A crippled tl32v20.dll protection scheme: diskeeper

(Cracking efficiently)

by as65pp

(12 October 1997, slightly edited by fravia+)


Courtesy of fravia's page of reverse engineering

Well, another very interesting essay from a "new" collaborator... Timelock protection scheme, once more... this new "breed" of tl32v20.dll protection (timelock) must have been created as a consequence of our own work on these pages, which is pretty interesting... not all shareware authors have the courtesy of telling us that they learned from our site :-)


Hidden register button
tl32v20.dll once more: Timelock-protected software
A small +HCU exercise for you clever reverser

Here is as65pp's letter to the +HCU Caretakers (i.e. me and +gthorne :-)

Hi Fravia, Hi Greythorne

I've followed your site for quite a while now and I have to say it's for sure the most interesting place on the net. Thank you for maintaining it for such a long time and giving us the chance to learn!
I must admit that I'm not that excited about staring at huge code-listings for hours on end, so your "dead-listing" approach is definitely not for me.
To be honest, I wasn't any good at maths in school either :(
Nevertheless I was able to crack some programs by using a bit of common-sense and imagination. This one is a good example:
- "Fooling" Diskeeper -
-----------------------

Diskeeper from Executive Software is a defragmentation tool for Windows NT; it can handle NTFS and FAT partitions and comes in two flavours: a 'lite' version (free of charge) and a 'pro' version (prices from around $200 to $1500 for the NT Server version), the main difference being that the pro version can defrag in the background. Now guess which version I wanted to use :)
A free 30-day demo of the pro version can be downloaded from their website at www.execsoft.com. As I fetched and installed it, I saw that one of the files copied was named tl32v20.dll :)))
Great, I thought, this will be dead in two minutes. (See Xoanon's essay on how to crack this lame protection.) I didn't plan to patch the whole dll, I just wanted to use SoftICE to sniff the correct 'unlock-code' from memory, as I had done many times before. Generally I prefer not to change too much of the code, if I can avoid it. So I started Diskeeper and up comes the familiar Nagscreen with its three buttons... But hey, where has the infamous 'Purchase' button gone? Nothing there, just 'OK' & 'Cancel'! The Nag-Text says something about contacting Executive Software by phone if you would like to spend big bucks for their efforts (Ha!), but there is no option to 'Register by phone', as there normally would be.

What's going on here? In my opinion, the people at Executive Software had read Xoanon's essay too (grin) and decided to be clever: "Let's disable the 'purchase' option, so the bad, bad cracker gets no chance to sniff our unlock-code". By looking a bit deeper at 'tl32v20.dll' you can see that it has a different size than usual (86.528 bytes versus 91.648 bytes for the regular version). So what do we have here? A crippled protection scheme! Nice one, this.

Think a (tiny) bit about it all:

-  tl32v20.dll has to be called by the main module (DkWork.exe)
-  there are two copies of the dll installed by the program, one in
   the main program directory and another one in the \defrag subdir
   IMPORTANT: If you haven't installed any Timelock software before,
   it is possible that another copy will be installed in the \WINNT
   directory.
   This wasn't the case on my machine, as I already had an 'uncrippled'
   tl32v20.dll (91.648 bytes) from an earlier Timelock-protected
   software (Boundschecker 5.0).
-  most likely, 'dkwork.exe' will call 'tl32v20.dll' only by its name
   (no size-checking)
-  the whole point of the missing 'Purchase' option is that, if you enter
   the correct code, it will modify an existing '*.tsf' file (different
   for each product) and put the correct code in there.
   When 'tl32v20.dll' is called the next time (by 'DkWork.exe') it will in
   turn look for the '*.tsf' file, check the code in it, and won't pop up
   anymore if the code is right.
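The weak spot the list above pins down is that the main module trusts whatever file happens to carry the DLL's name: nothing checks that the tl32v20.dll on disk is the build the vendor shipped. The example below is added here (it is mine, not code from the essay, from Timelock or from Executive Software) and shows the check a loader could have done: pin the size and the SHA-256 of the dependency and refuse to go on when the file on disk differs. The file names and contents are constructed stand-ins; a same-size substitution is included to show why a size check alone is not enough.

```python
import hashlib
import os
import tempfile


def fingerprint(path):
    """Return (size_in_bytes, sha256_hex) of the file at path, read in chunks."""
    h = hashlib.sha256()
    size = 0
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            size += len(chunk)
            h.update(chunk)
    return size, h.hexdigest()


def verify_module(path, expected_size, expected_sha256):
    """True only if the module on disk has exactly the pinned size and hash.

    A loader that calls this before LoadLibrary-style resolution by name
    rejects both a foreign build of the same DLL and a same-size edit.
    """
    if not os.path.isfile(path):
        return False
    size, digest = fingerprint(path)
    return size == expected_size and digest == expected_sha256


def demo():
    """Constructed scenario: pin the shipped build, then swap the file twice.

    Returns (shipped_ok, other_build_ok, same_size_edit_ok).
    """
    with tempfile.TemporaryDirectory() as d:
        dll = os.path.join(d, "tl32v20.dll")  # constructed stand-in, not the real DLL

        # 1. The build the vendor shipped: record its fingerprint at install time.
        with open(dll, "wb") as f:
            f.write(b"SHIPPED-BUILD-" * 100)  # 1400 bytes of constructed content
        pinned_size, pinned_hash = fingerprint(dll)
        shipped_ok = verify_module(dll, pinned_size, pinned_hash)

        # 2. A different build with the same file name and a different size.
        with open(dll, "wb") as f:
            f.write(b"OTHER-BUILD-" * 107)  # 1284 bytes
        other_build_ok = verify_module(dll, pinned_size, pinned_hash)

        # 3. Same size as the shipped build, different bytes: size alone passes,
        #    the hash does not.
        with open(dll, "wb") as f:
            f.write(b"X" * pinned_size)
        same_size_edit_ok = verify_module(dll, pinned_size, pinned_hash)

        return shipped_ok, other_build_ok, same_size_edit_ok


if __name__ == "__main__":
    print(demo())  # expected: (True, False, False)
```

In a real product the pinned size and digest would be stored somewhere the loader trusts more than the DLL's own directory (embedded in the main module, or better, verified through a signature), since a value sitting beside the file can be replaced together with it.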

Got it?! Exactly! We just have to replace the crippled version of 'tl32v20.dll' with the uncrippled one (both copies of it must be replaced), run the app (now the purchase button is right there where it should be, fine), sniff the correct code with SoftICE and Bang!:
Thank you for your purchase!

For some reason, after you've done all this and let Diskeeper defrag for the first time, it will pop up with a "copy protect violation". You are then again presented with the Nagscreen - don't worry! Just enter the sniffed code for a second time and you'll be safe, it won't bother you again. I suppose this has something to do with the second copy of 'tl32v20.dll' in the \defrag subdir, but that's only a guess.

This is intended as a +HCU (easy) exercise for beginners: EXPLAIN this point. The best explanation(s) will be inserted here with the name of the author(s) on 1 November 1997, so don't rush, work deep: you have enough time to explain this point well (which is important)... send solutions to fravia+ and/or +gthorne
As you see there are three things needed to crack Diskeeper:
- SoftICE for NT (3.0 or higher) to sniff the code
  (you'll find it everywhere on the Net)
- Xoanon's essay about cracking the Timelock scheme
  (read the other Timelock essays too)
- an 'uncrippled' copy of the Timelock dll
  (peruse your old "magazines" CD-ROMs or download any Timelock-protected
  software (GeoBoy, Boundschecker, etc.))
Small hint if you follow Xoanon's essay: 'task' & 'hwnd' won't work in NT
(error: no LDT), so a reverse engineer has to use 'bpx getwindowtexta' instead.

Conclusion: Well, nothing special really, except that it is possible to crack without knowing much about Assembler and without risking getting lost in the dark codewoods - just by using your brain and trying to understand the protectionist's reasons.
In a quite similar way I managed to avoid the whole checksum stuff (far too complicated!) when cracking SoftICE 3.01 for NT, but that's a different story (and maybe not that interesting anymore since v3.20 is already out).

That's all folks - bye for now!

-- as65pp  
(c) as65pp 1997. All rights reversed