TrialMaster

AdamA
August 7th, 2001, 07:19
Hi,
does anyone know of TrialMaster (www.geeworks.com/trialmaster/) protected apps?

thanks,
AdamA

BlackB
August 7th, 2001, 08:12
How many times have we seen "you can be sure your intellectual property is safely distributed and tried before they're purchased" before... :-)
From what I've read I would guess it's SoftWrap's successor (http://www.softwrap.com).
Personally I don't think this piece of protection software will make a lot of trouble when trying to unwrap it. Never heard of it either, and never saw an app protected with it.
Some of us are going to have a fun (short/long??) time with it :-)

greets

BlackB

AdamA
August 7th, 2001, 09:45
Hi,

At this time I was a little bored, so I thought about a generic TrialMaster KeyGen.
At their site you can read (about Geeworks):
"Geeworks was founded by Peter Chiu, an ex-Microsoft Windows NT developer..."
I think you can't get more fun than that.

greets,
AdamA

+SplAj
August 8th, 2001, 06:24
Well, this proved a 5 minute challenge while eating my burger for lunch (no harissa - too hot for me); with the free hand I did this:

Start TrialMaster (lite - the other, std, doesn't run yet - CRC?)
See the nag screen to register
Get into SI
BPX GETVERSION
F5
Press 'Start Now'
SI pops
F12 back to the target (now a strange thread like 4c54fd1.bmp)
Set EIP to 435C6A (this is the OEiP)
Type E EIP EB FE
F5
DUMP that file 4c4c545c.bmp, whatever, with LordPE as dumped.exe, edit the raw offset 35c6a from EB FE to 55 8B and that's it. You are free to patch+play :-) No more TrialMaster wrapper - the dumped exe is FULLY fixed as original cos it IS the original!

BTW direct links:

h**p://www.geeworks.com/trialmaster/tm20.exe
h**p://www.geeworks.com/trialmaster/tm20lite.exe


+SplAj }>
'patch+play'

AdamA
August 8th, 2001, 07:46
Hi,
so we know how to dump it (thanks +SplAj);
for those who are interested in crypto,
they use RSA in the following way:
md5=MD5(name+email+2nd part of Prod. ID)
chksum(md5)=md5[0]+...+md5[15]
serial=chksum^d mod n (serial is Base36)

have fun,
AdamA

+SplAj
August 8th, 2001, 08:40
Just D/L'd the standard version again today and this one launches.

Tried the same trick and the OEiP is 435C1A for this std version. Dumped and runs fine... tried resetting the clock back and forward 20 years and it still runs. What can I say, you can MD5 and hash and mash as much as you like, but in those immortal words... 'if it runs it can be defeated', and it is, so who wants to waste 2 years studying the algo?

+Spl/\j }>
'patch+play'

BTW probably the last post from me for a while...... what's that you whispered? ............. 'thank god :-)'

OK
CYA........Guinness here I come.

CoDe_InSiDe
August 8th, 2001, 15:45
Hi Everyone,

I looked at that TrialMaster thing a little bit and you can indeed defeat it "very" easily.
My method is a bit different from the one from +Splaj ;D
Anyway this is for the Standard version (haven't tested it for the Lite version; btw +Splaj, Standard has some debug tracing tricks).
So read my attachment if you're interested ;D

Cya...

CoDe_InSiDe

CoDe_InSiDe
August 8th, 2001, 15:52
I just checked the lite version and it's exactly the same

Cya...

CoDe_InSiDe

CoDe_InSiDe
August 13th, 2001, 03:37
Hi Everyone,

I also took a look at that SoftWrap wrapper and it's as easy as TrialMaster.
So if anyone is interested here's my solution (btw, actually no need for an attachment like my previous solution).

Run the wrapped program and you'll get an evaluation window.
Get into SoftICE and put a breakpoint on "WriteProcessMemory".
Get out of SoftICE and press the button "Try It".
When SoftICE breaks, type "BC *" and type "d esp+0C" and look at the data window.
There'll be an offset that points to the code that'll be copied into the real program.
Type "d (offset you'll see there, it's in reverse like 10 F5 66 00 == 0066F510)" and then replace in the data window the first 2 bytes (of course remember those 2 bytes) with "EBFE".
Get out of SoftICE and now the main program runs in a loop.
Dump the main program with ProcDump for example; you can recognize it because the name contains ".locked.exe".
Now open the dumped file in a hex editor and go to the OEP, replace "EBFE" with the normal bytes and save the file.
TaTaam, file unwrapped.

Ok, err ... have fun with it ? ;D

Cya...

CoDe_InSiDe

BlackB
August 13th, 2001, 04:44
I reversed the SoftWrap protection a few months ago.... I even wrote a tutorial for it ;p
http://users.belgacom.net/blackb/softwrap.html

greets

BlackB

CoDe_InSiDe
August 13th, 2001, 05:44
Hi BlackB,

Hehe nice one

Cya...

CoDe_InSiDe

NchantA
August 13th, 2001, 23:48
I also did a short tutorial on SoftWrap, but I cheated a bit,

although I didn't go into as much detail as BB.

nC

dELTA
August 14th, 2001, 10:18
BlackB, in your tutorial you say this regarding what the wrapper does to protect the wrapped processes from dumping:

"...write the decrypted code to the process, write garbage to memory to prevent dumping..."

but when you dump it you do it right before the ResumeThread call. So is this garbage written to the process while it is executing then?

And also, I'm just a bit curious, what is this garbage that is written? The usual import table corruption? That seems a bit dangerous to do while the program is running, I think?

What else, other than messing with the imports, are the usual techniques of corrupting an executable image in memory to prevent dumping but still not trash the execution of the protected process? I can see several things that can be destroyed in the PE header in memory to accomplish this, but I would love to hear about some other used techniques.

Thanks!

ThrawN
September 22nd, 2001, 02:57
I also worked with SoftWrap 1.32 some time ago, and I don't recall intercepting garbage code being written to the locked process. It only writes the decrypted code to the entrypoint (how much is calculated from the exe size) and resumes the process.

Forgive me if I am wrong though.

ThrawN