一共两个文件fireshot-chrome-plugin.exe和SSSx64.dll。
分析后,判断主要功能都在SSSx64.dll中,fireshot-chrome-plugin.exe用于更新版本、与浏览器通讯、加载dll。
使用iad打开SSSx64.dll,函数名基本都解析出来了,搜索TLicensor,发现一个函数TLicensor::DemoHasExpired(void)
Snipaste_2023-07-03_13-30-31.png (83.65 KB, 下载次数: 0)
下载附件
2023-7-3 13:30 上传
[C++] 纯文本查看 复制代码__int64 __fastcall TLicensor::DemoHasExpired(TLicensor *this, _SYSTEMTIME *a2, __int64 a3, __int64 a4)
{
_SYSTEMTIME *v4; // rsi
unsigned __int64 v5; // rdi
bool *v7; // [rsp+0h] [rbp-80h]
__int16 v8; // [rsp+0h] [rbp-80h]
__int16 v9; // [rsp+0h] [rbp-80h]
bool *v10; // [rsp+0h] [rbp-80h]
__int16 v11; // [rsp+0h] [rbp-80h]
__int16 v12; // [rsp+0h] [rbp-80h]
__int16 v13; // [rsp+0h] [rbp-80h]
DWORD v14; // [rsp+C8h] [rbp+48h]
DWORD v15; // [rsp+D8h] [rbp+58h]
DWORD Reserved; // [rsp+E8h] [rbp+68h]
DWORD dwType; // [rsp+F8h] [rbp+78h]
__int16 v19; // [rsp+198h] [rbp+118h]
__int16 v20; // [rsp+19Ah] [rbp+11Ah]
__int16 v21; // [rsp+19Eh] [rbp+11Eh]
__int16 v22; // [rsp+1BAh] [rbp+13Ah]
unsigned __int16 v23; // [rsp+1BEh] [rbp+13Eh]
WCHAR SubKey[4]; // [rsp+1F0h] [rbp+170h] BYREF
char v25; // [rsp+1FFh] [rbp+17Fh]
bool v26[4]; // [rsp+200h] [rbp+180h] BYREF
_SYSTEMTIME v27; // [rsp+204h] [rbp+184h] BYREF
unsigned __int64 v28[256]; // [rsp+220h] [rbp+1A0h] BYREF
unsigned __int64 v29[2]; // [rsp+A20h] [rbp+9A0h] BYREF
wchar_t ulOptions[1028]; // [rsp+1220h] [rbp+11A0h] BYREF
__int64 v31; // [rsp+1A28h] [rbp+19A8h]
_SYSTEMTIME v32; // 0:rdx.16
_SYSTEMTIME v33; // 0:rcx.8,8:r8.8
v31 = a4;
TLicensor::GetHiddenPaths(this, &a2->wYear, ulOptions, (wchar_t *)a4);
*(_BYTE *)(a4 + 356) = 0;
GetSystemTime((LPSYSTEMTIME)this);
TLicensor::OffsetDateByDays(this, a2, (int)&v27.wSecond);
*(_DWORD *)&v27.wHour = 1;
*(_DWORD *)&v27.wDayOfWeek = 2;
*(_DWORD *)&v27.wYear = 3;
*(_DWORD *)v26 = 4;
v25 = TLicensor::GetExpiryFromHiddenKey(
this,
(wchar_t *)a4,
ulOptions,
(unsigned __int64 *)a4,
v28,
(_SYSTEMTIME *)&v27.wHour,
v7) & 1;
v4 = (_SYSTEMTIME *)a4;
v5 = (unsigned __int64)&v27.wSecond;
TLicensor::GetExpiryFromHiddenFile((TLicensor *)&v27.wSecond, (wchar_t *)a4, v29, (unsigned __int64 *)a4, &v27, v26);
if ( (v25 & 1) != 0 )
{
*(_DWORD *)&v27.wHour = *(_DWORD *)&v27.wYear;
*(_DWORD *)&v27.wDayOfWeek = *(_DWORD *)v26;
*(_QWORD *)SubKey = 0LL;
v4 = (_SYSTEMTIME *)SubKey;
v5 = 131078LL;
if ( !RegOpenKeyExW((HKEY)0x20006, SubKey, (DWORD)ulOptions, 0x80000001, 0LL) )
{
dwType = *(_DWORD *)SubKey;
System::UnicodeString::UnicodeString((System::UnicodeString *)0x20006);
TLicensor::getRecName((TLicensor *)0x20006, (int)SubKey);
Reserved = System::UnicodeString::c_str((System::UnicodeString *)0x20006);
RegSetValueExW((HKEY)0x20006, SubKey, Reserved, dwType, 0LL, 4u);
System::UnicodeString::~UnicodeString((System::UnicodeString *)0x20006);
v15 = *(_DWORD *)SubKey;
System::UnicodeString::UnicodeString((System::UnicodeString *)0x20006);
TLicensor::getRecName((TLicensor *)0x20006, (int)SubKey);
v14 = System::UnicodeString::c_str((System::UnicodeString *)0x20006);
RegSetValueExW((HKEY)0x20006, SubKey, v14, v15, 0LL, 4u);
System::UnicodeString::~UnicodeString((System::UnicodeString *)0x20006);
}
if ( *(_QWORD *)SubKey )
RegCloseKey((HKEY)0x20006);
}
if ( *(_DWORD *)&v27.wHour == *(_DWORD *)&v27.wYear && *(_DWORD *)&v27.wDayOfWeek == *(_DWORD *)v26 )
{
GetSystemTime((LPSYSTEMTIME)v5);
LOWORD(v4) = v22;
*(_DWORD *)(a4 + 352) = TLicensor::CompareDates(
(TLicensor *)v23,
v22,
v27.wHour,
a4,
LOBYTE(v27.wMinute),
v27.wDayOfWeek,
v8);
*(_BYTE *)(a4 + 376) = (int)v27.wMinute >> 8 != 0;
TLicensor::GetLastRunFromHiddenKey((TLicensor *)v23, &v4->wYear, ulOptions, (__int64 *)a4);
TLicensor::GetLastRunFromFile((TLicensor *)v23, &v4->wYear, (__int64 *)v29);
FileTimeToSystemTime((const FILETIME *)v23, v4);
LOWORD(v4) = v22;
v5 = v23;
if ( (int)TLicensor::CompareDates((TLicensor *)v23, v22, v19, a4, v20, v21, v9) > 0 )
{
GetSystemTime((LPSYSTEMTIME)v23);
TLicensor::OffsetDateByDays((TLicensor *)v23, v4, (int)&v27.wSecond);
TLicensor::SetExpiryToHiddenKey(
(TLicensor *)v23,
&v4->wYear,
ulOptions,
(unsigned __int64 *)a4,
v28,
(_SYSTEMTIME *)&v27.wHour,
v10);
TLicensor::SetExpiryToHiddenFile((TLicensor *)v23, &v4->wYear, v29, (unsigned __int64 *)a4, &v27, v26);
LOWORD(v5) = v27.wHour;
v4 = (_SYSTEMTIME *)v23;
*(_DWORD *)(a4 + 352) = TLicensor::CompareDates(
(TLicensor *)v5,
v23,
v27.wHour,
a4,
LOBYTE(v27.wMinute),
v27.wDayOfWeek,
v11);
}
GetSystemTime((LPSYSTEMTIME)v5);
*(_QWORD *)&v33.wHour = v28;
*(_QWORD *)&v33.wYear = a4;
TLicensor::SetLastRunToHiddenKey((TLicensor *)v5, &v4->wYear, ulOptions, v33);
*(_QWORD *)&v32.wYear = v29;
*(_QWORD *)&v32.wHour = a4;
TLicensor::SetLastRunToFile((TLicensor *)v5, &v4->wYear, v32);
if ( *(_BYTE *)(a4 + 178) == 84 && (*(_BYTE *)(a4 + 376) & 1) == 0 )
{
*(_BYTE *)(a4 + 376) = 1;
GetSystemTime((LPSYSTEMTIME)v5);
TLicensor::OffsetDateByDays((TLicensor *)v5, v4, (int)&v27.wSecond);
v5 = (unsigned __int64)&v27.wSecond;
TLicensor::SetExpiryToHiddenKey(
(TLicensor *)&v27.wSecond,
(wchar_t *)a4,
ulOptions,
(unsigned __int64 *)a4,
v28,
(_SYSTEMTIME *)&v27.wHour,
v10);
v4 = (_SYSTEMTIME *)&v27.wSecond;
TLicensor::SetExpiryToHiddenFile((TLicensor *)&v27.wSecond, &v27.wSecond, v29, (unsigned __int64 *)a4, &v27, v26);
*(_DWORD *)(a4 + 352) = TLicensor::CompareDates(
(TLicensor *)&v27.wSecond,
(__int16)&v27.wSecond,
v27.wHour,
a4,
LOBYTE(v27.wMinute),
v27.wDayOfWeek,
v12);
}
if ( *(_DWORD *)(a4 + 352) > *(_DWORD *)(a4 + 372)
&& ((*(_BYTE *)(a4 + 376) & 1) == 0 || *(_DWORD *)(a4 + 352) > *(_DWORD *)(a4 + 372) + 3) )
{
GetSystemTime((LPSYSTEMTIME)v5);
TLicensor::OffsetDateByDays((TLicensor *)v5, v4, (int)&v27.wSecond);
TLicensor::SetExpiryToHiddenKey(
(TLicensor *)v5,
&v4->wYear,
ulOptions,
(unsigned __int64 *)a4,
v28,
(_SYSTEMTIME *)&v27.wHour,
v10);
TLicensor::SetExpiryToHiddenFile((TLicensor *)v5, &v4->wYear, v29, (unsigned __int64 *)a4, &v27, v26);
LOWORD(v5) = v27.wHour;
v4 = (_SYSTEMTIME *)v23;
*(_DWORD *)(a4 + 352) = TLicensor::CompareDates(
(TLicensor *)v5,
v23,
v27.wHour,
a4,
LOBYTE(v27.wMinute),
v27.wDayOfWeek,
v13);
}
*(_BYTE *)(a4 + 356) = *(int *)(a4 + 352)
可以看出,调用系统时间,和隐藏文件中时间判断,对比,判断。
最后返回一个是否过期的值,
这个函数只被一个函数调用,TLicensor::ReadApplicationLicenseState(),这个函数,被多次调用,用于读取授权状态。
水平有限,采用暴力方式。先修改DemoHasExpired返回值固定为0。
保存后,测试发现是试用状态了。