This section will concentrate on bypassing all nag screens, i.e. the "Browser" Window, which is generated when the application first starts up, and later on after the application exits, you are presented once again with a "Reminder" Window or "Expiration" Window. There is a very comprehensive Windows creation and message processing logic built into creating the HTML, java enabled Browser splash screens that ActiveMARK generates for most applications. The solution that follows may be the best approach.

Note: If you can live with the annoyance of a nag screen, then proceed to Section III.

If we were to restart our application and enable (apply) the patches from Section I, we would be presented with the “Browser” window. If we go into Olly and set BP’s on all Calls to PostMessageA shown below:

Figure 32.

And DestroyWindow...

Figure 33.

Restart the target and click on the “Start Free Trial” link on the Browser screen, we would eventually land here:

Figure 34.

The Stack pane would show the following:

Figure 35.

MSG(B039) is what’s generated (associated) if we click the “Start Free Trial” link on the Browser screen.

Run (F9) the target again and we land here:

Figure 36.

We could force this process sooner in code and the program’s message processing loop would destroy the window for us. But there is a better way! Find the code below in Olly:

Figure 37.

This code (functionality) is integrated with the Window (Browser) creation process in ActiveMARK. If you were to set a BP on the first line highlighted above, you would see this procedure called. We are going to bypass this procedure, which will eliminate the generation of any Browser windows. Make the following change as shown below:

Figure 38.

This simple jump will take us to the end of the routine, thus bypassing the main logic. We are done with this section.

This section shows how ActiveMARK records our Trial Time usage within an application and how we can bypass it.

The following code snippet is for INFORMATIONAL purposes only!! We are not changing any code here!!

For this target, the SETTIMER API is visible in Olly’s “Found Intermodular Calls” window. This is not always the case due to obfuscated code and how Olly's analyzer perceives it. Also, for obvious reasons, the procedure that contains this API and it’s counterpart CreateWindowExA for the “Fake Window” that anchors it, are buried in obfuscated code and not easily detected. I present the procedural code below (taken from ANOTHER PROGRAM using an earlier version of ActiveMARK) so you can see the full routine below:

005431D3  /.  55               PUSH EBP

005431D4  |.  8BEC             MOV EBP,ESP

005431D6  |.  83EC 34          SUB ESP,34

005431D9  |.  A1 B82E5900      MOV EAX,DWORD PTR DS:[592EB8]

005431DE  |.  53               PUSH EBX

005431DF  |.  56               PUSH ESI

005431E0  |.  57               PUSH EDI

005431E1  |.  33FF             XOR EDI,EDI

005431E3  |.  8BF1             MOV ESI,ECX

005431E5  |.  3BC7             CMP EAX,EDI

005431E7  |.  75 51            JNZ SHORT dumped_.0054323A

005431E9  |.  57               PUSH EDI                            ; /lParam => NULL

005431EA  |.  57               PUSH EDI                            ; |/pModule => NULL

005431EB  |.  FF15 C8915900    CALL DWORD PTR DS:[5991C8]          ; |\GetModuleHandleA

005431F1  |.  50               PUSH EAX                            ; |hInst

005431F2  |.  57               PUSH EDI                            ; |hMenu => NULL

005431F3  |.  B8 00000080      MOV EAX,80000000                    ; |

005431F8  |.  57               PUSH EDI                            ; |hParent => NULL

005431F9  |.  50               PUSH EAX                            ; |Height => 80000000 (-2147483648.)

005431FA  |.  50               PUSH EAX                            ; |Width => 80000000 (-2147483648.)

005431FB  |.  50               PUSH EAX                            ; |Y => 80000000 (-2147483648.)

005431FC  |.  50               PUSH EAX                            ; |X => 80000000 (-2147483648.)

005431FD  |.  68 0000CF00      PUSH 0CF0000                        ; |Style = WS_OVERLAPPED|WS_MINIMIZEBOX|WS_MAXIMIZEBOX|WS_SYSMENU|WS_THICKFRAME|WS_CAPTION

00543202  |.  68 080A4700      PUSH dumped_.00470A08               ; |WindowName = "FakeWindow"

00543207  |.  68 000A4700      PUSH dumped_.00470A00               ; |Class = "STATIC"

0054320C  |.  57               PUSH EDI                            ; |ExtStyle => 0

0054320D  |.  FF15 A0995900    CALL DWORD PTR DS:[5999A0]          ; \CreateWindowExA

00543213  |.  3BC7             CMP EAX,EDI

00543215  |.  A3 B82E5900      MOV DWORD PTR DS:[592EB8],EAX

0054321A  |.  75 1E            JNZ SHORT dumped_.0054323A

0054321C  |.  6A 01            PUSH 1

0054321E  |.  57               PUSH EDI

0054321F  |.  68 80285900      PUSH dumped_.00592880

00543224  |.  8D4D CC          LEA ECX,DWORD PTR SS:[EBP-34]

00543227  |.  E8 5F000000      CALL dumped_.0054328B

0054322C  |.  8D45 CC          LEA EAX,DWORD PTR SS:[EBP-34]

0054322F  |.  68 70045900      PUSH dumped_.00590470               ; /Arg2 = 00590470

00543234  |.  50               PUSH EAX                            ; |Arg1

00543235  |.  E8 10670300      CALL dumped_.0057994A               ; \dumped_.0057994A

0054323A  |>  8B5D 08          MOV EBX,DWORD PTR SS:[EBP+8]

0054323D  |.  68 B0315400      PUSH dumped_.005431B0               ; /Timerproc = dumped_.005431B0

00543242  |.  8BCB             MOV ECX,EBX                         ; |

00543244  |.  69C9 E8030000    IMUL ECX,ECX,3E8                    ; |

0054324A  |.  51               PUSH ECX                            ; |Timeout

0054324B  |.  56               PUSH ESI                            ; |TimerID

0054324C  |.  50               PUSH EAX                            ; |hWnd

0054324D  |.  FF15 B49A5900    CALL DWORD PTR DS:[599AB4]          ; \SetTimer

00543253  |.  85C0             TEST EAX,EAX

00543255  |.  75 1E            JNZ SHORT dumped_.00543275

00543257  |.  6A 01            PUSH 1

00543259  |.  57               PUSH EDI

0054325A  |.  68 80285900      PUSH dumped_.00592880

0054325F  |.  8D4D CC          LEA ECX,DWORD PTR SS:[EBP-34]

00543262  |.  E8 24000000      CALL dumped_.0054328B

00543267  |.  8D45 CC          LEA EAX,DWORD PTR SS:[EBP-34]

0054326A  |.  68 70045900      PUSH dumped_.00590470               ; /Arg2 = 00590470

0054326F  |.  50               PUSH EAX                            ; |Arg1

00543270  |.  E8 D5660300      CALL dumped_.0057994A               ; \dumped_.0057994A

00543275  |>  8B45 0C          MOV EAX,DWORD PTR SS:[EBP+C]

00543278  |.  895E 04          MOV DWORD PTR DS:[ESI+4],EBX

0054327B  |.  8946 0C          MOV DWORD PTR DS:[ESI+C],EAX

0054327E  |.  8B45 10          MOV EAX,DWORD PTR SS:[EBP+10]

00543281  |.  8946 08          MOV DWORD PTR DS:[ESI+8],EAX

00543284  |.  5F               POP EDI

00543285  |.  5E               POP ESI

00543286  |.  5B               POP EBX

00543287  |.  C9               LEAVE

00543288  \.  C2 0C00          RETN 0C

---

Back to our target.

Note: You can set a BP on SetTimer as shown below to see the following upon reaching our BP:

Figure 39.

The stack pane shows the following values:

Figure 40.

Notice anything special about the timeout value above? Converted = 60 seconds. The Timerproc referenced above Calls a KillTimer routine which will reset our SetTimer proc to launch again, also our registry keys and data files will be read for possible expiration, then updated with a new time (+ 1 minute).

We will make the following change to bypass this functionality in its entirety. Find the following code in Olly:

Figure 41.

You will notice that it looks fairly identical to the previous code for "browser". It's also very near the same code section!! We make the same identical type change as seen below to bypass this functionality:

Figure 42.

That's it. We are done. No more Timer. While we are in this code section, we will make another change that will disable the "time out" feature. You know, the one that tells you your application has expired and now you must buy it. Find the code below in Olly:

Figure 43.

Are you starting to see a pattern here. We will make the following change to bypass the "timeout" expiration routine as seen below:

Figure 44.

We are done!! No more timeout.

Please note that not all programs are "Time Limited" trials. Some are "Execution" based (i.e. number of uses). In order to deal with these programs we can do the following. Find the code below in Olly:

Figure 45.

Every time you run a program, ActiveMARK tracks the number of executions (uses) whether the program uses this limitation or not, it is still there. We can make the following patch below to bypass this functionality:

Figure 46.

We are done!!.

Finally, there is one more area of interest that is not totally clear, but is integrated with the Browser functionality. The "dialog" routine is probably most responsible for the communication layer between ActiveMark (the program) and its localized reference to your computer: amlocalhost (amlocalhost.com) which is your http://127.0.0.1 and also the Trymedia Servers it communications with if you were to buy or reactivate the program. We can bypass (disable) this routine as well since we don't need it. Find the following code in Olly:

Figure 47.

Make the following change to bypass this routine:

Figure 48.

We are done with this section. Please observe your changes and we will continue.

 

This section provides a brief overview on the repository used for Trial protection.

In our previous Tutorial Part I Basic we introduced a tool, Regshot, which can take a before and after snapshot of your registry and, optionally, every file on a designated drive. If you don’t have this utility, you can get it here: http://www.majorgeeks.com/download965.html . There are other similar tools available.

You can use Regmon, etc. Note: Running the program normally, ActiveMARK will detect Regmon so you’ll need to hide it.

We can also find the registry keys by doing the following. Open your target in Olly and set BP’s on every call to RegDeleteKeyExA as shown below:

Figure 49.

Run (F9) the target. We eventually land on the following BP:

Figure 50.

The stack pane shows the following:

Figure 51.

This is one of the (4) main registry keys. Note: ActiveMARK registry and data file keys are unique to the machine. On your machine, this key will be different. The registry keys may not be in ascending order as you cycle through them in your debugger. The registry keys ALL have one thing in common, the subkey “Implemented Categories”. If you were to run ‘Regedit’ and look for your respective key, you would find many subkeys. ActiveMARK apparently clones an existing key in your registry, then appends any additional encrypted subkeys for its own purposes used in storing date/time/usage information.

Repeat the above procedure and you will eventually find the (4) MAIN registry keys.

Another idea suggested is to use a conditional log BP. You can do the following:

Figure 52.

Enter the following or similar in the popup window:

Figure 53.

Note: The value for ESP was taken from the register (FPU) Pane on a BP. Make sure to select the radio buttons for log value, log function arguments, optionally, Pause program (Never). You can view the log later using Olly’s menu “View” and select “log” to see the results.

Note: You should find the (4) main registry keys.

As described in Tutorial Part 1 Basic, you can find the Trymedia data directory in either of (2) places depending on your machine and the version of ActiveMARK:

1. C:\Documents and Settings\All Users\Application Data\Trymedia

2. C:\Program Files\TryMedia\ActiveMark

You can also find the encrypted data files (keys) by setting a BP (from Section 1) on CreateFileA and looking at the path info.

 

This section deals with some TRIAL / EVALUATION mechanisms. Note:  The error / status / conditions and code that follows may or may not be relevant in all cases and depending on whether the application has expired, whether you are using a loader as opposed to unpacking / fixing the target, etc. etc. these changes may not all be mandatory, but it is advised that you consider them when running / testing your application. Please keep this in mind.

1. Your Trial application has expired and you want to reset the Trial / error status for the duration of this execution. With the changes noted above, this indicator is no longer important, but you can change it if you want.

Note: The code below may be difficult to find in actual practice. Your easiest method is your own experience and by doing a conditional breakpoint for the code below on the value: EAX==00000001 (BAD) which is the value if the application has expired. See BP below:

Figure 54.

Make the following patch (in red) below:

Figure 55.

New value of AL will be ‘00’ (GOOD). Note: this code may be executed any number of times depending on the program. The patch above can be applied even if the application has not expired.

2.  My program may or may not be expired, I am sick and tired of those damn ActiveMARK keys and data files. This change is not required, but may give you peace of mind. Also, to maximize your viewing pleasure, you may wish to delete all your old keys and files before running with this patch. We can bypass the routine (procedure) that creates / encrypts the registry and data file keys resulting in ONLY ONE REGISTRY KEY and NO DATA FILES!!

Find the code below:

Figure 56.

The code above is relatively easy to find by doing a “search for”, then “sequence of commands” using Olly’s context menu. We will make the following change to bypass the relevant code of this procedure. See below:

Figure 57.

Note: We are simply jumping to the end of the procedure (address highlighted below):

Figure 58.

If we were to make the change above, the application MIGHT possibly abort and display the “Internal Error” Window and ultimately exit. So we may need to apply the following change. Find the code below and set a BP as shown:

Figure 59.

Note: Once again, the code above may be difficult to find in real practice. Basically we look for the instruction above (There could be many) with the (condition) EAX register having a value = ‘00000000’ (BAD). You can use the conditional BP for finding and determining this code. We change the code as follows:

Figure 60.

EAX = ‘00000001’ (GOOD).

A final status indicator is set upon completion of the registry and data keys processing. The following code is obfuscated so we can either step into it (you can set a BP as I have done) or go directly to the expression (address) shown below:

Figure 61.

The value of the low order byte of the EBX register, BL, should be equal to '01'. If not, we can change the first line above as follows:

Figure 62.

We come back to the following condition again as noted in Figure 59 above. The value in EAX should remain as '00000001' after the instruction on line 00F44162 executes below:

Figure 63.

And here's what your final registry key will look like after you're done:

Figure 64.

We are done!! We can apply all of our changes using Olly's context menu to copy the patches to an executable as shown below:

Figure 65.

Repeat the above for all our changes. When you 'X' out of the "File" Window below (small 'x' on toolbar):

Figure 66.

Olly will prompt you to "Save" the File (see below):

Figure 67.

Press the "Yes" button and give the file a new name (i.e. Rapalx_new.exe or similar). After saving the new file, we can rename our original unpacked file "Rapalx.exe" to "Rapalx_bkup.exe" and rename the new saved file with our patches back to "Rapalx.exe".

Run the new target without your debugger (Olly, etc.) and it should run. Congratulations!

 

This choice is dependent on your ultimate success in unpacking and fixing an application and / or your own personal preferences.

When using a loader keep in mind that your patches MUST be applied prior to the normal application's "Browser" Window displaying. For this reason the (2) attached loaders are designed for this purpose.

1. The Standard Loader utilizes a timing loop to wait for the target to unpack itself and find the relevant code, then apply the patches and exit. This method may be crude, but it is effective.

2. The Debug Loader is more precise in waiting for an event to occur, then applying the patches and depending on your OS, detach from the process and exit. This loader also has built-in code for hiding the debugger and avoiding INT3 tricks.

Both Loaders (standard and debug) are configured to work (hopefully) with any OS. Both have been tested on WinXP machines successfully.

 

With each new release of ActiveMARK we can expect to find some changes. A major new release, Version 6.0 is in Beta and soon to be released. Macrovision® has announced that it is acquiring Trymedia® Systems. This will obviously have some impact on future releases of ActiveMARK.

So until then, have fun!