吾爱破解 (52pojie) - LCG - LSG | Android Cracking | Virus Analysis | www.52pojie.cn

[Original] Ap Document To PDF V2.1 Algorithm Analysis

tianxj posted on 2008-9-22 17:37
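【Article Title】Ap Document To PDF V2.1 Algorithm Analysis
【Author】tianxj
【Author Email】tianxj_2007@126.com
【Author Homepage】WwW.ChiNaPYG.CoM
【Tools】PEiD, OD
【Platform】D-Windows XP sp2
【Software Name】Ap Document To PDF V2.1
【Software Size】1.3 MB
【Software Language】English
【Software Category】Foreign software / Shareware / Word processing
【Last Updated】2007-01-18
【Original Download】Find it yourself
【Protection】Registration code
【Software Description】A document conversion tool. It can batch-convert your documents into searchable PDF files. It allows documents from any Windows application to be converted into hundreds of file types, including searchable PDF, DOC, TIFF, JPEG, RTF, HTML and so on. As long as the application supports printing, its output can be converted to a PDF document. For PDF documents it even offers many options: font embedding, resolution, page size, document information, security, bookmarks, automatic links, multiple languages and more. It is the best choice for producing professional-grade PDF documents.
The Picture To Video Converter application is designed as an easy-to-use tool that joins pictures together into a video with transition effects.
【Statement】I am just a little newbie who happened to pick up a few insights and would like to share them with everyone :)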
--------------------------------------------------------------
【Crack Details】
--------------------------------------------------------------
**************************************************************
I. Run the program and register; entering incorrect registration information for testing produces the message
"Series number error,please check it and try again."
**************************************************************
II. Check ApDocToPDF.exe for a packer with PEiD: it is ASPack 2.12 -> Alexey Solodovnikov
**************************************************************
III. Debug with the packer still in place: run OD, open ApDocToPDF.exe, enter the registration information, press F12 to pause, then Alt+K
Call stack, item 14
Address=0012F0D8
Stack=00409317
Procedure / arguments=? ApDocToP.004C22F8
Called from=ApDocToP.00409312
Frame=0012F0D4
==============================================================
004091E4  55                    PUSH EBP
004091E5  8BEC                  MOV EBP, ESP
004091E7  83C4 D0               ADD ESP, -30
004091EA  53                    PUSH EBX
004091EB  8BD8                  MOV EBX, EAX
004091ED  B8 3C5C4C00           MOV EAX, ApDocToP.004C5C3C
004091F2  E8 FDB00A00           CALL ApDocToP.004B42F4
004091F7  66:C745 E4 1400       MOV WORD PTR [EBP-1C], 14
004091FD  33D2                  XOR EDX, EDX
004091FF  8955 FC               MOV DWORD PTR [EBP-4], EDX
00409202  8D55 FC               LEA EDX, DWORD PTR [EBP-4]
00409205  FF45 F0               INC DWORD PTR [EBP-10]
00409208  8B83 F4020000         MOV EAX, DWORD PTR [EBX+2F4]
0040920E  E8 75E40700           CALL ApDocToP.00487688
00409213  66:C745 E4 0800       MOV WORD PTR [EBP-1C], 8
00409219  837D FC 00            CMP DWORD PTR [EBP-4], 0
0040921D  74 05                 JE SHORT ApDocToP.00409224          ; //jump if the serial is empty
0040921F  8B4D FC               MOV ECX, DWORD PTR [EBP-4]          ; //the trial serial that was entered
00409222  EB 05                 JMP SHORT ApDocToP.00409229
00409224  B9 645A4C00           MOV ECX, ApDocToP.004C5A64
00409229  51                    PUSH ECX
0040922A  53                    PUSH EBX
0040922B  E8 58FFFFFF           CALL ApDocToP.00409188              ; //key CALL
00409230  83C4 08               ADD ESP, 8
00409233  3C 01                 CMP AL, 1
00409235  0F85 C3000000         JNZ ApDocToP.004092FE               ; //key jump
0040923B  6A 40                 PUSH 40
0040923D  68 BC5A4C00           PUSH ApDocToP.004C5ABC              ; ASCII "Registered Version"
00409242  68 655A4C00           PUSH ApDocToP.004C5A65              ; ASCII "Thank you register Ap DoumentToPDF software,if you have any problem,contact us please."
00409247  8BC3                  MOV EAX, EBX
00409249  E8 4E4B0800           CALL ApDocToP.0048DD9C
0040924E  50                    PUSH EAX
0040924F  E8 A4900B00           CALL ApDocToP.004C22F8              ; JMP to USER32.MessageBoxA
00409254  8D55 D0               LEA EDX, DWORD PTR [EBP-30]
00409257  52                    PUSH EDX
00409258  68 CF5A4C00           PUSH ApDocToP.004C5ACF              ; ASCII "Software\AdultPDF\Doc2PDF"
0040925D  68 02000080           PUSH 80000002
00409262  E8 97870B00           CALL ApDocToP.004C19FE              ; JMP to advapi32.RegCreateKeyA
00409267  837D D0 00            CMP DWORD PTR [EBP-30], 0
0040926B  74 3C                 JE SHORT ApDocToP.004092A9
0040926D  837D FC 00            CMP DWORD PTR [EBP-4], 0
00409271  74 05                 JE SHORT ApDocToP.00409278
00409273  8B45 FC               MOV EAX, DWORD PTR [EBP-4]
00409276  EB 05                 JMP SHORT ApDocToP.0040927D
00409278  B8 E95A4C00           MOV EAX, ApDocToP.004C5AE9
0040927D  50                    PUSH EAX
0040927E  E8 FDAC0A00           CALL ApDocToP.004B3F80
00409283  59                    POP ECX
00409284  40                    INC EAX
00409285  50                    PUSH EAX
00409286  837D FC 00            CMP DWORD PTR [EBP-4], 0
0040928A  74 05                 JE SHORT ApDocToP.00409291
0040928C  8B55 FC               MOV EDX, DWORD PTR [EBP-4]
0040928F  EB 05                 JMP SHORT ApDocToP.00409296
00409291  BA F15A4C00           MOV EDX, ApDocToP.004C5AF1
00409296  52                    PUSH EDX
00409297  6A 01                 PUSH 1
00409299  6A 00                 PUSH 0
0040929B  68 EA5A4C00           PUSH ApDocToP.004C5AEA              ; ASCII "Serial"
004092A0  8B45 D0               MOV EAX, DWORD PTR [EBP-30]
004092A3  50                    PUSH EAX
004092A4  E8 6D870B00           CALL ApDocToP.004C1A16              ; JMP to advapi32.RegSetValueExA
004092A9  8B4D D0               MOV ECX, DWORD PTR [EBP-30]
004092AC  51                    PUSH ECX
004092AD  E8 46870B00           CALL ApDocToP.004C19F8              ; JMP to advapi32.RegCloseKey
004092B2  33D2                  XOR EDX, EDX
004092B4  8B83 08030000         MOV EAX, DWORD PTR [EBX+308]
004092BA  8B08                  MOV ECX, DWORD PTR [EAX]
004092BC  FF51 64               CALL DWORD PTR [ECX+64]
004092BF  66:C745 E4 2000       MOV WORD PTR [EBP-1C], 20
004092C5  BA F25A4C00           MOV EDX, ApDocToP.004C5AF2          ; ASCII "Close"
004092CA  8D45 F8               LEA EAX, DWORD PTR [EBP-8]
004092CD  E8 9A6A0B00           CALL ApDocToP.004BFD6C
004092D2  FF45 F0               INC DWORD PTR [EBP-10]
004092D5  8B10                  MOV EDX, DWORD PTR [EAX]
004092D7  8B83 00030000         MOV EAX, DWORD PTR [EBX+300]
004092DD  E8 D6E30700           CALL ApDocToP.004876B8
004092E2  FF4D F0               DEC DWORD PTR [EBP-10]
004092E5  8D45 F8               LEA EAX, DWORD PTR [EBP-8]
004092E8  BA 02000000           MOV EDX, 2
004092ED  E8 1E6C0B00           CALL ApDocToP.004BFF10
004092F2  C783 4C020000 01000>  MOV DWORD PTR [EBX+24C], 1
004092FC  EB 35                 JMP SHORT ApDocToP.00409333
004092FE  6A 10                 PUSH 10
00409300  68 2B5B4C00           PUSH ApDocToP.004C5B2B              ; ASCII "Error"
00409305  68 F85A4C00           PUSH ApDocToP.004C5AF8              ; ASCII "Series number error,please check it and try again."
0040930A  8BC3                  MOV EAX, EBX
0040930C  E8 8B4A0800           CALL ApDocToP.0048DD9C
00409311  50                    PUSH EAX
00409312  E8 E18F0B00           CALL ApDocToP.004C22F8              ; JMP to USER32.MessageBoxA
00409317  FF4D F0               DEC DWORD PTR [EBP-10]
0040931A  8D45 FC               LEA EAX, DWORD PTR [EBP-4]
0040931D  BA 02000000           MOV EDX, 2
00409322  E8 E96B0B00           CALL ApDocToP.004BFF10
00409327  8B4D D4               MOV ECX, DWORD PTR [EBP-2C]
0040932A  64:890D 00000000      MOV DWORD PTR FS:[0], ECX
00409331  EB 1A                 JMP SHORT ApDocToP.0040934D
00409333  FF4D F0               DEC DWORD PTR [EBP-10]
00409336  8D45 FC               LEA EAX, DWORD PTR [EBP-4]
00409339  BA 02000000           MOV EDX, 2
0040933E  E8 CD6B0B00           CALL ApDocToP.004BFF10
00409343  8B4D D4               MOV ECX, DWORD PTR [EBP-2C]
00409346  64:890D 00000000      MOV DWORD PTR FS:[0], ECX
0040934D  5B                    POP EBX
0040934E  8BE5                  MOV ESP, EBP
00409350  5D                    POP EBP
00409351  C3                    RETN
=========================================================================
00409188  55                    PUSH EBP
00409189  8BEC                  MOV EBP, ESP
0040918B  53                    PUSH EBX
0040918C  56                    PUSH ESI
0040918D  57                    PUSH EDI
0040918E  8B5D 0C               MOV EBX, DWORD PTR [EBP+C]
00409191  85DB                  TEST EBX, EBX
00409193  74 0C                 JE SHORT ApDocToP.004091A1
00409195  53                    PUSH EBX
00409196  E8 E5AD0A00           CALL ApDocToP.004B3F80
0040919B  59                    POP ECX
0040919C  83F8 10               CMP EAX, 10
0040919F  74 04                 JE SHORT ApDocToP.004091A5          ; //jump if the serial length equals 10h
004091A1  33C0                  XOR EAX, EAX
004091A3  EB 39                 JMP SHORT ApDocToP.004091DE
004091A5  0FBE73 07             MOVSX ESI, BYTE PTR [EBX+7]         ; //ESI = ASCII value of the 8th character of the serial
004091A9  8BC6                  MOV EAX, ESI                        ; //EAX=ESI
004091AB  0FBE7B 0A             MOVSX EDI, BYTE PTR [EBX+A]         ; //EDI = ASCII value of the 11th character of the serial
004091AF  03C7                  ADD EAX, EDI                        ; //EAX=EAX+EDI
004091B1  3D 9B000000           CMP EAX, 9B                         ; //compare EAX with 9B
004091B6  75 24                 JNZ SHORT ApDocToP.004091DC         ; //jump if not equal
004091B8  8BCE                  MOV ECX, ESI                        ; //ECX=ESI = ASCII value of the 8th character of the serial
004091BA  2BCF                  SUB ECX, EDI                        ; //ECX=ECX-EDI
004091BC  8BC1                  MOV EAX, ECX                        ; //EAX=ECX
004091BE  99                    CDQ
004091BF  33C2                  XOR EAX, EDX                        ; //EAX=EAX xor EDX
004091C1  2BC2                  SUB EAX, EDX                        ; //EAX=EAX-EDX
004091C3  83C0 41               ADD EAX, 41                         ; //EAX=EAX+41
004091C6  0FBE53 03             MOVSX EDX, BYTE PTR [EBX+3]         ; //EDX = ASCII value of the 4th character of the serial
004091CA  3BC2                  CMP EAX, EDX                        ; //compare EAX with EDX
004091CC  75 0E                 JNZ SHORT ApDocToP.004091DC         ; //jump if not equal
004091CE  8B45 08               MOV EAX, DWORD PTR [EBP+8]
004091D1  C680 34030000 01      MOV BYTE PTR [EAX+334], 1
004091D8  B0 01                 MOV AL, 1
004091DA  EB 02                 JMP SHORT ApDocToP.004091DE
004091DC  33C0                  XOR EAX, EAX
004091DE  5F                    POP EDI
004091DF  5E                    POP ESI
004091E0  5B                    POP EBX
004091E1  5D                    POP EBP
004091E2  C3                    RETN
**************************************************************
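【Crack Summary】
--------------------------------------------------------------
【Algorithm Summary】
1. The serial must be 16 characters long
2. The sum of the ASCII values of the 8th and 11th characters of the serial must equal 9Bh
3. The difference of the ASCII values of the 8th and 11th characters of the serial, plus 41h, must equal the ASCII value of the 4th character
--------------------------------------------------------------
【Keygen】
VB code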
Private Sub Command1_Click()
C11 = Int(Rnd() * 10)
C8 = Chr(&H9B - Asc(C11))
C4 = Chr(Asc(C8) - Asc(C11) + &H41)
Text1.Text = Int(Rnd() * 10) & Int(Rnd() * 10) & Int(Rnd() * 10) & C4 & Int(Rnd() * 10) & Int(Rnd() * 10) & Int(Rnd() * 10) & C8 & Int(Rnd() * 10) & Int(Rnd() * 10) & C11 & Int(Rnd() * 10) & Int(Rnd() * 10) & Int(Rnd() * 10) & Int(Rnd() * 10) & Int (Rnd() * 10)
End Sub
--------------------------------------------------------------
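【Registration Info】
One working serial: 288x599i26292519
Stored in
[HKEY_LOCAL_MACHINE\SOFTWARE\AdultPDF\Doc2PDF]
--------------------------------------------------------------
Thanks to the bosses 飘云, 猫 and Nisy and to many other predecessors for their tutorials, and to all the forum brothers and sisters who have helped me! Thank you
--------------------------------------------------------------
【Copyright Notice】This write-up is a study note, and interest is the source of success; it is purely for technical exchange. When reposting, please credit the author and keep the article intact. Thank you!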
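
The check routine at 00409188 re-expressed in C, as an added example that is not part of the original post. It shows that CDQ / XOR EAX,EDX / SUB EAX,EDX is the branch-free absolute value, and that the routine reads only three of the sixteen bytes and nothing tied to a user or machine. The names serial_check_stage, check_serial and abs_cdq are hypothetical, and the callee at 004B3F80 is assumed to be strlen, following the post's comment on the length comparison.

```c
#include <stddef.h>
#include <string.h>

/* Stage at which the routine rejects the input (names are hypothetical). */
enum { STAGE_OK = 0, STAGE_LENGTH = 1, STAGE_SUM = 2, STAGE_DIFF = 3 };

/* CDQ ; XOR EAX,EDX ; SUB EAX,EDX: EDX becomes 0 or -1 (the sign mask),
 * so (x ^ mask) - mask yields |x| without a branch. */
int abs_cdq(int eax)
{
    int edx = eax < 0 ? -1 : 0;          /* CDQ            */
    return (eax ^ edx) - edx;            /* XOR then SUB   */
}

int serial_check_stage(const char *serial)
{
    /* TEST EBX,EBX ; CALL 004B3F80 (assumed strlen) ; CMP EAX,10 */
    if (serial == NULL || strlen(serial) != 0x10)
        return STAGE_LENGTH;

    /* MOVSX sign-extends each byte, modelled with signed char. */
    int c8  = (signed char)serial[7];    /* BYTE PTR [EBX+7] */
    int c11 = (signed char)serial[10];   /* BYTE PTR [EBX+A] */
    int c4  = (signed char)serial[3];    /* BYTE PTR [EBX+3] */

    if (c8 + c11 != 0x9B)                /* ADD EAX,EDI ; CMP EAX,9B */
        return STAGE_SUM;

    if (abs_cdq(c8 - c11) + 0x41 != c4)  /* ADD EAX,41 ; CMP EAX,EDX */
        return STAGE_DIFF;

    /* The original also sets the byte at [arg1+334] to 1 here. */
    return STAGE_OK;
}

/* Mirrors the AL return value: 1 when accepted, 0 otherwise. */
int check_serial(const char *serial)
{
    return serial_check_stage(serial) == STAGE_OK;
}
```

The remaining thirteen positions are never inspected, which is why the post's keygen can fill them with arbitrary digits.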


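forgetmenot posted on 2008-9-23 10:38
Support! Thanks for the expert's guidance
lqiulu posted on 2008-9-23 11:18
温柔刀客 posted on 2008-9-25 20:40
So cool.... this one is more comfortable to read.. that other one left me a bit dizzy
小生我菜菜 posted on 2008-9-26 10:58
Stuff from the algorithm prince, I have to bump it. Learned something, thanks!
修一明 posted on 2008-9-28 10:25
My idol, here I come.. hurrying to pay my respects,
unpack posted on 2008-10-5 21:47
tianxj o(∩_∩)o... the algorithm prince, I bow down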