Return to Main Index,
Time Trials.
http://www.virtus.com - Webpage.
Setup File: 17.3Mb's.
I wan't to use this tutorial to discuss another important technique that many reversers overlook, that of "profiling". I think many of us are all too keen to fire up SoftICE and start trying to analyse large chunks of code (I'm very guilty of this), when dealing with time-trials it can be very tempting to trigger the time-out and then crack from there, in most cases this will work and you'll play the "reverse the jump" game for a long time without really understanding the "snap".
Lets get to the target here, so install it :), now how many of you monitored that installation? (I'll bet it wasn't many). If you had monitored then you might have noticed the file OSZLIB.dll, that might or might not be worth a look. Lets analyse the program by running it with FileMon & RegMon active (its worth filtering out explorer). Now you've got a lot of information but basic Windows knowledge ought to enable you to filter out the majority (this programs extensive use of the DirectDraw interface doesn't help here).
A slow browse with selective filtering reveals nothing really interesting, RegMon is also tricky but you should find just 1 thing of interest, a key below HKEY_LOCAL_MACHINE/SOFTWARE/Virtus/ is accessed, something called 'IS' with a value of 927201476. We'll now profile a disassembly of author.exe and see if we can find this IS key as a StringRef. You'll find it easily in W32Dasm surrounded by a lot of MFC42.Ordinal's, trace it higher to address 004251E1, this is where the registry key is first referenced. As we've got MFC42.dll imports we'll move to IDA which offers recognition of these functions. After several string operations we'll reach this (note that we have yet to fire SoftICE).
:00425211 CALL 0044A190 <-- Query Registry Key.
:00425216 TEST AL,AL <-- Obviously controls function return.
:00425218 JZ 0042527F <-- This shouldn't jump.
:00425223 PUSH 00516CA4 <-- "Critical"
:0042522D CALL 0044A360 <-- Query Registry Key.
:00425232 TEST AL,AL <-- As before but 2 queries.
:00425234 JZ 0042527F <-- Jump.
I'll pause here, CALL 0044A360 seems to check for the initial part of the
registry key 'HKEY_LOCAL_MACHINE/Virtus', obviously we know this exists, we
could also guess that 'Critical' must be a key of some description. As 'Criticial'
doesn't exist the function returns AL=0 via BL, keep this in mind.
:00425298 CALL 004E022C <-- MFC42.CString
:0042529D PUSH 00516C94 <-- "\svtftjml.dat"
:0042531B CALL 004E0B3E <-- MFC42.Open@CFile
:00425320 TEST EAX,EAX <-- Could the file be opened.
:00425322 JZ 004253A2 <-- It doesn't exist so this should jump.
Another pause, before 00425298 the program retrieved a pointer to the Windows
directory using GetWindowsDirectoryA, next we try and open the file svtftjml.dat
which doesn't exist at the moment :), maybe its created when the program
expires - if so there must be a routine to do that. We continue, at 004253A7
the program calls MFC42.GetTickCount@CTime, this probably works the same as
the API GetTickCount which gets the amount of time Windows has been running
i.e. a useful source of a random number. Take a look at this following code:
:004253BF MOV [ESP+60], 1 <-- Day perhaps.
:004253C7 MOV [ESP+64], 7 <-- Month perhaps.
:004253CF MOV [ESP+68], 63 <-- 63h = 99 decimal (Year).
:004253D7 CALL MSVCRT.mktime
:004253F5 CALL 00425650 <-- This looks very interesting.
:004253FA CMP EAX,EBX <-- EBX we can see was probably 0.
:004253FC JZ 00425484 <-- Looks like good jump.
CALL 00425650 is worth examining.
:00425650 MOV ECX, [ECX] <-- What value is this.
:00425652 MOV EDX, [ESP+04] <-- & this.
:00425656 XOR EAX,EAX <-- Clear EAX.
:00425658 CMP ECX,EDX <-- This looks important.
:0042565A SETLE AL <-- Determine AL 0 or 1.
This looks intriguing, obviously one of the first things we'll examine in
SoftICE are these 2 values (you can do that now or follow me a little longer
with this disassembly profile), my guess is that these values come from mktime
which is a MSVC function (I'd probably elect to trace that). If you think in
programmer terms you'll probably see that CALL 00425650 is an IF statement,
so the code we are interested in may look like this (I added the declarations
purely to illustrate the function, they are evidently passed as arguments
instead):
int IsNastyDateReached() {
bool outcome; // the flag
outcome = false; // set it false by default
int date_has_expired; // the programmers 2nd time-out date
int current_date; // current date
if (current_date <= date_has_expired) outcome = true; // set the flag if need be
}
Lets follow a little more code.
:004254CF PUSH 1E <-- 30 decimal.
:004254D1 PUSH 00516CC4 <-- "IS".
:004254DB CALL 0044A260 <-- MSVCRT.time, atoi, difftime.
:004254E0 TEST AL,AL
:004254E2 JZ 0042558E <-- Good jump.
You can now just trace this code slowly, the interesting operations are
performed using the FPU immediately after the call to MSVCRT.difftime at
0044A31E (our key 'IS' is pushed to it as a parameter). Fixing the check at
0044A348 ought to be a priority. After all of this analysis we'll trigger
the time-out and verify our theories. Sure enough the deciding check is
indeed at 0044A348 (we can assume that the registry key "Critical" and the
file svtftjml.dat will only be created if this fails - you can verify see this
by looking at CALL 00424F80), you should also fix the SETLE @ 0042565A which
I think times the demo out on the 1st July 1999.
So there you have it, the authors were evidently more concerned about BIOS cheaters than they were reversers undertaking an analysis of their program before the time-trial triggered :), in fact the "secret" markings probably wouldn't have been too hard to remove anyhow. You might like to try getting rid of the "TestDrive" string from the About & main title bar menu, decompiling virprloc.dll with a resource editor (say BRW) seems the way to go (STRINGTABLE 453), however saving the changes gave me errors in MFC42.dll, I think maybe you'll have to live with the strings unless you are prepared to hack a little with your HEX editor (remember how resource text is spaced with 00 and also try not to hack out the About Resource *smirk*).
Return to Main Index,
Time Trials.