A crippled tl32v20.dll protection scheme: diskeeper
(12 October 1997, slightly edited by reverser+)
Courtesy of reverser's page
of reverse engineering
Well, another very interesting essay from a "new" collaborator...
Timelock protection scheme, once more... this new "breed" of
tl32v20.dll protection (timelock) must have been created as a
consequence of our own work on these pages, which is pretty
interesting... not all shareware authors have the courtesy of
telling us that they learned from our site :-)
Cracking efficiently - by as65pp - 12 October 1997
A crippled tl32v20.dll protection scheme: diskeeper
Hidden register button
tl32v20.dll once more: Timelock-protected software
A small +HCU exercise for you clever reverser
Here as65pp's letter to the +HCU Caretakers (i.e. me and +gthorne :-)
Hi Reverser, Hi Greythorne
I've followed your site for quite a while now and I
have to say it's for sure the most interesting place on
the net. Thank you for maintaining it for such a long
time and giving us the chance to learn!
I must admit
that I'm not that excited about staring at huge
code-listings for hours on end, so your "dead-listing"
approach is definitely not for me.
To be honest, I wasn't any good at maths in school either :(
Nevertheless I was able to crack some programs by using
a bit of common-sense and imagination. This one is a
- "Fooling" Diskeeper -
Diskeeper from Executive Software is a defragmentation
tool for Windows NT, it can handle NTFS- and
FAT-Partitions and comes in two flavours: a
'lite'-version (free of charge) and a 'pro'-version
(prices from around $200 to $1500 for the NT-Server
version), the main difference being that the
pro-version can defrag in the background.
Now guess which version I wanted to use :)
A free 30-day-demo of the pro-version can be downloaded
from their website at www.execsoft.com.
As I fetched and installed it, I saw that one of the files
copied was named tl32v20.dll :)))
Great, I thougt, this will be dead in two minutes.
(See Xoanon's essay on how to crack this lame
protection). I didn't plan to patch the whole dll, I
just wanted to use SoftICE to sniff the correct
'unlock-code' from memory, as I had done many times
before. Generally I prefer not to change too much of
the code, if I can avoid it. So I started Diskeeper and
up comes the familiar Nagscreen with it's three
buttons... But hey, where is the infamous 'Purchase'
button gone? Nothing there just 'OK' & 'Cancel'! The
Nag-Text says something about contacting
Executive-Software by phone if you would like to spend
big bucks for their efforts (Ha!), but there is no
option to 'Register by phone', as there normally would.
What's going on here? In my opinion, the people at
Executive-Software had read Xoanon's essay too (grin)
and decided to be clever:
"Let's disable the 'purchase' option, so bad, bad cracker
gets no chance to sniff our unlock-code".
By looking a bit deeper on 'tl32v20.dll' you can see that
it has a different size than usual (86.528 bytes to 91.648
bytes for the regular version).
So what do we have here? A crippled protection scheme!
Nice one, this.
Think a (tiny) bit about it all:
- tl32v20.dll has to be called by the main module (DkWork.exe)
- there are two copys of the dll installed by the program, one in
the main program directory and another one in the \defrag subdir
IMPORTANT: If you haven't installed any Timelock-software before,
it is possible that another copy will be installed in the \WINNT
This wasn't the case on my machine, as I already had a 'uncrippled'
tl32v20.dll (91.648 bytes) from an earlier Timelock-protected
software (Boundschecker 5.0).
- most likely, 'dkwork.exe' will call 'tl32v20.dll' only by it's name
- the whole point of the missing 'Purchase' option is that, if you enter
the correct code, it will modify an existing '*.tsf' - file (different
for each product) and put the correct code in there.
If 'tl32v20.dll' is called the next time (by 'DkWork.exe') it will in
turn look for the '*.tsf' - file, check the code in it, and won't pop-up
anymore if the code is right.
Got it ?! Exactly! We just have to replace the crippled
version of 'tl32v20.dll' with the uncrippled one (both
copyes of it must be replaced), run the app (Now the
purchase-button is right there where it should be,
fine), sniff the correct code with SoftICE and Bang!:
Thank you for your purchase!
For some reason, after you've done all this and let
Diskeeper defrag for the first time, it will pop up
with a "copy protect violation". You are then again
presented with the Nagscreen - dont worry! Just enter
the sniffed code for a second time and you'll be safe,
it won't bother you again. I suppose this has something
to do with the second copy of 'tl32v20.dll' in the
\defrag - subdir, but that's only a guess.
This is intended as +HCU (easy) exercise for
beginners: EXPLAIN this point. Best explanation(s) will
be inserted here with the name of the author(s) on 1
Novemeber 1997, so don't rush, work deep: you have
enough time to explain well this point (which is
important)... send solutions to reverser and/or
As you see there are three things needed to crack
- SoftICE for NT (3.0 or higher) to sniff the code
(you'll find it everywhere on the Net)
- Xoanons essay about cracking the Timelock scheme
(read the others timelock essays too)
- an 'uncrippled' copy of the Timelock-dll
(peruse your old "magazines" CD-roms or download any Timelock-protected
software (GeoBoy, Boundschecker, etc.)
Small hint if you follow Xoanons essay: 'task' & 'hwnd' won't work in NT
(error: no LDT), so a reverse engineer has to use 'bpx getwindowtexta' instead.
Conclusion: Well, nothing special really, except that
it is possible to crack without knowing much about
Assembler and without risking to get lost in the dark
codewoods - just by using your brain and trying to
understand the protectionist's reasons.
In a quite similar way I managed to avoid the whole checksum-stuff
(far too complicated!) when cracking SoftICE 3.01 for NT, but that's a
different story (and maybe not that interesting anymore since v3.20 is
That's all folks - bye for now!
(c) as65pp 1997. All rights reversed
You are deep inside reverser's page of reverse engineering,
choose your way out:
Is reverse engineering legal?