首页
论坛
专栏
课程

[原创]Ap Document To PDF V2.1算法分析

2008-9-22 16:03 4523

[原创]Ap Document To PDF V2.1算法分析

2008-9-22 16:03
4523
【破文标题】Ap Document To PDF V2.1算法分析
【破文作者】tianxj
【作者邮箱】[email]tianxj_2007@126.com[/email]
【作者主页】WwW.ChiNaPYG.CoM
【破解工具】PEiD,OD
【破解平台】D-Windows XP sp2
【软件名称】Ap Document To PDF V2.1
【软件大小】1.3 MB
【软件语言】英文
【软件类别】国外软件 / 共享软件 / 文字处理
【更新时间】2007-01-18
【原版下载】自己找一下
【保护方式】注册码
【软件简介】文档转换工具。可以将你的文档批量转换成可搜索的PDF文件。允许将任何windows应用程序的文档转换成上百种文件类型,包括可搜索的PDF, DOC, TIFF, JPEG, RTF, HTML等等。只要应用程序支持打印功能,就能转换成PDF文档。对于PDF文档,甚至提供了多种选项:字体嵌入、分辨率、页面尺寸、文档信息、安全书签、自动链接、多语言等。是制作专业级PDF文档的最佳选择。
Picture To Video Converter图片视频转换器的应用被设计为一个易于使用的工具,加入图片一起视频过渡效果。
【破解声明】我是一只小菜鸟,偶得一点心得,愿与大家分享:)
--------------------------------------------------------------
【破解内容】
--------------------------------------------------------------
**************************************************************
一、运行程序,进行注册,输入错误的注册信息进行检测,有提示信息
"Series number error,please check it and try again."
**************************************************************
二、用PEiD对ApDocToPDF.exe查壳,为 ASPack 2.12 -> Alexey Solodovnikov
**************************************************************
三、带壳调试,运行OD,打开ApDocToPDF.exe,输入注册信息,F12暂停,alt+K
调用堆栈 , 项目 14
地址=0012F0D8
堆栈=00409317
程序过程 / 参数=? ApDocToP.004C22F8
调用来自=ApDocToP.00409312
结构=0012F0D4
==============================================================
004091E4    55                  PUSH    EBP
004091E5    8BEC                MOV     EBP, ESP
004091E7    83C4 D0             ADD     ESP, -30
004091EA    53                  PUSH    EBX
004091EB    8BD8                MOV     EBX, EAX
004091ED    B8 3C5C4C00         MOV     EAX, ApDocToP.004C5C3C
004091F2    E8 FDB00A00         CALL    ApDocToP.004B42F4
004091F7    66:C745 E4 1400     MOV     WORD PTR [EBP-1C], 14
004091FD    33D2                XOR     EDX, EDX
004091FF    8955 FC             MOV     DWORD PTR [EBP-4], EDX
00409202    8D55 FC             LEA     EDX, DWORD PTR [EBP-4]
00409205    FF45 F0             INC     DWORD PTR [EBP-10]
00409208    8B83 F4020000       MOV     EAX, DWORD PTR [EBX+2F4]
0040920E    E8 75E40700         CALL    ApDocToP.00487688
00409213    66:C745 E4 0800     MOV     WORD PTR [EBP-1C], 8
00409219    837D FC 00          CMP     DWORD PTR [EBP-4], 0
0040921D    74 05               JE      SHORT ApDocToP.00409224          ; //注册码为空则跳
0040921F    8B4D FC             MOV     ECX, DWORD PTR [EBP-4]           ; //试练码
00409222    EB 05               JMP     SHORT ApDocToP.00409229
00409224    B9 645A4C00         MOV     ECX, ApDocToP.004C5A64
00409229    51                  PUSH    ECX
0040922A    53                  PUSH    EBX
0040922B    E8 58FFFFFF         CALL    ApDocToP.00409188                ; //关键CALL
00409230    83C4 08             ADD     ESP, 8
00409233    3C 01               CMP     AL, 1
00409235    0F85 C3000000       JNZ     ApDocToP.004092FE                ; //关键跳转
0040923B    6A 40               PUSH    40
0040923D    68 BC5A4C00         PUSH    ApDocToP.004C5ABC                ; ASCII "Registered Version"
00409242    68 655A4C00         PUSH    ApDocToP.004C5A65                ; ASCII "Thank you register Ap DoumentToPDF software,if you have any problem,contact us please."
00409247    8BC3                MOV     EAX, EBX
00409249    E8 4E4B0800         CALL    ApDocToP.0048DD9C
0040924E    50                  PUSH    EAX
0040924F    E8 A4900B00         CALL    ApDocToP.004C22F8                ; JMP 到 USER32.MessageBoxA
00409254    8D55 D0             LEA     EDX, DWORD PTR [EBP-30]
00409257    52                  PUSH    EDX
00409258    68 CF5A4C00         PUSH    ApDocToP.004C5ACF                ; ASCII "Software\AdultPDF\Doc2PDF"
0040925D    68 02000080         PUSH    80000002
00409262    E8 97870B00         CALL    ApDocToP.004C19FE                ; JMP 到 advapi32.RegCreateKeyA
00409267    837D D0 00          CMP     DWORD PTR [EBP-30], 0
0040926B    74 3C               JE      SHORT ApDocToP.004092A9
0040926D    837D FC 00          CMP     DWORD PTR [EBP-4], 0
00409271    74 05               JE      SHORT ApDocToP.00409278
00409273    8B45 FC             MOV     EAX, DWORD PTR [EBP-4]
00409276    EB 05               JMP     SHORT ApDocToP.0040927D
00409278    B8 E95A4C00         MOV     EAX, ApDocToP.004C5AE9
0040927D    50                  PUSH    EAX
0040927E    E8 FDAC0A00         CALL    ApDocToP.004B3F80
00409283    59                  POP     ECX
00409284    40                  INC     EAX
00409285    50                  PUSH    EAX
00409286    837D FC 00          CMP     DWORD PTR [EBP-4], 0
0040928A    74 05               JE      SHORT ApDocToP.00409291
0040928C    8B55 FC             MOV     EDX, DWORD PTR [EBP-4]
0040928F    EB 05               JMP     SHORT ApDocToP.00409296
00409291    BA F15A4C00         MOV     EDX, ApDocToP.004C5AF1
00409296    52                  PUSH    EDX
00409297    6A 01               PUSH    1
00409299    6A 00               PUSH    0
0040929B    68 EA5A4C00         PUSH    ApDocToP.004C5AEA                ; ASCII "Serial"
004092A0    8B45 D0             MOV     EAX, DWORD PTR [EBP-30]
004092A3    50                  PUSH    EAX
004092A4    E8 6D870B00         CALL    ApDocToP.004C1A16                ; JMP 到 advapi32.RegSetValueExA
004092A9    8B4D D0             MOV     ECX, DWORD PTR [EBP-30]
004092AC    51                  PUSH    ECX
004092AD    E8 46870B00         CALL    ApDocToP.004C19F8                ; JMP 到 advapi32.RegCloseKey
004092B2    33D2                XOR     EDX, EDX
004092B4    8B83 08030000       MOV     EAX, DWORD PTR [EBX+308]
004092BA    8B08                MOV     ECX, DWORD PTR [EAX]
004092BC    FF51 64             CALL    DWORD PTR [ECX+64]
004092BF    66:C745 E4 2000     MOV     WORD PTR [EBP-1C], 20
004092C5    BA F25A4C00         MOV     EDX, ApDocToP.004C5AF2           ; ASCII "Close"
004092CA    8D45 F8             LEA     EAX, DWORD PTR [EBP-8]
004092CD    E8 9A6A0B00         CALL    ApDocToP.004BFD6C
004092D2    FF45 F0             INC     DWORD PTR [EBP-10]
004092D5    8B10                MOV     EDX, DWORD PTR [EAX]
004092D7    8B83 00030000       MOV     EAX, DWORD PTR [EBX+300]
004092DD    E8 D6E30700         CALL    ApDocToP.004876B8
004092E2    FF4D F0             DEC     DWORD PTR [EBP-10]
004092E5    8D45 F8             LEA     EAX, DWORD PTR [EBP-8]
004092E8    BA 02000000         MOV     EDX, 2
004092ED    E8 1E6C0B00         CALL    ApDocToP.004BFF10
004092F2    C783 4C020000 01000>MOV     DWORD PTR [EBX+24C], 1
004092FC    EB 35               JMP     SHORT ApDocToP.00409333
004092FE    6A 10               PUSH    10
00409300    68 2B5B4C00         PUSH    ApDocToP.004C5B2B                ; ASCII "Error"
00409305    68 F85A4C00         PUSH    ApDocToP.004C5AF8                ; ASCII "Series number error,please check it and try again."
0040930A    8BC3                MOV     EAX, EBX
0040930C    E8 8B4A0800         CALL    ApDocToP.0048DD9C
00409311    50                  PUSH    EAX
00409312    E8 E18F0B00         CALL    ApDocToP.004C22F8                ; JMP 到 USER32.MessageBoxA
00409317    FF4D F0             DEC     DWORD PTR [EBP-10]
0040931A    8D45 FC             LEA     EAX, DWORD PTR [EBP-4]
0040931D    BA 02000000         MOV     EDX, 2
00409322    E8 E96B0B00         CALL    ApDocToP.004BFF10
00409327    8B4D D4             MOV     ECX, DWORD PTR [EBP-2C]
0040932A    64:890D 00000000    MOV     DWORD PTR FS:[0], ECX
00409331    EB 1A               JMP     SHORT ApDocToP.0040934D
00409333    FF4D F0             DEC     DWORD PTR [EBP-10]
00409336    8D45 FC             LEA     EAX, DWORD PTR [EBP-4]
00409339    BA 02000000         MOV     EDX, 2
0040933E    E8 CD6B0B00         CALL    ApDocToP.004BFF10
00409343    8B4D D4             MOV     ECX, DWORD PTR [EBP-2C]
00409346    64:890D 00000000    MOV     DWORD PTR FS:[0], ECX
0040934D    5B                  POP     EBX
0040934E    8BE5                MOV     ESP, EBP
00409350    5D                  POP     EBP
00409351    C3                  RETN
=========================================================================
00409188    55                  PUSH    EBP
00409189    8BEC                MOV     EBP, ESP
0040918B    53                  PUSH    EBX
0040918C    56                  PUSH    ESI
0040918D    57                  PUSH    EDI
0040918E    8B5D 0C             MOV     EBX, DWORD PTR [EBP+C]
00409191    85DB                TEST    EBX, EBX
00409193    74 0C               JE      SHORT ApDocToP.004091A1
00409195    53                  PUSH    EBX
00409196    E8 E5AD0A00         CALL    ApDocToP.004B3F80
0040919B    59                  POP     ECX
0040919C    83F8 10             CMP     EAX, 10
0040919F    74 04               JE      SHORT ApDocToP.004091A5          ; //注册码长度等于10h则跳
004091A1    33C0                XOR     EAX, EAX
004091A3    EB 39               JMP     SHORT ApDocToP.004091DE
004091A5    0FBE73 07           MOVSX   ESI, BYTE PTR [EBX+7]            ; //ESI=注册码的第8个字符ASCII值
004091A9    8BC6                MOV     EAX, ESI                         ; //EAX=ESI
004091AB    0FBE7B 0A           MOVSX   EDI, BYTE PTR [EBX+A]            ; //EDI=注册码的第11个字符ASCII值
004091AF    03C7                ADD     EAX, EDI                         ; //EAX=EAX+EDI
004091B1    3D 9B000000         CMP     EAX, 9B                          ; //EAX与9B比较
004091B6    75 24               JNZ     SHORT ApDocToP.004091DC          ; //不等则跳
004091B8    8BCE                MOV     ECX, ESI                         ; //ECX=ESI=注册码的第8个字符ASCII值
004091BA    2BCF                SUB     ECX, EDI                         ; //ECX=ECX-EDI
004091BC    8BC1                MOV     EAX, ECX                         ; //EAX=ECX
004091BE    99                  CDQ
004091BF    33C2                XOR     EAX, EDX                         ; //EAX=EAX xor EDX
004091C1    2BC2                SUB     EAX, EDX                         ; //EAX=EAX-EDX
004091C3    83C0 41             ADD     EAX, 41                          ; //EAX=EAX+41
004091C6    0FBE53 03           MOVSX   EDX, BYTE PTR [EBX+3]            ; //EDX=注册码的第4个字符ASCII值
004091CA    3BC2                CMP     EAX, EDX                         ; //EAX与EDX比较
004091CC    75 0E               JNZ     SHORT ApDocToP.004091DC          ; //不等则跳
004091CE    8B45 08             MOV     EAX, DWORD PTR [EBP+8]
004091D1    C680 34030000 01    MOV     BYTE PTR [EAX+334], 1
004091D8    B0 01               MOV     AL, 1
004091DA    EB 02               JMP     SHORT ApDocToP.004091DE
004091DC    33C0                XOR     EAX, EAX
004091DE    5F                  POP     EDI
004091DF    5E                  POP     ESI
004091E0    5B                  POP     EBX
004091E1    5D                  POP     EBP
004091E2    C3                  RETN

**************************************************************  
【破解总结】
--------------------------------------------------------------
【算法总结】
1、注册码长度必须为16位
2、注册码的第8个字符和第11个字符ASCII值之和必须等于9Bh
3、注册码的第8个字符和第11个字符ASCII值之差加上41h必须等于第4个字符ASCII值
--------------------------------------------------------------
【算法注册机】
VB代码
Private Sub Command1_Click()
C11 = Int(Rnd() * 10)
C8 = Chr(&H9B - Asc(C11))
C4 = Chr(Asc(C8) - Asc(C11) + &H41)
Text1.Text = Int(Rnd() * 10) & Int(Rnd() * 10) & Int(Rnd() * 10) & C4 & Int(Rnd() * 10) & Int(Rnd() * 10) & Int(Rnd() * 10) & C8 & Int(Rnd() * 10) & Int(Rnd() * 10) & C11 & Int(Rnd() * 10) & Int(Rnd() * 10) & Int(Rnd() * 10) & Int(Rnd() * 10) & Int (Rnd() * 10)
End Sub
--------------------------------------------------------------
【注册信息】
一组可用的注册码:288x599i26292519
保存在
[HKEY_LOCAL_MACHINE\SOFTWARE\AdultPDF\Doc2PDF]
--------------------------------------------------------------
感谢飘云老大、猫老大、Nisy老大以及很多前辈们的学习教程以及所有帮助过我的论坛兄弟姐妹们!谢谢
--------------------------------------------------------------
【版权声明】破文是学习的手记,兴趣是成功的源泉;本破文纯属技术交流, 转载请注明作者并保持文章的完整, 谢谢!

     _/_/_/   _/   _/   _/_/_/
    _/   _/  _/  _/    _/      
   _/_/_/    _/_/     _/_/_/_/
  _/         _/      _/    _/
_/         _/      _/_/_/ _/    tianxj

[公告]安全服务和外包项目请将项目需求发到看雪企服平台:https://qifu.kanxue.com

最新回复 (4)
蚊香 3 2008-9-22 16:08
2
0
清晰,明了
tonyliou 2008-9-22 22:12
3
0
学习一下!
王小攀 2009-7-29 23:49
4
0
灌水,想换个id
寒晨 2009-7-29 23:57
5
0
LZ 神人啊  发的帖子超过一半是精华贴。。。
游客
登录 | 注册 方可回帖
返回