
View Full Version : Driverstudio2.5 timelimit


Braindead
October 22nd, 2001, 14:15
Hi all,

Does anybody know how to remove the time limit for driverstudio 2.5RC1?
I mean something other than setting the system time back.

MeteO
October 25th, 2001, 11:38
This is disassembled code by cr0aker

DSConfig: Time-limit checking procedure:

Calling from here...

; Fragment of sub_403790 (name taken from the CODE XREF comments below).
; Reads the system date, selects one of ten timer callbacks according to the
; day-of-month field (buckets of three days), then registers the chosen
; callback with SetTimer.
; NOTE(review): the argument setup for GetSystemTime is outside this excerpt.
call ds:GetSystemTime
lea eax, [esp+390h+SystemTime] ; eax = address of the SYSTEMTIME local on the stack
test eax, eax ; tests the address, not the call's result; a stack address is non-zero
jnz short loc_403A68 ; so this branch is effectively always taken
mov eax, offset sub_405D60 ; fallback callback, only reached if the address were zero
jmp short loc_403AE5

; ---------------------------------------------------------------------------

loc_403A68: ; CODE XREF: sub_403790+2CFj

mov ax, [esp+390h+SystemTime.wDay] ; ax = day of month
cmp ax, 3 ; unsigned compares (jnb) throughout the chain
jnb short loc_403A7A
mov eax, offset sub_405BE0 ; day < 3
jmp short loc_403AE5

; ---------------------------------------------------------------------------

loc_403A7A: ; CODE XREF: sub_403790+2E1j

cmp ax, 6
jnb short loc_403A87
mov eax, offset sub_405C60 ; day 3..5
jmp short loc_403AE5

; ---------------------------------------------------------------------------

loc_403A87: ; CODE XREF: sub_403790+2EEj

cmp ax, 9
jnb short loc_403A94
mov eax, offset sub_405CE0 ; day 6..8
jmp short loc_403AE5

; ---------------------------------------------------------------------------

loc_403A94: ; CODE XREF: sub_403790+2FBj

cmp ax, 0Ch
jnb short loc_403AA1
mov eax, offset sub_405D60 ; day 9..11
jmp short loc_403AE5

; ---------------------------------------------------------------------------

loc_403AA1: ; CODE XREF: sub_403790+308j

cmp ax, 0Fh
jnb short loc_403AAE
mov eax, offset sub_405DE0 ; day 12..14
jmp short loc_403AE5

; ---------------------------------------------------------------------------

loc_403AAE: ; CODE XREF: sub_403790+315j

cmp ax, 12h
jnb short loc_403ABB
mov eax, offset sub_405E60 ; day 15..17
jmp short loc_403AE5

; ---------------------------------------------------------------------------

loc_403ABB: ; CODE XREF: sub_403790+322j

cmp ax, 15h
jnb short loc_403AC8
mov eax, offset sub_405EE0 ; day 18..20
jmp short loc_403AE5

; ---------------------------------------------------------------------------

loc_403AC8: ; CODE XREF: sub_403790+32Fj

cmp ax, 18h
jnb short loc_403AD5
mov eax, offset sub_405F60 ; day 21..23
jmp short loc_403AE5

; ---------------------------------------------------------------------------

loc_403AD5: ; CODE XREF: sub_403790+33Cj

cmp ax, 1Bh
mov eax, offset sub_405FE0 ; mov leaves the flags from the cmp intact; day 24..26
jb short loc_403AE5
mov eax, offset sub_406060 ; day 27 and later

loc_403AE5: ; CODE XREF: sub_403790+2D6j
; sub_403790+2E8j ...

; eax = selected callback. Arguments are pushed right to left for
; SetTimer(hWnd, nIDEvent, uElapse, lpTimerFunc).
push eax ; lpTimerFunc ; PREDEFINED PROCEDURE!!!
push 2710h ; uElapse (2710h = 10000, in milliseconds)
push 1962h ; nIDEvent
push esi ; hWnd
call ds:SetTimer ; return value is not examined in the visible lines
jmp short loc_403B0B

Anyway, we set the timer and break in one of the predefined procedures. All these
procedures have the same format.

Calling checking procedure:

sub_405EE0 / sub_405BE0 / sub_405C60 / sub_405CE0 / sub_405D60 / sub_405DE0 /
sub_405E60 / sub_405EE0 / sub_405F60 / sub_405FE0 / sub_406060


; sub_405EE0: timer callback registered through SetTimer (the proc line is
; not part of this excerpt). It stops the timer, converts the current local
; time to a FILETIME and compares it with a constant stored in the code.
; If the current time is not earlier than the constant, it sets
; dword_41DC9C to 1 and posts message 10h (WM_CLOSE) to the window.
; Returns with retn 10h, i.e. the callee removes four dword arguments.
; NOTE(review): the decision depends only on the local wall clock and an
; embedded constant; the visible code consults no other time source.
sub esp, 20h ; reserve 20h bytes for SystemTime, FileTime1 and FileTime2
mov eax, [esp+20h+uIDEvent] ; eax = timer id argument
push esi ; save esi; stack offsets below grow by 4
mov esi, [esp+24h+hWnd] ; esi = window handle argument
push eax ; uIDEvent
push esi ; hWnd
call ds:KillTimer ; the timer is removed, so the callback does not fire again
lea ecx, [esp+24h+SystemTime]
push ecx ; lpSystemTime
call ds:GetLocalTime ; fill SystemTime with the current local time
lea edx, [esp+24h+FileTime1]
lea eax, [esp+24h+SystemTime]
push edx ; lpFileTime
push eax ; lpSystemTime
; FileTime2 is written between the pushes and the call, hence the 2Ch offset.
mov [esp+2Ch+FileTime2.dwLowDateTime], 0D57AFA20h ; PREDEFINED
mov [esp+2Ch+FileTime2.dwHighDateTime], 1C15522h ; TIME LIMIT
call ds:SystemTimeToFileTime ; FileTime1 = SystemTime; the result is not checked
lea ecx, [esp+24h+FileTime2]
lea edx, [esp+24h+FileTime1]
push ecx ; lpFileTime2
push edx ; lpFileTime1
call ds:CompareFileTime ; eax < 0 when FileTime1 is earlier than FileTime2
test eax, eax
jl short loc_405F4A ; current time before the limit: skip the shutdown path
push 0 ; lParam
push 0 ; wParam
push 10h ; Msg (10h = WM_CLOSE)
push esi ; hWnd
mov dword_41DC9C, 1 ; global flag; its readers are not shown here
call ds:PostMessageA ; TIME EXPIRED!!!

loc_405F4A: ; CODE XREF: sub_405EE0+51j

pop esi ; ALL IS OK!
add esp, 20h ; release the locals
retn 10h ; pop the four callback arguments

sub_405EE0 endp

MeteO
October 25th, 2001, 11:39
Winice95: Time-limit checking procedure:

Calling from here... :

; Fragment of the start routine (16-bit DOS code). It calls the date check
; sub_113EE, which reports its result in the carry flag, and terminates the
; program through DOS when the carry flag is set.
loc_111D8: ; CODE XREF: start+1Dj

call sub_113EE ; THIS ONE!!!
jb loc_111EC ; JMP if bad date (carry set by sub_113EE)
mov si, offset aWin_com ; "win.com"
call sub_164E6 ; purpose not visible in this excerpt

loc_111E5: ; CODE XREF: start+27j

call sub_174A9 ; also reports through the carry flag; body not shown
jnb loc_111F0 ; carry clear: continue at loc_111F0 (outside this excerpt)

loc_111EC: ; CODE XREF: start+2Dj

; Exit path. AL is not loaded in the visible lines, so the exit code is
; whatever AL holds at this point.
mov ah, 4Ch
int 21h ; DOS - 2+ - QUIT WITH EXIT CODE (EXIT)
; AL = exit code

Calling this checking procedure...


; sub_113EE: date check used by the start routine (16-bit DOS code).
; Reads the current date with int 21h / AH=2Ah and compares it with
; constants in the code.
; Out: CF clear when the year is 2001 and the date is before October 15
;      (month <= 9, or month == 10 with day < 15).
;      CF set in every other case, after printing the message at
;      aThisVersionOfW. Any year other than 2001 takes this path.
; Clobbers: AX, CX, DX, flags (through the DOS calls).
; NOTE(review): the check relies only on the DOS system date.
sub_113EE proc near ; CODE XREF: start+2Ap

mov ah, 2Ah
int 21h ; DOS - GET CURRENT DATE
; Return: DL = day, DH = month, CX = year
; AL = day of the week (0=Sunday, 1=Monday, etc.)
cmp cx, 2001 ; YEAR
jnz loc_1140F ; any other year: expired path
cmp dh, 9 ; MONTH
jbe loc_11418 ; January..September 2001: accepted
cmp dh, 10 ; MONTH
ja loc_1140F ; November or December 2001: expired path
cmp dl, 15 ; DAY
jb loc_11418 ; October 1..14: accepted; otherwise fall through

loc_1140F: ; CODE XREF: sub_113EE+8j
; sub_113EE+16j

mov ah, 9
mov dx, offset aThisVersionOfW ; "This version of WINICE.EXE is no longer"...
int 21h ; DOS - PRINT STRING
; DS:DX -> string terminated by "$"
stc ; CF = 1 tells the caller the check failed
retn

; ---------------------------------------------------------------------------

loc_11418: ; CODE XREF: sub_113EE+Fj
; sub_113EE+1Dj
clc ; CF = 0 tells the caller the check passed
retn

sub_113EE endp

SuckerX
October 28th, 2001, 07:19
Hi,

Using NT. Where is this timecheck located?

MeteO
October 28th, 2001, 16:40
See subroutine at .init.14730e(hex offset 13730e) - this sub must return zero.