A reverse engineering log: removing a trial expiration check (an example)

Source: Internet
Author: User



Contents

1. The restriction on the target
2. Check the PE information
3. Find how the unregistered / time-limited state is displayed
4. Load the file directly and check the entry point
5. Try the string search first
6. What happens after expiration
7. Search for strings (as in step 5)
8. Pause the program and walk back the call stack
9. That was the time check
10. Postscript
11. Others


Target program: SQL browser 3.5.7

1. The restriction on the target

The program stops working after a 30-day trial. After that you either buy it, register it, or throw it in the bin.

?

2. Check the PE information

The entry point (OEP) is at a high address and the section table looks normal, but the extra data shows signs of compression, so the file may be packed. There is also a debug section. The PE viewer output is too large to include in full here.

?

3. Find how the unregistered / time-limited state is displayed

Open the program in OllyDbg. The welcome page shows the remaining days, in the format "trial version, %d days remaining". The number in that string has to be computed and written in at run time, so the flow is probably: on start, check whether the program is registered; if not, get the local time, compare it with the first-run record, and display the result. That gives four ways to find the key code:

(1) the simplest, a search for the string;

(2) the API that writes the text to the interface (for a standard control, SetWindowText or SetDlgItemText; I have not yet met text drawn through GDI or DirectX, which would need separate checking). In my view this is closest to the key code, and it offers both a string and a conditional jump to break on;

(3) the resource loading functions, LoadResource, LoadString and so on;

(4) pause with F12 while the text is displayed and walk back the call stack.
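The decision flow guessed above (registered? if not, compare the local time with the stored first-run record, then display the result), written out in C as an added illustration. This is not code from SQL browser; the function names, the 30-day window and storing the first-run date as a time_t are assumptions. It also covers the two clock cases that matter for such a check: the clock moved forward (which the article uses later to trigger expiry) and the clock moved back, which a naive (now - first_run) / 86400 would turn into a trial longer than 30 days.

```c
#include <stdio.h>
#include <string.h>
#include <time.h>

#define TRIAL_DAYS    30          /* assumed trial length */
#define SECS_PER_DAY  86400L

enum trial_state { TRIAL_REGISTERED, TRIAL_ACTIVE, TRIAL_EXPIRED };

/* Days left in the trial from the stored first-run time and the current
   local time; 0 means the trial is over. A clock set back before the
   first run (now < first_run) counts as expired, not as a new 30 days. */
int trial_days_remaining(time_t first_run, time_t now)
{
    long elapsed_days;

    if (now < first_run)
        return 0;
    elapsed_days = (long)((now - first_run) / SECS_PER_DAY);
    if (elapsed_days >= TRIAL_DAYS)
        return 0;
    return TRIAL_DAYS - (int)elapsed_days;
}

/* The check the article reconstructs: registered first, otherwise compare
   the local time with the first-run record. In the binary this is the
   conditional jump that later gets turned into an unconditional one. */
enum trial_state trial_check(int registered, time_t first_run, time_t now)
{
    if (registered)
        return TRIAL_REGISTERED;
    return trial_days_remaining(first_run, now) > 0 ? TRIAL_ACTIVE
                                                    : TRIAL_EXPIRED;
}

/* Formats the welcome-page text (wording assumed); returns the state chosen. */
enum trial_state trial_message(char *out, size_t outlen, int registered,
                               time_t first_run, time_t now)
{
    enum trial_state st = trial_check(registered, first_run, now);

    switch (st) {
    case TRIAL_REGISTERED:
        snprintf(out, outlen, "registered version");
        break;
    case TRIAL_ACTIVE:
        snprintf(out, outlen, "trial version, %d days remaining",
                 trial_days_remaining(first_run, now));
        break;
    default:
        snprintf(out, outlen, "trial expired");
        break;
    }
    return st;
}

int main(void)
{
    char msg[64];
    time_t now = time(NULL);
    time_t first_run = now - 5 * SECS_PER_DAY;  /* pretend first run was 5 days ago */

    trial_message(msg, sizeof msg, 0, first_run, now);
    puts(msg);                                  /* trial version, 25 days remaining */
    trial_message(msg, sizeof msg, 0, first_run, now + 30 * SECS_PER_DAY);
    puts(msg);                                  /* trial expired */
    return 0;
}
```

The first-run record itself (registry value, file, or something else) is left out because the article never identifies where SQL browser keeps it; section 11 lists the file APIs to watch if it is a file.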

4. Load the file directly and check the entry point

Everything looks normal; nothing suspicious.

5. Try the string search first

In the CPU window of the main module: right-click > Search for > All referenced text strings. (The built-in string list only catches immediates, i.e. push imm or mov reg, imm. A literal string is usually passed as SetWindowText(hwnd, "string"); a string loaded from resources is dynamic, SetWindowText(hwnd, pszString) or an array, and will not show up this way.) Press Ctrl+F and type "trial version"; you do not need to type all of it. Ctrl+L finds the next match. There is only one hit.


Double-click the hit (or press Enter with the focus on it) to land on it in the CPU window. The other key information is close by: the string "registered to". The two jumps just before it can be bypassed.

First patch: change mov ebx, eax to mov bl, 1.

Second patch: change jnz 00AE618D to jmp 00AE618D.

Right-click > Edit > Copy all modifications to executable; in the window that opens, right-click > Save file... and save under a new name.

6. What happens after expiration

First set the system clock forward 30 days, then open the file modified above. An "expired" prompt appears, followed by a second dialog with three options: Buy, Register, Close. Whichever you choose except Register, the program terminates.

One awkward point: when OllyDbg opens the renamed executable, the analysis information cached for the original program is not reused.

7. Search for strings (as in step 5)

This dialog is quite different from the earlier one: its text is fixed. Locating the string may not lead to the key jump; the dialog is probably a lower-level call, or a callback, reached from the key jump.

Clearly these texts are displayed statically, with no check around them.

In user32.dll the dialog is created with a callback, the lpDialogFunc dialog procedure:


Modeless dialog box

HWND CreateDialogParam(HINSTANCE hInstance, LPCTSTR lpTemplateName, HWND hWndParent, DLGPROC lpDialogFunc, LPARAM dwInitParam);

HWND CreateDialogIndirectParam(HINSTANCE hInstance, LPCDLGTEMPLATE lpTemplate, HWND hWndParent, DLGPROC lpDialogFunc, LPARAM lParamInit);

Modal dialog box

INT_PTR DialogBoxIndirectParam(HINSTANCE hInstance, LPCDLGTEMPLATE hDialogTemplate, HWND hWndParent, DLGPROC lpDialogFunc, LPARAM dwInitParam);

INT_PTR DialogBoxParam(HINSTANCE hInstance, LPCTSTR lpTemplateName, HWND hWndParent, DLGPROC lpDialogFunc, LPARAM dwInitParam);


The two modeless calls go through CreateDialogIndirectParamAorW and the two modal calls through DialogBoxIndirectParamAorW; all of them create the window with CreateWindowExW:

HWND CreateWindowExW(DWORD dwExStyle, LPCTSTR lpClassName, LPCTSTR lpWindowName, DWORD dwStyle, int X, int Y, int nWidth, int nHeight, HWND hWndParent, HMENU hMenu, HINSTANCE hInstance, LPVOID lpParam);

A breakpoint on the imported dialog-creation functions never fires. A breakpoint on CreateWindowExW does, but it fires for every control and every other window, not just our one dialog. So the practical choice is a conditional breakpoint on user32.CreateWindowExW, e.g. UNICODE[[ESP+8]]=="register" (CreateWindowExW is imported, so the breakpoint can be set on the import). Check the offset against the argument you actually want: at function entry [ESP+4] is dwExStyle, [ESP+8] is lpClassName and [ESP+0C] is lpWindowName.

The button caption may also be set later, for example with

BOOL user32.SetWindowTextW(HWND hWnd, LPCWSTR lpString), which sends WM_SETTEXT through SendMessage:

LRESULT WINAPI SendMessage(_In_ HWND hWnd, _In_ UINT Msg, _In_ WPARAM wParam, _In_ LPARAM lParam);

#define WM_SETTEXT 0x000C

user32.TranslateMessage: BOOL WINAPI TranslateMessage(_In_ const MSG *lpMsg);

typedef struct tagMSG {
    HWND   hwnd;
    UINT   message;
    WPARAM wParam;
    LPARAM lParam;
    DWORD  time;
    POINT  pt;
} MSG, *PMSG, *LPMSG;


As you can see, locating the code this way can be slow.

8. Pause the program and walk back the call stack

Alternatively, with the registration dialog displayed, press F12 to pause and look at the call stack. The key call is the third frame back; that call is blocked inside the dialog, i.e. it is what decides what happens after the button is pressed.

In fact, scrolling down in the string search results shows the same thing as this figure.

As expected, double-clicking an entry in the Call stack window (Alt+K) takes us to where the call was made (the "Called from" column). We broke in proc_012ED3C4; the call stack shows that 012ED3C4 is called from proc_012EF64C.

The call chain is shown below. Each CALL pushes a return address and each RETN pops one, which can be followed in the stack pane at the lower right of the CPU window:

One level up there is a jump that can be bypassed; change it to JMP. This is the third check. Press F9 and the program runs straight past the pop-up to the main window. The restriction is gone.
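The two edits from step 5 (mov ebx, eax to mov bl, 1; jnz to jmp) and the jump flip in step 8 are what OllyDbg's "Copy all modifications to executable" writes to disk. As an added example, not code from the article or from OllyDbg, here is the same byte-level operation done by hand in C, on a constructed code fragment rather than bytes from SQL browser. The encodings assumed are 8B D8 for mov ebx, eax and B3 01 for mov bl, 1 (a compiler may also emit 89 C3 for the former, which is why the patcher checks the bytes it expects before writing; that check is what would have caught the unexpected extra modifications described in the postscript). It handles both the short (75 rel8) and near (0F 85 rel32) forms of jnz; the near form needs its displacement increased by one because jmp rel32 is a byte shorter and the displacement is measured from the end of the instruction.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

enum patch_result { PATCH_OK, PATCH_BAD_OFFSET, PATCH_UNEXPECTED_BYTES };

static uint32_t rd32le(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

static void wr32le(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)v;         p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Replace len bytes at off, but only if the bytes currently there are the
   ones expected; a blind write is how unintended changes go unnoticed.
   The replacement has the same length, so nothing after it moves. */
enum patch_result patch_bytes(uint8_t *buf, size_t buflen, size_t off,
                              const uint8_t *expect, const uint8_t *repl,
                              size_t len)
{
    if (off > buflen || len > buflen - off)
        return PATCH_BAD_OFFSET;
    if (memcmp(buf + off, expect, len) != 0)
        return PATCH_UNEXPECTED_BYTES;
    memcpy(buf + off, repl, len);
    return PATCH_OK;
}

/* Turn the conditional jump at off into an unconditional jump to the same
   target.  Short form: 7x rel8 -> EB rel8 (same length).  Near form:
   0F 8x rel32 -> E9 (rel32+1) 90: jmp rel32 is one byte shorter and the
   displacement is relative to the end of the instruction, so it grows by
   one, and a NOP fills the freed byte. */
enum patch_result patch_jcc_to_jmp(uint8_t *buf, size_t buflen, size_t off)
{
    if (off >= buflen)
        return PATCH_BAD_OFFSET;
    if (buf[off] >= 0x70 && buf[off] <= 0x7F) {
        if (buflen - off < 2)
            return PATCH_BAD_OFFSET;
        buf[off] = 0xEB;
        return PATCH_OK;
    }
    if (buf[off] == 0x0F) {
        if (buflen - off < 6)
            return PATCH_BAD_OFFSET;
        if (buf[off + 1] < 0x80 || buf[off + 1] > 0x8F)
            return PATCH_UNEXPECTED_BYTES;
        buf[off] = 0xE9;
        wr32le(buf + off + 1, rd32le(buf + off + 2) + 1u);
        buf[off + 5] = 0x90;
        return PATCH_OK;
    }
    return PATCH_UNEXPECTED_BYTES;
}

/* Constructed sample, not bytes taken from SQL browser. */
static const uint8_t sample_code[] = {
    0x8B, 0xD8,                         /*  0: mov ebx, eax   */
    0x85, 0xDB,                         /*  2: test ebx, ebx  */
    0x75, 0x05,                         /*  4: jnz short +5   */
    0x0F, 0x85, 0x10, 0x00, 0x00, 0x00, /*  6: jnz near +0x10 */
    0xC3                                /* 12: ret            */
};
uint8_t patched[sizeof sample_code];

/* Applies the three edits to a copy of sample_code; returns how many
   succeeded and leaves the result in patched[]. */
int demo_patches(void)
{
    static const uint8_t mov_ebx_eax[] = { 0x8B, 0xD8 };
    static const uint8_t mov_bl_1[]    = { 0xB3, 0x01 };
    size_t n = sizeof sample_code;
    int ok = 0;

    memcpy(patched, sample_code, n);
    ok += patch_bytes(patched, n, 0, mov_ebx_eax, mov_bl_1, 2) == PATCH_OK;
    ok += patch_jcc_to_jmp(patched, n, 4) == PATCH_OK;   /* step-5 jnz  */
    ok += patch_jcc_to_jmp(patched, n, 6) == PATCH_OK;   /* step-8 jump */
    return ok;
}

int main(void)
{
    size_t i;
    printf("%d patches applied:", demo_patches());
    for (i = 0; i < sizeof patched; i++)
        printf(" %02X", patched[i]);
    putchar('\n');
    return 0;
}
```

The offsets here are file offsets. OllyDbg shows virtual addresses and translates them through the section table when it copies modifications to the executable; when patching by hand you do the same translation (VA minus ImageBase minus the section's VirtualAddress, plus its PointerToRawData), and a packed file, as section 2 suspects this one may be, has to be unpacked first or patched in the unpacked image.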


9. That was the time check

There is also the registration window; the registration code could be reversed too, which is harder than patching the file because the algorithm has to be analysed.

First.

10. Postscript

Finally, my OllyDbg had a problem. Saving and running the first modification was fine, but the second modification always misbehaved. It took a long time to find out: tracing showed the second modification was never even reached; it crashed right at the start. That made no sense, and it was frustrating for a long time.

The figure shows that the debug section mentioned earlier contains debugging information.

Every time I thought the modification was wrong I saved it again, but the file was too large to compare by eye. Later I compared the files with the FC command now and then, and used right-click > Search for > All modifications in OllyDbg: there were many more changes, 6 or 7 places I had not modified. What a pitfall...

I remember someone saying OllyDbg has a problem saving files.


11. Others

There are many ways a program can check whether a file exists: CreateFile, FindFirstFile, FindNextFile, GetFileAttributesEx and so on. For example, GetFileAttributesExW:

BOOL kernel32.GetFileAttributesExW(lpFileName, fInfoLevelId, lpFileInformation) {
    call ntdll.RtlDosPathNameToNtPathName_U
    call ntdll.NtQueryFullAttributesFile
}
