A tricky way to get an unlimited trial of Source Insight 3.5

This week I have been reversing SI 3.5 (version 3.5.66.0). The encryption algorithm has been restored, but because I am lazy, I do not want to write RI. Not having it does not, in fact, mean SI cannot be broken, so I can try a variety of tricky ways to use SI without restriction.

Once SI has been activated as a trial, every start displays the number of days remaining in the trial:

The red part should come from a string constant shaped like "Trial License expires in %d days". With the binary open in IDA, that string can be found by searching:

Follow it to find the piece of code that references the string:

.text:004A7263 loc_4A7263:                             ; CODE XREF: sub_4A7077+1D1↑j
...
.text:004A72AC                 mov     eax, totalTrialDays  ; number of trial days set by the SI 3.5 trial version
.text:004A72B1                 sub     eax, trialDays  ; number of trial days already used
.text:004A72B7                 mov     [ebp+remainDays], eax
.text:004A72BD                 push    0FFh            ; color
.text:004A72C2                 push    [ebp+hdc]       ; hdc
.text:004A72C5                 call    ds:SetTextColor    ; set the text color
.text:004A72CB                 mov     [ebp+color], eax
.text:004A72D1                 cmp     [ebp+remainDays], 0
.text:004A72D8                 jle     short loc_4A72F6
.text:004A72DA                 push    [ebp+remainDays]
.text:004A72E0                 push    offset trialRemainDays ; "Trial License expires in %d days."
.text:004A72E5                 lea     eax, [ebp+String]
.text:004A72EB                 push    eax             ; char *
.text:004A72EC                 call    _sprint

SI calls _sprint to format the string, and the instruction

.text:004A72DA                 push    [ebp+remainDays]

pushes the variable [ebp+remainDays] onto the stack as the argument for the %d placeholder. Conveniently, the statements that modify [ebp+remainDays] are close by:

.text:004A72AC                 mov     eax, totalTrialDays  ; number of trial days set by the SI 3.5 trial version
.text:004A72B1                 sub     eax, trialDays  ; number of trial days already used
.text:004A72B7                 mov     [ebp+remainDays], eax

Note that totalTrialDays and trialDays are global variables in the data segment:

.data:005E6F8C trialDays       dd ?                    ; DATA XREF: sub_445B93:loc_445BC4↑r
.data:005E6F8C                                         ; sub_448894+185↑w ...
.data:005E6F90 totalTrialDays  dd ?                    ; DATA XREF: sub_445B93+36↑r

I tried using OD to modify the subtraction instruction at 04A72B1 and then let SI run; SI, already extended, showed that it actually had a 35-day trial period:


In fact, at this stage it already counts as successfully cracked. But every time SI opens, it still shows a few dozen days in total, which gives the constant pressure of software that is about to expire. So make one more change, so that the number of days remaining is large. This is elementary arithmetic: it comes down to changing either the minuend totalTrialDays or the subtrahend trialDays. Comparing in IDA the number of references to totalTrialDays and to trialDays, I found that totalTrialDays is referenced relatively few times, so I decided to start with it.

Looking at the references to totalTrialDays again, one instruction stands out, "mov totalTrialDays, 23":

Isn't the 23 in that instruction, read as hexadecimal, decimal 35? And isn't that exactly the trial period of Source Insight 3.5? Well, make the immediate bigger: change it to 100 years. A hundred years from now I will not be reading code anyway.


Origin blog.csdn.net/lixiangminghate/article/details/88739718