The Timelock project
PreviewParadise R.I.P. (vboxed programs... bye bye!)
by Xoanon
15 June 1998
Well, well, well... sieh mal Eine an: the return of a great
cracker... and the demise of an improved timelock.dll protection. How long will we have to
repeat it? C-O-M-M-E-R-C-I-A-L R-E-A-D-Y M-A-D-E P-R-O-T-E-C-T-I-O-N-S A-R-E U-S-E-L-E-S-S.
Learn how to protect (on these very pages for instance) and then PROTECT YOURSELF your programs
with a couple of assembly routines. They will be eventually defeated, of course, but NEVER so
quickly and easily as a commercial protection can invariably be... man-o-man: learn to READ behind the hypes and frills,
and then you'll never believe again what the commercial protectionists
advertise (or anybody else for that matter: to advertise means to lie :-)
On one point Xoanon is dead wrong: I love him a lot, and hope that he will indulge in less
maggots,
more women and more reversing!
You will also notice that Xoanon is the mind behind the 'rolling'
of the whole 'timelock' +HCU project... and if you had forgot it, just read TimeLOCK_DLL reverse engineering (TL32V20.DLL),
written more than ONE YEAR ago (a whole "epoque" on the Web) yet still valid!
VBox (05/98 - 06/98)
PreviewParadise R.I.P.
Written by xOANON [UCF/CLASS]
Heya ol' Fravia+! Long time i'm not on your pages :) It's time
to come back i think..... Don't bug me if i don't support +HCU
as often as it would deserve, but you know.... i'm one of the
"crackers-for-the-masses" you don't love so much :)
Well, it's a choice... i like people use my cracks, i like to be
known, etc... But it's another story.
Last week i found a program called "Script Driven
Internet" and it appeared as protected with VBox. I read the
essay last month by Marigold
(very interesting indeed), so i took a look at it just to know
something more about this protection.
Marigold (amazing) technics is the virginity-restoration, i
present here a patching method instead.... much clear, much (not
so) easier and (i think) much useful coz it's goal is to produce
an universal cracked DLL which you can put in you \WINDOWS\SYSTEM
to crack *EVERY* Vboxed program.
SoftIce
W32D/ASM
Your favourite HexEditor
Cigarettes (5)
A fan (very hot here)
Some good grunge music (Nirvana, Stone Temple Pilots, etc...)
VBox
Builder (a tool to add Vbox to your programs, very useful for
cracking purposes too.... eheheh :)
TimeLock by PreviewSoft has long and glorious history (of its cracking). Vbox is
"a new beginning" of a kind. It's different from its
predecessors almost to the loss of the ancestorial resemblance.
Here we are.... let's start. First of all, install the VBox
builder (you need to get a .prv file from their webserver, so
connect to the internet for this and fill the form needed). Then
choose a .EXE file to protect (you could choose also a .DLL or an
.OCX, but choose an .EXE coz it's better and easier for cracking
purposes) and wrap it with VBox using the builder (choose now the
Trial days protection).
Now the fun begins. As Marigold says, and as we easily can
see, VBox protections const of 3 dlls which are copied into your
\WINDOWS\SYSTEM directories. These DLLs are : vboxp403.dll
- vboxb403.dll - vboxt403.dll. All these dlls except the
first are packed, so we will focus our attention on vboxp403.dll.This
dll acts as a loader/unpacker for the others (among the other
things, again just look at marigold's essay for a complete
explanation), so i tought this: if i find the code which unpacks
the dll, right after the unpacking i can patch *from
inside of vboxp403.dll* the protection code which
resides in vboxt403.dll memoryspace .... and i
did :) Smart approach isn't it ? :)
Note: This kind of patching can be done much easily with a
memory patch (see Stone's
essay), but memorypatch always need a loader, or a TSR-like
program to load just before the target. In this way, we can
obtain (as i said) a clean and universal crack which only need to
be copied in place of the original DLL.
So, stop talking and go on with cracking now......
First of all, move your system clock ahead so the target
expires.
Now, you VBoxed your .EXE with Trial days protection, right?
so it will be vulnerable to BPX GETLOCALTIME from our beloved
SoftICE. You will land in this code (after PRET from the API
routine) inside vboxp403.dll. We will use the
space of this code later to add our memorypatching code.
------------------------------------------------------------------------------------------------------------------------------
:0500E720 81ECCC000000 sub esp, 000000CC
:0500E726 8D442410 lea eax, dword ptr [esp+10] *we will add memorypatch code here later*
:0500E72A 56 push esi
:0500E72B 50 push eax
* Reference To: KERNEL32.GetLocalTime, Ord:00F5h
|
:0500E72C FF1544C50105 Call dword ptr [0501C544]
:0500E732 8D4C2404 lea ecx, dword ptr [esp+04]
:0500E736 51 push ecx
* Reference To: KERNEL32.GetSystemTime, Ord:0135h
|
:0500E737 FF1540C50105 Call dword ptr [0501C540]
:0500E73D 668B4C240E mov cx, word ptr [esp+0E]
:0500E742 66390D32AC0105 cmp word ptr [0501AC32], cx
:0500E749 7540 jne 0500E78B
:0500E74B 668B44240C mov ax, word ptr [esp+0C]
:0500E750 66390530AC0105 cmp word ptr [0501AC30], ax
:0500E757 7532 jne 0500E78B
(......... etc..... etc......... )
-----------------------------------------------------------------------------------------------------------------------------
Going ahead with tracing, you will find this code in vboxt403.dll
which checks if the target is expired or not :
:07005EFB F6451408 cmp eax, [ebp+10]
:07005EFE 7402 jz 7005F02 *NOP it*
and
:7005FAA 3B45F0 cmp eax, [ebp+10]
:7005FAD 751A jnz 7005FC9 * change it to JMP 7005FC9 *
Ok, now theoretically our patch is done.... VBox screen will
not appear anymore BUT: we just did it in memory, how to apply it
on the file if vboxt403.dll is packed?
Here comes a little Zen, as our +teacher says.... We know that
dll must be unpacked somewhere, so let's start hunting for the
unpacking routine setting a BPM 7005EFE W
(breakpoint on memory range on write). This means SoftICE will
popup just when this memoryspace is accessed for writing (which
is, in our case, the unpacking of vboxt403.dll).
Ok, so set this breakpoint and rerun. You will land in our
beloved vboxp403.dll here:
-----------------------------------------------------------------------------------------------------------------------------
:0500E856 8BD1 mov edx, ecx
:0500E858 83E203 and edx, 00000003
:0500E85B C1E902 shr ecx, 02
:0500E85E F3 repz
:0500E85F A5 movsd *this write the unpacked code to
DS:EDI*
:0500E860 FF249568E80005 jmp dword ptr [4*edx+0500E868]
:0500E867 90 nop
-----------------------------------------------------------------------------------------------------------------------------
As you will notice, this routine is executed many times, since
the unpacking is done at little steps. Anyway, we will focus our
attention just when EDI reach 07007000. Why?
well, simple: since we want to patch at DS:7005xxx, if EDI reach
07007000 it means the code we need is already unpacked and ready
for our "rape" :).
Now, problem #2 : we need space to do our memory patch. Easy,
look at here.... this code is of no more
use, since the protection is killed. So we can use the
memoryspace of this datecheck code to implement our memorypatch.
First of all, we have to locate the call to this routine and
NOP it, since we want to use it for our purpose. Here it is:
:05002880 6A00 push 00000000
:05002882 E899BE0000 call 0500E720 * just NOP this and
the DLL will not call the datecheck anymore *
:05002887 83C404 add esp, 00000004
:0500288A 50 push eax
Now for the memorypatch. We have to jump to our routine right?
so we need to modify this code right after the vboxt403.dll
is unpacked in memory:
change
:0500E860 FF249568E80005 jmp dword ptr [4*edx+0500E868]
to
:0500E860 E9C1FEFFFF909090 jmp 500E726 *ok, now this
jump to the entrypoint of our routine*
Here is the memorypatch routine:
-----------------------------------------------------------------------------------------------------------------------------
:0500E726 81FF00700007 cmp edi, 07007000 *check if the
code we need to patch is unpacked yet*
:0500E72C 7519 jne 0500E747 *act normally if not*
:0500E72E 66C787FEEEFFFF9090 mov word ptr [edi+FFFFEEFE], 9090 *patch
at EDI-1102 = 7005EFE*
:0500E737 C687ADEFFFFFEB mov byte ptr [edi+FFFFEFAD], EB *patch
at EDI-1053 = 7005FA0*
:0500E73E 66C787A5EEFFFF9090 mov word ptr [edi+FFFFEEA5], 9090 *patch
at EDI-115B = 7005EA5*
* Referenced by a (U)nconditional or (C)onditional Jump at
Address:
|:0500E72C(C)
|
:0500E747 FF249568E80005 jmp dword ptr [4*edx+0500E868] *this
is the normal jump executed after unpacking*
:0500E74E 90 nop
:0500E74F 90 nop
-----------------------------------------------------------------------------------------------------------------------------
You notice i've done another patch at 0500E73E . What's it
about? well, it patch this code
-----------------------------------------------------------------------------------------------------------------------------
:7005E9C F6451408 test byte ptr [ebp+14],08
:7005EA0 BE01000000 mov esi, 00000001
:7005EA5 745B jz 7005F02 *NOP it*
-----------------------------------------------------------------------------------------------------------------------------
which bypass the "number of executions" check
(another option of VBox, try it with the builder).
Well.... that's all. VBox is totally dead now, thanks to
Marigold and your little xOANINO :) Go patch the vboxp403.dll
according to this essay, copy it to your \WINDOWS\SYSTEM
overwriting the original one and say "CIAO CIAO" to
WeiJuhn Li :)
Alla prossima amici... e speriamo che l'Italia vinca 'sti
mondiali.... anche se dopo la partita di ieri mi sembra
improbabile :(
I hope you all liked this essay. As you see, commercial
ready-made protections are not so secure as they claim (look at http://www.previewsoftware.com
and laugh.... they say even SoftICE creators can't crack VBox and
TimeLock, i can't believe it). There would be lot of ways to do a
very secure protection (like using a decent PE-crypter), but
maybe they think all of us +HCUkers are stupid.... bah :)
My greets fly out to: All UCF and CLASS members, Devil, Stone,
Miramax, Marquis, Random, SpaceOne, SaiBada, Goku, SoftPJ
(pleeeeeeeeeease improve your E-Zine) :)
I wont even bother explaining you that you
should BUY this target program if you intend to use it for a
longer period than the allowed one. Should you want to STEAL this
software instead, you don't need to crack its prot ection scheme
at all: you'll find it on most Warez sites, complete and already
regged, farewell.
You are deep inside Fravia's page of reverse engineering, choose your way out:
Back to the Timelock project
homepage
links
search_forms
+ORC
students' essays
academy database
reality cracking
how to search
javascript wars
tools
anonymity academy
cocktails
antismut CGI-scripts
mail_Fravia
Is reverse engineering legal?