Object Oriented Protecting: the case of the tl32v20.dll
(Timelock vagaries inside DisKeeper Trial 3.0 for NT Workstation)
by BlueMan
(12 December 1997, slightly edited by fravia+)
Well, it's 'Time-lock' once more :-)
You'll read here about a natural, I would say 'darwinian', matter of fact, my friends... if we practise our "Object oriented cracking", and modify the *.dll(s) in order to defeat protections, the next step was obvious: protection schemes that use bogus *.dll(s)... Oh my! We better begin gathering 'sound' copies of the main *.dll(s) just in case!
A dll-battle! Who would have thought of this development only a couple of years ago? One year, on the web, is a whole ERA!
Enjoy!
Target: us_dkwstr_i.zip (length: 1,854,701 bytes, Build 176t)
A defragmentation tool for Windows NT 4.0 Workstation
Tools:
1.) SoftIce for NT
2.) W32Dasm (Windows disassembler)
:bpx getwindowtexta if (bpcount == 3)
You will see the following SoftIce message:
Break due to BPX USER32!GetWindowTextA IF (BPCount==3)
(ET=16.54 seconds)
Just press F12 to return to the caller (tl32v20.dll) and look:
:10003EC8 6A31 PUSH 31
:10003ECA 68A0440110 PUSH 100144A0
:10003ECF 50 PUSH EAX
:10003ED0 FF15DC630110 CALL [USER32!GetWindowTextA]
:10003ED6 8D45D8 LEA EAX,[EBP-28]
:10003ED9 50 PUSH EAX
:10003EDA E885E9FFFF CALL 10002864
:10003EDF 83C404 ADD ESP,04
:10003EE2 8D45EC LEA EAX,[EBP-14]
:10003EE5 8D4DD8 LEA ECX,[EBP-28] <-- after "call 10002864" has executed, the correct unlock code is at [ebp-28]
:10003EE8 50 PUSH EAX
Type the following command in SoftIce to get a dump of the correct unlock code:
:d [ebp-28]
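The trace above shows the design weakness behind this part of the scheme: the library recomputes the valid unlock code into a stack buffer right before comparing it with the typed text, so the secret sits in plain view for anyone who stops execution after that call. The following is an added illustration (not code from tl32v20.dll or from BlueMan's essay) contrasting that pattern with a check that stores only a salted hash of the code; the fingerprint, vendor secret and salt are constructed sample values, and derive_unlock_code is a hypothetical stand-in for "call 10002864".

```python
import hashlib
import hmac

# Constructed sample values standing in for whatever tl32v20.dll really uses.
FINGERPRINT = b"DISK-SERIAL-0001"      # per-install data the code is tied to
VENDOR_SECRET = b"constructed-secret"  # key the vendor's code generator uses


def derive_unlock_code(fingerprint: bytes, secret: bytes) -> str:
    """Hypothetical stand-in for 'call 10002864': the vendor-side generator."""
    tag = hmac.new(secret, fingerprint, hashlib.sha256).digest()
    return tag[:8].hex().upper()


def weak_check(typed: str, fingerprint: bytes, secret: bytes) -> bool:
    """The pattern in the trace: the valid code is recomputed into a local
    buffer (the [ebp-28] of the listing) and compared with the typed text.
    Breaking after the derivation lets a debugger dump the code directly."""
    correct = derive_unlock_code(fingerprint, secret)
    return typed == correct


def make_verifier(fingerprint: bytes, secret: bytes, salt: bytes) -> bytes:
    """Vendor-side step at registration time: issue a salted hash of the valid
    code, so the client stores neither the generator secret nor the code."""
    code = derive_unlock_code(fingerprint, secret).encode()
    return hashlib.sha256(salt + code).digest()


def hardened_check(typed: str, salt: bytes, verifier: bytes) -> bool:
    """The valid code never exists in memory unless the user typed it; the
    comparison is constant-time so the hash cannot be matched byte by byte."""
    candidate = hashlib.sha256(salt + typed.encode()).digest()
    return hmac.compare_digest(candidate, verifier)


if __name__ == "__main__":
    code = derive_unlock_code(FINGERPRINT, VENDOR_SECRET)
    salt = b"constructed-salt"
    verifier = make_verifier(FINGERPRINT, VENDOR_SECRET, salt)
    print("weak    :", weak_check(code, FINGERPRINT, VENDOR_SECRET))
    print("hardened:", hardened_check(code, salt, verifier))
    print("wrong   :", hardened_check("0000000000000000", salt, verifier))
```

Storing only the hash stops the code from being read out of memory; it does not stop the result of the comparison itself from being patched, which is exactly the second layer the essay goes on to examine.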
b.) Let's crack another part of the protection inside our target
----------------------------------------------------------------
Now run the program again: it terminates abnormally, so it seems that
the program has another protection scheme. So we copy the original
"dknt.tsf" back. (Don't forget to save the cracked "dknt.tsf" to
another file.)
After replacing dknt.tsf with the original one, we need to get the
exported functions of tl32v20.dll from the SoftIce Symbol Loader.
After loading the export information of tl32v20.dll, press Ctrl-D to
switch to SoftIce, and type
:exp
Press the down arrow key until you see the following inside
SoftIce's command window:
tl32v20
:10003E05 verifyTimeLock32
:1000386A getUserName32
:1000397F getUserState
:10003843 getRegNum32
:100038D0 getUserNumExecutions
:10003B9D showMainDialog
:10003C92 showMainDialogEx
:10003DE6 trialEnvironmentOpen
:10003DB6 trialEnvironmentClose
:1000390A getUserNumMinutesUsed
:100039B1 invokeTimeLock32
:1000389E _getUserNumDaysLeft@4
Switch to Softice, type
:bpx ShowMainDialog
(c) BlueMan All rights reversed