Time and Time Again with Trialblazer v3, build 3001

A Serious Program for Product Testers aka Crackers and Reverse Engineers

Date 07/27/00
by Sojourner
There is a crack, a crack in everything. That's how the light gets in.
(x)Beginner ( )Intermediate ( )Advanced ( )Expert

A nice prog for us. Simple protection, but worth it. This is a much needed program.



Who knows where I got this program originally. Maybe www.shareware.com in their Utilities section. I don't know for sure.
It doesn't matter though, because I have the URL for you right now. See below. If you are constantly downloading software
and testing it like I am, then this is must-have software. I tried it out skeptically and found out that it really does
work as advertised. It works in a trial mode and a non-trial mode. In trial mode the software makes note of any software
changes that take place in your system, and I mean any. I had forgotten that I had merely downloaded some new stuff but
had not yet installed it, and when I got out of trial mode, "voilà", it was soon to be gone. I say soon to be gone because
Trialblazer gives you the opportunity to keep the stuff you had before the trial started. It keeps everything in neat
little folders--actually it keeps dupes of all your original folders, whether or not there is anything in there that was
saved from the trial mode.

I tried this with a vboxed software package and ran in trial mode for a couple of days, enough to test the system. Then I
switched back to regular running again and reinstalled the vboxed software. Everything was fresh and pristine, as if the
vboxed software had never been there. All traces were wiped from my system. Additionally, something that I did was to
download another prog called Automate 4.3e so I could create a simple little macro that would change the date and then
run the vboxed prog. I set the time ahead and ran my vboxed prog without any problems. The vboxed prog was still at the
original starting time limit. Such is life, friends. Now back on track.

Initially, when you get ready to install the Trialblazer prog, it asks you to dial up the web and get a serial number. You
really don't need to do that, as I'll show you around that requirement as well. Jump down to the essay and let's go.

Tools required

w32dasm 8.x--your choice of flavors

hex editor needed- UltraEdit 7.xx or whatever you want to use

restorator 2.5 or your favorite resource editor

Target's URL/FTP


Just go to this site and then download what you need.

Program History
History lesson - see upstairs--I don't know any history on this prog--just get it!

Now here we go! It's not too often that I get the chance to really enjoy the software I examine, but I admit that this
is one. I did not mention earlier that this is a use-limited version. The evaluation version allows only 5 uses. So
what we are going to do is:
  1. Fix the usage problem and
  2. Get around the initial serial number requirement and keep us out of procode's database of users.
Is that OK? When you get around to installing this program, you'll notice that it is a set of several executables. 
As soon as you click the trail25.exe to begin the installation you'll be shown a little messagebox about this being a 
trial that allows 5 uses, as I already said, then it will ask you to log in to their website so they can give you a 
free EKEY (Evaluation Unlock Key) to try their product. You can avoid all that by intercepting the request. Since the 
program is already running, you'll have to get w32dasm up and running and load (attach) a .dll, say user32.dll, which 
you will already have disassembled and saved, since you use it all the time like this. Attach it to _install.exe. 
Once the .dll is attached, you will see that you're really in the program you just attached to. If the debug breaks,
just be sure to single-step once to clear it. Of course, you'll have to back track some and eventually end up here:

:0040213E 90                      nop
:0040213F 90                      nop
:00402140 56                      push esi
:00402141 8BF1                    mov esi, ecx
:00402143 8B4C2410                mov ecx, dword ptr [esp+10]
:00402147 8B4108                  mov eax, dword ptr [ecx+08]
:0040214A 3D31FFFFFF              cmp eax, FFFFFF31
:0040214F 7455                    je 004021A6 <---This Must be nopped!!
:00402151 3D32FFFFFF              cmp eax, FFFFFF32
:00402156 742D                    je 00402185
:00402158 3D38FFFFFF              cmp eax, FFFFFF38
:0040215D 7416                    je 00402175  <---Very Important Jump!!
:0040215F 8B44240C                mov eax, dword ptr [esp+0C]
:00402163 51                      push ecx
:00402164 8B4C240C                mov ecx, dword ptr [esp+0C]
:00402168 50                      push eax
:00402169 51                      push ecx
:0040216A 8BCE                    mov ecx, esi
:0040216C E82F5D0000              call 00407EA0
:00402171 5E                      pop esi
:00402172 C20C00                  ret 000C

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
:004021A6 8B16                    mov edx, dword ptr [esi]
:004021A8 8BCE                    mov ecx, esi
:004021AA FF92D0000000            call dword ptr [edx+000000D0] <--This calls the wrong unlock code messagebox
:004021B0 84C0                    test al, al  <--This is where you land when you single-step into the messagebox
:004021B2 7417                    je 004021CB  <-- and ret back to here a couple of ret's.
:004021B4 8B7604                  mov esi, dword ptr [esi+04]
:004021B7 66FF8684030000          inc word ptr [esi+00000384]
:004021BE C6868603000001          mov byte ptr [esi+00000386], 01
:004021C5 33C0                    xor eax, eax
:004021C7 5E                      pop esi
:004021C8 C20C00                  ret 000C

As you'll notice, my very important jump is where you need to end up. But first, to get there, you have to change
this little bit of code:

:0040214F 7455 je 004021A6 <---This Must be nopped!!  Change to:
          9090 nop nop 

:0040215D 7416 je  00402175  You can just make this into a jump    Change to:
          EB16 jmp 00402175  Now the program will allow you to install it with whatever unlock code you want to use.

Great! Now we've taken care of step number 2 above. We've gotten around the serial number requirement. So onward we go.
(Now if you want to really find the correct serial number, you can do that. Just follow along. First look above at
004021AA. Next see below and follow my notes.)

* Referenced by a CALL at Address:
:00402620 8B542404                mov edx, dword ptr [esp+04]
:00402624 57                      push edi
:00402625 8BFA                    mov edi, edx
:00402627 83C9FF                  or ecx, FFFFFFFF
:0040262A 33C0                    xor eax, eax
:0040262C F2                      repnz
:0040262D AE                      scasb
:0040262E F7D1                    not ecx
:00402630 49                      dec ecx
:00402631 83F906                  cmp ecx, 00000006 <--This compares the length: the key must be exactly 6 characters, which the program tells you anyway.
:00402634 7404                    je 0040263A
:00402636 32C0                    xor al, al
:00402638 5F                      pop edi
:00402639 C3                      ret

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
:0040263A 52                      push edx
:0040263B E8607C0000              call 0040A2A0  <--Evidently turns the 6-char string (pushed in edx) into a number
:00402640 83C404                  add esp, 00000004 ---one C-style argument cleaned up here
:00402643 3D7BB90C00              cmp eax, 000CB97B  <--Here is the long lost code number--Go figure!!!
:00402648 0F94C0                  sete al            --- 833915 in decimal form- 6 digits as needed
:0040264B 5F                      pop edi
:0040264C C3                      ret

Step #1 was a little trickier, as you'll have to shut down your system a time or two to get what you want here. The reason 
is because the program you really need to work with is always in use. You can't easily get it out of your system tray,
which is ok, because you really need it there to do its job anyway. So don't fret. We'll work our way through the dark 
code forest.

The program installs itself into C:\trlblzr and places several executables there along with txresdll.dll. I recommend
you disassemble this file and also have a look at it with your resource editor. It is very important in helping
you to find your way. Here are some key strings from the resource.

100	Either the use-by date for this evaluation edition of Procode TrialBlazer has expired or you have no evaluation 
uses remaining.  We invite you to registered this software to continue use.  Please use the online registration option 
or contact us by email at sales@procode.com.au.  Thank you.   (This is 100 = 64 in hex)
101	You have %d evaluation trials for this product remaining.
	Would you like to purchase this software online now?   (This is 101 = 65 in hex)

Number 101 comes up any time after you run the program the first time and continues to count down. Number 100 pops up,
as it says, when you have no further evals left. Of course, there are other strings that you can mess with, but these
are very important for us. They are markers left for us to find our way in the deep, dark code forest. The reason they
are important is because you can't access the resource dll directly from within txwin.exe, which is the main executable
to play with. Therefore you have to access the substance from within the dll, and the way to do that is to know what
you're looking for. All the strings we need are referenced as hex code pushes: the resource ID (64h or 65h) is pushed as
an immediate right before the call that fetches the string. This is not that unusual; I've seen that scenario play out
time and time again. Since the strings were not provided in an easily read human form, I had to begin thinking along a
different line: that they might be referenced by ID instead. Then I began to do searches for 00000064 and 00000065 from
within the disassembled prog. Now, you have to understand that the program could not be run during these search sessions
through w32dasm, because the program is already running. The only thing I could do was a static search to look for
clues. I also looked for 00000005, since that might be either my time-out or a counter load. Hard to tell at first glance.
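Here is an added example of that static search, written by me for this page; it is not part of the essay above and not code from the TrialBlazer package. It walks a w32dasm listing, picks out every push of an immediate that equals one of the resource string IDs, and reports the call that follows it, which is the string-loading routine (00415280 in the listing further down). A push with no call right after it is flagged so you can dismiss it, since any small constant can look like an ID. The sample listing lines are copied from the listing in this essay, except for the last two, which are constructed to show exactly that false positive. The resource table holds the two strings quoted above.

```python
"""Static search of a w32dasm listing for resource-string ID pushes (added example)."""
import re

# The two strings quoted from txresdll.dll, keyed by resource ID.
RESOURCE_STRINGS = {
    100: "Either the use-by date for this evaluation edition of Procode TrialBlazer has "
         "expired or you have no evaluation uses remaining.  We invite you to registered "
         "this software to continue use.  Please use the online registration option or "
         "contact us by email at sales@procode.com.au.  Thank you.",
    101: "You have %d evaluation trials for this product remaining.",
}

# w32dasm line shape: ":<VA> <opcode bytes> <mnemonic> [operands] [<--note]"
LINE_RE = re.compile(r"^:(?P<va>[0-9A-Fa-f]{8})\s+(?P<hex>[0-9A-Fa-f]+)\s+"
                     r"(?P<mnem>[a-z]+)\s*(?P<ops>.*)$")


def parse_listing(text):
    """Return [(va, mnemonic, operands)] for each instruction line. Lines that
    are not instructions ("* Referenced by ...", blanks) are skipped and the
    hand-written notes after the operands are dropped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ops = re.split(r"\s{2,}|<--|---", m["ops"])[0].strip()
            rows.append((int(m["va"], 16), m["mnem"], ops))
    return rows


def find_resource_pushes(text, ids, lookahead=3):
    """Return [(push_va, id, call_operand)] for every `push imm32` whose value is
    in `ids`. call_operand is the target of the first call within `lookahead`
    instructions (the string-loading routine), or None when no call follows,
    which usually means the value is not a resource ID at that spot."""
    rows = parse_listing(text)
    hits = []
    for i, (va, mnem, ops) in enumerate(rows):
        if mnem != "push" or not re.fullmatch(r"[0-9A-Fa-f]{8}", ops):
            continue
        imm = int(ops, 16)
        if imm not in ids:
            continue
        call = next((nops for _, nmnem, nops in rows[i + 1:i + 1 + lookahead]
                     if nmnem == "call"), None)
        hits.append((va, imm, call))
    return hits


def annotate(hits):
    """Human-readable report lines for the hits."""
    out = []
    for va, imm, call in hits:
        where = f"loaded by call {call}" if call else "no call follows; probably not a string load"
        out.append(f"{va:08X}: push {imm:X}h (string {imm}) -> {where}: "
                   f"{RESOURCE_STRINGS.get(imm, '?')[:40]!r}")
    return out


# Sample lines copied from the listing in the essay; the LAST TWO are constructed
# to show a push 64h that is not followed by a string-loading call.
SAMPLE_LISTING = """\
:00407E2E 83F805                  cmp eax, 00000005
:00407E31 735B                    jnb 00407E8E
:00407E33 50                      push eax
:00407E34 6A65                    push 00000065  <--Look Here!!
:00407E36 E845D40000              call 00415280
:00407E3B 8D4C2418                lea ecx, dword ptr [esp+18]
:00407E49 6824000100              push 00010024
:00407E4E 6A03                    push 00000003
:00407E50 E82BD40000              call 00415280
:00407E77 6A66                    push 00000066
:00407E79 E802D40000              call 00415280
:00407EE4 6840000100              push 00010040
:00407EE9 6A03                    push 00000003
:00407EEB E890D30000              call 00415280
:00407EF0 50                      push eax
:00407EF1 6A64                    push 00000064 <--Ah, what do we have here?
:00407EF3 E888D30000              call 00415280
:00401000 6A64                    push 00000064
:00401002 C3                      ret
"""

if __name__ == "__main__":
    for line in annotate(find_resource_pushes(SAMPLE_LISTING, RESOURCE_STRINGS)):
        print(line)
```

Feed it the whole .alf/.txt listing you saved from w32dasm instead of SAMPLE_LISTING and you get every candidate for 64h and 65h in one pass, with the call target beside each, which is exactly the clue that points you to 00415280 and the nag/expired code paths.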

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
:00407E03 E848750000              call 0040F350
:00407E08 84C0                    test al, al
:00407E0A 0F85B7000000            jne 00407EC7
:00407E10 E82BE1FFFF              call 00405F40
:00407E15 E8B6E4FFFF              call 004062D0
:00407E1A 6800270000              push 00002700
:00407E1F 8BF0                    mov esi, eax
:00407E21 E8CAD00000              call 00414EF0 <--Very important call!!
:00407E26 85F6                    test esi, esi <--esi is loaded from back inside this last call--just follow it!
:00407E28 0F84B6000000            je 00407EE4   ---If there is no more time left (esi=0) boom! you're out the door
:00407E2E 83F805                  cmp eax, 00000005 <--Here's a cmp for the eval uses
:00407E31 735B                    jnb 00407E8E      ---Note--jnb jumps when eax >= 5, i.e. you just started and you won't get
:00407E33 50                      push eax          ---the nag screen #101 aka 65(h)
:00407E34 6A65                    push 00000065  <--Look Here!! When eax is below 5 (a use already burned), you fall through
:00407E36 E845D40000              call 00415280  ---the jump at 00407E31 and the nag gets loaded here--Nice
:00407E3B 8D4C2418                lea ecx, dword ptr [esp+18]
:00407E3F 50                      push eax
:00407E40 51                      push ecx
:00407E41 E87AE10000              call 00415FC0
:00407E46 83C40C                  add esp, 0000000C
:00407E49 6824000100              push 00010024
:00407E4E 6A03                    push 00000003
:00407E50 E82BD40000              call 00415280
:00407E55 8D542418                lea edx, dword ptr [esp+18]
:00407E59 50                      push eax
:00407E5A 52                      push edx
:00407E5B 55                      push ebp
:00407E5C E82FD50000              call 00415390
:00407E61 83F806                  cmp eax, 00000006
:00407E64 0F84A3000000            je 00407F0D
:00407E6A 6824000100              push 00010024
:00407E6F 6A03                    push 00000003
:00407E71 E80AD40000              call 00415280
:00407E76 50                      push eax
:00407E77 6A66                    push 00000066
:00407E79 E802D40000              call 00415280
:00407E7E 50                      push eax
:00407E7F 55                      push ebp
:00407E80 E80BD50000              call 00415390
:00407E85 83F806                  cmp eax, 00000006
:00407E88 0F858D000000            jne 00407F1B

* Referenced by a CALL at Address:
:00414EF0 81EC80120000            sub esp, 00001280
:00414EF6 56                      push esi
:00414EF7 668B842488120000        mov ax, word ptr [esp+00001288]
:00414EFF 33F6                    xor esi, esi
:00414F01 8D4C2404                lea ecx, dword ptr [esp+04]
:00414F05 56                      push esi
:00414F06 56                      push esi
:00414F07 6840090000              push 00000940
:00414F0C 51                      push ecx
:00414F0D 8D942454090000          lea edx, dword ptr [esp+00000954]
:00414F14 6840090000              push 00000940
:00414F19 52                      push edx
:00414F1A 6800E00000              push 0000E000
:00414F1F 6689842460090000        mov word ptr [esp+00000960], ax
:00414F27 89742420                mov dword ptr [esp+20], esi
:00414F2B E8F0F7FFFF              call 00414720
:00414F30 84C0                    test al, al
:00414F32 7404                    je 00414F38
:00414F34 8B742404                mov esi, dword ptr [esp+04] <--Important--easily changed to
                                                              --31F64646, which is xor esi,esi and inc esi, inc esi
Why do that? Answer--to have always 2 days available to use.  You don't have to do that though really. You can just
as easily fix the jump at:
00407E31 735B  jnb 00407E8E  to be a plain vanilla 
         EB5B  jmp 00407E8E  to always force the jump so the nag screen never shows anyway. Your choice.
Back to 00407E21

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
:00407EE4 6840000100              push 00010040
:00407EE9 6A03                    push 00000003
:00407EEB E890D30000              call 00415280
:00407EF0 50                      push eax
:00407EF1 6A64                    push 00000064 <--Ah, what do we have here? Of course, the expired screen (#100)!!! This is where the je at 00407E28 lands.
:00407EF3 E888D30000              call 00415280
:00407EF8 50                      push eax
:00407EF9 55                      push ebp
:00407EFA E891D40000              call 00415390
:00407EFF E82CE3FFFF              call 00406230
:00407F04 8BCF                    mov ecx, edi
:00407F06 E895010000              call 004080A0
:00407F0B EB13                    jmp 00407F20

That wasn't so bad, was it? Sometimes you just have to look at things a little differently to accomplish what you want.
Once you figure out what it is that you need to change in your hex editor, you will have to save it under a different name,
because txwin.exe is running, as I said earlier. Then what you need to do is shut your system down and either boot
into Safe mode or just boot off a start disk so you have access to your drives at the DOS level. At the C:> prompt,
cd into the C:\trlblzr directory, find the original txwin.exe and rename it. Then rename the file you fixed to
txwin.exe. Away you go! Now restart your system and you're back in business.
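As an added example (my own script, not from this essay and not from Procode), here is a small Python patcher that does the hex-editor step for you and writes to a new file name, so the rename dance above stays the same. It maps the w32dasm virtual addresses to file offsets through the PE section table instead of hunting for byte patterns, refuses to write unless the bytes on disk are the ones the listing shows (a different build fails loudly rather than getting patched at the wrong spot), and checks that each short jump's displacement really reaches the target the listing names (je rel8 at 0040214F plus 2 plus 55h is 004021A6, and so on). The patch lists are the ones from this essay for _install.exe and txwin.exe; the script name patch_trlblzr.py and the stand-in PE images it builds for the offline demo are my own and are not the real executables.

```python
"""Patch the TrialBlazer binaries as described in the essay (added example).
Usage: python patch_trlblzr.py <in.exe> <out.exe> install|txwin
With no arguments it runs against constructed stand-in images."""
import struct
import sys

# (virtual address, bytes the listing shows, replacement, branch target from
# the listing, or None when the patch is not a short jump)
INSTALL_PATCHES = [                                     # _install.exe
    (0x40214F, bytes.fromhex("7455"), bytes.fromhex("9090"), 0x4021A6),  # je -> nop nop
    (0x40215D, bytes.fromhex("7416"), bytes.fromhex("EB16"), 0x402175),  # je -> jmp
]
TXWIN_PATCHES = [                                       # txwin.exe
    (0x407E31, bytes.fromhex("735B"), bytes.fromhex("EB5B"), 0x407E8E),  # jnb -> jmp
]
TXWIN_ALT_PATCHES = [                                   # the other choice: esi = 2
    (0x414F34, bytes.fromhex("8B742404"), bytes.fromhex("31F64646"), None),
]
PATCH_SETS = {"install": INSTALL_PATCHES, "txwin": TXWIN_PATCHES}


def rel8_target(va, rel):
    """Destination of a two-byte short branch (jcc/jmp rel8) located at va."""
    return va + 2 + (rel - 0x100 if rel >= 0x80 else rel)


def parse_sections(pe):
    """Return (image_base, [(rva, vsize, raw_ptr, raw_size), ...]) of a PE32."""
    e_lfanew, = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    nsec, = struct.unpack_from("<H", pe, e_lfanew + 6)
    opt_size, = struct.unpack_from("<H", pe, e_lfanew + 20)
    if struct.unpack_from("<H", pe, e_lfanew + 24)[0] != 0x10B:
        raise ValueError("only PE32 (32-bit) images are handled")
    image_base, = struct.unpack_from("<I", pe, e_lfanew + 24 + 28)
    table = e_lfanew + 24 + opt_size
    secs = []
    for i in range(nsec):                               # 40-byte section headers
        vsize, rva, raw_size, raw_ptr = struct.unpack_from("<IIII", pe, table + i * 40 + 8)
        secs.append((rva, vsize, raw_ptr, raw_size))
    return image_base, secs


def va_to_offset(image_base, secs, va):
    """Map a virtual address from the listing to an offset in the file on disk."""
    rva = va - image_base
    for sec_rva, vsize, raw_ptr, raw_size in secs:
        if sec_rva <= rva < sec_rva + max(vsize, raw_size):
            return raw_ptr + (rva - sec_rva)
    raise ValueError(f"{va:08X} is not inside any section")


def apply_patches(pe, patches):
    """Return a patched copy; refuse a file whose bytes differ from the listing."""
    image_base, secs = parse_sections(pe)
    out = bytearray(pe)
    for va, old, new, target in patches:
        if target is not None and (rel8_target(va, old[1]) != target or
                                   (new[0] == 0xEB and rel8_target(va, new[1]) != target)):
            raise ValueError(f"{va:08X}: short jump does not reach {target:08X}")
        off = va_to_offset(image_base, secs, va)
        found = bytes(out[off:off + len(old)])
        if found != old:
            raise ValueError(f"{va:08X} (offset {off:#x}): expected {old.hex()}, "
                             f"found {found.hex()}; different build?")
        out[off:off + len(new)] = new
    return bytes(out)


def build_fake_pe(planted, image_base=0x400000, sec_rva=0x1000, raw_ptr=0x200):
    """Constructed stand-in (NOT the real _install.exe or txwin.exe): a minimal
    PE32 with one section carrying the listing's bytes at the named VAs."""
    top = max(va + len(b) for va, b in planted.items()) - image_base - sec_rva
    raw_size = (top + 0x1FF) & ~0x1FF
    img = bytearray(raw_ptr + raw_size)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x80)                                  # e_lfanew
    img[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", img, 0x84, 0x14C, 1, 0, 0, 0, 0xE0, 0x102)  # COFF header
    struct.pack_into("<H", img, 0x98, 0x10B)                                 # PE32 magic
    struct.pack_into("<I", img, 0x98 + 28, image_base)                       # ImageBase
    sec = 0x98 + 0xE0
    img[sec:sec + 8] = b".text\0\0\0"
    struct.pack_into("<IIII", img, sec + 8, raw_size, sec_rva, raw_size, raw_ptr)
    for va, b in planted.items():
        off = raw_ptr + (va - image_base - sec_rva)
        img[off:off + len(b)] = b
    return bytes(img)


def demo():
    """Patch constructed stand-ins for both targets; returns {name: patched bytes}."""
    return {name: apply_patches(build_fake_pe({va: old for va, old, _, _ in patches}), patches)
            for name, patches in PATCH_SETS.items()}


if __name__ == "__main__":
    if len(sys.argv) == 4:
        src, dst, which = sys.argv[1:]
        with open(src, "rb") as f:
            data = f.read()
        with open(dst, "wb") as f:            # new name: txwin.exe is in use
            f.write(apply_patches(data, PATCH_SETS[which]))
        print(f"wrote {dst}; rename it over {src} from DOS or Safe mode")
    else:
        for name, data in demo().items():
            print(name, "stand-in patched OK,", len(data), "bytes")
```

Swap TXWIN_ALT_PATCHES in for TXWIN_PATCHES if you prefer the xor esi,esi / inc esi / inc esi variant at 00414F34; both lists keep the instruction length the same, which is why no code has to move. Running it a second time on the output fails on purpose, because 9090 or EB5B is no longer what the listing shows.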

Final Notes

This 2-step lesson was a little more complicated, but certainly worth the effort of figuring things out. Until later.

If you have any questions please feel free to contact me at jomamameister@yahoo.com

Oh Duh
I won't even bother explaining to you that you should BUY this target program if you intend to use it for a longer period than the allowed one.