Alt-Tab Terminator patch

Jan 17, 2025    #reverse-engineering  

Alt-Tab Terminator is a better Alt-Tab window switcher for Windows.

You should support the author here.

Although there are many Alt-Tab Terminator patches out there, here is mine. Its main aim is to study how to use the exception breakpoint patch feature provided by the Baymax patch tool to apply in-memory patches.

Let’s play

Step 1

First, I found this by searching for the string "registered".

00007FF62DE4D1A8 | 48:8BC7                             | mov rax,rdi                             |
00007FF62DE4D1AB | 833D F6403F00 00                    | cmp dword ptr ds:[7FF62E2412A8],0       |
00007FF62DE4D1B2 | 74 4E                               | je alttabter.7FF62DE4D202               |
00007FF62DE4D1B4 | 48:8D15 A5B93400                    | lea rdx,qword ptr ds:[7FF62E198B60]     | 00007FF62E198B60:L"This product is registered to:\\n\\t\\h"
00007FF62DE4D1BB | 0F1F4400 00                         | nop dword ptr ds:[rax+rax],eax          |
00007FF62DE4D1C0 | 48:FFC0                             | inc rax                                 |
00007FF62DE4D1C3 | 66:833C42 00                        | cmp word ptr ds:[rdx+rax*2],0           |
00007FF62DE4D1C8 | 75 F6                               | jne alttabter.7FF62DE4D1C0              |
00007FF62DE4D1CA | 44:8BC0                             | mov r8d,eax                             |
00007FF62DE4D1CD | 48:8D4C24 28                        | lea rcx,qword ptr ss:[rsp+28]           |
00007FF62DE4D1D2 | E8 39010000                         | call alttabter.7FF62DE4D310             |
00007FF62DE4D1D7 | 48:8B15 D2403F00                    | mov rdx,qword ptr ds:[7FF62E2412B0]     |
00007FF62DE4D1DE | 44:8B42 F0                          | mov r8d,dword ptr ds:[rdx-10]           |
00007FF62DE4D1E2 | 48:8D4C24 28                        | lea rcx,qword ptr ss:[rsp+28]           |
00007FF62DE4D1E7 | E8 24010000                         | call alttabter.7FF62DE4D310             |
00007FF62DE4D1EC | 48:8D15 BDB93400                    | lea rdx,qword ptr ds:[7FF62E198BB0]     | 00007FF62E198BB0:L"\\u\\d\\d\\d\\d\\n\\n"
00007FF62DE4D1F3 | 48:8BC7                             | mov rax,rdi                             |
00007FF62DE4D1F6 | 48:FFC0                             | inc rax                                 |
00007FF62DE4D1F9 | 66:833C42 00                        | cmp word ptr ds:[rdx+rax*2],0           |
00007FF62DE4D1FE | 75 F6                               | jne alttabter.7FF62DE4D1F6              |
00007FF62DE4D200 | EB 18                               | jmp alttabter.7FF62DE4D21A              |
00007FF62DE4D202 | 48:8D15 C7B93400                    | lea rdx,qword ptr ds:[7FF62E198BD0]     | 00007FF62E198BD0:L"YOU ARE USING FREE VERSION OF ALT-TAB\\nTERMINATOR. UPGRADE TO PRO AT:\\n\\t\\hwww.ntwind.com\\u\\n\\n"
00007FF62DE4D209 | 0F1F80 00000000                     | nop dword ptr ds:[rax],eax              |
00007FF62DE4D210 | 48:FFC0                             | inc rax                                 |

If 7FF62E2412A8 is 0, it is the free version, otherwise it is the pro version.

So the goal is to set address 7FF62E2412A8 to 1.

Step 2

Second, I set a hardware breakpoint at 7FF62E2412A8 to see its write attempts, and found the last instruction which writes to it.

00007FF62DE481AA | FF50 08                             | call qword ptr ds:[rax+8]               |
00007FF62DE481AD | 4C:8D87 80010000                    | lea r8,qword ptr ds:[rdi+180]           |
00007FF62DE481B4 | 48:8B55 E0                          | mov rdx,qword ptr ss:[rbp-20]           |
00007FF62DE481B8 | E8 53F8FFFF                         | call alttabter.7FF62DE47A10             |
00007FF62DE481BD | 8987 78010000                       | mov dword ptr ds:[rdi+178],eax          |
00007FF62DE481C3 | 48:8B55 E0                          | mov rdx,qword ptr ss:[rbp-20]           |
00007FF62DE481C7 | 48:83C2 E8                          | add rdx,FFFFFFFFFFFFFFE8                |
00007FF62DE481CB | 8BC3                                | mov eax,ebx                             |
00007FF62DE481CD | F0:0FC142 10                        | lock xadd dword ptr ds:[rdx+10],eax     |

Step 3

Finally, set address 7FF62E2412A8 to 1 at the instruction after the one which was found in the previous step.

I use the exception breakpoint feature provided by the Baymax patch tool to verify the result.

Patch

7z password 543210.

sha256: A8E12742AEC30F85A2903E12B783869686BC0DE6C228047C9AAE32D7AFAB7BC9.

How to use

  1. Install the genuine version.
  2. Unpack the patch archive to the C:\Program Files\Alt-Tab Terminator folder.
  3. Restart the program.