Software simulated dongle user count Control tracking notes

There are a lot of articles about "dotting" on the Internet, and there are also a lot of "software simulated dogs ". We can see that the number of registered users of some dongles is controlled from 2

User ~ 9999 users ~ 2.1 billion users, I felt very uncomfortable, so I downloaded a few

Different "software simulated dogs" start tracking.

Several downloaded "software simulated dogs" were tested after shelling and correction, some simply patched, and some even modified one or two jumps.

I think it is a "dog", and it does not follow the "dog" process, and does not restore the data in the "dog", so I gave up this

Test similar to "software simulated dog.

One "software simulated dog" has a good data recovery experience in the "dog". Compared with the original version, in addition to restoring data in the "dog ",

If no modification jump is found, use this to test and track.

Software simulated dogs are generally protected by some shells. The shelling process is omitted.

OD loads the shell-removing corrected file and F9 runs.

In addition to the user data that can be seen in the user list, this software cannot obtain the required sensitive characters in strings and memory.

It is difficult to break down. Fortunately, you can find the ASCII "all" through the plug-in and take it off.

//////////////////////////////////////// //////////////////////////////////////// //////////////
= Check the number of users =
00434CA4 |. 50 push eax;/Arg1 = 0012F780
00434CA5 |. E8 AAE2FFFF call un_SDE3S.00432F54; un_SDE3S.00432F54
00434CAA |. 59 pop ecx
00434CAB |. 83C0 04 add eax, 4
00434CAE |. 8945 D4 mov dword ptr ss: [ebp-2C], eax
00434CB1 |. 8D45 08 lea eax, dword ptr ss: [ebp + 8]
00434CB4 |. 8B4D D4 mov ecx, dword ptr ss: [ebp-2C]
00434CB7 8B55 0C mov edx, dword ptr ss: [ebp + C]; Number of users [ebp + C] --> edx
==========================================================
Stack ss: [0012F7C8] = 00000002 // Number of users
Edx = 03277960 // write address
==========================================================
00434CBA 8951 0C mov dword ptr ds: [ecx + C], edx; number of edx users --> [ecx + C]
==========================================================
Edx = 00000002 // Number of users
Ds: [03277980] = 00000003 // write address
==========================================================
//////////////////////////////////////// //////////////////////////////////////// //////////////
= About the number of checked users =

When we look at the Help ---> about, the software checks and confirms the number of users from here.

00434F8F |. 51 push ecx;/Arg1
00434F90 |. E8 BFDFFFFF call un_SDE3S.00432F54; un_SDE3S.00432F54
00434F95 |. 59 pop ecx
00434F96 |. 83C0 04 add eax, 4
00434F99 |. 8945 D0 mov dword ptr ss: [ebp-30], eax
00434F9C |. 837D 0C 00 cmp dword ptr ss: [ebp + C], 0
00434FA0 |. 74 0B je short un_SDE3S.00434FAD
00434FA2 |. 8B45 D0 mov eax, dword ptr ss: [ebp-30]
00434FA5 |. 8B4D 0C mov ecx, dword ptr ss: [ebp + C]
00434FA8 |. 8B50 0C mov edx, dword ptr ds: [eax + C]; [ebp + C] = number of users
========================================================== =
Ds: [03277980] = 00000002 // Number of users
Edx = 03277960 // write address
========================================================== =
00434FAB |. 8911 mov dword ptr ds: [ecx], edx
========================================================== =
Edx = 00000002 // Number of users
Stack ds: [0012F734] = 00000000 // memory address
========================================================== =
//////////////////////////////////////// //////////////////////////////////////// //////////////

According to the string "all", search here and break it under 00000089c.

0036689c E8 23770500 call SDE3Serv. 0047DFC4; dog data is restored here.
003478a1 50 push eax
00da-8a2 8D85 60 FFFFFF lea eax, dword ptr ss: [ebp-A0]
003478a8 66: C785 0 CFFFFFF> mov word ptr ss: [ebp-F4], 194
003478b1 BA 35C74800 mov edx, SDE3Serv. 0048C735; ASCII "all"
......
00656C39 8A4424 04 mov al, byte ptr ss: [esp + 4]; [esp + 4] = number of users
00656C3D E8 0C72F9FF call SDE3Serv. 005EDE4E; F7
00656C42 5A pop edx
......
005EDE4E/0F83 2E4A0500 jnb SDE3Serv. 00642882
005EDE54 | 0F82 0FD20200 jb SDE3Serv. 0061B069
005EDE5A | 9C pushfd
......
0047D8CD E8 4EE0FFFF call SDE3Serv. 0047B920; enter F7
0047D8D2 83C4 0C add esp, 0C
0047D8D5 EB 01 jmp short SDE3Serv. 0047D8D8
0047D8D7 24 59 and al, 59
0047D8D9 5A pop edx
0047D8DA 5D pop ebp
00