Hi, I am a newbie to reverese engineering and cracking. I read a lot of tuts last 2 weeks on RE and softice. I got many the tools needed to crack 'regular' software. I did crack some of them following many great tuts over the internet.

Now I have that software, that calls alot of dll and runs under java.
After installing, when I start the program, there is a window titled "Expired" that mention that this is a demo version, etc. My only option is to press the "X" button to close the window and the program closes automaticaly. This program was supposed to be a 30 day evaluation trial. I downloaded this software from the compagny ftp site about a year ago. Now (one year later the download), when I try to reinstall the software on a different computer, the software disply the "Expired" windows again.

I tried to use softice to get a bpx on that window, but no function seems to work. The software runs under java, so I think that it might be more complicated that I think ? THe only bpx that works is GetLocalTime. When I step into calls I find lines of code were it tell the program to set registery to 1970-1-1. Then Systemtimetofile time. I changed the registry, I chaged the code... always this 'Expired' window.

So this is where I need a hint ? My guesses are that there is a protection associated with the installer, that remembers when I downloaded it ? Help would be appreciated !

Thanks in advance

It may not remember when you downloaded, but it may have an upper time limit. Let me explain:

If (time since install > 30 days) OR (current date later than December 31, 2004)

expired = true;


Try setting back the time in the new computer to some time last year, then install the program in that clean, living in the past computer. Bet you it will run.

It may also be reading the date form some file in the system, so setting the CMOS time back may not do the trick.

Reverse, man, Reverse. Java can be reversed.

Just as a small tip - I've never worked on Java but using that break point either trace into by hand first until you reach the nag then look above that spot for a jump past where the nag is generated - you can try to just jump past it but nowadays that seldom works - there are usually multiple checks - look for a variable test or comparison such as Test eax.eax followed by the jump or cmp dword ptr(followed by address or variable), 1Eh (or 0), and try to set the value to one that will trigger the jmp past the nag but much earlier in the program flow - IDA subview - graphs can help.

SiGiNT

Just something I remembered later, of course it happened to me when I wanted to share a demo with a friend, a small percentage of demos require you to download a license file - that lic. is only good for XX days from when it was sent to you. Could be another reason why it installed expired.

To elaborate a bit on the point made by Naides: you need to figure out how the app determines what the time and date is. It can do this in different ways, for instance using api's to determine system time (you need to get the win32api help file or the windows platform sdk - search the net, try win32asm.cjn.net for a link to the first, and microsoft for the second), or perhaps determining the time from system files (like system.dat or something). There are many possibilities, and you need to figure out which one it uses (and perhaps it uses more than one). A tool that might help you is filemon - you can try and see if it tries to get the date from system files, or other files (perhaps when you downloaded it, a given file was created just then, and it checks for the time and date of this file).

Fake

First, thanks for advices !

naides: Seems a good idea, i'll try it as soon as I will have access to a "new" computer. Maybe programmers are that lazy when comes the time to protect their valuable software !
sigint33:I already tried to start from the nag, but I don't know how. I reversed the DLL file that call the GetLocalTime fuction (see attachement). At a certain point, a specific call launches the software (java initiation ?) and I cannot control the progress by SI anymore.
New observation : I made a Properties on the setup file and the date is 27 jully 2004. I'll try to modife my system clock to that particular time befoer installing it (on a new computer). Is there any ways to modify the date associated with the file ? Is this date the one when I downloaded it or when I burned it on a CD ?
I'll try a couple of things from your advices and maybe try to learn some java programming, reverse the java code and trying understand what's happenning in there. Since there, if the file give you other clues that I missed, could you please let me know.

Thanks !

Well like I said I've never run into a Java app. before - and the example I gave you is a very simplified example that seldom works these days, (similar to what you'll find in tuts, I swear a lot of the tuts are based on as simple a program the author could find), but sometimes you may be surprised. Learning how everything works leading up to that point is very usefull. As for modifying the file date properties almost any hex editor Winhex, Hackman etal will do that for you, its a quick process to give it a try, but I really doubt that will change anything, why not get a new version demo? or is the Co. out of business,

SiGiNT33

Explore a little about virtual machines, VMWARE. you do not need a new computer each time, you can install a VM in your very own computer, keep a "virgin" clone set asside and you have a fresh new system for you experiments, as often as needed.

Take a look at my comments in the file attached. I think you are close . . .


ADD on:

Without tracing the program live, my GUESS:

The program keeps the current date and time in a quad word EDX:EAX. It appears to compute it as the number of seconds since Jan 1 1970 at 00:00:00. or some variation on the theme.

That quad gets stored in the global variables [068c7b20] and [068c7b24].

Someone else reads it and makes sure every thing is Kosher, settting or returning "good boy" flags.

Place BPMD on [068c7b20] and [068c7b24] and see who reads them.

Using DOS kernal:
Int 21 Function 5705 - Set Last Access Date and Time
Int 21 Function 5708 - Set Creation Date and Time

Using Win32 API:
SetFileTime()

You could write a little utility that uses those syscalls, or BPX on GetFileTime.

No one has mentioned that java decompiles very easily! Go to google and type in java decompiler, and I bet you get 1000 hits. I've fixed some java apps, and I found that decompiling them was always the starting point. (Even if they are obfuscated, you could still possibly single step them in a java development environment, and see what does what.)

I fixed a farking PowerBuilder app that way. (ripped out snippets of code, and put them in my own project in PB, and single stepped them to watch what it did).

Just wanna thank you all for tips. For now, I just can't get over it (
Lack of knowledge and time. This project is certainly not dead. Go to learn for now !

'Later !