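【Article title】Ap Document To PDF V2.1 algorithm analysis
【Author】tianxj
【Author e-mail】tianxj_2007@126.com
【Author homepage】WwW.ChiNaPYG.CoM
【Tools】PEiD, OD
【Platform】D-Windows XP sp2
【Software name】Ap Document To PDF V2.1
【Software size】1.3 MB
【Software language】English
【Software category】Foreign software / Shareware / Word processing
【Updated】2007-01-18
【Original download】Find it yourself
【Protection】Registration code
【Software description】A document conversion tool. It can batch-convert your documents into searchable PDF files. It can convert documents from any Windows application into hundreds of file types, including searchable PDF, DOC, TIFF, JPEG, RTF, HTML and so on. Any application that supports printing can be converted to PDF. For PDF output it also offers many options: font embedding, resolution, page size, document information, security, bookmarks, automatic links, multiple languages and more. It is the best choice for producing professional-grade PDF documents.
The Picture To Video Converter application is designed as an easy-to-use tool for joining pictures together into a video with transition effects.
【Statement】I am just a newbie who has picked up a few insights and would like to share them with everyone :)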
--------------------------------------------------------------
【Crack details】
--------------------------------------------------------------
**************************************************************
1. Run the program and try to register with incorrect registration information; this message is shown:
"Series number error,please check it and try again."
**************************************************************
2. Check ApDocToPDF.exe for a packer with PEiD: it is ASPack 2.12 -> Alexey Solodovnikov
**************************************************************
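3. Debug with the packer still in place: run OD, open ApDocToPDF.exe, enter the registration information, press F12 to pause, then Alt+K
Call stack, item 14
Address=0012F0D8
Stack=00409317
Procedure / arguments=? ApDocToP.004C22F8
Called from=ApDocToP.00409312
Frame=0012F0D4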
==============================================================
004091E4  55                PUSH EBP
004091E5  8BEC              MOV EBP, ESP
004091E7  83C4 D0           ADD ESP, -30
004091EA  53                PUSH EBX
004091EB  8BD8              MOV EBX, EAX
004091ED  B8 3C5C4C00       MOV EAX, ApDocToP.004C5C3C
004091F2  E8 FDB00A00       CALL ApDocToP.004B42F4
004091F7  66:C745 E4 1400   MOV WORD PTR [EBP-1C], 14
004091FD  33D2              XOR EDX, EDX
004091FF  8955 FC           MOV DWORD PTR [EBP-4], EDX
00409202  8D55 FC           LEA EDX, DWORD PTR [EBP-4]
00409205  FF45 F0           INC DWORD PTR [EBP-10]
00409208  8B83 F4020000     MOV EAX, DWORD PTR [EBX+2F4]
0040920E  E8 75E40700       CALL ApDocToP.00487688
00409213  66:C745 E4 0800   MOV WORD PTR [EBP-1C], 8
00409219  837D FC 00        CMP DWORD PTR [EBP-4], 0
0040921D  74 05             JE SHORT ApDocToP.00409224 ; //jump if the registration code is empty
0040921F  8B4D FC           MOV ECX, DWORD PTR [EBP-4] ; //the trial code that was entered
00409222  EB 05             JMP SHORT ApDocToP.00409229
00409224  B9 645A4C00       MOV ECX, ApDocToP.004C5A64
00409229  51                PUSH ECX
0040922A  53                PUSH EBX
0040922B  E8 58FFFFFF       CALL ApDocToP.00409188 ; //key CALL
00409230  83C4 08           ADD ESP, 8
00409233  3C 01             CMP AL, 1
00409235  0F85 C3000000     JNZ ApDocToP.004092FE ; //key jump
0040923B  6A 40             PUSH 40
0040923D  68 BC5A4C00       PUSH ApDocToP.004C5ABC ; ASCII "Registered Version"
00409242  68 655A4C00       PUSH ApDocToP.004C5A65 ; ASCII "Thank you register Ap DoumentToPDF software,if you have any problem,contact us please."
00409247  8BC3              MOV EAX, EBX
00409249  E8 4E4B0800       CALL ApDocToP.0048DD9C
0040924E  50                PUSH EAX
0040924F  E8 A4900B00       CALL ApDocToP.004C22F8 ; JMP to USER32.MessageBoxA
00409254  8D55 D0           LEA EDX, DWORD PTR [EBP-30]
00409257  52                PUSH EDX
00409258  68 CF5A4C00       PUSH ApDocToP.004C5ACF ; ASCII "Software\AdultPDF\Doc2PDF"
0040925D  68 02000080       PUSH 80000002
00409262  E8 97870B00       CALL ApDocToP.004C19FE ; JMP to advapi32.RegCreateKeyA
00409267  837D D0 00        CMP DWORD PTR [EBP-30], 0
0040926B  74 3C             JE SHORT ApDocToP.004092A9
0040926D  837D FC 00        CMP DWORD PTR [EBP-4], 0
00409271  74 05             JE SHORT ApDocToP.00409278
00409273  8B45 FC           MOV EAX, DWORD PTR [EBP-4]
00409276  EB 05             JMP SHORT ApDocToP.0040927D
00409278  B8 E95A4C00       MOV EAX, ApDocToP.004C5AE9
0040927D  50                PUSH EAX
0040927E  E8 FDAC0A00       CALL ApDocToP.004B3F80
00409283  59                POP ECX
00409284  40                INC EAX
00409285  50                PUSH EAX
00409286  837D FC 00        CMP DWORD PTR [EBP-4], 0
0040928A  74 05             JE SHORT ApDocToP.00409291
0040928C  8B55 FC           MOV EDX, DWORD PTR [EBP-4]
0040928F  EB 05             JMP SHORT ApDocToP.00409296
00409291  BA F15A4C00       MOV EDX, ApDocToP.004C5AF1
00409296  52                PUSH EDX
00409297  6A 01             PUSH 1
00409299  6A 00             PUSH 0
0040929B  68 EA5A4C00       PUSH ApDocToP.004C5AEA ; ASCII "Serial"
004092A0  8B45 D0           MOV EAX, DWORD PTR [EBP-30]
004092A3  50                PUSH EAX
004092A4  E8 6D870B00       CALL ApDocToP.004C1A16 ; JMP to advapi32.RegSetValueExA
004092A9  8B4D D0           MOV ECX, DWORD PTR [EBP-30]
004092AC  51                PUSH ECX
004092AD  E8 46870B00       CALL ApDocToP.004C19F8 ; JMP to advapi32.RegCloseKey
004092B2  33D2              XOR EDX, EDX
004092B4  8B83 08030000     MOV EAX, DWORD PTR [EBX+308]
004092BA  8B08              MOV ECX, DWORD PTR [EAX]
004092BC  FF51 64           CALL DWORD PTR [ECX+64]
004092BF  66:C745 E4 2000   MOV WORD PTR [EBP-1C], 20
004092C5  BA F25A4C00       MOV EDX, ApDocToP.004C5AF2 ; ASCII "Close"
004092CA  8D45 F8           LEA EAX, DWORD PTR [EBP-8]
004092CD  E8 9A6A0B00       CALL ApDocToP.004BFD6C
004092D2  FF45 F0           INC DWORD PTR [EBP-10]
004092D5  8B10              MOV EDX, DWORD PTR [EAX]
004092D7  8B83 00030000     MOV EAX, DWORD PTR [EBX+300]
004092DD  E8 D6E30700       CALL ApDocToP.004876B8
004092E2  FF4D F0           DEC DWORD PTR [EBP-10]
004092E5  8D45 F8           LEA EAX, DWORD PTR [EBP-8]
004092E8  BA 02000000       MOV EDX, 2
004092ED  E8 1E6C0B00       CALL ApDocToP.004BFF10
004092F2  C783 4C020000 01000>MOV DWORD PTR [EBX+24C], 1
004092FC  EB 35             JMP SHORT ApDocToP.00409333
004092FE  6A 10             PUSH 10
00409300  68 2B5B4C00       PUSH ApDocToP.004C5B2B ; ASCII "Error"
00409305  68 F85A4C00       PUSH ApDocToP.004C5AF8 ; ASCII "Series number error,please check it and try again."
0040930A  8BC3              MOV EAX, EBX
0040930C  E8 8B4A0800       CALL ApDocToP.0048DD9C
00409311  50                PUSH EAX
00409312  E8 E18F0B00       CALL ApDocToP.004C22F8 ; JMP to USER32.MessageBoxA
00409317  FF4D F0           DEC DWORD PTR [EBP-10]
0040931A  8D45 FC           LEA EAX, DWORD PTR [EBP-4]
0040931D  BA 02000000       MOV EDX, 2
00409322  E8 E96B0B00       CALL ApDocToP.004BFF10
00409327  8B4D D4           MOV ECX, DWORD PTR [EBP-2C]
0040932A  64:890D 00000000  MOV DWORD PTR FS:[0], ECX
00409331  EB 1A             JMP SHORT ApDocToP.0040934D
00409333  FF4D F0           DEC DWORD PTR [EBP-10]
00409336  8D45 FC           LEA EAX, DWORD PTR [EBP-4]
00409339  BA 02000000       MOV EDX, 2
0040933E  E8 CD6B0B00       CALL ApDocToP.004BFF10
00409343  8B4D D4           MOV ECX, DWORD PTR [EBP-2C]
00409346  64:890D 00000000  MOV DWORD PTR FS:[0], ECX
0040934D  5B                POP EBX
0040934E  8BE5              MOV ESP, EBP
00409350  5D                POP EBP
00409351  C3                RETN
=========================================================================
00409188  55                PUSH EBP
00409189  8BEC              MOV EBP, ESP
0040918B  53                PUSH EBX
0040918C  56                PUSH ESI
0040918D  57                PUSH EDI
0040918E  8B5D 0C           MOV EBX, DWORD PTR [EBP+C]
00409191  85DB              TEST EBX, EBX
00409193  74 0C             JE SHORT ApDocToP.004091A1
00409195  53                PUSH EBX
00409196  E8 E5AD0A00       CALL ApDocToP.004B3F80
0040919B  59                POP ECX
0040919C  83F8 10           CMP EAX, 10
0040919F  74 04             JE SHORT ApDocToP.004091A5 ; //jump if the registration code length equals 10h
004091A1  33C0              XOR EAX, EAX
004091A3  EB 39             JMP SHORT ApDocToP.004091DE
004091A5  0FBE73 07         MOVSX ESI, BYTE PTR [EBX+7] ; //ESI = ASCII value of the 8th character of the registration code
004091A9  8BC6              MOV EAX, ESI ; //EAX=ESI
004091AB  0FBE7B 0A         MOVSX EDI, BYTE PTR [EBX+A] ; //EDI = ASCII value of the 11th character of the registration code
004091AF  03C7              ADD EAX, EDI ; //EAX=EAX+EDI
004091B1  3D 9B000000       CMP EAX, 9B ; //compare EAX with 9B
004091B6  75 24             JNZ SHORT ApDocToP.004091DC ; //jump if not equal
004091B8  8BCE              MOV ECX, ESI ; //ECX=ESI = ASCII value of the 8th character of the registration code
004091BA  2BCF              SUB ECX, EDI ; //ECX=ECX-EDI
004091BC  8BC1              MOV EAX, ECX ; //EAX=ECX
004091BE  99                CDQ
004091BF  33C2              XOR EAX, EDX ; //EAX=EAX xor EDX
004091C1  2BC2              SUB EAX, EDX ; //EAX=EAX-EDX
004091C3  83C0 41           ADD EAX, 41 ; //EAX=EAX+41
004091C6  0FBE53 03         MOVSX EDX, BYTE PTR [EBX+3] ; //EDX = ASCII value of the 4th character of the registration code
004091CA  3BC2              CMP EAX, EDX ; //compare EAX with EDX
004091CC  75 0E             JNZ SHORT ApDocToP.004091DC ; //jump if not equal
004091CE  8B45 08           MOV EAX, DWORD PTR [EBP+8]
004091D1  C680 34030000 01  MOV BYTE PTR [EAX+334], 1
004091D8  B0 01             MOV AL, 1
004091DA  EB 02             JMP SHORT ApDocToP.004091DE
004091DC  33C0              XOR EAX, EAX
004091DE  5F                POP EDI
004091DF  5E                POP ESI
004091E0  5B                POP EBX
004091E1  5D                POP EBP
004091E2  C3                RETN
【Crack summary】
--------------------------------------------------------------
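【Algorithm summary】
1. The registration code must be 16 characters long.
2. The ASCII values of the 8th and 11th characters of the registration code must add up to 9Bh.
3. The difference between the ASCII values of the 8th and 11th characters, plus 41h, must equal the ASCII value of the 4th character.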
--------------------------------------------------------------
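The routine at 00409188 read back into C, as an added example that is not part of the original write-up. The names check_serial and abs_cdq are hypothetical, and treating the call at 004B3F80 as a string-length function is an assumption taken from the author's own comment. It shows that the CDQ / XOR / SUB sequence takes an absolute value and that only three of the 16 bytes are ever read.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* CDQ / XOR EAX,EDX / SUB EAX,EDX at 004091BE..004091C1.
   CDQ fills EDX with the sign of EAX (0 or -1); the XOR and SUB
   that follow then turn EAX into its absolute value. */
int abs_cdq(int d)
{
    int sign = (d < 0) ? -1 : 0;    /* what CDQ leaves in EDX */
    return (d ^ sign) - sign;
}

/* Hypothetical name for the routine at 00409188.
   Returns 1 when the serial is accepted, 0 otherwise. On success the
   original also sets a byte flag at [object+334h], omitted here. */
int check_serial(const char *s)
{
    /* TEST EBX,EBX / CALL 004B3F80 / CMP EAX,10
       (assumed to be a strlen-style length check) */
    if (s == NULL || strlen(s) != 0x10)
        return 0;

    int c4  = (signed char)s[3];    /* MOVSX EDX, BYTE PTR [EBX+3] */
    int c8  = (signed char)s[7];    /* MOVSX ESI, BYTE PTR [EBX+7] */
    int c11 = (signed char)s[10];   /* MOVSX EDI, BYTE PTR [EBX+A] */

    if (c8 + c11 != 0x9B)           /* CMP EAX, 9B */
        return 0;

    /* ADD EAX,41 / CMP EAX,EDX: |c8 - c11| + 41h must equal c4 */
    return abs_cdq(c8 - c11) + 0x41 == c4;
}

int main(void)
{
    /* Sample serial quoted in this write-up's registration section. */
    const char *sample = "288x599i26292519";
    printf("%s -> %d\n", sample, check_serial(sample));
    return 0;
}
```

The other thirteen bytes are never inspected and nothing ties the value to a user, a machine or a vendor-side record, so the three arithmetic constraints are the entire protection.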
【Keygen】
VB code
Private Sub Command1_Click()
C11 = Int(Rnd() * 10)
C8 = Chr(&H9B - Asc(C11))
C4 = Chr(Asc(C8) - Asc(C11) + &H41)
Text1.Text = Int(Rnd() * 10) & Int(Rnd() * 10) & Int(Rnd() * 10) & C4 & Int(Rnd() * 10) & Int(Rnd() * 10) & Int(Rnd() * 10) & C8 & Int(Rnd() * 10) & Int(Rnd() * 10) & C11 & Int(Rnd() * 10) & Int(Rnd() * 10) & Int(Rnd() * 10) & Int(Rnd() * 10) & Int (Rnd() * 10)
End Sub
--------------------------------------------------------------
【Registration information】
One working registration code: 288x599i26292519
Stored in
[HKEY_LOCAL_MACHINE\SOFTWARE\AdultPDF\Doc2PDF]
--------------------------------------------------------------
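Thanks to 飘云, 猫 and Nisy, to the many seniors whose tutorials I learned from, and to all the forum brothers and sisters who have helped me! Thank you.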
--------------------------------------------------------------
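【Copyright notice】A crack write-up is a set of study notes, and interest is the source of success; this write-up is purely a technical exchange. If you repost it, please credit the author and keep the article complete. Thank you!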
_/_/_/ _/ _/ _/_/_/
_/ _/ _/ _/ _/
_/_/_/ _/_/ _/_/_/_/
_/ _/ _/ _/
_/ _/ _/_/_/ _/ tianxj