fireshot延长试用期

darksied · 发表于 2023-7-3 13:37

本帖最后由 darksied 于 2023-12-26 16:41 编辑

fireshot是浏览器插件，用于截取网页长图。免费试用30天。
一共两个文件fireshot-chrome-plugin.exe和SSSx64.dll。
分析后，判断主要功能都在SSSx64.dll中，fireshot-chrome-plugin.exe用于更新版本、与浏览器通讯、加载dll。
使用IDA（使用高版本的，一开始使用的低版本，没有解析出可读的函数名称）打开SSSx64.dll，函数名基本都解析出来了，搜索TLicensor，发现一个函数TLicensor::DemoHasExpired(void)

[C++] 纯文本查看 复制代码

__int64 __fastcall TLicensor::DemoHasExpired(TLicensor *this, _SYSTEMTIME *a2, __int64 a3, __int64 a4)
{
  _SYSTEMTIME *v4; // rsi
  unsigned __int64 v5; // rdi
  bool *v7; // [rsp+0h] [rbp-80h]
  __int16 v8; // [rsp+0h] [rbp-80h]
  __int16 v9; // [rsp+0h] [rbp-80h]
  bool *v10; // [rsp+0h] [rbp-80h]
  __int16 v11; // [rsp+0h] [rbp-80h]
  __int16 v12; // [rsp+0h] [rbp-80h]
  __int16 v13; // [rsp+0h] [rbp-80h]
  DWORD v14; // [rsp+C8h] [rbp+48h]
  DWORD v15; // [rsp+D8h] [rbp+58h]
  DWORD Reserved; // [rsp+E8h] [rbp+68h]
  DWORD dwType; // [rsp+F8h] [rbp+78h]
  __int16 v19; // [rsp+198h] [rbp+118h]
  __int16 v20; // [rsp+19Ah] [rbp+11Ah]
  __int16 v21; // [rsp+19Eh] [rbp+11Eh]
  __int16 v22; // [rsp+1BAh] [rbp+13Ah]
  unsigned __int16 v23; // [rsp+1BEh] [rbp+13Eh]
  WCHAR SubKey[4]; // [rsp+1F0h] [rbp+170h] BYREF
  char v25; // [rsp+1FFh] [rbp+17Fh]
  bool v26[4]; // [rsp+200h] [rbp+180h] BYREF
  _SYSTEMTIME v27; // [rsp+204h] [rbp+184h] BYREF
  unsigned __int64 v28[256]; // [rsp+220h] [rbp+1A0h] BYREF
  unsigned __int64 v29[2]; // [rsp+A20h] [rbp+9A0h] BYREF
  wchar_t ulOptions[1028]; // [rsp+1220h] [rbp+11A0h] BYREF
  __int64 v31; // [rsp+1A28h] [rbp+19A8h]
  _SYSTEMTIME v32; // 0:rdx.16
  _SYSTEMTIME v33; // 0:rcx.8,8:r8.8

  v31 = a4;
  TLicensor::GetHiddenPaths(this, &a2->wYear, ulOptions, (wchar_t *)a4);
  *(_BYTE *)(a4 + 356) = 0;
  GetSystemTime((LPSYSTEMTIME)this);
  TLicensor::OffsetDateByDays(this, a2, (int)&v27.wSecond);
  *(_DWORD *)&v27.wHour = 1;
  *(_DWORD *)&v27.wDayOfWeek = 2;
  *(_DWORD *)&v27.wYear = 3;
  *(_DWORD *)v26 = 4;
  v25 = TLicensor::GetExpiryFromHiddenKey(
          this,
          (wchar_t *)a4,
          ulOptions,
          (unsigned __int64 *)a4,
          v28,
          (_SYSTEMTIME *)&v27.wHour,
          v7) & 1;
  v4 = (_SYSTEMTIME *)a4;
  v5 = (unsigned __int64)&v27.wSecond;
  TLicensor::GetExpiryFromHiddenFile((TLicensor *)&v27.wSecond, (wchar_t *)a4, v29, (unsigned __int64 *)a4, &v27, v26);
  if ( (v25 & 1) != 0 )
  {
    *(_DWORD *)&v27.wHour = *(_DWORD *)&v27.wYear;
    *(_DWORD *)&v27.wDayOfWeek = *(_DWORD *)v26;
    *(_QWORD *)SubKey = 0LL;
    v4 = (_SYSTEMTIME *)SubKey;
    v5 = 131078LL;
    if ( !RegOpenKeyExW((HKEY)0x20006, SubKey, (DWORD)ulOptions, 0x80000001, 0LL) )
    {
      dwType = *(_DWORD *)SubKey;
      System::UnicodeString::UnicodeString((System::UnicodeString *)0x20006);
      TLicensor::getRecName((TLicensor *)0x20006, (int)SubKey);
      Reserved = System::UnicodeString::c_str((System::UnicodeString *)0x20006);
      RegSetValueExW((HKEY)0x20006, SubKey, Reserved, dwType, 0LL, 4u);
      System::UnicodeString::~UnicodeString((System::UnicodeString *)0x20006);
      v15 = *(_DWORD *)SubKey;
      System::UnicodeString::UnicodeString((System::UnicodeString *)0x20006);
      TLicensor::getRecName((TLicensor *)0x20006, (int)SubKey);
      v14 = System::UnicodeString::c_str((System::UnicodeString *)0x20006);
      RegSetValueExW((HKEY)0x20006, SubKey, v14, v15, 0LL, 4u);
      System::UnicodeString::~UnicodeString((System::UnicodeString *)0x20006);
    }
    if ( *(_QWORD *)SubKey )
      RegCloseKey((HKEY)0x20006);
  }
  if ( *(_DWORD *)&v27.wHour == *(_DWORD *)&v27.wYear && *(_DWORD *)&v27.wDayOfWeek == *(_DWORD *)v26 )
  {
    GetSystemTime((LPSYSTEMTIME)v5);
    LOWORD(v4) = v22;
    *(_DWORD *)(a4 + 352) = TLicensor::CompareDates(
                              (TLicensor *)v23,
                              v22,
                              v27.wHour,
                              a4,
                              LOBYTE(v27.wMinute),
                              v27.wDayOfWeek,
                              v8);
    *(_BYTE *)(a4 + 376) = (int)v27.wMinute >> 8 != 0;
    TLicensor::GetLastRunFromHiddenKey((TLicensor *)v23, &v4->wYear, ulOptions, (__int64 *)a4);
    TLicensor::GetLastRunFromFile((TLicensor *)v23, &v4->wYear, (__int64 *)v29);
    FileTimeToSystemTime((const FILETIME *)v23, v4);
    LOWORD(v4) = v22;
    v5 = v23;
    if ( (int)TLicensor::CompareDates((TLicensor *)v23, v22, v19, a4, v20, v21, v9) > 0 )
    {
      GetSystemTime((LPSYSTEMTIME)v23);
      TLicensor::OffsetDateByDays((TLicensor *)v23, v4, (int)&v27.wSecond);
      TLicensor::SetExpiryToHiddenKey(
        (TLicensor *)v23,
        &v4->wYear,
        ulOptions,
        (unsigned __int64 *)a4,
        v28,
        (_SYSTEMTIME *)&v27.wHour,
        v10);
      TLicensor::SetExpiryToHiddenFile((TLicensor *)v23, &v4->wYear, v29, (unsigned __int64 *)a4, &v27, v26);
      LOWORD(v5) = v27.wHour;
      v4 = (_SYSTEMTIME *)v23;
      *(_DWORD *)(a4 + 352) = TLicensor::CompareDates(
                                (TLicensor *)v5,
                                v23,
                                v27.wHour,
                                a4,
                                LOBYTE(v27.wMinute),
                                v27.wDayOfWeek,
                                v11);
    }
    GetSystemTime((LPSYSTEMTIME)v5);
    *(_QWORD *)&v33.wHour = v28;
    *(_QWORD *)&v33.wYear = a4;
    TLicensor::SetLastRunToHiddenKey((TLicensor *)v5, &v4->wYear, ulOptions, v33);
    *(_QWORD *)&v32.wYear = v29;
    *(_QWORD *)&v32.wHour = a4;
    TLicensor::SetLastRunToFile((TLicensor *)v5, &v4->wYear, v32);
    if ( *(_BYTE *)(a4 + 178) == 84 && (*(_BYTE *)(a4 + 376) & 1) == 0 )
    {
      *(_BYTE *)(a4 + 376) = 1;
      GetSystemTime((LPSYSTEMTIME)v5);
      TLicensor::OffsetDateByDays((TLicensor *)v5, v4, (int)&v27.wSecond);
      v5 = (unsigned __int64)&v27.wSecond;
      TLicensor::SetExpiryToHiddenKey(
        (TLicensor *)&v27.wSecond,
        (wchar_t *)a4,
        ulOptions,
        (unsigned __int64 *)a4,
        v28,
        (_SYSTEMTIME *)&v27.wHour,
        v10);
      v4 = (_SYSTEMTIME *)&v27.wSecond;
      TLicensor::SetExpiryToHiddenFile((TLicensor *)&v27.wSecond, &v27.wSecond, v29, (unsigned __int64 *)a4, &v27, v26);
      *(_DWORD *)(a4 + 352) = TLicensor::CompareDates(
                                (TLicensor *)&v27.wSecond,
                                (__int16)&v27.wSecond,
                                v27.wHour,
                                a4,
                                LOBYTE(v27.wMinute),
                                v27.wDayOfWeek,
                                v12);
    }
    if ( *(_DWORD *)(a4 + 352) > *(_DWORD *)(a4 + 372)
      && ((*(_BYTE *)(a4 + 376) & 1) == 0 || *(_DWORD *)(a4 + 352) > *(_DWORD *)(a4 + 372) + 3) )
    {
      GetSystemTime((LPSYSTEMTIME)v5);
      TLicensor::OffsetDateByDays((TLicensor *)v5, v4, (int)&v27.wSecond);
      TLicensor::SetExpiryToHiddenKey(
        (TLicensor *)v5,
        &v4->wYear,
        ulOptions,
        (unsigned __int64 *)a4,
        v28,
        (_SYSTEMTIME *)&v27.wHour,
        v10);
      TLicensor::SetExpiryToHiddenFile((TLicensor *)v5, &v4->wYear, v29, (unsigned __int64 *)a4, &v27, v26);
      LOWORD(v5) = v27.wHour;
      v4 = (_SYSTEMTIME *)v23;
      *(_DWORD *)(a4 + 352) = TLicensor::CompareDates(
                                (TLicensor *)v5,
                                v23,
                                v27.wHour,
                                a4,
                                LOBYTE(v27.wMinute),
                                v27.wDayOfWeek,
                                v13);
    }
    *(_BYTE *)(a4 + 356) = *(int *)(a4 + 352) <= 0;
  }
  else
  {
    *(_BYTE *)(a4 + 356) = 1;
  }
  if ( (*(_BYTE *)(a4 + 356) & 1) != 0 )
    *(_BYTE *)(a4 + 178) = 0;
  else
    TLicensor::ReadAppVariety((TLicensor *)v5, (char *)v4);
  return *(_BYTE *)(a4 + 356) & 1;
}

可以看出，调用系统时间，和隐藏文件中时间对比，判断是否过期。
最后返回一个是否过期的值，
这个函数只被TLicensor::ReadApplicationLicenseState()这个函数调用。
TLicensor::ReadApplicationLicenseState()被多次调用，用于读取授权状态。

水平有限，采用暴力方式。先修改DemoHasExpired返回值固定为0。

保存后，测试发现是试用状态了。

782878952 · 发表于 2023-7-5 11:11

有没有地址可以下载修改过的fireshot

传说中的CJ · 发表于 2023-10-17 13:02

sdieedu 发表于 2023-7-3 17:13
return *(_BYTE *)(a4 + 356) & 1;
改成
return 0;

return *(_BYTE *)(a4 + 356) & 1;
改成
return *(_BYTE *)(a4 + 356) & 0;

jianping520 · 发表于 2023-7-3 14:32

好复杂，这个怎么用？

无敌小儿 · 发表于 2023-7-3 14:35

不够详细，看了还是不会

sdieedu · 发表于 2023-7-3 17:13

return *(_BYTE *)(a4 + 356) & 1;
改成
return 0;

？？？？？？？？

moruye · 发表于 2023-7-3 18:18

感谢楼主整理分享，

三滑稽甲苯 · 发表于 2023-7-3 19:59

现在edge已经自带网页长截图了，不知道和这个比起来怎么样

jjghaa1234 · 发表于 2023-7-3 23:24

感谢大佬分享

zjh889 · 发表于 2023-7-4 00:10

谢谢大神分享，俺收藏看看！

tl;dr · 发表于 2023-7-4 06:43

提示: 作者被禁止或删除内容自动屏蔽

darksied · 发表于 2023-7-4 08:26

tl;dr 发表于 2023-7-4 06:43
特别长的能截图吗？

试用版应该是限制50页？

帐号		自动登录	找回密码
密码			注册[Register]

[原创] fireshot延长试用期

免费评分

个人中心

tl;dr tl;dr 当前离线好友阅读权限 0 听众最后登录 1970-1-1 头像被屏蔽	tl;dr 发表于 2023-7-4 06:43 提示: 作者被禁止或删除内容自动屏蔽

	回复支持举报