Assembly Language for Beginners


8.4. HACKING WINDOWS CLOCK


.text:6EB9DC8E mov ecx, [ebp+arg_0]
.text:6EB9DC91 mov [ebp+var_8], eax
.text:6EB9DC94 mov eax, [ebp+arg_8]
.text:6EB9DC97 mov [ebp+var_4], eax
.text:6EB9DC9A lea eax, [ebp+var_8]
.text:6EB9DC9D push eax
.text:6EB9DC9E lea eax, [ebp+var_10]
.text:6EB9DCA1 push eax
.text:6EB9DCA2 push [ebp+arg_C]
.text:6EB9DCA5 call ?DrawLine@Graphics@Gdiplus@@QAE?AW4Status@2@PBVPen@2@ABVPoint@2@1@Z ; Gdiplus::Graphics::DrawLine(Gdiplus::Pen const *,Gdiplus::Point const &,Gdiplus::Point const &)
.text:6EB9DCAA
.text:6EB9DCAA loc_6EB9DCAA: ; CODE XREF: CAnalogClock::_DrawHand(Gdiplus::Graphics *,int,ClockHand const &,Gdiplus::Pen *)+9B
.text:6EB9DCAA ; CAnalogClock::_DrawHand(Gdiplus::Graphics *,int,ClockHand const &,Gdiplus::Pen *)+9F
.text:6EB9DCAA pop edi
.text:6EB9DCAB pop esi
.text:6EB9DCAC pop ebx
.text:6EB9DCAD leave
.text:6EB9DCAE retn 10h
.text:6EB9DCAE ?_DrawHand@CAnalogClock@@AAE?AW4Status@Gdiplus@@PAVGraphics@3@HABUClockHand@@PAVPen@3@@Z endp
.text:6EB9DCAE


We can see that the DrawLine() arguments depend on the result of the MulDiv() function and on a table[] (the name is mine), which has 8-byte elements (look at LEA's second operand).


What is inside of table[]?


.text:6EB87890 ; int table[]
.text:6EB87890 table dd 0
.text:6EB87894 dd 0FFFFE0C1h
.text:6EB87898 dd 344h
.text:6EB8789C dd 0FFFFE0ECh
.text:6EB878A0 dd 67Fh
.text:6EB878A4 dd 0FFFFE16Fh
.text:6EB878A8 dd 9A8h
.text:6EB878AC dd 0FFFFE248h
.text:6EB878B0 dd 0CB5h
.text:6EB878B4 dd 0FFFFE374h
.text:6EB878B8 dd 0F9Fh
.text:6EB878BC dd 0FFFFE4F0h
.text:6EB878C0 dd 125Eh
.text:6EB878C4 dd 0FFFFE6B8h
.text:6EB878C8 dd 14E9h


...


It's referenced only from the DrawHand() function. It has 120 32-bit words, or 60 32-bit pairs... wait, 60? Let's take a closer look at these values. First of all, I'll zap 6 pairs (12 32-bit words) with zeros, and then I'll put the patched TIMEDATE.CPL into C:\WINDOWS\SYSTEM32. (You may need to set the owner of the TIMEDATE.CPL file to your primary user account instead of TrustedInstaller, and also boot in safe mode with command prompt so you can copy the file, which is usually locked.)
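As an added exercise (my own code, not from the book), here is a small Python helper that parses the dd lines quoted above into signed 32-bit values, groups them into the 8-byte elements the LEA operand implies, and tests an assumption of mine about what they are: that each pair is an (x, y) endpoint on a circle around the clock centre, spaced 6 degrees apart (one per minute mark), with a fixed radius that MulDiv() later scales to the window size. The trailing unpaired word is handled because the listing is cut off after 15 words.

```python
import math
import re
# Constructed input: the dd lines of table[] exactly as quoted in the listing above
# (IDA syntax). The final word 14E9h has no partner because the listing is cut off.
IDA_DUMP = """\
.text:6EB87890 table dd 0
.text:6EB87894 dd 0FFFFE0C1h
.text:6EB87898 dd 344h
.text:6EB8789C dd 0FFFFE0ECh
.text:6EB878A0 dd 67Fh
.text:6EB878A4 dd 0FFFFE16Fh
.text:6EB878A8 dd 9A8h
.text:6EB878AC dd 0FFFFE248h
.text:6EB878B0 dd 0CB5h
.text:6EB878B4 dd 0FFFFE374h
.text:6EB878B8 dd 0F9Fh
.text:6EB878BC dd 0FFFFE4F0h
.text:6EB878C0 dd 125Eh
.text:6EB878C4 dd 0FFFFE6B8h
.text:6EB878C8 dd 14E9h
"""

def parse_ida_dwords(dump):
    """Return every 'dd' operand as a signed 32-bit int (IDA hex ends in 'h')."""
    words = []
    for line in dump.splitlines():
        m = re.search(r"\sdd\s+([0-9A-Fa-f]+h?)\s*$", line)
        if not m:
            continue
        tok = m.group(1)
        v = int(tok[:-1], 16) if tok.endswith("h") else int(tok, 10)
        if v >= 0x80000000:  # two's complement: 0FFFFE0C1h is -7999
            v -= 0x100000000
        words.append(v)
    return words

def pairs_from_words(words):
    """Group into 8-byte (x, y) elements; an odd trailing word is returned separately."""
    pairs = [(words[i], words[i + 1]) for i in range(0, len(words) - 1, 2)]
    return pairs, words[2 * len(pairs):]

def analyse_pairs(pairs):
    """Per pair: vector length and clockwise angle from 12 o'clock (screen y points down)."""
    return [(math.hypot(x, y), math.degrees(math.atan2(x, -y)) % 360) for x, y in pairs]

if __name__ == "__main__":
    pairs, rest = pairs_from_words(parse_ida_dwords(IDA_DUMP))
    for (x, y), (r, a) in zip(pairs, analyse_pairs(pairs)):
        print(f"({x:6d}, {y:6d})  r={r:7.1f}  angle={a:5.1f}")
    print("unpaired trailing words:", rest)
```

Every complete pair comes out at a length of about 8000 and at 0, 6, 12, ... degrees, which fits a 60-entry table of hand endpoints and explains why zapping 6 pairs should remove 6 adjacent minute positions.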
