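[PYG first release] Analysis of Word方正转换器 (full crack)
【Article title】: Analysis of Word方正转换器 (full crack)
【Author】: JackyChou
【Author e-mail】: [email protected]
【Software name】: Word方正转换器 (Word-to-Founder converter)
【Download】: search for and download it yourself
【Packer】: themida 1.0.0.5
【Protection】: packed
【Language】: VB 6.0
【Tools used】: OD, PEID, LordPE, ImportREC
【Platform】: XP SP3 (genuine)
【Author's statement】: This is done purely out of interest, with no other purpose. Please point out any mistakes!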
--------------------------------------------------------------------------------
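【Detailed process】
The program analysed this time converts Word files to Fbd files. The software is packed with themida. It can be unpacked with an unpacking script, but after the script finishes there is stolen code, and the IAT needs to be repaired. It can also be unpacked with an automatic unpacker; the unpacked program runs normally, but the OEP is not the real OEP and needs further manual handling, and the useless sections should be deleted to slim the software down. The detailed process is omitted.
Moving on to the program analysis: when the software is unregistered it can only convert 1 page; beyond that it reports an error.
At startup the program performs a network check. If there is no network, the [Start conversion] button is greyed out and shows [Network unavailable]. Part of the startup code is pasted below: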
=============================================================================================
004AC050mov dword ptr , 0
004AC05Alea ecx, dword ptr
004AC05Dpush ecx
004AC05Elea edx, dword ptr
004AC061push edx
004AC062push 2
004AC064call dword ptr [<&msvbvm60.__vbaFreeObjList>] ;msvbvm60.__vbaFreeObjList
004AC06Aadd esp, 0C
004AC06Dmov dword ptr , 12
004AC074lea eax, dword ptr
004AC07Apush eax ; /TMPend8
004AC07Blea ecx, dword ptr ; |
004AC081push ecx ; |TMPstep8
004AC082lea edx, dword ptr ; |
004AC085push edx ; |Counter8
004AC086call dword ptr [<&msvbvm60.__vbaVarForNext>] ; \__vbaVarForNext
004AC08Cmov dword ptr , eax
004AC092cmp dword ptr , 0
004AC099jnz 004ABC88
004AC09Fmov dword ptr , 13
004AC0A6call 004B0B10
004AC0ABcmp ax, 0FFFF ;network check
004AC0AFjnz 004AC2EE ;this can be NOPed; then it works without a network too
004AC0B5mov dword ptr , 14
004AC0BCcall 004ADE90
004AC0C1mov dword ptr , 15
004AC0C8push 004FE04C
004AC0CDcall 004B0BF0
004AC0D2mov dword ptr , 16
004AC0D9lea eax, dword ptr
004AC0DCpush eax
004AC0DDcall 004B3F40
004AC0E2lea ecx, dword ptr
004AC0E5push ecx
004AC0E6call dword ptr [<&msvbvm60.__vbaStrVarMove>] ;msvbvm60.__vbaStrVarMove
004AC0ECmov edx, eax
004AC0EElea ecx, dword ptr
004AC0F1call dword ptr [<&msvbvm60.__vbaStrMove>] ;msvbvm60.__vbaStrMove
004AC0F7lea edx, dword ptr
004AC0FApush edx
004AC0FBcall 004B13E0
004AC100xor ebx, ebx
004AC102cmp ax, 0FFFF
004AC106sete bl
004AC109neg ebx
004AC10Bcall 004B4C20
004AC110xor ecx, ecx
004AC112cmp ax, 0FFFF
004AC116sete cl
004AC119neg ecx
004AC11Band bx, cx
004AC11Emov word ptr , bx
004AC125lea ecx, dword ptr
004AC128call dword ptr [<&msvbvm60.__vbaFreeStr>] ;msvbvm60.__vbaFreeStr
004AC12Elea ecx, dword ptr
004AC131call dword ptr [<&msvbvm60.__vbaFreeVar>] ;msvbvm60.__vbaFreeVar
004AC137movsx edx, word ptr
004AC13Etest edx, edx ;registration comparison at program startup
004AC140je 004AC264 ;this can be NOPed
004AC146mov dword ptr , 17
004AC14Dmov eax, dword ptr
004AC150mov ecx, dword ptr
004AC152mov edx, dword ptr
004AC155push edx
004AC156call dword ptr
004AC15Cpush eax
004AC15Dlea eax, dword ptr
004AC160push eax
004AC161call dword ptr [<&msvbvm60.__vbaObjSet>] ;msvbvm60.__vbaObjSet
004AC167mov dword ptr , eax
004AC16Dpush 0040B974 ;string ("Registered")
004AC172mov ecx, dword ptr
004AC178mov edx, dword ptr
004AC17Amov eax, dword ptr
004AC180push eax
004AC181call dword ptr
004AC184fclex
004AC186mov dword ptr , eax
004AC18Ccmp dword ptr , 0
004AC193jge short 004AC1B8
004AC195push 54
004AC197push 0040B008
004AC19Cmov ecx, dword ptr
004AC1A2push ecx
004AC1A3mov edx, dword ptr
004AC1A9push edx
004AC1AAcall dword ptr [<&msvbvm60.__vbaHresultCheckObj>];msvbvm60.__vbaHresultCheckObj
004AC1B0mov dword ptr , eax
004AC1B6jmp short 004AC1C2
004AC1B8mov dword ptr , 0
004AC1C2lea ecx, dword ptr
004AC1C5call dword ptr [<&msvbvm60.__vbaFreeObj>] ;msvbvm60.__vbaFreeObj
004AC1CBmov dword ptr , 18
004AC1D2mov eax, dword ptr
004AC1D5mov ecx, dword ptr
004AC1D7mov edx, dword ptr
004AC1DApush edx
004AC1DBcall dword ptr
004AC1E1push eax
004AC1E2lea eax, dword ptr
004AC1E5push eax
004AC1E6call dword ptr [<&msvbvm60.__vbaObjSet>] ;msvbvm60.__vbaObjSet
004AC1ECmov dword ptr , eax
004AC1F2push 0
004AC1F4mov ecx, dword ptr
004AC1FAmov edx, dword ptr
004AC1FCmov eax, dword ptr
004AC202push eax
004AC203call dword ptr
004AC209fclex
004AC20Bmov dword ptr , eax
004AC211cmp dword ptr , 0
004AC218jge short 004AC240
004AC21Apush 8C
004AC21Fpush 0040B008
004AC224mov ecx, dword ptr
004AC22Apush ecx
004AC22Bmov edx, dword ptr
004AC231push edx
004AC232call dword ptr [<&msvbvm60.__vbaHresultCheckObj>];msvbvm60.__vbaHresultCheckObj
004AC238mov dword ptr , eax
004AC23Ejmp short 004AC24A
004AC240mov dword ptr , 0
004AC24Alea ecx, dword ptr
004AC24Dcall dword ptr [<&msvbvm60.__vbaFreeObj>] ;msvbvm60.__vbaFreeObj
004AC253mov dword ptr , 19
004AC25Acall 004AD790
004AC25Fjmp 004AC2E9
004AC264mov dword ptr , 1B
004AC26Bmov eax, dword ptr
004AC26Emov ecx, dword ptr
004AC270mov edx, dword ptr
004AC273push edx
004AC274call dword ptr
004AC27Apush eax
004AC27Blea eax, dword ptr
004AC27Epush eax
004AC27Fcall dword ptr [<&msvbvm60.__vbaObjSet>] ;msvbvm60.__vbaObjSet
004AC285mov dword ptr , eax
004AC28Bpush 0040B980
004AC290mov ecx, dword ptr
004AC296mov edx, dword ptr
004AC298mov eax, dword ptr
004AC29Epush eax
004AC29Fcall dword ptr
004AC2A2fclex
004AC2A4mov dword ptr , eax
004AC2AAcmp dword ptr , 0
004AC2B1jge short 004AC2D6
004AC2B3push 54
004AC2B5push 0040B008
004AC2BAmov ecx, dword ptr
004AC2C0push ecx
004AC2C1mov edx, dword ptr
004AC2C7push edx
004AC2C8call dword ptr [<&msvbvm60.__vbaHresultCheckObj>];msvbvm60.__vbaHresultCheckObj
004AC2CEmov dword ptr , eax
004AC2D4jmp short 004AC2E0
004AC2D6mov dword ptr , 0
004AC2E0lea ecx, dword ptr
004AC2E3call dword ptr [<&msvbvm60.__vbaFreeObj>] ;msvbvm60.__vbaFreeObj
004AC2E9jmp 004AC4A0
004AC2EEmov dword ptr , 1E
004AC2F5mov eax, dword ptr
004AC2F8mov ecx, dword ptr
004AC2FAmov edx, dword ptr
004AC2FDpush edx
004AC2FEcall dword ptr
004AC304push eax
004AC305lea eax, dword ptr
004AC308push eax
004AC309call dword ptr [<&msvbvm60.__vbaObjSet>] ;msvbvm60.__vbaObjSet
004AC30Fmov dword ptr , eax
004AC315push 0
004AC317mov ecx, dword ptr
004AC31Dmov edx, dword ptr
004AC31Fmov eax, dword ptr
004AC325push eax
004AC326call dword ptr
004AC32Cfclex
004AC32Emov dword ptr , eax
004AC334cmp dword ptr , 0
004AC33Bjge short 004AC363
004AC33Dpush 8C
004AC342push 0040B008
004AC347mov ecx, dword ptr
004AC34Dpush ecx
004AC34Emov edx, dword ptr
004AC354push edx
004AC355call dword ptr [<&msvbvm60.__vbaHresultCheckObj>];msvbvm60.__vbaHresultCheckObj
004AC35Bmov dword ptr , eax
004AC361jmp short 004AC36D
004AC363mov dword ptr , 0
004AC36Dlea ecx, dword ptr
004AC370call dword ptr [<&msvbvm60.__vbaFreeObj>] ;msvbvm60.__vbaFreeObj
004AC376mov dword ptr , 1F
004AC37Dmov eax, dword ptr
004AC380mov ecx, dword ptr
004AC382mov edx, dword ptr
004AC385push edx
004AC386call dword ptr
004AC38Cpush eax
004AC38Dlea eax, dword ptr
004AC390push eax
004AC391call dword ptr [<&msvbvm60.__vbaObjSet>] ;msvbvm60.__vbaObjSet
004AC397mov dword ptr , eax
004AC39Dpush 0040B98C
004AC3A2mov ecx, dword ptr
004AC3A8mov edx, dword ptr
004AC3AAmov eax, dword ptr
004AC3B0push eax
004AC3B1call dword ptr
004AC3B4fclex
004AC3B6mov dword ptr , eax
004AC3BCcmp dword ptr , 0
004AC3C3jge short 004AC3E8
004AC3C5push 54
004AC3C7push 0040B008
004AC3CCmov ecx, dword ptr
004AC3D2push ecx
004AC3D3mov edx, dword ptr
004AC3D9push edx
004AC3DAcall dword ptr [<&msvbvm60.__vbaHresultCheckObj>];msvbvm60.__vbaHresultCheckObj
004AC3E0mov dword ptr , eax
004AC3E6jmp short 004AC3F2
004AC3E8mov dword ptr , 0
004AC3F2lea ecx, dword ptr
004AC3F5call dword ptr [<&msvbvm60.__vbaFreeObj>] ;msvbvm60.__vbaFreeObj
004AC3FBmov dword ptr , 20
004AC402mov dword ptr , 80020004
004AC409mov dword ptr , 0A
004AC413mov dword ptr , 80020004
004AC41Amov dword ptr , 0A
004AC421mov dword ptr , 0040BA3C ;ASCII "衏:y"
004AC42Bmov dword ptr , 8
004AC435lea edx, dword ptr
004AC43Blea ecx, dword ptr
004AC43Ecall dword ptr [<&msvbvm60.__vbaVarDup>] ;msvbvm60.__vbaVarDup
004AC444mov dword ptr , 0040B9BC ;string ("The program detected that the computer is not connected to a network...") message
004AC44Emov dword ptr , 8
004AC458lea edx, dword ptr
004AC45Elea ecx, dword ptr
004AC461call dword ptr [<&msvbvm60.__vbaVarDup>] ;msvbvm60.__vbaVarDup
004AC467lea eax, dword ptr
004AC46Dpush eax
004AC46Elea ecx, dword ptr
004AC471push ecx
004AC472lea edx, dword ptr
004AC475push edx
004AC476push 10
004AC478lea eax, dword ptr
004AC47Bpush eax
004AC47Ccall dword ptr [<&msvbvm60.rtcMsgBox>] ;the message box prompt appears
004AC482lea ecx, dword ptr
004AC488push ecx
004AC489lea edx, dword ptr
004AC48Cpush edx
004AC48Dlea eax, dword ptr
004AC490push eax
004AC491lea ecx, dword ptr
004AC494push ecx
004AC495push 4
004AC497call dword ptr [<&msvbvm60.__vbaFreeVarList>] ;msvbvm60.__vbaFreeVarList
004AC49Dadd esp, 14
004AC4A0mov dword ptr , 22
004AC4A7push -1 ; /OnErrEvent = Resume Next
004AC4A9call dword ptr [<&msvbvm60.__vbaOnError>] ; \__vbaOnError
004AC4AFmov dword ptr , 23
004AC4B6mov edx, 0040BA48 ;s2gappdir
004AC4BBlea ecx, dword ptr
004AC4BEcall dword ptr [<&msvbvm60.__vbaStrCopy>] ;msvbvm60.__vbaStrCopy
004AC4C4lea edx, dword ptr
004AC4C7push edx
004AC4C8lea eax, dword ptr
004AC4CBpush eax
004AC4CCcall 004AD550
004AC4D1mov dword ptr , 0040BA60 ;/temp/*.tmp
004AC4DBmov dword ptr , 8
004AC4E5lea ecx, dword ptr
004AC4E8push ecx
004AC4E9lea edx, dword ptr
004AC4EFpush edx
004AC4F0lea eax, dword ptr
004AC4F3push eax
004AC4F4call dword ptr [<&msvbvm60.__vbaVarCat>] ;msvbvm60.__vbaVarCat
004AC4FApush eax
004AC4FBcall dword ptr [<&msvbvm60.rtcKillFiles>] ;msvbvm60.rtcKillFiles
004AC501lea ecx, dword ptr
004AC504call dword ptr [<&msvbvm60.__vbaFreeStr>] ;msvbvm60.__vbaFreeStr
004AC50Alea ecx, dword ptr
004AC50Dpush ecx
004AC50Elea edx, dword ptr
004AC511push edx
004AC512push 2
004AC514call dword ptr [<&msvbvm60.__vbaFreeVarList>] ;msvbvm60.__vbaFreeVarList
004AC51Aadd esp, 0C
004AC51Dmov dword ptr , 24
004AC524mov edx, 0040BA48 ;s2gappdir
004AC529lea ecx, dword ptr
004AC52Ccall dword ptr [<&msvbvm60.__vbaStrCopy>] ;msvbvm60.__vbaStrCopy
004AC532lea eax, dword ptr
004AC535push eax
004AC536lea ecx, dword ptr
004AC539push ecx
004AC53Acall 004AD550
004AC53Fmov dword ptr , 0040BA7C ;/bin/*.bat
004AC549mov dword ptr , 8
004AC553lea edx, dword ptr
004AC556push edx
004AC557lea eax, dword ptr
004AC55Dpush eax
004AC55Elea ecx, dword ptr
004AC561push ecx
004AC562call dword ptr [<&msvbvm60.__vbaVarCat>] ;msvbvm60.__vbaVarCat
004AC568push eax
004AC569call dword ptr [<&msvbvm60.rtcKillFiles>] ;msvbvm60.rtcKillFiles
004AC56Flea ecx, dword ptr
004AC572call dword ptr [<&msvbvm60.__vbaFreeStr>] ;msvbvm60.__vbaFreeStr
004AC578lea edx, dword ptr
004AC57Bpush edx
004AC57Clea eax, dword ptr
004AC57Fpush eax
004AC580push 2
004AC582call dword ptr [<&msvbvm60.__vbaFreeVarList>] ;msvbvm60.__vbaFreeVarList
004AC588add esp, 0C
004AC58Bmov dword ptr , 25
004AC592mov edx, 0040BA98 ;mathtypepath
004AC597lea ecx, dword ptr
004AC59Acall dword ptr [<&msvbvm60.__vbaStrCopy>] ;msvbvm60.__vbaStrCopy
004AC5A0lea ecx, dword ptr
004AC5A3push ecx
004AC5A4lea edx, dword ptr
004AC5A7push edx
004AC5A8call 004AD550
004AC5ADmov dword ptr , 0040ADBC
004AC5B7mov dword ptr , 8008
004AC5C1lea eax, dword ptr
004AC5C4push eax ; /var18
004AC5C5lea ecx, dword ptr ; |
004AC5CBpush ecx ; |var28
004AC5CCcall dword ptr [<&msvbvm60.__vbaVarTstEq>] ; \__vbaVarTstEq
004AC5D2mov word ptr , ax
004AC5D9lea ecx, dword ptr
004AC5DCcall dword ptr [<&msvbvm60.__vbaFreeStr>] ;msvbvm60.__vbaFreeStr
004AC5E2lea ecx, dword ptr
004AC5E5call dword ptr [<&msvbvm60.__vbaFreeVar>] ;msvbvm60.__vbaFreeVar
004AC5EBmovsx edx, word ptr
004AC5F2test edx, edx
004AC5F4je 004AC873
004AC5FAmov dword ptr , 26
004AC601mov edx, 0040BB10 ;progdir
004AC606lea ecx, dword ptr
004AC609call dword ptr [<&msvbvm60.__vbaStrCopy>] ;msvbvm60.__vbaStrCopy
004AC60Fmov edx, 0040BAB8 ;software\design science\dsmt5\directories
004AC614lea ecx, dword ptr
004AC617call dword ptr [<&msvbvm60.__vbaStrCopy>] ;msvbvm60.__vbaStrCopy
004AC61Dmov dword ptr , 80000002
004AC627lea eax, dword ptr
004AC62Apush eax
004AC62Blea ecx, dword ptr
004AC62Epush ecx
004AC62Flea edx, dword ptr
004AC635push edx
004AC636lea eax, dword ptr
004AC639push eax
004AC63Acall 004ACE30
004AC63Flea ecx, dword ptr
004AC642push ecx
004AC643call dword ptr [<&msvbvm60.__vbaStrVarMove>] ;msvbvm60.__vbaStrVarMove
004AC649mov edx, eax
004AC64Blea ecx, dword ptr
004AC64Ecall dword ptr [<&msvbvm60.__vbaStrMove>] ;msvbvm60.__vbaStrMove
004AC654lea edx, dword ptr
004AC657push edx
004AC658lea eax, dword ptr
004AC65Bpush eax
004AC65Cpush 2
004AC65Ecall dword ptr [<&msvbvm60.__vbaFreeStrList>] ;msvbvm60.__vbaFreeStrList
004AC664add esp, 0C
004AC667lea ecx, dword ptr
004AC66Acall dword ptr [<&msvbvm60.__vbaFreeVar>] ;msvbvm60.__vbaFreeVar
004AC670mov dword ptr , 27
004AC677lea ecx, dword ptr
004AC67Amov dword ptr , ecx
004AC680mov dword ptr , 4008
004AC68Alea edx, dword ptr
004AC690push edx
004AC691lea eax, dword ptr
004AC694push eax
004AC695call dword ptr [<&msvbvm60.rtcTrimVar>] ;msvbvm60.rtcTrimVar
004AC69Bmov ecx, dword ptr
004AC69Epush ecx ; /String
004AC69Fcall dword ptr [<&msvbvm60.__vbaLenBstr>] ; \__vbaLenBstr
004AC6A5mov dword ptr , eax
004AC6A8mov dword ptr , 3
004AC6AFlea edx, dword ptr
004AC6B2push edx ; /Length8
004AC6B3push 1 ; |Start = 1
004AC6B5lea eax, dword ptr ; |
004AC6B8push eax ; |dString8
004AC6B9lea ecx, dword ptr ; |
004AC6BCpush ecx ; |RetBUFFER
004AC6BDcall dword ptr [<&msvbvm60.rtcMidCharVar>] ; \rtcMidCharVar
004AC6C3lea edx, dword ptr
004AC6C6push edx
004AC6C7call dword ptr [<&msvbvm60.__vbaStrVarMove>] ;msvbvm60.__vbaStrVarMove
004AC6CDmov edx, eax
004AC6CFlea ecx, dword ptr
004AC6D2call dword ptr [<&msvbvm60.__vbaStrMove>] ;msvbvm60.__vbaStrMove
004AC6D8lea eax, dword ptr
004AC6DBpush eax
004AC6DClea ecx, dword ptr
004AC6DFpush ecx
004AC6E0lea edx, dword ptr
004AC6E3push edx
004AC6E4push 3
004AC6E6call dword ptr [<&msvbvm60.__vbaFreeVarList>] ;msvbvm60.__vbaFreeVarList
004AC6ECadd esp, 10
004AC6EFmov dword ptr , 28
004AC6F6mov eax, dword ptr
004AC6F9push eax
004AC6FApush 0040ADBC
004AC6FFcall dword ptr [<&msvbvm60.__vbaStrCmp>] ;msvbvm60.__vbaStrCmp
004AC705test eax, eax
004AC707je short 004AC746
004AC709mov dword ptr , 29
004AC710mov edx, 0040BA98 ;mathtypepath
004AC715lea ecx, dword ptr
004AC718call dword ptr [<&msvbvm60.__vbaStrCopy>] ;msvbvm60.__vbaStrCopy
004AC71Elea ecx, dword ptr
004AC721push ecx
004AC722lea edx, dword ptr
004AC725push edx
004AC726lea eax, dword ptr
004AC729push eax
004AC72Acall 004AD440
004AC72Flea ecx, dword ptr
004AC732call dword ptr [<&msvbvm60.__vbaFreeStr>] ;msvbvm60.__vbaFreeStr
004AC738lea ecx, dword ptr
004AC73Bcall dword ptr [<&msvbvm60.__vbaFreeVar>] ;msvbvm60.__vbaFreeVar
004AC741jmp 004AC873
004AC746mov dword ptr , 2B
004AC74Dmov dword ptr , 80020004
004AC754mov dword ptr , 0A
004AC75Emov dword ptr , 80020004
004AC765mov dword ptr , 0A
004AC76Cmov dword ptr , 0040BA3C ;string ("MathType is not installed...")
004AC776mov dword ptr , 8
004AC780lea edx, dword ptr
004AC786lea ecx, dword ptr
004AC789call dword ptr [<&msvbvm60.__vbaVarDup>] ;msvbvm60.__vbaVarDup
004AC78Fmov dword ptr , 0040BB24
004AC799mov dword ptr , 8
004AC7A3lea edx, dword ptr
004AC7A9lea ecx, dword ptr
004AC7ACcall dword ptr [<&msvbvm60.__vbaVarDup>] ;msvbvm60.__vbaVarDup
004AC7B2lea ecx, dword ptr
004AC7B8push ecx
004AC7B9lea edx, dword ptr
004AC7BCpush edx
004AC7BDlea eax, dword ptr
004AC7C0push eax
004AC7C1push 10
004AC7C3lea ecx, dword ptr
004AC7C6push ecx ;"MathType not installed" prompt
004AC7C7call dword ptr [<&msvbvm60.rtcMsgBox>] ;msvbvm60.rtcMsgBox
004AC7CDlea edx, dword ptr
004AC7D3push edx
004AC7D4lea eax, dword ptr
004AC7D7push eax
004AC7D8lea ecx, dword ptr
004AC7DBpush ecx
004AC7DClea edx, dword ptr
004AC7DFpush edx
004AC7E0push 4
004AC7E2call dword ptr [<&msvbvm60.__vbaFreeVarList>] ;msvbvm60.__vbaFreeVarList
004AC7E8add esp, 14
004AC7EBmov dword ptr , 2C
004AC7F2mov eax, dword ptr
004AC7F5mov ecx, dword ptr
004AC7F7mov edx, dword ptr
004AC7FApush edx
004AC7FBcall dword ptr
004AC801push eax
004AC802lea eax, dword ptr
004AC805push eax
004AC806call dword ptr [<&msvbvm60.__vbaObjSet>] ;msvbvm60.__vbaObjSet
004AC80Cmov dword ptr , eax
004AC812push 0
004AC814mov ecx, dword ptr
004AC81Amov edx, dword ptr
004AC81Cmov eax, dword ptr
004AC822push eax
004AC823call dword ptr
004AC829fclex
004AC82Bmov dword ptr , eax
004AC831cmp dword ptr , 0
004AC838jge short 004AC860
004AC83Apush 8C
004AC83Fpush 0040B008
004AC844mov ecx, dword ptr
004AC84Apush ecx
004AC84Bmov edx, dword ptr
004AC851push edx
004AC852call dword ptr [<&msvbvm60.__vbaHresultCheckObj>];msvbvm60.__vbaHresultCheckObj
004AC858mov dword ptr , eax
004AC85Ejmp short 004AC86A
004AC860mov dword ptr , 0
004AC86Alea ecx, dword ptr
004AC86Dcall dword ptr [<&msvbvm60.__vbaFreeObj>] ;msvbvm60.__vbaFreeObj
004AC873mov dword ptr , 0
004AC87Await
004AC87Bpush 004AC8F7
004AC880jmp short 004AC8CB
004AC882lea eax, dword ptr
004AC885push eax
004AC886lea ecx, dword ptr
004AC889push ecx
004AC88Alea edx, dword ptr
004AC88Dpush edx
004AC88Epush 3
004AC890call dword ptr [<&msvbvm60.__vbaFreeStrList>] ;msvbvm60.__vbaFreeStrList
004AC896add esp, 10
004AC899lea eax, dword ptr
004AC89Cpush eax
=============================================================================================
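After the modifications above, the program shows as registered and can still be used without a network.
Next comes the analysis of the page-count display when Start conversion is clicked. Once this problem is solved there are no other restrictions left, and it is basically a perfect version that needs no registration.
Because the program reports an error and exits when the Word document exceeds the page limit, the location is fairly easy to find, so the key points of the conversion routine are pasted directly here for analysis.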
=============================================================================================
004C121Amov dword ptr , 0
004C1224mov dword ptr , 1
004C122Emov dword ptr , 8002
004C1238lea ecx, dword ptr
004C123Bpush ecx ; /var18
004C123Clea edx, dword ptr ; |
004C1242push edx ; |var28
004C1243call dword ptr [<&msvbvm60.__vbaVarTstGt>] ; \__vbaVarTstGt
004C1249mov word ptr , ax
004C1250lea ecx, dword ptr
004C1253call dword ptr [<&msvbvm60.__vbaFreeObj>] ;msvbvm60.__vbaFreeObj
004C1259lea ecx, dword ptr
004C125Ccall dword ptr [<&msvbvm60.__vbaFreeVar>] ;msvbvm60.__vbaFreeVar
004C1262movsx eax, word ptr
004C1269test eax, eax
004C126Bje 004C1480 ;key comparison 1; the jump can be taken here
004C1271mov dword ptr , 14
004C1278lea ecx, dword ptr
004C127Bpush ecx
004C127Ccall 004B3F40
004C1281lea edx, dword ptr
004C1284push edx
004C1285call dword ptr [<&msvbvm60.__vbaStrVarMove>] ;msvbvm60.__vbaStrVarMove
004C128Bmov edx, eax
004C128Dlea ecx, dword ptr
004C1290call dword ptr [<&msvbvm60.__vbaStrMove>] ;msvbvm60.__vbaStrMove
004C1296lea eax, dword ptr
004C1299push eax
004C129Acall 004B13E0
004C129Fmov si, ax
004C12A2neg si
004C12A5sbb esi, esi
004C12A7inc esi
004C12A8neg esi
004C12AAcall 004B4C20
004C12AFneg ax
004C12B2sbb eax, eax
004C12B4inc eax
004C12B5neg eax
004C12B7or si, ax
004C12BAxor ecx, ecx
004C12BCcmp word ptr , 0
004C12C4sete cl
004C12C7neg ecx
004C12C9or si, cx
004C12CCmov word ptr , si
004C12D3lea ecx, dword ptr
004C12D6call dword ptr [<&msvbvm60.__vbaFreeStr>] ;msvbvm60.__vbaFreeStr
004C12DClea ecx, dword ptr
004C12DFcall dword ptr [<&msvbvm60.__vbaFreeVar>] ;msvbvm60.__vbaFreeVar
004C12E5movsx edx, word ptr
004C12ECtest edx, edx
004C12EEje 004C1472 ;key comparison 2; it can also be skipped here
004C12F4mov dword ptr , 15
004C12FBmov dword ptr , 80020004
004C1302mov dword ptr , 0A
004C1309mov dword ptr , 80020004
004C1310mov dword ptr , 0A
004C1317mov dword ptr , 0040BA3C ;ASCII "衏:y"
004C1321mov dword ptr , 8
004C132Blea edx, dword ptr
004C1331lea ecx, dword ptr
004C1334call dword ptr [<&msvbvm60.__vbaVarDup>] ;msvbvm60.__vbaVarDup
004C133Amov dword ptr , 0040D0F4 ;string ("The unregistered version can only convert one 16K page at a time...")
004C1344mov dword ptr , 8
004C134Elea edx, dword ptr
004C1354lea ecx, dword ptr
004C1357call dword ptr [<&msvbvm60.__vbaVarDup>] ;msvbvm60.__vbaVarDup
004C135Dlea eax, dword ptr
004C1360push eax
004C1361lea ecx, dword ptr
004C1364push ecx
004C1365lea edx, dword ptr
004C1368push edx
004C1369push 10
004C136Blea eax, dword ptr
004C136Epush eax
004C136Fcall dword ptr [<&msvbvm60.rtcMsgBox>] ;msvbvm60.rtcMsgBox
004C1375lea ecx, dword ptr
004C1378push ecx
004C1379lea edx, dword ptr
004C137Cpush edx
004C137Dlea eax, dword ptr
004C1380push eax
004C1381lea ecx, dword ptr
004C1384push ecx
004C1385push 4
004C1387call dword ptr [<&msvbvm60.__vbaFreeVarList>>;msvbvm60.__vbaFreeVarList
004C138Dadd esp, 14
004C1390mov dword ptr , 16
004C1397cmp dword ptr , 0
004C139Ejnz short 004C13BC
004C13A0push 004FEC90
004C13A5push 0040B22C
004C13AAcall dword ptr [<&msvbvm60.__vbaNew2>] ;msvbvm60.__vbaNew2
004C13B0mov dword ptr , 004FEC90
004C13BAjmp short 004C13C6
004C13BCmov dword ptr , 004FEC90
004C13C6mov edx, dword ptr
004C13CCmov eax, dword ptr
004C13CEmov dword ptr , eax
004C13D4cmp dword ptr , 0
004C13DBjnz short 004C13F9
004C13DDpush 004FE010
004C13E2push 00408714
004C13E7call dword ptr [<&msvbvm60.__vbaNew2>] ;msvbvm60.__vbaNew2
004C13EDmov dword ptr , 004FE010
004C13F7jmp short 004C1403
004C13F9mov dword ptr , 004FE010
004C1403mov ecx, dword ptr
004C1409mov edx, dword ptr
004C140Bpush edx
004C140Clea eax, dword ptr
004C140Fpush eax
004C1410call dword ptr [<&msvbvm60.__vbaObjSetAddref>;msvbvm60.__vbaObjSetAddref
004C1416push eax
004C1417mov ecx, dword ptr
004C141Dmov edx, dword ptr
004C141Fmov eax, dword ptr
004C1425push eax
004C1426call dword ptr
004C1429fclex
004C142Bmov dword ptr , eax
004C1431cmp dword ptr , 0
004C1438jge short 004C145D
004C143Apush 10
004C143Cpush 0040B21C
004C1441mov ecx, dword ptr
004C1447push ecx
004C1448mov edx, dword ptr
004C144Epush edx
004C144Fcall dword ptr [<&msvbvm60.__vbaHresultCheck>;msvbvm60.__vbaHresultCheckObj
004C1455mov dword ptr , eax
004C145Bjmp short 004C1467
004C145Dmov dword ptr , 0
004C1467lea ecx, dword ptr
004C146Acall dword ptr [<&msvbvm60.__vbaFreeObj>] ;msvbvm60.__vbaFreeObj
004C1470jmp short 004C147E
004C1472mov dword ptr , 18
004C1479call 004C1560
004C147Ejmp short 004C148C
004C1480mov dword ptr , 1B
004C1487call 004C1560
004C148Cpush 004C1549
004C1491jmp 004C152A
004C1496lea ecx, dword ptr
004C1499call dword ptr [<&msvbvm60.__vbaFreeStr>] ;msvbvm60.__vbaFreeStr
004C149Flea eax, dword ptr
004C14A2push eax
004C14A3lea ecx, dword ptr
=============================================================================================
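Besides the spot above, there is one more place that can also be skipped to make sure the conversion works. Otherwise, if you did not skip the check at startup, a pig head may be shown in the title bar during conversion, heh.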
=============================================================================================
004C2CD0mov dword ptr , 0
004C2CDAmov eax, dword ptr
004C2CDDpush eax
004C2CDEpush 0040B980
004C2CE3call dword ptr [<&msvbvm60.__vbaStrCmp>] ;msvbvm60.__vbaStrCmp
004C2CE9neg eax
004C2CEBsbb eax, eax
004C2CEDinc eax
004C2CEEneg eax
004C2CF0xor ecx, ecx
004C2CF2cmp word ptr , 1
004C2CFAsetg cl
004C2CFDneg ecx
004C2CFFand ax, cx
004C2D02mov word ptr , ax
004C2D09lea ecx, dword ptr
004C2D0Ccall dword ptr [<&msvbvm60.__vbaFreeStr>] ;msvbvm60.__vbaFreeStr
004C2D12lea ecx, dword ptr
004C2D15call dword ptr [<&msvbvm60.__vbaFreeObj>] ;msvbvm60.__vbaFreeObj
004C2D1Bmovsx edx, word ptr
004C2D22test edx, edx
004C2D24je 004C2E82 ;key jump; just jump past it
004C2D2Amov dword ptr , 49
004C2D31cmp dword ptr , 0
004C2D38jnz short 004C2D56
004C2D3Apush 004FE010
004C2D3Fpush 00408714
004C2D44call dword ptr [<&msvbvm60.__vbaNew2>] ;msvbvm60.__vbaNew2
004C2D4Amov dword ptr , 004FE010
004C2D54jmp short 004C2D60
004C2D56mov dword ptr , 004FE010
004C2D60mov eax, dword ptr
004C2D66mov ecx, dword ptr
004C2D68mov dword ptr , ecx
004C2D6Ecmp dword ptr , 0
004C2D75jnz short 004C2D93
004C2D77push 004FE010
004C2D7Cpush 00408714
004C2D81call dword ptr [<&msvbvm60.__vbaNew2>] ;msvbvm60.__vbaNew2
004C2D87mov dword ptr , 004FE010
004C2D91jmp short 004C2D9D
004C2D93mov dword ptr , 004FE010
004C2D9Dmov edx, dword ptr
004C2DA3mov eax, dword ptr
004C2DA5mov dword ptr , eax
004C2DABlea ecx, dword ptr
004C2DAEpush ecx
004C2DAFmov edx, dword ptr
004C2DB5mov eax, dword ptr
004C2DB7mov ecx, dword ptr
004C2DBDpush ecx
004C2DBEcall dword ptr
004C2DC1fclex
004C2DC3mov dword ptr , eax
004C2DC9cmp dword ptr , 0
004C2DD0jge short 004C2DF5
004C2DD2push 50
004C2DD4push 0040A6FC
004C2DD9mov edx, dword ptr
004C2DDFpush edx
004C2DE0mov eax, dword ptr
004C2DE6push eax
004C2DE7call dword ptr [<&msvbvm60.__vbaHresultCheck>;msvbvm60.__vbaHresultCheckObj
004C2DEDmov dword ptr , eax
004C2DF3jmp short 004C2DFF
004C2DF5mov dword ptr , 0
004C2DFFmov ecx, dword ptr
004C2E02push ecx ;the pig head is displayed here
004C2E03push 0040D3D0 ; /^oo^
004C2E08call dword ptr [<&msvbvm60.__vbaStrCat>] ; \__vbaStrCat
004C2E0Emov edx, eax
004C2E10lea ecx, dword ptr
004C2E13call dword ptr [<&msvbvm60.__vbaStrMove>] ;msvbvm60.__vbaStrMove
004C2E19push eax
004C2E1Amov edx, dword ptr
004C2E20mov eax, dword ptr
004C2E22mov ecx, dword ptr
004C2E28push ecx
004C2E29call dword ptr
004C2E2Cfclex
004C2E2Emov dword ptr , eax
004C2E34cmp dword ptr , 0
004C2E3Bjge short 004C2E60
004C2E3Dpush 54
004C2E3Fpush 0040A6FC
004C2E44mov edx, dword ptr
004C2E4Apush edx
004C2E4Bmov eax, dword ptr
004C2E51push eax
004C2E52call dword ptr [<&msvbvm60.__vbaHresultCheck>;msvbvm60.__vbaHresultCheckObj
004C2E58mov dword ptr , eax
004C2E5Ejmp short 004C2E6A
004C2E60mov dword ptr , 0
004C2E6Alea ecx, dword ptr
004C2E6Dpush ecx
004C2E6Elea edx, dword ptr
004C2E71push edx
=============================================================================================
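I tested it: conversion works without problems, and with the network disconnected it still converts. The program behaves as if no registration were needed.
Reminder: if, after analysing the program, you save the modified program under a different file name, the conversion succeeds, but when the program closes automatically and opens again you find that it asks for registration again, cannot convert multiple pages, and cannot be used without a network. Do not assume at that point that the crack is wrong.
Reason: in the program directory there is a program named "backrun.exe". After the conversion finishes, the program exits and calls backrun.exe, and backrun.exe opens Word方正转换器.exe, so if your original is still there, the original is of course what gets started. After cracking, delete the original file and rename the cracked file to the original name. (A patch can of course also be used.)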
--------------------------------------------------------------------------------
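【Lessons learned】
When you get a program to analyse, the first thing is to be patient; if you analyse slowly you should be able to work it all out. I am still very much a beginner, though, and my algorithm analysis skills are still fairly weak; I am still learning. In future I may analyse more algorithms, which may help me improve faster. I hope the experts will give plenty of advice, thank you!!!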
--------------------------------------------------------------------------------
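【Copyright notice】: This article was originally published on the 飘云阁 technical forum. When reposting, please credit the author and keep the article intact. Thank you!
2008-05-21 19:30:01
[ This post was last edited by JackyChou on 2008-5-22 08:18 ]

Nice, I learned something!

Many thanks to jackychou; I really need this kind of cracking practice method.

The OP's analysis is very thorough; still learning...

The OP's analysis is very thorough; still learning...

The OP's analysis is pretty good, and so modest too, haha,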