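Ap Document To PDF V2.1 Algorithm Analysis
【Article title】Ap Document To PDF V2.1 Algorithm Analysis
【Author】tianxj
【Author email】[email protected]
【Author homepage】WwW.ChiNaPYG.CoM
【Tools】PEiD, OD
【Platform】D-Windows XP sp2
【Software name】Ap Document To PDF V2.1
【Software size】1.3 MB
【Software language】English
【Software category】Foreign software / Shareware / Word processing
【Updated】2007-01-18
【Original download】Find it yourself
【Protection】Serial number
【Software description】A document conversion tool. It can batch-convert your documents into searchable PDF files. It allows documents from any Windows application to be converted into hundreds of file types, including searchable PDF, DOC, TIFF, JPEG, RTF, HTML and so on. As long as the application supports printing, its output can be converted to a PDF document. For PDF documents it even offers a range of options: font embedding, resolution, page size, document information, security, bookmarks, automatic links, multiple languages and more. It is the best choice for producing professional-grade PDF documents.
Picture To Video Converter is designed as an easy-to-use tool for joining pictures together with video transition effects.
【Statement】I am just a beginner who has picked up a few insights and would like to share them with everyone :)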
--------------------------------------------------------------
【Analysis】
--------------------------------------------------------------
**************************************************************
1. Run the program, open the registration dialog and enter incorrect registration information to test it; this message appears:
"Series number error,please check it and try again."
**************************************************************
2. Checking ApDocToPDF.exe with PEiD shows the packer is ASPack 2.12 -> Alexey Solodovnikov
**************************************************************
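3. Debug with the packer still in place: start OD, open ApDocToPDF.exe, enter the registration information, press F12 to pause, then Alt+K
Call stack, item 14
Address=0012F0D8
Stack=00409317
Procedure / arguments=? ApDocToP.004C22F8
Called from=ApDocToP.00409312
Frame=0012F0D4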
==============================================================
004091E4 55 PUSH EBP
004091E5 8BEC MOV EBP, ESP
004091E7 83C4 D0 ADD ESP, -30
004091EA 53 PUSH EBX
004091EB 8BD8 MOV EBX, EAX
004091ED B8 3C5C4C00 MOV EAX, ApDocToP.004C5C3C
004091F2 E8 FDB00A00 CALL ApDocToP.004B42F4
004091F7 66:C745 E4 1400 MOV WORD PTR [EBP-1C], 14
004091FD 33D2 XOR EDX, EDX
004091FF 8955 FC MOV DWORD PTR [EBP-4], EDX
00409202 8D55 FC LEA EDX, DWORD PTR [EBP-4]
00409205 FF45 F0 INC DWORD PTR [EBP-10]
00409208 8B83 F4020000 MOV EAX, DWORD PTR [EBX+2F4]
0040920E E8 75E40700 CALL ApDocToP.00487688
00409213 66:C745 E4 0800 MOV WORD PTR [EBP-1C], 8
00409219 837D FC 00 CMP DWORD PTR [EBP-4], 0
0040921D 74 05 JE SHORT ApDocToP.00409224 ; // jump if the serial is empty
0040921F 8B4D FC MOV ECX, DWORD PTR [EBP-4] ; // the trial serial that was entered
00409222 EB 05 JMP SHORT ApDocToP.00409229
00409224 B9 645A4C00 MOV ECX, ApDocToP.004C5A64
00409229 51 PUSH ECX
0040922A 53 PUSH EBX
0040922B E8 58FFFFFF CALL ApDocToP.00409188 ; // key CALL
00409230 83C4 08 ADD ESP, 8
00409233 3C 01 CMP AL, 1
00409235 0F85 C3000000 JNZ ApDocToP.004092FE ; // key jump
0040923B 6A 40 PUSH 40
0040923D 68 BC5A4C00 PUSH ApDocToP.004C5ABC ; ASCII "Registered Version"
00409242 68 655A4C00 PUSH ApDocToP.004C5A65 ; ASCII "Thank you register Ap DoumentToPDF software,if you have any problem,contact us please."
00409247 8BC3 MOV EAX, EBX
00409249 E8 4E4B0800 CALL ApDocToP.0048DD9C
0040924E 50 PUSH EAX
0040924F E8 A4900B00 CALL ApDocToP.004C22F8 ; JMP to USER32.MessageBoxA
00409254 8D55 D0 LEA EDX, DWORD PTR [EBP-30]
00409257 52 PUSH EDX
00409258 68 CF5A4C00 PUSH ApDocToP.004C5ACF ; ASCII "Software\AdultPDF\Doc2PDF"
0040925D 68 02000080 PUSH 80000002
00409262 E8 97870B00 CALL ApDocToP.004C19FE ; JMP to advapi32.RegCreateKeyA
00409267 837D D0 00 CMP DWORD PTR [EBP-30], 0
0040926B 74 3C JE SHORT ApDocToP.004092A9
0040926D 837D FC 00 CMP DWORD PTR [EBP-4], 0
00409271 74 05 JE SHORT ApDocToP.00409278
00409273 8B45 FC MOV EAX, DWORD PTR [EBP-4]
00409276 EB 05 JMP SHORT ApDocToP.0040927D
00409278 B8 E95A4C00 MOV EAX, ApDocToP.004C5AE9
0040927D 50 PUSH EAX
0040927E E8 FDAC0A00 CALL ApDocToP.004B3F80
00409283 59 POP ECX
00409284 40 INC EAX
00409285 50 PUSH EAX
00409286 837D FC 00 CMP DWORD PTR [EBP-4], 0
0040928A 74 05 JE SHORT ApDocToP.00409291
0040928C 8B55 FC MOV EDX, DWORD PTR [EBP-4]
0040928F EB 05 JMP SHORT ApDocToP.00409296
00409291 BA F15A4C00 MOV EDX, ApDocToP.004C5AF1
00409296 52 PUSH EDX
00409297 6A 01 PUSH 1
00409299 6A 00 PUSH 0
0040929B 68 EA5A4C00 PUSH ApDocToP.004C5AEA ; ASCII "Serial"
004092A0 8B45 D0 MOV EAX, DWORD PTR [EBP-30]
004092A3 50 PUSH EAX
004092A4 E8 6D870B00 CALL ApDocToP.004C1A16 ; JMP to advapi32.RegSetValueExA
004092A9 8B4D D0 MOV ECX, DWORD PTR [EBP-30]
004092AC 51 PUSH ECX
004092AD E8 46870B00 CALL ApDocToP.004C19F8 ; JMP to advapi32.RegCloseKey
004092B2 33D2 XOR EDX, EDX
004092B4 8B83 08030000 MOV EAX, DWORD PTR [EBX+308]
004092BA 8B08 MOV ECX, DWORD PTR [EAX]
004092BC FF51 64 CALL DWORD PTR [ECX+64]
004092BF 66:C745 E4 2000 MOV WORD PTR [EBP-1C], 20
004092C5 BA F25A4C00 MOV EDX, ApDocToP.004C5AF2 ; ASCII "Close"
004092CA 8D45 F8 LEA EAX, DWORD PTR [EBP-8]
004092CD E8 9A6A0B00 CALL ApDocToP.004BFD6C
004092D2 FF45 F0 INC DWORD PTR [EBP-10]
004092D5 8B10 MOV EDX, DWORD PTR [EAX]
004092D7 8B83 00030000 MOV EAX, DWORD PTR [EBX+300]
004092DD E8 D6E30700 CALL ApDocToP.004876B8
004092E2 FF4D F0 DEC DWORD PTR [EBP-10]
004092E5 8D45 F8 LEA EAX, DWORD PTR [EBP-8]
004092E8 BA 02000000 MOV EDX, 2
004092ED E8 1E6C0B00 CALL ApDocToP.004BFF10
004092F2 C783 4C020000 01000>MOV DWORD PTR [EBX+24C], 1
004092FC EB 35 JMP SHORT ApDocToP.00409333
004092FE 6A 10 PUSH 10
00409300 68 2B5B4C00 PUSH ApDocToP.004C5B2B ; ASCII "Error"
00409305 68 F85A4C00 PUSH ApDocToP.004C5AF8 ; ASCII "Series number error,please check it and try again."
0040930A 8BC3 MOV EAX, EBX
0040930C E8 8B4A0800 CALL ApDocToP.0048DD9C
00409311 50 PUSH EAX
00409312 E8 E18F0B00 CALL ApDocToP.004C22F8 ; JMP to USER32.MessageBoxA
00409317 FF4D F0 DEC DWORD PTR [EBP-10]
0040931A 8D45 FC LEA EAX, DWORD PTR [EBP-4]
0040931D BA 02000000 MOV EDX, 2
00409322 E8 E96B0B00 CALL ApDocToP.004BFF10
00409327 8B4D D4 MOV ECX, DWORD PTR [EBP-2C]
0040932A 64:890D 00000000 MOV DWORD PTR FS:[0], ECX
00409331 EB 1A JMP SHORT ApDocToP.0040934D
00409333 FF4D F0 DEC DWORD PTR [EBP-10]
00409336 8D45 FC LEA EAX, DWORD PTR [EBP-4]
00409339 BA 02000000 MOV EDX, 2
0040933E E8 CD6B0B00 CALL ApDocToP.004BFF10
00409343 8B4D D4 MOV ECX, DWORD PTR [EBP-2C]
00409346 64:890D 00000000 MOV DWORD PTR FS:[0], ECX
0040934D 5B POP EBX
0040934E 8BE5 MOV ESP, EBP
00409350 5D POP EBP
00409351 C3 RETN
=========================================================================
00409188 55 PUSH EBP
00409189 8BEC MOV EBP, ESP
0040918B 53 PUSH EBX
0040918C 56 PUSH ESI
0040918D 57 PUSH EDI
0040918E 8B5D 0C MOV EBX, DWORD PTR [EBP+C]
00409191 85DB TEST EBX, EBX
00409193 74 0C JE SHORT ApDocToP.004091A1
00409195 53 PUSH EBX
00409196 E8 E5AD0A00 CALL ApDocToP.004B3F80
0040919B 59 POP ECX
0040919C 83F8 10 CMP EAX, 10
0040919F 74 04 JE SHORT ApDocToP.004091A5 ; // jump if the serial length equals 10h
004091A1 33C0 XOR EAX, EAX
004091A3 EB 39 JMP SHORT ApDocToP.004091DE
004091A5 0FBE73 07 MOVSX ESI, BYTE PTR [EBX+7] ; // ESI = ASCII value of the 8th character of the serial
004091A9 8BC6 MOV EAX, ESI ; // EAX = ESI
004091AB 0FBE7B 0A MOVSX EDI, BYTE PTR [EBX+A] ; // EDI = ASCII value of the 11th character of the serial
004091AF 03C7 ADD EAX, EDI ; // EAX = EAX + EDI
004091B1 3D 9B000000 CMP EAX, 9B ; // compare EAX with 9B
004091B6 75 24 JNZ SHORT ApDocToP.004091DC ; // jump if not equal
004091B8 8BCE MOV ECX, ESI ; // ECX = ESI = ASCII value of the 8th character of the serial
004091BA 2BCF SUB ECX, EDI ; // ECX = ECX - EDI
004091BC 8BC1 MOV EAX, ECX ; // EAX = ECX
004091BE 99 CDQ ; // EDX = sign extension of EAX (0 or FFFFFFFF)
004091BF 33C2 XOR EAX, EDX ; // EAX = EAX xor EDX
004091C1 2BC2 SUB EAX, EDX ; // EAX = EAX - EDX (with CDQ and XOR: absolute value of EAX)
004091C3 83C0 41 ADD EAX, 41 ; // EAX = EAX + 41
004091C6 0FBE53 03 MOVSX EDX, BYTE PTR [EBX+3] ; // EDX = ASCII value of the 4th character of the serial
004091CA 3BC2 CMP EAX, EDX ; // compare EAX with EDX
004091CC 75 0E JNZ SHORT ApDocToP.004091DC ; // jump if not equal
004091CE 8B45 08 MOV EAX, DWORD PTR [EBP+8]
004091D1 C680 34030000 01 MOV BYTE PTR [EAX+334], 1
004091D8 B0 01 MOV AL, 1
004091DA EB 02 JMP SHORT ApDocToP.004091DE
004091DC 33C0 XOR EAX, EAX
004091DE 5F POP EDI
004091DF 5E POP ESI
004091E0 5B POP EBX
004091E1 5D POP EBP
004091E2 C3 RETN**************************************************************
【破解总结】
--------------------------------------------------------------
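【Algorithm summary】
1. The serial must be 16 characters long
2. The sum of the ASCII values of the 8th and 11th characters of the serial must equal 9Bh
3. The difference between the ASCII values of the 8th and 11th characters of the serial, plus 41h, must equal the ASCII value of the 4th character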
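An added example, not part of the original write-up: a C reading of the routine at 00409188, plus a helper that measures which positions of the serial the routine actually reads. It shows that CDQ / XOR / SUB is an absolute value and that 13 of the 16 characters are never examined, with no secret or user binding involved, which is why a check of this kind gives no protection; `free_positions` is a hypothetical helper name.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* C reading of the routine at 00409188 from the listing above.
   Returns 1 if the serial is accepted, 0 otherwise. */
int check_serial(const char *s)
{
    if (s == NULL || strlen(s) != 0x10)     /* TEST EBX,EBX ; CMP EAX,10 */
        return 0;
    int c8  = (signed char)s[7];            /* MOVSX ESI,[EBX+7] */
    int c11 = (signed char)s[10];           /* MOVSX EDI,[EBX+A] */
    int c4  = (signed char)s[3];            /* MOVSX EDX,[EBX+3] */
    if (c8 + c11 != 0x9B)                   /* CMP EAX,9B */
        return 0;
    /* CDQ ; XOR EAX,EDX ; SUB EAX,EDX is a branchless abs() */
    return abs(c8 - c11) + 0x41 == c4;
}

/* Audit helper (added, hypothetical name): bit i of the result is set when
   position i of an accepted serial can hold any printable character without
   changing the verdict, i.e. the check never looks at that position. */
unsigned free_positions(const char *accepted)
{
    char buf[17];
    unsigned mask = 0;
    if (!check_serial(accepted))
        return 0;
    for (int i = 0; i < 16; i++) {
        int always_ok = 1;
        memcpy(buf, accepted, 17);
        for (int ch = 0x20; ch <= 0x7E && always_ok; ch++) {
            buf[i] = (char)ch;
            always_ok = check_serial(buf);
        }
        if (always_ok)
            mask |= 1u << i;
    }
    return mask;
}

int main(void)
{
    const char *sample = "288x599i26292519";  /* serial quoted on this page */
    printf("accepted=%d free=0x%04X\n",
           check_serial(sample), free_positions(sample));
    return 0;
}
```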
--------------------------------------------------------------
【Keygen】
VB code
Private Sub Command1_Click()
C11 = Int(Rnd() * 10)
C8 = Chr(&H9B - Asc(C11))
C4 = Chr(Asc(C8) - Asc(C11) + &H41)
Text1.Text = Int(Rnd() * 10) & Int(Rnd() * 10) & Int(Rnd() * 10) & C4 & Int(Rnd() * 10) & Int(Rnd() * 10) & Int(Rnd() * 10) & C8 & Int(Rnd() * 10) & Int(Rnd() * 10) & C11 & Int(Rnd() * 10) & Int(Rnd() * 10) & Int(Rnd() * 10) & Int(Rnd() * 10) & Int (Rnd() * 10)
End Sub
--------------------------------------------------------------
【Registration information】
A working serial: 288x599i26292519
Stored in
--------------------------------------------------------------
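Thanks to the veterans 飘云, 猫 and Nisy and many other predecessors for their tutorials, and to all the forum brothers and sisters who have helped me! Thank you.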
--------------------------------------------------------------
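【Copyright notice】This write-up is a set of study notes, and interest is the source of success. It is purely for technical exchange. When reposting, please credit the author and keep the article intact. Thanks!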
_/_/_/ _/ _/ _/_/_/
_/ _/_/_/ _/
_/_/_/ _/_/ _/_/_/_/
_/ _/ _/ _/
_/ _/ _/_/_/ _/ tianxj