The Timelock project

PreviewParadise R.I.P. (vboxed programs... bye bye!)
by Xoanon

15 June 1998

Well, well, well... sieh mal Eine an: the return of a great cracker... and the demise of an improved timelock.dll protection. How long will we have to repeat it? C-O-M-M-E-R-C-I-A-L R-E-A-D-Y M-A-D-E P-R-O-T-E-C-T-I-O-N-S A-R-E U-S-E-L-E-S-S.
Learn how to protect (on these very pages for instance) and then PROTECT YOURSELF your programs with a couple of assembly routines. They will be eventually defeated, of course, but NEVER so quickly and easily as a commercial protection can invariably be... man-o-man: learn to READ behind the hypes and frills, and then you'll never believe again what the commercial protectionists advertise (or anybody else for that matter: to advertise means to lie :-)
On one point Xoanon is dead wrong: I love him a lot, and hope that he will indulge in less maggots, more women and more reversing!
You will also notice that Xoanon is the mind behind the 'rolling' of the whole 'timelock' +HCU project... and if you had forgot it, just read TimeLOCK_DLL reverse engineering (TL32V20.DLL), written more than ONE YEAR ago (a whole "epoque" on the Web) yet still valid!

VBox (05/98 - 06/98)
PreviewParadise R.I.P.
Written by xOANON [UCF/CLASS]


Heya ol' Reverser+! Long time i'm not on your pages :) It's time to come back i think..... Don't bug me if i don't support +HCU as often as it would deserve, but you know.... i'm one of the "crackers-for-the-masses" you don't love so much :) Well, it's a choice... i like people use my cracks, i like to be known, etc... But it's another story.

Last week i found a program called "Script Driven Internet" and it appeared as protected with VBox. I read the essay last month by Marigold (very interesting indeed), so i took a look at it just to know something more about this protection.

Marigold (amazing) technics is the virginity-restoration, i present here a patching method instead.... much clear, much (not so) easier and (i think) much useful coz it's goal is to produce an universal cracked DLL which you can put in you \WINDOWS\SYSTEM to crack *EVERY* Vboxed program.

Tools required

Your favourite HexEditor
Cigarettes (5)
A fan (very hot here)
Some good grunge music (Nirvana, Stone Temple Pilots, etc...)

Target's URL/FTP

VBox Builder (a tool to add Vbox to your programs, very useful for cracking purposes too.... eheheh :)

Program History

TimeLock by PreviewSoft has long and glorious history (of its cracking). Vbox is "a new beginning" of a kind. It's different from its predecessors almost to the loss of the ancestorial resemblance.


Here we are.... let's start. First of all, install the VBox builder (you need to get a .prv file from their webserver, so connect to the internet for this and fill the form needed). Then choose a .EXE file to protect (you could choose also a .DLL or an .OCX, but choose an .EXE coz it's better and easier for cracking purposes) and wrap it with VBox using the builder (choose now the Trial days protection).

Now the fun begins. As Marigold says, and as we easily can see, VBox protections const of 3 dlls which are copied into your \WINDOWS\SYSTEM directories. These DLLs are : vboxp403.dll - vboxb403.dll - vboxt403.dll. All these dlls except the first are packed, so we will focus our attention on vboxp403.dll.This dll acts as a loader/unpacker for the others (among the other things, again just look at marigold's essay for a complete explanation), so i tought this: if i find the code which unpacks the dll, right after the unpacking i can patch *from inside of vboxp403.dll* the protection code which resides in vboxt403.dll memoryspace .... and i did :) Smart approach isn't it ? :)

Note: This kind of patching can be done much easily with a memory patch (see Stone's essay), but memorypatch always need a loader, or a TSR-like program to load just before the target. In this way, we can obtain (as i said) a clean and universal crack which only need to be copied in place of the original DLL.

So, stop talking and go on with cracking now......

First of all, move your system clock ahead so the target expires.

Now, you VBoxed your .EXE with Trial days protection, right? so it will be vulnerable to BPX GETLOCALTIME from our beloved SoftICE. You will land in this code (after PRET from the API routine) inside vboxp403.dll. We will use the space of this code later to add our memorypatching code.


:0500E720 81ECCC000000 sub esp, 000000CC
:0500E726 8D442410 lea eax, dword ptr [esp+10] *we will add memorypatch code here later*
:0500E72A 56 push esi
:0500E72B 50 push eax

* Reference To: KERNEL32.GetLocalTime, Ord:00F5h
:0500E72C FF1544C50105 Call dword ptr [0501C544]
:0500E732 8D4C2404 lea ecx, dword ptr [esp+04]
:0500E736 51 push ecx

* Reference To: KERNEL32.GetSystemTime, Ord:0135h
:0500E737 FF1540C50105 Call dword ptr [0501C540]
:0500E73D 668B4C240E mov cx, word ptr [esp+0E]
:0500E742 66390D32AC0105 cmp word ptr [0501AC32], cx
:0500E749 7540 jne 0500E78B
:0500E74B 668B44240C mov ax, word ptr [esp+0C]
:0500E750 66390530AC0105 cmp word ptr [0501AC30], ax
:0500E757 7532 jne 0500E78B

(......... etc..... etc......... )


Going ahead with tracing, you will find this code in vboxt403.dll which checks if the target is expired or not :

:07005EFB F6451408 cmp eax, [ebp+10]
:07005EFE 7402 jz 7005F02 *NOP it*


:7005FAA 3B45F0 cmp eax, [ebp+10]
:7005FAD 751A jnz 7005FC9 * change it to JMP 7005FC9 *

Ok, now theoretically our patch is done.... VBox screen will not appear anymore BUT: we just did it in memory, how to apply it on the file if vboxt403.dll is packed?

Here comes a little Zen, as our +teacher says.... We know that dll must be unpacked somewhere, so let's start hunting for the unpacking routine setting a BPM 7005EFE W (breakpoint on memory range on write). This means SoftICE will popup just when this memoryspace is accessed for writing (which is, in our case, the unpacking of vboxt403.dll).

Ok, so set this breakpoint and rerun. You will land in our beloved vboxp403.dll here:


:0500E856 8BD1 mov edx, ecx
:0500E858 83E203 and edx, 00000003
:0500E85B C1E902 shr ecx, 02
:0500E85E F3 repz
:0500E85F A5 movsd *this write the unpacked code to DS:EDI*
:0500E860 FF249568E80005 jmp dword ptr [4*edx+0500E868]
:0500E867 90 nop


As you will notice, this routine is executed many times, since the unpacking is done at little steps. Anyway, we will focus our attention just when EDI reach 07007000. Why? well, simple: since we want to patch at DS:7005xxx, if EDI reach 07007000 it means the code we need is already unpacked and ready for our "rape" :).

Now, problem #2 : we need space to do our memory patch. Easy, look at here.... this code is of no more use, since the protection is killed. So we can use the memoryspace of this datecheck code to implement our memorypatch.

First of all, we have to locate the call to this routine and NOP it, since we want to use it for our purpose. Here it is:

:05002880 6A00 push 00000000
:05002882 E899BE0000 call 0500E720 * just NOP this and the DLL will not call the datecheck anymore *
:05002887 83C404 add esp, 00000004
:0500288A 50 push eax

Now for the memorypatch. We have to jump to our routine right? so we need to modify this code right after the vboxt403.dll is unpacked in memory:


:0500E860 FF249568E80005 jmp dword ptr [4*edx+0500E868]


:0500E860 E9C1FEFFFF909090 jmp 500E726 *ok, now this jump to the entrypoint of our routine*

Here is the memorypatch routine:


:0500E726 81FF00700007 cmp edi, 07007000 *check if the code we need to patch is unpacked yet*
:0500E72C 7519 jne 0500E747 *act normally if not*
:0500E72E 66C787FEEEFFFF9090 mov word ptr [edi+FFFFEEFE], 9090 *patch at EDI-1102 = 7005EFE*
:0500E737 C687ADEFFFFFEB mov byte ptr [edi+FFFFEFAD], EB *patch at EDI-1053 = 7005FA0*
:0500E73E 66C787A5EEFFFF9090 mov word ptr [edi+FFFFEEA5], 9090 *patch at EDI-115B = 7005EA5*

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
:0500E747 FF249568E80005 jmp dword ptr [4*edx+0500E868] *this is the normal jump executed after unpacking*
:0500E74E 90 nop
:0500E74F 90 nop


You notice i've done another patch at 0500E73E . What's it about? well, it patch this code


:7005E9C F6451408 test byte ptr [ebp+14],08
:7005EA0 BE01000000 mov esi, 00000001
:7005EA5 745B jz 7005F02 *NOP it*


which bypass the "number of executions" check (another option of VBox, try it with the builder).

Well.... that's all. VBox is totally dead now, thanks to Marigold and your little xOANINO :) Go patch the vboxp403.dll according to this essay, copy it to your \WINDOWS\SYSTEM overwriting the original one and say "CIAO CIAO" to WeiJuhn Li :)

Alla prossima amici... e speriamo che l'Italia vinca 'sti mondiali.... anche se dopo la partita di ieri mi sembra improbabile :(


Final Notes

I hope you all liked this essay. As you see, commercial ready-made protections are not so secure as they claim (look at http://www.previewsoftware.com and laugh.... they say even SoftICE creators can't crack VBox and TimeLock, i can't believe it). There would be lot of ways to do a very secure protection (like using a decent PE-crypter), but maybe they think all of us +HCUkers are stupid.... bah :)

My greets fly out to: All UCF and CLASS members, Devil, Stone, Miramax, Marquis, Random, SpaceOne, SaiBada, Goku, SoftPJ (pleeeeeeeeeease improve your E-Zine) :)

Ob Duh

I wont even bother explaining you that you should BUY this target program if you intend to use it for a longer period than the allowed one. Should you want to STEAL this software instead, you don't need to crack its prot ection scheme at all: you'll find it on most Warez sites, complete and already regged, farewell.

You are deep inside reverser's page of reverse engineering, choose your way out:
Back to the Timelock project

red homepage red links red search_forms red +ORC red students' essays red academy database
red reality cracking red how to search red javascript wars
red tools red anonymity academy red cocktails red antismut CGI-scripts red mail_reverser
red Is reverse engineering legal?