can't figure out - time trial


josipbroz
March 30th, 2007, 07:34
I am fresh, hello everybody. I am trying to figure out how the 30-day time trial works in one of the programs. It's out of curiosity. I can get how the program flow works. I am using SoftICE and OllyDbg. I am studying the code with a scalpel, piece by piece, but it is very hard and I never give up.

When you start the program you have to choose an option in a dialog, and there is a notice of how many days or startups you have left: 30 days or 30 startups. If you click in the working program it lets you in; if you click when it has expired you get a dialog saying that the testing is over. I set bpx GetLocalTime in SoftICE for the working and the expired version. I put the code in WinMerge and compared it. The code is the same until address 77D4871F. DCBAABCD is probably a date string check.
I think it goes like this: if the CMP is not equal, do a jump-if-not-zero at 77D4871F... The problem is how to get to this address. In my PE file I don't have this address. Is this an outside call or what? How can I know which file includes this address and where it is? Help please. See below for details.

Expired:
001B:005A4B36 POP EDI
001B:005A4B37 POP ESI
001B:005A4B38 POP EBX
001B:005A4B39 LEAVE
001B:005A4B3A RET
001B:005A1A0A CALL 0059E4C0
001B:005A1A0F MOV DWORD PTR [005A6170],00000001
001B:005A1A19 MOV [005A9B74],SI
001B:005A1A20 CALL 005A1E80
001B:005A1A25 MOV [005A6180],EAX
001B:005A1A2A CALL 005A3240
001B:005A1A2F MOV CX,[005A994A]
001B:005A1A36 TEST CL,08
001B:005A1A39 JZ 005A1A83 (JUMP )
001B:005A1A83 CMP DWORD PTR [005A6180],02
001B:005A1A8A JNZ 005A1A9A (JUMP )
001B:005A1A9A TEST CL,08
001B:005A1A9D JZ 005A1DCA (JUMP )
001B:005A1DCA XOR EAX,EAX
001B:005A1DCC POP EBP
001B:005A1DCD POP EDI
001B:005A1DCE POP ESI
001B:005A1DCF POP EBX
001B:005A1DD0 ADD ESP,34
001B:005A1DD3 RET 0010
001B:77D48709 MOV ECX,FS:[00000018]
001B:77D48710 AND BYTE PTR [ECX+00000FB4],00
001B:77D48717 CMP DWORD PTR [ESP+04],DCBAABCD
001B:77D4871F JNZ 77D703B0 (NO JUMP)
001B:77D48725 ADD ESP,08
001B:77D48728 POP EBX
001B:77D48729 POP EDI
001B:77D4872A POP ESI
001B:77D4872B POP EBP
001B:77D4872C RET 0014
001B:77D4D297 MOV [EBP-1C],EAX
001B:77D4D29A LEA EAX,[EBP-28]
001B:77D4D29D PUSH EAX
001B:77D4D29E LEA EAX,[EBP-1C]
001B:77D4D2A1 PUSH EAX
001B:77D4D2A2 PUSH EDI
001B:77D4D2A3 PUSH EBX
001B:77D4D2A4 PUSH DWORD PTR [EBP+14]
001B:77D4D2A7 PUSH DWORD PTR [EBP+10]
001B:77D4D2AA CALL [77DA01CC]


Working:
001B:005A4B36 POP EDI
001B:005A4B37 POP ESI
001B:005A4B38 POP EBX
001B:005A4B39 LEAVE
001B:005A4B3A RET
001B:005A1A0A CALL 0059E4C0
001B:005A1A0F MOV DWORD PTR [005A6170],00000001
001B:005A1A19 MOV [005A9B74],SI
001B:005A1A20 CALL 005A1E80
001B:005A1A25 MOV [005A6180],EAX
001B:005A1A2A CALL 005A3240
001B:005A1A2F MOV CX,[005A994A]
001B:005A1A36 TEST CL,08
001B:005A1A39 JZ 005A1A83 (JUMP )
001B:005A1A83 CMP DWORD PTR [005A6180],02
001B:005A1A8A JNZ 005A1A9A (JUMP )
001B:005A1A9A TEST CL,08
001B:005A1A9D JZ 005A1DCA (JUMP )
001B:005A1DCA XOR EAX,EAX
001B:005A1DCC POP EBP
001B:005A1DCD POP EDI
001B:005A1DCE POP ESI
001B:005A1DCF POP EBX
001B:005A1DD0 ADD ESP,34
001B:005A1DD3 RET 0010
001B:77D48734 MOV ECX,FS:[00000018]
001B:77D4873B AND BYTE PTR [ECX+00000FB4],00
001B:77D48742 CMP DWORD PTR [ESP+04],DCBAABCD
001B:77D4874A JNZ 77D70388 (NO JUMP)
001B:77D48750 ADD ESP,08
001B:77D48753 POP EBX
001B:77D48754 POP EDI
001B:77D48755 POP ESI
001B:77D48756 POP EBP
001B:77D48757 RET 0014
001B:77D4D05B MOV [EBP-1C],EAX
001B:77D4D05E LEA EAX,[EBP-28]
001B:77D4D061 PUSH EAX
001B:77D4D062 LEA EAX,[EBP-1C]
001B:77D4D065 PUSH EAX
001B:77D4D066 PUSH EDI
001B:77D4D067 PUSH EBX
001B:77D4D068 PUSH DWORD PTR [EBP+14]
001B:77D4D06B PUSH DWORD PTR [EBP+10]
001B:77D4D06E CALL [77DA01EC]

Carpe Diem.

naides
March 30th, 2007, 08:14
Hi Tito:

The code at addresses like

001B:77D48734 MOV ECX,FS:[00000018]

belongs to the operating system DLLs. Those are API calls.

You can figure out which API it is by looking at the memory map in Olly and finding which module that address belongs to. Then look at the names associated with that module and see which API contains that address.

The names of those APIs tend to be self-explanatory, but they perform generic procedures like comparing two strings, or changing a number to a string, or something like that.

The action is taking place at the

005A1A36-like addresses.

That IS your program code, which executes your program-specific actions.

josipbroz
March 30th, 2007, 10:09
Thank you for the answer. I don't know how to handle the TEST instruction at 005A1A36. I used to see TEST EAX, EAX, TEST EAX = 0 etc. in those places, but not here. What is this TEST of CL register bit 8? Any good clue on how to handle it would be very helpful.

naides
March 30th, 2007, 14:15
Look into this old thread

http://71.6.196.237/forum/showthread.php?t=7295&highlight=test+game

for some explanation of the use of the TEST instruction.

Technically:

TEST CL, 08 performs a bitwise AND operation between the operands, but it does not change the content of the CL operand, as would happen with the instruction AND CL, 08; instead TEST only sets the flags. Right after the TEST you see a JZ xxxxx, so the program uses the result of the test (stored in the zero flag) to decide whether to jump or not.

In simpler terms, let's assume that CL contains the value 0xD3 in hex; in binary:

D3 11010011
08 00001000

AND 00000000


In this case the TEST produces a zero: the 4th bit is 0 in 0xD3 and 1 in 0x08, so the zero flag is set to 1, and the next instruction, JZ, will jump.

Had CL been

AC 10101100
08 00001000

AND 00001000

the TEST would produce something non-zero, the Z flag would be set to 0, and the next JZ instruction would not jump.

In summary, TEST is used to check the status of individual bits within a number, using the second operand as a "mask".

Hope it makes sense
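An added example, not part of the thread, that emulates what TEST CL,08 does to the flags (ZF, SF and PF set from the AND result, CF and OF cleared, CL untouched) and how the following JZ decides, using the 0xD3 and 0xAC values from the explanation above. The function names and the sample CL values are my own.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Flags that TEST writes: ZF, SF, PF from the result; CF and OF cleared. */
typedef struct { bool zf, sf, pf, cf, of; } flags_t;

/* Emulate x86 TEST r8, imm8: AND the operands, throw the result away,
   keep only the flags.  The register itself is never modified. */
static flags_t test8(uint8_t reg, uint8_t mask) {
    uint8_t r = reg & mask;
    flags_t f;
    f.zf = (r == 0);
    f.sf = (r & 0x80) != 0;
    /* PF: set when the result byte has an even number of 1 bits */
    int ones = 0;
    for (uint8_t t = r; t; t >>= 1) ones += t & 1;
    f.pf = (ones % 2) == 0;
    f.cf = false;
    f.of = false;
    return f;
}

/* JZ is taken iff ZF == 1; JNZ iff ZF == 0 */
static bool jz_taken(flags_t f)  { return f.zf; }
static bool jnz_taken(flags_t f) { return !f.zf; }

/* The TEST CL,08 / JZ pair from the trace at 005A1A36 / 005A1A39:
   returns true when the JZ at 005A1A39 would be taken for this CL. */
static bool trace_test_cl_08_jz(uint8_t cl) {
    return jz_taken(test8(cl, 0x08));
}

int main(void) {
    /* constructed sample values, including the two from the post */
    uint8_t samples[] = {0xD3, 0xAC, 0x00, 0x08, 0xFF};
    for (size_t i = 0; i < sizeof samples; i++) {
        flags_t f = test8(samples[i], 0x08);
        printf("CL=%02X  TEST CL,08 -> ZF=%d SF=%d PF=%d  JZ %s, JNZ %s\n",
               samples[i], f.zf, f.sf, f.pf,
               jz_taken(f) ? "taken" : "not taken",
               jnz_taken(f) ? "taken" : "not taken");
    }
    return 0;
}
```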

LLXX
March 31st, 2007, 05:31
...or just look at the pertinent section of the Intel IA-32/64 Reference Manuals (I'm not sure if it still is, but the hardcopy set was free when I ordered it).

Also, examine the pertinent section in IDA. It's much easier to think when you're not under the stress of "debugger rush". And 30 is 1E; look around the code for comparisons with that.