There is a crack, a crack in everything. That's how the light gets in. |
"Express is an exciting addition to the InstallShield family of products. It has been designed to make creating a professional-quality installation faster and easier than ever before, while still providing the features you need most. No other installation development system can match the features of Express."
We are greeted with the familiar 30 day evaluation screen, commonly used by this type of protection system. Click on the 'Register' button then fill in your User details. Before proceeding, press the CTRL-D keys together to fire up Softice. Type bpx messageboxa then x to leave Softice. We've just told Softice to break on any and all occasions when the program uses the system function MessageBoxA. For those who may not know what this system function does, it displays a message box on your screen, which in this case will simply tell us that our serial number is incorrect.

Now you can click on the 'OK' button. Softice breaks at the start of the system function MessageBoxA. From within Softice press the 'F11' key once. The expected message box is now displayed telling us that our serial number was incorrect, oh dear, really! Click on the 'OK' button; this will close this annoying message box, at which point Softice once again breaks. We are now in the TL32V2.DLL code, where the program's protection hides.
* Referenced by a (C)onditional Jump at Address: :10004BA2(C)
:10004BE2 6800200000    push 00002000
:10004BE7 6839D50110    push 1001D539
:10004BEC 680BDC0110    push 1001DC0B
:10004BF1 56            push esi
:10004BF2 FF1594050210  Call USER32.MessageBoxA
:10004BF8 EB2D          jmp 10004C27          ;We land here.
For those who have been following my previous essays on TimeLock32 cracking you will no doubt know that before the program displays our 'Sorry, invalid registration code bla bla bla.....' message it performs these tasks first:
1. Check if the entered serial number matches the 'Real' one, generated by the program itself, which in turn is based on our User Name.
2. If the above check fails, then see if the entered serial number matches the 'Extend Evaluation Period' unlock code. This code is based on the Installation key, a unique key that is generated at Install time.
One of the things I like best about this protection system is that all the protection routines are housed in a single .DLL file and that they are laid out in a logical order. I can't believe any software company would want to rely on such an easy protection system! I've seen some Shareware programs better protected!
OK, back to this essay. In our dead listing of TL32V2.DLL (you did make a dead listing, didn't you?) we see that this 'beggar off cracker' routine (so called because it tells us we got the code wrong) was called by a conditional jump at memory location 10004BA2:
* Referenced by a (C)onditional Jump at Address: :10004BA2(C)
So, let's now find this conditional jump location and try to find out what made the program reject our serial number. Here's the code snippet that sent us to the 'Beggar off cracker' routine:
:10004B98 E8A31B0000    call 10006740         ;Check if the User's serial number is
                                              ;supposed to give them an extended
                                              ;30 day evaluation period.
:10004B9D 83C408        add esp, 00000008     ;Adjust extended stack.
:10004BA0 85C0          test eax, eax         ;EAX=FFFFFFFF?
:10004BA2 753E          jne 10004BE2          ;Yes? then beggar off.
While I have filled in the details of the above routine for you, I still recommend that you also check the above routine yourselves; it's the only way to learn. Here's how:-
Once you've had Softice break on the system function MessageBoxA and then used the F11 key to return back into the TL32V2.DLL code, you should THEN type: bpx 10004b98, which will set a new breakpoint at the start of the above code. Now when you re-run the registration process Softice will break here first, before displaying the 'Beggar off cracker' message. Simply press the 'F10' key a few times, noting down what information the registers contain. To see what the temporary unlock code is, which the program requires so that it extends your 30 day evaluation period by a further 30 days, you will need to follow the call 10006740 using the 'T' key instead of the 'F10' key.
Once you've satisfied yourselves about how the temporary unlock code works we now proceed onto the main routine that handles our Registration codes. To do this all we need to do is scroll up our dead listing a little until we come across the first occurrence of a Call instruction closely followed by a conditional jump instruction, which we find here:-
:10004B55 E841C5FFFF    call 1000109B         ;Check for *real* serial #
:10004B5A 83C404        add esp, 00000004     ;Adjust stack
:10004B5D 85C0          test eax, eax         ;Serial correct?
:10004B5F 7471          je 10004BD2           ;No? then check if this serial is a
                                              ;temporary 30 day unlock code.
:10004B61 6800200000    push 00002000         ;Come here if serial OK!
:10004B66 6839D50110    push 1001D539
:10004B6B 68DFDA0110    push 1001DADF
:10004B70 6A00          push 00000000
:10004B72 FF1594050210  Call USER32.MessageBoxA ;Thank you cracker!
                                              ;The next instruction places a value of '1' into
                                              ;memory location [1001AA30], which the program uses
                                              ;to tell if it has been *REGISTERED*!
:10004B78 C70530AA011001000000 mov dword ptr [1001AA30], 00000001
:10004B82 EB4E          jmp 10004BD2          ;Continue with program
Many newbies ask me how I 'know' that I've found the correct section of code I'm looking for just by looking at a dead listing. After back-tracking a little through the code I have a good idea of what the program SHOULD be doing; in other words I know how this protection works. This type of protection system follows a simple 'set' of 'RULES' that dictate how the program should behave when it processes the User's serial number. In plain English it means:-
1. Check the serial number (call the serial checking routine).
   Is the serial correct? (perform a test/cmp here)
   (1st conditional jump here) --> correct: go to 2, invalid: go to 3
2. Serial is correct!
   Display "Thank you" message.
3. Serial invalid!
   Check if the serial is a temporary unlock code.
   Is the serial correct? (perform a test/cmp here)
   (2nd conditional jump here) --> yes: go to 4, no: go to 5
4. Yes? then extend the evaluation period.
   Display "Evaluation period extended" message.
5. No? then display the "Beggar off cracker" message.
When I used Softice to break on the messagebox routine that displays the message telling me that my registration code was invalid, I then knew that I would return from this system function straight into the 'Beggar off cracker' routine. From here I know that if I scroll up the dead listing I will come across TWO conditional jump instructions. The first conditional jump (we're working backwards, remember) would be to do with the temporary 30 day unlock code. The second conditional jump I find will be to do with the checking of my *fake* serial against the *real* serial number. Does this make any sense so far?
Now we must follow where the call 1000109B leads us to...
* Referenced by a CALL at Addresses:
|:100032F0, :10003316, :10003377, :100033C0, :100033CE
|:100036E8, :10003711, :10004B55, :10004BA6
:1000109B E908030000    jmp 100013A8
Now the program follows a complex course of generating the *real* serial number, and if you take the time to follow where all the calls and jumps lead you will eventually end up at this routine:
* Referenced by a (C)onditional Jump at Address: :10004B2F(C)
:10004B84 8D45D8        lea eax, dword ptr [ebp-28] ;Get the memory address of where
                                                    ;our *real* serial number is stored!
                                                    ;At this point you can type: d eax to
                                                    ;reveal the *real* serial number you
                                                    ;should use to register this program with.
:10004B87 50            push eax              ;Save contents of eax register.
In order to get Softice to break here, skipping over large sections of code in the process, you need to do the following:-
1. Fill in the Registration details for InstallShield.
2. Press Ctrl-D then type bpx messageboxa
3. Type x to leave Softice.
4. Click 'OK' to have InstallShield check your serial & User Info.
5. Softice breaks.
6. Press the F11 key once, then click on the 'OK' button of the message on your screen.
7. Type bc * to clear any old Softice breakpoints.
8. Type u 10004B84 then type bpx 10004b84
9. Type x to leave Softice.
10. Re-run the Registration process and click on the 'OK' button to let InstallShield check your serial & User details.
11. Softice breaks at the point where it now retrieves your *real* serial number and places its memory location into the eax register. See the above snippet of code.
12. Press the 'F10' key once.
13. Type d eax to see your *real* serial number.
Job Done... (from my point of view, not yours)
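The weakness the essay keeps returning to is a design one: the client itself regenerates the 'real' serial from the user name and then compares it, so both the generator and the plaintext serial sit inside the program and one `d eax` at the right spot shows it. The Go program below is an added illustration, not code from the essay, from TimeLock32 or from InstallShield. WeakCheck mirrors the `call 1000109B / test eax,eax / je` shape with a constructed stand-in generator (the essay never shows TimeLock32's real algorithm). StrongCheck shows the alternative a vendor should prefer: the client ships only an Ed25519 public key and a serial is a signature issued by the vendor, so nothing inside the client can produce a valid one. The key seed is a constructed demo value, not a real vendor key.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base32"
	"encoding/hex"
	"fmt"
	"strings"
)

// b32 is the unpadded base32 alphabet used to print the signature-based serial.
var b32 = base32.StdEncoding.WithPadding(base32.NoPadding)

// WeakGenerateSerial is a constructed stand-in for a name-based serial
// generator that lives inside the client binary. Anyone who can run or
// read the client can run this too.
func WeakGenerateSerial(user string) string {
	sum := sha256.Sum256([]byte("constructed-salt-not-timelock32:" + strings.ToUpper(user)))
	return strings.ToUpper(hex.EncodeToString(sum[:8]))
}

// WeakCheck is the pattern the essay exposes: reconstruct the expected
// serial in memory, then compare it with what the user typed. The
// `expected` buffer is exactly what a debugger can dump.
func WeakCheck(user, typed string) bool {
	expected := WeakGenerateSerial(user)
	return subtle.ConstantTimeCompare([]byte(expected), []byte(strings.ToUpper(typed))) == 1
}

// DemoKeyPair derives a throwaway Ed25519 key pair from a fixed, constructed
// seed so the example runs offline. A vendor keeps the private half off the client.
func DemoKeyPair() (ed25519.PublicKey, ed25519.PrivateKey) {
	seed := sha256.Sum256([]byte("constructed demo seed, not a vendor key"))
	priv := ed25519.NewKeyFromSeed(seed[:])
	return priv.Public().(ed25519.PublicKey), priv
}

// VendorIssueSerial runs on the vendor's side only: the serial is a
// signature over the normalised user name.
func VendorIssueSerial(priv ed25519.PrivateKey, user string) string {
	sig := ed25519.Sign(priv, []byte(strings.ToUpper(user)))
	return b32.EncodeToString(sig)
}

// StrongCheck is the client-side check. It holds only the public key, so it
// can verify a serial but has no routine that could generate one.
func StrongCheck(pub ed25519.PublicKey, user, typed string) bool {
	sig, err := b32.DecodeString(strings.ToUpper(strings.TrimSpace(typed)))
	if err != nil || len(sig) != ed25519.SignatureSize {
		return false
	}
	return ed25519.Verify(pub, []byte(strings.ToUpper(user)), sig)
}

func main() {
	user := "Example User"
	fmt.Println("weak: expected serial lives in the client:", WeakGenerateSerial(user))
	fmt.Println("weak check with its own serial:", WeakCheck(user, WeakGenerateSerial(user)))

	pub, priv := DemoKeyPair()
	serial := VendorIssueSerial(priv, user)
	fmt.Printf("strong serial (%d chars): %s\n", len(serial), serial)
	fmt.Println("strong check:", StrongCheck(pub, user, serial))
	fmt.Println("strong check, name changed:", StrongCheck(pub, "Someone Else", serial))
	fmt.Println("strong check, garbage serial:", StrongCheck(pub, user, "GARBAGE"))
}
```

A 64-byte signature gives a 103-character serial, longer than a shrink-wrap product would print on a card; shorter schemes exist, but the design point is the same: the client verifies, it never generates. Note what this does and does not fix: a signature stops the "read the real serial out of memory" shortcut, but the single `mov dword ptr [1001AA30], 1` registered flag that follows a successful check is still one instruction deciding everything, so the check result should feed into program behaviour in more than one place rather than into one global flag.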
Ripping off software through serials and cracks is for lamers.
If you're looking for cracks or serial numbers from these pages then you're wasting your time; try searching elsewhere on the Web under Warez, Cracks etc.