It's another weekend.
In the unregistered version, the function for saving work results to a file is restricted. Trying to save brings up a dialog box: "This feature is available in registered version only. Buy it now?" All other functions of the software work normally.
1. Disassemble. First find the address of the string shown in the dialog box above:
    SSZ00B62EC8_This_feature_is_available_in_reg:
        db 'This feature is available in registered version only.', 0Ah, 'Buy it now?', 0
2. Find the code that references the string address. There is only one reference in the program:
    L00479667:
        mov dword ptr [ebp-28h], L00D4AC98
        mov ecx, L00D4AC98
        mov edx, 00000001h
        lock xadd [ecx], edx
        push ffffffh
        push SSZ00B624D8_Inpaint
        mov dword ptr [ebp-04h], 00000000h
        call SUB_L0097C820
        mov [ebp-24h], eax
        push 00000000h
        lea eax, [ebp-34h]
        push L00B145FC
        push eax
        mov byte ptr [ebp-04h], 01h
        call SUB_L00473160
        mov esi, eax
        push 00000000h
        lea ecx, [ebp-30h]
        push L00B145F8
        push ecx
        mov byte ptr [ebp-04h], 02h
        call SUB_L00473160
        mov ebx, eax
        push 00000000h
        lea edx, [ebp-2Ch]
        push SSZ00B62EC8_This_feature_is_available_in_reg   ; <-- here
        push edx
3. Find the places that jump to the code above. There are two in total:
    SUB_L00479330:
        push ebp
        mov ebp, esp
        mov eax, fs:[00000000h]
        push ffffffh
        push L00A8FFFB
        push eax
        mov fs:[00000000h], esp
        sub esp, 00000044h
        push ebx
        push esi
        push edi
        mov edi, ecx
        mov eax, [edi+14h]
        mov eax, [eax+08h]
        lea esi, [edi+14h]
        test eax, eax
        jz L00479667                ; 1st
        push esi
        call SUB_L00475930
        add esp, 00000004h
        test al, al
        jnz L0047937F
        push esi
        call SUB_L00476010
        add esp, 00000004h
        test al, al
        jz L00479667                ; 2nd
4. In a hex editor, change both jz instructions and the 11 instructions between them to 90 (NOP). Save the file and run it: the save function now works exactly as in the registered version.
Author: Dzyedzye
Let me describe my approach.
1. When the software runs, it reports that the trial period has expired and shows the registration window, so I checked whether changing the system time would allow further trial use.
2. After changing the system time, a dialog box appears saying that the system time is incorrect. Based on this prompt, enter bpx MessageBoxA in OD, i.e. set a breakpoint on the dialog box.
3. Run the program again. When it breaks in MessageBoxA, click "OK" and step through until you return to the code that called the dialog. Looking upward from the call, find a suspicious jump and set a breakpoint there:
    0040928E   0F84 6C000000   je 00409300     ; determines whether the time has been adjusted
Try changing je to jne and run the program: the main program window appears.
4. Set the time back and run the program again. It breaks at 0040928E; now jump to the next suspicious location:
    00409369   0F85 75000000   jnz 004093E4    ; determines whether the trial has expired
Try changing jnz to jz and run the program: the main window of the program appears.
5. The initial brute-force patch succeeded, but I don't know what the program's functions are, so I cannot test whether the functionality is complete.
6. You can also follow up the several calls at 00409369; that should be the registration-code check. If you are interested, trace into them.
Author: otdr
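Both posts end with the same hex-editor step: locate the bytes of a conditional jump at a virtual address and overwrite them, with 90h in the first post and with the inverted condition in the second. The script below is an added example and is not code from either author. It maps a VA to a file offset through the PE section table, verifies the expected bytes before writing (the check a hex-editor session skips), and implements both patch styles. It runs offline against a constructed minimal PE32 built in memory, with the two addresses quoted in the second post planted at their stated VAs; the section layout, image base and instruction bytes used here are assumptions for the sample, and for a real target they must be read from the actual file and confirmed in the debugger.

```python
import struct

# Constructed sample layout (not the real target's): one .text section mapped
# at VA 0x00409000, 0x1000 bytes long, stored at file offset 0x200.
IMAGE_BASE = 0x00400000
SEC_VA, SEC_SIZE, SEC_RAW = 0x9000, 0x1000, 0x200


def build_sample_pe():
    """Build a minimal PE32 image in memory so the patcher can run offline."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                    # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                    # PE32 magic
    struct.pack_into("<I", opt, 28, IMAGE_BASE)
    struct.pack_into("<II", opt, 32, 0x1000, 0x200)          # section/file alignment
    sec = struct.pack("<8sIIIIIIHHI", b".text", SEC_SIZE, SEC_VA,
                      SEC_SIZE, SEC_RAW, 0, 0, 0, 0, 0x60000020)
    pe = bytearray(SEC_RAW + SEC_SIZE)
    hdr = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sec
    pe[:len(hdr)] = hdr
    # Plant the two checks quoted in the second post at the VAs it gives.
    for va, code in ((0x0040928E, "0F846C000000"),           # je  00409300
                     (0x00409369, "0F8575000000")):          # jnz 004093E4
        off = SEC_RAW + (va - IMAGE_BASE - SEC_VA)
        pe[off:off + 6] = bytes.fromhex(code)
    return pe


def va_to_offset(pe, va):
    """Map a virtual address to its file offset via the PE section table."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    nsec = struct.unpack_from("<H", pe, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]
    opt = e_lfanew + 24
    magic = struct.unpack_from("<H", pe, opt)[0]
    if magic == 0x10B:                                       # PE32
        image_base = struct.unpack_from("<I", pe, opt + 28)[0]
    elif magic == 0x20B:                                     # PE32+
        image_base = struct.unpack_from("<Q", pe, opt + 24)[0]
    else:
        raise ValueError("unknown optional header magic %#x" % magic)
    rva = va - image_base
    for i in range(nsec):
        name, vsize, sva, rawsize, rawptr = struct.unpack_from(
            "<8sIIII", pe, opt + opt_size + 40 * i)
        if sva <= rva < sva + max(vsize, rawsize):
            if rva - sva >= rawsize:                         # e.g. .bss: nothing on disk
                raise ValueError("%#010x is in %s but has no file backing"
                                 % (va, name.rstrip(b"\0").decode()))
            return rawptr + (rva - sva)
    raise ValueError("%#010x is not inside any section" % va)


def patch(pe, va, expected, new):
    """Overwrite `expected` at `va` with `new`, refusing if the bytes on disk
    differ: that check catches a wrong offset or a different build."""
    if len(new) != len(expected):
        raise ValueError("replacement must keep the same length")
    off = va_to_offset(pe, va)
    cur = bytes(pe[off:off + len(expected)])
    if cur != expected:
        raise ValueError("bytes at %#010x are %s, expected %s"
                         % (va, cur.hex(), expected.hex()))
    pe[off:off + len(new)] = new
    return off


def invert_jcc(pe, va, expected):
    """Flip a conditional jump (je<->jne, jz<->jnz, ...). x86 encodes the
    negated condition by toggling the opcode's low bit, for the short form
    (74/75) and the near form (0F 84/0F 85) alike."""
    op = bytearray(expected)
    idx = 1 if op[0] == 0x0F else 0
    lo, hi = (0x80, 0x8F) if idx else (0x70, 0x7F)
    if not lo <= op[idx] <= hi:
        raise ValueError("not a Jcc opcode: %s" % expected.hex())
    op[idx] ^= 1
    return patch(pe, va, expected, bytes(op))


def nop_fill(pe, va, expected):
    """Replace a run of instructions with 0x90, the first post's method."""
    return patch(pe, va, expected, b"\x90" * len(expected))


def demo():
    """Apply the second post's two flips to the constructed sample."""
    pe = build_sample_pe()
    off1 = invert_jcc(pe, 0x0040928E, bytes.fromhex("0F846C000000"))  # je  -> jne
    off2 = invert_jcc(pe, 0x00409369, bytes.fromhex("0F8575000000"))  # jnz -> jz
    return pe, off1, off2


if __name__ == "__main__":
    pe, off1, off2 = demo()
    for va, off in ((0x0040928E, off1), (0x00409369, off2)):
        print("%#010x -> file offset %#x: %s" % (va, off, pe[off:off + 6].hex()))
```

To use this on a real file, read it into a bytearray, call invert_jcc or nop_fill with the bytes you confirmed in the debugger, and write the result to a new file. If the expected bytes do not match, the VA is wrong for that build or the section mapping differs, and nothing is written.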