• 标 题:Adult PDF Encrypt V2.1
  • 作 者:coldeye
  • 时 间:2003-12-02 周二, 下午7:21
  • 链 接:http://bbs.pediy.com

强大的PDF文档加密工具,支持标准的40-bit或者128bit加密,可以给现有的pdf文档设置权限、增加用户和所有者等等。


原程序 Adult PDF Encrypt.exe 用 ASPack 加壳;脱壳后用 W32Dasm 反汇编,得到如下代码:

; ---------------------------------------------------------------------
; Routine at 00408D50 (W32Dasm listing: 32-bit x86, Intel operand order,
; hex immediates). The excerpt stops at 00408E3E, before the routine ends,
; so nothing is stated here about its epilogue.
; In:   eax = object pointer, kept in ebx; its fields at +508h, +514h and
;       +528h are read below (presumably UI controls of a form - TODO confirm).
; Flow: call 0040901C, then branch on the byte it returns in al:
;         al != 0 -> fall through to the "Registered version" path
;         al == 0 -> jump to 00408E28, the "Trial version" path
; NOTE(review): the registered/trial decision is a single locally computed
; boolean consumed by a single conditional jump.
; ---------------------------------------------------------------------
:00408D50 55                      push ebp
:00408D51 8BEC                    mov ebp, esp
; FFFFFEB8 is -148h: reserves 148h bytes of locals
:00408D53 81C4B8FEFFFF            add esp, FFFFFEB8
:00408D59 53                      push ebx
:00408D5A 8BD8                    mov ebx, eax
; eax = 004DA89C for 004C9058; purpose not visible here. The word stores to
; [ebp-24] and the inc/dec of [ebp-18] further down look like
; compiler-generated bookkeeping - TODO confirm.
:00408D5C B89CA84D00              mov eax, 004DA89C
:00408D61 E8F2020C00              call 004C9058
; ecx = ebp-148h and edx = ebp-134h: two local buffers handed to the check
; together with the object pointer in eax
:00408D66 8D8DB8FEFFFF            lea ecx, dword ptr [ebp+FFFFFEB8]
:00408D6C 8D95CCFEFFFF            lea edx, dword ptr [ebp+FFFFFECC]
:00408D72 8BC3                    mov eax, ebx
:00408D74 E8A3020000              call 0040901C                            关键Call进入
; al = boolean result of the check; zero selects the trial path
:00408D79 84C0                    test al, al
:00408D7B 0F84A7000000            je 00408E28                                    关键跳转
; Registered path. The same call shape is used three times:
;   004D550C(eax = temp slot, edx = source)   -> eax points at a value
;   00470738(eax = [ebx+field], edx = that value)
;   004D566C(eax = temp slot, edx = 2)
; presumably "build string / assign to control / release string" - TODO confirm.
; 1st use: source = buffer at ebp-134h, temp slot ebp-04, field +528h
:00408D81 66C745DC0800            mov [ebp-24], 0008
:00408D87 8D95CCFEFFFF            lea edx, dword ptr [ebp+FFFFFECC]
:00408D8D 8D45FC                  lea eax, dword ptr [ebp-04]
:00408D90 E877C70C00              call 004D550C
:00408D95 FF45E8                  inc [ebp-18]
:00408D98 8B10                    mov edx, dword ptr [eax]
:00408D9A 8B8328050000            mov eax, dword ptr [ebx+00000528]
:00408DA0 E893790600              call 00470738
:00408DA5 FF4DE8                  dec [ebp-18]
:00408DA8 8D45FC                  lea eax, dword ptr [ebp-04]
:00408DAB BA02000000              mov edx, 00000002
:00408DB0 E8B7C80C00              call 004D566C
; 2nd use: source = buffer at ebp-148h, temp slot ebp-08, field +508h
:00408DB5 66C745DC1400            mov [ebp-24], 0014
:00408DBB 8D95B8FEFFFF            lea edx, dword ptr [ebp+FFFFFEB8]
:00408DC1 8D45F8                  lea eax, dword ptr [ebp-08]
:00408DC4 E843C70C00              call 004D550C
:00408DC9 FF45E8                  inc [ebp-18]
:00408DCC 8B10                    mov edx, dword ptr [eax]
:00408DCE 8B8308050000            mov eax, dword ptr [ebx+00000508]
:00408DD4 E85F790600              call 00470738
:00408DD9 FF4DE8                  dec [ebp-18]
:00408DDC 8D45F8                  lea eax, dword ptr [ebp-08]
:00408DDF BA02000000              mov edx, 00000002
:00408DE4 E883C80C00              call 004D566C
:00408DE9 66C745DC2000            mov [ebp-24], 0020

; 3rd use: source = the literal "Registered version", temp slot ebp-0C,
; field +514h
* Possible StringData Ref from Data Obj ->"Registered version"   注册版本
                                  |
:00408DEF BAADA64D00              mov edx, 004DA6AD
:00408DF4 8D45F4                  lea eax, dword ptr [ebp-0C]
:00408DF7 E810C70C00              call 004D550C
:00408DFC FF45E8                  inc [ebp-18]
:00408DFF 8B10                    mov edx, dword ptr [eax]
:00408E01 8B8314050000            mov eax, dword ptr [ebx+00000514]
:00408E07 E82C790600              call 00470738
:00408E0C FF4DE8                  dec [ebp-18]
:00408E0F 8D45F4                  lea eax, dword ptr [ebp-0C]
:00408E12 BA02000000              mov edx, 00000002
:00408E17 E850C80C00              call 004D566C
; Within the visible lines only the registered path writes global 004D7140
; (value 2710h = 10000 decimal); what the value means is not shown.
:00408E1C C70540714D0010270000    mov dword ptr [004D7140], 00002710
:00408E26 EB3D                    jmp 00408E65

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00408D7B(C)
|
; Trial path (al was 0): starts the same call shape with the literal
; "Trial version" and temp slot ebp-10; the excerpt ends mid-sequence.
:00408E28 66C745DC2C00            mov [ebp-24], 002C

* Possible StringData Ref from Data Obj ->"Trial version"    试用版本
                                  |
:00408E2E BAC0A64D00              mov edx, 004DA6C0
:00408E33 8D45F0                  lea eax, dword ptr [ebp-10]
:00408E36 E8D1C60C00              call 004D550C
:00408E3B FF45E8                  inc [ebp-18]
:00408E3E 8B10                    mov edx, dword ptr [eax]

* Referenced by a CALL at Address:
|:00408D74   
|
; ---------------------------------------------------------------------
; Routine at 0040901C - the registration check called from 00408D74.
; The excerpt stops at 004090D9, in the middle of setting up a call, so
; the rest of the routine (including how its result is produced) is not
; shown here.
; In:    eax -> ebx, edx -> esi, ecx -> edi (saved on entry; none of the
;        three is used again in the visible lines).
; Stack: FFFFFC00 is -400h: four 100h-byte buffers at esp+000h, +100h,
;        +200h and +300h (offsets relative to esp after the reservation).
; NOTE(review): the licence data is read from a plain-text .ini file; no
; integrity check on that file appears in the visible lines.
; ---------------------------------------------------------------------
:0040901C 53                      push ebx
:0040901D 56                      push esi
:0040901E 57                      push edi
:0040901F 81C400FCFFFF            add esp, FFFFFC00
:00409025 8BF9                    mov edi, ecx
:00409027 8BF2                    mov esi, edx
:00409029 8BD8                    mov ebx, eax
; Four calls of 004C8B50(buffer, 0, 100h), one per buffer, with the caller
; removing the three arguments (add esp, 0C) - presumably memset zeroing
; each buffer; TODO confirm. The lea offsets are 8 larger than the buffer
; offsets because two arguments are already on the stack.
:0040902B 6800010000              push 00000100
:00409030 6A00                    push 00000000
:00409032 8D442408                lea eax, dword ptr [esp+08]
:00409036 50                      push eax
:00409037 E814FB0B00              call 004C8B50
:0040903C 83C40C                  add esp, 0000000C
:0040903F 6800010000              push 00000100
:00409044 6A00                    push 00000000
:00409046 8D942408010000          lea edx, dword ptr [esp+00000108]
:0040904D 52                      push edx
:0040904E E8FDFA0B00              call 004C8B50
:00409053 83C40C                  add esp, 0000000C
:00409056 6800010000              push 00000100
:0040905B 6A00                    push 00000000
:0040905D 8D8C2408020000          lea ecx, dword ptr [esp+00000208]
:00409064 51                      push ecx
:00409065 E8E6FA0B00              call 004C8B50
:0040906A 83C40C                  add esp, 0000000C
:0040906D 6800010000              push 00000100
:00409072 6A00                    push 00000000
:00409074 8D842408030000          lea eax, dword ptr [esp+00000308]
:0040907B 50                      push eax
:0040907C E8CFFA0B00              call 004C8B50
:00409081 83C40C                  add esp, 0000000C
; GetSystemDirectoryA(first buffer, 100h). Its return value is not tested
; in the visible lines.
:00409084 6800010000              push 00000100
:00409089 8D542404                lea edx, dword ptr [esp+04]
:0040908D 52                      push edx

* Reference To: KERNEL32.GetSystemDirectoryA, Ord:0000h             获取系统system目录
                                  |
:0040908E E8D7CE0C00              Call 004D5F6A

; 004C8BF4(first buffer, "adultreg.ini"), caller removes both arguments -
; presumably a string append that completes the file path; no length check
; against the 100h-byte buffer is visible. TODO confirm.
* Possible StringData Ref from Data Obj ->"adultreg.ini"                    注册文件名
                                  |
:00409093 6856A74D00              push 004DA756
:00409098 8D4C2404                lea ecx, dword ptr [esp+04]
:0040909C 51                      push ecx
:0040909D E852FB0B00              call 004C8BF4
:004090A2 83C408                  add esp, 00000008
; GetPrivateProfileStringA arguments, pushed last-to-first:
;   file name = first buffer (push esp stores the current stack pointer,
;               which is that buffer's address),
;   size = 100h, output = second buffer (esp+100h), default = NULL,
;   key = "Mail", section = "PDFEncrypt_Register".
:004090A5 54                      push esp
:004090A6 6800010000              push 00000100
:004090AB 8D842408010000          lea eax, dword ptr [esp+00000108]
:004090B2 50                      push eax
:004090B3 6A00                    push 00000000

* Possible StringData Ref from Data Obj ->"Mail"                                 Mail栏
                                  |
:004090B5 6878A74D00              push 004DA778

* Possible StringData Ref from Data Obj ->"PDFEncrypt_Register"                     标题
                                  |
:004090BA 6864A74D00              push 004DA764

* Reference To: KERNEL32.GetPrivateProfileStringA, Ord:0000h
                                  |
:004090BF E876CE0C00              Call 004D5F3A
; Same argument layout again, this time with key "Serial" and the third
; buffer (esp+200h) as output; the excerpt ends before the call itself.
:004090C4 54                      push esp
:004090C5 6800010000              push 00000100
:004090CA 8D942408020000          lea edx, dword ptr [esp+00000208]
:004090D1 52                      push edx
:004090D2 6A00                    push 00000000

* Possible StringData Ref from Data Obj ->"Serial"                             Serial栏
                                  |
:004090D4 6891A74D00              push 004DA791

* Possible StringData Ref from Data Obj ->"PDFEncrypt_Register"                     标题
                                  |
:004090D9 687DA74D00              push 004DA77D

对注册码进行校验

; ---------------------------------------------------------------------
; Routine at 00409158 - serial-number format check (shown in full).
; In:    edx = pointer to the serial string (copied to esi). eax is not
;        read before it is overwritten. The call site is not part of this
;        listing; presumably the "Serial" value read from the .ini file is
;        passed in - TODO confirm.
; Out:   eax = 0 on every rejection path; al = 1 on acceptance (only al is
;        written there, the upper bytes of eax hold leftover data).
; Clobb: eax, ecx, edx, flags, plus whatever 004C8C84 changes; esi is
;        saved and restored.
; Rejects, in order: null pointer, empty string, length other than 10h,
; any byte outside 41h..5Ah, byte[09h] + byte[0Dh] other than 9Bh.
; NOTE(review): only the serial is read here - no user-specific value
; enters the check - and just two of the sixteen positions are tied
; together. Accepted values are therefore neither scarce nor bound to a
; user; a scheme meant to resist copying would verify a signature over
; user-bound data instead of a format rule.
; ---------------------------------------------------------------------
:00409158 56                      push esi
:00409159 8BF2                    mov esi, edx
; reject a null pointer
:0040915B 85F6                    test esi, esi                            注册码是否为空
:0040915D 7504                    jne 00409163                                   不空跳转
:0040915F 33C0                    xor eax, eax
:00409161 5E                      pop esi
:00409162 C3                      ret



* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040915D(C)
|
; reject an empty string (first byte is 0)
:00409163 803E00                  cmp byte ptr [esi], 00
:00409166 7504                    jne 0040916C
:00409168 33C0                    xor eax, eax
:0040916A 5E                      pop esi
:0040916B C3                      ret



* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00409166(C)
|
; 004C8C84 takes the string pointer as its one stack argument, which the
; caller removes with pop ecx; its result in eax is treated as the length
; (presumably strlen - TODO confirm). The length must be exactly 10h = 16.
:0040916C 56                      push esi
:0040916D E812FB0B00              call 004C8C84                      获取注册码长度入EAX
:00409172 59                      pop ecx
:00409173 83F810                  cmp eax, 00000010               长度是否为h10(十六位)
:00409176 7404                    je 0040917C                             是跳转,否出错
:00409178 33C0                    xor eax, eax
:0040917A 5E                      pop esi
:0040917B C3                      ret



* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00409176(C)
|
; loop setup: edx = index (0), eax = cursor into the string
:0040917C 33D2                    xor edx, edx
:0040917E 8BC6                    mov eax, esi

这段代码用来测试注册码的每一位属于A~Z之间
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00409196(C)
|
; Per-character range check, 41h ('A') through 5Ah ('Z') inclusive. movsx
; sign-extends and jl/jle are signed compares, so a byte of 80h or above
; becomes negative and fails the lower bound.
:00409180 0FBE08                  movsx ecx, byte ptr [eax]
:00409183 83F941                  cmp ecx, 00000041                         A的ASCII值
:00409186 7C05                    jl 0040918D
:00409188 83F95A                  cmp ecx, 0000005A                         Z的ASCII值
:0040918B 7E04                    jle 00409191

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00409186(C)
|
; out-of-range character: reject
:0040918D 33C0                    xor eax, eax
:0040918F 5E                      pop esi
:00409190 C3                      ret



* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040918B(C)
|
; advance index and cursor; loop while index < 10h
:00409191 42                      inc edx                                       edx=edx+1
:00409192 40                      inc eax
:00409193 83FA10                  cmp edx, 00000010             edx是否等于h10,即是否每位测试到
:00409196 7CE8                    jl 00409180
; the only relation between characters: the bytes at offsets 09h and 0Dh
; must add up to 9Bh
:00409198 0FBE5609                movsx edx, byte ptr [esi+09]  edx=注册码的09偏移(第10位)的ASCII值
:0040919C 0FBE4E0D                movsx ecx, byte ptr [esi+0D]  ecx=注册码的0D偏移(第14位)的ASCII值
:004091A0 03D1                    add edx, ecx                  edx=edx+ecx
:004091A2 81FA9B000000            cmp edx, 0000009B             edx是否等于9B
:004091A8 7404                    je 004091AE                   是跳转,否出错
:004091AA 33C0                    xor eax, eax
:004091AC 5E                      pop esi
:004091AD C3                      ret



* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004091A8(C)
|
; every check passed: return al = 1
:004091AE B001                    mov al, 01
:004091B0 5E                      pop esi
:004091B1 C3                      ret

总结如下:
Email地址任意;注册码需16位,全部为大写字母(A~Z),其中第10位和第14位的ASCII值相加等于9Bh(十六进制)即可。

注册文件格式如下:
文件名:系统system目录下的adultreg.ini
[PDFEncrypt_Register]
Mail=coldeye@Crack.cn           Email地址任意
Serial=COLDEYECRACKZZCN                注册码