By ro0ted | March 6, 2015 - 13:07 | Posted in /b/
#ro0ted #OpNewblood What the blackhats don’t want you to know: Bypassing Part 2
This is how to bypass a 30-day trial along with a server check. Bypassing Part 2. – https://twitter.com/ro0ted/
We can choose between two versions, Easy mode or Advanced. We select Advanced:
Note: Set the PC clock 30 days ahead so the trial has expired.
Now we see the 30-day trial has expired… and Try is grayed out.
So we run it in OllyDbg, selecting Advanced mode again:
It terminates, and it does so whichever mode we select.
Why did this happen? It is not an anti-debugger trick.
The program we started is only a loader, so when we choose “Advanced” it starts another program and terminates itself.
As you can see, there are two folders.
We want Advanced_Mode.
So let’s go there:
This is our real target for Olly. Let’s load it and see if it terminates:
Coast is clear.
Pause Olly and press Alt + F9. As the only button we can press is “Purchase”, we do that. Close the pop-up website and return to Olly:
We land here after the call that called the nag. Let us look at the code above the call. It must decide somewhere which string to show in the nag.
All the calls you can see to MFC42 are not interesting because we don’t want to jump out of the main file.
If you look into the calls, you’ll see there are no conditional jumps and no calls deeper into the code. Try changing the flag and let Olly run.
It’s not over yet. Click Try.
We don’t want to get our e-mail on some registration list, and to get on some list it must connect to the internet. So disconnect from the internet and fire up Fiddler. Go back and enter a fake e-mail (we will delete it in the registry later), then click “Register”.
The program loads fine because it does not need any feedback from the server; it just sends your information to the server. Well, I don’t want my IP logged, not even with a fake e-mail. Take a look in Fiddler:
As you can see, the first line sends your e-mail and language to the server to add you to their list. But what are the next 2 lines? It seems it also runs an update in the background every time the program starts. OK, let us kill that first line that sends our e-mail. To do that we need the nag, so let us delete our registry key.
To “clean” your e-mail registration, run regedit.exe, navigate to “HKEY_LOCAL_MACHINE\SOFTWARE\honestech\honestech Video Editor” and delete the folder named “8.0”. The next time we click “Try”, the nag will pop up again. (How did I find that path to the key? I just searched the registry for the company name “honestech”.)
Run the target in Olly again: restart it, change the jump again and click “Try”. Now you should be here again:
Set a breakpoint (BP) at 00443215, change the flags in the register and run the target. Then go back to Fiddler:
Cross your fingers…
We patched the 30 day trial
We patched any attempt to connect to the server
We removed the Nag for entering our email.