Armadillo time-based trials
Hello everyone...
What procedure does this protector use to prevent a "protected" program from running beyond a certain date? Does it use the registry or another trick? In other words, is there a way - besides a full format - to get a new trial period? Thx guys... |
Cool question
Hmm... I dunno why this subject hasn't been touched earlier... I'll try to find some time this weekend, then You'll get Your answer on Monday.
Well then... If someone has something interesting on offer (I mean an interesting application - not released to the public yet) - I'm open to writing an Armadillo time limit cleaner. ;) |
I find it easier to unpack the program from Armadillo rather than to clean the time in the registry.
|
so...
Squidge u r assuming that it uses the registry...
I am not sure about that. I'll wait for dynio or any other reply that confirms this. |
Well, the last program I refreshed the date on was a program protected with Armadillo 2.65, and that used the registry only. I've no idea about later versions, but for these I just remove the armadillo protection from them as I find it easier than searching for the time and means I only ever have to do it once.
|
Armadillo trial checks
Sorry about the delay... (i just forgot)
Squidge is right. So far, Armadillo (including v3.1) uses ONLY registry tricks. If You can't solve it by Yourself, feel free to contact me. I'll go a "little" deeper inside. But, PLEASE - only if You aren't able to force it. Regards. |
Great
Thank u for ur kindness and ur willingness to help...
I'll do my homework first, I'll use the tools of the trade and try with some exe that I'll protect with dillo in a time-based manner. I'll keep u informed of whatever result I get. Thanks again dynio, people like u r very rare btw check ur pm. |
second that
Yeah, he does seem to be an obliging guy.
|
what's next?
This is the procedure I followed
I protected a .exe using dillo 3.01 as a time-based trial. I took a snapshot of my registry, then I ran the exe once and compared the current registry to the snapshot, found several changed values, deleted them all, and tried to set the clock back to the time of the trial validity, expecting the exe to run again, yet... it didn't work, it's the same message saying that it's expired.... So now what? |
Re: what's next?
I don't want in any way to compete with George, but as I said before: Armadillo (including v3.1) uses only REGISTRY TRICKS. I wouldn't say that if I hadn't checked it myself. And if I say registry tricks, I mean REGISTRY TRICKS. Not simply storing and querying the values in the registry. I could be wrong only if Armadillo uses random techniques during protecting (file, file+reg, reg) - but I don't think so. I've protected an executable with Armadillo v3 and successfully cleared the registration info. It was placed ONLY IN THE REGISTRY.
Wassim: I suppose this is Your first approach to "transparent" (I call it that) registry modifying. Try to look a little "deeper" (HexEditor, etc.). Good Luck. Regards. |
hxxp://66.98.132.48/forum/showthread.php?s=&threadid=4672&highlight=armadillo+time
Tschau Viper Zx |
:s
As I can see from the link to RCE, it was discussed there with no solution; the question is still the same...
|
There is no question :)
Wassim: Please read carefully what I wrote. I suppose You've used Advanced Registry Tracer or a similar tool. Am I right? Then You won't discover any difference, BUT THERE IS ONE FOR SURE. Go and fight! :)
If You fail for sure, then I'll do it for You - send me that app. But I would like to hear the solution from You :). And I still believe You can do it Yourself. Regards. |
Wassim, the best bet when installing anything like that is to use an install watcher like Easyclean, so that when first running the app you have a list of all files and registry keys that the app used when installing. It means you'll have a complete regfile that you can just click to remove any changes made... although Advanced Registry Tracer is cool and handy, try to get something smaller that watches "realtime" while you run the app on a normal basis (after installing). That way you can catch any additional changes on the fly, no matter how small... a good tool to get is REGSHOT or INCTRL4..
paul333 |
No
No, the protected application was allowed to run for one day, after which it expired. The snapshot was taken after the first run (before expiry) and the modifications to the reg were removed the next day, hoping to get a new day of "trial", yet this didn't happen...
|
Dynio, you state "I've protected executable with Armadillo v3 and successfully cleared registration info" please give us info then. :p |
Kindergarden? :)
What TEMP dir are You talking about?????????? George, PLEASE!!! :) Don't make me CRY. The way I did it was THE SIMPLEST ONE (it always helps). I can't believe You don't know how.... ;)
I suppose Wassim is deleting entries from the registry by hand. As I said before: IT WON'T HELP. REPLACE THE WHOLE REGISTRY. ONLY THE REGISTRY. NOTHING MORE. The way You should do it on XP is to replace the "Software" and "System" files within the /Windows/System32/Config directory with stored ones. Huh... Good Luck guys.... try and inform us about further steps :). Arrgh.......;) |
You can use the ZW functions (eg. ZwOpenKey) to set back the date of an Armadillo'd application as long as the IRQL is currently at PASSIVE_LEVEL. You may be able to do it with other functions, but these are the ones I've tried, tested, and succeeded with :)
Deleting keys at random is just not going to work (even if you have a Regsnap/watch/whatever log from before and afterwards). EDIT: This is, of course, assuming a Win2K/XP system (the functions above don't exist on Win98 as far as I'm aware). |
It is extremely dangerous, slightly stupid, and completely unnecessary to be deleting system files simply to find changes made in the registry by the installation of a new program. Following dynio's "advice" would be risky at best.
There are many programs which can provide a record of items written to the registry with the installation of a new program. These include several brands of programs which take a snapshot of the registry immediately before and after an installation and permit one to view what has changed. There is also the standard regmon program, which can record all reads and writes to the registry but requires some filtering to find what is needed. A program was released on the RCE Messageboard to do that very thing after I had described reading through 27,000 entries in an effort to find where ASPR was hiding its time trial information on that Board.
I definitely would not recommend deleting files for replacements unless extreme caution were exercised to make sure that a current copy of ALL the necessary files had been recorded just before the installation. Otherwise one is courting disaster.
One way to solve this problem, for those studying computer science, is to use a "clean" lab machine, use one of the programs to take that snapshot of the registry, install the target, and then make a new snapshot and compare. Then you have no chance of damaging a machine you may depend on for other activities besides reverse code engineering.
The last version of ASPR I actually had time to play with was recording its time limitation entries into the Registry Keys of OTHER PROGRAMS. I have not had time to play with ARM to see if it might be using the same technique to hide its entries from casual observation. Regards. |
JMI: Good advice. I have an old machine for this very purpose, and since the hardware changes extremely rarely, I also have Ghost CD-Rs which contain standard Win98 and WinXP images, and I can install either OS in a matter of minutes. Should I screw anything up so the OS falls over, a complete newly installed OS is a matter of minutes away.
This is becoming more and more important as more shareware developers (and protectors) are using more low-level routines. The ZW functions, for example, can create and delete registry keys that the normal user-functions can see, but not alter (which includes regedit & regedt32) which makes them prime targets for these protectors/shareware authors. These calls also slip past all current registry monitors. |
Another useful tool when you want to seriously mess with the registry or system files is Virtual PC 5.2. You can have a new image loaded in a matter of seconds plus you don't risk messing up your machine.
It's also useful when you want to see how a program operates under various OS's and conditions, just load up the image in seconds :) |
Re: :s
Quote:
All what you know is there!?
------------------------------------------------------
Download -> Regmon / Filemon!
hxxp://www.sysinternals.com/ntw2k/source/regmon.shtm
hxxp://www.sysinternals.com/ntw2k/source/filemon.shtm
BUT you must patch these tools or Armadillo will check for this and HIDE interesting things from your eyes.
Example of what must be deleted:
[HKEY_CLASSES_ROOT\CLSID\{ED86CA99-271F-13D1-B2E4-0060975B8649}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Licenses]
[HKEY_LOCAL_MACHINE\SOFTWARE\The Silicon Realms Toolworks\Armadillo]
In your TEMP Directory (all) -> ?.tmp
---------------------------------------------------------
---------------------------------------------------------
thanks Viper.. this is the right info I was looking for. btw the CLSID key might be different for each winOS or for different targets, I just confirmed.. maybe it is hardware ID based? anyway I'm trying to find a generic way of how this works.... deleting:
[HKEY_LOCAL_MACHINE\Software\Licenses]
[HKEY_CURRENT_USER\Software\Licenses]
[HKEY_LOCAL_MACHINE\Software\The Silicon Realms Toolworks]
[HKEY_CURRENT_USER\Software\The Silicon Realms Toolworks]
and the CLSID key that regmonitor shows right after the License.. one...
HKEY_CLASSES_ROOT\CLSID\{xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx}
then deleting all *.*.tmp files from the TEMP dir. and done!
------------------------------------------------------------------------------------
Tschau Viper Zx |
use regshot
http://regshot.ist.md |
>>>
Thank U SKAMER, nice tool indeed. I tried it on a program protected with dillo and allowed to run 3 times, tried to get a new 3 runs by deleting the entry made by the program and restoring the modified keys to the state they were in at the first run, yet it didn't work....
I'm sure that there is another trick; the registry alone is not enough... btw the runs are counted by the program, not by dlls... Thanks to all of those who helped or tried to help, I'll keep on trying however... As for the link to the Israeli site, I thought it was related to our thread, yet it's not at all; it just tries to justify the massacres Israelis are committing against Palestinians and their children. I have tons of links to sites with similar pics and videos claiming the exact opposite of ur claims. I can say that this forum is no place to spread sympathy for ur small country lol, man do u take us for fools or what? ur small country has the support of the biggest and strongest military force in the world. I'll post no more comments on this issue and I believe the link should be removed if the administrator would like to keep this forum a "scientific" one... |
Hello all,
I was following this thread with interest, for I just stumbled on a target that is using Armadillo, probably the latest version.. Initially I didn't even notice that the target was packed.. only when I touched a dll did the message "This program has been damaged, possibly by a bad sector of the hard drive or a virus. Please reinstall it." pop up, and searching I came up with a post on the siliconrealms.com site (http://support.siliconrealms.com/index.php?showtopic=1233). Almost all file analyzers don't detect any packing... only PE-SCAN succeeded in finding Armadillo, but only on a single dll... I've used InCtrl5 on the app installation and again on the first run and have seen indeed a lot of keys and values written to the registry:
-------- INSTALLATION --------
HKEY_CURRENT_USER\Software\Microsoft\CEStudio
HKEY_CURRENT_USER\Software\Microsoft\DevStudio
HKEY_CURRENT_USER\Software\Microsoft\Platform Builder
HKEY_CURRENT_USER\Software\Whole Tomato
HKEY_CLASSES_ROOT\CLSID\{62F53314-142B-11D1-9291-9DE84EB1A651}
HKEY_CLASSES_ROOT\Interface\{62F53315-142B-11D1-9291-9DE84EB1A651}
HKEY_CLASSES_ROOT\TypeLib\{62F53319-142B-11D1-9291-9DE84EB1A651}
HKEY_CLASSES_ROOT\Visual Assist Developer Studio Add-in
HKEY_CLASSES_ROOT\VisualAssist.DSAddIn.1
HKEY_LOCAL_MACHINE\SOFTWARE\Gentee
HKEY_LOCAL_MACHINE\SOFTWARE\Licenses
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RFC1156Agent
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Visual Assist 6.0
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count
HKEY_CLASSES_ROOT\VisualAssist.DSAddIn.1
-------- 1ST USE --------
HKEY_CURRENT_USER\Software\Microsoft\DevStudio\6.0\AddIns\VisualAssist.DSAddin.1\Toolbar
HKEY_CURRENT_USER\Software\Microsoft\DevStudio\6.0\Keyboard
HKEY_CURRENT_USER\Software\Microsoft\DevStudio\6.0\Keyboard\Aut
HKEY_CLASSES_ROOT\CLSID\{7C0AFA65-A9E6-7204-E2EE-6A144DF5BF7E}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSDEV.exe
HKEY_CLASSES_ROOT\SDISERVR50.SDIEVENT
-------- WRITTEN FILES --------
c:\Program Files\Visual Assist 6.0
c:\Documents and Settings\Administrator\Local Settings\Temp\A2861D1F.TMP
A lot of them I remember from older versions of the application, but a lot are also new... Also, no HKEY_CURRENT_USER\Software\The Silicon Realms Toolworks key was written to the registry.... unfortunately just today I installed Armadillo on the same computer and so I DO now have such a key... :D
BTW is there a file analyzer around capable of detecting the latest versions of Armadillo (PEiD 0.8 and PE Tools 1.5 failed)????
Regards, yaa |