Batch DOCX to DOC Converter 2010.2.531.1404暴破
本帖最后由 ifox 于 2010-6-1 21:28 编辑
这个公司的其他各个软件,修改方法类似,有兴趣的自己分析其他的,对比下不同的地方。
http://batchwork.com/en/doc2doc/download.htm
刚去站点看了下到1407了,其实修改点和方法一样。
未注册版本,生成的文件名带“- Unlicensed”字样,OD载入后直接找“- Unlicensed”字样找不到,程序是运行中才把相关字符串资源释放出来,不如直接C32ASM查找。
定位到下面的代码:
0048B67F|.E8 0043FEFF call 0046F984 ;是否注册授权,核心CALL,跟进
0048B684|.84C0 test al, al
0048B686|.75 21 jnz short 0048B6A9
0048B688|.8D55 F0 lea edx, dword ptr
0048B68B|.8BC3 mov eax, ebx
0048B68D|.E8 8A17FCFF call 0044CE1C
0048B692|.8D45 F0 lea eax, dword ptr
0048B695|.BA 04B74800 mov edx, 0048B704 ;ASCII " - Unlicensed"
0048B69A|.E8 3D96F7FF call 00404CDC
0048B69F|.8B55 F0 mov edx, dword ptr
0048B6A2|.8BC3 mov eax, ebx
0048B6A4|.E8 A317FCFF call 0044CE4C
0046F984有多个地方调用,是注册与否的部分判断调用,分析下,直接处理如下:
=========================================================
跟踪调试发现未注册则返回eax=0,因此我们只需要在这里修改入口代码如下:
0046F984 33C0 xor eax, eax ;注册判断,直接返回EAX=1,启动注册,关于显示搞定。
0046F986 B0 01 mov al, 1
0046F988 C3 retn
相关代码如下:
0046F984/$55 push ebp ;注册相关判断,本地调用来自 0046FD07, 0046FE07, 004702B5, 00488EDD, 00488F12, 00489066, 004892DF, 0048AEAD, 0048AEC9, 0048B67F
0046F985|.8BEC mov ebp, esp
0046F987|.6A 00 push 0
0046F989|.6A 00 push 0
0046F98B|.53 push ebx
0046F98C|.8BD8 mov ebx, eax
0046F98E|.33C0 xor eax, eax
0046F990|.55 push ebp
0046F991|.68 02FA4600 push 0046FA02
0046F996|.64:FF30 push dword ptr fs:
0046F999|.64:8920 mov dword ptr fs:, esp
0046F99C|.8D4D FC lea ecx, dword ptr
0046F99F|.BA 18FA4600 mov edx, 0046FA18
0046F9A4|.8B83 4C040000 mov eax, dword ptr
0046F9AA|.E8 95D5FAFF call 0041CF44
0046F9AF|.837D FC 00 cmp dword ptr , 0
0046F9B3|.75 15 jnz short 0046F9CA
0046F9B5|.B9 24FA4600 mov ecx, 0046FA24
0046F9BA|.BA 18FA4600 mov edx, 0046FA18
0046F9BF|.8B83 4C040000 mov eax, dword ptr
0046F9C5|.E8 52DDFAFF call 0041D71C
0046F9CA|>8D4D F8 lea ecx, dword ptr
0046F9CD|.BA 18FA4600 mov edx, 0046FA18
0046F9D2|.8B83 4C040000 mov eax, dword ptr
0046F9D8|.E8 67D5FAFF call 0041CF44
0046F9DD|.8B45 F8 mov eax, dword ptr
0046F9E0|.E8 8399F9FF call 00409368
0046F9E5|.8BD8 mov ebx, eax
0046F9E7|.33C0 xor eax, eax
0046F9E9|.5A pop edx
0046F9EA|.59 pop ecx
0046F9EB|.59 pop ecx
0046F9EC|.64:8910 mov dword ptr fs:, edx
0046F9EF|.68 09FA4600 push 0046FA09
0046F9F4|>8D45 F8 lea eax, dword ptr
0046F9F7|.BA 02000000 mov edx, 2
0046F9FC|.E8 3350F9FF call 00404A34
0046FA01\.C3 retn
0046FA02 .^ E9 BD48F9FF jmp 004042C4
0046FA07 .^ EB EB jmp short 0046F9F4
0046FA09 .8BC3 mov eax, ebx
0046FA0B .5B pop ebx
0046FA0C .59 pop ecx
0046FA0D .59 pop ecx
0046FA0E .5D pop ebp
0046FA0F .C3 retn
====================================================
修改后保存为新程序,然后转换DOC文件,发现转出的文件在页眉有水印“Generated by Unregistered Batch DOC & DOCX Converter 2010.2.531.1404, please register!”
直接查找字符参考找不到此字符串,经过动态跟踪调试发现作者在软件中对字符串进行了乱序存储,然后再动态组合成水印。
00490758 55 push ebp
00490759 8BEC mov ebp, esp
0049075B .33C0 xor eax, eax
0049075D .55 push ebp
0049075E .68 17084900 push 00490817
00490763 .64:FF30 push dword ptr fs:
00490766 .64:8920 mov dword ptr fs:, esp
00490769 .832D D8754900>sub dword ptr , 1
00490770 0F83 93000000 jnb 00490809 ;直接跳走即可
00490776 .B2 01 mov dl, 1
00490778 .A1 00BE4600 mov eax, dword ptr
0049077D .E8 3E33F7FF call 00403AC0
00490782 .BA 01000000 mov edx, 1
00490787 .E8 60BAFDFF call 0046C1EC
0049078C .A3 DC754900 mov dword ptr , eax
00490791 .B8 E0754900 mov eax, 004975E0
00490796 .BA 28084900 mov edx, 00490828 ; t,senyln! %er sies ddresigarrtepese geer %betaug
0049079B .E8 C442F7FF call 00404A64
004907A0 .BA 01000000 mov edx, 1
004907A5 .A1 DC754900 mov eax, dword ptr
004907AA .E8 3DBAFDFF call 0046C1EC
004907AF .50 push eax
004907B0 .6A 01 push 1
004907B2 .A1 E0754900 mov eax, dword ptr
004907B7 .E8 1445F7FF call 00404CD0
004907BC .8BC8 mov ecx, eax ; |
004907BE .BA E0754900 mov edx, 004975E0 ; |
004907C3 .A1 00BE4600 mov eax, dword ptr ; |
004907C8 .E8 37BBFDFF call 0046C304 ; \doc2doc.0046C304
004907CD .B8 E4754900 mov eax, 004975E4
004907D2 .BA 64084900 mov edx, 00490864 ;inscduenle
004907D7 .E8 8842F7FF call 00404A64
004907DC .BA 01000000 mov edx, 1
004907E1 .A1 DC754900 mov eax, dword ptr
004907E6 .E8 01BAFDFF call 0046C1EC
004907EB .50 push eax
004907EC .6A 01 push 1
004907EE .A1 E4754900 mov eax, dword ptr
004907F3 .E8 D844F7FF call 00404CD0
004907F8 .8BC8 mov ecx, eax ; |
004907FA .BA E4754900 mov edx, 004975E4 ; |
004907FF .A1 00BE4600 mov eax, dword ptr ; |
00490804 .E8 FBBAFDFF call 0046C304 ; \doc2doc.0046C304
00490809 >33C0 xor eax, eax
=========================================================================================
进行批量转换时,出现“skipped,please register!”提示,转换失败,同样是乱序后的字符,直接C32ASM找吧,有两处:
00470568|.E8 93BCFFFF call 0046C200
0047056D|.83F8 03 cmp eax, 3
00470570|.75 7E jnz short 004705F0
00470572|.807B 68 00 cmp byte ptr , 0
00470576|.75 78 jnz short 004705F0
00470578|.8B43 44 mov eax, dword ptr
0047057B|.8B40 08 mov eax, dword ptr
0047057E|.84C0 test al, al
00470580 74 6E je short 004705F0 ;这里跳或者上面条都行。
00470582|.8D45 FC lea eax, dword ptr
00470585|.BA 3C064700 mov edx, 0047063C ;rs tdili,s pekpgeaees!pre
0047058A|.E8 1945F9FF call 00404AA8
0047058F|.8B43 44 mov eax, dword ptr
---------------------------------------------------------------------
00470B60/$55 push ebp
00470B61|.8BEC mov ebp, esp
00470B63|.83C4 EC add esp, -14
00470B66|.53 push ebx
00470B67|.56 push esi
00470B68|.33DB xor ebx, ebx
00470B6A|.895D FC mov dword ptr , ebx
00470B6D|.8BF1 mov esi, ecx
00470B6F|.33C0 xor eax, eax
00470B71|.55 push ebp
00470B72|.68 120C4700 push 00470C12
00470B77|.64:FF30 push dword ptr fs:
00470B7A|.64:8920 mov dword ptr fs:, esp
00470B7D|.84D2 test dl, dl
00470B7F 74 46 je short 00470BC7 ;跳走
00470B81|.8D45 FC lea eax, dword ptr
00470B84|.BA 280C4700 mov edx, 00470C28 ;rs tdili,s pekpgeaees!pre
00470B89|.E8 1A3FF9FF call 00404AA8
00470B8E|.8B5D FC mov ebx, dword ptr
00470B91|.85DB test ebx, ebx
00470B93|.74 05 je short 00470B9A
00470B95|.83EB 04 sub ebx, 4
==========================================================================================
转换的文件名前有"--"字符,找创建文件的相关内容
00470946 .E8 F18DF9FF call 0040973C
0047094B .84C0 test al, al
0047094D .75 1B jnz short 0047096A ;创建文件是否成功判断
0047094F .8D45 C8 lea eax, dword ptr
00470952 .8B4D FC mov ecx, dword ptr
00470955 .BA 7C0A4700 mov edx, 00470A7C ;createdir failed:
0047095A .E8 C143F9FF call 00404D20
0047095F .8B55 C8 mov edx, dword ptr
00470962 .8B45 F4 mov eax, dword ptr
00470965 .E8 AAC3FFFF call 0046CD14
0047096A >8B45 F8 mov eax, dword ptr
0047096D .8078 68 00 cmp byte ptr , 0
00470971 75 30 jnz short 004709A3 ;非注册就在生成的文件名前+上"--"字符串,跳走即可。
00470973 .FF75 FC push dword ptr
00470976 .68 980A4700 push 00470A98 ;-
0047097B .FF35 E4754900 push dword ptr
00470981 .68 980A4700 push 00470A98 ;-
00470986 .8D55 C4 lea edx, dword ptr
00470989 .8B45 08 mov eax, dword ptr
0047098C .8B00 mov eax, dword ptr
0047098E .E8 7191F9FF call 00409B04
00470993 .FF75 C4 push dword ptr
00470996 .8B45 08 mov eax, dword ptr
00470999 .BA 05000000 mov edx, 5
0047099E .E8 F143F9FF call 00404D94
004709A3 >8B45 08 mov eax, dword ptr
004709A6 .8B00 mov eax, dword ptr
004709A8 .E8 6B8DF9FF call 00409718
004709AD .84C0 test al, al
004709AF .74 68 je short 00470A19
004709B1 .A1 882F4900 mov eax, dword ptr
004709B6 .8B00 mov eax, dword ptr
004709B8 .E8 EBDAFFFF call 0046E4A8
004709BD .84C0 test al, al
004709BF .75 36 jnz short 004709F7
004709C1 .FF75 FC push dword ptr
004709C4 .68 980A4700 push 00470A98 ;-
004709C9 .A1 882F4900 mov eax, dword ptr
004709CE .8B00 mov eax, dword ptr
004709D0 .FF70 28 push dword ptr
004709D3 .68 980A4700 push 00470A98 ;-
004709D8 .8D55 C0 lea edx, dword ptr
004709DB .8B45 08 mov eax, dword ptr
004709DE .8B00 mov eax, dword ptr
004709E0 .E8 1F91F9FF call 00409B04
004709E5 .FF75 C0 push dword ptr
004709E8 .8B45 08 mov eax, dword ptr
004709EB .BA 05000000 mov edx, 5
004709F0 .E8 9F43F9FF call 00404D94
004709F5 .EB 22 jmp short 00470A19
004709F7 >A1 882F4900 mov eax, dword ptr
004709FC .8B00 mov eax, dword ptr
004709FE .E8 A5DAFFFF call 0046E4A8
00470A03 .3C 09 cmp al, 9
00470A05 .75 12 jnz short 00470A19
00470A07 .8B45 08 mov eax, dword ptr
00470A0A .E8 0140F9FF call 00404A10
00470A0F .8B45 F0 mov eax, dword ptr
00470A12 .C740 04 01000>mov dword ptr , 1
00470A19 >33C0 xor eax, eax
00470A1B .5A pop edx
00470A1C .59 pop ecx
00470A1D .59 pop ecx
00470A1E .64:8910 mov dword ptr fs:, edx
00470A21 .68 430A4700 push 00470A43
00470A26 >8D45 C0 lea eax, dword ptr
00470A29 .BA 0C000000 mov edx, 0C
00470A2E .E8 0140F9FF call 00404A34
00470A33 .8D45 FC lea eax, dword ptr
00470A36 .E8 D53FF9FF call 00404A10
00470A3B .C3 retn
00470A3C .^ E9 8338F9FF jmp 004042C4
00470A41 .^ EB E3 jmp short 00470A26
00470A43 .5F pop edi
00470A44 .5E pop esi
00470A45 .5B pop ebx
00470A46 .8BE5 mov esp, ebp
00470A48 .5D pop ebp
00470A49 .C2 0400 retn 4
=============================================================
查看关于里的信息不美观,找到相关内容,直接去软件里修改字符串吧。
00488F12 .E8 6D6AFEFF call 0046F984
00488F17 .84C0 test al, al
00488F19 .74 5A je short 00488F75
00488F1B .8B45 FC mov eax, dword ptr ;(initial cpu selection)
00488F1E .8B80 6C030000 mov eax, dword ptr
00488F24 .BA F48F4800 mov edx, 00488FF4 ;the software licensed to:
00488F29 .E8 1E3FFCFF call 0044CE4C
00488F2E .8D55 EC lea edx, dword ptr
00488F31 .A1 C42F4900 mov eax, dword ptr
00488F36 .8B00 mov eax, dword ptr
00488F38 .E8 136BFEFF call 0046FA50
00488F3D .FF75 EC push dword ptr
00488F40 .68 18904800 push 00489018 ;,
00488F45 .8D55 E8 lea edx, dword ptr
00488F48 .A1 C42F4900 mov eax, dword ptr
00488F4D .8B00 mov eax, dword ptr
00488F4F .E8 D46AFEFF call 0046FA28
00488F54 .FF75 E8 push dword ptr
到此,所存在的限制基本都已经去掉了,有需要的可自行修改测试。
附上对应版本吧。
强,我只是把注册信息爆了。但是水印一直搞不定。看后启发很大。
不错,确实不错