Stuck with an App


LOUZEW
November 11th, 2003, 12:03
Hi, guys

I'm stuck with a protected App called "PlanningPME"
(Link deleted by Kayaker, and moved from "Advanced Reversing and Programming")

I've found the 30-use limit and bypassed it, but there is a date limit to use this prog (2003 December 31) and I can't find how to do it.

I'm not requesting a crack, I only want to learn this kind of protection and how to find the good place in the proggy to solve this problem!

If somebody can help, please PM me for the link to download this App and I'll tell you what I've found!

Thanks

MaRKuS-DJM
November 11th, 2003, 12:44
What about the "GetSystemDate" or "GetSystemTime" API? But I don't know.

LOUZEW
November 11th, 2003, 17:25
Yes, tried them, but there are too many calls to these functions! Unable to locate anything.

Thanks

naides
November 12th, 2003, 15:59
Quote:
[Originally Posted by LOUZEW] Yes, tried them, but there are too many calls to these functions! Unable to locate anything.

Thanks


Are all the calls coming from your app?
If you have some stuff in the system tray, like RealPlayer, scheduling apps, some firewall apps etc., they all fire GetSystemTime constantly, and you miss the call from your app.

Try dead listing your app. Look for the time-related functions and the context they are used in.
Just a suggestion.

LOUZEW
November 13th, 2003, 17:40
Thanks for your help, but I'm sure these API calls are made in my app (checked under SoftICE), and no other app is running.
This app is a planning one, so calling time APIs seems to be a normal thing.
It seems to be hard to find an entry to learn this protection.

You can find this app at h**p://www.planningpme.com, or PM me for a direct link!
Thanks

Quote:
[Originally Posted by naides] Are all the calls coming from your app?
If you have some stuff in the system tray, like RealPlayer, scheduling apps, some firewall apps etc., they all fire GetSystemTime constantly, and you miss the call from your app.

Try dead listing your app. Look for the time-related functions and the context they are used in.
Just a suggestion.

naides
November 13th, 2003, 23:37
Quote:
[Originally Posted by LOUZEW] Thanks for your help, but I'm sure these API calls are made in my app (checked under SoftICE), and no other app is running.
This app is a planning one, so calling time APIs seems to be a normal thing.
It seems to be hard to find an entry to learn this protection.

You can find this app at h**p://www.planningpme.com, or PM me for a direct link!
Thanks

Oh well. I am not going to D/L the 10 Mb this app brings on, but I am going to continue my favorite pastime: coming up with outlandish strategies for difficult problems. I do this for a living in Real Life.

Bet you most of the time API calls the app makes come from the same area in the code: perhaps a message handler. Filter it out. Make the BPX GetSystemTime IF ESP != [The address of the code that calls GetSystemTime relentlessly]

This way Sice breaks only when the time API is called from somewhere else, decreasing your false call rate.

What about using nag screens? What kind of message would you get if you advance the clock beyond the time limit?
Even if it quits silently you may break on PostQuitMessage API.

Aimless
November 14th, 2003, 02:41
The idea is very simple.

In order for the program to note that dates are being changed, it has to store the date somewhere. There are only 4 candidates possible:

1. Mucking around in the registry (favourite)
2. Mucking around in the files (next best-of-line)
3. Modifying the binary or its dependents (dlls) somewhere.
4. Modifying certain HDD sectors.

For each, find the solution:

1. Regmon
2. Filemon
3. FC /B (binary mode)
4. WHoops.

Chances are, 98% of the time, it will be the first two options.

BTW, just because the key accessed in Regmon is CLSID does not mean that the date will not be stored there.

Have Phun

Aimless
November 14th, 2003, 02:44
And, I almost forgot...

Here's a small trick, if you are running Windows XP, to ensure that you are not coming under a really commercial protection.

1. Before installation of the app, create a system restore point (learn how in the Windows XP documentation if you do not know)
2. Install the application
3. Muck it up
4. Uninstall the application
5. Restore the system restore point
6. Re-install the application

If the application works after re-installation again, then you know for SURE that the protection is either 1 or 2.

Have Phun

LOUZEW
November 19th, 2003, 17:18
Hi,
Thanks, Aimless and Naides, for your help.
I've tried your tips and I can't find anything interesting.
Traced this app with BoundsChecker and the only thing I can locate is a whole sequence of:
GetMessage
PeekMessage

just before the app exits!

I don't know how to use this info. Can somebody help?

LOUZEW
November 22nd, 2003, 08:05
Many thanks, Naides, for your help!
PM sent

naides
November 22nd, 2003, 11:39
Quote:
[Originally Posted by Aimless]The idea is very simple.

In order for the program to note that dates are being changed, it has to store the date somewhere. There are only 4 candidates possible:

1. Mucking around in the registry (favourite)
2. Mucking around in the files (next best-of-line)
3. Modifying the binary or its dependents (dlls) somewhere.
4. Modifying certain HDD sectors.

For each, find the solution:

1. Regmon
2. Filemon
3. FC /B (binary mode)
4. WHoops.

Chances are, 98% of the time, it will be the first two options.

BTW, just because the key accessed in Regmon is CLSID does not mean that the date will not be stored there.

Have Phun



This app had yet another place to store the time limit (12/31/03): it was hard-coded in the program!
if current year > x07D3h (2003) then quit.

Who would think of such a thing?