Aimless
October 10th, 2005, 08:02
Not so trivial a protection actually
Instead of trying to decipher the data packet OR trying to reverse engineer where it is in the registry/HDD sectors that the original installation data is stored, you can try this:
1. Trace the data packet in your program to see where it is being stored. Possibly, it will be a pointer type of variable. Immaterial. What is important is sooner or later, this pointer variable will be moved to a register. Mostly EAX or ECX for comparison purposes.
2. The existing original installation date (very well hidden, I might add, don't waste time trying to find it) will also be loaded via pointers into a register for comparison.
3. The moment! There will be a comparison, either DIV EAX/ECX or SUB EAX, ECX or many other such combinations. The point is after tracing through a debugger, the result will always tell you how many days or hours or minutes you have left.
4. Once you find that comparison, DON'T try to find the conditional jump that will kill the protection, instead make both mnemonics the same! So for example, if you find that your comparison happens via DIV EAX, ECX, then change the code to DIV EAX, EAX or DIV ECX, ECX. This will ensure that you always get the good guy.
A caveat: It is next to impossible to determine HOW the program is internally created. So don't take my example as gospel truth, but yet another way in which you may want to look at it.
The idea is ANY method you choose, whether disk locational, packet cracking or check disabling, everything WILL work. The difference is in knowing which one is easier to find. Cracking will NOT take time. FINDING where that damned check is (and worse! are there MULTIPLE checks?) is what is difficult in cracking.
Have Phun,