you will locate all the getlocaltime / getsystemtime used by the target before it decided to load, the job is to locate the good one by tracing further in the code.

On the listing you pasted, you must look at how the target uses the values given by the getlocaltime function, then you emulate inputs, meaning you patch the code to force the registers to always contain legal time values, calculated while you were into the trial period:
_0000010:004DBD76 mov esi, 38820632h
_0000010:004DBD7B mov edx, 0BC2C84B2h
_0000010:004DBD80 nop

those values come from softice, still on the time trial period, so your target runs forever.

vgb
January 26th, 2001, 19:06
OK - I see it now. I don't use Boundschecker much so I was a little lost. One thing I still don't follow - did you get the address of the getLocalTime function from Boundschecker or from an xref in IDA or SICE? I can think of several ways to do it but the essay implies that the offset is shown in boundschecker and I don't see that. I'll check the manual and listings to see if I'm missing something.

BTW, how do you get the emoticon graphics *inside* the message? tried cut/paste from the legend but didn't work.

Thanx again for the help,

vgb

tsehp
January 27th, 2001, 02:53
hi,
first question:
when in boundschecker you select the right line, corresponding to the api, if I remember well you've got the address of the caller at the right top of your monitor, ex caller: bcb + $1524, meaning bcb base address + offset 1524.

second question, when you write your post, just click the link at your left, called emoticons legend, you do the smiling face like this,
: + ) without space or + sign.

vgb
January 27th, 2001, 21:37
OK, I got it now. Finally solved my problem with the tut. Boy, am I embarrassed. I was using HIEW to assemble the code to insert in the various files. Wasn't paying attention - MOV edx,12345678 assembled as 66 ba 78 56 34 12 rather than ba 78 56 34 12. Of course after substituting, nothing worked!:-D -

Anyhow, I got the trial cracked but most important, got more familiar with IDA and boundschecker. Thank you very much for the help - I know you're busy with the revirgin project and it's tough to go back to something you did a year ago.

I included some smileys in the post - let's see if they show as graphics.

vgb
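The encoding mistake vgb describes is worth seeing byte by byte: in a 32-bit code segment the 0x66 prefix turns "mov edx, imm32" into "mov dx, imm16", and the two leftover immediate bytes are then decoded as the start of the next instruction. The decoder below is an added illustration written for this thread, not code from the essay or from HIEW; it handles only the MOV reg,imm and XOR AL,imm8 forms needed to show the desync, and the byte strings are constructed from the post.

```python
# Added example (not from the thread): a minimal x86 decoder for the one
# instruction form discussed above, showing why an operand-size prefix
# breaks the patch. Assumes a 32-bit code segment (default operand size 32).

REG32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]
REG16 = ["ax", "cx", "dx", "bx", "sp", "bp", "si", "di"]


def decode(code: bytes):
    """Decode bytes containing only MOV reg,imm (B8+r) and XOR AL,imm8
    (34 ib), honouring the 0x66 operand-size override prefix."""
    out = []
    i = 0
    while i < len(code):
        opsize = 32
        if code[i] == 0x66:          # operand-size override: 32 -> 16 bit
            opsize = 16
            i += 1
        op = code[i]
        if 0xB8 <= op <= 0xBF:       # MOV r32/r16, imm32/imm16
            n = opsize // 8          # immediate width in bytes
            if len(code) < i + 1 + n:
                raise ValueError(f"truncated immediate at offset {i}")
            imm = int.from_bytes(code[i + 1:i + 1 + n], "little")
            reg = (REG32 if opsize == 32 else REG16)[op - 0xB8]
            out.append(f"mov {reg}, 0x{imm:0{n * 2}x}")
            i += 1 + n
        elif op == 0x34:             # XOR AL, imm8
            out.append(f"xor al, 0x{code[i + 1]:02x}")
            i += 2
        else:
            raise ValueError(f"unsupported opcode 0x{op:02x} at offset {i}")
    return out


def encode_mov_r32(reg: str, imm32: int) -> bytes:
    """Correct 5-byte encoding: B8+r followed by a little-endian imm32."""
    return bytes([0xB8 + REG32.index(reg)]) + imm32.to_bytes(4, "little")


# Constructed bytes reproducing the mistake from the post.
INTENDED = encode_mov_r32("edx", 0x12345678)   # ba 78 56 34 12
ASSEMBLED = bytes.fromhex("66ba78563412")      # what HIEW actually emitted

if __name__ == "__main__":
    print(INTENDED.hex(), decode(INTENDED))
    print(ASSEMBLED.hex(), decode(ASSEMBLED))
```

Decoding the assembled bytes yields "mov dx, 0x5678" followed by "xor al, 0x12", so neither the register nor the following instruction stream is what the patch intended.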

macilaci
February 1st, 2001, 03:31
Hi vgb,
I know I'm a bit late, but still here... The time/date checking subroutine returns an encrypted or coded time structure inside eax (32bit). When you need to emulate inputs (date is still the same), you need to replace the result of this subroutine by a constant. Of course the target is one version higher and you need to check many other things (improved protection! - don't forget that). Don't forget to delete the sysprt and other files and registry entries otherwise the target won't work. After patching it creates these entries. You can leisurely reinstall the patched target without deleting these newly created 'protection files and registry entries'.

regards
macilaci

vgb
February 1st, 2001, 11:36
Hello Macilaci -

Thanx for the additional input. It took a while but I have the target patched and functioning. There were 10 files that needed the patch along with the registry entries and other files to be deleted. I found that the install magic number is constant for each machine, different, but constant.

Thanx,

vgb