Comments on: R4ndom’s Tutorial #18: Time Trials and Memory Breakpoints

By: 10G

10G — Tue, 30 Apr 2013 20:48:31 +0000

I have an app I am trying to evaluate which limits trial tries to 30. I have tried capturing where it writes the counter. I ysed regshot to do a registry diff, wireshark to capture network packets, file diffs, but cannot find where this counter data is held. ANy clues where?

By: Anonymous

Anonymous — Fri, 01 Feb 2013 14:59:59 +0000

It also seems to use “HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Windows Data Count\data” when running it from within OllyDbg.

By: Anonymous

Anonymous — Fri, 01 Feb 2013 14:44:41 +0000

The registry key was located at “HKEY_CURRENT_USER\Software\Classes\VirtualStore\MACHINE\SOFTWARE\Wow6432Node\Windows Data Count\data” on my machine.

By: sheisgoingnuts

sheisgoingnuts — Wed, 30 Jan 2013 00:10:13 +0000

Hi there, u all. I would like to know if this kind of settle will work on those trial software that works with a database server like SQL. I’m working around with a F* guy that just won’t break…
Thxs

By: Anonymous

Anonymous — Wed, 30 Jan 2013 00:09:44 +0000

By: ap0g

ap0g — Wed, 28 Nov 2012 04:45:27 +0000

Nvm I switched over to your version (not 2.0) and I can see it just fine I think I am going to stick with this version unless I need to switch back for some reason.

By: ap0g

ap0g — Wed, 28 Nov 2012 04:38:25 +0000

I’m using Olly 2.0 and the string that you reference with the message that says something like “you have X amount of tries left” does not show up in the referenced string search list for me. I can see the registry string you mentioned just fine but not this one Why might this be?

By: R4ndom

R4ndom — Mon, 03 Sep 2012 16:34:35 +0000

Yeah, this happens a lot. This is why I stress the importance of knowing other tricks besides searching for strings. String obfuscation is the first thing any author worth their salt uses to protect their app.

By: Juan

Juan — Sun, 02 Sep 2012 19:09:46 +0000

great tutorial. unfortunately for the app i was trying to use this on it didnt work. couldnt find the text string stating the invalid serial or that the trial was expired nor could i find any registry strings.

By: flatline

flatline — Thu, 30 Aug 2012 20:22:16 +0000

Interesting

According to a quick check I’ve done the checks at 405B08 seems like return value checks (error handling). However 405AA5 is much more interesting. 0×140 seems like the magic value which will be placed after successful registration. The registration validation happens around 406FE2 and by nopping 406FEE I was able to register my software with your magic numbers 12121212.

Thanks again for the great job.