fireshot延长试用期

darksied · 发表于 2023-7-3 13:37

本帖最后由 darksied 于 2023-12-26 16:41 编辑

fireshot是浏览器插件，用于截取网页长图。免费试用30天。
一共两个文件fireshot-chrome-plugin.exe和SSSx64.dll。
分析后，判断主要功能都在SSSx64.dll中，fireshot-chrome-plugin.exe用于更新版本、与浏览器通讯、加载dll。
使用IDA（使用高版本的，一开始使用的低版本，没有解析出可读的函数名称）打开SSSx64.dll，函数名基本都解析出来了，搜索TLicensor，发现一个函数TLicensor::DemoHasExpired(void)

[C++] 纯文本查看 复制代码

001

002

003

004

005

006

007

008

009

010

011

012

013

014

015

016

017

018

019

020

021

022

023

024

025

026

027

028

029

030

031

032

033

034

035

036

037

038

039

040

041

042

043

044

045

046

047

048

049

050

051

052

053

054

055

056

057

058

059

060

061

062

063

064

065

066

067

068

069

070

071

072

073

074

075

076

077

078

079

080

081

082

083

084

085

086

087

088

089

090

091

092

093

094

095

096

097

098

099

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

118

119

120

121

122

123

124

125

126

127

128

129

130

131

132

133

134

135

136

137

138

139

140

141

142

143

144

145

146

147

148

149

150

151

152

153

154

155

156

157

158

159

160

161

162

163

164

165

166

167

168

169

170

171

172

173

174

175

176

177

178

179

180

181

182

183

184

185

186

187

__int64 __fastcall TLicensor::DemoHasExpired(TLicensor *this, _SYSTEMTIME *a2, __int64 a3, __int64 a4)
{
  _SYSTEMTIME *v4; // rsi
  unsigned __int64 v5; // rdi
  bool *v7; // [rsp+0h] [rbp-80h]
  __int16 v8; // [rsp+0h] [rbp-80h]
  __int16 v9; // [rsp+0h] [rbp-80h]
  bool *v10; // [rsp+0h] [rbp-80h]
  __int16 v11; // [rsp+0h] [rbp-80h]
  __int16 v12; // [rsp+0h] [rbp-80h]
  __int16 v13; // [rsp+0h] [rbp-80h]
  DWORD v14; // [rsp+C8h] [rbp+48h]
  DWORD v15; // [rsp+D8h] [rbp+58h]
  DWORD Reserved; // [rsp+E8h] [rbp+68h]
  DWORD dwType; // [rsp+F8h] [rbp+78h]
  __int16 v19; // [rsp+198h] [rbp+118h]
  __int16 v20; // [rsp+19Ah] [rbp+11Ah]
  __int16 v21; // [rsp+19Eh] [rbp+11Eh]
  __int16 v22; // [rsp+1BAh] [rbp+13Ah]
  unsigned __int16 v23; // [rsp+1BEh] [rbp+13Eh]
  WCHAR SubKey[4]; // [rsp+1F0h] [rbp+170h] BYREF
  char v25; // [rsp+1FFh] [rbp+17Fh]
  bool v26[4]; // [rsp+200h] [rbp+180h] BYREF
  _SYSTEMTIME v27; // [rsp+204h] [rbp+184h] BYREF
  unsigned __int64 v28[256]; // [rsp+220h] [rbp+1A0h] BYREF
  unsigned __int64 v29[2]; // [rsp+A20h] [rbp+9A0h] BYREF
  wchar_t ulOptions[1028]; // [rsp+1220h] [rbp+11A0h] BYREF
  __int64 v31; // [rsp+1A28h] [rbp+19A8h]
  _SYSTEMTIME v32; // 0:rdx.16
  _SYSTEMTIME v33; // 0:rcx.8,8:r8.8
 
  v31 = a4;
  TLicensor::GetHiddenPaths(this, &a2->wYear, ulOptions, (wchar_t *)a4);
  *(_BYTE *)(a4 + 356) = 0;
  GetSystemTime((LPSYSTEMTIME)this);
  TLicensor::OffsetDateByDays(this, a2, (int)&v27.wSecond);
  *(_DWORD *)&v27.wHour = 1;
  *(_DWORD *)&v27.wDayOfWeek = 2;
  *(_DWORD *)&v27.wYear = 3;
  *(_DWORD *)v26 = 4;
  v25 = TLicensor::GetExpiryFromHiddenKey(
          this,
          (wchar_t *)a4,
          ulOptions,
          (unsigned __int64 *)a4,
          v28,
          (_SYSTEMTIME *)&v27.wHour,
          v7) & 1;
  v4 = (_SYSTEMTIME *)a4;
  v5 = (unsigned __int64)&v27.wSecond;
  TLicensor::GetExpiryFromHiddenFile((TLicensor *)&v27.wSecond, (wchar_t *)a4, v29, (unsigned __int64 *)a4, &v27, v26);
  if ( (v25 & 1) != 0 )
  {
    *(_DWORD *)&v27.wHour = *(_DWORD *)&v27.wYear;
    *(_DWORD *)&v27.wDayOfWeek = *(_DWORD *)v26;
    *(_QWORD *)SubKey = 0LL;
    v4 = (_SYSTEMTIME *)SubKey;
    v5 = 131078LL;
    if ( !RegOpenKeyExW((HKEY)0x20006, SubKey, (DWORD)ulOptions, 0x80000001, 0LL) )
    {
      dwType = *(_DWORD *)SubKey;
      System::UnicodeString::UnicodeString((System::UnicodeString *)0x20006);
      TLicensor::getRecName((TLicensor *)0x20006, (int)SubKey);
      Reserved = System::UnicodeString::c_str((System::UnicodeString *)0x20006);
      RegSetValueExW((HKEY)0x20006, SubKey, Reserved, dwType, 0LL, 4u);
      System::UnicodeString::~UnicodeString((System::UnicodeString *)0x20006);
      v15 = *(_DWORD *)SubKey;
      System::UnicodeString::UnicodeString((System::UnicodeString *)0x20006);
      TLicensor::getRecName((TLicensor *)0x20006, (int)SubKey);
      v14 = System::UnicodeString::c_str((System::UnicodeString *)0x20006);
      RegSetValueExW((HKEY)0x20006, SubKey, v14, v15, 0LL, 4u);
      System::UnicodeString::~UnicodeString((System::UnicodeString *)0x20006);
    }
    if ( *(_QWORD *)SubKey )
      RegCloseKey((HKEY)0x20006);
  }
  if ( *(_DWORD *)&v27.wHour == *(_DWORD *)&v27.wYear && *(_DWORD *)&v27.wDayOfWeek == *(_DWORD *)v26 )
  {
    GetSystemTime((LPSYSTEMTIME)v5);
    LOWORD(v4) = v22;
    *(_DWORD *)(a4 + 352) = TLicensor::CompareDates(
                              (TLicensor *)v23,
                              v22,
                              v27.wHour,
                              a4,
                              LOBYTE(v27.wMinute),
                              v27.wDayOfWeek,
                              v8);
    *(_BYTE *)(a4 + 376) = (int)v27.wMinute >> 8 != 0;
    TLicensor::GetLastRunFromHiddenKey((TLicensor *)v23, &v4->wYear, ulOptions, (__int64 *)a4);
    TLicensor::GetLastRunFromFile((TLicensor *)v23, &v4->wYear, (__int64 *)v29);
    FileTimeToSystemTime((const FILETIME *)v23, v4);
    LOWORD(v4) = v22;
    v5 = v23;
    if ( (int)TLicensor::CompareDates((TLicensor *)v23, v22, v19, a4, v20, v21, v9) > 0 )
    {
      GetSystemTime((LPSYSTEMTIME)v23);
      TLicensor::OffsetDateByDays((TLicensor *)v23, v4, (int)&v27.wSecond);
      TLicensor::SetExpiryToHiddenKey(
        (TLicensor *)v23,
        &v4->wYear,
        ulOptions,
        (unsigned __int64 *)a4,
        v28,
        (_SYSTEMTIME *)&v27.wHour,
        v10);
      TLicensor::SetExpiryToHiddenFile((TLicensor *)v23, &v4->wYear, v29, (unsigned __int64 *)a4, &v27, v26);
      LOWORD(v5) = v27.wHour;
      v4 = (_SYSTEMTIME *)v23;
      *(_DWORD *)(a4 + 352) = TLicensor::CompareDates(
                                (TLicensor *)v5,
                                v23,
                                v27.wHour,
                                a4,
                                LOBYTE(v27.wMinute),
                                v27.wDayOfWeek,
                                v11);
    }
    GetSystemTime((LPSYSTEMTIME)v5);
    *(_QWORD *)&v33.wHour = v28;
    *(_QWORD *)&v33.wYear = a4;
    TLicensor::SetLastRunToHiddenKey((TLicensor *)v5, &v4->wYear, ulOptions, v33);
    *(_QWORD *)&v32.wYear = v29;
    *(_QWORD *)&v32.wHour = a4;
    TLicensor::SetLastRunToFile((TLicensor *)v5, &v4->wYear, v32);
    if ( *(_BYTE *)(a4 + 178) == 84 && (*(_BYTE *)(a4 + 376) & 1) == 0 )
    {
      *(_BYTE *)(a4 + 376) = 1;
      GetSystemTime((LPSYSTEMTIME)v5);
      TLicensor::OffsetDateByDays((TLicensor *)v5, v4, (int)&v27.wSecond);
      v5 = (unsigned __int64)&v27.wSecond;
      TLicensor::SetExpiryToHiddenKey(
        (TLicensor *)&v27.wSecond,
        (wchar_t *)a4,
        ulOptions,
        (unsigned __int64 *)a4,
        v28,
        (_SYSTEMTIME *)&v27.wHour,
        v10);
      v4 = (_SYSTEMTIME *)&v27.wSecond;
      TLicensor::SetExpiryToHiddenFile((TLicensor *)&v27.wSecond, &v27.wSecond, v29, (unsigned __int64 *)a4, &v27, v26);
      *(_DWORD *)(a4 + 352) = TLicensor::CompareDates(
                                (TLicensor *)&v27.wSecond,
                                (__int16)&v27.wSecond,
                                v27.wHour,
                                a4,
                                LOBYTE(v27.wMinute),
                                v27.wDayOfWeek,
                                v12);
    }
    if ( *(_DWORD *)(a4 + 352) > *(_DWORD *)(a4 + 372)
      && ((*(_BYTE *)(a4 + 376) & 1) == 0 || *(_DWORD *)(a4 + 352) > *(_DWORD *)(a4 + 372) + 3) )
    {
      GetSystemTime((LPSYSTEMTIME)v5);
      TLicensor::OffsetDateByDays((TLicensor *)v5, v4, (int)&v27.wSecond);
      TLicensor::SetExpiryToHiddenKey(
        (TLicensor *)v5,
        &v4->wYear,
        ulOptions,
        (unsigned __int64 *)a4,
        v28,
        (_SYSTEMTIME *)&v27.wHour,
        v10);
      TLicensor::SetExpiryToHiddenFile((TLicensor *)v5, &v4->wYear, v29, (unsigned __int64 *)a4, &v27, v26);
      LOWORD(v5) = v27.wHour;
      v4 = (_SYSTEMTIME *)v23;
      *(_DWORD *)(a4 + 352) = TLicensor::CompareDates(
                                (TLicensor *)v5,
                                v23,
                                v27.wHour,
                                a4,
                                LOBYTE(v27.wMinute),
                                v27.wDayOfWeek,
                                v13);
    }
    *(_BYTE *)(a4 + 356) = *(int *)(a4 + 352) <= 0;
  }
  else
  {
    *(_BYTE *)(a4 + 356) = 1;
  }
  if ( (*(_BYTE *)(a4 + 356) & 1) != 0 )
    *(_BYTE *)(a4 + 178) = 0;
  else
    TLicensor::ReadAppVariety((TLicensor *)v5, (char *)v4);
  return *(_BYTE *)(a4 + 356) & 1;
}

可以看出，调用系统时间，和隐藏文件中时间对比，判断是否过期。
最后返回一个是否过期的值，
这个函数只被TLicensor::ReadApplicationLicenseState()这个函数调用。
TLicensor::ReadApplicationLicenseState()被多次调用，用于读取授权状态。

水平有限，采用暴力方式。先修改DemoHasExpired返回值固定为0。

保存后，测试发现是试用状态了。

传说中的CJ · 发表于 2023-10-17 13:02

sdieedu 发表于 2023-7-3 17:13
return *(_BYTE *)(a4 + 356) & 1;
改成
return 0;

return *(_BYTE *)(a4 + 356) & 1;
改成
return *(_BYTE *)(a4 + 356) & 0;

782878952 · 发表于 2023-7-5 11:11

有没有地址可以下载修改过的fireshot

jianping520 · 发表于 2023-7-3 14:32

好复杂，这个怎么用？

无敌小儿 · 发表于 2023-7-3 14:35

不够详细，看了还是不会

sdieedu · 发表于 2023-7-3 17:13

return *(_BYTE *)(a4 + 356) & 1;
改成
return 0;

？？？？？？？？

moruye · 发表于 2023-7-3 18:18

提示: 作者被禁止或删除内容自动屏蔽

三滑稽甲苯 · 发表于 2023-7-3 19:59

现在edge已经自带网页长截图了，不知道和这个比起来怎么样

jjghaa1234 · 发表于 2023-7-3 23:24

感谢大佬分享

zjh889 · 发表于 2023-7-4 00:10

提示: 作者被禁止或删除内容自动屏蔽

tl;dr · 发表于 2023-7-4 06:43

提示: 作者被禁止或删除内容自动屏蔽

darksied · 发表于 2023-7-4 08:26

tl;dr 发表于 2023-7-4 06:43
特别长的能截图吗？

试用版应该是限制50页？

帐号		自动登录	找回密码
密码			注册[Register]

[原创] fireshot延长试用期

免费评分

moruye moruye 当前离线好友阅读权限 0 听众最后登录 1970-1-1 头像被屏蔽	moruye 发表于 2023-7-3 18:18 提示: 作者被禁止或删除内容自动屏蔽

	回复支持举报

zjh889 zjh889 当前离线好友阅读权限 0 听众最后登录 1970-1-1 头像被屏蔽	zjh889 发表于 2023-7-4 00:10 提示: 作者被禁止或删除内容自动屏蔽

	回复支持举报

tl;dr tl;dr 当前离线好友阅读权限 0 听众最后登录 1970-1-1 头像被屏蔽	tl;dr 发表于 2023-7-4 06:43 提示: 作者被禁止或删除内容自动屏蔽

	回复支持举报