armadillo I think, date check
drevo
November 16th, 2006, 21:56
Hi, I have a DLL (from a big program) and am trying to get it to run alone without the main program installed. The ID detectors don't detect anything, but I think it is Armadillo (an older version is Armadillo and the error msgs are the same as Armadillo's). I tried all the unpackers with no luck at all; with dillodie1.6 I can get a dump but it does not work, others crashed or got thread errors.
The DLL works for 15 days after being installed. When changing the date to one month later a nag screen appears, and of course after setting the date back the nag continues, but I set up a Windows recovery point before installing, and every time I restore and install again I can get the DLL working for another 15 days.
So where is the expiry date stored? Not in the registry, as I have restored only the registry (manually from the recovery point) and the nag still appears, so there should be a file stored somewhere.
About the date check, the only call seems to be to the time() function. I hooked time() to always give the same time, but it didn't work. I will try to get all the files opened by doing a hook; in filemon I get a lot of garbage, it seems.
Thanks for reading, seeU
SiGiNT
November 17th, 2006, 10:09
Arma (at least the older versions) stores the date info in both the registry and a .tmp file. Get a copy of Trial Reset (hopefully you don't have AVG), and it should show you the info as well as allow you to delete it. Aside from using a script to autodelete the entries or a loader to patch in memory, you are best off unpacking it - lots of tuts for older versions around. If you are lazy like me, keep trying with DilloDie (1.6), using various combinations of the options available. Also, if you search this board, Admiral posted a tool specifically to unpack .dll's called ArmdllStrip.
SiGiNT
drevo
November 18th, 2006, 13:35
Thanks, DilloDie 1.6 does not work with any combination, but Trial Reset did!
filemon gets lots of garbage, but hooking the DLL and deleting the registry keys found by Trial Reset and a temp file in the docs and settings folder does the trick partially. There is a strange file opened called
c:\documents and setting\all users\program data\TEMP:XXXX
I cannot get to it with Explorer, but Armadillo finds and opens it.
BTW! I cannot find ArmdllStrip here or by googling.

SiGiNT
November 18th, 2006, 17:32
Well,
Here you go - I've added some notes of my own but that is not the gospel as how it should be used.
SiGiNT
drevo
November 19th, 2006, 21:26
Thanks!! Anyway, it didn't work. It seems to do nothing, without saving any dumped file. I waited a long time; maybe the DLL has the latest Armadillo version with new improvements.
laola
November 28th, 2006, 14:55
Quote:
Originally Posted by drevo: there is a strange file opened called
c:\documents and setting\all users\program data\TEMP:XXXX
I cannot get to it with Explorer, but Armadillo finds and opens it.
BTW! I cannot find ArmdllStrip here or by googling.

You may want to read about ADS on NTFS file systems.

Basically, each file can have more than one stream of data inside. Adding a new stream of data is simple, you can even do it on the DOS prompt. The fun thing: the file size will always display just the size of the main stream. That way you can hide a 2GB file behind a 20-byte text file. The only thing that indicates the existence of ADS is the difference between the total sum of file sizes on a partition and the amount of free space on it.
Tools are available to browse directories for files with multiple data streams (Windows Explorer Plugin for example), but it's just like always - you need to know where to search.
Oh, and for your example above: If TEMP is a directory, it can have ADS as well. Very nasty thing but a cool idea about where to hide your reg info
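
An audit sketch for the point made in the post above, added here as an example that is not part of the original thread: it lists every named alternate data stream under a directory, with the main-stream size beside the hidden stream size. The function name `Find-AlternateDataStream` and the `ads-demo` sample folder are assumptions made for illustration; streams attached to directories are only reported on PowerShell 7.2 or later.

```powershell
# Added example: audit a directory tree for NTFS alternate data streams (ADS).
# Requires Windows and an NTFS volume.
function Find-AlternateDataStream {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Path
    )
    # Include the root itself: a directory can carry named streams too.
    $items = @(Get-Item -LiteralPath $Path -Force) +
             @(Get-ChildItem -LiteralPath $Path -Recurse -Force -ErrorAction SilentlyContinue)
    foreach ($item in $items) {
        try {
            # -Stream * lists every stream of the item.
            $streams = Get-Item -LiteralPath $item.FullName -Force -Stream * -ErrorAction Stop
        } catch {
            continue   # unreadable item, or directory streams unsupported on this version
        }
        # ':$DATA' is the unnamed main stream; anything else is an ADS.
        foreach ($s in ($streams | Where-Object { $_.Stream -ne ':$DATA' })) {
            [pscustomobject]@{
                Path        = $item.FullName
                IsDirectory = $item.PSIsContainer
                Stream      = $s.Stream
                StreamBytes = $s.Length
                # Size that Explorer and dir report for the item
                MainBytes   = if ($item.PSIsContainer) { 0 } else { $item.Length }
            }
        }
    }
}

# Constructed sample data: a short text file with a larger named stream behind it.
$demo = Join-Path $env:TEMP 'ads-demo'
New-Item -ItemType Directory -Path $demo -Force | Out-Null
$file = Join-Path $demo 'note.txt'
Set-Content -LiteralPath $file -Value 'visible text'
Set-Content -LiteralPath $file -Stream 'extra' -Value ('x' * 4096)

# StreamBytes far exceeds MainBytes for note.txt, which a plain listing never shows.
Find-AlternateDataStream -Path $demo | Format-Table -AutoSize
```

On a real profile, expect benign hits such as the `Zone.Identifier` stream that Windows attaches to downloaded files; filter those out before reviewing the rest.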
