• Adult PDF Password Recovery v2.1
  • 标 题:Adult PDF Password Recovery v2.1注册算法(简单)
  • 作 者:coldeye
  • 时 间:2003年12月02日 07:33
  • 链 接:http://bbs.pediy.com

PDF密码破解工具,针对那些设定用户密码,无法编辑或更改、打印、复制文字或图片,增加注释等等方面,它可以轻松的解除这些限制。

源程序Adult PDF Password Recovery.exe用Aspack加壳,脱壳后,W32Dasm反汇编

注册码算法

* Referenced by a CALL at Addresses:
|:004041C1   , :00404940   
|
:004049AC 56                      push esi
:004049AD 8BF2                    mov esiedx
:004049AF 85F6                    test esiesi                            注册码是否为空
:004049B1 7504                    jne 004049B7                                   不空跳转
:004049B3 33C0                    xor eaxeax
:004049B5 5E                      pop esi
:004049B6 C3                      ret

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004049B1(C)
|
:004049B7 803E00                  cmp byte ptr [esi], 00
:004049BA 7504                    jne 004049C0
:004049BC 33C0                    xor eaxeax
:004049BE 5E                      pop esi
:004049BF C3                      ret

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004049BA(C)
|
:004049C0 56                      push esi
:004049C1 E82A4B0C00              call 004C94F0                      获取注册码长度入EAX
:004049C6 59                      pop ecx
:004049C7 83F810                  cmp eax, 00000010                长度是否为h10(十六位)
:004049CA 7404                    je 004049D0                              是跳转,否出错
:004049CC 33C0                    xor eaxeax
:004049CE 5E                      pop esi
:004049CF C3                      ret

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004049CA(C)
|
:004049D0 33D2                    xor edxedx
:004049D2 8BC6                    mov eaxesi

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004049EA(C)
|
这段代码用来测试注册码的每一位属于A~Z之间
:004049D4 0FBE08                  movsx ecxbyte ptr [eax]
:004049D7 83F941                  cmp ecx, 00000041                         A的ASCII值
:004049DA 7C05                    jl 004049E1
:004049DC 83F95A                  cmp ecx, 0000005A                         Z的ASCII值
:004049DF 7E04                    jle 004049E5

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004049DA(C)
|
:004049E1 33C0                    xor eaxeax
:004049E3 5E                      pop esi
:004049E4 C3                      ret

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004049DF(C)
|
:004049E5 42                      inc edx                                       edx=edx+1
:004049E6 40                      inc eax
:004049E7 83FA10                  cmp edx, 00000010     edx是否等于h10,即是否每位测试到
:004049EA 7CE8                    jl 004049D4

:004049EC 0FBE5609                movsx edxbyte ptr [esi+09]  edx=注册码的09偏移(第10位)的ASCII值
:004049F0 0FBE4E0C                movsx ecxbyte ptr [esi+0C]  ecx=注册码的0C偏移(第13位)的ASCII值
:004049F4 03D1                    add edxecx                  edx=edx+ecx
:004049F6 81FA9B000000            cmp edx, 0000009B             edx是否等于9B
:004049FC 7404                    je 00404A02                   是跳转,否出错
:004049FE 33C0                    xor eaxeax
:00404A00 5E                      pop esi
:00404A01 C3                      ret

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004049FC(C)
|
:00404A02 B001                    mov al, 01
:00404A04 5E                      pop esi
:00404A05 C3                      ret

总结如下:
Email地址任意,注册码需16位,全部为大写字母(A~Z),其中第10位和13位的ASCII值相加等于9B即可。

注册文件格式如下:
文件名:系统system目录下的adultpdf_Decrypt_reg.ini
[Decrypt_Register]
Mail=Coldeye@Crack.cn           Eamil地址任意
Serial=COLDEYECRACKZZCN                 注册码