Tl32v20.dll - how to find right unlock code

Tl32v20.dll - how to find right unlock code by GustawKit

Tl32v20.dll is used to time-limits in shareware programs. After start, you see nag-screen informing how much time left to use trial version of the program. You can enter registering code. Many programs use this library. Information about timelock library you can find on http://www.timelock.com. In this essey we have to try find right registering code.

Run program which uses this .dll f.e. Quick View Plus Trial or another. Next push "Purchase" button. I mean this version which you can enter code. So enter any code (f.e. 654321) and any user and company name. In SoftIce we put breakpoint on call GetWindowTextA function (bpx ..function name..) and push Ok button. SoftIce take control and stop on first call of this function. TimeLock library calls this function three times ( to take three texts), we looking for a moment after all calls and we find this code:

:10003FAD 68503B0110     push 10013B50
:10003FB2 50             push eax
:10003FB3 FFD3           call ebx <--- we are here
:10003FB5 8D45D8         lea eax, dword ptr [ebp-28]
:10003FB8 50             push eax
:10003FB9 E84ADDFFFF     call 10001D08
:10003FBE 83C404         add esp, 00000004
:10003FC1 8D45EC         lea eax, dword ptr [ebp-14]<- good code
:10003FC4 8D4DD8         lea ecx, dword ptr [ebp-28]<- enter code
:10003FC7 50             push eax
:10003FC8 51             push ecx
:10003FC9 E8A21A0000     call 10005A70
:10003FCE 83C408         add esp, 00000008
:10003FD1 85C0           test eax, eax
:10003FD3 7553           jne 10004028     <-- jump good/bad guy

What have we here ? :

push eax put EAX on stack
call ebx call GetWindowTextA
lea eax, dword ptr [ebp-28]         in EAX - adress of good code
push eax put EAX on stack as function call parameter
call 10001D08 call function which generate good code
add esp, 00000004
lea eax, dword ptr [ebp-14] in EAX  - adress entered code
lea ecx, dword ptr [ebp-28] in ECX  - adress good code
push eax put EAX on stack
push ecx put ECX on stack
call 10005A70 Call function - compare codes (in EAX -results)
add esp, 00000008
test eax, eax checking result
jne 10004028        jump good/bad guy

For finding good code we must check what is under adress stores in ECX register (d ECX). There is good code which you have to enter in dialog window. :-)

Last note:

This solution is the best. We can register program as well as we will pay for it and we not modify program's code.

More informations you can find on http://fravia.org in TimeLock project.