Log in

View Full Version : What I can expect from InterLok?


neviens
November 22nd, 2001, 11:55
Hi all!
Has anybody a practice with Interlok shareware protection from
PACE? What is a right aproach to this beast? Any links, literature?
TIA,
Neviens.

Kythen
November 25th, 2001, 22:21
I've found Interlok to be very easy to eliminate (at least the wrapper version, never seen the API one). Just be sure that you don't use SoftICE, as Interlok uses a "fun" little vxd that will reboot your system if you're messing around with SI. My recommendation is to use an API level debugger like WinDbg (the debugger from the Windows SDK). Trace through your target app with it and you'll see how basic the wrapper is. A function call or two for the nag, and then a jump to the OEP. If you use WinDbg, you can even just dump it with procdump while the debugger is running because it's controlling the target process. No modifications should be required after dumping, but you may have to edit the debug info part in the PE header in order to get IDA to disassemble it. Just zero it out and you should be fine.

Cheers!
Kythen

tony b.
November 25th, 2001, 23:27
word up to that.

also, tsehp wrote this essay quite a while ago, if you haven't seen it yet: h**p://www.woodmann.net/fravia/tsehp_installpro62.htm

best regards,

tony

exit_2
November 29th, 2001, 04:37
Hello,
anyone have whole protector ? I want to look to it, not protected files, but protector. Pace hasn't free evaluation version, but maybe someone have it.


Thanks Exit

neviens
November 29th, 2001, 04:54
Thanks Kythen for suggestions and Tony for link. My case is a little
different - protected .dll (renaissance sound plugins) not .exe
Still working on it. Source is here: h**p://www.waves.com/
Neviens.

NikDH
November 29th, 2001, 06:42
Quote:
Originally posted by Kythen
Just be sure that you don't use SoftICE, as Interlok uses a "fun" little vxd that will reboot your system if you're messing around with SI.


Hi kythen,
think its quite easy to use the antisice trick just search the
search driver string in the vxd and change it
Perhaps u can study the vxd and find out where its rebooting the system (perhaps it should access the cr0 register) and work on it

See ya
NikDH

Kythen
November 29th, 2001, 13:04
Yeah, you can go in and eliminate that rebooting code, but it's not so easy to find actually. There is a ton of similar looking code tossed throughout that vxd. It really is just easier to use a different debugger. If you want to see what's doing the rebooting, look at the essay on Interlok written by Frog's_Print I believe. It does a semi-hidden output to the keyboard controller's reset port.

Cheers,
Kythen

JMI
November 30th, 2001, 19:35
Perhaps the article Kythen was referring to is:

Interlok VxD vagaries defeating the anti-debug trick inside tpkd.vxd, Written by macilaci

It has a good discussion of the rebooting feature of the Interlok vdx. The article is at:

http://www.woodmann.net/fravia/tpkdml.htm

The Interlok manuals are available on line, or at least an interim version. They are pushing their new dongle, called iLok.

Hope this is helpful. If you are interested, I have their readme file in text format which has several interesting point about their protection scheme in it. Most of my exterience with Pace was with removing their protection from Mac music software, which I did for years, before attempting to expand my reversing skills to the PC OS.