November 1998

"Splash v1.1"

(Another TimeLock UnLock)

Win '95/'98 PROGRAM

Win Code Reversing



by Punisher 



Cracking 4 Newbies 



Program Details

Program Name: Splash11.exe

Program Type: Web Authoring Tool

Program Location:

Program Size: 1.87mb 

   Tools Used:

Soft-Ice -- Debugger

Hacker's View -- Hex Editor


Easy ( X )  Medium (   )  Hard (    )  Pro (    ) 

There is a crack, a crack in everything. That's how the light gets in.


Splash v1.1

( Another TimeLock Unlock )

Written by Punisher



The author(s) of this program can be found at:
The author says:

" SPLASH! features tools and easy to use options unseen in many of
today's popular HTML authoring software packages. Everything can
be controlled at the main screen, from color and image
manipulation to the placement of images and text anywhere on your
web-page. "


About this protection system


This program uses the TimeLock DLL as it's protection scheme. Registration is via the Purchase button on the start up nag screen. There are three edit boxes to enter your info:-

Unlock Code :

Name :

Company :


Install Splash and run it. You are presented with a nag screen with three buttons, Purchase, Cancel and OK. There is also a Trial Usage Meter telling you the amount of time left to use the trial version. Also there is a Registration number.

Click on the Purchase button and you are presented with a dialogbox with three fields to enter you Unlock Code, Name and Company. Type in a fake Unlock code, Your name and Company.

Go into Softice by pressing ctrl-d. Set a breakpoint on GetWindowTextA.

eg:- BPX GetWindowTextA

Leave Softice by pressing ctrl-d. Now click the ok button.

Softice breaks in at GetwindowTextA. Type x and press enter. Sofice breaks in at GetWindowTextA a second time. This is because we have three field with info so press x and hit enter again. Softice breaks in at GetWindowTextA a third time.

Press F11 to to get back to the caller. You will now be inside the code of TL32v20.DLL. You will see this piece of code:-

:10003FB5    lea eax, dword ptr [ebp-28]    ; You will be here
:10003FB8 push eax
:10003FB9 call 10001D08 ; this call gets unlock code
:10003FBE add esp, 00000004
:10003FC1 lea eax, dword ptr [ebp-14]
:10003FC4 lea ecx, dword ptr [ebp-28]
:10003FC7 push eax
:10003FC8 push ecx
:10003FC9 call 10005A70
:10003FCE add esp, 00000008
:10003FD1 test eax, eax
:10003FD3 jnz 10004028 ; bad_cracker jump


At lea eax, dword ptr [ebp-28] dump the memory address at eax :

d eax

You will see your name. Now step pass the call at 10003FB9 using F10. You will see the unlock code appear at the memory address you just dumped. Write it down and type x and press enter. You will be back in the Purchase Dialog box. Now remove your fake unlock code and put in the real code and press enter. A message box will thank you for purchase and the program will go into the main program window.

I will like to say thanks to +Fravia, Sandman, CrackZ, Cruehead, Iczelion and all the others out there who help by providing the knowledge to make this possible.

You should buy this program if you intend to use it longer than the evaluation period.