#16
Re: what's next?
Quote:
paul333
#17
No
No, the protected application was allowed to run for one day after which it expired, the snapshot was taken after the first run (before expiry) and the modifications to the reg were removed the next day hoping to get a new day of "trial" yet this didn't happen...
#18
Quote:
Dynio, you state "I've protected executable with Armadillo v3 and successfully cleared registration info" please give us info then.
Last edited by gorge; 08-12-2003 at 01:53.
#19
Kindergarten? :)
What TEMP dir You're talking about?????????? George, PLEASE!!! Don't make me CRY. The way I did it was THE SIMPLEST ONE (it always helps). I can't believe You don't know how....
I suppose Wassim is deleting entries from registry by hand. As I said before: IT WON'T HELP. [B]REPLACE WHOLE REGISTRY. ONLY REGISTRY. NOTHING MORE.[/B] The way You should do it on XP is to replace "Software" and "System" files within /Windows/System32/Config directory with stored ones. Huh... Good Luck guys.... try and inform us about further steps. Arrgh.......
#20
You can use the ZW functions (e.g. ZwOpenKey) to set back the date of an Armadillo'd application as long as the IRQL is currently at PASSIVE_LEVEL. You may be able to do it with other functions, but these are the ones I've tried, tested, and succeeded with.
Deleting keys at random is just not going to work (even if you have a Regsnap/watch/whatever log before and afterwards).
EDIT: This is, of course, assuming a Win2K/XP system (the functions above don't exist on Win98 as far as I'm aware).
Last edited by Squidge; 08-13-2003 at 03:15.
#21
It is extremely dangerous, slightly stupid, and completely unnecessary to be deleting system files simply to find changes made in the registry by the installation of a new program. Following dynio's "advice" would be risky at best.
There are many programs which can provide a record of items written to the registry with the installation of a new program. These include several brands of programs which take a snapshot of the registry immediately before and after an installation and permit one to view what has changed. There is also the standard regmon program which can record all reads and writes to the registry, but requires some filtering to find what is needed. A program was released on the RCE Messageboard to do that very thing after I had described reading through 27,000 entries in an effort to find where ASPR was hiding its time trial information on that Board.
I definitely would not recommend deleting files for replacements unless extreme caution were exercised to make sure that a current copy of ALL the necessary files had been recorded, just before the installation. Otherwise one is courting disaster.
One way to solve this problem, for those studying computer science, is to use a "clean" lab machine, use one of the programs to take that snapshot of the registry, install the target, and then make a new snapshot and compare. Then you have no chance of damaging a machine you may depend on for other activities, besides reverse code engineering.
The last version of ASPR I actually had time to play with was recording its time limitation entries into the Registry Keys of OTHER PROGRAMS. I have not had time to play with ARM to see if it might be using the same technique to hide its entries from casual observation. Regards.
JMI
#22
JMI: Good advice. I have an old machine for this very purpose, and since the hardware changes extremely rarely, I also have Ghost CD-Rs which contain standard Win98 and WinXP images, and I can install either OS in a matter of minutes. Should I screw anything up so the OS falls over, a complete newly installed OS is a matter of minutes away.
This is becoming more and more important as more shareware developers (and protectors) are using more low-level routines. The ZW functions, for example, can create and delete registry keys that the normal user-functions can see, but not alter (which includes regedit & regedt32), which makes them prime targets for these protectors/shareware authors. These calls also slip past all current registry monitors.
#23
Another useful tool when you want to seriously mess with the registry or system files is Virtual PC 5.2. You can have a new image loaded in a matter of seconds plus you don't risk messing up your machine.
It's also useful when you want to see how a program operates under various OSes and conditions, just load up the image in seconds.
#24
Re: :s
Quote:
All what you know is there!?
------------------------------------------------------
Download -> Regmon / Filemon!
hxxp://www.sysinternals.com/ntw2k/source/regmon.shtm
hxxp://www.sysinternals.com/ntw2k/source/filemon.shtm
BUT you must patch these tools or Armadillo would check this and HIDE interesting things from your eyes.
Example of what must be deleted:
[HKEY_CLASSES_ROOT\CLSID\{ED86CA99-271F-13D1-B2E4-0060975B8649}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Licenses]
[HKEY_LOCAL_MACHINE\SOFTWARE\The Silicon Realms Toolworks\Armadillo]
In your TEMP Directory (all) -> ?.tmp
---------------------------------------------------------
---------------------------------------------------------
Thanks Viper.. this is the right info I was looking for. BTW the CLSID key might be different for each Windows OS or for different targets, I just confirmed.. maybe it is hardware ID based? Anyway I'm trying to find a generic way about how this works.... deleting:
[HKEY_LOCAL_MACHINE\Software\Licenses]
[HKEY_CURRENT_USER\Software\Licenses]
[HKEY_LOCAL_MACHINE\Software\The Silicon Realms Toolworks]
[HKEY_CURRENT_USER\Software\The Silicon Realms Toolworks]
and the CLSID key that the registry monitor shows right after the Licenses one...
HKEY_CLASSES_ROOT\CLSID\{xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx}
then deleting all *.*.tmp files from the TEMP dir, and done!
------------------------------------------------------------------------------------
Tschau Viper Zx
#25
use regshot
http://regshot.ist.md
#26
#27
attachment
#28
#29
Thank U SKAMER, nice tool indeed, I tried it on a program protected with dillo and allowed to run 3 times, tried to get a new 3 times by deleting the entry made by the program and restoring the modified keys to the state they were at in the first run, yet it didn't work....
I'm sure that there is another trick, the registry alone is not enough... btw the runs are counted by the program not by dlls... Thanks for all of those who helped or tried to help, I'll keep on trying however...
As for the link for the israeli site, I thought it's related to our thread yet it's not at all, it just tries to justify the massacres israelis are committing against palestinians and their children, I have tons of links to sites with similar pics and videos and claiming the exact opposite of ur claims, I can say that this forum is no place to spread sympathy for ur small country lol, man do u take us for fools or what? ur small country has the support of the biggest and strongest military force in the world, I'll post no more comments on this issue and I believe the link should be removed if the administrator would like to keep this forum a "scientific" one...
Last edited by wassim_; 08-14-2003 at 14:39.
#30
Hello all,
I was following this thread with interest, for I just stumbled on a target that is using Armadillo, probably the latest version .. initially I didn't even notice that the target was packed .. only when I touched a dll did the message "This program has been damaged, possibly by a bad sector of the hard drive or a virus. Please reinstall it." pop up, and searching I came up with a post on the siliconrealms.com site (http://support.siliconrealms.com/index.php?showtopic=1233). Almost all file analyzers don't detect any packing ... only PE-SCAN succeeded in finding Armadillo, but only on a single dll ... I've used InCtrl5 on the app installation and again on the first run and have indeed seen a lot of keys and values written to the registry:
-------- INSTALLATION --------
HKEY_CURRENT_USER\Software\Microsoft\CEStudio
HKEY_CURRENT_USER\Software\Microsoft\DevStudio
HKEY_CURRENT_USER\Software\Microsoft\Platform Builder
HKEY_CURRENT_USER\Software\Whole Tomato
HKEY_CLASSES_ROOT\CLSID\{62F53314-142B-11D1-9291-9DE84EB1A651}
HKEY_CLASSES_ROOT\Interface\{62F53315-142B-11D1-9291-9DE84EB1A651}
HKEY_CLASSES_ROOT\TypeLib\{62F53319-142B-11D1-9291-9DE84EB1A651}
HKEY_CLASSES_ROOT\Visual Assist Developer Studio Add-in
HKEY_CLASSES_ROOT\VisualAssist.DSAddIn.1
HKEY_LOCAL_MACHINE\SOFTWARE\Gentee
HKEY_LOCAL_MACHINE\SOFTWARE\Licenses
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RFC1156Agent
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Visual Assist 6.0
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count
HKEY_CLASSES_ROOT\VisualAssist.DSAddIn.1
-------- 1ST USE --------
HKEY_CURRENT_USER\Software\Microsoft\DevStudio\6.0\AddIns\VisualAssist.DSAddin.1\Toolbar
HKEY_CURRENT_USER\Software\Microsoft\DevStudio\6.0\Keyboard
HKEY_CURRENT_USER\Software\Microsoft\DevStudio\6.0\Keyboard\Aut
HKEY_CLASSES_ROOT\CLSID\{7C0AFA65-A9E6-7204-E2EE-6A144DF5BF7E}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSDEV.exe
HKEY_CLASSES_ROOT\SDISERVR50.SDIEVENT
-------- WRITTEN FILES --------
c:\Program Files\Visual Assist 6.0
c:\Documents and Settings\Administrator\Local Settings\Temp\A2861D1F.TMP
A lot of them I remember in older versions of the application, but a lot are also new ... Also, no HKEY_CURRENT_USER\Software\The Silicon Realms Toolworks key was written to the registry .... unfortunately just today I installed Armadillo on the same computer and so I DO now have such a key ...
BTW is there a file analyzer around capable of detecting the latest versions of Armadillo (PEiD 0.8 and PE Tools 1.5 failed)????
Regards, yaa
Last edited by yaa; 08-14-2003 at 21:40.