February  1999
"Cache & Cookie Washer for Opera v1.0"
( 'Patch For Expiration Removal'  )
Win '95 PROGRAM
Win Code Reversing

by Alibi

Code Reversing For Beginners

Program Details
Program Name: opwasher.exe (self extracting)
Program Type: Browser Cache Manager
Program Location: Here 
Program Size: 778Kb 
Tools Used:
 Softice V3.2 - Win'95 Debugger
W32Dasm V8.9 - Win'95 Disassembler
HIEW V6.02 - Dos Hex Editor
 
Rating
Easy ( X  )  Medium (   )  Hard (    )  Pro (    ) 
 

  This program is my first "solo" conquest.

Cache & Cookie Washer for Opera v1.0
( 'Patch For Expiration Removal'  )
Written by Alibi

 
Introduction
 
The author of Cache & Cookie Washer for Opera says:

"Cache & Cookie Washer for Opera is a very useful program for cleaning up tracks that you leave behind when using Opera's Browser. Many people do not realize that Opera stores information about what they have done on the Internet and what websites they have visited. Opera even allows web sites to store cookies, which are files that may possibly contain personal information about the user. As a result, anyone else can see what you have been doing on the Internet with Opera, which raises several privacy concerns. Furthermore, much of your Opera activity information takes up valuable disk space, and recovering this space can be very beneficial.

Cleaning up the history of your activities from Opera can be a tedious chore of manually removing each history file or entry. If privacy and disk space are to be maintained, cleaning these tracks must be done every time you are finished using Opera. Cache & Cookie Washer automates this process for you! It will automatically run in the background and clean up whatever tracks you want removed, whenever you want."
 
About this protection system
 
This program is a 30 day trial program, with a nag screen shown each time you run it. The nag screen doesn't show up until after 5 days' use, after which it decrements the number of days remaining in the trial, giving you a choice of "Try it" or "Buy it". After 30 days "Try it" is no longer an option.

The Essay
 

The first thing I did after installing this program was to start messing with my system clock. Setting the time ahead a few days or weeks allowed me to observe what is described above. OK, obviously the program is referring to my clock and checking the time/date against ...something. Set clock back to correct date/time and we're inside the 5 day no-nag period.

This is where Wdasm comes in. We load our main program, Washerop.exe, into Wdasm and go make a sandwich and paint the living room. (486, you see.) Having done this we check our String Data References for anything interesting. (Keep in mind that this is just a hobby for me and I don't really know what I'm doing.)
Scroll down a bit and we see: "software\atr1". Hmm. Well, "nothing ventured", etc. Start Regedit.exe and go to HKEY_LOCAL_MACHINE\SOFTWARE\atr1 and we see some values. The "data" is interesting; a 5 digit number that looks something like an encoded date. We bravely go ahead and increase this value by, oh, I don't know, 5 sounds good. We re-start Washerop.exe and lo and behold, a nag screen: "you currently have 25 days remaining....." Now we're cooking. Emboldened by this revelation I decided to see what would happen if I deleted this key altogether. (BTW, for those who aren't aware, your registry files are C:\windows(95)\user.dat & C:\windows(95)\system.dat & anything with a pol extension. 'Nuf said, right?) Well, we all make mistakes; turns out this prog. just won't run without that registry key. Go figger. We'll take this opportunity to re-install our program.

Just for fun let's go back to Wdasm and look at our Import Functions. We're looking for time-related stuff so we wander about until we come across kernel32.GetLocalTime and kernel32.GetSystemTime. Double-click on these guys to see what we get: GetSystemTime is referred to twice while GetLocalTime is referred to four times. -

* Reference To: kernel32.GetSystemTime, Ord:0000h
  |
:004011EC FF25DC214600 Jmp dword ptr [004621DC]
:004011F2 8BC0 mov eax, eax

* Reference To: kernel32.GetSystemTime, Ord:0000h
  |
:00402A1E E8C9E7FFFF Call 004011EC
:00402A23 0FB745F0 movzx eax, word ptr [ebp-10]
:00402A27 6BC03C imul eax, 0000003C
:00402A2A 660345F2 add ax, word ptr [ebp-0E]
:00402A2E 6BC03C imul eax, 0000003C
:00402A31 31D2 xor edx, edx
:00402A33 668B55F4 mov dx, word ptr [ebp-0C]
:00402A37 01D0 add eax, edx
:00402A39 69C0E8030000 imul eax, 000003E8
:00402A3F 668B55F6 mov dx, word ptr [ebp-0A]
:00402A43 01D0 add eax, edx
:00402A45 89053C104600 mov dword ptr [0046103C], eax
:00402A4B 8BE5 mov esp, ebp
:00402A4D 5D pop ebp
:00402A4E C3 ret

* Reference To: kernel32.GetLocalTime, Ord:0000h
  |
:00405BA8 FF2540234600 Jmp dword ptr [00462340]
:00405BAE 8BC0 mov eax, eax

* Reference To: kernel32.GetLocalTime, Ord:0000h
  |
:0040866C E837D5FFFF Call 00405BA8
:00408671 668B4C240E mov cx, word ptr [esp+0E]
:00408676 668B54240A mov dx, word ptr [esp+0A]
:0040867B 668B442408 mov ax, word ptr [esp+08]
:00408680 E81FFEFFFF call 004084A4
:00408685 DD1C24 fstp qword ptr [esp]
:00408688 9B wait
:00408689 DD0424 fld qword ptr [esp]
:0040868C 83C418 add esp, 00000018
:0040868F C3 ret

* Reference To: kernel32.GetLocalTime, Ord:0000h
  |
:00408698 E80BD5FFFF Call 00405BA8
:0040869D 668B442416 mov ax, word ptr [esp+16]
:004086A2 50 push eax
:004086A3 668B4C2418 mov cx, word ptr [esp+18]
:004086A8 668B542416 mov dx, word ptr [esp+16]
:004086AD 668B442414 mov ax, word ptr [esp+14]
:004086B2 E811FCFFFF call 004082C8
:004086B7 DD1C24 fstp qword ptr [esp]
:004086BA 9B wait
:004086BB DD0424 fld qword ptr [esp]
:004086BE 83C418 add esp, 00000018
:004086C1 C3 ret

* Reference To: kernel32.GetLocalTime, Ord:0000h
  |
:004086C8 E8DBD4FFFF Call 00405BA8
:004086CD 668B0424 mov ax, word ptr [esp]
:004086D1 83C410 add esp, 00000010
:004086D4 C3 ret

Interesting, but nothing really jumps out at you.
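To see why nothing jumps out, here is the arithmetic at 0045DA23..0045DA45 of the GetSystemTime caller rewritten in C. This is an added illustration, not code from the essay or from the program; it assumes the SYSTEMTIME buffer starts at [ebp-18], which is inferred from the field offsets the routine reads. The routine only packs the time of day into milliseconds since midnight, so the day count that drives the nag must come from elsewhere (the registry value found above).

```c
#include <stdint.h>

/* Constructed stand-in for the Win32 SYSTEMTIME layout (same field order and
   16-bit widths as the real struct) so this compiles without windows.h. */
typedef struct {
    uint16_t wYear, wMonth, wDayOfWeek, wDay;
    uint16_t wHour, wMinute, wSecond, wMilliseconds;
} systemtime_t;

/* Mirrors :00402A23..:00402A45. With the buffer at [ebp-18] (assumption),
   [ebp-10] is wHour, [ebp-0E] wMinute, [ebp-0C] wSecond, [ebp-0A] wMilliseconds.
   The value finally stored to [0046103C] is milliseconds since midnight. */
uint32_t ms_since_midnight(const systemtime_t *st)
{
    uint32_t eax = st->wHour;                 /* movzx eax, word ptr [ebp-10] */
    eax *= 60;                                /* imul eax, 0000003C            */

    /* add ax, word ptr [ebp-0E] is a 16-bit add: only the low word of eax is
       updated. For a valid hour (<= 23) hour*60+minute <= 1439, so nothing is
       lost, but the emulation keeps the 16-bit behaviour faithfully. */
    uint32_t low = (eax + st->wMinute) & 0xFFFFu;
    eax = (eax & 0xFFFF0000u) | low;

    eax *= 60;                                /* imul eax, 0000003C            */
    eax += st->wSecond;                       /* xor edx,edx; mov dx,[ebp-0C]; add eax,edx */
    eax *= 1000;                              /* imul eax, 000003E8            */
    eax += st->wMilliseconds;                 /* mov dx,[ebp-0A]; add eax,edx  */
    return eax;                               /* mov [0046103C], eax           */
}
```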
Now let's look at the string data references again for the nag screen messages. We see "You currently have"
and " left in your trial." and "Sorry! Your 30 day trial." We search for these references and they all show up quite close together. -

:0045DADE E8E9C7FFFF call 0045A2CC
:0045DAE3 833D8819460009 cmp dword ptr [00461988], 00000009 } compare with 9
:0045DAEA 7546 jne 0045DB32 } <== very interesting! note where this points

* Possible StringData Ref from Code Obj ->"You currently have "
  |
:0045DAEC 6820E64500 push 0045E620
:0045DAF1 FF358C194600 push dword ptr [0046198C]

* Possible StringData Ref from Code Obj ->" left in your trial."
  |
:0045DAF7 683CE64500 push 0045E63C
:0045DAFC 8D45EC lea eax, dword ptr [ebp-14]
:0045DAFF BA03000000 mov edx, 00000003
:0045DB04 E8BB62FAFF call 00403DC4
:0045DB09 8B55EC mov edx, dword ptr [ebp-14]
:0045DB0C A1680E4600 mov eax, dword ptr [00460E68]
:0045DB11 8B00 mov eax, dword ptr [eax]
:0045DB13 8B80E0010000 mov eax, dword ptr [eax+000001E0]
:0045DB19 E84A29FCFF call 00420468
:0045DB1E A1E80E4600 mov eax, dword ptr [00460EE8]
:0045DB23 C60001 mov byte ptr [eax], 01
:0045DB26 A1680E4600 mov eax, dword ptr [00460E68]
:0045DB2B 8B00 mov eax, dword ptr [eax]
:0045DB2D E84205FDFF call 0042E074

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0045DAEA(C)
|
:0045DB32 833D881946000A cmp dword ptr [00461988], 0000000A <== compare with 10
:0045DB39 7568 jne 0045DBA3
:0045DB3B A1680E4600 mov eax, dword ptr [00460E68]
:0045DB40 8B00 mov eax, dword ptr [eax]
:0045DB42 8B80E0010000 mov eax, dword ptr [eax+000001E0]

* Possible StringData Ref from Code Obj ->" Sorry! Your 30 day trial "
  ->"has expired."

These compare routines and conditional jumps so close to the nag messages just beg attention, so let's set our clock ahead at least 5 days so we know the nag will pop.
Now, with Soft-ice running we Ctrl-D in and set a couple of breakpoints, namely bpx getsystemtime and bpx getlocaltime. F5 out and start our program. Incidentally, my taskbar is set to auto-hide and Soft-ice breaks when the taskbar reveals itself. No big deal, we just F5 again. When we start the program Soft-ice breaks, due to getlocaltime, in some horribly unrelated location. Wait a minute, according to Wdasm that import was referred to 4 times, right? With much confidence and about 11 pounds of horseshoes up our ass we merrily hit F5 3 times to allow Soft-ice to break on each of those references (I think) and then strike the F11 key to step out of that call. The first thing that catches our eye is WASHEROP!CODE. Good sign. F10 to step through the instructions until we see something interesting. (77 times, I believe.)

:0045DADE E8E9C7FFFF call 0045A2CC
:0045DAE3 833D8819460009 cmp dword ptr [00461988], 00000009 <== remember this stuff ?
:0045DAEA 7546 jne 0045DB32
:0045DAEC 6820E64500 push 0045E620

We think it would be a good idea to maybe change that conditional jump to an unconditional one so:

a 0045DAEA [enter]
jmp 0045DB32 [enter] [enter]

Disable all breakpoints "be * [enter]" and F5 out. Well, Well, no nag! But we're not done yet. Set the clock ahead a month and run the program. "Sorry, your 30 day...." Set the clock back a month so we're in the last 25 days of the trial and do all that stuff you did to get to 0045DAEA and set that jump again but this time F10 down
to 0045DB39 and set that conditional to unconditional as well:

a 0045DB39 [enter]
jmp 0045DBA3 [enter] [enter]

Disable breakpoints and F5 out... Hooray!

 
The Patches 
 

Now to make these changes permanent:

First make a back-up copy of Washerop.exe
Using HIEW, load Washerop.exe and F4 to select decode mode
F5 and go to .0045DAEA
Place the cursor over 7546, F3 and change to EB46, F9 to update
Scroll down to 0045DB39
Place the cursor over 7568, F3 and change to EB68, F9 to update
F10 to exit

Done!

REMEMBER, I'm cracking as a hobby and for the challenge. If you like this or any other shareware utility and want to continue using it, please support the author and pay for it.
 
 
 
Final Notes
It is interesting to note that a less aggressive way to get past the 30 day expiry would be to un-install the program, delete the aforementioned "atr1" key, re-start Windows and re-install the program = 30 more days, ad infinitum.

Thanks to all the other curious deviants out there who just can't leave well enough alone.
 
Essay by: Alibi
Page created using a page from Sandman's site as a template.