It's Easy-Level... Everyone have a try...


JimmyClif
May 26th, 2001, 19:53
Hello people

I had a little chit chat with Kayaker lately... and well this made me come up with a little
project... To start off: I'm sorry that it is a 5MB download... But I'm hanging at a 56K
line too and I just received it by mail - had my fun and decided to upload it to angelfire for a
project... As you can see I just dl'ed it and uploaded it (together 10 MB) just for you ;D

To raise your interest:

* The program itself is called "WinVCR" which is a recorder for movies on your TV card.
(I don't have a TV card either - and w/o a TV card some options are greyed out, but that's
not the point here)
* Unfortunately the exe itself is only 260kb
(I uploaded it too if you want to try it without the proggy)
* You can read the file like a book
* No unpacking
* Funny patching

Your expected goals are:

--- Get rid of the 30 days time limit.
--- Get rid of the splash / or / reduce the counter which keeps the nag alive to minimum
--- Get rid of the Buy or Continue Dialog

Possible Goals:

If you don't have a TV card:
--- Try to find the 10 minutes minimum recording time && explain why you think it's probably at that/these place(s).
If you have a TV card..
--- Kill the 10 minutes minimum recording time. (haven't tried that - my record button is greyed out)


SideNotes:
I've chosen version 2.0 because I thought we wouldn't hurt the programmer team from
WinVCR too much this way...

The link is: (angelfire doesn't like links being accessed from outside)
http://www.angelfire.com/rpg/screendudes/index.html
and click on :
Angelfire - Free Home Pages* -> For the 5MB File which is the whole Program
Free Web Building Help*orig* -> For the exe itself (will be harder tho)

And I hope you don't feel underestimated

JaneK
May 31st, 2001, 13:18
Hi JimmyClif,

Thanks for this project.
I managed to patch the program so it never expires by changing one jump (jl => jmp).
I don't know if I should post how I found the right place to patch - I am sure other newbies are working on it.

Cya
janek

JimmyClif
June 1st, 2001, 02:46
Hi Janek...

No need to post the answer yet... I guess where you're at

But before the congrats, let's do a little bit of backchecking ;D

Try to answer these questions for task n° 1:

* Did you find out where it saves your expiration details? (registry, file etc..)
* Can you receive another 30 days w/o patching the target?
* What API did you try breaking on first?
* Is there something which could get dangerous later, regarding the time limit?
(pretty close to where you're at) Have a look at the flow.. any other
conditional jumps leading to the bad boy routine?
* What were the tools you used?

Until later...
JimmyC

JaneK
June 4th, 2001, 06:57
Hi JimmyC

Well, I did not have too much luck with the additional questions. Maybe you can guide me in the right direction:

1. I am not sure where it saves expiration details - after reinstalling the proggie (and cleaning the registry from all winvcr entries I could find) it still displays the same number of days left as before, so I guess it is probably stored somewhere in the windows directory. I couldn't find the exact place though.

2. Maybe manually editing the place where it stores reg. data would do?

3. I tried to break on GetLocalTime and GetSystemTimeAsFileTime first, but S-ICE kept on popping and I could not get to the winvcr code. Then I noticed CompareFileTime in w32dasm, checked it out in my API ref. and it looked ok so I tried this one and it worked.

4. Something dangerous - hm, patched program works ok, the only thing is when I passed 30 days it starts to show trial days as negative numbers in the initial nag, but even if I set the time 1 year ahead it still works, just saying "you are on day -366 of your trial period" or sth like this.
There is also a check if the system time (clock) has been tampered with, but it is activated only when you set the time back, not ahead. It can be disabled I guess, and then one may get additional days by setting the system date e.g. 30 days backwards (I have not tried this yet).

5. My tools were: w32dasm, s-ice, hiew. I also tried regmon and filemon, but without too much success.

If you have time I would appreciate it if you could post a few words about locating the place where reg. info, number of days etc. are stored.

Thanks
JaneK

JimmyClif
June 4th, 2001, 08:04
Hi Janek.

I'll do my best to get you on track

1. The expiration details:

You should always take your time looking at every String Reference you got (big hint)
All the more reason to have another try with RegMon and FileMon. Start RegMon and immediately
start WinVCR. Once the nag displays the days, you know it had to read them somewhere, so
you can stop RegMon capturing data. Now you have a nice, "hopefully" not too long list to
browse thru... Anything looking TopSecret there?

2. When you found the data... imagine this ;D
IF Key==Present
...Call LocalTime
...Compare Time with Time in Registry
......IF LocalTime>=RegistryTime+30
........display "DOH"
......ELSE
........go on as usual
......ENDIF
ELSE ;(Key!=Present)
...Assume it is the first time he started
ENDIF

3. Yup... it's always good to check out the Imported Addresses

4. Yes, you found the place I spotted as "dangerous"; well.. the "normal" User probably never gets to this jump, but I kinda lived already weeks in 2002 as sometimes I forget to set my system time back again *g* Imagine you just installed it... and then you realize that your time is wrong.. you set it correctly and "doh" you can't ever use that prog again...
(And besides that: Patching is fun, so why not close every possible door?)

5. Good choice in tools... I went for the 'double whopper' IDA & Wdasm analysis. If you downloaded IDA already somewhere, take a look at the same part of code where you patched the time check. This will get you a pleasant surprise... (talking about a book ;D)

Once you got yourself familiar with reg and filemon... and a little bit of IDA... we can go on to the splash screen...

JimmyC
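The IF/ELSE sketch above describes the usual shareware trial check: a stored first-run timestamp, the current time, one comparison. The C below is an added example written for this page, not WinVCR's code and not anything posted in the thread; the registry key is replaced by a constructed `trial_record` struct and the timestamps are made-up Unix times. It writes the sketch out literally as `trial_check_naive`, so the two behaviours JaneK reports (negative day counts after expiry, and a tamper check that only notices a clock moved backwards) fall out of the code, and puts a `trial_check_hardened` variant beside it that clamps the displayed count and treats a record dated in the future as tampering.

```c
#include <stdint.h>
#include <stdio.h>

#define TRIAL_DAYS      30
#define SECONDS_PER_DAY 86400LL

typedef enum {
    TRIAL_FIRST_RUN,       /* no stored record: assume first start */
    TRIAL_ACTIVE,
    TRIAL_EXPIRED,
    TRIAL_CLOCK_TAMPERED
} trial_state;

/* Constructed stand-in for the registry entry the thread hunts with RegMon.
 * Not WinVCR's layout; any persistent store would do. */
typedef struct {
    int     have_record;   /* "Key==Present" in the pseudocode */
    int64_t first_run;     /* Unix time written on first start */
    int64_t last_run;      /* Unix time of the most recent start */
} trial_record;

/* Naive version, matching the pseudocode literally.
 *  - days_left is never clamped, so once the limit has passed it goes
 *    negative (the "day -366 of your trial period" nag JaneK saw);
 *  - tampering is only detected as "now is earlier than the last start",
 *    so a clock set backwards is caught but a clock left a year ahead
 *    silently uses up the whole trial. */
static trial_state trial_check_naive(const trial_record *rec, int64_t now,
                                     int *days_left)
{
    if (!rec->have_record) {
        *days_left = TRIAL_DAYS;
        return TRIAL_FIRST_RUN;
    }
    int64_t elapsed = (now - rec->first_run) / SECONDS_PER_DAY;
    *days_left = (int)(TRIAL_DAYS - elapsed);      /* may go negative */
    if (now < rec->last_run)
        return TRIAL_CLOCK_TAMPERED;
    return elapsed >= TRIAL_DAYS ? TRIAL_EXPIRED : TRIAL_ACTIVE;
}

/* Hardened version: same decision, but the displayed count stays within
 * [0, TRIAL_DAYS], and a record whose first-run time lies in the future is
 * treated as tampering as well (it can only arise from a clock that was set
 * back past the install time), instead of granting days. */
static trial_state trial_check_hardened(const trial_record *rec, int64_t now,
                                        int *days_left)
{
    if (!rec->have_record) {
        *days_left = TRIAL_DAYS;
        return TRIAL_FIRST_RUN;
    }
    if (now < rec->first_run || now < rec->last_run) {
        *days_left = 0;
        return TRIAL_CLOCK_TAMPERED;
    }
    int64_t elapsed = (now - rec->first_run) / SECONDS_PER_DAY;
    int64_t left = TRIAL_DAYS - elapsed;
    *days_left = left < 0 ? 0 : (int)left;
    return elapsed >= TRIAL_DAYS ? TRIAL_EXPIRED : TRIAL_ACTIVE;
}

int main(void)
{
    /* Constructed sample: installed and started once at t0, run again a year later. */
    const int64_t t0 = 991000000LL;            /* arbitrary Unix time, mid 2001 */
    trial_record rec = { 1, t0, t0 };
    int naive_days, hard_days;
    trial_state s1 = trial_check_naive(&rec, t0 + 366 * SECONDS_PER_DAY, &naive_days);
    trial_state s2 = trial_check_hardened(&rec, t0 + 366 * SECONDS_PER_DAY, &hard_days);
    printf("naive:    state %d, days left %d\n", (int)s1, naive_days);  /* state 2, -336 */
    printf("hardened: state %d, days left %d\n", (int)s2, hard_days);   /* state 2, 0 */
    return 0;
}
```

Both functions make the same expire/continue decision; the difference is only in what they show the user and in which clock movements they distrust. The point of laying the naive form out this way is that the "negative days" symptom and the one-directional tamper test are not bugs in the comparison itself but in what is done around it.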

JimmyClif
June 4th, 2001, 17:20
BTW: I just went to Angelfire and saw that there were 31 visitors...
Let's take away me 3 times... Twice for checking if the links worked and once now.

Who else did download WinVCR? Any lurkers around?

JaneK
June 6th, 2001, 12:04
Hi JimmyC,

I had another look at the registry with regmon and this time I found the topsecret place

I also looked at both nags and I think I found the calls creating each of them, updating the first one with version number and number of days left etc.

Is it possible just to nop them? (it is crashing the prog as I do it).

JaneK

JimmyClif
June 6th, 2001, 17:05
Hi Janek...

Great you found the two spots for them... I assume the call you mean is at 0041A324.
This is actually only the call to display it... but if you see the code afterwards... there
is still a lot happening with it... Nop-ing this one out results in a crash

Ergo,

I don't see an easy solution for the first nag... at least not without opening the
"JimmyClif's Infamous WinAPI Surprise Box". (I'll surprise you later)

That's why I primarily decided only to reduce the minimum time shown... and then we get "rid"
of it... To make this easier we divide the Splash-Nag and the DialogBox into Task 1 and
Task 2..

Task 1:
Try to find the place where it keeps the nag alive using a counter.

One solution to get there is:
UpdateWindow and ShowWindow are some of the better-known breakpoints, and then you
would start tracing. (Some counters are created using GetTickCount too)
Another one (my favorite) is:
You wait until the nag is displayed but before the Dialog shows and hit CTRL-D.
Then you need to find your way back to the code and find the suspicious place where
it keeps counting.

Task 2:
Try to find the call which has entirely to do with the dialog. (I guess you found this one)

Alright, once you got them write their Offsets (maybe a code snippet too) here...
so that I'll see where you're at =) and then we go for the action.

Happy F8'ing ;D
JimmyClif

JimmyClif
June 18th, 2001, 18:53
Heya Janek...

I haven't heard anything from you in quite awhile, so I guess you might be stuck || bored with WinVCR.. who knows ?
Anyway... Here's the solution for the remaining tasks:

The Splash Nag:

First I started WinVCR and before the Purchase Dialog popped up but while it was displaying the Splash I hit CTRL-D. A few F12's were leading me back into its code and I got to this point:

0041A4D1 call esi ; timeGetTime ; Get system time, in milliseconds
0041A4D3 sub eax, ebx
0041A4D5 cmp eax, 0BB8h
0041A4DA jb short loc_41A4D1

Pretty self-explanatory what to do at this point... We nop out the jump and the Splash pops up and we see immediately the Purchase Box...

So.. but how to get rid of the Splash for good?

I then had another go with it and put a breakpoint at "UpdateWindow"...
Which brought me upon this point:

0041A30F push 92h
0041A314 push 0D4h
0041A319 mov ecx, edi
0041A31B call sub_401540
0041A320 push 1 ; <- 1 == Visible // 0 == Invisible
0041A322 mov ecx, edi
0041A324 call j_?ShowWindow@CWnd@@QAEHH@Z ; CWnd::ShowWindow(int)
0041A329 mov ecx, [edi+20h]
0041A32C push ecx
0041A32D call ds:UpdateWindow
0041A333 mov edx, [edi+20h] <- I landed here

Being in SoftIce I set a breakpoint a few calls above to find out where the nag got generated... Here it's clear to see that it will be the call @ 0041324 (ShowWindow)

This made me get out my Win32API reference to have a look at ShowWindow:

BOOL ShowWindow(
HWND hWnd, // handle of window
int nCmdShow // show state of window
);

So, well.. no hwnd push? MFC's ways are strange... So I assumed the push 1 would be the push for the Show State of the Splash.. I replaced this with a push 0 then. And voila.. God bless the API Guide... The Splash is gone.. (Basically it's still there but at least we won't see it anymore..)

-----------------------------------------------------------------------------------------
Getting rid of the Purchase Dialog:

We know that immediately after the Splash the Dialog pops up.. so we can just continue tracing using F10 until that Dialog pops up.. And this will happen at this call:

0041A519 mov ecx, esi
0041A51B mov [esp+7DCh+var_5C], 2
0041A523 call dword ptr [edx+0C0h] <-- HERE
0041A529 cmp eax, 1
0041A52C jnz short loc_41A57E

Lucky we are.. We stepped over the call using F10.. SoftIce made a little rest to let us push the Continue button and we land exactly a line after the call on cmp eax,1

Checking our registers tells us that only eax got changed after this call. (Well eip too, but that's another story)

Eax has as value 2 now... Instead of nop-ing out the call (which is not always the way to go because of the pushes which may precede a call (every push needs a pop) - but here there are no pushes before.. that's good) So.. instead of nop-ing out the call we can replace the whole call with a mov eax,2 (which is the correct value upon return and it will jump to the right place... You'll see the bytes fit exactly in

So.. that's been it.. You found already the Time Check... no more need to tell this..
Finally I can delete this useless tool from my HD... (or should I go and buy a TV card?)

JimmyClif

& How do these bloody <pre> tags work?

JaneK
June 19th, 2001, 12:05
Hi JimmyC,

I am still interested and still have plans to look more into this prog. I am so loaded with work I just did not have any time to sit down in peace and investigate further on. When I'm done, I'll post something here (or shall I mail you?) and hope to have your comments, so don't delete winvcr yet!!!

JaneK

JaneK
June 20th, 2001, 16:51
Hi JimmyC,

All clear now!
I also, same as you, tried to get rid of the 1st nag by modifying the pushes before the call at 41a324, however I had wrongly assumed it's CreateWindowExA (I used w32dasm so I could not see it is ShowWindow). CreateWindowExA also seemed to be a nicely working bpx so I was also misled by this.

The "purchase" nag (at 41a523) - this one I just nopped and it works fine. Changing "call xxxxxxxx" to a single "nop" would crash the prog, but substituting the call's hex notation with 909090909090 solves the problem.

For me it was an interesting project - thanks for your time.

Cya
JaneK

P.S. Now you can delete this crap from your disk

JimmyClif
June 20th, 2001, 17:33
Heya JaneK,

Sorry for pushing you a bit with the Project.. I'm just traveling pretty soon and I was in fear of not being able to finish it and to help you with any questions, while I'm sunbathing at +/- 90 °F *hehehe*

I hope you saw the difference between IDA and Wdasm... It's simply incredible what IDA can do... Even though I prefer the way Wdasm handles the String References. That's why I always go for the double whopper

For the Call xxxxxx to a single nop? Oh Lord, you learned that you need to replace all the bytes (as you nicely said, "substituting the hex notation"). If you use Hiew you could have tried replacing the call xxxxxx with mov eax,2 and you would have seen how it fit in there.

Oh well... T'was a pleasure... Take care and don't give up on it...

JimmyClif

PS: So.. you think it's a crappy prog too? *hehehe* I love to hear this