We turn the jne to 0x4EDFA into a jump to 0x4F25A. This is because the first jne leads to the code segment responsible for displaying the DEMO message when SecuritySpy is running in Active mode.

Basic Block Input Regs: ebp - Killed Regs: eax ecx ebx esi edi

So that the trial never expires, we never let gTrialPeriodExpiredFlag be set to 0x1:

0000ffda 7607           jbe 0xFFE3
Basic Block Input Regs: - Killed Regs: edi
0000ffdc C687D7B70E0001 mov byte [edi+0xeb7d7], 0x1
Basic Block Input Regs: ebp - Killed Regs: eax
0000ffe3 8B85D4FEFFFF   mov eax, dword [ebp-0x12c]    XREF=0xffc3, 0xffda

We turn the jbe into a jmp (76 07 becomes EB 07, a one-byte change that keeps the same target and the same instruction length), so the mov byte ..., 0x1 is never reached and the flag is never set.

Now we could stop, because the flag is never set. But we can go on and patch the conditionals where the flag is checked:

Basic Block Input Regs: ebx - Killed Regs:
00011068 80BB67A80E0000 cmp byte [ebx+0xea867], 0x0
0001106f 7405           je 0x11076
Basic Block Input Regs: - Killed Regs:
00011071 E8BA5B0300     call _DisplayTrialPeriodExpiredMessage_46c30
Basic Block Input Regs: ebx edi - Killed Regs: ebx edi
00011076 31FF           xor edi, edi    XREF=0x1106f

This roughly translates to "if gTrialPeriodExpiredFlag is 0x0, do not display the trial-expired message". Patching it is not necessary, of course, if we avoid setting the flag to 0x1 in the first place. The same check appears a second time:

Basic Block Input Regs: edi - Killed Regs:
0003ebe5 80BF2AC80B0000 cmp byte [edi+0xbc82a], 0x0
0003ebec 7405           je 0x3EBF3
Basic Block Input Regs: - Killed Regs:
0003ebee E83D800000     call _DisplayTrialPeriodExpiredMessage_46c30
Basic Block Input Regs: esi edi - Killed Regs: esi edi
0003ebf3 31F6           xor esi, esi    XREF=0x3ebec

On the same wavelength, but with a small difference, is the case where we nop the jne instead of replacing it with a jump: the conditional is inverted there, so the jump is the path that leads to the message and falling through is the path we want.
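The three kinds of edit above (jbe to jmp with the same target, je to jmp, jne re-pointed to a new target, and nop-ing a jne), worked as an added example that is not the post's own code. The "setter" and "check" buffers are built from the opcode bytes printed in the listings; the jne's address (0x4ED00) and its 0F 85 rel32 encoding, and the whole "inverted" block, are assumptions, since the post gives only the jne's old and new targets. Each buffer is assumed to be loaded at its base address, so virtual address to offset is a plain subtraction; for a real Mach-O you would map through the segment's vmaddr and fileoff.

```python
"""Added example: in-place patching of the x86 conditional jumps discussed
in the post.  Not the post's code.  Each Code buffer is assumed to be loaded
at its `base`, so VA -> offset is a subtraction; a real Mach-O needs the
segment's vmaddr/fileoff pair for that mapping."""
import struct

NOP, JMP_REL8, JMP_REL32 = 0x90, 0xEB, 0xE9
# Low nibble of a Jcc opcode (7x for rel8, 0F 8x for rel32) -> mnemonic.
JCC = {0x2: "jb", 0x3: "jae", 0x4: "je", 0x5: "jne", 0x6: "jbe", 0x7: "ja"}


class Code:
    """Raw x86 code bytes that live at virtual address `base`."""

    def __init__(self, base, data):
        self.base, self.data = base, bytearray(data)

    def off(self, va):
        if not self.base <= va < self.base + len(self.data):
            raise ValueError(f"{va:#x} is outside this buffer")
        return va - self.base

    def decode_jump(self, va):
        """Return (mnemonic, target, length) for the jmp/Jcc/nop at `va`."""
        o, d = self.off(va), self.data
        b0 = d[o]
        if b0 == NOP:
            return "nop", None, 1
        if b0 == JMP_REL8 or 0x70 <= b0 <= 0x7F:          # 2-byte rel8 forms
            name = "jmp" if b0 == JMP_REL8 else JCC.get(b0 & 0xF, f"jcc{b0 & 0xF:x}")
            length, disp = 2, struct.unpack_from("<b", d, o + 1)[0]
        elif b0 == JMP_REL32:                              # 5-byte jmp rel32
            name, length, disp = "jmp", 5, struct.unpack_from("<i", d, o + 1)[0]
        elif b0 == 0x0F and 0x80 <= d[o + 1] <= 0x8F:     # 6-byte Jcc rel32
            name = JCC.get(d[o + 1] & 0xF, f"jcc{d[o + 1] & 0xF:x}")
            length, disp = 6, struct.unpack_from("<i", d, o + 2)[0]
        else:
            raise ValueError(f"no jump at {va:#x} (opcode {b0:#04x})")
        return name, va + length + disp, length   # displacement counts from the next instruction

    def jcc_to_jmp(self, va, target=None):
        """Rewrite the conditional jump at `va` as an unconditional jmp.
        Without `target` the destination is kept (the jbe -> jmp patch); with
        one, the jump is re-encoded toward it (the jne 0x4EDFA -> jmp 0x4F25A
        patch).  A shorter encoding is NOP-padded so the next instruction
        keeps its address."""
        name, old_target, length = self.decode_jump(va)
        if name in ("jmp", "nop"):
            raise ValueError(f"{va:#x} is not a conditional jump")
        target = old_target if target is None else target
        disp8 = target - (va + 2)            # rel8 counts from the end of the 2-byte jmp
        if -128 <= disp8 <= 127:
            enc = bytes([JMP_REL8, disp8 & 0xFF])
        elif length >= 5:                    # jmp rel32 needs 5 of the Jcc rel32's 6 bytes
            enc = bytes([JMP_REL32]) + struct.pack("<i", target - (va + 5))
        else:
            raise ValueError("target out of rel8 range; a 2-byte slot cannot hold jmp rel32")
        enc += bytes([NOP]) * (length - len(enc))
        o = self.off(va)
        self.data[o:o + length] = enc
        return enc

    def nop_jcc(self, va):
        """Erase the conditional jump at `va` so execution always falls through."""
        name, _, length = self.decode_jump(va)
        if name in ("jmp", "nop"):
            raise ValueError(f"{va:#x} is not a conditional jump")
        o = self.off(va)
        self.data[o:o + length] = bytes([NOP]) * length
        return length


def samples():
    """Constructed buffers.  'setter' and 'check' reuse the opcode bytes from
    the listings; 'demo' and 'inverted' are hypothetical, since the post
    gives the jne's targets but not its address or encoding."""
    return {
        "setter": Code(0xFFDA, bytes.fromhex("7607" "C687D7B70E0001" "8B85D4FEFFFF")),
        "check": Code(0x11068, bytes.fromhex("80BB67A80E0000" "7405" "E8BA5B0300" "31FF")),
        "demo": Code(0x4ED00, bytes.fromhex("0F85" "F4000000")),  # jne 0x4EDFA, assumed at 0x4ED00
        # cmp flag / jne -> call / xor edi,edi / jmp past the call / call display (assumed layout)
        "inverted": Code(0x20000, bytes.fromhex("80BB67A80E0000" "7504" "31FF" "EB05" "E81E6C0200")),
    }


def apply_patches():
    """Apply the post's edits to fresh sample buffers and return them."""
    s = samples()
    s["setter"].jcc_to_jmp(0xFFDA)              # jbe -> jmp: the mov byte ..., 0x1 is skipped
    s["check"].jcc_to_jmp(0x1106F)              # je -> jmp: the message call is never reached
    s["demo"].jcc_to_jmp(0x4ED00, 0x4F25A)      # jne 0x4EDFA -> jmp 0x4F25A (rel32 + one NOP)
    s["inverted"].nop_jcc(0x20007)              # inverted sense: nop so we fall through past the call
    return s


if __name__ == "__main__":
    for name, code in apply_patches().items():
        print(name, code.data.hex())
```

Two points the listings do not spell out: a Jcc rel32 (6 bytes) has room for jmp rel32 (5 bytes) plus one NOP, so the following instruction keeps its address, but a 2-byte Jcc rel8 can only become a jmp rel8 to a target within -128..+127 of the next instruction; anything farther needs a trampoline or a different patch point, which is why `jcc_to_jmp` refuses rather than silently corrupting the next instruction.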