Revelation ViP Designer v2.5 - Tutorial

http://www.revelation.com - Webpage.
ftp://ftp.revelation.com - vipdx25e.zip - (8.96Mb).

Welcome once again. In Revelation we have another *Cinderella* protection, perhaps better known as a 30-day trial. With the benefit of hindsight, reversers may well find these types of programs easier by not triggering the nag immediately. However, this was the first thing I chose to do. Launching the program now presents us with the expected friendly message box; you should easily locate this inside vip.exe with a bpx MessageBoxA.

Turning our attention to W32Dasm, disassembling vip.exe produces the following clean code.

:004027D1 JNZ 004027DE <-- The key conditional jump.
:004027D7 MOV [EBP-04], 00000001 <-- Bad flag.
:004027DE CMP DWORD PTR [EBP-04], 00000000 <-- Check flag.
:004027E2 JZ 00402803 <-- Jump_over_message_box.
:004027E8 PUSH 00000030 <-- Start parameter pushing.
:004027EA PUSH 004121CC <-- "Evaluation Expired".
:004027EF PUSH 004121E4 <-- "More of the nag text".
:004027F4 PUSH 00000000
:004027F6 [USER32!.MessageBoxA] <-- Display message box.

There's a lot here we need to observe. Firstly the short JZ 00402803 which takes us just beyond the message box. This conditional jump depends solely upon the value of the flag [EBP-04]; from this small snippet it can be deduced that [EBP-04] must be 0. We can therefore conclude that the instruction at 004027D7 where [EBP-04] is flagged to 1 must be bad; this flag *setting* as opposed to straight comparing implies that up until this point [EBP-04] is 0 (good guy). So quick patchers could settle for just moving [EBP-04] to 0 and the program would start.

However, let's trace the code a little higher because astute readers will have noticed that there are 2 other jumps that need to be investigated.

:00402773 PUSH 004121A0 <-- "LoadLibraryFailed".
:00402778 PUSH 00000000
:0040277A [USER32!.MessageBoxA] <-- Message box - missing vrvtbn20.dll.
:00402780 MOV [EBP-04], 00000001 <-- Our bad flag again.
:00402787 JMP 004027DE <-- Jump unconditionally and check the flag.
:0040278C PUSH 004121B4 <-- "OkToRun" - duh!.
:00402795 [KERNEL32!.GetProcAddress] <-- Safe to leave.
:0040279B MOV DWORD PTR [EBP+FFFFFF14], EAX
:004027A1 CMP DWORD PTR [EBP+FFFFFF14], 00000000 <-- Flag should be != 0.
:004027A8 JNZ 004027BA <-- Good_jump.
:004027AE MOV [EBP-04], 00000001 <-- Bad flag yet again.
:004027B5 JMP 004027DE <-- End of program.

Looking higher you should see that the LoadLibraryFailed error is called when the program is unable to find the file vrvtbn20.dll for LoadLibraryA. So our quick patch earlier would fall foul of the protection if this dll got deleted, because of the dependence upon [EBP-04]. The GetProcAddress call however is pretty safe; I suspect in this case that it's being used to get the address of an exported function from vrvtbn20.dll.

Your attention should therefore be drawn to this final snippet.

:004027BA PUSH 0000001E <-- 1Eh = 30 *smile* maybe.
:004027BC PUSH 004121BC <-- "2.5".
:004027C1 PUSH 004121C0 <-- "RevVipEval".
:004027C6 CALL DWORD PTR [EBP+FFFFFF14] <-- Needs to return EAX != 0.
:004027CC ADD ESP, 0C <-- Stack correct.
:004027CF TEST EAX,EAX <-- The inevitable test.
:004027D1 JNZ 004027DE <-- Followed by the good jump.

Tracing inside the CALL we note the module changes to vrvtbn20.dll and a few steps away is our call to GetSystemTime and a conditional jump which XORs EAX if it doesn't happen. Tracing further on down we find checks for the year (before 1994 is bad) and our famous 1E check. I'd suggest that patching the above TEST EAX,EAX, JNZ sequence is probably the easiest way to permanently beat this trial; however, below you'll find some interesting snippets from vrvtbn20.dll.

:1000107F CMP WORD PTR [10004010],CX <-- Bad CX=BB8h (3000 dec).
:10001086 JNZ 10001094 <-- Jump_good.
:10001099 CMP WORD PTR [10004000],AX <-- 1994.
:100010A0 JA 10001116 <-- Bad_jump_for_date_cheaters.
:100010A7 CMP WORD PTR [10004000],AX <-- Check against [ESP+14].
:100010AE JA 10001116 <-- You'd_really_have_to_be_crazy_to_fail_this.
:100010DC CMP ECX, DWORD PTR [ESP+A4] <-- Check against 1E.
:100010E3 JG 100010FE <-- Bad_jump.
:100010E9 CMP DWORD PTR [ESP+10], EAX
:100010ED JL 100010FE <-- Bad_jump.
:100010EF MOV EAX,FFFFFFFF <-- Et voila, EAX=-1 and return the function.

Note all 5 of these checks; you only really need to brute force 3 of them, taking into account that most people won't have their BIOS clocks set to before 1994 or above 3000. Recall that patching the application side by moving the flag has actually shown itself to be a safe option because the time-trial check is performed inside the very dll we were concerned about deleting.
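To make the control flow traced above easier to read as a whole, here is an added C model (written for this page, not Revelation's or CrackZ's code) of the two halves of the check: the OkToRun export with its year, 3000, 1Eh and clock-set-back comparisons, and the vip.exe start-up sequence that funnels every failure (missing dll, missing export, OkToRun returning 0) into the single [EBP-04] flag. How the first-run date is stored, the day-count arithmetic, and the extra parameters passed to the modelled OkToRun are assumptions of this model; the real export only receives the three pushed arguments.

```c
/* Constructed model of the Revelation ViP trial check described in the text.
 * Not the vendor's code: the first-run date storage and the day arithmetic
 * are assumptions made so the comparisons can be exercised in plain C. */
#include <stdio.h>

/* Stand-in for the SYSTEMTIME fields the checks use: a year and a day count.
 * day_of_year (1..366) is a constructed simplification of month/day. */
struct sys_time {
    int year;
    int day_of_year;
};

/* Model of the exported OkToRun check in vrvtbn20.dll.
 * Returns -1 (EAX = FFFFFFFF, "et voila") when the trial is still valid,
 * 0 otherwise, following the five comparisons listed in the snippets.
 * first_run is an assumed stored date; the real dll's storage is not shown. */
int ok_to_run(const char *product, const char *version, int trial_days,
              struct sys_time first_run, struct sys_time now)
{
    (void)product;                  /* "RevVipEval" pushed by the caller */
    (void)version;                  /* "2.5" pushed by the caller */

    if (now.year < 1994) return 0;  /* CMP WORD PTR [10004000],AX / JA: before 1994 is bad */
    if (now.year > 3000) return 0;  /* CMP WORD PTR [10004010],CX: BB8h = 3000 is bad */

    /* Assumed arithmetic: 365-day years are good enough for a model. */
    long elapsed = (long)(now.year - first_run.year) * 365
                 + (now.day_of_year - first_run.day_of_year);

    if (elapsed < 0) return 0;          /* CMP [ESP+10],EAX / JL: clock set back */
    if (elapsed > trial_days) return 0; /* CMP ECX,[ESP+A4] / JG: more than 1Eh days */
    return -1;                          /* MOV EAX,FFFFFFFF and return */
}

typedef int (*ok_to_run_fn)(const char *, const char *, int,
                            struct sys_time, struct sys_time);

/* Model of the vip.exe start-up sequence around 00402773..004027F6.
 * dll_loaded models the LoadLibraryA result, fn models GetProcAddress("OkToRun").
 * Returns 1 when the "Evaluation Expired" box would be shown, 0 when the program runs. */
int should_show_nag(int dll_loaded, ok_to_run_fn fn,
                    struct sys_time first_run, struct sys_time now)
{
    int bad_flag = 0;                       /* [EBP-04] starts out as 0 (good guy) */

    if (!dll_loaded) {
        bad_flag = 1;                       /* "LoadLibraryFailed" path at 00402780 */
    } else if (fn == NULL) {
        bad_flag = 1;                       /* GetProcAddress returned 0, 004027AE */
    } else if (fn("RevVipEval", "2.5", 0x1E, first_run, now) == 0) {
        bad_flag = 1;                       /* TEST EAX,EAX fell through, 004027D7 */
    }

    return bad_flag != 0;                   /* CMP [EBP-04],0 / JZ past the message box */
}

int main(void)
{
    /* Constructed dates: installed on day 280 of 1998, run 10 and 40 days later. */
    struct sys_time installed = { 1998, 280 };
    struct sys_time ten_days  = { 1998, 290 };
    struct sys_time forty     = { 1998, 320 };

    printf("10 days in:  nag=%d\n", should_show_nag(1, ok_to_run, installed, ten_days));
    printf("40 days in:  nag=%d\n", should_show_nag(1, ok_to_run, installed, forty));
    printf("dll missing: nag=%d\n", should_show_nag(0, ok_to_run, installed, ten_days));
    return 0;
}
```

Reading the model side by side with the listings makes the author's point concrete: every failure path in vip.exe ends at the same flag, which is tested exactly once before the nag, while the date logic itself lives entirely in vrvtbn20.dll.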




© 1998,1999,2000 CrackZ. 10th October 1998.