WinToFlash protection study

The WinToFlash program is designed to create bootable and installation flash drives from Windows distributions, LiveCDs, antivirus disks and other media. The basic version of the program is nominally free, but it shows ads and is limited in functionality. The Professional editions lack these shortcomings, but have a larger disadvantage: you need to pay for a license. The software is really good and useful, but with all due respect, it is not in my rules to pay for software.

Let’s try to get the top Business version into working order. Download the distribution from the official site, install it, run it. The first offer to activate is simply ignored; on the next launch the program opens at its main window. There are plenty of signs of an unregistered application: the caption in the window title, a message about a missing license file in the About window and, most importantly, restricted functionality. Any attempt to create a bootable flash drive unambiguously demands registration.

The main executable is not packed in any way, so let’s send it to the disassembler. We start the search for reference points with the text from the About window.

It is not really a message, it is an index used to load a string in the multi-language interface. No matter; let’s see how and where it is used.

.text:00203875 lea eax, [ebp+var_C]
.text:00203878 push eax
.text:00203879 call AboutDialogDataUpdate
.text:0020387E lea eax, [ebp+var_4]
.text:00203881 xor edx, edx
.text:00203883 call sub_16C9C
; Pointer to settings block
.text:00203888 mov eax, off_237D4C
.text:0020388D mov eax, [eax]
; Check registration byte
.text:0020388F cmp byte ptr [eax+51h], 0
; Program not registered
.text:00203893 jz loc_203B3F
.text:00203899 mov eax, off_237D4C
.text:0020389E mov eax, [eax]
.text:002038A0 cmp byte ptr [eax+78h], 0
.text:002038A4 jnz loc_203995
.text:002038AA lea eax, [ebp+var_8]

.text:00203B3F loc_203B3F:
.text:00203B3F lea eax, [ebp+var_4]
.text:00203B42 push eax
.text:00203B43 mov eax, [ebx]
.text:00203B45 mov ecx, offset aAboutLicenseNo ; About License No valid key file fou
.text:00203B4A xor edx, edx
.text:00203B4C call sub_1735D4

What have we learned? The parameters responsible for registration are stored in some settings block, in the byte at index 51h. We need to find the place where this byte is initialized. We search for the string 51h], and after a few hits the search leads us to the following code:

.text:001809B7 mov byte ptr [ebx+25h], 0
.text:001809BB mov byte ptr [ebx+51h], 0
.text:001809BF mov dword ptr [ebx+58h], 0
.text:001809C6 mov dword ptr [ebx+5Ch], 0
.text:001809CD mov dword ptr [ebx+60h], 0
.text:001809D4 mov dword ptr [ebx+64h], 0

Characteristically, there are some manipulations with dates and times, user data and other odds and ends before and after this block. I suspect that this is just the initialization of the logging parameters block. Let’s replace the command mov byte ptr [ebx+51h], 0 with the command of the same length mov byte ptr [ebx+51h], 1. Save the changes, start.

My hunch was right: the title now says Lite license. That is better, but still not quite right, because the Lite version is also somewhat limited in functionality. So, besides the registered flag, there must also be a license type somewhere. Let’s find the name string of the current license.

The string is found; we cross-reference it to find the place where it is used, and arrive at the following code:

; Check the registration byte
.text:001F87D7 movzx ebx, byte ptr [eax+51h]
.text:001F87DB test bl, bl
.text:001F87DD jz short loc_1F883A
; Check the license type
.text:001F87DF mov eax, off_237D4C
.text:001F87E4 mov eax, [eax]
.text:001F87E6 mov eax, [eax+60h]
.text:001F87E9 sub eax, 1
.text:001F87EC jb short loc_1F87FB
.text:001F87EE jz short loc_1F880D
.text:001F87F0 dec eax
.text:001F87F1 jz short loc_1F881C
.text:001F87F3 dec eax
.text:001F87F4 jz short loc_1F882B
.text:001F87F6 jmp loc_1F888F

.text:001F87FB loc_1F87FB:
.text:001F87FB lea eax, [ebp+var_4]
.text:001F87FE mov edx, offset aLiteNonCommerc ; Lite (non-commercial use only)
.text:001F8803 call sub_16C9C
.text:001F8808 jmp loc_1F888F

.text:001F880D loc_1F880D:
.text:001F880D lea eax, [ebp+var_4]
.text:001F8810 mov edx, offset aHome ; Home
.text:001F8815 call sub_16C9C
.text:001F881A jmp short loc_1F888F

.text:001F881C loc_1F881C:
.text:001F881C lea eax, [ebp+var_4]
.text:001F881F mov edx, offset aProfessional ; Professional
.text:001F8824 call sub_16C9C
.text:001F8829 jmp short loc_1F888F

.text:001F882B loc_1F882B:
.text:001F882B lea eax, [ebp+var_4]
.text:001F882E mov edx, offset aBusiness ; Business
.text:001F8833 call sub_16C9C
.text:001F8838 jmp short loc_1F888F

We see the familiar registration byte from the settings block at offset 51h, and after it the double word at offset 60h is checked. 1 is subtracted from it step by step and, depending on the result, one or another license type is output. It is not difficult to work out that the value 3 is required for a Business license. Let’s go back to the initialization code and look: the DWORD at offset 60h is also present there. Replace the command mov dword ptr [ebx+60h], 0 with mov dword ptr [ebx+60h], 3. The program has been successfully registered. Now we see the top Business version in the program title and in the About window too, and an attempt to reactivate greets us with a message that everything is already activated. Checking the functionality: everything works without any restrictions. Goal achieved. Thanks to the author for a great program!

Author: ManHunter Source:
