OmniPlan is a personal time organiser created by the Omni group. The protection system consists of a simple date-range check that will make OmniPlan stop working after 14 days.
Typical for the Omni-group, the first check is to be found in the initialisation routine.
methImpl_static_OZZuul_initialize: 00000001000fa700 55 push rbp 00000001000fa701 4889E5 mov rbp, rsp 00000001000fa704 4157 push r15 00000001000fa706 4156 push r14 00000001000fa708 4155 push r13 00000001000fa70a 4154 push r12 00000001000fa70c 53 push rbx 00000001000fa70d 4881ECE8000000 sub rsp, 0xE8 00000001000fa714 488B0555020700 mov rax, qword [ds:imp___got____stack_chk_guard] ... 00000001000fa741 8A05C1480C00 mov al, byte [ds:0x1001BF008] 00000001000fa747 84C0 test al, al 00000001000fa749 E96B090000 jmp 0x1000FB0B9 ... 00000001000fb0b9 488B05B0F80600 mov rax, qword [ds:imp___got____stack_chk_guard] ; XREF=0x1000fa749 00000001000fb0c0 488B00 mov rax, qword [ds:rax] 00000001000fb0c3 483B45D0 cmp rax, qword [ss:rbp+0xFFFFFFFFFFFFFFD0] 00000001000fb0c7 7512 jne 0x1000FB0DB 00000001000fb0c9 4881C4E8000000 add rsp, 0xE8 00000001000fb0d0 5B pop rbx 00000001000fb0d1 415C pop r12 00000001000fb0d3 415D pop r13 00000001000fb0d5 415E pop r14 00000001000fb0d7 415F pop r15 00000001000fb0d9 5D pop rbp 00000001000fb0da C3 ret
The subroutine at 0x1000f9570 is responsible for verifying whether the application is licensed.
sub_1000f9570: 00000001000f9570 55 push rbp ; XREF=0x1000034b9, 0x100004a90, 0x1000ed258, 0x1000ff522 00000001000f9571 4889E5 mov rbp, rsp 00000001000f9574 4157 push r15 00000001000f9576 4156 push r14 00000001000f9578 4154 push r12 00000001000f957a 53 push rbx 00000001000f957b B301 mov bl, 0x1 00000001000f957d 833DEC5B0C0002 cmp dword [ds:0x1001BF170], 0x2 00000001000f9584 E906010000 jmp 0x1000F968F ... 00000001000f968f 0FB6C3 movzx eax, bl ; XREF=0x1000f9584, 0x1000f9593, 0x1000f95e0, 0x1000f95f3, 0x1000f9777, 0x1000f97b5, ... 00000001000f9692 5B pop rbx 00000001000f9693 415C pop r12 00000001000f9695 415E pop r14 00000001000f9697 415F pop r15 00000001000f9699 5D pop rbp 00000001000f969a C3 ret
The third modification may be optional since it may be related just to the validation process when a new license is added.
sub_1000f9480: 00000001000f9480 55 push rbp 00000001000f9481 4889E5 mov rbp, rsp 00000001000f9484 4157 push r15 00000001000f9486 4156 push r14 00000001000f9488 4155 push r13 00000001000f948a 4154 push r12 00000001000f948c 53 push rbx 00000001000f948d 4883EC28 sub rsp, 0x28 00000001000f9491 4989FD mov r13, rdi 00000001000f9494 4D85ED test r13, r13 00000001000f9497 E9BE000000 jmp 0x1000F955A ... 00000001000f955a 31C0 xor eax, eax ; XREF=0x1000f9497 00000001000f955c 4883C428 add rsp, 0x28 00000001000f9560 5B pop rbx 00000001000f9561 415C pop r12 00000001000f9563 415D pop r13 00000001000f9565 415E pop r14 00000001000f9567 415F pop r15 00000001000f9569 5D pop rbp 00000001000f956a C3 ret