riptide
February 2nd, 2007, 16:44
My head hurts 
So, I have an application which is a 30 day trial. Setting the date on my system forward disables the application (no notification before it exits) and setting the date back allows it to run again. Simple so far.
Tracing through the application with Olly I find that there is a byte in memory that gets set to 01h when it determines the 30 day trial is up. Then doing a break on memory write for that offset I find a jz instruction jumping to the mov that sets that byte... ok, so I nop the jump and the program runs w/o exiting -- great!
Not quite... I can't exit the program at all now
. So I look back at the code, and see that the cmp before our nop'd jump is comparing the resulting message from a peekmessage to 12h -- WM_QUIT. So this code is used to exit the application for all of the methods of exiting the program.
Now I break on all send/post message and postquitmessage calls in the application to try and find one that queries the system date before it or something similar only to find that nothing sends WM_QUIT from the application's code. The message is coming from elsewhere... (system libraries?) but I am a bit confused and stuck.
Can anyone who has seen anything like this before point me in the right direction?
Any help much appreciated.
(wasn't sure if this should go here or in advanced, but it just doesn't seem very advanced, and I don't feel like I'm that good when I can't do this)
So, I have an application which is a 30 day trial. Setting the date on my system forward disables the application (no notification before it exits) and setting the date back allows it to run again. Simple so far.
Tracing through the application with Olly I find that there is a byte in memory that gets set to 01h when it determines the 30 day trial is up. Then doing a break on memory write for that offset I find a jz instruction jumping to the mov that sets that byte... ok, so I nop the jump and the program runs w/o exiting -- great!
Not quite... I can't exit the program at all now
. So I look back at the code, and see that the cmp before our nop'd jump is comparing the resulting message from a peekmessage to 12h -- WM_QUIT. So this code is used to exit the application for all of the methods of exiting the program.Now I break on all send/post message and postquitmessage calls in the application to try and find one that queries the system date before it or something similar only to find that nothing sends WM_QUIT from the application's code. The message is coming from elsewhere... (system libraries?) but I am a bit confused and stuck.
Can anyone who has seen anything like this before point me in the right direction?
Any help much appreciated.
(wasn't sure if this should go here or in advanced, but it just doesn't seem very advanced, and I don't feel like I'm that good when I can't do this)