HOW TO CRACK:
VoodooLights v1.2

Introduction:

VoodooLights is a configurable screensaver that uses the features of the Voodoo/Voodoo2 chipset. It has 2 screensavers, a lighting/lens-flare effect and a space/cosmos effect, both of which let you change the values of the stars, swirls etc. Get it along with other 3DFX screensavers from http://www.3dgw.com/screensavers.htm

If you are within the 30-day time limit you get the following screen when clicking on 'Registration'.

If you put your clock forward 1 month or more, you get the following message instead.

We really do not like this screen so we must do something about it!!


The Crack:

This protection disables the program as a screensaver 30 days after installation. It was quite an easy protection to remove, as only 3 checks are made on the date.

You could crack the protection by finding a registry key for it, but that would take too long tracing through all the calls made to RegQueryValueExA, so the best and easiest way is to find where the program tests whether 30 days have passed since you installed it. Once you find those tests they are easy to remove.


Tools needed: WDASM & a hex editor

First, load the original voodoolights.exe into WDASM. We want to look for the value 30 in the program. It's no good just searching for '30', as this will not find it. You have to search for the hexadecimal value of 30, which is '1E'. In the disassembly these immediate values are 'padded out' with zeroes to 32 bits, so we want to search for '0000001E'.

Since a comparison will be performed on this number, we really want to be searching for an instruction something like CMP EAX, 0000001E or CMP ECX, 0000001E. This is just a CoMParison to see whether the register EAX or ECX holds the value 1E, which is 30 days.

So if we search for ', 0000001E' we will find either of these instructions. At first the search turns up a few instructions of the form CMP DWORD PTR [EBP-30], 0000001E. We do not want this type of instruction, so keep searching.

Searching further down the text we eventually come to the first instruction that we want, CMP ECX, 0000001E. Look at address 004095BA.

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
:004095A3(C)


:004095B6 8BC8        mov ecx, eax
:004095B8 2BCA        sub ecx, edx    --> Calculate days since install
:004095BA 83F91E      cmp ecx, 0000001E > Are 1E (30) days up yet?
:004095BD 7E07        jle 004095C6 -----> If less than 30 then keep running
:004095BF B91E000000  mov ecx, 0000001E > End trial period
:004095C4 EB04        jmp 004095CA


Above that line, the instruction SUB ECX, EDX must be SUBtracting today's day from the day we installed the program, which leaves the number of days it has been installed in register ECX. If this value is less than or equal to 30 then the program continues normally. We can see this in the following instruction, JLE, which means Jump if Less or Equal, and that jump is what happens if the program has been on the machine for 30 days or less.

We want the program to always take the JLE, so the value in ECX must always be 0, or at least less than 30. To do this we can replace the SUB ECX, EDX with an instruction that makes ECX 0 all the time. That instruction is XOR ECX, ECX. In hex it is 33C9, which just happens to fit in place of 2BCA at address 4095B8.


Continuing the search for ', 0000001E' we find another instance that is exactly the same.

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004095CC(C)


:004095D2 8BC8        mov ecx, eax
:004095D4 2BCA        sub ecx, edx     --> Calculate days since install
:004095D6 83F91E      cmp ecx, 0000001E -> Are 30 days up yet
:004095D9 7E07        jle 004095E2    ---> If less than 30 then keep running
:004095DB B91E000000  mov ecx, 0000001E -> End trial period
:004095E0 EB04        jmp 004095E6


So we can do exactly the same with this one as with the one above.

The next instance is slightly different in that the CMP is made on EAX instead of ECX.

* Referenced by a CALL at Addresses:
|:004013F7 , :00406485


:004095F8 E807FDFFFF   call 00409304 ----> Calculate days since install
:004095FD 85C0         test eax, eax ----> Is it 0?
:004095FF 7C05         jl   00409606 ----> If less than,then disable
:00409601 83F81E       cmp eax, 0000001E > Are 30 days up yet?
:00409604 7C04         jl 0040960A     --> If not then keep running


To change this one we need to know what XOR EAX, EAX is in hex. It just happens to be 33C0, which also fits nicely in the gap in place of 85C0 (TEST EAX, EAX).

Now all you have to do is load up the hex editor and replace those bytes with the ones mentioned, and you have cracked the 30-day time limit.
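Seen from the other side, the same byte values make the modification easy to spot: anyone holding a copy of the shipped binary can check whether each of the sites listed above still carries its original bytes or has been rewritten. The script below is an added example, not part of the tutorial and not VoodooLights' own code. It assumes that the virtual-address-to-file-offset delta can be taken from the one pair of numbers the tutorial gives for the expiry patch (VA 4097C0 is at file offset 8DC0h) and that this delta holds for the whole code section; the other offsets are derived from it, and the "executable" it audits is a zero-filled buffer constructed here with only the listed bytes placed at those offsets.

```python
import hashlib

# VA -> file-offset delta taken from the tutorial's own pair of numbers
# (instruction at VA 0x4097C0 sits at file offset 8DC0h). Assumed here to
# hold across the whole code section; for a real binary derive it from the
# PE section table instead of hard-coding it.
VA_TO_FILE_DELTA = 0x4097C0 - 0x8DC0  # = 0x400A00

# One entry per check site the tutorial names:
# (virtual address, bytes the shipped binary carries, bytes the patch leaves, what is there)
TRIAL_CHECK_SITES = [
    (0x4095B8, bytes.fromhex("2BCA"), bytes.fromhex("33C9"), "sub ecx,edx  (1st 30-day check)"),
    (0x4095D4, bytes.fromhex("2BCA"), bytes.fromhex("33C9"), "sub ecx,edx  (2nd 30-day check)"),
    (0x4095FD, bytes.fromhex("85C0"), bytes.fromhex("33C0"), "test eax,eax (3rd 30-day check)"),
    (0x4097C0, bytes.fromhex("7208"), bytes.fromhex("9090"), "jb  -> expiry message"),
    (0x4097C8, bytes.fromhex("76"),   bytes.fromhex("EB"),   "jbe -> past expiry message"),
]


def va_to_offset(va):
    """Map a virtual address from the listing to a raw file offset."""
    return va - VA_TO_FILE_DELTA


def classify_site(image, va, original, patched):
    """Report whether one site is intact, carries the known patch, or holds other bytes."""
    off = va_to_offset(va)
    actual = image[off:off + len(original)]
    if actual == original:
        return "original"
    if actual == patched:
        return "patched"
    return "unknown"   # some other modification, or the wrong file / wrong offset delta


def audit_image(image):
    """Classify every known check site in an in-memory copy of the file."""
    return {va: classify_site(image, va, orig, patch) for va, orig, patch, _ in TRIAL_CHECK_SITES}


def sha256_hex(image):
    """Whole-file digest: catches any modification, not only the sites in the table."""
    return hashlib.sha256(image).hexdigest()


def build_sample_image(patched=False):
    """Constructed stand-in for the executable (not the real file): zero-filled,
    with only the bytes the tutorial lists placed at their computed offsets."""
    image = bytearray(0x9000)
    for va, original, patch, _ in TRIAL_CHECK_SITES:
        off = va_to_offset(va)
        image[off:off + len(original)] = patch if patched else original
    return bytes(image)


if __name__ == "__main__":
    for label, img in (("shipped", build_sample_image()), ("modified", build_sample_image(patched=True))):
        verdicts = audit_image(img)
        print(f"{label}: sha256={sha256_hex(img)[:16]}...")
        for va, _, _, what in TRIAL_CHECK_SITES:
            print(f"  {va:08X} -> file offset {va_to_offset(va):04X}h  {what:32s} {verdicts[va]}")
```

To run it against an actual file, pass `open(path, "rb").read()` to `audit_image` and `sha256_hex`. The site table only recognises the specific edits described on this page; the digest comparison against a known-good value is the check that holds up against any other edit, which is why code signing, not a table of watched bytes, is how shipped binaries are normally protected against this kind of tampering.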

Instead of the message 'This copy of Voodoolights is not registered.....blah, blah, blah', we can replace it with a message of your choice, since it will always show that screen now. So how about something like.........................


Ah...........but wait, reading the release notes I see that it runs out in July 1999, so set your clock forward to August and try running it again, and you get this message.



Oops, it has expired. Ok then, let's fix that too. Search the disassembly for 'this version of voodoolights' and you will find it at address 4097CA, as shown below, so we know we don't want to go there. If you look at how the program actually gets to this address, you will see a little further up that at 4097BA a comparison is done and, as a result, a conditional jump is made on the line below depending on that result. Take a look.

:004097B5 E807C00400 Call 004557C1
:004097BA 66813C24CF07 cmp word ptr [esp], 07CF ------>1st test
:004097C0 7208 jb 004097CA -------------------------------> jump to error message (bad guy)
:004097C2 66837C240206 cmp word ptr [esp+02], 0006 ----> 2nd test
:004097C8 761F jbe 004097E9 -------------------------------> jump past error message (good guy)

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004097C0(C)
|
:004097CA 6A00 push 00000000

* Possible StringData Ref from Data Obj ->"Error"
|
:004097CC 68339B4500 push 00459B33

* Possible StringData Ref from Data Obj ->"This version of VoodooLights has expired. Please get a new one."
|
:004097D1 68BA9A4500 push 00459ABA

* Reference To: USER32.GetForegroundWindow, Ord:0000h
|
:004097D6 E804C30400 Call 00455ADF
:004097DB 50 push eax

* Reference To: USER32.MessageBoxA, Ord:0000h
|
:004097DC E88EC30400 Call 00455B6F
:004097E1 6A00 push 00000000
:004097E3 E8FCA10400 call 004539E4 --------> display error message dialog messagebox
:004097E8 59 pop ecx

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004097C8(C)
|
:004097E9 E816FBFFFF call 00409304 ------> good guy jump here
:004097EE 85C0 test eax, eax
:004097F0 7D0D jge 004097FF


So we need to make the program ignore the 1st test and then always jump to the good guy.
At 4097C0, replace the jb 004097CA with 2 NOPs. The instruction is 2 bytes long (7208), so we replace it with 9090 (2 NOPs) to ignore the first test.
At 004097C8 we need to make the program always jump to 4097E9, so replace the jbe with a jmp (jump always). The instruction byte for this is EB, so we only need to change 1 byte here. Get your hex editor out again, go to the file offsets where these instructions are (8DC0h & 8DC8h) and replace the bytes accordingly.
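Before reaching for a hex editor it helps to write down exactly what the checks decide, because a listing read too quickly is easy to misjudge. The script below is an added example, not code from the tutorial or from VoodooLights; it models the three 30-day sites (4095BA, 4095D6 and 4095FD) and the hard-expiry site (4097BA) as they appear in the listings above, with 32-bit signed semantics for the CMP/JL/JLE pairs, and goes one step beyond the text by putting the listed expiry comparison next to a properly ordered (year, month) window check. It assumes that the word at [esp] and the word at [esp+2] are the wYear and wMonth fields of a Win32 SYSTEMTIME filled in by the call just above them; the page does not name that API, so this is the author's reading of the listing, not a fact stated on the page. All inputs are constructed.

```python
def to_int32(value):
    """Reduce a Python int to the signed 32-bit quantity that CMP/JL/JLE operate on."""
    value &= 0xFFFFFFFF
    return value - 0x1_0000_0000 if value & 0x8000_0000 else value


TRIAL_DAYS = 0x1E  # 30


def first_days_check(days_since_install):
    """Sites 4095BA / 4095D6: cmp ecx, 1E ; jle keep-running (signed compare)."""
    return "running" if to_int32(days_since_install) <= TRIAL_DAYS else "trial over"


def third_days_check(days_since_install):
    """Site 4095FD: test eax,eax ; jl disable ; cmp eax, 1E ; jl keep-running."""
    days = to_int32(days_since_install)
    if days < 0:
        return "disabled"        # negative: the install date lies in the future (clock moved back)
    return "running" if days < TRIAL_DAYS else "trial over"


def hard_expiry_as_listed(year, month):
    """Site 4097BA: cmp word [esp], 07CF ; jb error ; cmp word [esp+2], 6 ; jbe good.
    Assumes [esp] / [esp+2] are wYear / wMonth of a SYSTEMTIME (not stated on the page)."""
    if year < 0x7CF:   # year below 1999 -> error dialog
        return "expired"
    if month <= 6:     # month January..June -> run
        return "ok"
    return "expired"   # falls through into the error dialog


def hard_expiry_windowed(year, month):
    """The intent the two comparisons appear to encode, written as one ordered window."""
    return "ok" if (1999, 1) <= (year, month) <= (1999, 6) else "expired"


def decision_table(samples):
    """Side-by-side verdicts for constructed (year, month) inputs."""
    return [(y, m, hard_expiry_as_listed(y, m), hard_expiry_windowed(y, m)) for y, m in samples]


if __name__ == "__main__":
    for d in (-1, 0, 29, 30, 31):
        print(f"days={d:3d}  1st/2nd check: {first_days_check(d):10s} 3rd check: {third_days_check(d)}")
    for row in decision_table([(1998, 12), (1999, 6), (1999, 7), (2000, 1)]):
        print("%d-%02d  as listed: %-8s windowed: %s" % row)
```

Two things the model makes visible that the prose glosses over: the first two sites use JLE and the third uses JL, so they do not agree on day 30 exactly, and the third site is the only one that treats a negative day count (an install date in the future) as a reason to disable. On the expiry side, the listed pair of comparisons only looks at the month once the year is at least 1999; the windowed function is the form an ordered year/month comparison takes, and the decision table shows where the two diverge.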

And there we have it: a cracked program in under 30 minutes.

That's it - enjoy