Timer Functions

[bedrock]

I'm debugging an demo version of an application that terminates after 1 hour, with the intention of trying to find the timer, and kill it so the application will run continuously.

I have been looking at various time related API's, but i haven't found how it checks if the hour is up yet.

Does anyone have any more API's i could look at, or a list of windows timer related API's, so far i have looked for:

SetTimer
KillTimer
GetTickCount
GetSystemTime
GetLocalTime

Or any general advice on how to seek and kill time trial based software

Thanks in advance

--
bedrock

Very strange. I cant think any other way. A possibility is (although very rare) to read the time via WMI calls. But that makes the application compatible only with XP/2K, since the WMI is available to Win98 only if the WMI Core is installed. Have you checked if it reads the time of system files, maybe via GetFileTime? Have you done the test to set the clock forward to see if detects it and kills the app? If yes, then the trial system is time comparable. If not, then its sounds like timer (GetTickCount).

Why you dont share with us the name of the application?

[Polaris]

Are you sure that the time is read through an API? There are a thousands of ways in which one can get the current time...

[bedrock]

Polaris, this is my point, i dont know it is an API, i have tried the ones i can think of to check, but i dont know all these other ways to get current time, maybe if there is 1000's of way then i will not learn them all, but any pointers?

--
bedrock

[Jay]

recently came across an time limited app using the timer functions in winmm.dll.

[JMI]

Have you considered the possibility that it might not check the "time" at all, that, perhaps it simply loads a counter of some form and just "counts" it down to zero and unloads.

Regards,

[Naides]

One app I reversed a long time ago learned the time by creating a dummy file and then reading the time stamp of the file (Then it erased it) so a run with filemon and api like FileTimeToSystemTime and the like might give you something.

On the other hand, one sure thing that happens after an hour is that the app QUITS.

What about looking for API that close an app? PostQuitMessage for instance.

Finally, the use of a good api monitor like APISPY may help you find your guilty API sooner.

[goggles99]

I'm afraid to say that the best bet you may have is to fun a trace on the program and let it sit for a while... overnight possibly.
Since it may be a different thread that kills the program or provides a callback to another thread, the best way to start is to place a bp on all termination function calls and determine which thread closes the app and where.

When you run your trace (on the thread with the terminator) let it run untill it hits that last api (the one that kills that app), then look back and see what comparison and jump was taken, or not taken to wind up there.

BTW, you should be putting BP on the return of api's becasue some apps emulate the first few instructions of them and then jump into the center of them. Many Api's are just wrappers for other API's in the nt.dll, find out if any of the api's you are calling end up there. This program may be calling the nt.dll's functions directly.

If the Application is using some kind of internal countdown timer (as JMI suggested), perhaps you could use a memory searcher like T-search and do a search for an unknown integer, wait a few seconds and do a second search for a integer value that has decreased. A few of these and you will find the value (in memory) that is counting down. Attach a debugger and place a memory write bp on that address to see what is modifying it...
nop or modify that code.

What is the Demo App called??? I'll have a look at it.

[TQN]

Another two API functions used to get time are: GetProcessTimes in kernel32.dll and timeGetTime in winmm.dll.
Regards,

[bedrock]

Well it seems this particular target used a WaitForSingleObject call with a timeout value, and then a loop with a couter, seems to run for longer than an hour now

thanks for all the ideas

--
bedrock