SmoothMove v2.0 (3D Studio Max Plugin) - Tutorial

http://www.smoothmove.com - Webpage.
Available for public download (~18 MB).

Another requested tutorial, which sadly meant re-installing 3D Studio Max (by the way, check out my updated 3DSMax tutorial when you have a free moment). The SmoothMove plugin installer doesn't seem very bright: it almost always fails to find an installed copy of 3DSMax, so you may end up copying the plugin files over manually. You'll soon discover that we have yet another TimeLock protection; I wrote this because the tl32v20.dll we encounter here is slightly different from the others I've seen on the web.

Trying to use the SmoothMove Panoramas triggers the familiar unlock screen (note the appalling 5 trials this plugin allows). Selecting Purchase invites you to enter an unlock code; any name/company will suffice. As we know from previous TimeLock journeys there are ordinarily several unlocking codes: one to restore the trial period (nonsensical here) and another to unlock the application permanently.

Grab yourselves a disassembly listing of tl32v20.dll and get ready for some SoftICE work. GetWindowTextA is the best entry point, although you'll probably get some troublesome interference from 3DSMax using it; in the end I just used HMEMCPY and created a small macro shortcut to get me to the relevant code, which is this:

:1000483A CALL GetWindowTextA
:10004840 LEA ECX, [EBP-28] <-- Unlock code entered.
:10004843 CALL 10001014 <-- Generate 1st code.
:1000484C LEA EAX, [EBP-14] <-- Real good unlock code.
:1000484F LEA ECX, [EBP-28] <-- Unlock code entered again.
:10004854 CALL 10006770 <-- Compare them (EAX=0 means identical).
:1000485C TEST EAX,EAX <-- EAX result.
:1000485E JNZ 100048A2 <-- More interesting than it first seems.

This looks obvious: reverse the jump or snatch the 1st code and voilà, either a restored trial or "thanks, nice buyer". But no, it's "there has been an error updating your system". Fair enough, maybe the first code isn't what we want; trace on a little more and you'll find a 2nd code, but that produces the same result as the 1st, and after these checks you can't avoid the "you have entered an incorrect code". So there's a slight problem: neither of the unlock codes will actually perform the required magic. You should of course soon realise that both of our generated unlock codes are in fact valid; another routine throws us to the error nag.

:10004873 CALL 100010AF <-- Important.
:1000487B TEST EAX,EAX <-- EAX's value once again is the key.
:1000487D JZ 100048F2 <-- Jump_to_error.
:10004889 PUSH 10001DABF <-- "Thank you for your purchase.....".

This call is the essence of the entire TimeLock scheme; all the relevant registry keys are laid out in front of you. Our simple tactic now is to trace this call and find out why EAX isn't returned non-zero, recalling that our 1st generated unlock code is really what we need to enter. It turns out that the return value in EAX depends on successfully deleting 2 files and on the absence of a registry key (you should just be able to create the 2 files and manually remove the key). Note: the files are amotsxg.dat/mdomsfg.cfg (Windows directory), the key is /Software/Infinite Pictures, Inc./SmoothMove(tm)......

We now get the nice message box :) and the nag disappears, but wait a second or two: if you've got any cracked versions of 3DSMax 2.5 you'd better watch out for this.

SmoothMove dongle check

It seems as if Infinite Pictures are doing Kinetix's job for them, or more likely Kinetix provided some sort of interface for plugin writers to check for the presence of the dongle. Indeed a simple bpio -h 378 rw and F12 will get you inside Util.dll; be very careful how you reverse with "zen", as it's easy to crash your system with a never-ending loop inside Sentinel.vxd. If you disassemble the actual plugin (SMPanMaxR2.dlu) you'll see that a call is made to util.HardwareLockID(), which is pretty self-explanatory. It's really your preference whether you patch the plugin, Util.dll or both.

Certainly just patching SMPanMaxR2.dlu is the easiest option; however I recommend you also improve Util.dll:

SMPanMaxR2.dlu

:10007D8F CALL EBP <-- Util.dll check.
:10007D91 TEST EAX,EAX <-- EAX is value of hardware lock ID.
:10007D93 JZ 10007DBA <-- Bad_jump.

Util.dll

:2802A999 DEC ECX <-- ECX's final value for relative JMP.
:2802A99A CMP ECX, 7 <-- Checks valid ranges.
:2802A9A6 JA 2802A9A6 <-- Can be used to JMP where we want.
:2802A99F JMP DWORD PTR [4*ECX+2802A9DC] <-- We won't let the code reach here.
:2802A9A6 MOV AX, 0313 <-- This can be changed.
:28021937 ADD EAX,ECX <-- Final value of EAX.

I've oversimplified how I traced here; it just involves tracing down from CALL EBP, keeping in mind that we need EAX!=0, and there are some fairly obvious XOR EAX,EAX bad guys to see. There are literally hundreds of ways to patch this. I left the plugin alone and fixed everything inside Util.dll: force the JA to JMP, change the MOV AX, 0313 to MOV AX, 0400 and fix the final setting of EAX's value at 28021937 (say MOV AL,1), although there is actually room to do a little more.
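To make sense of the DEC ECX / CMP ECX,7 / JA / JMP DWORD PTR [4*ECX+table] sequence in the Util.dll listing, here is an added illustration in C of the same bounds-checked jump-table idiom. This is not Util.dll's code and the handler values, the table name and the dispatch() function are all made up for the example; it only shows the shape a compiler produces for a dense switch, which is what the disassembly above is: a 1-based selector is decremented, compared unsigned against the last valid index so that one JA covers both "too large" and "zero wrapped around", and only then is the table indexed. Everything outside the range lands on the default path (the MOV AX, 0313 in the listing).

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed example: an 8-entry dispatch table in the same shape as the
 * DEC ECX; CMP ECX,7; JA default; JMP [4*ECX+table] idiom in the listing.
 * Handler return values are invented for illustration. */

typedef int (*handler_fn)(void);

static int handler_0(void) { return 0x0100; }
static int handler_1(void) { return 0x0200; }
static int handler_2(void) { return 0x0300; }
static int handler_3(void) { return 0x0400; }
static int handler_4(void) { return 0x0500; }
static int handler_5(void) { return 0x0600; }
static int handler_6(void) { return 0x0700; }
static int handler_7(void) { return 0x0800; }

/* The table of targets, the analogue of the DWORD array the JMP indexes
 * (assumed layout; the real table contents are not on the page). */
static const handler_fn jump_table[8] = {
    handler_0, handler_1, handler_2, handler_3,
    handler_4, handler_5, handler_6, handler_7,
};

/* The out-of-range path, where the listing's MOV AX, 0313 sits. */
#define DEFAULT_RESULT 0x0313

/* dispatch() mirrors the assembly step by step. The selector is 1-based, so
 * it is decremented first; the unsigned compare means a selector of 0 wraps
 * to 0xFFFFFFFF and is rejected by the same branch as a selector of 9+. */
int dispatch(unsigned int selector)
{
    unsigned int index = selector - 1u;       /* DEC ECX */
    if (index > 7u)                            /* CMP ECX,7 ; JA default */
        return DEFAULT_RESULT;
    return jump_table[index]();                /* JMP DWORD PTR [4*ECX+table] */
}

/* The same control flow written as a switch; a compiler normally lowers this
 * dense case set to exactly the table-plus-range-check above. */
int dispatch_switch(unsigned int selector)
{
    switch (selector) {
    case 1: return 0x0100;
    case 2: return 0x0200;
    case 3: return 0x0300;
    case 4: return 0x0400;
    case 5: return 0x0500;
    case 6: return 0x0600;
    case 7: return 0x0700;
    case 8: return 0x0800;
    default: return DEFAULT_RESULT;
    }
}

int main(void)
{
    /* Probe the boundaries: below range, first, middle, last, above, wrap. */
    unsigned int probes[] = { 0u, 1u, 4u, 8u, 9u, 0xFFFFFFFFu };
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++)
        printf("selector %u -> 0x%04X (switch form 0x%04X)\n", probes[i],
               dispatch(probes[i]), dispatch_switch(probes[i]));
    return 0;
}
```

Seen this way, the JA in the listing is just the compiler's unsigned range guard for the switch, and the instruction that follows the guard is the function's default case rather than anything specific to the hardware lock.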

You have finished reading another tutorial courtesy of CrackZ's Reverse Engineering Page.


© 1999 CrackZ. 23rd April 1999.