The application has two annoyances:
About/Registration… menu that shows that the application is not registered.
Removing the time-bomb consists of disabling an entire section or changing the conditional branch right before that section (the beq) so that execution always skips over it.
```
00022b54  beq 0x22b80
;;;;;;;;;;;;;;;;;;;;;;;;;;; SKIP SECTION BEGIN ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;
; This section references 0xb7afc which is the string "The Trial [...]" so we either
; eliminate this entire section or we change "beq 0x22b80" to an unconditional jump.
;
00022b58  ldr r2, = 0xb7ae8      ; 0x22bac (sub_22b14 + 0x98)
00022b5c  mov r3, #0x0
00022b60  ldr r1, = 0xb7afc      ; 0x22ba8 (sub_22b14 + 0x94)
00022b64  mov r0, r4
00022b68  bl sub_a5d08
00022b6c  mov r0, r4             ; argument #1 for method sub_24e28
00022b70  bl sub_24e28
00022b74  ldr r0, [r5]
00022b78  cmp r0, #0x0
00022b7c  beq 0x22b98
;
;;;;;;;;;;;;;;;;;;;;;;;;;;; SKIP SECTION END ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
00022b80  ldr r0, = 0xd12f8      ; 0x22ba4 (sub_22b14 + 0x90), XREF=sub_22b14+48, sub_22b14+64
00022b84  ldr r0, [r0]           ; 0xd12f8 (imp_ordinal_olece300.dll_88 + 0x208b0)
00022b88  cmp r0, #0x1
00022b8c  bne 0x22bbc
00022b90  mov r0, r4             ; argument #1 for method sub_24b84
00022b94  bl sub_24b84
00022b98  mov r0, #0x0           ; XREF=sub_22b14+104
00022b9c  bl sub_a6df4
00022ba0  b 0x23c94
00022ba4  dd 0x000d12f8          ; XREF=sub_22b14+108
00022ba8  dd 0x000b7afc          ; "The Trial [...]" referenced by XREF=sub_22b14+76
00022bac  dd 0x000b7ae8          ; XREF=sub_22b14+68
00022bb0  dd 0x000d12e8          ; XREF=sub_22b14+52
00022bb4  dd 0x000d12e4          ; XREF=sub_22b14+36
00022bb8  dd 0x00000a68          ; XREF=sub_22b14+4
```
Removing the menu item is quite easy, given that PocketRSS builds the menu items sequentially by calling sub_6691c after pulling in the strings.
```
; ... Above and below this section builds the menu ...
;;;;;;;;;;;;;;;;;;;;;;;;;;; NOP SECTION BEGIN ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
; This section must be noped entirely to remove the "About/Registration" menu item.
00023e2c  mov r2, #0xbb0
00023e30  ldr r3, = 0xb88b8      ; "About/Registration..." reference.
00023e34  orr r2, r2, #0xc
00023e38  str r4, [sp]
00023e3c  mov r1, #0x0
00023e40  add r0, sp, #0x18
00023e44  bl sub_6691c
;;;;;;;;;;;;;;;;;;;;;;;;;;;; NOP SECTION END ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
00023e48  mov r3, #0x0
00023e4c  str r4, [sp]
00023e50  mov r2, #0x0
00023e54  mov r1, #0x800
00023e58  add r0, sp, #0x18
00023e5c  bl sub_6691c
; ...
00023ec4  dd 0x000b88e4          ; XREF=sub_23cb8+428
00023ec8  dd 0x000b88b8          ; "About/Registration..." referenced by XREF=sub_23cb8+376
00023ecc  dd 0x000b88ac          ; XREF=sub_23cb8+348
00023ed0  dd 0x000b8880          ; XREF=sub_23cb8+296
00023ed4  dd 0x000b8854          ; XREF=sub_23cb8+268
00023ed8  dd 0x000b8834          ; XREF=sub_23cb8+216
00023edc  dd 0x000b8814          ; XREF=sub_23cb8+188
00023ee0  dd 0x000b87f4          ; XREF=sub_23cb8+136
00023ee4  dd 0x000b87cc          ; XREF=sub_23cb8+84
00023ee8  dd 0x000b87a8          ; XREF=sub_23cb8+52
00023eec  dd 0x000d13ac          ; XREF=sub_23cb8+8
```
```
; ...
001053c8  ldr r3, [sp, #0x30]    ; XREF=sub_104b18+2208
001053cc  cmp r3, #0x0
001053d0  mov r0, r0             ; "bne 0x106c78" replaced with "mov r0, r0" (NOP)
001053d4  ldr r3, [r4, #0x110]
; ...
; The original code jumps to 0x0106c78 which we want to avoid:
00106c78  add r1, r4, #0x90      ; XREF=sub_104b18+2232 is now eliminated.
00106c7c  add r0, sp, #0x18
00106c80  bl sub_17672c
00106c84  mov r3, #0x190
00106c88  ldrb r0, [r5]
00106c8c  str r3, [sp, #0xec]
00106c90  ands r3, r0, #0xff
00106c94  ldrne r1, = 0x17e464
00106c98  bne 0x106dfc
00106c9c  ldr r3, [sp, #0x30]
00106ca0  cmp r3, #0x0
00106ca4  ldrne r1, = 0x17e4f4   ; references the trial over message
00106ca8  mov r0, r0             ; "bne 0x106dfc" replaced with "mov r0, r0" (NOP)
00106cac  ldr r3, [r4, #0x110]
00106cb0  cmp r3, #0x0
00106cb4  beq 0x106cd0
00106cb8  add r1, r4, #0x114
00106cbc  add r0, sp, #0x18
00106cc0  bl sub_176720
00106cc4  b 0x106e04
00106cc8  dd 0x0017e4f4          ; Sorry, but the Trial Period for [...]
00106ccc  dd 0x0017e464          ; XREF=sub_105576+5918
00106cd0  ldr r1, = 0x17e628     ; XREF=sub_105576+5950
; ...
```
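Seen from the vendor's or an integrity checker's side, both patch styles used above (a conditional branch turned into an unconditional one, and instructions overwritten with `mov r0, r0`) show up when a binary is compared word by word against a known-good copy. The following is an added example, not code from the original page: the function names are hypothetical, and the base address and instruction words are constructed rather than taken from PocketRSS.

```python
import struct

NOP = 0xE1A00000  # A32 encoding of "mov r0, r0", the NOP used on this page
COND = ["eq", "ne", "cs", "cc", "mi", "pl", "vs", "vc",
        "hi", "ls", "ge", "lt", "gt", "le", ""]  # index 14 = always

def decode_branch(word, addr):
    """Return (mnemonic, target) if word is an A32 B/BL instruction, else None."""
    cond = word >> 28
    if cond == 0xF or (word >> 25) & 0b111 != 0b101:
        return None
    imm24 = word & 0xFFFFFF
    if imm24 & 0x800000:            # sign-extend the 24-bit word offset
        imm24 -= 1 << 24
    target = (addr + 8 + (imm24 << 2)) & 0xFFFFFFFF  # PC reads as addr + 8
    return ("bl" if word & (1 << 24) else "b") + COND[cond], target

def classify_patches(original, modified, base):
    """Compare two little-endian A32 code images word by word."""
    findings = []
    for off in range(0, min(len(original), len(modified)) - 3, 4):
        old, = struct.unpack_from("<I", original, off)
        new, = struct.unpack_from("<I", modified, off)
        if old == new:
            continue
        addr = base + off
        was, now = decode_branch(old, addr), decode_branch(new, addr)
        if was and old >> 28 != 0xE and new == NOP:
            kind = "conditional branch replaced by NOP"
        elif was and now and was[1] == now[1] and old >> 28 != 0xE and new >> 28 == 0xE:
            kind = "branch condition forced to always"
        elif new == NOP:
            kind = "instruction replaced by NOP"
        else:
            kind = "other modification"
        findings.append((addr, kind))
    return findings

# Constructed sample (not bytes from PocketRSS): four words at base 0x8000.
BASE = 0x8000
ORIGINAL = struct.pack("<4I", 0x0A000006, 0xE3A03000, 0x1A00000C, 0xE1A00004)
MODIFIED = struct.pack("<4I", 0xEA000006, 0xE3A03000, 0xE1A00000, 0xE1A00000)

if __name__ == "__main__":
    for addr, kind in classify_patches(ORIGINAL, MODIFIED, BASE):
        print(f"{addr:#010x}: {kind}")
```

A runtime self-check built on the same idea would hash the code section and compare it with a value stored outside the patched image.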