#16
08-11-2003, 20:05
bunion
Re: what's next?

Quote:
Originally posted by wassim_
This is the procedure I followed

I protected a .exe using dillo 3.01, it was a time based trial, I took a snapshot of my registry then I ran the exe once and compared the current registry to the snapshot, found several changed values, deleted them all, tried to set the clock back into the time of the trial validity expecting the exe to run again yet ...It didn't work, it's the same message saying that it's expired....

so now what?
Are you missing something here Wassim?? Sounds like your program was already expired before you ran the app? You protected a program with Arma, you took a snapshot of the registry, you ran the protected app and noticed some changes. Was this ALL on the one day???? You then turned the clock BACK?? Am I right then that you installed the app whilst you had your clock moved FORWARD? Just checking.

paul333
#17
08-11-2003, 21:18
wassim_
No

No, the protected application was allowed to run for one day after which it expired, the snapshot was taken after the first run (before expiry) and the modifications to the reg were removed the next day hoping to get a new day of "trial" yet this didn't happen...
#18
08-12-2003, 00:11
gorge
Quote:
Originally posted by dynio
I don't want in any way to compete with Gorge but as I said before: Armadillo (including v3.1) uses only REGISTRY TRICKS. I wouldn't say that if I didn't check it myself. And if I say registry tricks -I mean REGISTRY TRICKS. Not simply storing and querying the values in registry. I could be wrong only if Armadillo uses random techniques during protecting (file, file+reg, reg) - but I don't think so. I've protected executable with Armadillo v3 and successfully cleared registration info. It was placed ONLY IN REGISTRY.

Wassim: I suppose this is Your first approach with "transparent" (I call it that) registry modifying. Try to look a little "deeper" (HexEditor, etc.). Good Luck.

Regards.
it writes information to the TEMP directory

Dynio, you state "I've protected executable with Armadillo v3 and successfully cleared registration info" please give us info then.


Last edited by gorge; 08-12-2003 at 01:53.
#19
08-13-2003, 02:24
dynio
Kindergarten? :)

What TEMP dir are You talking about?????????? George, PLEASE!!! Don't make me CRY. The way I did it was THE SIMPLEST ONE (it always helps). I can't believe You don't know how....
I suppose Wassim is deleting entries from the registry by hand. As I said before: IT WON'T HELP.
REPLACE THE WHOLE REGISTRY. ONLY THE REGISTRY. NOTHING MORE. The way You should do it on XP is to replace the "Software" and "System" files within the /Windows/System32/Config directory with stored ones. Huh... Good Luck guys.... try and inform us about further steps. Arrgh.......
#20
08-13-2003, 03:13
Squidge
You can use the ZW functions (e.g. ZwOpenKey) to set back the date of an Armadillo'd application as long as the IRQL is currently at PASSIVE_LEVEL. You may be able to do it with other functions, but these are the ones I've tried, tested, and succeeded with.

Deleting keys at random is just not going to work (even if you have a Regsnap/watch/whatever log before and afterwards)

EDIT: This is, of course, assuming a Win2K/XP system (the functions above don't exist on Win98 as far as I'm aware)

Last edited by Squidge; 08-13-2003 at 03:15.
#21
08-13-2003, 03:13
JMI
It is extremely dangerous, slightly stupid, and completely unnecessary to be deleting system files simply to find changes made in the registry by the installation of a new program. Following dynio's "advice" would be risky at best.

There are many programs which can provide a record of items written to the registry with the installation of a new program. These include several brands of programs which take a snapshot of the registry immediately before and after an installation and permit one to view what has changed. There is also the standard Regmon program which can record all reads and writes to the registry, but requires some filtering to find what is needed. A program was released on the RCE Messageboard to do that very thing after I had described, on that Board, reading through 27,000 entries in an effort to find where ASPR was hiding its time trial information.

I definitely would not recommend deleting files for replacement unless extreme caution were exercised to make sure that a current copy of ALL the necessary files had been recorded just before the installation. Otherwise one is courting disaster. One way to solve this problem, for those studying computer science, is to use a "clean" lab machine, use one of the programs to take that snapshot of the registry, install the target, and then make a new snapshot and compare. Then you have no chance of damaging a machine you may depend on for other activities besides reverse code engineering.

The last version of ASPR I actually had time to play with was recording its time limitation entries into the Registry Keys of OTHER PROGRAMS. I have not had time to play with ARM to see if it might be using the same technique to hide its entries from casual observation.

Regards.
JMI
#22
08-13-2003, 03:23
Squidge
JMI: Good advice. I have an old machine for this very purpose, and since the hardware changes extremely rarely, I also have Ghost CD-Rs which contain standard Win98 and WinXP images, so I can install either OS in a matter of minutes. Should I screw anything up so the OS falls over, a completely fresh OS install is a matter of minutes away.

This is becoming more and more important as more shareware developers (and protectors) are using more low-level routines. The ZW functions, for example, can create and delete registry keys that the normal user-mode functions can see but not alter (which includes regedit & regedt32), which makes them prime targets for these protectors/shareware authors. These calls also slip past all current registry monitors.
#23
08-13-2003, 05:11
Perdition
Another useful tool when you want to seriously mess with the registry or system files is Virtual PC 5.2. You can have a new image loaded in a matter of seconds plus you don't risk messing up your machine.

It's also useful when you want to see how a program operates under various OSes and conditions; just load up the image in seconds.
#24
08-13-2003, 19:50
Viper Zx
Re: :s

Quote:
Originally posted by wassim_
as I can see from the link to RCE, it was discussed there with no solution, the question is still the same...
?

All that you know is there!?


------------------------------------------------------
Download -> Regmon / Filemon!

hxxp://www.sysinternals.com/ntw2k/source/regmon.shtm

hxxp://www.sysinternals.com/ntw2k/source/filemon.shtm

BUT you must patch these tools, or Armadillo will check for them and HIDE the interesting stuff from your eyes.



Example of what must be deleted:

[HKEY_CLASSES_ROOT\CLSID\{ED86CA99-271F-13D1-B2E4-0060975B8649}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Licenses]

[HKEY_LOCAL_MACHINE\SOFTWARE\The Silicon Realms Toolworks\Armadillo]


In your TEMP Directory (all) -> ?.tmp

---------------------------------------------------------

thanks Viper.. this is the right info I was looking for. btw the CLSID key might be different for each Windows OS or for different targets, I just confirmed.. maybe it is hardware ID based? anyway I'm trying to find a generic way to see how this works....

deleting:

[HKEY_LOCAL_MACHINE\Software\Licenses]

[HKEY_CURRENT_USER\Software\Licenses]

[HKEY_LOCAL_MACHINE\Software\The Silicon Realms Toolworks]

[HKEY_CURRENT_USER\Software\The Silicon Realms Toolworks]

and the CLSID key that regmonitor shows right after the License.. one...

HKEY_CLASSES_ROOT\CLSID\{xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx}

then deleting all *.tmp files from the TEMP dir. and done!


------------------------------------------------------------------------------------

Tschau

Viper Zx
#25
08-13-2003, 20:01
an0nymous
use regshot

http://regshot.ist.md
#26
08-13-2003, 22:09
gorge
Quote:
Originally posted by sKAMER
use regshot

hxxp://regshot.ist.md
heheheh
#27
08-13-2003, 22:17
an0nymous
attachment
Attached file: regshot.rar (196.7 KB)
#28
08-14-2003, 12:02
alephz
Quote:
Originally posted by sKAMER
use regshot
Yet another tool (sorry, bit old & lame cracked)
Attached file: regsnap 320 (787).rar (318.6 KB)
#29
08-14-2003, 14:22
wassim_
>>>

Thank U SKAMER, nice tool indeed. I tried it on a program protected with dillo and allowed to run 3 times, and tried to get a new 3 runs by deleting the entries made by the program and restoring the modified keys to the state they were in at the first run, yet it didn't work....

I'm sure that there is another trick, the registry alone is not enough...

btw the runs are counted by the program not by dlls...

Thanks for all of those who helped or tried to help, I'll keep on trying however...

as for the link for the Israeli site, I thought it was related to our thread yet it's not at all, it just tries to justify the massacres Israelis are committing against Palestinians and their children. I have tons of links to sites with similar pics and videos claiming the exact opposite of ur claims. I can say that this forum is no place to spread sympathy for ur small country lol, man do u take us for fools or what? ur small country has the support of the biggest and strongest military force in the world. I'll post no more comments on this issue and I believe the link should be removed if the administrator would like to keep this forum a "scientific" one...



Last edited by wassim_; 08-14-2003 at 14:39.
#30
08-14-2003, 21:32
yaa

Hello all,

I was following this thread with interest, for I just stumbled on a target that is using Armadillo, probably the latest version. Initially I didn't even notice that the target was packed; only when I touched a dll did the message "This program has been damaged, possibly by a bad sector of the hard drive or a virus. Please reinstall it." pop up, and searching I came up with a post on the siliconrealms.com site (http://support.siliconrealms.com/index.php?showtopic=1233). Almost all file analyzers don't detect any packing; only PE-SCAN succeeded in finding Armadillo, but only on a single dll. I've used InCtrl5 on the app installation and again on the first run and have seen indeed a lot of keys and values written to the registry:

-------- INSTALLATION --------

HKEY_CURRENT_USER\Software\Microsoft\CEStudio
HKEY_CURRENT_USER\Software\Microsoft\DevStudio
HKEY_CURRENT_USER\Software\Microsoft\Platform Builder
HKEY_CURRENT_USER\Software\Whole Tomato

HKEY_CLASSES_ROOT\CLSID\{62F53314-142B-11D1-9291-9DE84EB1A651}
HKEY_CLASSES_ROOT\Interface\{62F53315-142B-11D1-9291-9DE84EB1A651}
HKEY_CLASSES_ROOT\TypeLib\{62F53319-142B-11D1-9291-9DE84EB1A651}

HKEY_CLASSES_ROOT\Visual Assist Developer Studio Add-in
HKEY_CLASSES_ROOT\VisualAssist.DSAddIn.1

HKEY_LOCAL_MACHINE\SOFTWARE\Gentee
HKEY_LOCAL_MACHINE\SOFTWARE\Licenses

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RFC1156Agent
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Visual Assist 6.0

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count
HKEY_CLASSES_ROOT\VisualAssist.DSAddIn.1

-------- 1ST USE --------

HKEY_CURRENT_USER\Software\Microsoft\DevStudio\6.0\AddIns\VisualAssist.DSAddin.1\Toolbar
HKEY_CURRENT_USER\Software\Microsoft\DevStudio\6.0\Keyboard
HKEY_CURRENT_USER\Software\Microsoft\DevStudio\6.0\Keyboard\Aut

HKEY_CLASSES_ROOT\CLSID\{7C0AFA65-A9E6-7204-E2EE-6A144DF5BF7E}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSDEV.exe

HKEY_CLASSES_ROOT\SDISERVR50.SDIEVENT

-------- WRITTEN FILES --------

c:\Program Files\Visual Assist 6.0
c:\Documents and Settings\Administrator\Local Settings\Temp\A2861D1F.TMP


A lot of them I remember in older versions of the application, but a lot are also new ...

Also, no HKEY_CURRENT_USER\Software\The Silicon Realms Toolworks key was written to the registry .... unfortunately just today I installed Armadillo on the same computer and so I DO now have such a key ...

BTW, is there a file analyzer around capable of detecting the latest versions of Armadillo (PEiD 0.8 and PE Tools 1.5 failed)????


Regards,
yaa

Last edited by yaa; 08-14-2003 at 21:40.