The TimeLOCK_DLL cracking (TL32V20.DLL)
(a cracking approach to a "model" protection scheme)

by Xoanon/PNC


Courtesy of Fravia's page of reverse engineering
As you'll read, this was intended as a message to +ORC, since anon.penet has unfortunately closed, Xoanon sent it to me. I'll simply publish it here (I think it's worth) and hope that +ORC will see it (and may be he'll also start thinking about REOPENING a bilateral channel asap :-)
About this essay: the interest of it lays (IMHO) in the following three elements 1)It's a "model" protection scheme, i.e. a scheme that protectionists "buy" and use "ready-made", which is interesting; 2) there is a "double checking", as Xoanon explains, the protection checks TWICE if you entered the correct unlock sequence; 3) Xoanon style is "refreshing", he cracks with enthusiasm and good will



Hi +ORC! I'm an italian cracker, my name is Xoanon and i crack for PiNNACLE

(an utility group). D'ya know them? I hope you do! 

First, sorry for my english... i don't think it's too bad, yet maybe 

sometimes i don't explain myself very well! :) 

In advance, i want to thank you for all your work! I think every

(or nearly every) new cracker in the world has learned this art from your

tutorial (me, i'm one of them!) .... So, back to the reason of this email:

you said "if u discover something new about protections, tell me.... i

will admit you to my +HCU and you will receive the missing lessons" ...

Well, i think i've something for you! Surely u'd know this already, or

maybe some of your +HCU students discovered it already.... but i'll try! :)

Well, my work is about a DLL used to protect W95 programs, the TL32V20.DLL.

I think the real name of this DLL is TimeLOCK, but who cares? i found a lot

of programs protected with it, like NetFusion Object 2.0, E-BroadCaster 1.0,

GeoBoy 1.3.1 .... and there are many others out there! I hope ya'll like it.



-----------------------------------------------------------------------------

                                 TimeLOCK DLL

                      "a cracking approach", by Xoanon/PNC

-----------------------------------------------------------------------------



The DLL i will talk about is a DLL frequently used to protect commercial

programs distributed on the web. This DLL provide a time limit protection: 

after xx days your program will not run anymore without purchasing.

The protection scheme is quite simple:



1) You are given a serial number by the program itself

2) You are asked to enter an unlock code calculated from this #

3) Name,Company and other stuffs doesn't interest the protection

  

Here the intersting findings:

1)	Everytime the program is installed the serial provided changes.

2)	The registering information are stored in the W95 Registry AND 

in a file .TSF stored in some locations of your HD, in encrypted form.



For example, in GeoBoy v1.3.1 (one of the many programs protected with TimeLOCK) 

if you search the registry for the word "GeoBoy" you will find some locations 

where there are a bunch of strange characters.... that's your information, 

encrypted. 



But in this approach we will crack the DLL brutally, so we will not care 

much about the registry!

Finally, if you want to reinstall it after the trial is expired (eh eh....

are you too lazy to try cracking it??? :) you have to COMPLETELY clean up

the registry (all branches where the word "Geoboy" dwells).



Now some Frequently Asked Questions:



Q:So, WHICH programs use this DLL? Where can I find them?



A:Well, i found a lot of programs that do use this DLL .... for example:

  E-BroadCaster, NetObject Fusion v2.0, GeoBoy v1.3.1. They're all on the web,

  search them using AltaVista or some other engine. Simply put in the name 

  of the program you are looking for, and then get it!



Q:Ok dude, i found that program! how can i see if it's protected with

  the DLL ?



A:Obvious..... it has to load it from your HD everytime it runs... so, simply

  search it with a DIR /S (will dwell most of the time inside the installation 

  directory of your new program, or else inside WIN/SYSTEM)



Ok boyz, now let's go cracking!

In this approach i will use as example target the program GeoBoy v1.3.1. 

Find it on the web, it's done by NDG Software so i think you'll easily find

it (every software house has at least an homepage!).

Well, fire your SoftICE as usually, light your cigarette (like me, or if

you prefer the +ORC way, prepare a good Martini Vodka!) and install GeoBoy.

Installed? Ok, now run it! You will see the classic TimeLOCK window (it's

the same in all the programs protected with it, this makes it easy to see 

if a program use this protection scheme). Enter a name, a company and an 

unlock code. As you can see, you have in the window 3 edit lines.

Now enter in SoftICE and act as usual with password-protected programs:



.TASK



 hmmmm is GeoBoy its task name? ...... found! Let's do an HWND on it!



.HWND GEOBOY



 good! let's see... we're searching for some edit boxes.... found!



 Handle         hQueue  SZ      QOwner  Class Name      Window Procedure

 .......        ....    ..      ......  ....            .............

 052C(2)        0D57    32      GEOBOY  Edit            177F:00000BF4 *

 0508(2)        0D57    32      GEOBOY  Edit            177F:00000BF4 *

 050C(2)        0D57    32      GEOBOY  Static          178f:000052FA

 0510(2)        0D57    32      GEOBOY  Edit            177f:00000BF4 *

 .......        ....    ..      ......  ....            .............



 We found 3 edit references.... let's try BMSGging the first (but will work

 alsoBMSGging on the others)



. BMSG 052C WM_GETTEXT



  Break due to BMSG 052C WM_GETTEXT !!! SoftICE pops up again!!!

  Well, now you are inside Windos95 Kernel (if i remember well) ...

  First, disable the breakpoint with BD 00 (or it will break on anyother

  GETWINDOWTEXT function.... generally if you found an entry point you

  should disable the BP after...).

  Now step some instructions (not too many) until you reach TL32V20.

  We have reached the DLL, now you have to show all your cracking capabilities!

  Well.... step step step and step, watching the EAX,ECX,EDI,ESI after every

  CALL or MOV EAX or MOV ECX or LEA EAX or LEA ECX (with D ).

  You'll soon find that the DLL use these register to store the addresses to

  everything you enter (name,company,unlock code) and also for the serial

  number (generated at every install) and the correct unlock code.

  You will also notice that the unlock code (es. 121212) you entered is stored

  at EBP-14, while the correct one is stored at EBP-28.

  Can we crack our target faking the MOV and LEA to these register? YES!

  Watch this piece of code (you will reach it after some stepping once you

  are working inside the DLL):

  ......

  LEA EAX, [EBP-28]

  PUSH EAX

  CALL 10001D08     







You are deep inside fravia's page of reverse engineering,  

choose your way out:





 homepage 

 links 

red

 anonymity 

 +ORC



 students' essays

 tools cocktails




 search_forms mailFraVia