- QModem Pro v2.1 (QM95NT.EXE - (3.65Mb)).
http://www.smoothmove.com - SmoothMove v2.0 (~18Mb's).
The TimeLock as used in QModem Pro is an interesting scheme because it is marketed as a commercial software protection scheme. Launch QModem Pro and take a look.
When you first start, you'll be confronted with a trial usage meter, however there is an option to purchase so click that and you'll be confronted with a screen asking you to enter various details. So let's enter some details into the 3 boxes, before you do anything else it might also be a good idea to write down the Registration Number which you are supposed to supply when you purchase. Mine is 2719007704087881.
So lets set some suitable breakpoints in our favourite debugger SoftICE, you should find that GetWindowTextA works well. Now, you'll notice in SoftICE that the code you break inside is tl32v20.dll. So type >mod tl32v20 and SoftICE will tell you where this file is located. Once you've performed the necessary actions in SoftICE, you'll be looking at this code :-
:10003FB5 LEA EAX,[EBP-28]
:10003FB8 PUSH EAX
:10003FB9 CALL 10001D08 <-- Call code calculation routine.
:10003FBE ADD ESP,04 <-- Tidy stack.
:10003FC1 LEA EAX,[EBP-14] <-- Load EAX with serial # entered.
:10003FC4 LEA ECX,[EBP-28] <-- Load ECX with good serial #.
:10003FC7 PUSH EAX
:10003FC8 PUSH ECX <-- Save EAX,ECX for later use.
:10003FC9 CALL 10005A70 <-- Almost certainly compare EAX with ECX, returns 1 in EAX.
:10003FCE ADD ESP,08 <-- Tidy the stack.
:10003FD1 TEST EAX,EAX <-- Test EAX for 0.
:10003FD3 JNZ 10004028 <-- Jump_bad_serial_#.
Without delving into the maths behind the protection scheme you can easily see what this code snippet does, though it seems no manipulation of the name and company name is actually performed. However, lets examine this scheme a little more closely.
The TimeLock code actually offers 2 possibilities, although the 2nd is not obvious, when you fail the check at JNZ 10004028 another section of code checks your serial # again, this time against a different code. If you examine this in SoftICE you'll discover that theres' also a time-extend code. Lets also take a look at a disassembly listing of tl32v20.dll, note these rather interestingly named functions:
Let's face it, this is a very poor protection scheme, the function names are unimaginative to say the least. Since this protection scheme is sold commercially there are many other applications out there using the tl32v20.dll, I actually elected to patch the dll so that it would return the correct serial # in the message box, that requires a bit of thought, although not much. I've pasted the results of a file compare of the good tl32v20.dll with my modified version for your information, this probably isn't the only solution but you may find it useful.
000033D3: 75 EB
000033D4: 53 30
0000340F: 68 52
00003410: CF 90
00003411: 42 90
00003412: 01 90
00003413: 10 90
I have successfully used my tl32v20.dll with other TimeLock-ed applications (check out Web Essentials ListCaster) and found it effective.
Another requested tutorial, which sadly necessitated me having to re-install 3D Studio Max (btw check out my updated tutorial wrt 3DSMax when you have a free moment). The SmoothMove Plugin installation doesn't seem to be very bright as it almost always fails to find an installed version of 3DSMax so you might end up copying the plugin files over manually. You'll soon discover that we have yet another TimeLock protection, however I wrote this because the tl32v20.dll we encounter here is just slightly different from others which I've seen on the web.
Trying to use the SmoothMove Panoramas will trigger the familiar unlock screen, note the appalling 5 trials only of this plugin, selecting purchase invites you to insert an unlock code, (any name/company will suffice). As we know from previous TimeLock journeys there are ordinarily several unlocking codes, one to restore the trial period (non-sensical here) and another to unlock the application permanently.
Grab yourselves a disassembly listing of tl32v20.dll and get ready for some SoftICE work. GetWindowTextA is the best entry point however you'll probably get some troublesome interference from 3DSMax using it, in the end I just used Hmemcpy and created a small macro shortcut to get me to the relevant code which is this:
:1000483A CALL GetWindowTextA
:10004840 LEA ECX, [EBP-28] <-- Unlock code entered.
:10004843 CALL 10001014 <-- Generate 1st code.
:1000484C LEA EAX, [EBP-14] <-- Real good unlock code.
:1000484F LEA ECX, [EBP-28] <-- Unlock code entered again.
:10004854 CALL 10006770 <-- Compare them (EAX=0 means identical).
:1000485C TEST EAX,EAX <-- EAX result.
:1000485E JNZ 100048A2 <-- More interesting than it first seems.
This looks obvious, reverse the jump or snatch the 1st code and voila either a restored trial or thanks nice buyer, but no.....its "there has been an error updating your system". Fair enough, maybe the first code isn't what we wan't, trace on a little more and you'll find a 2nd code but that produces the same result as the 1st, after these checks you can't avoid the "you have entered an incorrect code". So theres a slight problem, neither of the unlock codes will actually perform the required magic, you should of course soon realise that both of our generated unlock codes are in fact valid, another routine throws us to the error nag.
:10004873 CALL 100010AF <-- Important.
:1000487B TEST EAX,EAX <-- EAX's value once again is the key.
:1000487D JZ 100048F2 <-- Jump_to_error.
:10004889 PUSH 10001DABF <-- "Thank you for your purchase.....".
This call is the essence of the entire TimeLock scheme, all the relevant registry keys are laid out in front of you, our simple tactic now is to trace this call and find out why EAX isn't returned non-zero, recall that our 1st generated unlock code is really what we need to enter. It turns out that the return value of EAX depends on the success of being able to delete 2 files and the lack of a registry key (you should just be able to create the 2 files and manually remove the key). Note: files are amotsxg.dat/mdomsfg.cfg (Windows directory), key is /Software/Infinite Pictures, Inc./SmoothMove(tm)......
We now get the nice message box :) and the nag disappears, but wait a second or 2, if you've got any cracked versions of 3DSMax 2.5 you'd better watch for this.
It seems as if Infinite Pictures are doing Kinetix's job for them or more likely Kinetix provided some sort of interface for plugin writers to check the presence of the dongle. Indeed a simple bpio -h 378 rw and F12 will get you inside Util.dll, go very careful how you reverse with "zen", its easy to crash your system with a never ending loop inside Sentinel.vxd. If you disassemble the actual plugin (SMPanMaxR2.dlu) you'll see that a call is made to util.HardwareLockID() which is pretty self-explanatory. Its really your preference as to whether you choose to patch the plugin, Util.dll or both.
Certainly just patching SMPanMaxR2.dlu is the easiest option, however I recommend you also improve Util.dll as well:
:10007D8F CALL EBP <-- Util.dll check.
:10007D91 TEST EAX,EAX <-- EAX is value of hardware lock ID.
:10007D93 JZ 10007DBA <-- Bad_jump.
:2802A999 DEC ECX <-- ECX's final value for relative
:2802A99A CMP ECX, 7 <-- Checks valid ranges.
:2802A9A6 JA 2802A9A6 <-- Can be used to JMP where we wan't.
:2802A99F JMP DWORD PTR [4*ECX+2802A9DC] <-- We won't let the code reach here.
:2802A9A6 MOV AX, 0313 <-- This can be changed.
:28021937 ADD EAX,ECX <-- Final value of EAX.
I've oversimplified how I traced here, it just involves tracing down CALL EBP, just keeping in mind we need EAX!=0 and there are some fairly obvious XOR EAX,EAX bad guys to see. There are literally hundreds of ways to patch this, I left the plugin alone and fixed everything inside Util.dll, force the JA to JMP, change the MOV AX, 0313 to MOV AX, 0400 and fix the final setting of EAX's value at 28021937 (say MOV AL,1) although there is actually room to do a little more.