Cracking Tutorial #86:
Holiday Lights 5.3
[cracked bY:] sLeEpY¿[FWA/NWA/FTPR8Z] iN 12/2002
[difficulty:] beginner
[where:]  http://www.tigertech.com
[tOOLz:] w32dasm 8.93, Hiew 6.0


KANAL23 Tutorial

http://www.kanal23.net




Holiday Lights 5.3

Download it from

http://www.tigertech.com   


HO HO HO and all that.

Written by

sLeEpY¿

Tools

  • W32dasm 8.93

  • Hiew 6.0

Rating

  • Easy {X}

  • Medium { }

  • Hard { }

  • Pro { }



Introduction

It's December 24th and work sucks as usual... so here is a quick tutorial on how to crack Holiday Lights 5.3 by changing 3 bytes in the program. Yes, this is a quick tutorial, so if you don't get it, read some of the older tutorials.

The Essay

Make your usual 3 backups and let's own this program.

Run Holiday Lights and we are met with a host of restrictions:
1. Nag at startup
2. Locked out bulbs
3. Locked out music
4. More locked out bulbs.
5. Registration

Well, let's disassemble the program and cut it at the throat so we don't have to spend an hour patching here, there and everywhere. Open the w32dasm String Data References (Strn Ref) window and have a look: plenty of useful info, nothing hidden or encrypted, even the nag is easy to spot, but then we notice "Serial Number" and "User". Double-click that and we land here:



* Referenced by a CALL at Address:
|:0041F377 , :0041F3F7
<-let's go and check out 41F377
|
:0041AAF0 56 push esi
:line of code

* Possible StringData Ref from Data Obj ->"User"

:0041AB11 68508E4400 push 00448E50
:0041AB16 8D4C2418 lea ecx, dword ptr [esp+18]
:0041AB1A E8F1F6FFFF call 0041A210
:0041AB1F 57 push edi
:0041AB20 6A10 push 00000010

* Possible StringData Ref from Data Obj ->"Serial Number"

:0041AB22 68408E4400 push 00448E40
:0041AB27 8D4C2418 lea ecx, dword ptr [esp+18]
:lines of code
:0041AB52 6A40 push 00000040

* Possible StringData Ref from Data Obj ->"User"

:0041AB54 68508E4400 push 00448E50
:0041AB59 8D4C2418 lea ecx, dword ptr [esp+18]
:0041AB5D E8AEF6FFFF call 0041A210
:0041AB62 57 push edi
:0041AB63 6A10 push 00000010

* Possible StringData Ref from Data Obj ->"Serial Number"

:0041AB65 68408E4400 push 00448E40
:lines of code
:0041AB7E C3 ret





* Referenced by a CALL at Addresses:
|:00401049 , :00407F24 , :00417D90 , :00417F35 , :0041C845
|:0041C888 , :0041DC2C , :0041F3A6 , :00421EFB , :00421F0C
|:00422B06 , :00423D92 , :00424C38
<-seems like a lot of places, let's check a few of them out.
|
:0041F350 A048E74400 mov al, byte ptr [0044E748]
:0041F355 83EC50 sub esp, 00000050
:0041F358 84C0 test al, al
:0041F35A 753C jne 0041F398
:0041F35C 8A0D49E74400 mov cl, byte ptr [0044E749]
:0041F362 84C9 test cl, cl
:0041F364 7532 jne 0041F398
:0041F366 8D442400 lea eax, dword ptr [esp]
:0041F36A 8D4C2410 lea ecx, dword ptr [esp+10]
:0041F36E 50 push eax
:0041F36F 51 push ecx
:0041F370 C60549E7440001 mov byte ptr [0044E749], 01
:0041F377 E874B7FFFF call 0041AAF0
<-call to the "are we regged?" routine above (the one that reads "User" and "Serial Number")




OK, so I actually found this accidentally, but who cares. Notice that the routine above is called from a ton of locations. Go check a few of them out and you will see that right after the call there is almost always a conditional jump on the result, either jne or je (also written jnz or jz: jump if not zero / jump if zero). Here are a few examples of those locations:

first location 401049:



:00401049 E802E30100 call 0041F350
:0040104E 84C0 test al, al
:00401050 7528 jne 0040107A <-jump if not zero over the nag
:00401052 8B442404 mov eax, dword ptr [esp+04]
:00401056 8B0DF0E04400 mov ecx, dword ptr [0044E0F0]
:0040105C 6A00 push 00000000
:0040105E 68C0104000 push 004010C0
:00401063 50 push eax

* Possible StringData Ref from Data Obj ->"Reminder"
<-nag



Let's try another location, 41F3A6:



:0041F3A6 E8A5FFFFFF call 0041F350
:0041F3AB 84C0 test al, al
:0041F3AD 0F84E7000000 je 0041F49A
<-jump if zero (AL = 0, unregistered) to the "needs registration" screen
:0041F3B3 56 push esi
:0041F3B4 57 push edi
:0041F3B5 B916000000 mov ecx, 00000016

* Possible StringData Ref from Data Obj ->"You have already entered the serial "
                                        ->"number for this copy of Holiday "
                                        ->"Lights."
<-already regged screen!




And another location, 423D92:



:00423D92 E8B9B5FFFF call 0041F350
:00423D97 84C0 test al, al
:00423D99 7534 jne 00423DCF
<-jump if not zero, bulb unlocked
:00423D9B 8B16 mov edx, dword ptr [esi]
:00423D9D 8BCE mov ecx, esi
:00423D9F FF5224 call [edx+24]
:00423DA2 84C0 test al, al
:00423DA4 7529 jne 00423DCF
<-jump if not zero, bulb unlocked
:00423DA6 83FD64 cmp ebp, 00000064
:00423DA9 0F8452010000 je 00423F01
:00423DAF A14CEB4400 mov eax, dword ptr [0044EB4C]
:00423DB4 6A40 push 00000040

* Possible StringData Ref from Data Obj ->"This Bulb is Locked"




So as you can see, every caller does test al, al right after the call. test sets the zero flag only when AL is 0, so 0 means unregistered and any nonzero value (1 in practice, but anything that isn't 0 works) means registered, and the je/jne that follows picks the locked or the unlocked path. So let's make it always 1.

Let's go here again:
* Referenced by a CALL at Addresses:
|:00401049 , :00407F24 , :00417D90 , :00417F35 , :0041C845
|:0041C888 , :0041DC2C , :0041F3A6 , :00421EFB , :00421F0C
|:00422B06 , :00423D92 , :00424C38
|
:0041F350 A048E74400 mov al, byte ptr [0044E748]
:0041F355 83EC50 sub esp, 00000050


Now what we want to do is return with 1 to all the callers, so...
change this:
:0041F350 A048E74400 mov al, byte ptr [0044E748]
:0041F355 83EC50 sub esp, 00000050

to this:
:0041F350 B801000000 mov eax, 00000001
:0041F355 C3 ret


Now it won't even run through the routine: it just loads eax with 1 (making al 1) and returns to all the callers, AL is tested for 0 or not 0, comes back 1 (registered) and everything trickles down from that. A note on the byte count: mov eax, 1 / ret is six bytes (B8 01 00 00 00 C3) and rewrites five of the original eight; since every caller only tests AL, mov al, 01 / ret (B0 01 C3) does the same job and changes only three bytes, which is the 3-byte change from the introduction. Either way the leftover bytes after the ret are never executed. Run the program: everything unlocked and the program regged to the invisible man, heh. Well, if you want it to show your name, open regedit and go here:

HKEY_LOCAL_MACHINE\SOFTWARE\Tiger Technologies\Holiday Lights

Now make a string value called "User" and put in your name, then make a string value called "Serial Number" and put in your made-up serial. Or just cut and paste the text below into a file called "Whatever.reg", edit the user and serial, save it and double-click it.



Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Tiger Technologies\Holiday Lights]
"Path"="C:\\PROGRA~1\\TIGERT~1\\HOLIDA~1\\Holiday Lights.exe"
"User"="sleepy"
"Serial Number"="666"




Note: the above is for Windows XP. The key lives under HKEY_LOCAL_MACHINE, so you need an administrator account to write it.
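The same workflow as a script, added here and not part of the original tutorial or of Holiday Lights itself: it mimics w32dasm's String Data Ref by scanning for push imm32 of a string's address (so mov/lea references are missed, w32dasm finds more), maps the virtual address w32dasm shows to the file offset you would otherwise look up in Hiew, refuses to write unless the bytes at the site are exactly what the listing shows, and applies either the 3-byte (mov al,01 / ret) or the 6-byte (mov eax,1 / ret) patch. The addresses and bytes are the ones in the listings above; the PE it runs on is a constructed toy image built by build_toy_pe() so the script runs offline, and pass the real executable's bytes in its place to patch that.

```python
import struct

# Values below come from the w32dasm listing in this tutorial. The PE image the
# script runs on is a constructed toy (build_toy_pe); feed it open(exe,'rb').read()
# to work on the real file.
CHECK_VA = 0x0041F350                                  # "are we regged?" routine
CHECK_ORIG = bytes.fromhex("A0 48 E7 44 00 83 EC 50")  # mov al,[44E748] / sub esp,50
PATCH_MIN = bytes.fromhex("B0 01 C3")                  # mov al,01 / ret   (3 bytes change)
PATCH_TUT = bytes.fromhex("B8 01 00 00 00 C3")         # mov eax,1 / ret   (as in the essay)
USER_STR_VA = 0x00448E50                               # "User"
SERIAL_STR_VA = 0x00448E40                             # "Serial Number"


def parse_pe(data):
    """Return (image_base, [(vaddr, vsize, rawptr, rawsize), ...]) from the PE headers."""
    pe = struct.unpack_from("<I", data, 0x3C)[0]                 # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsec = struct.unpack_from("<H", data, pe + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]
    opt = pe + 24
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:                                            # PE32
        image_base = struct.unpack_from("<I", data, opt + 28)[0]
    elif magic == 0x20B:                                          # PE32+
        image_base = struct.unpack_from("<Q", data, opt + 24)[0]
    else:
        raise ValueError("unknown optional header magic %#x" % magic)
    secs = []
    for i in range(nsec):
        hdr = opt + opt_size + 40 * i
        vsize, vaddr, rawsize, rawptr = struct.unpack_from("<IIII", data, hdr + 8)
        secs.append((vaddr, vsize, rawptr, rawsize))
    return image_base, secs


def va_to_offset(data, va):
    """Map a virtual address (what w32dasm shows) to a file offset (what gets patched)."""
    image_base, secs = parse_pe(data)
    rva = va - image_base
    for vaddr, vsize, rawptr, rawsize in secs:
        if vaddr <= rva < vaddr + max(vsize, rawsize):
            return rawptr + (rva - vaddr)
    raise ValueError("VA %#x is not backed by any section" % va)


def find_push_refs(data, target_va):
    """Poor man's 'String Data Ref': VAs of every 'push imm32' (68 xx xx xx xx)
    whose immediate is target_va. Only push references are found."""
    image_base, secs = parse_pe(data)
    needle = b"\x68" + struct.pack("<I", target_va)
    hits = []
    for vaddr, vsize, rawptr, rawsize in secs:
        blob = data[rawptr:rawptr + rawsize]
        pos = blob.find(needle)
        while pos != -1:
            hits.append(image_base + vaddr + pos)
            pos = blob.find(needle, pos + 1)
    return hits


def check_routine_bytes(data):
    """The first eight bytes of the check routine, as they sit in the file."""
    off = va_to_offset(data, CHECK_VA)
    return bytes(data[off:off + len(CHECK_ORIG)])


def patch_check(data, new_code=PATCH_MIN):
    """Overwrite the start of the check routine, but only if the bytes there are
    exactly what the listing shows (another build would have different bytes)."""
    found = check_routine_bytes(data)
    if found != CHECK_ORIG:
        raise ValueError("unexpected bytes at %#x: %s" % (CHECK_VA, found.hex()))
    off = va_to_offset(data, CHECK_VA)
    out = bytearray(data)
    out[off:off + len(new_code)] = new_code
    return bytes(out)


def build_toy_pe(image_base=0x400000):
    """Constructed stand-in for Holiday Lights.exe (not the real file): one section
    at RVA 0x1000 holding the check routine's first bytes at 0x41F350, the two
    strings, and the four 'push' references the listing shows."""
    text_rva, text_raw = 0x1000, 0x400
    text = bytearray(0x4A000)                                     # up to VA 0x44B000

    def put(va, blob):
        start = va - image_base - text_rva
        text[start:start + len(blob)] = blob

    put(CHECK_VA, CHECK_ORIG)
    for va in (0x0041AB11, 0x0041AB54):                           # push 00448E50 "User"
        put(va, b"\x68" + struct.pack("<I", USER_STR_VA))
    for va in (0x0041AB22, 0x0041AB65):                           # push 00448E40 "Serial Number"
        put(va, b"\x68" + struct.pack("<I", SERIAL_STR_VA))
    put(USER_STR_VA, b"User\0")
    put(SERIAL_STR_VA, b"Serial Number\0")
    dos = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x40)       # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                         # PE32 magic
    struct.pack_into("<I", opt, 28, image_base)
    sec = struct.pack("<8sIIIIIIHHI", b".text", len(text), text_rva,
                      len(text), text_raw, 0, 0, 0, 0, 0x60000020)
    headers = (dos + b"PE\0\0" + coff + bytes(opt) + sec).ljust(text_raw, b"\0")
    return headers + bytes(text)


if __name__ == "__main__":
    img = build_toy_pe()
    print("'User' pushed at:", [hex(v) for v in find_push_refs(img, USER_STR_VA)])
    print("check routine at file offset", hex(va_to_offset(img, CHECK_VA)))
    print("after patch:", check_routine_bytes(patch_check(img)).hex())
```

The byte check in patch_check is the part worth copying: a patch that lands on a different build of the program silently corrupts some unrelated instruction, so always compare against the bytes the disassembly showed before writing, and keep the backups the essay asks for.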

Cracked! Merry Christmas and all that stuff.





Final thoughts

"ONE CANNOT HEAR CLEARLY IF HE THINKS ABOUT LISTENING; ONE CANNOT KNOW IF HE THINKS ABOUT THINKING."
--Zen Proverb


Greetings


Groups: FWA, NWA, FTPiRatEz! HAR! BEASTFXP!, KANAL23
Individuals:
MiNioN, GreycZ & his cuppy, KlutCh, KiNgEr, MidNight, Edogg, Neoman, movax4c00int21, Acid_Cool_178, All those tuts I read from everyone who writes them.

CopyLeft:
sLeEpY¿
[all rights reversed]
Boredom causes crackers and babies.
Visit http://zor.org/sleepy & http://www.bright.net/~testsubject001

Mail sleepy@linuxwaves.com


This Document is copyrighted by kanal23 and it's members. Please mail the author of this document for complaints and those things.
Kanal23 is signing out for now.
