DVD Audio Extractor at version 7.2.0 has two "protections": a time-bomb and a nag screen.
Let's start with the time-bomb because it is the easiest to get rid of.
In sub_100074ac0 we find a sequence that checks whether the license has expired or the license is invalid. So at 0x100075107 we jump over that section into the next:

    sub_100074ac0:
    0000000100074ac0 55                 push rbp
    0000000100074ac1 4889E5             mov rbp, rsp
    0000000100074ac4 4157               push r15
    0000000100074ac6 4156               push r14
    0000000100074ac8 4154               push r12
    0000000100074aca 53                 push rbx
    0000000100074acb 4881ECD00A0000     sub rsp, 0xad0
    ; ...
    ; Basic Block Input Regs: <nothing> - Killed Regs: rax rcx
    00000001000750e4 B9FFFFFFFF         mov ecx, 0xffffffff
    00000001000750e9 F00FC148F8         lock xadd dword [ds:rax+0xfffffffffffffff8], ecx
    00000001000750ee 85C9               test ecx, ecx
    00000001000750f0 0F8F9B010000       jg 0x100075291
    ; Basic Block Input Regs: <nothing> - Killed Regs: rsi
    00000001000750f6 488D75B8           lea rsi, qword [ss:rbp-0xaf0+var_2728]
    00000001000750fa E8F1558C00         call imp___stubs___ZNSs4_Rep10_M_destroyERKSaIcE ; std::string::_Rep::_M_destroy(std::allocator<char> const&)
    00000001000750ff E98D010000         jmp 0x100075291
    ; Basic Block Input Regs: rbx - Killed Regs: <nothing>
    0000000100075104 83FB03             cmp ebx, 0x3 ; XREF=0x100074df9
    0000000100075107 E985010000         jmp 0x100075291
    000000010007510c 90                 nop
    ; ...
    ; trial expired and invalid license
    ; ...
    0000000100075291 488BBDD0FEFFFF     mov rdi, qword [ss:rbp+0xfffffffffffffed0] ; XREF=0x1000750de, 0x1000750f0, 0x1000750ff, 0x100075107
    0000000100075298 E8C13D8C00         call imp___stubs__free
    000000010007529d 488BBDC0FEFFFF     mov rdi, qword [ss:rbp+0xfffffffffffffec0]
    00000001000752a4 E8B53D8C00         call imp___stubs__free
    00000001000752a9 488B85B8FEFFFF     mov rax, qword [ss:rbp+0xfffffffffffffeb8]
    ; ...

This takes care of the time-bomb.
When the application launches it displays a nag screen that can only be dismissed if one clicks the "Register Later" button. Instead of attacking the subroutine that displays the dialog directly, we find the following sequence that calls the dialog subroutine:

    0000000100074d66 E994000000         jmp 0x100074dff ; Avoid the nag dialog sequence
    0000000100074d6b 90                 nop
    0000000100074d6c 488DBDD8FAFFFF     lea rdi, qword [ss:rbp+0xfffffffffffffad8]
    0000000100074d73 E838C5FFFF         call sub_1000712b0 ; This is the nag dialog subroutine.
    0000000100074d78 488B85D8FAFFFF     mov rax, qword [ss:rbp+0xfffffffffffffad8]
    0000000100074d7f 488B8088070000     mov rax, qword [ds:rax+0x788]
    0000000100074d86 488DBDD8FAFFFF     lea rdi, qword [ss:rbp+0xfffffffffffffad8]
    0000000100074d8d FFD0               call rax
    0000000100074d8f 3DEC130000         cmp eax, 0x13ec
    0000000100074d94 7550               jne 0x100074de6

The jmp and nop are added so that the subroutine responsible for displaying the dialog, sub_1000712b0, is never called.