11-16-2019, 04:35
binarylaw

Quote:
Originally Posted by ionioni
Code:
[HKEY_CURRENT_USER\Software\Microsoft\Notepad]
"Integration"=dword:xxxxyyyy
xxxx = usage days (different consecutive days)
yyyy = install date (days since 1900)
"Integration"=dword:0015a99b = 21 days, installed on 15 nov. 2018

didn't stay on it too much, so other things might be there

Very interesting, thanks! Can I ask how you figured that out? Like what tools you used and methodology. I can see it now in Process Monitor (in hindsight), but I wouldn't have seen or realized that on my own, or known how to figure out that it was calculating anything based off that.

Quote:
Originally Posted by DavidXanatos
I find it strange that the trial period locally depends on the HWID.
I mean if I save a date somewhere somehow and then find it I use it.
I wouldn't assume any legit trial case where a customer would have a machine with the date set but a changed HWID.

Are you sure the tool is not communicating over the internet with its mothership and checking with them if for this machine with this HWID the trial period is not expired?

All I know is that when I changed the volume ID of the drive, on next launch or install of AceText, it suddenly sees it as a new machine. I agree with you though, but I can't find where it saves the volume ID. It must save it somehow somewhere to be able to know when there's suddenly a new volume ID.

As for the internet, I'm positive. I've had its network comms completely locked out, and even run it in a networkless VM too. Your thought makes sense though, I would think the same thing myself.

Quote:
Originally Posted by mr.exodia
Check GetVolumeInformationW

Thanks. Are you suggesting this generally (it being the API to get such information), or have you analyzed this program specifically to see that it does this?

I'm stuck trying to figure this out with my limited ability. I can see that it requests volume information in Process Monitor and API Monitor, but I don't know where to go from there, like finding out where it's storing the registration information.

If you can recommend any tools in particular necessary for this process or tutorials, I'd appreciate it. I probably have the tools already, I'm just not well versed in what to do next to go deeper on something like this.

Last edited by binarylaw; 11-16-2019 at 04:41.