A crippled tl32v20.dll protection scheme: diskeeper

(Cracking efficiently)

by as65pp

(12 October 1997, slightly edited by fravia+)


Courtesy of fravia's page of reverse engineering

Well, another very interesting essay from a "new" collaborator... Timelock protection scheme, once more... this new "breed" of tl32v20.dll protection (timelock) must have been created as a consequence of our own work on these pages, which is pretty interesting... not all shareware authors have the courtesy of telling us that they learned from our site :-)


Hidden register button
tl32v20.dll once more: Timelock-protected software
A small +HCU exercise for you clever reverser

Here is as65pp's letter to the +HCU Caretakers (i.e. me and +gthorne :-)

Hi Fravia, Hi Greythorne

I've followed your site for quite a while now and I have to say it's for sure the most interesting place on the net. Thank you for maintaining it for such a long time and giving us the chance to learn!
I must admit that I'm not that excited about staring at huge code-listings for hours on end, so your "dead-listing" approach is definitely not for me.
To be honest, I wasn't any good at maths in school either :(
Nevertheless I was able to crack some programs by using a bit of common-sense and imagination. This one is a good example:



- "Fooling" Diskeeper -

-----------------------

Diskeeper from Executive Software is a defragmentation tool for Windows NT; it can handle NTFS and FAT partitions and comes in two flavours: a 'lite' version (free of charge) and a 'pro' version (prices from around $200 to $1500 for the NT-Server version), the main difference being that the pro version can defrag in the background. Now guess which version I wanted to use :)

A free 30-day demo of the pro version can be downloaded from their website at www.execsoft.com. As I fetched and installed it, I saw that one of the files copied was named tl32v20.dll :)))

Great, I thought, this will be dead in two minutes. (See Xoanon's essay on how to crack this lame protection.) I didn't plan to patch the whole dll, I just wanted to use SoftICE to sniff the correct 'unlock-code' from memory, as I had done many times before. Generally I prefer not to change too much of the code, if I can avoid it. So I started Diskeeper and up comes the familiar Nagscreen with its three buttons... But hey, where has the infamous 'Purchase' button gone? Nothing there, just 'OK' & 'Cancel'! The Nag-Text says something about contacting Executive-Software by phone if you would like to spend big bucks for their efforts (Ha!), but there is no option to 'Register by phone', as there normally would be.

What's going on here? In my opinion, the people at Executive-Software had read Xoanon's essay too (grin) and decided to be clever: "Let's disable the 'purchase' option, so bad, bad cracker gets no chance to sniff our unlock-code". By looking a bit deeper at 'tl32v20.dll' you can see that it has a different size than usual (86.528 bytes versus 91.648 bytes for the regular version). So what do we have here? A crippled protection scheme! Nice one, this.



Think a (tiny) bit about it all:

- tl32v20.dll has to be called by the main module (DkWork.exe)
- there are two copies of the dll installed by the program, one in the main program directory and another one in the \defrag subdir
  IMPORTANT: If you haven't installed any Timelock software before, it is possible that another copy will be installed in the \WINNT directory. This wasn't the case on my machine, as I already had an 'uncrippled' tl32v20.dll (91.648 bytes) from an earlier Timelock-protected software (Boundschecker 5.0).
- most likely, 'dkwork.exe' will call 'tl32v20.dll' only by its name (no size-checking)
- the whole point of the missing 'Purchase' option is that, if you enter the correct code, it will modify an existing '*.tsf' file (different for each product) and put the correct code in there. If 'tl32v20.dll' is called the next time (by 'DkWork.exe') it will in turn look for the '*.tsf' file, check the code in it, and won't pop up anymore if the code is right.
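The list above pins the weakness on the loader: DkWork.exe accepts whatever file carries the name tl32v20.dll, so a different build of the same DLL is taken in its place. As an added illustration (my code, not part of the essay or of Diskeeper), here is the defender's side in Python: a name-only loader, a size check and a content-hash check, run over constructed stand-in blobs; it goes beyond the page by also showing that a size check alone fails against a same-size substitute.

```python
import hashlib

# Constructed stand-ins for the two builds the essay describes. The real
# files are 86,528 bytes (crippled demo build) and 91,648 bytes (regular
# build); these blobs are tiny fakes so the example runs offline.
CRIPPLED_MODULE = b"TL32V20 crippled build: no purchase button"
UNCRIPPLED_MODULE = b"TL32V20 regular build: purchase button and register by phone"
# A hypothetical substitute with the same size as the shipped build but
# different content: what a size check cannot tell apart.
SAME_SIZE_SWAP = CRIPPLED_MODULE.upper()


def sha256_hex(data: bytes) -> str:
    """Content hash of a module image."""
    return hashlib.sha256(data).hexdigest()


# Values the vendor would pin into the loader at build time; computed here
# from the constructed blob because no real hash is on the page.
EXPECTED_SIZE = len(CRIPPLED_MODULE)
EXPECTED_HASH = sha256_hex(CRIPPLED_MODULE)


def accept_by_name_only(module: bytes) -> bool:
    """What the essay says DkWork.exe does: any file with the right name loads."""
    return True


def accept_with_size_check(module: bytes) -> bool:
    """Rejects the 91,648-byte regular build, but not a same-size substitute."""
    return len(module) == EXPECTED_SIZE


def accept_with_hash_check(module: bytes) -> bool:
    """Pinned content hash: any substitution of the module image is refused."""
    return sha256_hex(module) == EXPECTED_HASH
```

The hash check only raises the bar: it lives in the same client binary as everything else, so it can itself be patched out, which is exactly the kind of reasoning the essay applies to the protection.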



Got it?! Exactly! We just have to replace the crippled version of 'tl32v20.dll' with the uncrippled one (both copies of it must be replaced), run the app (now the purchase button is right there where it should be, fine), sniff the correct code with SoftICE and Bang!:

Thank you for your purchase!



For some reason, after you've done all this and let Diskeeper defrag for the first time, it will pop up with a "copy protect violation". You are then again presented with the Nagscreen - don't worry! Just enter the sniffed code for a second time and you'll be safe, it won't bother you again. I suppose this has something to do with the second copy of 'tl32v20.dll' in the \defrag subdir, but that's only a guess.

This is intended as an +HCU (easy) exercise for beginners: EXPLAIN this point. The best explanation(s) will be inserted here with the name of the author(s) on 1 November 1997, so don't rush, work deep: you have enough time to explain this point well (which is important)... send solutions to fravia+ and/or +gthorne
As you see there are three things needed to crack Diskeeper:

- SoftICE for NT (3.0 or higher) to sniff the code (you'll find it everywhere on the Net)
- Xoanon's essay about cracking the Timelock scheme (read the other Timelock essays too)
- an 'uncrippled' copy of the Timelock dll (peruse your old "magazines" CD-ROMs or download any Timelock-protected software (GeoBoy, Boundschecker, etc.))

Small hint if you follow Xoanon's essay: 'task' & 'hwnd' won't work in NT (error: no LDT), so a reverse engineer has to use 'bpx getwindowtexta' instead.



Conclusion: Well, nothing special really, except that it is possible to crack without knowing much about Assembler and without risking getting lost in the dark codewoods - just by using your brain and trying to understand the protectionist's reasons.

In a quite similar way I managed to avoid the whole checksum stuff (far too complicated!) when cracking SoftICE 3.01 for NT, but that's a different story (and maybe not that interesting anymore since v3.20 is already out).



That's all folks - bye for now!



-- as65pp  

(c) as65pp 1997. All rights reversed