Quote:
Originally Posted by chessgod101
No. The directory/file creation time is the timestamp since these values don't typically change unless the file or directory is deleted and/or recreated. This information is stored on the disk and is retrieved by the system with this call. It could simply compare that to the current system time to see if it is within the trial days. Though this is a probably a little impractical, I have seen this method used in a program in the past. GetSystemTime or GetLocalTime could be some useful APIs for you to track this type of check.
Please note that I haven't actually analyzed your target application. This is all speculative and is one trick which I have encountered that is hidden from ProcMon.
|
Ah, that makes sense. And it seems you may be right: in its registry settings is a key called "Demo", with values "Date", "Days", and "Msg". Changing these doesn't change anything, however. But maybe like you say, it's just looking at a timestamp and judging the days beyond that, and anything it puts in the registry is merely for reference, not as a variable it checks against.
Theoretically, if that's the case, then if I were to change all the timestamps of its own files/folders, this would bypass the trial limitation, right? Assuming there's no registry trial-finished flag that it's written.
Lastly, when I change the drive's volume ID, the software suddenly starts as if it's a fresh trial. So somehow it's logging somewhere what the current volume ID is. I'm wondering if I can find where it's storing that information. Any thoughts?