Veritas Backup Exec 4.2.1 - 30 day Trial
tl32v21.dll ain't worth a crap for protection

05/10/00
by Sojourner

There is a crack, a crack in everything. That's how the light gets in.

Rating
(x)Beginner ( )Intermediate ( )Advanced ( )Expert
Ok, so this is a no-brainer for those of you with a little experience, but hey, we all gotta learn somewhere.

The Timelock that Never Was
Going through the Space-Time Continuum
Written by Sojourner
Have you ever found yourself wishing, "Man, I wish I would have backed up my system before that crash"? I don't know how many times that's happened to me, but I hate it. I have a CD burner but I'm a little lazy at times. Anyway, that's no way to treat your hard-earned investments, and I'm all for doing this on a regular basis now. I have a few backup programs on my system that I'm not too happy with as a rule, so I decided to download the trial of Veritas Backup Exec (it used to be Seagate Backup Exec). Since it would time out in thirty days, I decided to put my clock ahead 10 years. That should be plenty of time to evaluate this software. Lo and behold, it didn't work. You may laugh, but I'll tell you that NovaStor/NovaCd let me do that very thing. I've still got about 9 years and 8 months left on that one, friends, so don't laugh. You gotta have the ganas, the balls, the desire, you put your own word in there. My wife has a T-shirt from Gloria Vanderbilt and it says "Break the Rules!" You know what I mean. That's enough!
Tools used:
w32dasm 8.x - your choice of flavors
Hex editor - UltraEdit 7.xx or whatever you want to use
Just go to this site and then to their download section and get what you need.
Here we go, guys and girls. Go get the prog and download it, then run the installation setup. Now let's go ahead and disassemble it with w32dasm. Now, I have to admit that I never really could get w32dasm to run this baby straight out. I kept getting a start error message. Of course, by that time I had already timed myself out. I did look around inside of the disassembly though and saw some references to none other than the timelock dll. I couldn't believe it, but it was there. Well, I just about patted myself on the back because I knew I could lick this thing with one hand tied behind my back. I went ahead and disassembled that as well and had a look around inside and saw lots of goodies. I went ahead and nopped and patched a butt-load of code, to no avail. My program was still expired. Huh. I had to get serious now. What is a guy to do when he can't run the program from the beginning?

Well, fortunately, I had a nice big MessageBoxA staring me in the face telling me my program was expired. The only reasonable thing I could think of was to try to run w32dasm over the top of Backup Exec, now that it was up and running. I know that maybe this doesn't sound very useful since my program was already timed out, but my mindset was that maybe the initial expiration was not called by timelock itself, but by the Backup Exec prog. It was hard to be sure: the old chicken-and-the-egg question anew. I had nothing to lose by trying, that was for sure. I did use the disassembled tl32v21.dll as my entry point to the backup prog and attached it with w32dasm. Of course, as you know if you're at all familiar with w32dasm, we go right to where we need to be initially if it's going to work. In our case I got a debug break in Kernel32 and did a single-step only to bypass that.
Now, I surmised that this was indeed a USER32.MessageBoxA and decided to set breakpoints on all the message boxes there were, but you have to remember to go one line underneath the original call to the message box or you'll miss the return when you click 'OK'. The reason is that the function has already been called, so if you don't set the breakpoint beneath it you lose, but you'd never know it. Now trace this down to 004407DE.

* Reference To: USER32.MessageBoxA, Ord:01BEh   <------This is the right messagebox
|
:0044066C FF15544C4500   Call dword ptr [00454C54]

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0044065E(C)
|
:00440672 FF75FC   push [ebp-04]   ////Set your breakpoint here or you'll miss the boat

* Reference To: ADVAPI32.RegCloseKey, Ord:015Bh
|
:00440675 FF1504404500   Call dword ptr [00454004]

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:004405C2(C), :004405D8(C), :0044060C(C), :00440629(C), :00440694(U)
|
:0044067B 8BC3   mov eax, ebx
:0044067D E95C010000   jmp 004407DE
:00440682 6A00   push 00000000
:00440684 FF7534   push [ebp+34]

* Possible StringData Ref from Data Obj ->"This product has expired."
|
:00440687 68105C4700   push 00475C10
:0044068C 6A00   push 00000000

* Reference To: USER32.MessageBoxA, Ord:01BEh
|
:0044068E FF15544C4500   Call dword ptr [00454C54]
:00440694 EBE5   jmp 0044067B

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00440623(C)
|
:00440696 33C9   xor ecx, ecx
:00440698 3B4520   cmp eax, dword ptr [ebp+20]
:0044069B 0F95C1   setne cl
:0044069E 8BC1   mov eax, ecx
:004406A0 E939010000   jmp 004407DE

OK, so now we've followed this lead. What do I do?
Well, you could single-step through to 004407E2. Then you eventually end up at 00440AF8.

/////////////////////////////////////////////////////////////////////////
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0044067D(U), :004406A0(U), :0044074D(U), :004407B0(U)
|
:004407DE 5F   pop edi
:004407DF 5E   pop esi
:004407E0 5B   pop ebx
:004407E1 C9   leave
:004407E2 C3   ret   <---------HERE
///////////////////////////////////////////////////////////////////////
:00440AF0 8D85B8F8FFFF   lea eax, dword ptr [ebp+FFFFF8B8]
:00440AF6 50   push eax
:00440AF7 56   push esi
:00440AF8 E8F3F9FFFF   call 004404F0   <-------HERE
:00440AFD 83C430   add esp, 00000030

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0044085D(U), :004408E4(U)
|
:00440B00 5F   pop edi
:00440B01 5E   pop esi
:00440B02 5B   pop ebx
:00440B03 C9   leave
:00440B04 C3   ret   <--------HERE

Now follow the lead again and you will get to this ret above at 00440B04 and end up at 0042D77D, shown below. And this in turn is called by 0042C987. Whew, what a pain, right? No, it's part of the chase, friends. Persistence. Perseverance. The kicker comes here at 0042D782. What we need to do to keep from getting timed out is change this little jewel from an 85C0 to a 31C0, which is xor eax, eax. Now the jump will occur and your program will open up, even though it says it's expired. Go figure! Now you probably want to get rid of the message box altogether, don't you? Go ahead, it's alright. Be honest. You won't believe it. First go below this explanation.
///////////////////////////////////////////////////////////////////////
* Referenced by a CALL at Addresses:
|:0042C987, :0042CA2E, :0042CA9C, :0042CE95, :0042D545
|:0042DE33
|
:0042D76F 56   push esi
:0042D770 33F6   xor esi, esi
:0042D772 E83BD50000   call 0043ACB2
:0042D777 FF350C684700   push dword ptr [0047680C]
:0042D77D E891300100   call 00440813   <-------HERE
:0042D782 85C0   test eax, eax   <------And HERE
:0042D784 59   pop ecx
:0042D785 A374574700   mov dword ptr [00475774], eax
:0042D78A 7403   je 0042D78F
:0042D78C 6A01   push 00000001
:0042D78E 5E   pop esi

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0042D78A(C)
|
:0042D78F 8BC6   mov eax, esi
:0042D791 5E   pop esi
:0042D792 C3   ret

You need to go all the way back to the original message box at 0044066C and then just a little more, to 0044065E. Just change the 7512 to EB12 to force the jump. You may ask, "Well, why didn't we just do that in the first place?" Because it would not have helped you. All you would have succeeded in doing would have been to prevent the message from showing. The program still would not have worked. Now it will work properly. Enjoy!!! You see, the timelock dll didn't even matter. Can you believe spending money on that junk?
//////////////////////////////////////////////////////////////////////
* Reference To: ADVAPI32.RegQueryValueExA, Ord:017Bh
|
:00440656 FF1554404500   Call dword ptr [00454054]
:0044065C 85C0   test eax, eax
:0044065E 7512   jne 00440672   <------HERE
:00440660 56   push esi
:00440661 8D85CCF7FFFF   lea eax, dword ptr [ebp+FFFFF7CC]
:00440667 FF7534   push [ebp+34]
:0044066A 50   push eax
:0044066B 56   push esi

* Reference To: USER32.MessageBoxA, Ord:01BEh
|
:0044066C FF15544C4500   Call dword ptr [00454C54]

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0044065E(C)
|
:00440672 FF75FC   push [ebp-04]

* Reference To: ADVAPI32.RegCloseKey, Ord:015Bh
|
:00440675 FF1504404500   Call dword ptr [00454004]

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:004405C2(C), :004405D8(C), :0044060C(C), :00440629(C), :00440694(U)
|
:0044067B 8BC3   mov eax, ebx
:0044067D E95C010000   jmp 004407DE
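The whole protection comes down to two decision points: a `test eax, eax` on the result of the expiry check and the short conditional branch that follows it. From a defender's side, the useful lesson is that such spots are exactly where a vendor (or an incident responder looking at a copy of a shipped binary) should verify integrity. The Python below is an added example, not part of Sojourner's tutorial or of Backup Exec itself: it takes the two byte sequences transcribed from the w32dasm listings above as constructed sample data, decodes the short branches the same way the disassembler did (target = address of the next instruction + signed 8-bit displacement, so `75 12` at 0044065E lands on 00440672), and reports whether each site still carries its original bytes or shows one of the two alterations the text describes. The "tampered" image is constructed here for the comparison; a real audit would read the same virtual addresses out of the file under review. Decoding handles je/jne/jmp short forms generally, which goes a little beyond the two instructions on the page.

```python
"""Integrity check for the two trial-check decision points discussed above.

Added example, not code from the tutorial or from Backup Exec. The byte
strings are transcribed from the w32dasm listing in the text and used as
constructed sample data.
"""
import struct

# Short-branch opcodes we decode: one opcode byte followed by a signed rel8.
SHORT_BRANCHES = {0x74: "je", 0x75: "jne", 0xEB: "jmp"}


def decode_short_branch(code: bytes, off: int, va: int):
    """Decode the 2-byte short branch at code[off], located at virtual address va.

    Returns (mnemonic, target_va). The target is the next instruction (va + 2)
    plus the signed displacement, e.g. 75 12 at 0044065E -> jne 00440672.
    """
    opcode = code[off]
    if opcode not in SHORT_BRANCHES:
        raise ValueError(f"no short branch at {va:08X}: opcode {opcode:02X}")
    (disp,) = struct.unpack_from("<b", code, off + 1)
    return SHORT_BRANCHES[opcode], va + 2 + disp


# Each site: start VA of the fragment, the original bytes from the listing,
# and the offsets of `test eax,eax` and of the conditional branch inside it.
ORIGINAL_SITES = [
    # 0044065C: test eax,eax / jne 00440672 (the branch that skips MessageBoxA)
    {"va": 0x0044065C, "test": 0, "branch": 2,
     "code": bytes.fromhex("85C0 7512 56 8D85CCF7FFFF FF7534 50 56 FF15544C4500 FF75FC")},
    # 0042D77D: call 00440813 / test eax,eax / pop ecx / mov [...],eax / je 0042D78F
    {"va": 0x0042D77D, "test": 5, "branch": 13,
     "code": bytes.fromhex("E891300100 85C0 59 A374574700 7403 6A01 5E 8BC6 5E C3")},
]

# Pristine image: exactly the bytes from the listing.
PRISTINE_IMAGE = {site["va"]: site["code"] for site in ORIGINAL_SITES}

# Constructed tampered copy reflecting the two edits the tutorial describes
# (7512 -> EB12 at 0044065E, 85C0 -> 31C0 at 0042D782). Sample data only.
TAMPERED_IMAGE = {
    0x0044065C: bytes.fromhex("85C0 EB12 56 8D85CCF7FFFF FF7534 50 56 FF15544C4500 FF75FC"),
    0x0042D77D: bytes.fromhex("E891300100 31C0 59 A374574700 7403 6A01 5E 8BC6 5E C3"),
}


def classify_site(site: dict, code: bytes) -> dict:
    """Compare the bytes found at one site with the original listing.

    test:   'intact' (85 C0), 'result-forced' (31 C0 zeroes eax, so ZF is
            always set regardless of the check), or 'unknown'.
    branch: 'intact' (same mnemonic and target), 'branch-forced' (conditional
            replaced by an unconditional jmp to the same target), or 'unknown'.
    """
    t, b = site["test"], site["branch"]
    test_bytes = code[t:t + 2]
    if test_bytes == b"\x85\xC0":
        test_state = "intact"
    elif test_bytes == b"\x31\xC0":
        test_state = "result-forced"
    else:
        test_state = "unknown"

    branch_va = site["va"] + b
    mnemonic, target = decode_short_branch(code, b, branch_va)
    orig_mnemonic, orig_target = decode_short_branch(site["code"], b, branch_va)
    if (mnemonic, target) == (orig_mnemonic, orig_target):
        branch_state = "intact"
    elif mnemonic == "jmp" and target == orig_target:
        branch_state = "branch-forced"
    else:
        branch_state = "unknown"

    return {"va": site["va"], "test": test_state, "branch": branch_state,
            "branch_target": target, "modified": code != site["code"]}


def audit(image: dict) -> list:
    """image maps fragment VA -> bytes read from the binary under review."""
    return [classify_site(site, image[site["va"]]) for site in ORIGINAL_SITES]


if __name__ == "__main__":
    for name, image in (("pristine", PRISTINE_IMAGE), ("tampered", TAMPERED_IMAGE)):
        for r in audit(image):
            print(f"{name}: {r['va']:08X} test={r['test']} "
                  f"branch={r['branch']} -> {r['branch_target']:08X} "
                  f"modified={r['modified']}")
```

Run stand-alone, the script reports both sites as intact for the pristine bytes and flags the forced branch at 0044065C and the forced result at 0042D77D in the constructed tampered copy. The same comparison, driven by bytes read from a file at known offsets, is the kind of check a release process can run over shipped trial builds, and it shows why a single `test`/`je` pair is a fragile place to hang an entire time limit on.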
This was a somewhat convoluted lesson, but it certainly shows that you have to keep looking to figure things out. Until later. If you have any questions, please feel free to contact me at jomamameister@yahoo.com