How can I modify the trial software in the Registry to use it?

Generally, when the software is installed for the first time (or during the first run), it takes the current date and time as the benchmark and is recorded as the start of the trial period. This record will be taken out before each running in the future, and then compared with the current time. If it is okay during the trial period, you can continue to use it; otherwise, then, the software has expired. Continue to use, Money! Therefore, the method for modifying the system time mentioned above is only a temporary solution. To solve this problem, the key is to start from the root cause.

So how can we modify this time record? Don't worry. It's not easy to change it. First you have to find it first. This is also the key of this article. You should take a closer look.

Think about where this record will be stored? In Windows, where is the software configuration information stored? Yes! Just in the Registry, this Registry is a large and complex database, so it is mysterious for general users and does not dare to step over the record. This provides a hiding place for some software encryption. Many software puts the current time in a location in the registry for the first time. In the future, the time will be taken out from here and then compared with the current time to determine whether it expires. This record will not be automatically cleared after the software is uninstalled, which is why it will be said the reason for expiration when the software is reinstalled once. Now that we know this record is in the registry, how can we find it?

Someone may ask, how can I not find this time using the Registry Editor (RegEdit) search function?

Dumb! Are you playing hide-and-seek? Since it is a hidden object, can you just find it in that way? This time record is stored in encrypted data, and you will see odd and practically meaningless strings such as A4ECFA57-D0A3-9FF3-8481-A492EB945058. It is a waste of time to search for date formats such as 2000-1-1 Using Regedit. So you can see a strange string of data in the registry. The more eccentric it is, the more suspicious it is.

In fact, it is not difficult to find them in the registry. There are two methods: one is to back up the entire registry before the software is installed (the first installation), and then install. Compare the two registries before and after installation to find out the newly added or changed ones, narrow down the suspicious scope, and then further judge. Here we can use Regsnap to do this. However, this method has a major disadvantage, that is, the workload is large, and once the software has been installed in advance, this method will be ineffective. So in this case, we can only use the second method. Some related tools are used to monitor software operations on the registry, such as the well-known RegMon (Registry Monitor ). Use regmon to monitor the events that read this record from the registry at software startup, so as to find its hiding place.

The specific operation method is described in the following example using Paint Shop Pro 6.0:

You have to install the Paint Shop Pro (nonsense ). After preparing, let's start. Open Regmon and fill in psp (name of the execution file of Paint Shop Pro) in the filtering settings. This indicates that only the PSP file is monitored. After filtering, start monitoring. Open PSP and stop monitoring when the startup screen appears and the time in use is displayed. What information does PSP read from the Registry during this period of time? Then carefully analyze the monitoring results (focus on the next part, and think about why ?). Since the software stores the time in the Registry in encrypted form, it is time for regmon to monitor a strange string of characters in the data. Although we do not know its specific encryption algorithm, the simplest method-delete will not solve the problem? Double-click the data that is being monitored, directly let RegMon Open RegEdit, locate the HKEY_CLASSES_ROOTCLSID {ADBB2D80-5DFD-11D2-A00C-00104B65AAF5} MS, and delete the iPID60u value in the right window. Restart PSP and you will find that it has timed again since the first day.

How is it? Isn't it difficult to change it? In fact, it is so easy to manually remove the time limit of some software. The key is to find the hiding place of the time record first, and then take a Del key gently. Done!

Of course, not all software can be solved in this simple way. They also seem to understand this point, and the light only hides a value in the registry, is easily discovered by others. So they add a protection layer. For a single record, you may encounter a dead mouse and let it hit you. Are you lucky to keep two records? However, it is difficult to avoid RegMon. As long as the program needs to read and write the registry, it cannot escape its monitoring. You only need to be careful and try more. N records can also be found! Haha ........ If you don't want to know, unless it is no longer. Every time you do anything, there will be some clues. Hey ........ The software that contains two records has Turbo Browser98, and its two records are hidden in:

[HKEY_LOCAL_MACHINESecurity]
"Tool1." = hex: e0, 59, 9b, 87, fd, d5, be, 01
[HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurrentVersion]
"Q. Status" = hex: e0, 59, 9b, 87, fd, d5, be, 01.

But will they only hide and seek in the registry? Why is the hard disk space so big? Therefore, there are a considerable number of software encryption methods not only limited to the registry, but also a few fish that may leak in a certain location on the hard disk.

After a bitter battle, I finally found a great secret to how to take these fugitives into account. You can hear it. This method is my careful research for dozens of years, taking the power of the family, only one school, do not pass the child to change ****. Before doing this, I have to ask another assistant. In addition, this platform is also another fellow brother of Regmon's Sysinternal company, Filemon. Once you hear the name, you will know how it is. Sure enough, any software's operations on files (whether it is reading, writing, or modifying) cannot escape their eyes.

For example, for Zipmagic2000, Regmon and Fiemon are used for joint and joint cooperation. RegMon indicates that Zipmagic2000 reads [HKEY_CLASSES_ROOTCLSID {187b1580-324b-11d0-9398-0020aff0e034}] at = "GYSupport" from the registry at startup"
"Data28" = "BIPJBPIGFSLHGKDULONNMOMPJNIUMLDM" value, while FileMon also moved the C: windowscontrol dot ini file during startup, and analyzed the content in the Winini file carefully, A suspicious string is found:
[Screens data]
Screens28 = CJQKCQJHGTMIHLEVMPOONPNQKOJVNMEN

It is estimated that a record should be read from here at startup, and then the record in the Registry above should be verified to obtain the time for the first installation, and then determine whether the software has expired.

Therefore, to verify whether our speculation is correct, we first adjust the system time so that it exceeds the 30-day trial period. Delete the key value and the middle character in the registry. Start it, and it tells you that the trial time record of the software has been damaged. Please reinstall it. After the installation is re-installed, you can use it again. Haha, the above inference is correct. Add 10 points!

Before the conclusion, I would like to make a summary.

A common type of encryption for software trial is the time record used for the first time stored in a location in the registry. This record will be retrieved for each subsequent operation, then compare it with the current time. To determine whether it expires. Note 1. The software varies when the record is stored. Some of them are written into the registry on the current date when you install them for the first time. Therefore, you may need to re-install the record once you directly delete it. Some software is added when the program runs for the first time, which means that it does not write time during installation. Before running these software, you must first query this record in the registry. If there is no such record, you will think that this is the first installation and write it into the registry intelligently. For this type of software, we only need to delete these records. NOTE 2: there is not necessarily only one record. Some software will write two locations in the Registry to verify each other. Once one of them is damaged, an error occurs and cannot be used again. Therefore, you have to clean all the time records.

Another method is file encryption. The software writes time records to one or more files, and these files are hidden. It is generally stored in an initial file or binary file. It is stored in a Windows subdirectory or Windowssystem directory that is not easy to be found. The file also has a hidden or read-only attribute. In a word, you cannot easily find out. But we are not afraid of this, as long as it needs to read this record at startup, it can be pulled out.

Of course, some software also uses these two methods at the same time, registering a few values, and hiding several files in the system directory. They are mutually verified and indispensable. If one of them is damaged, an error will occur, so you must clean the software. Such as Quick View Plus 5.0, as it suddenly hid two values in the Registry HKEY_LOCAL_MACHINESoftwareCLASSES.wav {A4ECFA57-D0A3-9FF3-8481-A492EB945058} And HKEY_LOCAL_MACHINESoftwareCLASSESCLSID {D60EB4AA-B69E-BA5C-88FE-CEFE4F8EECC7} system directory has 2 files c: os067271.bin, C: WINDOWSSYSTEMws476828.ocx and a directory C: WINDOWSSYSTEMViewers! Layer-by-layer encryption allows you to find your brains. But it finally let me solve it ......

I don't know how much you can understand. "It is better to teach people to fish than to teach them to fish." I hope this article will give you an interesting role.