Norton Speed Disk Trial for Windoze NT4 (II)
An Addendum to the no more mysterious IRATRIAL.DLL

by FootSteps
(28 October 1997)


Courtesy of fravia's page of reverse engineering

Well, just read it. You'll find FootSteps' original IRATRIAL.DLL essay here.
BTW, since blackboard's announcement seems to interest many of you (there is a new one right now!) please remember that you must TELL ME whenever you see a "cheap magazine cover" CD-ROM with important tools of the trade (of course not yet cracked) that we may find useful: I'm checking quite a lot of them, yet I cannot cover the whole planet alone :-(




Addendum to :

=============



Norton Speed Disk Trial for Windoze NT4.

IRATRIAL.DLL, or the mysterious called DLL.

(which is not mysterious more now, see below)



Here's the explanation of why this DLL isn't in the exports of SD32.EXE.



I think it was a good essay of the Symantec's guys to hide the protection

scheme, but... they forget the +HCU band!



I wouldn't have worked again on this crack if I haven't seen, yesterday,

the Fravia's Blackboard. Hey, look! PCMAG HS23, with a lot of great 

programming stuff. That's very, very interesting.

Well, I ran buy this magazine, ran away at home, red the magazine in 10

seconds then looked at the CD with more interest. Mmm, the famous Borland

C++ builder. I've already got the C++ 5 of them, let's install this new one.

Pretty interface. I compiled a example. Well, seems the code's a little big.

Then I compiled a C program of mine, which was 48ko ultra-optimized.

When I saw the size of the compiled new code, I didn't believe my eyes. But

I haven't used the optimization. I used it, and for the same program, I obtain

no less than a monstruous 138Ko. I ask again myself what for are these 90Ko

more. To justify the RAM we pay? To make a competition with Micro$oft

products?

:-) Nevertheless, that's seems to be a nice RAD tool.



What was interessting was when I looked in the Help Files that came with

this tool. Plenty of useful documentation I haven't and we all need :

the Isapi reference, Tapi, RPC, Win32 SDK, et caetera, et caetera...

And look : the OLE reference. I thought immediately to the IRATRIAL.DLL essay

I wrote, cause if you remember, I wasn't able to explain the following code

of the main executable SD32.EXE :



* Reference To: ole32.CoInitialize, Ord:0025h

                                  |

:0040D483 FF15ACE14100            Call dword ptr [0041E1AC]      ; ???

:0040D489 8D45FC                  lea eax, dword ptr [ebp-04]

:0040D48C 50                      push eax

:0040D48D 68606C4100              push 00416C60

:0040D492 56                      push esi

:0040D493 57                      push edi

:0040D494 68706C4100              push 00416C70



* Reference To: ole32.CoCreateInstance, Ord:000Bh  ; You land in IRATRIAL.DLL

                                  |

:0040D499 FF15B0E14100            Call dword ptr [0041E1B0]

:0040D49F 85C0                    test eax, eax

:0040D4A1 7C3A                    jl 0040D4DD

:0040D4A3 57                      push edi

:0040D4A4 8B45FC                  mov eax, dword ptr [ebp-04]

:0040D4A7 56                      push esi



* Possible StringData Ref from Data Obj ->"Norton Speed Disk Trial"

                                  |

:0040D4A8 6874B84100              push 0041B874



* Possible StringData Ref from Data Obj ->"Symantec"

                                  |

:0040D4AD 6868B84100              push 0041B868

:0040D4B2 8B00                    mov eax, dword ptr [eax]

:0040D4B4 FF75FC                  push [ebp-04]

:0040D4B7 FF500C                  call [eax+0C]    ; You land in IRATRIAL.DLL

:0040D4BA 85C0                    test eax, eax

:0040D4BC 7C14                    jl 0040D4D2

:0040D4BE 57                      push edi

:0040D4BF 8B45FC                  mov eax, dword ptr [ebp-04]

:0040D4C2 57                      push edi

:0040D4C3 57                      push edi

:0040D4C4 8B00                    mov eax, dword ptr [eax]

:0040D4C6 FF75FC                  push [ebp-04]

:0040D4C9 FF5014                  call [eax+14]    ; You land in IRATRIAL.DLL



I __CallBack to you that this library, IRATRIAL.DLL, was nowhere to be

found inside the exports of SD32.EXE. Then, how could it be called? 

I couldn't explain this curious function, call Ole32.CoCreateInstance.



But now, with the help of Fravia's Blackboard, PCMAG and Borland, I can!

Thanks to the three of you!



First, look at this function, call Ole32.CoInitialize. And look at the OLE

help file that comes with the complete C++ Builder version (and many more 

goodies) for only 38 FF (8 dollars).

"The CoInitialize function initializes the Component Object Model (COM)

library"

Well, Is it that? The IRATRIAL.DLL is then a 'COM' object? Well, that was the

problem : in my old Win32 SDK, I did not have any documentation on these 'COM'.

Not my fault if Micro$oft is full of imagination and invent every month a

new word, like COM. I let you read this COM chapter in the help file.



Anyway, IRATRIAL.DLL is a COM file, yes, but it is a library like the others

librarys. And what it puts me wrong was that it wasn't called by the classic

LoadLibrary function.

No, the CoInitialize prepares place for the object; for us, the library.

And then, comes the interessting function I've noted above : CoCreateInstance.

Look in the Help file :

CoCreateInstance :

"Create a single uninitialized object of the class associated with a 

specified CLSID"

When I saw 'CLSID', I ran (remark I ran a lot and often) and searched my 

books on the registry base.



If you look in your registry, at the branch HKEY_CLASSES_ROOT\CLSID\,

you'll remark a lot of "enormous" following numbers. These are the CLSIDs 

of all your programs supporting OLE exchanges.

One entry interest us. This is when the setup program of Norton Speed Disk

Trial installed all the programs and modified the registry base, in this 

way :



[HKEY_CLASSES_ROOT\CLSID\{2832E101-2360-11D0-B6CF-000000000000}\InprocServer 32]

Default="D:\\PROGRA~1\\Symantec\\IRATRIAL.DLL"

"ThreadingModel"="Apartment"



The big hexadecimal number will of course be different on your machine. If you

don't know why, run yourself to read a good book about registry :-)

The subkey "InProcServer32" means that IRATRIAL.DLL does an In-Process-Server

for an object group... not explicit? I agree: I did not invent that! But the

micro$oft documentation do it! ::-)



Well, what's really interesting here is that IRATRIAL.DLL is rattached with

this CLSID number : 2832E101-2360-11D0-B6CF-000000000000.



Now, fire Winnie. Do a breakpoint on :

BPX OLE32.COINITIALIZE

Fire SD32.EXE (Norton Speed Disk Trial).

Well, you'll land in OLE32, hit

F12

to go back in SD32.EXE.

We pass this memory preparation that ole32.CoInitialize has done, and we step 

into the following instructions :



* Reference To: ole32.CoInitialize, Ord:0025h

                                  |

:0040D483 FF15ACE14100   Call dword ptr [0041E1AC]   ; where the breakpoint land

:0040D489 8D45FC         lea eax, dword ptr [ebp-04]

:0040D48C 50             push eax

:0040D48D 68606C4100     push 00416C60

:0040D492 56             push esi

:0040D493 57             push edi

:0040D494 68706C4100     push 00416C70               ; Ha ha!



* Reference To: ole32.CoCreateInstance, Ord:000Bh

                                  |

:0040D499 FF15B0E14100   Call dword ptr [0041E1B0]  



Ha ha! Look at all this PUSH instructions before the Call

ole32.CoCreateInstance.

And look in the OLE help file what this function means :



STDAPI CoCreateInstance(



    REFCLSID rclsid,	//Class identifier (CLSID) of the object

    LPUNKNOWN pUnkOuter,//Pointer to whether object is or isn't part of an aggregate 

    DWORD dwClsContext,	//Context for running executable code

    REFIID riid,	//Reference to the identifier of the interface

    LPVOID * ppv	//Indirect pointer to requested interface

   );



Now, look closer at the instruction just before the call :

:0040D494 68706C4100     push 00416C70



And remember that all the PUSH instructions are reversed regarding the

C function calling convention.

Therefore this last push before the call is the first parameter :  



REFCLSID rclsid,	//Class identifier (CLSID) of the object

                       

Hey, the CLSID!

To verify, ask Winnie to do a:

DD 416C70 (Assuring your memory range is at DS=ES=SS)

And look!



-----SD32!.rdata+1C60--------------------------------

0023:00416C70  2832E101  11D02360  0000CFB6  00000000   ; looks familiar, isn't it?

                                                                              

All right! What was the CLSID of IRATRIAL.DLL in my registry? Remember :

2832E101-2360-11D0-B6CF-000000000000.



This is the way this curious DLL is called by the program.

Forget LoadLibrary. Because we know now we must care of the hideous

ole32CoCreateInstance, A DLL could be a 'COM' program, and therefore NOT 

listed in the exports!



Well, this protection could have be good if :

- The name of the libray wasn't iraTRIAL.dll

- there would have been no usual MSVCRT!TIME calls.

- no time values would have been set in the registry.



Without the three blunders above, i would have traced a little more...



If you get from the web a registered copy of the Norton Utilities (where 

Norton Speed Disk stand), you'll remark that, in the exports of the 

executable SD32.EXE, there are no more the three following functions, like 

in the "trial" one:

CoInitialize, CoCreateInstance, and CoUninitalize.

These functions are used only for the trial version. 

The file IRALTRIAL.DLL is of course missing too.



Oops, if you clock back your system before running the patche I've done

in the previous essay, it won't work. 

This is due to two registry checks I'had negliged. 

Here they are :

Offset        : AFD

Find          : 0F850A020000

Replace with  : 404840484048

Offset        : B5C

Find          : 0F842E000000

Replace with  : 404840484048



Good Idea, this 'Blackboard'! Without it... :-)



--FootSteps (We create cracks!)   





(c) FootSteps, 1997. All rights reversed.
You are deep inside fravia's page of reverse engineering, choose your way out:

homepage links red anonymity +ORC students' essays tools cocktails
academy database antismut search_forms mail_fravia
is reverse engineering legal?