Shortnote

OmniPlan is a personal time organiser created by the Omni group. The protection system consists of a simple date-range check that will make OmniPlan stop working after 14 days.

As is typical for the Omni group, the first check is found in the initialisation routine.

                                            methImpl_static_OZZuul_initialize:
                                            ; Disassembly excerpt of the initialisation routine named in the text.
                                            ; "..." lines are instructions the page omits, so only the visible
                                            ; path is described here.
                                            ;
                                            ; Prologue: build the rbp frame, save r15/r14/r13/r12/rbx and reserve
                                            ; 0xE8 bytes of stack.
00000001000fa700 55                              push       rbp
00000001000fa701 4889E5                          mov        rbp, rsp
00000001000fa704 4157                            push       r15
00000001000fa706 4156                            push       r14
00000001000fa708 4155                            push       r13
00000001000fa70a 4154                            push       r12
00000001000fa70c 53                              push       rbx
00000001000fa70d 4881ECE8000000                  sub        rsp, 0xE8
                                            ; Load the GOT entry for __stack_chk_guard (stack-protector canary).
                                            ; Presumably the canary is then copied to rbp-0x30, the slot the
                                            ; epilogue compares against; that store is in the omitted part.
00000001000fa714 488B0555020700                  mov        rax, qword [ds:imp___got____stack_chk_guard]
...
                                            ; al = byte at 0x1001BF008; "test al, al" sets the flags from it.
                                            ; The jmp that follows is unconditional (opcode E9), so those flags are
                                            ; never consumed: control always goes to the canary check at
                                            ; 0x1000FB0B9 and the omitted instructions after the jmp are not
                                            ; reached by fall-through.
                                            ; NOTE(review): a flag test feeding an unconditional jmp is not what a
                                            ; compiler normally emits; presumably this is the modified branch the
                                            ; text refers to. Confirm against an unmodified binary. A change of
                                            ; this kind alters code bytes, so it is the sort of edit that
                                            ; code-signature or hash-based integrity checks on the binary exist to
                                            ; detect (not shown on this page).
00000001000fa741 8A05C1480C00                    mov        al, byte [ds:0x1001BF008]
00000001000fa747 84C0                            test       al, al
00000001000fa749 E96B090000                      jmp        0x1000FB0B9
...
                                            ; Stack-protector epilogue: reload the current guard value and compare
                                            ; it with the copy at rbp-0x30 (0xFFFFFFFFFFFFFFD0 is -0x30). On a
                                            ; mismatch, branch to 0x1000FB0DB, which is not shown (presumably the
                                            ; __stack_chk_fail call).
00000001000fb0b9 488B05B0F80600                  mov        rax, qword [ds:imp___got____stack_chk_guard] ; XREF=0x1000fa749
00000001000fb0c0 488B00                          mov        rax, qword [ds:rax]
00000001000fb0c3 483B45D0                        cmp        rax, qword [ss:rbp+0xFFFFFFFFFFFFFFD0]
00000001000fb0c7 7512                            jne        0x1000FB0DB
                                            ; Release the 0xE8 bytes and restore the saved registers in reverse
                                            ; push order, then return.
00000001000fb0c9 4881C4E8000000                  add        rsp, 0xE8
00000001000fb0d0 5B                              pop        rbx
00000001000fb0d1 415C                            pop        r12
00000001000fb0d3 415D                            pop        r13
00000001000fb0d5 415E                            pop        r14
00000001000fb0d7 415F                            pop        r15
00000001000fb0d9 5D                              pop        rbp
00000001000fb0da C3                              ret

The subroutine at 0x1000f9570 is responsible for verifying whether the application is licensed.

                                            sub_1000f9570:
                                            ; Per the surrounding text, this routine reports whether the
                                            ; application is licensed. Result is returned in eax. "..." marks
                                            ; instructions the page omits; only the visible path is described.
                                            ;
                                            ; Prologue: build the rbp frame and save r15/r14/r12/rbx.
00000001000f9570 55                              push       rbp                           ; XREF=0x1000034b9, 0x100004a90, 0x1000ed258, 0x1000ff522
00000001000f9571 4889E5                          mov        rbp, rsp
00000001000f9574 4157                            push       r15
00000001000f9576 4156                            push       r14
00000001000f9578 4154                            push       r12
00000001000f957a 53                              push       rbx
                                            ; bl = 1: the result byte is preset before any comparison runs.
00000001000f957b B301                            mov        bl, 0x1
                                            ; Compare the dword at 0x1001BF170 with 2, then jump unconditionally
                                            ; (opcode E9) to the common exit at 0x1000F968F. The comparison result
                                            ; is not used on this path, and the omitted body is not reached by
                                            ; fall-through.
                                            ; NOTE(review): a cmp feeding an unconditional jmp is presumably the
                                            ; modified branch the text refers to; confirm against an unmodified
                                            ; binary. With the decision reduced to one local branch, the check is
                                            ; only as strong as the binary's integrity verification.
00000001000f957d 833DEC5B0C0002                  cmp        dword [ds:0x1001BF170], 0x2
00000001000f9584 E906010000                      jmp        0x1000F968F
...
                                            ; Common exit, also reached from the omitted code (see XREF list):
                                            ; eax = zero-extended bl. Arriving from 0x1000f9584, bl still holds
                                            ; the 1 written at 0x1000f957b, so this path returns 1.
00000001000f968f 0FB6C3                          movzx      eax, bl                       ; XREF=0x1000f9584, 0x1000f9593, 0x1000f95e0, 0x1000f95f3, 0x1000f9777, 0x1000f97b5, ...
                                            ; Restore the saved registers in reverse push order and return.
00000001000f9692 5B                              pop        rbx
00000001000f9693 415C                            pop        r12
00000001000f9695 415E                            pop        r14
00000001000f9697 415F                            pop        r15
00000001000f9699 5D                              pop        rbp
00000001000f969a C3                              ret

The third modification may be optional, since it appears to relate only to the validation performed when a new license is added.

                                            sub_1000f9480:
                                            ; Disassembly excerpt; the text suggests this routine belongs to the
                                            ; validation done when a new license is added. "..." marks
                                            ; instructions the page omits; only the visible path is described.
                                            ;
                                            ; Prologue: build the rbp frame, save r15/r14/r13/r12/rbx and reserve
                                            ; 0x28 bytes of stack.
00000001000f9480 55                              push       rbp
00000001000f9481 4889E5                          mov        rbp, rsp
00000001000f9484 4157                            push       r15
00000001000f9486 4156                            push       r14
00000001000f9488 4155                            push       r13
00000001000f948a 4154                            push       r12
00000001000f948c 53                              push       rbx
00000001000f948d 4883EC28                        sub        rsp, 0x28
                                            ; r13 = rdi (presumably the first argument under the SysV AMD64 ABI,
                                            ; TODO confirm), then test it for zero. The jmp is unconditional
                                            ; (opcode E9), so the outcome of the test is ignored and the exit at
                                            ; 0x1000F955A is always taken; the omitted body is not reached by
                                            ; fall-through.
                                            ; NOTE(review): presumably the modified branch the text refers to;
                                            ; confirm against an unmodified binary.
00000001000f9491 4989FD                          mov        r13, rdi
00000001000f9494 4D85ED                          test       r13, r13
00000001000f9497 E9BE000000                      jmp        0x1000F955A
...
                                            ; Exit block (only XREF is the jmp above): eax = 0, so this path
                                            ; returns 0.
00000001000f955a 31C0                            xor        eax, eax                      ; XREF=0x1000f9497
                                            ; Release the 0x28 bytes, restore the saved registers in reverse push
                                            ; order and return.
00000001000f955c 4883C428                        add        rsp, 0x28
00000001000f9560 5B                              pop        rbx
00000001000f9561 415C                            pop        r12
00000001000f9563 415D                            pop        r13
00000001000f9565 415E                            pop        r14
00000001000f9567 415F                            pop        r15
00000001000f9569 5D                              pop        rbp
00000001000f956a C3                              ret
