i would like any good information about the above subject....i want to know how really this system time checks armadillo does with the clock works.. because i have searched all over to look for possible fake files or registry entries to compare system times.. but i haven't got still luck.. i'll hope some expert will arrive here and explain me a little about it.. maybe an ArmKiller ?

"Your System clock was changed back possible to defeat the security of this program.. please contact the author..... or Reboot..."

Nothing happend after reboot... it keeps reading somewhere... it looks armadillo in some ways is good but you guys know.. if it runs it can be defeated!

is it possible it could be using a similar method as cryptkey does? for time limit/runs...

i haven't done any research on armadillo, but it could be checking file creation/modification times

maybe LunarDust would help me to explain how to find this or how this time checks armadillo does works..?? my intention is to learn.... any help or tips?

... u try find and patch this?..or find that the program run? .. u try delete :


HKEY_LOCAL_MACHINE\SOFTWARE\The Silicon Realms Toolworks


This chain checks the installation ... delete this and again run the application

If this fails erases the chains of the program and uninstall and reinstall again


Best Regards

Ajo,

Didn't study it but some time ago i ran into a nice feature which was baked into the armadillo-ed prog itself.
Thought it was called " fixclock" .
It's a feature which will reset the starting day of your evaluation. I'am not sure but i think this sits in every armadillo-ed prog.
When you study this you should discover all!
I ran into it when i was trying to break on the day's check.

Succes,

Spekk

It could also be writing to a sector on ur HD like SafeCast, then a DiskMonitor would help.


JohnWho.

I've also tried to find out where Armadillo is able to detect date changes. The clues I've got so far is:

The pagefile.sys file is referenced from armadillo code so it might compare date with the date of pagefile somehow.

The timecheck doesn't work in XP when logged in as a restricted user. (haven't validated this myself, read it on the admarillo forum I think)

/seacow

deleting HKEY_LOCAL_MACHINE\SOFTWARE\The Silicon Realms Toolworks won't make any change.. that was the first thing i looked and tried long time ago.. also i think there's a new one called HKEY_LOCAL_MACHINE\SOFTWARE\License .... that some program use it. deleting also won't make any change but i found out that it use it somehow. i got a program blocked with this system time checks and i decided to email the author to solve this problem as armadillo message says. :P the author send me the command + key to run the fix clock stuff that the program has.. then i monitored that it writes some hex data in that key when fixing the clock.. that was all i could find. i wonder how this really works? i think from many experts that has this board someone most know exaclty where to find and manually remove this... if someone don't want to tell me here then use PM. why this information is so hard to find.. looks some of the Armadillo Protection system is unbeatable ? or some people is afraid that the armadillo author might be reading this .... ?

Download -> Regmon / Filemon!

http://www.sysinternals.com/ntw2k/source/regmon.shtml

http://www.sysinternals.com/ntw2k/source/filemon.shtml

BUT you must Patched this Tools or Armadillo would check this and HIDE interesting from your eyes.



Example what must deleted:

[HKEY_CLASSES_ROOT\CLSID\{ED86CA99-271F-13D1-B2E4-0060975B8649}

[HKEY_LOCAL_MACHINE\SOFTWARE\Licenses]

[HKEY_LOCAL_MACHINE\SOFTWARE\The Silicon Realms Toolworks\Armadillo]


In your TEMP Directory (all) -> ?.tmp



Sorry for my bad English!



Bye


Viper Zx

thanks Viper.. this is the right info. i was looking for. btw the CLSID key might be different for each winOS or for differents target i just confirmed.. maybe is hardware ID based? anyway i'm tring to find a generic way about how this work....

deleting:

[HKEY_LOCAL_MACHINE\Software\Licenses]

[HKEY_CURRENT_USER\Software\Licenses]

[HKEY_LOCAL_MACHINE\Software\The Silicon Realms Toolworks]

[HKEY_CURRENT_USER\Software\The Silicon Realms Toolworks]

and the CLSID key that regmonitor shows right after the License.. one...

HKEY_CLASSES_ROOT\CLSID\{xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx}

the deleting all *.*.tmp files from the TEMP dir. and done!

but i'm still having a problem under winXP also in win9x i can't make regmonitor to work out... it is showing everything but the CLSID key that most be found to remove the time check is not there i did everything i could to patch regmonitor.. i removed all text caption but still dosen't work.. would you give me an advice how to patch it correctly and exactly what to patch?

i only could found the CLSID key using WinSteal that thas a regmonitor included .also RegistryMonitor98 (PRUDENS INC.) and i didn't have to patch anything on them to get the key, but this tools only works under win9x/ME i need to learn how to patch regmonitor correctly.. the one from system internals in order to catch the key i need to find under WINXp.

i did search about patching and hiding regmonitor but those tricks i guess don't work with armadillo... could be that system internals's regmonitor is not so good at all?? please.. any advices.. are welcome... also complaints if desire

It is probably using the caption and classname to check if regmon is available. Change the classname and caption and it should work

Hi!

Sometimes when things have been patched for detection, the "magic" in PE-Header have also been changed...

Dunno what this is, and why it needs to be altered,
but maybe this is the case here too?

/Manko

gorge would you explain how to do it?? if you see i'm here is to learn and get information about it..... i still can't make it work.. i changed all the caption but how to remove the classname??

cRk: Search for "class" in the exe of Regmon, you'll most like find things like "RegMonClass". Rename these.

As for the magic in PE files, this should never be altered, as it's one of the values Windows uses to verify it's a valid file.

all i could found was an api: RegisterClassA and : Unknown Info Class , \\REGISTRY\MACHINE\SOFTWARE\CLASSES this is with the newest Registry Monitor..... any tips, ideas??

if anyone is interested to test this to verify it.. get latest Blaze Media Pro 4.01 to play for a while and confirm i'm right...

also take a look at Winsteal.. you can grab it from : hxxp://212.14.34.87/~devon/down/uzytki/ws.zip in case you don't have it.. is old, obsolete and only works in win9x but its regmonitor included works like a charm... it is sad it does not work in WInxp. about the one from system internals.. maybe the armadillo author work with them combined and that's the reason don't read the key armadillo target make/read in the Root/CLSid registry part.. just a comment! lol

sample key for most armadilled targets that use the system time clock implemented with armadillo:

[HKEY_CLASSES_ROOT\CLSID\{B9A1B7AE-0E0F-13D1-B2E4-0060975B8649}]
"0"=hex:70,9c,25,c3,dc,72,48,9d,d1,8b,f9,ef,94,b0,4d,0c,cf,59,c3,d5,96,6e,2f,\
db,78,ba,6c

[HKEY_CLASSES_ROOT\CLSID\{B9A1B7AE-0E0F-13D1-B2E4-0060975B8649}\Version]
@="1.0"

but also i found out that some targets write to:

[HKEY_CURRENT_USER\Software\Classes....

Sample:
[HKEY_CURRENT_USER\Software\Classes\{4B7BEAFF-A184-13D1-B2E4-0060975B8649}]
"0"=hex:9f,11,b0,7a,24,bf,30,6b,e1,e5,47,ae,94,f0,09,bc,9b,80,6b,03,c7,a4,07,\
b1,d9,8a,f1

[HKEY_CURRENT_USER\Software\Classes\{4B7BEAFF-A184-13D1-B2E4-0060975B8649}\Version]
@="1.0"

on "0"=hex....... store the time check with encrypted hex data

i still need to find out how to make regmonitor from system internals to work out... i can't think that the most famous regmonitor don't work with this.. in that case should i called this a bug? umhhhh.. i would like to try an older version ..anyone have an old version to try out?.. i'm still waiting for Viper.. comments about this.. how did you make it?


Results with WinSteal :

CreateKey CURRENT\Software\Microsoft\Windows\CurrentVersion\
Bmp CreateKey
Bmp OpenKey LOCAL\Software\Microsoft\Windows\CurrentVersion SUCCESS hKey: 0xC2A20A90
Bmp QueryValueEx LOCAL\Software\Microsoft\Windows\CurrentVersion\SubVersionNumber SUCCESS
Bmp CloseKey LOCAL\Software\Microsoft\Windows\CurrentVersion SUCCESS
Bmp OpenKey LOCAL\Software\Microsoft\Windows\CurrentVersion SUCCESS hKey: 0xC2A20A90
Bmp QueryValueEx LOCAL\Software\Microsoft\Windows\CurrentVersion\SubVersionNumber SUCCESS
Bmp CloseKey LOCAL\Software\Microsoft\Windows\CurrentVersion SUCCESS
Bmp OpenKey LOCAL\Software\The Silicon Realms Toolworks\Armadillo SUCCESS hKey: 0xC2A20A90
Bmp CloseKey LOCAL\Software\The Silicon Realms Toolworks\Armadillo SUCCESS
Bmp OpenKey LOCAL\Software\The Silicon Realms Toolworks\Armadillo SUCCESS hKey: 0xC2A20A90
Bmp QueryValueEx LOCAL\Software\The Silicon Realms Toolworks\Armadillo\{071BD7C95D8CDD898} SUCCESS
Bmp CloseKey LOCAL\Software\The Silicon Realms Toolworks\Armadillo SUCCESS
Bmp OpenKey ROOT\CLSID\{B9A1B7AE-0E0F-13D1-B2E4-0060975B8649} NOTFOUND
Bmp OpenKey CURRENT\Software\The Silicon Realms Toolworks\Armadillo NOTFOUND
Bmp OpenKey CURRENT\Software\Classes\{4B7BEAFF-A184-13D1-B2E4-0060975B8649} NOTFOUND
Bmp OpenKey LOCAL\Software\The Silicon Realms Toolworks\Armadillo SUCCESS hKey: 0xC2A20A90
Bmp QueryValueEx LOCAL\Software\The Silicon Realms Toolworks\Armadillo\{D8CDD89871BD7C95} NOTFOUND
Bmp CloseKey LOCAL\Software\The Silicon Realms Toolworks\Armadillo SUCCESS
Bmp OpenKey LOCAL\Software\The Silicon Realms Toolworks\Armadillo SUCCESS hKey: 0xC2A20A90
Bmp QueryValueEx LOCAL\Software\The Silicon Realms Toolworks\Armadillo\{71BD7C95D8CDD899} NOTFOUND
Bmp CloseKey LOCAL\Software\The Silicon Realms Toolworks\Armadillo SUCCESS
Bmp OpenKey LOCAL\System\CurrentControlSet\Control\CommAlias NOTFOUND
Bmp QueryValueEx 0xC2A100A0\PORTNAME SUCCESS "COM1"
Bmp QueryValueEx 0xC2A100A0\FRIENDLYNAME SUCCESS "Communications Port (COM1)"
Bmp QueryValueEx 0xC2A20750\PORTNAME SUCCESS "LPT1"
Bmp QueryValueEx 0xC2A20750\FRIENDLYNAME SUCCESS "ECP Printer Port (LPT1)"
Bmp QueryValueEx 0xC29FF130\PORTNAME SUCCESS "COM4"
Bmp QueryValueEx 0xC29FF130\FRIENDLYNAME SUCCESS "HSP56 MR"
Bmp OpenKey LOCAL\System\CurrentControlSet\Control\SessionManager\KnownVxDs NOTFOUND
Bmp OpenKey LOCAL\System\CurrentControlSet\Control\CommAlias NOTFOUND
Bmp QueryValueEx 0xC2A100A0\PORTNAME SUCCESS "COM1"
Bmp QueryValueEx 0xC2A100A0\FRIENDLYNAME SUCCESS "Communications Port (COM1)"
Bmp QueryValueEx 0xC2A20750\PORTNAME SUCCESS "LPT1"
Bmp QueryValueEx 0xC2A20750\FRIENDLYNAME SUCCESS "ECP Printer Port (LPT1)"
Bmp QueryValueEx 0xC29FF130\PORTNAME SUCCESS "COM4"
Bmp QueryValueEx 0xC29FF130\FRIENDLYNAME SUCCESS "HSP56 MR"
Bmp OpenKey LOCAL\System\CurrentControlSet\Control\SessionManager\KnownVxDs NOTFOUND
Bmp QueryValueEx 0xC2A20750\FRIENDLYNAME SUCCESS "ECP Printer Port (LPT1)"
Bmp QueryValueEx 0xC29FF130\PORTNAME SUCCESS "COM4"
Bmp QueryValueEx 0xC29FF130\FRIENDLYNAME SUCCESS "HSP56 MR"
Bmp OpenKey LOCAL\System\CurrentControlSet\Control\SessionManager\KnownVxDs NOTFOUND
Bmp OpenKey LOCAL\Software\Microsoft\Windows\CurrentVersion SUCCESS hKey: 0xC2A20A90
Bmp QueryValueEx LOCAL\Software\Microsoft\Windows\CurrentVersion\SubVersionNumber SUCCESS
Bmp CloseKey LOCAL\Software\Microsoft\Windows\CurrentVersion SUCCESS
Bmp CloseKey LOCAL\Software\The Silicon Realms Toolworks\Armadillo SUCCESS
Bmp OpenKey ROOT\CLSID\{B9A1B7AE-0E0F-13D1-B2E4-0060975B8649} NOTFOUND
Bmp CreateKey ROOT\CLSID\{B9A1B7AE-0E0F-13D1-B2E4-0060975B8649} SUCCESS hKey: 0xC2A20A90
Bmp SetValueEx ROOT\CLSID\{B9A1B7AE-0E0F-13D1-B2E4-0060975B8649}\0 SUCCESS 70 9C 19 C3 DC 72 3C 91 ...
Bmp OpenKey ROOT\CLSID\{B9A1B7AE-0E0F-13D1-B2E4-0060975B8649}\Version NOTFOUND
Bmp CreateKey ROOT\CLSID\{B9A1B7AE-0E0F-13D1-B2E4-0060975B8649}\Version SUCCESS hKey: 0xC2A206F0
Bmp SetValueEx ROOT\CLSID\{B9A1B7AE-0E0F-13D1-B2E4-0060975B8649}\Version SUCCESS

Bmp OpenKey CURRENT\Software\Classes\{4B7BEAFF-A184-13D1-B2E4-0060975B8649} NOTFOUND
Bmp CreateKey CURRENT\Software\Classes\{4B7BEAFF-A184-13D1-B2E4-0060975B8649} SUCCESS hKey: 0xC2A20A90
Bmp SetValueEx CURRENT\Software\Classes\{4B7BEAFF-A184-13D1-B2E4-0060975B8649}\0 SUCCESS 9F 11 8C 7A 24 BF 44 67 ...
Bmp OpenKey CURRENT\Software\Classes\{4B7BEAFF-A184-13D1-B2E4-0060975B8649}\Version NOTFOUND
Bmp CreateKey CURRENT\Software\Classes\{4B7BEAFF-A184-13D1-B2E4-0060975B8649}\Version SUCCESS hKey: 0xC2A206F0
Bmp SetValueEx CURRENT\Software\Classes\{4B7BEAFF-A184-13D1-B2E4-0060975B8649}\Version SUCCESS "1.0"
Bmp CloseKey CURRENT\Software\Classes\{4B7BEAFF-A184-13D1-B2E4-0060975B8649}\Version SUCCESS
Bmp CloseKey CURRENT\Software\Classes\{4B7BEAFF-A184-13D1-B2E4-0060975B8649} SUCCESS
Bmp QueryValueEx 0xC189CD70\MSVBVM60 NOTFOUND

You can change class by finding string %d-%d in exe. Change it to, lets say %f:%f, or anything else you can think of (this is parameter for the sprintf function). This should be enough I think.

This is it!


Tschau

Viper Zx

Great!!!!!!! i feel like learning something new every day.. thanks for all your help and replies guys!

I find this specific key (HCR\CLSID\..... / "0"=hex:....) in registry and delete it. Also delete

[HKEY_LOCAL_MACHINE\Software\Licenses]

[HKEY_CURRENT_USER\Software\Licenses]

[HKEY_LOCAL_MACHINE\Software\The Silicon Realms Toolworks]

[HKEY_CURRENT_USER\Software\The Silicon Realms Toolworks]

In my TEMP Directory (all) -> ?.tmp

Inspite of doing all this, I get the same system time change error. Kindly give me some help in solving this issue.

Thanks in advance.

I don't think anyone has mentioned the method used frquently, most notably by FlexLM, it checks what I'm assuming is the FAT sector for file dates later than the present clock date - an easy fix is to change the date attributes on the files or write a new file of any sort to any folders with a date later than the current machine date. If you reach the point of total frustration and have nowhere else to look - use EVA 2.17 - it will show you the keys and values - there also is at least 1 file that will be in doc's and settings folder.

SiGiNT

GEESH!

I've got to remember to always post after I drink my first cup of coffee and after I've completely read the thread - maybe the info I posted will be usefull to someone

OMG this thread was over 2 years old :P

Yeah!

I kinda noticed that too late!

SiGiNT