Ilok -> Pace-> A solution ;-)

[taos]

Hi:
I've worked very hard with a program packed with ILOK (last version 2004).

1st. It's very hard to break this protection (you know uses ring 0 driver).
2nd. There is not information about his driver TPKD.SYS
3.It searchs the file NTICE.SYS and the registry key of Numega.

Well, there's a solution to renew the trial date.
If you have not a dongle (usb) then you have a trial demo (xx days and fully).

In older versions (Installshield program protected) used 2 keys in the registry, if you delete the keys then renew the trial period.
In this version it stores 4 keys in the registry, 2 with a unique name and 2 with random names, and in the HD stores several files (a file with Javathread.mxp name,etc...) , but the most important it's that USES ALTERNATE DATA STREAMS!!!!

In the folder program files\internet explorer and in the folder outlook express, it's attach information using ALTERNATE DATA STREAMS.
If you delete the keys in the registry, the files and the ADS files then.... voil�, RENEW your trial date, you have xx days again.
The ADS are attached to a folder, not to a file, and when you're going to rename this folders, the SO tell you that the folders are been used by another person or program.
To delete the ADS I use a freeware tool from Sysinternals (Streams v1.5).
If someon is interesting in this method of renew the trial I can do a program that make it.

Regards.

[dyn!o]

Hi,

My comments:

1. Pace isn't hard to break. The hardest part in Pace is anti-debug driver, only the driver. The rest of protection doesn't contain anything strong, new or incovex.

2. Some versions indeed search for ntice and reg keys but that doesn't matter - you can still run Pace protected software without the need to hide these data. Of course the problem begin when you turn on SICE.

Anyway, Pace seems to be out of the game nowadays. There have been some titles protected with it, some even known (e.g. BodyStudio) but most commonly it is/was used in audio software. There are two unpackers.


Regards.

[taos]

Hi

I am totally in agreement with you except in a thing, the antidebug-driver do not detect ring 3 debuggers (Olly) and if you want to unpack manually it's very hard.
Unpack a file (DLL) with Pace for me and with the last version it's no possible...

I don't understand you when you say:"you can still run Pace protected software without the need to hide these data"- How???

Actually it's used in audio programs, but it's very agressive with the SO and many companys refuse to buy it (Inaccessable floppy drives. This could also apply to any other device using IRQ 6.,BSOD on shutdown or startup with "DRIVER_POWER_STATE_ERROR",Spontaneous reboots,corrupt registry entries (could be related to spontaneous reboots if Windows is writing to the registry when this occurs.) missing (not zero-byte, but none) paging file (swapfile.) ,etc...)
And of course it's very expensive

Use ADS in folder systems, create ghost cookies files... it's very stupid but how pack the files Ipace, it's not stupid.

are the 2 unpackers older?
where are the unpackers?
I've found 1 from TNT but it's for a old version.
If you can,please send me a link for this unpackers.
Regards

[dyn!o]

"It searchs the file NTICE.SYS and the registry key of Numega". So, I understood you suggest that SICE can't be even installed. I had in mind that SICE can be installed but not RUNNING. I didn't tried it with user level debuggers like Ollydbg since I'm not using Olly at all. I use Olly to discover software compatibility malfunctions, not for cracking.

"you can still run Pace protected software without need to hide these data"
I mean with installed (but not running) SICE.

About incompatibility. As I said in "StarForce going down?" thread: in my humble opinion it's not wise to use drivers to protect any software. As life shows, it usually ends with USB/FDD/HDD problems. Can anyone pay such a high price? Ask XtremeProtector, StarForce and PACE developers... do they have new customers?

Mentioned unpackers were build for v4 and v5 and stay pretty private (I don't have them too). In my opinion all powerful unpackers should stay private, at least not accessible to the developer who made the defeated protection. It's endless job and if someone want to learn then he/she has a lot tutorials including XtremeProtector (Ukraininan) and Armadillo.

Everything is unpackable... it's always matter of time only.

Regards.

[/dev/null]

22 years later, any updates on this? hehe i've been on this journey for a week, diving into research -- with almost zero knowledge on rev, but there's so little information about it online :/ i have found quosego/snd doc but it's outdated, so any docs, tips or pointers would be great. thanks!