By ro0ted | March 6, 2015 - 13:07
#ro0ted #OpNewblood What the blackhats don’t want you to know: Bypassing Part 2

This is how to bypass a 30-day trial along with a server check. Bypassing Part 2.

The target:


We can choose between two versions, Easy mode or Advanced. We select Advanced:
Note: We set our PC clock 30 days ahead so the trial has expired.


Now we see the 30 day trial expired…and Try is grayed out.
So we run it in Ollydbg; selecting advanced mode again:


It terminates when we select any mode, for that matter.
Why did this happen? It is not an anti-debugger trick.
The program we started is only a loader, so when we choose “Advanced” it starts another program and terminates itself.
Directory view:

As you can see, there are two folders:
A.) Advanced_Mode
B.) Easy_Mode
We want Advanced_Mode
So let’s go there:

This is our real target for Olly. Let’s load it and see if it terminates:


Coast is clear.
Pause Olly and press Alt + F9. Since the only button we can press is “Purchase”, we do that. Close the pop-up website and return to Olly:


We land here, after the call that displayed the nag. Let us look at the code above the call. It must decide somewhere which string to show in the nag.


All the calls you can see to MFC42 are not interesting because we don’t want to jump out of the main file.
If you look into the calls, you’ll see there are no conditional jumps and no calls deeper in the code. Try to change the flag and let Olly run:




So now, yeah, it’s not over yet. Click Try:


We don’t want to get our e-mail on some registration list, and to get on some list it must connect to the internet. Okay, disconnect from the internet and fire up Fiddler. Go back to and enter a fake e-mail (we will delete it in the registry later), and click “Register”:


The program loads fine because it does not need any feedback from the server; it just sends your information to the server. Well, I don’t want my IP logged, not even with a fake e-mail. Take a look in Fiddler:


As you can see, the first line sends your e-mail and language to the server to add you to their list. But what are the next 2 lines? It seems like it also runs an update in the background every time the program starts. OK, let us kill that first line that sends our e-mail. To do that we need the nag, so let us delete our registry key.
To “clean” your e-mail registration, run regedit.exe and navigate to “HKEY_LOCAL_MACHINE\SOFTWARE\honestech\honestech Video Editor” and delete the folder named “8.0”. Now, the next time we click “Try”, the nag will pop up again. (How did I find that path to the key? I just searched for the company name “honestech” in the registry.)

Run the target in Olly again: restart it, change the jump again and click “Try”. Now you should be here again:


Set a BP at 00443215, change the flags in the register, run the target and go back to Fiddler:
Cross your fingers…


We patched the 30 day trial
We patched any attempt to connect to the server
We removed the Nag for entering our email.




(In order)

Why am I teaching Reverse Engineering to inexperienced new Anons in OpNewblood?

Whitehat Lab

ASM Programming

Introduction Part 1 Ollydbg 

Introduction Part 2 Using Ollydbg and Tracing Botnets

Analyzing Botnets

 Introduction Part 3 Ollydbg: Cheating a Crackme

Introduction Part 4 Ollydbg: Your first Patch

Encryption 101

Cuckoo Sandbox: Automated Malware Analysis also known as

Introduction to Honeydrive: A Brief Walk Through

Installing Kippo the SSH Honeypot on a VPS Part 1: How to set it up

Resource Hacker

Dll Injection the Easy Way

Visual Basic Binaries Walk Through Part 1

Ollydbg on Steroids

Creating Patchers Part 1

Have you supported the gas mask campaign over the years?

Crack to win a gas mask gift pack

How to edit a register me crack me Pre Part 1

Unwinding Delphi Binaries Walk Through if not Preview

Cracking Delphi Part 2

Reversing Timed Trials: Ollydbg Tricks Part 3

Analyzing Adware

Preview Against Debugging

Bypassing Registering 101

