HOW TO CRACK:
Voodoolights v1.2.7

 

Introduction:
Well, here we are again, another version of the Voodoolights screensaver..........and still
the same old protection. The only difference being it is now a 21 day trial limit rather than 30 days.

 

The Crack:
Well, let's see, we have to remove the check that is made for the 21 days expiring and
change a bit of text in the main file referring to this fact.

Tools needed:
WDASM, Hex-editor

Let's go........


First of all try putting your system clock forward by a month and run the screensaver
to see what happens. You get a message at the bottom of the screen 'Evaluation
period is over' then the screensaver quits. So we need to find a reference to this string
in the main file.
There are 2 files we need to be concerned with here: VoodooLights.scr and
VoodooLightsCP.exe. They are both in the windows\system folder. So disassemble
VoodooLights.scr first.

Search for the string 'evaluation period' and you will find what you're looking for at
the code shown below:


* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
:00408AE5(C), :00408AE9(C)
* Possible StringData Ref from Data Obj ->"Evaluation period is over."
:00408B3A 68F08D4500 push 00458DF0
:00408B3F 6858D54500 push 0045D558

 

If you trace the calls highlighted in blue then you will end up here:

:00408AD6 E8A5840200    call 00430F80
:00408ADB B915000000    mov ecx, 00000015            --> Put value 15h in ecx
:00408AE0 2BC8          sub ecx, eax                 --> Subtract from ecx
:00408AE2 83F9FF        cmp ecx, FFFFFFFF            --> Test for value -1
:00408AE5 7C53          jl 00408B3A                  --> Jumps to 'evaluation period is over'
:00408AE7 85C9          test ecx, ecx
:00408AE9 7E4F          jle 00408B3A                 --> Jumps to 'evaluation period is over'
:00408AEB 56            push esi
:00408AEC 8D4C2408      lea ecx, dword ptr [esp+08]
:00408AF0 E8EB810200    call 00430CE0

Let's take a closer look at this code:
At 00408ADB a value of 15h is placed in register ecx.
At 00408AE0 the value of eax is subtracted from ecx.
At 00408AE2 a test is made for ecx being -1.
At 00408AE5 and 00408AE9 the program jumps to the evaluation notice if ecx is -1 or 0.

The value 15h is 21 in decimal, so this is the number of days we had originally to evaluate
the program.
The value in eax is the number of days we have been using the program.
The value in ecx after the subtraction is the number of days we have left to evaluate the
program.
So if the resultant value is 0 days or less then the time limit is up and the program issues
the 'evaluation period is over' notice then quits.
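
The branch logic in the listing above, modelled in C with the x86 flag rules for cmp/jl and test/jle. This is an added example, not code from the program or from the original text; the function and type names are made up for the illustration and the sample day counts are constructed.

```c
#include <stdint.h>
#include <stdio.h>

#define TRIAL_DAYS 0x15              /* 15h = 21, the constant moved into ecx */

typedef struct { int zf, sf, of; } flags_t;   /* hypothetical helper type */

/* Flags produced by a 32-bit "cmp a, b" (computes a - b, discards result). */
static flags_t flags_cmp(int32_t a, int32_t b) {
    uint32_t ua = (uint32_t)a, ub = (uint32_t)b, r = ua - ub;
    flags_t f;
    f.zf = (r == 0);
    f.sf = (int)((r >> 31) & 1);
    /* signed overflow: operand signs differ and result sign differs from a */
    f.of = (int)((((ua ^ ub) & (ua ^ r)) >> 31) & 1);
    return f;
}

/* Flags produced by "test a, a" (a AND a; OF is always cleared). */
static flags_t flags_test(int32_t a) {
    flags_t f;
    f.zf = (a == 0);
    f.sf = (int)(((uint32_t)a >> 31) & 1);
    f.of = 0;
    return f;
}

static int jl(flags_t f)  { return f.sf != f.of; }          /* signed less     */
static int jle(flags_t f) { return f.zf || f.sf != f.of; }  /* signed less/eq  */

/* Returns 0 if execution falls through to 00408AEB, 1 if the jump at
   00408AE5 is taken, 2 if the jump at 00408AE9 is taken. */
int expiry_branch(int32_t days_used) {
    int32_t ecx = (int32_t)((uint32_t)TRIAL_DAYS - (uint32_t)days_used);
    if (jl(flags_cmp(ecx, -1))) return 1;   /* cmp ecx, FFFFFFFF / jl  */
    if (jle(flags_test(ecx)))   return 2;   /* test ecx, ecx    / jle */
    return 0;
}

int main(void) {
    int32_t samples[] = { 0, 20, 21, 22, 23, 31 };   /* constructed inputs */
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("days used %2d -> branch %d\n",
               (int)samples[i], expiry_branch(samples[i]));
    return 0;
}
```

The first jump only fires when the remaining-days value is below -1; the values -1 and 0 are caught by the second jump, so together they cover every value of 0 or less.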

To crack this routine we need the value in ecx to be 1 or greater. So by removing the
subtraction part of the routine the value will always be 21. Simply replace it with 2 NOPs.

What we now have to do is check how many times this routine appears in the code and
alter them all.

Do a search from the top of the disassembled listing for 'mov ecx, 00000015'.
You need to find the code below around it as well.

call 00430F80
mov ecx, 00000015
sub ecx, eax
cmp ecx, FFFFFFFF

You will find it 5 times, here are the offsets to patch with 9090.
8809, 8AE0, 8A07, 8A28, 8B01. So load the VoodooLights.scr into your hex-editor and patch it.

We can make things even neater by getting the program to generate the 'Registered to'
message by patching 9090 at offset 8A9D.

And make it even neater still by patching the VoodooLightsCP.exe at offset 852E with 9090
and patch two spaces at offset 58DAB.