AutoDWG PDF Converter V3.2.2.3简单分析
【破文标题】AutoDWG PDF Converter V3.2.2.3简单分析【破文作者】冰糖
【作者邮箱】[email protected]
【作者主页】http://bbs.thulu.com
【破解工具】peid0.94+OD
【破解平台】XPsp3
【软件名称】AutoDWG DWG2PDF Converter
【软件大小】6.66 MB
【原版下载】http://www.skycn.com//soft/22012.html
【保护方式】注册码
【软件简介】AutoDWG DWG to PDF Converter allows you to convert DWG to PDF, DXF to PDF, DWF to PDF directly, NO AutoCAD required, batch conversion supported.
【破解声明】本文仅供研究学习,本人对因这篇文章而导致的一切后果,不承担任何法律责任。本文中的不足之处
------------------------------------------------------------------------
【破解过程】好久没破解,今天想把自己的CAD图纸转换成PDF格式的,就百度到这个软件,15天试用限制
准备好工具,下面开始动工
PEID查找无壳,Microsoft Visual C++ 6.0
OD载入,运行,输入假码确定,弹出窗口提示“register failed!”
查找字符串,双击进入
0041518E/.55 push ebp ;F2下断
0041518F|.8BEC mov ebp, esp
00415191|.51 push ecx
00415192|.894D FC mov dword ptr , ecx
00415195|.6A 01 push 1
00415197|.8B4D FC mov ecx, dword ptr
0041519A|.E8 7DBA4600 call <jmp.&MFC42.#6334>
0041519F|.6A 00 push 0
004151A1|.68 384BAB00 push 00AB4B38
004151A6|.8B4D FC mov ecx, dword ptr
004151A9|.81C1 B0030000 add ecx, 3B0
004151AF|.E8 88BB4600 call <jmp.&MFC42.#6877>
004151B4|.8B4D FC mov ecx, dword ptr
004151B7|.81C1 B4030000 add ecx, 3B4
004151BD|.E8 FEC8FEFF call 00401AC0
004151C2|.85C0 test eax, eax ;是否输入EMAIL检测
004151C4|.74 19 je short 004151DF
004151C6|.6A 00 push 0
004151C8|.68 3C4BAB00 push 00AB4B3C ;autodwgdwg2pdf
004151CD|.68 4C4BAB00 push 00AB4B4C ;please input your email!
004151D2|.8B4D FC mov ecx, dword ptr
004151D5|.E8 D8BD4600 call <jmp.&MFC42.#4224>
004151DA|.E9 F8000000 jmp 004152D7
004151DF|>6A 00 push 0
004151E1|.68 684BAB00 push 00AB4B68 ;@
004151E6|.8B4D FC mov ecx, dword ptr
004151E9|.81C1 B4030000 add ecx, 3B4
004151EF|.E8 B8BD4600 call <jmp.&MFC42.#6663>
004151F4|.85C0 test eax, eax ;EMAIL格式检测
004151F6|.7F 14 jg short 0041520C
004151F8|.6A 00 push 0
004151FA|.68 6C4BAB00 push 00AB4B6C ;autodwgdwg2pdf
004151FF|.68 7C4BAB00 push 00AB4B7C ;please input correct email address.
00415204|.8B4D FC mov ecx, dword ptr
00415207|.E8 A6BD4600 call <jmp.&MFC42.#4224>
0041520C|>8B4D FC mov ecx, dword ptr
0041520F|.81C1 B0030000 add ecx, 3B0
00415215|.E8 A6C8FEFF call 00401AC0
0041521A|.85C0 test eax, eax ;是否输入注册码检测
0041521C|.74 19 je short 00415237
0041521E|.6A 00 push 0
00415220|.68 A04BAB00 push 00AB4BA0 ;autodwgdwg2pdf
00415225|.68 B04BAB00 push 00AB4BB0 ;please input the register code!
0041522A|.8B4D FC mov ecx, dword ptr
0041522D|.E8 80BD4600 call <jmp.&MFC42.#4224>
00415232|.E9 A0000000 jmp 004152D7
00415237|>8B4D FC mov ecx, dword ptr
0041523A|.E8 EFB94600 call <jmp.&MFC42.#1669>
0041523F|.8B4D FC mov ecx, dword ptr
00415242|.81C1 B0030000 add ecx, 3B0
00415248|.E8 23C9FEFF call 00401B70
0041524D|.50 push eax ;假码98765432101234567890123456
0041524E|.8B4D FC mov ecx, dword ptr
00415251|.81C1 B4030000 add ecx, 3B4
00415257|.E8 14C9FEFF call 00401B70
0041525C|.50 push eax ;我的EMAIL:[email protected]
0041525D|.E8 08A60300 call 0044F86A ;算法CALL F7跟入
00415262|.83C4 08 add esp, 8
00415265|.25 FF000000 and eax, 0FF
0041526A|.85C0 test eax, eax
0041526C|.74 4D je short 004152BB
0041526E|.8B4D FC mov ecx, dword ptr
00415271|.E8 94B94600 call <jmp.&MFC42.#4853>
00415276|.8B45 FC mov eax, dword ptr
00415279|.C780 B8030000 0>mov dword ptr , 1
00415283|.8B4D FC mov ecx, dword ptr
00415286|.83B9 B8030000 0>cmp dword ptr , 0
0041528D|.74 16 je short 004152A5
0041528F|.6A 00 push 0
00415291|.68 D04BAB00 push 00AB4BD0 ;autodwgdwg2pdf
00415296|.68 E04BAB00 push 00AB4BE0 ;thank you, registered succeed !
0041529B|.8B4D FC mov ecx, dword ptr
0041529E|.E8 0FBD4600 call <jmp.&MFC42.#4224>
004152A3|.EB 14 jmp short 004152B9
004152A5|>6A 00 push 0
004152A7|.68 004CAB00 push 00AB4C00 ;autodwgdwg2pdf
004152AC|.68 104CAB00 push 00AB4C10 ;thank you, registered fail !
004152B1|.8B4D FC mov ecx, dword ptr
004152B4|.E8 F9BC4600 call <jmp.&MFC42.#4224>
004152B9|>EB 1C jmp short 004152D7
004152BB|>6A 00 push 0
004152BD|.68 304CAB00 push 00AB4C30 ;autodwgdwg2pdf
004152C2|.68 404CAB00 push 00AB4C40 ;register failed!
004152C7|.8B4D FC mov ecx, dword ptr
004152CA|.E8 E3BC4600 call <jmp.&MFC42.#4224>
004152CF|.8B4D FC mov ecx, dword ptr
004152D2|.E8 4BB94600 call <jmp.&MFC42.#2652>
004152D7|>8BE5 mov esp, ebp
004152D9|.5D pop ebp
004152DA\.C3 retn
0044F86A/$55 push ebp
0044F86B|.8BEC mov ebp, esp
0044F86D|.6A FF push -1
0044F86F|.68 2BD49500 push 0095D42B ;SE 处理程序安装
0044F874|.64:A1 00000000mov eax, dword ptr fs:
0044F87A|.50 push eax
0044F87B|.64:8925 0000000>mov dword ptr fs:, esp
0044F882|.83EC 14 sub esp, 14
0044F885|.C645 EC 01 mov byte ptr , 1
0044F889|.8B45 0C mov eax, dword ptr ;假码98765432101234567890123456
0044F88C|.50 push eax
0044F88D|.8D4D F0 lea ecx, dword ptr
0044F890|.E8 B1164300 call <jmp.&MFC42.#537>
0044F895|.C745 FC 0000000>mov dword ptr , 0
0044F89C|.8B4D 0C mov ecx, dword ptr
0044F89F|.51 push ecx
0044F8A0|.E8 36040000 call 0044FCDB ;算法关键CALL
0044F8A5|.83C4 04 add esp, 4
0044F8A8|.25 FF000000 and eax, 0FF
0044F8AD|.85C0 test eax, eax
0044F8AF|.75 19 jnz short 0044F8CA
0044F8B1|.8B55 0C mov edx, dword ptr
0044F8B4|.52 push edx
0044F8B5|.E8 C3130000 call 00450C7D
0044F8BA|.83C4 04 add esp, 4
0044F8BD|.85C0 test eax, eax
0044F8BF|.75 09 jnz short 0044F8CA ;不跳就死
0044F8C1|.C645 EC 00 mov byte ptr , 0
0044F8C5 E9 A8000000 jmp 0044F972
0044F8CA|>8D4D E8 lea ecx, dword ptr
0044F8CD|.E8 8E15FDFF call 00420E60
0044F8D2|.C645 FC 01 mov byte ptr , 1
0044F8D6|.6A 00 push 0
0044F8D8|.6A 00 push 0
0044F8DA|.68 3F000F00 push 0F003F
0044F8DF|.6A 00 push 0 ;下面把注册信息保存到注册表
0044F8E1|.6A 00 push 0
0044F8E3|.68 88A1AB00 push 00ABA188 ;software\autodwg\dwg_pdf_conver
0044F8E8|.68 02000080 push 80000002
0044F8ED|.8D4D E8 lea ecx, dword ptr
0044F8F0|.E8 DB180000 call 004511D0
0044F8F5|.85C0 test eax, eax
0044F8F7|.75 19 jnz short 0044F912
0044F8F9|.68 A8A1AB00 push 00ABA1A8 ;key
0044F8FE|.8B45 0C mov eax, dword ptr
0044F901|.50 push eax
0044F902|.8D4D E8 lea ecx, dword ptr
0044F905|.E8 36190000 call 00451240
0044F90A|.85C0 test eax, eax
0044F90C|.74 04 je short 0044F912
0044F90E|.C645 EC 00 mov byte ptr , 0
0044F912|>8D4D E4 lea ecx, dword ptr
0044F915|.E8 4615FDFF call 00420E60
0044F91A|.C645 FC 02 mov byte ptr , 2
0044F91E|.6A 00 push 0
0044F920|.6A 00 push 0
0044F922|.68 3F000F00 push 0F003F
0044F927|.6A 00 push 0
0044F929|.6A 00 push 0
0044F92B|.68 ACA1AB00 push 00ABA1AC ;software\autodwg\dwg_pdf_conver
0044F930|.68 01000080 push 80000001
0044F935|.8D4D E4 lea ecx, dword ptr
0044F938|.E8 93180000 call 004511D0
0044F93D|.85C0 test eax, eax
0044F93F|.75 19 jnz short 0044F95A
0044F941|.68 CCA1AB00 push 00ABA1CC ;key
0044F946|.8B4D 0C mov ecx, dword ptr
0044F949|.51 push ecx
0044FCDB/$55 push ebp
0044FCDC|.8BEC mov ebp, esp
0044FCDE|.6A FF push -1
0044FCE0|.68 85D49500 push 0095D485 ;SE 处理程序安装
0044FCE5|.64:A1 00000000mov eax, dword ptr fs:
0044FCEB|.50 push eax
0044FCEC|.64:8925 0000000>mov dword ptr fs:, esp
0044FCF3|.83EC 24 sub esp, 24
0044FCF6|.8B45 08 mov eax, dword ptr
0044FCF9|.50 push eax ; /s
0044FCFA|.E8 F7174300 call <jmp.&MSVCRT.strlen> ; \strlen
0044FCFF|.83C4 04 add esp, 4
0044FD02|.83F8 1A cmp eax, 1A ;注册码是否等于26位
0044FD05 74 07 je short 0044FD0E ;不跳就死
0044FD07|.32C0 xor al, al
0044FD09|.E9 BF000000 jmp 0044FDCD
0044FD0E|>8B4D 08 mov ecx, dword ptr
0044FD11|.51 push ecx
0044FD12|.8D4D F0 lea ecx, dword ptr
0044FD15|.E8 2C124300 call <jmp.&MFC42.#537>
0044FD1A|.C745 FC 0000000>mov dword ptr , 0
0044FD21|.8D4D EC lea ecx, dword ptr
0044FD24|.E8 870E4300 call <jmp.&MFC42.#540>
0044FD29|.C645 FC 01 mov byte ptr , 1
0044FD2D|.51 push ecx
0044FD2E|.8BCC mov ecx, esp
0044FD30|.8965 E8 mov dword ptr , esp
0044FD33|.8D55 F0 lea edx, dword ptr
0044FD36|.52 push edx
0044FD37|.E8 EC0E4300 call <jmp.&MFC42.#535>
0044FD3C|.8945 D8 mov dword ptr , eax
0044FD3F|.8D45 E4 lea eax, dword ptr
0044FD42|.50 push eax
0044FD43|.E8 C40B0000 call 0045090C ;用户输入注册码的变换CALL
0044FD48|.83C4 08 add esp, 8
0044FD4B|.8945 D4 mov dword ptr , eax
0044FD4E|.8B4D D4 mov ecx, dword ptr
0044FD51|.894D D0 mov dword ptr , ecx
0044FD54|.C645 FC 02 mov byte ptr , 2
0044FD58|.8B55 D0 mov edx, dword ptr
0044FD5B|.52 push edx
0044FD5C|.8D4D EC lea ecx, dword ptr
0044FD5F|.E8 D00E4300 call <jmp.&MFC42.#858>
0044FD64|.C645 FC 01 mov byte ptr , 1
0044FD68|.8D4D E4 lea ecx, dword ptr
0044FD6B|.E8 280E4300 call <jmp.&MFC42.#800>
0044FD70|.68 4CA2AB00 push 00ABA24C ;结果比较字符串"&d#2*P"
0044FD75|.8D45 EC lea eax, dword ptr
0044FD78|.50 push eax
0044FD79|.E8 2265FCFF call 004162A0 ;关键比较,比较用户输入的注册码变换后转换成字符串是否和"&d#2*P"相同
0044FD7E|.25 FF000000 and eax, 0FF
0044FD83|.85C0 test eax, eax
0044FD85|.74 24 je short 0044FDAB ;跳就死
0044FD87|.C645 E0 01 mov byte ptr , 1
0045090C/$55 push ebp
0045090D|.8BEC mov ebp, esp
0045090F|.6A FF push -1
00450911|.68 47D59500 push 0095D547 ;SE 处理程序安装
00450916|.64:A1 00000000mov eax, dword ptr fs:
0045091C|.50 push eax
0045091D|.64:8925 0000000>mov dword ptr fs:, esp
00450924|.83EC 14 sub esp, 14
00450927|.C745 E4 0000000>mov dword ptr , 0
0045092E|.C745 FC 0100000>mov dword ptr , 1
00450935|.8D4D F0 lea ecx, dword ptr
00450938|.E8 73024300 call <jmp.&MFC42.#540>
0045093D|.C645 FC 02 mov byte ptr , 2
00450941|.6A 00 push 0
00450943|.68 10A3AB00 push 00ABA310
00450948|.8D4D 0C lea ecx, dword ptr
0045094B|.E8 EC034300 call <jmp.&MFC42.#6877>
00450950|.51 push ecx
00450951|.8BCC mov ecx, esp
00450953|.8965 E8 mov dword ptr , esp
00450956|.68 14A3AB00 push 00ABA314 ;ASCII "*2%^W#g@"
0045095B|.E8 E6054300 call <jmp.&MFC42.#537>
00450960|.8945 E0 mov dword ptr , eax
00450963|.8D45 0C lea eax, dword ptr
00450966|.50 push eax ;假吗98765432101234567890123456
00450967|.E8 8BCFFCFF call 0041D8F7 ;算法变换CALL,变换结果ASCII "b05281811c1ae5211d96c6a7"
0045096C|.83C4 08 add esp, 8
0045096F|.C745 EC 0000000>mov dword ptr , 0
00450976|.EB 09 jmp short 00450981
00450978|>8B4D EC /mov ecx, dword ptr ;算法变换结果隔两位取两位
0045097B|.83C1 02 |add ecx, 2
0045097E|.894D EC |mov dword ptr , ecx
00450981|>837D EC 0C cmp dword ptr , 0C
00450985|.7D 17 |jge short 0045099E
00450987|.8B55 EC |mov edx, dword ptr
0045098A|.52 |push edx
0045098B|.8D4D 0C |lea ecx, dword ptr
0045098E|.E8 DDE2FCFF |call 0041EC70
00450993|.50 |push eax
00450994|.8D4D F0 |lea ecx, dword ptr
00450997|.E8 E8064300 |call <jmp.&MFC42.#940>
0045099C|.^ EB DA \jmp short 00450978
0045099E|>8D45 F0 lea eax, dword ptr ;上面计算结果 B0 81 1C E5 1D C6
004509A1|.50 push eax
004509A2|.8B4D 08 mov ecx, dword ptr
004509A5|.E8 7E024300 call <jmp.&MFC42.#535>
004509AA|.8B4D E4 mov ecx, dword ptr
004509AD|.83C9 01 or ecx, 1
004509B0|.894D E4 mov dword ptr , ecx
004509B3|.C645 FC 01 mov byte ptr , 1
004509B7|.8D4D F0 lea ecx, dword ptr
004509BA|.E8 D9014300 call <jmp.&MFC42.#800>
004509BF|.C645 FC 00 mov byte ptr , 0
004509C3|.8D4D 0C lea ecx, dword ptr
004509C6|.E8 CD014300 call <jmp.&MFC42.#800>
004509CB|.8B45 08 mov eax, dword ptr
------------------------------------------------------------------------
【破解总结】本软件是固定注册码的,与用户EMAIL无关
把输入的注册码经过一个算法变换和一个固定的字符串比较,爆破起来简单,既然固定注册码的,算法分析太麻烦,说不定还是不可逆算法,得不偿失
验证部分,
tt=固定算法(输入注册码)
For i = 1 To Len(tt) Step 4
a = Mid(tt, i, 2)
b = Val("&h" & a)
c = Chr(b)
TT2 = TT2 & c
Next i
如果TT2 和 “&d#2*P”相等,那么就注册成功了
------------------------------------------------------------------------
【版权声明】来自于BBS.THULU.COM 转载请注明作者并保持文章的完整, 谢谢!
[ 本帖最后由 冰糖 于 2008-10-15 22:11 编辑 ] 冰糖的作品,支持一下/:good 顶你啊,冰糖老大,分析的很详细 爆破方便,整个系列也是同样的加密方式 秒暴,o(∩_∩)o...哈哈,算法再看看 后面的版本就差不到字符串了。呵呵 向冰糖老大学习。 原帖由 lixy8888 于 2008-10-16 08:46 发表 https://www.chinapyg.com/images/common/back.gif
后面的版本就差不到字符串了。呵呵
可以看见的/:L ,push那个地址里有 分析的很详细,谢谢! 哇好东西...有时间拿来研究下...嘿
页:
[1]
2