for Windoze NT4

(The mysterious IRATRIAL.DLL and the "vectoring breakpoint" trick)

by FootSteps

(21 October 1997, slightly edited by fravia)

Courtesy of fravia's page of reverse engineering

Well, here is what FootSteps wrote to me (among other things... he seems to have waited 15 long years for the moment to start cracking :-)
Hi Fravia,
my essay is about a time crack under WindozeNT4, inside a *very* curiously 
named DLL.

It's very difficult to be on the other side of the mirror: me, writing an
essay. I still cannot believe it... I'll try to be as little hopeless and 
boring as possible!
Well I don't find this essay boring at all... in fact the style that FootSteps uses is quite humorous... well I must confess that I like essays where INTUITION is given the merits and the role that "zen" deserves... I like a lot the "vectoring breakpoint" technique that FootSteps describes... when your target lets a breakpoint you need snap much too often, you use ANOTHER breakpoint to be transported to the correct part of the code AND THEN you set your "correct" breakpoint and gather the code snippet you were looking for!
At the bottom you'll find quite a lot of (maybe too many) "requests"

NORTON SPEED DISK TRIAL 1.0 for Windoze NT4 or
The mysterious dynamic link library : IRATRIAL.DLL

When I reverse, I must confess that I do not much like the 
"dead listing" way.
Recently, I recognised a little of myself inside As65pp's essay. 
He wrote :
  > I'm not that excited about staring at huge code-listings 
  > for hours on end
Yeah, that's me !

  > To be honest, I wasn't any good at maths in school either :(
Err... I think I wasn't either...

  > Nevertheless I was able to crack some programs by using a bit 
  > of common-sense and imagination

So was I (and a big part of the cracking scene too, I suppose).
Sure, we must always learn (that is one thing +ORC was right about).
But the simpler world of yesterday was a little easier for our 
poor brains: my old 8-bit computers weren't too difficult to 
program in assembler, and a 64 KB disassembled file was just right to 
manage entirely.
Today it's just a little too hard to have knowledge of thousands
of APIs, to switch continuously from W95 to WNT4, sometimes from 
Dos to Unix...
I will try to imagine the blackboard on fravia+'s site in just 
10 years:

"Hi, I know a little Kernel, but I lack knowledge about the
GDI. A friend of mine could help: he knows the USER pretty well. 
Perhaps someone else could help: we have been cracking for 20 years, 
but we need advice about the latest LineTo() API, which is a little 
too complex for us. We are reverse-engineering the new Notepad.exe 
for SuperWindowsJaved 2003, (Notepad_SWJ_2003.exe, 
bytes" :----)

Well, I remember the title of a lesson which +ORC never released. 
It was : "Intuition & Luck".
These are the two things I use.

NORTON SPEED DISK TRIAL 30 Days 1.0 for Windoze NT4
by SYMANTEC, *** ***

Tools you need :
SoftIce 3.2 or 3.01 for NT4 (everywhere)
WDasm89 (regged) or 8.5 or 8.7 (cracked)
WindozeNT4 itself

I was quietly installing my NT4 Service Pack 3 when I thought: 
hey, I've been using this OS for just two months; I know it looks 
after its file system itself, yet I would like to clean up my hard drive. 
Hmm... Well, Start button, Accessories, System Tools and... what? 
No ScanDisk? No Defrag? 
Well, a click on the HD properties, Tools, and look: 
"No defragmentation tool is currently installed"
(And you can search, but there's none coming with NT)
Hey, that's nevertheless a good thing: a company other than 
Micro$oft can offer a tool for this system.
OK, I heard that this good Pete made his utilities for NT too. 
(And it was a good idea, because of the As65pp1 essay on the other NT
disk defragmenter, DiskKeeper.) 
And obviously, none of my friends has a copy of these Utilities, all 
of them stupidly using only Windoze95
(I must confess I'm a stupid guy too, using this OS to play games, a
little too much... yet only good games).
Well, fired up Netscape, visited Symantec, got the Speed Disk trial file.
Installed it. Well, works nicely. I was in a hurry to see its 
protection instead of using it... I guess this happens to all reversers...

Well, let's go to work... less funny, but useful:

Install Speed Disk trial. You must reboot, so reboot. Hope you've got
a fast machine; I do not. I can assure you that debugging with NT4 is
boring, because you reboot often, and it's always the same soap: "please wait
while OS writes info to disk", and rebooting, "OS loader..." seems
to last ages and ages... Surely Micro$oft got a deal with many cigarette 
and caffeine vendors, given the time you spend waiting...
Play a little with sd32 (Speed Disk), see how it works, etc, etc.
Note a nagscreen before the application.
Take the opportunity to optimize your HD if you have never done it, since 
you've loaded this app!
OK, let's move on to serious reversing: set the clock a month ahead. Fire Speed Disk.
Oh no! A silly nag: "This product trial period has expired..."
No more defragmenting...
This could have been very sad, but you know the right Web sites, like 
the one where you are reading this, where you learn to laugh about 
sad nagscreen protection schemes.
As usual, we clock back to the right month.
Oh no! A second nag: "Cannot locate a valid evaluation section in
your registry..."

We must know who owns the nag. Is it the executable, SD32? 
Or is it one of the DLLs installed with it?
Fire SoftIce. CTRL+D.
TASK. This gives "No LDT". Hey, what's that?
HWND. This gives "Unable to find a desktop window".
Hmm... What's up with Winnie? When I use it with Windoze95, I...
I ran to read the SoftIce manual. If you haven't understood, run too!
Everything is normal.
We are not in the usual W95, so type: PROC
And you notice, among all the procs running on your system: SD32
Interesting. This should mean that the nag belongs to SD32.EXE.
This is true.
But it is a little false as well: if you search the executable 
SD32.EXE for words from the nag strings we have seen, like "trial period 
has expired" or "valid evaluation section", you won't find them...
You'll find them in a very interesting file, if you search for these 
last words across your whole HD (or if you have sniffed the 
installation of Speed Disk Trial): IRATRIAL.DLL, located on your hard
disk at c:\Program Files\Symantec.

Let's examine this curious DLL.
Hmm, the name gives away its purpose all by itself! (Names ARE important 
indeed): ira "TRIAL"!
Let's disassemble it with W32Dasm.
Your eyes should twinkle in front of the following imported function:
Double-click on it. Yeah, just one reference in this file.
With this, you must smell that the protection dwells here...

But wait. One thing made me doubt. 
Looking at the exports of SD32.EXE, I didn't see any import 
This is a point I'd like someone to explain to me. 
How does the executable SD32.EXE know it calls the library 
IRATRIAL.DLL (because in fact it uses it; see below)?
If you like tracing with Winnie, like me, you'll notice that you land
inside the code of IRATRIAL.DLL from the code of SD32.EXE, here:

* Reference To: ole32.CoInitialize, Ord:0025h
:0040D483 FF15ACE14100            Call dword ptr [0041E1AC]
:0040D489 8D45FC                  lea eax, dword ptr [ebp-04]
:0040D48C 50                      push eax
:0040D48D 68606C4100              push 00416C60
:0040D492 56                      push esi
:0040D493 57                      push edi
:0040D494 68706C4100              push 00416C70

* Reference To: ole32.CoCreateInstance, Ord:000Bh
:0040D499 FF15B0E14100            Call dword ptr [0041E1B0] ;You land
                                                            ;in IRATRIAL.DLL
:0040D49F 85C0                    test eax, eax
:0040D4A1 7C3A                    jl 0040D4DD
:0040D4A3 57                      push edi
:0040D4A4 8B45FC                  mov eax, dword ptr [ebp-04]
:0040D4A7 56                      push esi

* Possible StringData Ref from Data Obj ->"Norton Speed Disk Trial"
:0040D4A8 6874B84100              push 0041B874

* Possible StringData Ref from Data Obj ->"Symantec"
:0040D4AD 6868B84100              push 0041B868
:0040D4B2 8B00                    mov eax, dword ptr [eax]
:0040D4B4 FF75FC                  push [ebp-04]
:0040D4B7 FF500C                  call [eax+0C]                    ;You land in
:0040D4BA 85C0                    test eax, eax
:0040D4BC 7C14                    jl 0040D4D2
:0040D4BE 57                      push edi
:0040D4BF 8B45FC                  mov eax, dword ptr [ebp-04]
:0040D4C2 57                      push edi
:0040D4C3 57                      push edi
:0040D4C4 8B00                    mov eax, dword ptr [eax]
:0040D4C6 FF75FC                  push [ebp-04]
:0040D4C9 FF5014                  call [eax+14]                    ;You land in
And a lot of others connections...
Remark that from the first call I noted above, Call ole32.CoCreateInstance,
you land in ole32 before landing in IRATRIAL.DLL.
I can't explain the smart TRICK that this DLL uses to go into 
Try stepping over this call (ole32.CoCreateInstance) with Winnie. 
You'll see the following report in the code window:

NTICE: Load32 START=1180000 SIZE=9000 KPEB=80644020 MOD=IRATRIAL
LDR: Automatic DLL relocation in sd32.exe
LDR: Dll IRATRIAL.DLL base 10000000 relocated due to collision with
                 D:\ProgramFiles\Norton\Speed Disk Trial\MFCEXT.DLL

Uh? What's that? A collision with the Micro$oft MFC library? Are there 
any wounded code snippets around?
Where is the curious mechanism that lets the SD32.EXE file call this
unlisted DLL?
I think I lack something...
[Editor's note: it is the standard COM path, which is why W32Dasm shows no
static import. CoCreateInstance takes the CLSID whose address is pushed at
0040D494 (push 00416C70), looks up that CLSID's InprocServer32 entry under
HKEY_CLASSES_ROOT\CLSID in the registry, and loads the DLL registered there,
IRATRIAL.DLL, with LoadLibrary; hence the loader message. The interface
pointer it returns in [ebp-04] is then used for the vtable calls at
0040D4B7 and 0040D4C9 (call [eax+0C], call [eax+14]), and the "Symantec" and
"Norton Speed Disk Trial" strings pushed before the first of them are the
components of the registry key under which the evaluation data turns up
later in this essay.]

But I was sure (you know, luck & intuition!) that it all came from 
this DLL, because of its name. They could as well have called it
IRA30DAYSTRIALPROTECTIONLOOKHERE.DLL; it would have been the same 
for me!

Then, look at the imports of this curious library with W32Dasm.
Hey! You should jump seeing: MSVCRT.time!
And another one: MSVCRT.localtime.
And, if you are as silly as me, you fire Winnie, do a:
BPX MSVCRT!TIME (making sure you've loaded all the exports in winice.dat)
and you trace.
And you trace.
And you trace. And you trace again. Again.
Well, I can assure you you'll trace for a long time... you will 
eventually find it, but that will happen ages later... because the 
comparison is far, far away...

That's not zen at all.
And I was not mad (not yet, again).
Then I stopped tracing, took a seat and started thinking.
Mmm... I was first thinking about this type of time-crippled software.
Often, this kind of reversing is very easy. The comparison between 
installation date and current date is usually not very far away.
But sometimes... Well, there is just one trial-time soft I couldn't crack:
this was (and still is) CorelDraw7 30 days Trial. I've never seen 
a crack for this one (a good crack). A great protection, apparently. 
Anyone taking up this gauntlet? What are all the +HCUkers doing? 
I was hoping this one wasn't a hard type, like Corel, when I 
remembered I had not had a look at the registry.
That was because I didn't have TechFacts for NT4. This program is indeed a 
great tool
Indeed! just try the orphan dll function on your own hard disk (curiously called "search for dll") and you'll see which TREASURES are inside TechFacts :-)
and I lack it with WindozeNT.

I installed Speed Disk again, after a good cleanup of HD and registry,
started it again (it works fine) and
looked at the modifications on my HD and inside my registry myself, 
comparing with my old registry (always back up your registry before 
installing and reversing!).
I compared them too before and after the launch of Speed Disk.
Then I did the same before and after clocking a month away and back.
And I sniffed an interesting fact:

My registry was altered this way:
[HKEY_CURRENT_USER\Software\Symantec\Norton Speed Disk Trial\1.0]
this value: "Evaluation"
contained the following bytes:

Well, examining what happens before and after launching Speed
Disk, two bytes were changed each time:
the first one, here "ED", and the 27th one, here "74", 
were changed to other values.

Then I tried to change these bytes myself to some fake values, 
such as "FF" for the first one and "00" for the other one, and 
then fired Speed Disk once more.
Immediately, the nag "Cannot locate a valid evaluation section in 
your registry..." appeared, nagging us as when we clocked back, remember?

All right. Now it was certain. Each time Speed Disk was fired, these 
two values were changed, and they relate to the time. 
When the time was out, the values in the registry key were bad.
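The snapshot comparison just described, as an added example that is not part of FootSteps' essay: dump the same registry value after each launch, diff the dumps, and keep only the offsets that move every single time. The snapshot bytes below are constructed for the demonstration (a 40-byte blob whose first and 27th bytes, offsets 0 and 26, change on every launch, plus one byte of one-off noise); they are not the real contents of the "Evaluation" value. Intersecting the change sets over several launches, rather than diffing only two dumps, is what separates the timestamp fields from noise:

```python
from __future__ import annotations

# Snapshot comparison of a registry value across launches.  Added example,
# not part of FootSteps' essay.  The snapshots are CONSTRUCTED for the demo:
# they are not the real bytes of the "Evaluation" value, only a 40-byte blob
# whose first and 27th bytes (offsets 0 and 26) move on every launch.


def changed_offsets(before: bytes, after: bytes) -> list[tuple[int, int, int]]:
    """Return (offset, old_byte, new_byte) for every byte that differs.

    If the two snapshots differ in length, the missing side is reported as -1
    so a grown or shrunk value is not silently ignored."""
    out = []
    for i in range(max(len(before), len(after))):
        old = before[i] if i < len(before) else -1
        new = after[i] if i < len(after) else -1
        if old != new:
            out.append((i, old, new))
    return out


def volatile_offsets(snapshots: list[bytes]) -> set[int]:
    """Offsets that change between EVERY consecutive pair of snapshots.

    Comparing just two dumps also picks up one-off noise; intersecting the
    change sets over several launches leaves only the bytes rewritten every
    time (a timestamp, a launch counter, a checksum over them), which are
    the ones to watch in the debugger."""
    common: set[int] | None = None
    for a, b in zip(snapshots, snapshots[1:]):
        offs = {i for i, _, _ in changed_offsets(a, b)}
        common = offs if common is None else common & offs
    return common or set()


def _constructed_snapshot(launch: int) -> bytes:
    """Fake 'Evaluation' value after the given launch (constructed data)."""
    blob = bytearray((i * 37 + 11) & 0xFF for i in range(40))
    blob[0] = (0xED + launch) & 0xFF        # rewritten every launch
    blob[26] = (0x74 + 3 * launch) & 0xFF   # rewritten every launch
    if launch == 1:
        blob[5] ^= 0x80                     # one-off noise, must be filtered out
    return bytes(blob)


EVALUATION_SNAPSHOTS = [_constructed_snapshot(k) for k in range(4)]


def report(snapshots: list[bytes] = EVALUATION_SNAPSHOTS) -> list[str]:
    """One line per volatile offset, numbered 1-based as the essay counts."""
    lines = []
    for off in sorted(volatile_offsets(snapshots)):
        history = " -> ".join(f"{s[off]:02X}" for s in snapshots)
        lines.append(f"byte #{off + 1} (offset {off:#04x}): {history}")
    return lines


if __name__ == "__main__":
    print("\n".join(report()))
```

Run it and the report names exactly the two bytes the essay found, the first and the 27th, while the byte that changed only once is dropped.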
Another look in IRATRIAL.DLL and I point a finger, slowly, at the
following imported function: ADVAPI32.RegQueryValueExA.
There's only one place in the code where this DLL uses it.
The DLL must read the registry value before it can decide to show the string
"Cannot locate a valid evaluation" which it contains, and it obviously 
uses ADVAPI32.RegQueryValueExA to do so.

If you BPX ADVAPI32!RegQueryValueExA you will break far too often before 
reaching the right snippet.
No, we need a "vectoring breakpoint", i.e. a breakpoint that brings us 
into a part of the code where we'll be able to use the "correct" breakpoint 
(in this case ADVAPI32!RegQueryValueExA) without interference.
Therefore we'll now use BPX MSVCRT!TIME as the vectoring breakpoint, for the 
reasons we have seen above.
Hit F12 to return from MSVCRT, and you will land in IRATRIAL.DLL;
then disable this vectoring breakpoint and set the correct one, BPX ADVAPI32!RegQueryValueExA.
And you will land in the right portion of code:

* Reference To: ADVAPI32.RegQueryValueExA, Ord:0136h
:02C50 FF15A4610010            Call dword ptr [100061A4]		;HERE
:02C56 8945F8                  mov dword ptr [ebp-08], eax
:02C59 8B45F8                  mov eax, dword ptr [ebp-08]
:02C5C E900000000              jmp 2C61				; curious jmp

* Referenced by a Jump at Addresses:02C35(U), :02C5C(U)
:02C61 5F                      pop edi
:02C62 5E                      pop esi
:02C63 5B                      pop ebx
:02C64 C9                      leave
:02C65 C20C00                  ret 000C

Remark this "curious jmp" at 10002C5C: E9 00000000 is a five-byte near jump 
with a zero displacement, so it lands on the very next instruction, 10002C61. 
The DLL is full of such do-nothing jumps. Whether they were put there on 
purpose or are simply what the compiler emitted for a jump to the function's 
common exit label, which here happens to be the next instruction, they work 
like an anti-debugging "nagging" for two reasons:
- It's unpleasant when you trace: seeing a jmp, you always think
"My, where the hell in the code will we land now?" and you go 
right after it, interrupting your thoughts...
- It's really boring when you read the dead listing, because you look at
all the locations and think each one is an important reference 
to look for, and in fact it's just a silly do-nothing jmp!

Well, you make the ADVAPI32.RegQueryValueExA call, storing your
"Evaluation" value in memory (keep an eye on it), and from the 
10002C65 location the RET 000C (a near return that also discards the 
three DWORD arguments) brings us here:

:016F6 E81F150000       call 10002C1A			; call ADVAPI32.RegQueryValueExA
:016FB 85C0             test eax, eax			; is there a key ?
:016FD 0F850A020000     jne 1000190D			; yes, no jmp
:01703 C745D400000000   mov [ebp-2C], 00000000
:0170A 8B4D08           mov ecx, dword ptr [ebp+08]
:0170D 83C109           add ecx, 00000009
:01710 E863180000       call 10002F78	               ; make checksum with
                                                     ; the time and key
:01715 50               push eax
:01716 8B4D08           mov ecx, dword ptr [ebp+08]
:01719 83C109           add ecx, 00000009
:0171C E8141A0000       call 10003135			; make checksum with
                                                     ; the time and key
:01721 50               push eax
:01722 6A26             push 00000026
:01724 8B4508           mov eax, dword ptr [ebp+08]
:01727 83C031           add eax, 00000031
:0172A 50               push eax
:0172B 8B4D08           mov ecx, dword ptr [ebp+08]
:0172E E891030000       call 10001AC4			; make checksum with
                                                     ; the time and key
:01733 8B4D08           mov ecx, dword ptr [ebp+08]
:01736 83C131           add ecx, 00000031
:01739 E86F020000       call 100019AD
:0173E 85C0             test eax, eax			
:01740 0F844A000000     je 10001790			; no jmp and no interest
:01746 6890400010       push 10004090
:0174B 8B4508           mov eax, dword ptr [ebp+08]
:0174E 83C033           add eax, 00000033
:01751 50               push eax
:01752 E8F1010000       call 10001948			; make checksum with
							; the time and key
:01757 83C408           add esp, 00000008
:0175A 85C0             test eax, eax	
:0175C 0F842E000000     je 10001790			; no jmp and no
:01762 8B4D08           mov ecx, dword ptr [ebp+08]
:01765 83C157           add ecx, 00000057
:01768 E8BCFEFFFF       call 10001629			; make checksum with
                                                     ; the time and key
:0176D 8B4D08           mov ecx, dword ptr [ebp+08]
:01770 3B4143           cmp eax, dword ptr [ecx+43]
:01773 0F8217000000     jb 10001790			; NO! else "Cannot locate..."
:01779 8B4D08            mov ecx, dword ptr [ebp+08]
:0177C 83C157            add ecx, 00000057
:0177F E8A5FEFFFF        call 10001629
:01784 8B4D08            mov ecx, dword ptr [ebp+08]
:01787 3B4147            cmp eax, dword ptr [ecx+47]
:0178A 0F8336000000      jnb 100017C6			; JUMP! else "Cannot locate..."

* Referenced by a Jump at Addresses:01740(C), :0175C(C), :01773(C)
:01790 837D1000                cmp dword ptr [ebp+10], 00000000
:01794 0F8520000000            jne 100017BA
:0179A 6A00                    push 00000000
:0179C 6A30                    push 00000030
:0179E FF750C                  push [ebp+0C]

* String Resource ID=00102: "Cannot locate a valid Evaluation 
                              section in your registry"
:017A1 6A66                    push 00000066

I skip the checksum manipulation; we're not here to make 
a time-key generator, we are here to reverse and understand some 
alien code... so we don't care at all about the calls I marked "make checksum 
with the time and key", nor about the tests marked "no jmp and no 
interest", which only verify whether there is in fact a key (so don't 
erase yours from the registry!).

The jb 10001790 is much more interesting: it is taken when you clock 
back, and you land in the nag "Cannot locate a valid Evaluation".
So we patch it with three "inc eax; dec eax" pairs (6 bytes):
40 48 40 48 40 48

Look at the jnb 100017C6: if this jump is not taken, you land in the same
nag "Cannot locate a valid Evaluation".
We patch it, obviously, with "jmp 100017C6": EB 3A
That is only two bytes instead of six, so we also patch the following 4 to 
40 48 40 48. They will never be executed, since they sit right after an 
unconditional jump, but the padding keeps the disassembly clean (and one 
never knows how the many Intel processors may interpret code ahead :-)

Now let's go to the 100017C6 location we jump to:

* Referenced by a Jump at Address:0178A(C)
:017C6 8B4D08                  mov ecx, dword ptr [ebp+08]
:017C9 83C157                  add ecx, 00000057
:017CC E858FEFFFF              call 1629
:017D1 8B4D08                  mov ecx, dword ptr [ebp+08]
:017D4 3B414F                  cmp eax, dword ptr [ecx+4F]
:017D7 0F871D000000            ja 17FA			; NO! else "This
                                                            ; product's trial..."
:017DD 8B4D08                  mov ecx, dword ptr [ebp+08]
:017E0 83C157                  add ecx, 00000057
:017E3 E841FEFFFF              call 1629
:017E8 8B4D08                  mov ecx, dword ptr [ebp+08]
:017EB 2B4143                  sub eax, dword ptr [ecx+43]
:017EE 8B4D08                  mov ecx, dword ptr [ebp+08]
:017F1 3B414B                  cmp eax, dword ptr [ecx+4B]
:017F4 0F8631000000            jbe 182B			; JMP! else "This
                                                            ; product's trial..."

* Referenced by a Jump at Address:017D7(C)
:017FA 837D1000                cmp dword ptr [ebp+10], 00000000
:017FE 0F8520000000            jne 1824			; we don't care
:01804 6A00                    push 00000000
:01806 6A30                    push 00000030
:01808 FF750C                  push [ebp+0C]

* String Resource ID=00103: "This product's trial period has 
                              expired. Please contact your"
:0180B 6A67                    push 00000067

You see we must avoid that ja 100017FA, which lands in the 
preparation of the "trial expired" string. Well, the same 
as above: replace it with three "inc eax; dec eax" pairs (6 bytes). Unlike a 
NOP, inc/dec rewrite the arithmetic flags, but that is harmless here: the 
add and cmp that follow recompute them before the next conditional jump.

We'll never land at the :017FE location, so we don't care 
about that jump.
Why? Because we are going to patch the verification that precedes it, jbe 182B.
We must always jump, avoiding the following (frightening) location: 
"trial expired".
So we patch it with:
jmp 1000182B (EB 35)
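The two listings above contain four conditional jumps, and the four patches each neutralise one of them. The following is an added example, not code from IRATRIAL.DLL or from the essay: it re-expresses the branch structure of 10001770..100017F4 as Python so that each jump, and each patch, can be tried out on a record. Two things are assumptions and not taken from the page: the value `call 10001629` leaves in EAX (the essay's "checksum with the time and key") is modelled as an unsigned 32-bit number that grows with the clock, here simply the current time in seconds; and the field meanings written next to `SAMPLE_RECORD` (install time, trial length, end date) are guesses drawn only from how the listing compares each field. The resource IDs 0x66 and 0x67 are the ones the listing pushes before the two nag strings.

```python
from typing import Optional

# Executable model of the four conditional jumps in IRATRIAL.DLL recovered
# in the listing.  Added example, not code from the DLL or from the essay.
#
# Assumptions (not taken from the page):
#  * what `call 10001629` returns in EAX (the essay's "checksum with the
#    time and key") is an unsigned 32-bit number that grows with the clock;
#    here it is simply the current time in seconds;
#  * the record at [ebp+08] is a dict keyed by the field offsets the listing
#    compares against; the meanings given in SAMPLE_RECORD are guesses made
#    from how each field is compared, nothing more.

MASK32 = 0xFFFFFFFF
CANNOT_LOCATE = 0x66  # resource pushed at 100017A1: "Cannot locate a valid Evaluation..."
EXPIRED = 0x67        # resource pushed at 1000180B: "...trial period has expired"
OK = None


def check_trial(now: int, rec: dict, patches=frozenset()) -> Optional[int]:
    """Walk the checks in listing order.  jb/jnb/ja/jbe are UNSIGNED compares.

    `patches` is a subset of {1, 2, 3, 4}, numbered as in the essay's patch
    list.  Returns the resource ID of the nag that would be shown, or OK."""
    now &= MASK32

    # 10001770  cmp eax,[ecx+43] ; jb 10001790      -> "Cannot locate..."
    # patch 1: the jb becomes inc/dec pairs, the branch is gone
    if 1 not in patches and now < rec[0x43]:
        return CANNOT_LOCATE

    # 10001787  cmp eax,[ecx+47] ; jnb 100017C6     -> go on, else nag
    # patch 2: the jnb becomes an unconditional jmp 100017C6
    if 2 not in patches and not now >= rec[0x47]:
        return CANNOT_LOCATE

    # 100017D4  cmp eax,[ecx+4F] ; ja 100017FA      -> "...has expired"
    # patch 3: the ja becomes inc/dec pairs
    if 3 not in patches and now > rec[0x4F]:
        return EXPIRED

    # 100017EB  sub eax,[ecx+43] ; cmp eax,[ecx+4B] ; jbe 1000182B -> go on
    # patch 4: the jbe becomes an unconditional jmp 1000182B
    elapsed = (now - rec[0x43]) & MASK32   # 32-bit wraparound, as in the DLL
    if 4 not in patches and not elapsed <= rec[0x4B]:
        return EXPIRED

    return OK


DAY = 86400
INSTALL = 877_000_000  # constructed: epoch seconds in October 1997
SAMPLE_RECORD = {      # constructed; the meanings are guesses from the compares
    0x43: INSTALL,             # 'now' must not be below this (install time?)
    0x47: INSTALL,             # a second lower bound on 'now' (last run?)
    0x4B: 30 * DAY,            # bound on now - [+43] (trial length?)
    0x4F: INSTALL + 30 * DAY,  # 'now' must not exceed this (end date?)
}

ALL_PATCHES = frozenset({1, 2, 3, 4})


def nag_for(days_after_install: int, patches=frozenset()) -> Optional[int]:
    """Which nag fires when the clock sits N days from the install time."""
    return check_trial(INSTALL + days_after_install * DAY, SAMPLE_RECORD, patches)


if __name__ == "__main__":
    for days in (10, -5, 40):
        print(f"{days:+4d} days: unpatched {nag_for(days)}, patched {nag_for(days, ALL_PATCHES)}")
```

The model reproduces what the essay observed: a month ahead trips the "expired" path, and clocking back trips the first jb and the "Cannot locate" nag. It also shows why all four patches are needed: with only the first two applied, a clock set back makes `now - [ecx+43]` wrap around as an unsigned 32-bit value, so the fourth check fails and the nag merely changes from "Cannot locate" to "expired".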

Now fire your Speed Disk.
Yep! It works! You're going to defragment your NT4 for ages and ages, 
till the cows come home!
Even your little kids will use it in twenty years!

The patch (file offsets in hex, find/replace bytes in hex):
Offset : B73
Find         : 0F8217000000
Replace with : 404840484048

Offset : B8A
Find         : 0F8336000000
Replace with : EB3A40484048

Offset : BD7
Find         : 0F871D000000
Replace with : 404840484048

Offset : BF4
Find         : 0F8631000000
Replace with : EB3540484840
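A patcher for the four replacements above, as an added example and not the essay's own tool. Before it writes anything it checks that the original bytes really sit at the listed offsets (so a different build of the DLL is refused rather than half-patched), and for the two jump rewrites it recomputes the short displacement from the original `0F 8x rel32` encoding: both displacements are measured from the end of the instruction, and the short form is four bytes shorter, so rel8 = rel32 + 4, which gives the essay's EB 3A and EB 35. The DLL itself is not on this page, so the code is exercised on a constructed stand-in buffer that carries the six original opcode bytes at each offset; the 0xC00 difference between the listing addresses and the file offsets is taken from the essay's numbers, and the section layout it implies is an assumption noted in the code.

```python
# Patcher for the four byte replacements listed above, verifying before it
# writes.  Added example, not the essay's own tool; the DLL itself is not on
# this page, so the code is exercised on a CONSTRUCTED stand-in buffer that
# carries the six original opcode bytes at the four file offsets given.  On
# the real file, read it into `data` and write apply_patches(data) back.

# (file offset, bytes to find, bytes to write), exactly as the essay lists them
PATCHES = [
    (0xB73, "0F8217000000", "404840484048"),  # jb  10001790 -> inc eax/dec eax x3
    (0xB8A, "0F8336000000", "EB3A40484048"),  # jnb 100017C6 -> jmp 100017C6 + pad
    (0xBD7, "0F871D000000", "404840484048"),  # ja  100017FA -> inc eax/dec eax x3
    (0xBF4, "0F8631000000", "EB3540484840"),  # jbe 1000182B -> jmp 1000182B + pad
]

# Every listed offset is exactly 0xC00 below its address in the disassembly
# (0x1773 -> 0xB73 and so on).  That is what a .text section with RVA 0x1000
# and raw offset 0x400 gives; an assumption here, read the real section
# table before relying on it.
RVA_TO_FILE_DELTA = 0x1773 - 0xB73


def short_jmp_for_jcc(jcc: bytes) -> bytes:
    """Rewrite a 6-byte `0F 8x rel32` conditional jump as `EB rel8`, the
    2-byte unconditional jump to the same target.

    Both displacements count from the end of the instruction; the long form
    is 4 bytes longer, so rel8 = rel32 + 4 (the essay's 0x36 -> 0x3A and
    0x31 -> 0x35)."""
    if len(jcc) != 6 or jcc[0] != 0x0F or not 0x80 <= jcc[1] <= 0x8F:
        raise ValueError("not a 0F 8x rel32 conditional jump")
    rel32 = int.from_bytes(jcc[2:], "little", signed=True)
    rel8 = rel32 + 4
    if not -128 <= rel8 <= 127:
        raise ValueError("target out of short-jump range")
    return bytes([0xEB, rel8 & 0xFF])


def apply_patches(data: bytes, patches=PATCHES) -> bytes:
    """Return a patched copy, or raise without touching anything that does
    not match: the wrong build of the DLL must never be half-patched."""
    buf = bytearray(data)
    for off, find_hex, repl_hex in patches:
        find, repl = bytes.fromhex(find_hex), bytes.fromhex(repl_hex)
        if len(find) != len(repl):
            raise ValueError(f"{off:#x}: patch would change the file size")
        have = bytes(buf[off:off + len(find)])
        if have != find:
            raise ValueError(f"{off:#x}: expected {find_hex}, found {have.hex().upper()}")
        if repl[0] == 0xEB and repl[:2] != short_jmp_for_jcc(find):
            raise ValueError(f"{off:#x}: short jmp does not reach the jcc target")
        buf[off:off + len(repl)] = repl
    return bytes(buf)


def patches_apply_cleanly(data: bytes, patches=PATCHES) -> bool:
    """True if every find-pattern is where the list says it is."""
    try:
        apply_patches(data, patches)
    except ValueError:
        return False
    return True


def constructed_sample(size: int = 0xC00) -> bytes:
    """Stand-in for IRATRIAL.DLL: zeros with the original opcodes in place."""
    buf = bytearray(size)
    for off, find_hex, _ in PATCHES:
        buf[off:off + 6] = bytes.fromhex(find_hex)
    return bytes(buf)


if __name__ == "__main__":
    src = constructed_sample()
    out = apply_patches(src)
    print(f"patched {sum(a != b for a, b in zip(src, out))} bytes")
```

Two practical notes: the `40 48` pairs keep EAX unchanged but, unlike `90` NOPs, write the arithmetic flags; that is harmless at both nopped sites because an `add` and a `cmp` recompute the flags before the next conditional jump. And the four bytes after each `EB xx` are never executed, so what they contain matters only for how clean the disassembly looks.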

(C)1997 --FootSteps (We create cracks!)

End of FootSteps' ESSAY

FootSteps' REQUESTS

About the checksum with Windoze NT4: to all of you working in the WinIce NT essay section, the sympathetic "project2" company (BOZO, Birdy Harry and ViceVersa+): I didn't work on the checksum of this IRATRIAL.DLL, because I know far too little about WindozeNT. Is the checksum verification of this OS activated somewhere? Is it only with an NTFS partition? Is it verified for drivers only? If so, why not for the EXE and the DLL? Thanx for an answer.
FootSteps' REQUESTS (more)

I'd like to thank everybody on this site for teaching me the little knowledge I've got by now. A few years ago, I was still looking everywhere in the newsgroups for a new crack I needed, you know, one of those "me too" guys. And now, most of the time, it takes me just a few hours of interesting, amazing work to reverse my software. And to give too: I've now got some requests from friends of mine! The world is reverse-engineering itself, isn't it? :-)

I don't totally agree with the whole "ideology" of +ORC, but I must admit: his tutorial was good indeed, and it was not boring to read at all. One maxim was really true: "Give a man a crack... Teach him..."!!! Thanx +ORC! I will never be hungry again :-)

Razzia, you impressed me with your "function disabled" essay. This is much more than simple cracking; thanks for letting me follow you on this way and learn from you.

This reminds me of something that happened last week. I was looking at the "big" computer of a friend of mine, who plays some (marvellous) 3DFX games. Then he showed me a SNES emulator. I saw him playing a copy of Donkey Kong with it. I didn't believe my eyes: I forgot immediately about the pretty 3dfx game itself, and thought about the guy who reversed the SUPER FAMICOM alone and made this emulator! Well done, man. We still have a very long way to go in reversing and learning...

About cracking 3DFX games, I've got a little problem. I can only use the dead listing method, because when you start a 3DFX game, the video is switched to the 3DFX board, and SoftIce breaks inside a black screen where you cannot see anything at all... Has anyone got an idea? Can someone explain to me why SoftIce 3.21 works very well with this new (and windowed) video driver under Windoze95, while it does not work with my version of SoftIce 3.2 for WindozeNT4? I get the same video switch as with the old 3.01... NuMega's support cannot help me, unfortunately :-) (Yet I love those guys... 
the BEST by far (very far) programmers and reversers of the whole universe. I would never have been able to write this without you, men!)
FootSteps' REQUESTS (even more)

Could someone explain the CorelDraw7 Trial 30 days protection... Thanx. I will not tell you how many hours I spent on this without result... A lot! :-) & :-(. The only thing I understood is that it is protected by a DLL type of timelock. This protection is named Sentinel.

I liked your reverse essay on Filemon, fravia+, and the great introduction to VxDs by +Rcg. Can you teach us more about these VxDs? Because we continuously need to make some kind of old DOS TSR, and these new VxDs are poorly documented on the whole Web.

Thx to all of you, from the authors of the "Most stupid protection" essays to the "Toughest" ones. Note that I've never employed the words "by the way" nor the "BTW" abbreviation, which seem to be present on most pages of this site... Sometimes I think that searching for "reverse engineering" or "by the way" on any search engine will land you on the same site: this one! :--------------)
End of FootSteps' REQUESTS (was about time)
(c) FootSteps 1997. All rights reversed