http://www.mustang.com - Webpage.
QM95NT.EXE - (3.65Mb).
When you first start, you'll be confronted with a trial usage meter; however, there is an option to purchase, so click that and you'll be confronted with a screen asking you to enter various details. So let's enter some details into the 3 boxes. Before you do anything else, it might also be a good idea to write down the Registration Number which you are supposed to supply when you purchase. Mine is 2719007704087881.
So let's set some suitable breakpoints in our favourite debugger, SoftICE; you should find that GetWindowTextA works well. Now, you'll notice in SoftICE that the code you break inside is tl32v20.dll. So type >mod tl32v20 and SoftICE will tell you where this file is located.
Once you've performed the necessary actions in SoftICE, you'll be looking at this code:
:10003FB5 LEA EAX,[EBP-28]
:10003FB8 PUSH EAX
:10003FB9 CALL 10001D08 <-- Call code calculation routine.
:10003FBE ADD ESP,04 <-- Tidy stack.
:10003FC1 LEA EAX,[EBP-14] <-- Load EAX with serial # entered.
:10003FC4 LEA ECX,[EBP-28] <-- Load ECX with good serial #.
:10003FC7 PUSH EAX
:10003FC8 PUSH ECX <-- Push both pointers as arguments for the compare call.
:10003FC9 CALL 10005A70 <-- Almost certainly compare EAX with ECX, returns 1 in EAX.
:10003FCE ADD ESP,08 <-- Tidy the stack.
:10003FD1 TEST EAX,EAX <-- Test EAX for 0.
:10003FD3 JNZ 10004028 <-- Jump_bad_serial_#.
Without delving into the maths behind the protection scheme, you can easily see what this code snippet does: it calculates the good serial # and compares it with the serial # entered, though it seems no manipulation of the name and company name is actually performed. However, let's examine this scheme a little more closely.
The TimeLock code actually offers 2 possibilities, although the 2nd is not obvious: when you fail the check at JNZ 10004028, another section of code checks your serial # again, this time against a different code. If you examine this in SoftICE you'll discover that there's also a time-extend code.
Let's also take a look at a disassembly listing of tl32v20.dll; note these rather interestingly named functions:
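The listing above shows the weak point from a defender's view: the DLL builds the good serial # on the user's machine and compares it with the input. A sketch of the alternative, added here as an example (not TimeLock's code or the author's): the vendor signs the Registration Number and the client only verifies that signature with a public key. The function names, product names, message format and the toy RSA key are assumptions made up for the illustration.

```python
"""Added example: licence check that verifies a vendor signature instead of
recomputing the expected serial on the customer's machine."""
import hashlib

# Constructed demo key, NOT secure: both primes are well-known Mersenne primes.
_P, _Q = 2**127 - 1, 2**521 - 1
N, E = _P * _Q, 65537                     # public half: the only part the client ships
_D = pow(E, -1, (_P - 1) * (_Q - 1))      # private half: in practice never leaves the vendor


def _digest(reg_number: str, product: str) -> int:
    """Bind a code to one registration number and one product (hypothetical format)."""
    data = f"{product}\x00{reg_number}".encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N


def vendor_issue(reg_number: str, product: str) -> str:
    """Vendor side only: sign the registration number the customer sent in."""
    return format(pow(_digest(reg_number, product), _D, N), "x")


def client_verify(reg_number: str, product: str, unlock_code: str) -> bool:
    """Client side: needs only (N, E) and never holds a 'good' code to compare with."""
    try:
        sig = int(unlock_code.strip(), 16)
    except ValueError:
        return False                      # not hex at all
    if not 0 < sig < N:
        return False                      # out-of-range values are never valid
    return pow(sig, E, N) == _digest(reg_number, product)


if __name__ == "__main__":
    reg = "1234567890123456"              # constructed sample registration number
    code = vendor_issue(reg, "ProductA")
    print(client_verify(reg, "ProductA", code))   # code issued for this product
    print(client_verify(reg, "ProductB", code))   # same code, different product
```

A real product should use a vetted library (RSA-PSS or Ed25519) rather than this unpadded toy RSA. Signature verification takes the serial generator out of the client, but the module that performs the check still needs its own integrity protection.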
invokeTimeLock32
trialEnvironmentOpen
verifyTimeLock32
Let's face it, this is a very poor protection scheme; the function names are unimaginative to say the least. Since this protection scheme is sold commercially, there are many other applications out there using the tl32v20.dll. I actually elected to patch the dll so that it would return the correct serial # in the message box; that requires a bit of thought, although not much.
I've pasted the results of a file compare of the good tl32v20.dll with my modified version for your information; this probably isn't the only solution, but you may find it useful.
000033D3: 75 EB
000033D4: 53 30
0000340F: 68 52
00003410: CF 90
00003411: 42 90
00003412: 01 90
00003413: 10 90
I have successfully used my tl32v20.dll with other TimeLock-ed applications (check out Web Essentials ListCaster) and found it effective.