fireshot延长试用期
本帖最后由 darksied 于 2023-12-26 16:41 编辑

fireshot是浏览器插件,用于截取网页长图。免费试用30天。
一共两个文件fireshot-chrome-plugin.exe和SSSx64.dll。
分析后,判断主要功能都在SSSx64.dll中,fireshot-chrome-plugin.exe用于更新版本、与浏览器通讯、加载dll。
使用IDA打开SSSx64.dll(需要使用较高版本;一开始使用的低版本没有解析出可读的函数名称),函数名基本都解析出来了。搜索TLicensor,发现一个函数TLicensor::DemoHasExpired(void):
// TLicensor::DemoHasExpired -- Hex-Rays pseudocode of the trial-expiry check found in SSSx64.dll.
//
// As far as this listing shows, the routine:
//   1. reads an expiry value through GetExpiryFromHiddenKey and GetExpiryFromHiddenFile;
//   2. requires the two stored values to agree, otherwise the flag at a4+356 is forced to 1;
//   3. stores a CompareDates result at a4+352 and sets the flag at a4+356 when that result is <= 0;
//   4. refreshes the "last run" records via SetLastRunToHiddenKey / SetLastRunToFile.
// Returns bit 0 of the byte at a4+356 (going by the function name: 1 = expired, 0 = not expired).
//
// NOTE(review): the decompilation is unreliable. Array extents and stack-offset annotations appear
// to have been stripped from the listing (e.g. `*(_DWORD *)v26 = 4` on a plain `bool`), several
// variables are used before any visible assignment (v7, v10, v19..v23, v28, v29), and API arguments
// look misassigned. Treat the comments below as a reading aid and confirm against the disassembly.
//
// NOTE(review, defensive): every input to the decision visible here is client-side state (system
// clock, a registry value, a file) and the outcome is a single flag. No call visible in this
// function checks the module's own integrity or consults a server; whether such checks exist
// elsewhere cannot be told from this listing.
__int64 __fastcall TLicensor::DemoHasExpired(TLicensor *this, _SYSTEMTIME *a2, __int64 a3, __int64 a4)
{
_SYSTEMTIME *v4; // rsi
unsigned __int64 v5; // rdi
bool *v7; //
__int16 v8; //
__int16 v9; //
bool *v10; //
__int16 v11; //
__int16 v12; //
__int16 v13; //
DWORD v14; //
DWORD v15; //
DWORD Reserved; //
DWORD dwType; //
__int16 v19; //
__int16 v20; //
__int16 v21; //
__int16 v22; //
unsigned __int16 v23; //
WCHAR SubKey; // BYREF
char v25; //
bool v26; // BYREF
_SYSTEMTIME v27; // BYREF
unsigned __int64 v28; // BYREF
unsigned __int64 v29; // BYREF
wchar_t ulOptions; // BYREF
__int64 v31; //
_SYSTEMTIME v32; // 0:rdx.16
_SYSTEMTIME v33; // 0:rcx.8,8:r8.8
v31 = a4;
// Presumably resolves the locations of the hidden registry key and hidden file used below -- confirm.
TLicensor::GetHiddenPaths(this, &a2->wYear, ulOptions, (wchar_t *)a4);
// Byte at a4+356 is the result flag returned at the end; start from "not expired".
*(_BYTE *)(a4 + 356) = 0;
GetSystemTime((LPSYSTEMTIME)this);
TLicensor::OffsetDateByDays(this, a2, (int)&v27.wSecond);
// Four DWORD slots are pre-filled with distinct values 1..4 before the reads; since 1 != 3 and
// 2 != 4, the equality test further down can only pass if these slots were overwritten.
*(_DWORD *)&v27.wHour = 1;
*(_DWORD *)&v27.wDayOfWeek = 2;
*(_DWORD *)&v27.wYear = 3;
*(_DWORD *)v26 = 4;
// v25 keeps bit 0 of the registry read's return value; its exact meaning is not shown here.
v25 = TLicensor::GetExpiryFromHiddenKey(
this,
(wchar_t *)a4,
ulOptions,
(unsigned __int64 *)a4,
v28,
(_SYSTEMTIME *)&v27.wHour,
v7) & 1;
v4 = (_SYSTEMTIME *)a4;
v5 = (unsigned __int64)&v27.wSecond;
TLicensor::GetExpiryFromHiddenFile((TLicensor *)&v27.wSecond, (wchar_t *)a4, v29, (unsigned __int64 *)a4, &v27, v26);
if ( (v25 & 1) != 0 )
{
// Copy the second pair of DWORDs (presumably the file-side expiry) over the first pair and
// write two 4-byte values to the registry, i.e. the registry copy is re-synchronised.
*(_DWORD *)&v27.wHour = *(_DWORD *)&v27.wYear;
*(_DWORD *)&v27.wDayOfWeek = *(_DWORD *)v26;
*(_QWORD *)SubKey = 0LL;
v4 = (_SYSTEMTIME *)SubKey;
v5 = 131078LL;
// NOTE(review): argument order looks scrambled by the decompiler. 0x80000001 is the value of
// HKEY_CURRENT_USER and 0x20006 equals KEY_WRITE, so the real call is presumably
// RegOpenKeyExW(HKEY_CURRENT_USER, <subkey>, 0, KEY_WRITE, &hKey) -- confirm in disassembly.
if ( !RegOpenKeyExW((HKEY)0x20006, SubKey, (DWORD)ulOptions, 0x80000001, 0LL) )
{
dwType = *(_DWORD *)SubKey;
System::UnicodeString::UnicodeString((System::UnicodeString *)0x20006);
TLicensor::getRecName((TLicensor *)0x20006, (int)SubKey);
Reserved = System::UnicodeString::c_str((System::UnicodeString *)0x20006);
// First 4-byte value (last argument 4u); the value name comes from getRecName.
RegSetValueExW((HKEY)0x20006, SubKey, Reserved, dwType, 0LL, 4u);
System::UnicodeString::~UnicodeString((System::UnicodeString *)0x20006);
v15 = *(_DWORD *)SubKey;
System::UnicodeString::UnicodeString((System::UnicodeString *)0x20006);
TLicensor::getRecName((TLicensor *)0x20006, (int)SubKey);
v14 = System::UnicodeString::c_str((System::UnicodeString *)0x20006);
// Second 4-byte value, same pattern as above.
RegSetValueExW((HKEY)0x20006, SubKey, v14, v15, 0LL, 4u);
System::UnicodeString::~UnicodeString((System::UnicodeString *)0x20006);
}
// Close the key only if a handle was stored (SubKey doubles as the handle slot in this listing).
if ( *(_QWORD *)SubKey )
RegCloseKey((HKEY)0x20006);
}
// Consistency check: both DWORD pairs must be equal. A mismatch goes to the else branch at the
// bottom, which sets the flag at a4+356 to 1 without any date comparison.
if ( *(_DWORD *)&v27.wHour == *(_DWORD *)&v27.wYear && *(_DWORD *)&v27.wDayOfWeek == *(_DWORD *)v26 )
{
GetSystemTime((LPSYSTEMTIME)v5);
LOWORD(v4) = v22;
// a4+352 receives the CompareDates result; the flag is later derived from it being <= 0, so it
// presumably represents days remaining -- confirm.
*(_DWORD *)(a4 + 352) = TLicensor::CompareDates(
(TLicensor *)v23,
v22,
v27.wHour,
a4,
LOBYTE(v27.wMinute),
v27.wDayOfWeek,
v8);
// a4+376 is a boolean taken from the high byte of v27.wMinute; it is tested below.
*(_BYTE *)(a4 + 376) = (int)v27.wMinute >> 8 != 0;
// Load the previously recorded "last run" time from both stores.
TLicensor::GetLastRunFromHiddenKey((TLicensor *)v23, &v4->wYear, ulOptions, (__int64 *)a4);
TLicensor::GetLastRunFromFile((TLicensor *)v23, &v4->wYear, (__int64 *)v29);
FileTimeToSystemTime((const FILETIME *)v23, v4);
LOWORD(v4) = v22;
v5 = v23;
// A positive comparison rewrites the stored expiry in both places and recomputes a4+352.
// Presumably this handles a recorded last-run time that lies after the current clock -- confirm.
if ( (int)TLicensor::CompareDates((TLicensor *)v23, v22, v19, a4, v20, v21, v9) > 0 )
{
GetSystemTime((LPSYSTEMTIME)v23);
TLicensor::OffsetDateByDays((TLicensor *)v23, v4, (int)&v27.wSecond);
TLicensor::SetExpiryToHiddenKey(
(TLicensor *)v23,
&v4->wYear,
ulOptions,
(unsigned __int64 *)a4,
v28,
(_SYSTEMTIME *)&v27.wHour,
v10);
TLicensor::SetExpiryToHiddenFile((TLicensor *)v23, &v4->wYear, v29, (unsigned __int64 *)a4, &v27, v26);
LOWORD(v5) = v27.wHour;
v4 = (_SYSTEMTIME *)v23;
*(_DWORD *)(a4 + 352) = TLicensor::CompareDates(
(TLicensor *)v5,
v23,
v27.wHour,
a4,
LOBYTE(v27.wMinute),
v27.wDayOfWeek,
v11);
}
// Record the current time as the new "last run" in both the registry key and the file.
GetSystemTime((LPSYSTEMTIME)v5);
*(_QWORD *)&v33.wHour = v28;
*(_QWORD *)&v33.wYear = a4;
TLicensor::SetLastRunToHiddenKey((TLicensor *)v5, &v4->wYear, ulOptions, v33);
*(_QWORD *)&v32.wYear = v29;
*(_QWORD *)&v32.wHour = a4;
TLicensor::SetLastRunToFile((TLicensor *)v5, &v4->wYear, v32);
// Byte a4+178 equal to 84 (ASCII 'T') with the a4+376 flag clear: set the flag, rewrite the
// expiry and recompute a4+352. The meaning of the 'T' marker is not shown here.
if ( *(_BYTE *)(a4 + 178) == 84 && (*(_BYTE *)(a4 + 376) & 1) == 0 )
{
*(_BYTE *)(a4 + 376) = 1;
GetSystemTime((LPSYSTEMTIME)v5);
TLicensor::OffsetDateByDays((TLicensor *)v5, v4, (int)&v27.wSecond);
v5 = (unsigned __int64)&v27.wSecond;
TLicensor::SetExpiryToHiddenKey(
(TLicensor *)&v27.wSecond,
(wchar_t *)a4,
ulOptions,
(unsigned __int64 *)a4,
v28,
(_SYSTEMTIME *)&v27.wHour,
v10);
v4 = (_SYSTEMTIME *)&v27.wSecond;
TLicensor::SetExpiryToHiddenFile((TLicensor *)&v27.wSecond, &v27.wSecond, v29, (unsigned __int64 *)a4, &v27, v26);
*(_DWORD *)(a4 + 352) = TLicensor::CompareDates(
(TLicensor *)&v27.wSecond,
(__int16)&v27.wSecond,
v27.wHour,
a4,
LOBYTE(v27.wMinute),
v27.wDayOfWeek,
v12);
}
// Bound check: when a4+352 exceeds the limit at a4+372 (by more than 3 if the a4+376 flag is
// set), the expiry is rewritten and a4+352 recomputed. Presumably a4+372 is the allowed trial
// length, so an implausibly large remaining period is reset -- confirm.
if ( *(_DWORD *)(a4 + 352) > *(_DWORD *)(a4 + 372)
&& ((*(_BYTE *)(a4 + 376) & 1) == 0 || *(_DWORD *)(a4 + 352) > *(_DWORD *)(a4 + 372) + 3) )
{
GetSystemTime((LPSYSTEMTIME)v5);
TLicensor::OffsetDateByDays((TLicensor *)v5, v4, (int)&v27.wSecond);
TLicensor::SetExpiryToHiddenKey(
(TLicensor *)v5,
&v4->wYear,
ulOptions,
(unsigned __int64 *)a4,
v28,
(_SYSTEMTIME *)&v27.wHour,
v10);
TLicensor::SetExpiryToHiddenFile((TLicensor *)v5, &v4->wYear, v29, (unsigned __int64 *)a4, &v27, v26);
LOWORD(v5) = v27.wHour;
v4 = (_SYSTEMTIME *)v23;
*(_DWORD *)(a4 + 352) = TLicensor::CompareDates(
(TLicensor *)v5,
v23,
v27.wHour,
a4,
LOBYTE(v27.wMinute),
v27.wDayOfWeek,
v13);
}
// Final decision on this path: the flag is set when the value at a4+352 is zero or negative.
*(_BYTE *)(a4 + 356) = *(int *)(a4 + 352) <= 0;
}
else
{
// The two stored expiry values disagree: set the flag unconditionally.
*(_BYTE *)(a4 + 356) = 1;
}
// When the flag is set the byte at a4+178 is cleared; otherwise ReadAppVariety is called.
if ( (*(_BYTE *)(a4 + 356) & 1) != 0 )
*(_BYTE *)(a4 + 178) = 0;
else
TLicensor::ReadAppVariety((TLicensor *)v5, (char *)v4);
// The whole check collapses into this single bit for the caller.
return *(_BYTE *)(a4 + 356) & 1;
}
可以看出,该函数获取系统时间,与隐藏注册表项和隐藏文件中保存的到期时间进行对比,判断试用期是否过期,最后返回一个表示是否过期的值。由于判断完全依赖本地数据,且结果集中在一个返回值上,这类纯客户端的试用期校验很容易被篡改;更稳妥的做法是配合模块完整性校验或服务端授权验证。
这个函数只被TLicensor::ReadApplicationLicenseState()这个函数调用。
TLicensor::ReadApplicationLicenseState()被多次调用,用于读取授权状态。
水平有限,采用暴力方式。先修改DemoHasExpired返回值固定为0。
保存后,测试发现是试用状态了。
有没有地址可以下载修改过的fireshot sdieedu 发表于 2023-7-3 17:13
return *(_BYTE *)(a4 + 356) & 1;
改成
return 0;
return *(_BYTE *)(a4 + 356) & 1;
改成
return *(_BYTE *)(a4 + 356) & 0; 好复杂,这个怎么用? 不够详细,看了还是不会 return *(_BYTE *)(a4 + 356) & 1;
改成
return 0;
???????? 现在edge已经自带网页长截图了,不知道和这个比起来怎么样 感谢大佬分享 谢谢大神分享,俺收藏看看! tl;dr 发表于 2023-7-4 06:43
特别长的能截图吗?
试用版应该是限制50页?