Object Oriented Protecting: the case of the tl32v20.dll
(Timelock vagaries inside DisKeeper Trial 3.0 for NT Workstation)

by BlueMan

(12 December 1997, slightly edited by fravia+) timelock
Timelock
Courtesy of fravia's page of reverse engineering
Well, its 'Time-lock' once more :-)
You'll read here about a natural, I would say 'darwinian' matter of fact, my friends... if we practicize our "Objected oriented cracking", and modify the *.dll(s) in order to defeat protections, the next step was obvious: Protection schemes that use bogus *.dll(s)... Oh my! We better begin gathering 'sound' copies of the main *.dll(s) just in case!
A dll-battle! Who would have thought of this development only a coupel of years ago? One year, on the web, is a whole AERA!
Enjoy!






 Object Oriented Protecting: the case of the tl32v20.dll 

      (Timelock vagaries inside DisKeeper Trial 3.0 for NT Workstation)

   ====================================================



Target: us_dkwstr_i.zip (length: 1,854,701 bytes , Build 176t)

        A defragment tools for Windows NT 4.0 Workstation



Tools:

      1.) SoftIce for NT

      2.) W32Dasm  (Windows disassembler)  

 :bpx getwindowtexta if (bpcount == 3)



You will see the following Softice's message:



 Break due to BPX USER32!GetWindowTextA  IF (BPCount==3) 

(ET=16.54 seconds)



Just type F12 to return to the caller (tl32v20.dll) and look:





 :10003EC8  6A31                PUSH    31

 :10003ECA  68A0440110          PUSH    100144A0

 :10003ECF  50                  PUSH    EAX

 :10003ED0  FF15DC630110        CALL    [USER32!GetWindowTextA]

 :10003ED6  8D45D8              LEA     EAX,[EBP-28]

 :10003ED9  50                  PUSH    EAX

 :10003EDA  E885E9FFFF          CALL    10002864

 :10003EDF  83C404              ADD     ESP,04

 :10003EE2  8D45EC              LEA     EAX,[EBP-14]

 :10003EE5  8D4DD8              LEA     ECX,[EBP-28]    <-- After executing "call 10002864"

          						 the correct unlock code is at [ebp-28]

 :10003EE8  50                  PUSH    EAX



type following command from softice to get a dump of the correct unlock code

  :d [ebp-28]



b.) Let's crack another part of the protection inside our target

----------------------------------------------------------------

  Now run the program again, it terminates abnormally, it seem that

the program has another protection scheme. So we copy the original

"dknt.tsf" back. (Don't forget to save the cracked "dknt.tsf" to

another file.)



  After replacing dknt.tsf with the original one, we need to get the

  exporting function of tl32v20.dll from softIce symbol loader. 

After loding the exporting information of tl32v20.dll, press Ctrl-D to 

switch to softice, type



 :exp   

Press the down arrow key until you see the following inside 

SoftIce's command window,



 tl32v20

 :10003E05 verifyTimeLock32

 :1000386A getUserName32

 :1000397F getUserState

 :10003843 getRegNum32

 :100038D0 getUserNumExecutions

 :10003B9D showMainDialog

 :10003C92 showMainDialogEx

 :10003DE6 trialEnvironmentOpen

 :10003DB6 trialEnvironmentClose

 :1000390A getUserNumMinutesUsed

 :100039B1 invokeTimeLock32

 :1000389E _getUserNumDaysLeft@4



Switch to Softice, type

 :bpx ShowMainDialog      

(c)  BlueMan  All rights reversed


You are deep inside fravia's page of reverse engineering, choose your way out:

timelock
Back to the Timelock project
redhomepage redlinks redanonymity +ORC redstudents' essays redacademy database
redtools redcocktails redjavascripts redantismut CGI-scripts redsearch_forms redmail_fravia
redIs reverse engineering legal?