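【Title】: Analysis of Word方正转换器 (full crack)
【Author】: JackyChou
【Author email】: [email protected]
【Software name】: Word方正转换器
【Download】: search for it and download it yourself
【Packer】: themida 1.0.0.5
【Protection】: packed
【Language】: VB 6.0
【Tools used】: OD, PEID, LordPE, ImportREC
【Platform】: XP Sp3 (genuine)
【Author's statement】: I am only doing this out of interest and have no other purpose. If I have made mistakes, I would be grateful for corrections from the experts!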
--------------------------------------------------------------------------------
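【Detailed process】
The program analyzed this time converts Word files to Fbd files. It is packed with themida. It can be unpacked with an unpacking script, but after the script finishes there is stolen code and the IAT needs to be repaired. It can also be unpacked with an unpacker tool; the unpacked program then runs normally, but the OEP is not the real OEP, so it needs some further manual handling, and the useless sections should be deleted to slim the program down. The detailed process is omitted.
On to the program analysis: when the software is unregistered it can only convert 1 page, and anything more produces an error.
At startup the program performs a network check. If there is no network, 【Start conversion】 is greyed out and 【Network unavailable】 is displayed. Here is part of the code that runs at program startup: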
=============================================================================================
004AC050 mov dword ptr [ebp-178], 0
004AC05A lea ecx, dword ptr [ebp-48]
004AC05D push ecx
004AC05E lea edx, dword ptr [ebp-44]
004AC061 push edx
004AC062 push 2
004AC064 call dword ptr [<&msvbvm60.__vbaFreeObjList>] ; msvbvm60.__vbaFreeObjList
004AC06A add esp, 0C
004AC06D mov dword ptr [ebp-4], 12
004AC074 lea eax, dword ptr [ebp-10C]
004AC07A push eax ; /TMPend8
004AC07B lea ecx, dword ptr [ebp-FC] ; |
004AC081 push ecx ; |TMPstep8
004AC082 lea edx, dword ptr [ebp-30] ; |
004AC085 push edx ; |Counter8
004AC086 call dword ptr [<&msvbvm60.__vbaVarForNext>] ; \__vbaVarForNext
004AC08C mov dword ptr [ebp-124], eax
004AC092 cmp dword ptr [ebp-124], 0
004AC099 jnz 004ABC88
004AC09F mov dword ptr [ebp-4], 13
004AC0A6 call 004B0B10
004AC0AB cmp ax, 0FFFF ; network check
004AC0AF jnz 004AC2EE ; this can be NOPed; it then also works without a network
004AC0B5 mov dword ptr [ebp-4], 14
004AC0BC call 004ADE90
004AC0C1 mov dword ptr [ebp-4], 15
004AC0C8 push 004FE04C
004AC0CD call 004B0BF0
004AC0D2 mov dword ptr [ebp-4], 16
004AC0D9 lea eax, dword ptr [ebp-58]
004AC0DC push eax
004AC0DD call 004B3F40
004AC0E2 lea ecx, dword ptr [ebp-58]
004AC0E5 push ecx
004AC0E6 call dword ptr [<&msvbvm60.__vbaStrVarMove>] ; msvbvm60.__vbaStrVarMove
004AC0EC mov edx, eax
004AC0EE lea ecx, dword ptr [ebp-38]
004AC0F1 call dword ptr [<&msvbvm60.__vbaStrMove>] ; msvbvm60.__vbaStrMove
004AC0F7 lea edx, dword ptr [ebp-38]
004AC0FA push edx
004AC0FB call 004B13E0
004AC100 xor ebx, ebx
004AC102 cmp ax, 0FFFF
004AC106 sete bl
004AC109 neg ebx
004AC10B call 004B4C20
004AC110 xor ecx, ecx
004AC112 cmp ax, 0FFFF
004AC116 sete cl
004AC119 neg ecx
004AC11B and bx, cx
004AC11E mov word ptr [ebp-D0], bx
004AC125 lea ecx, dword ptr [ebp-38]
004AC128 call dword ptr [<&msvbvm60.__vbaFreeStr>] ; msvbvm60.__vbaFreeStr
004AC12E lea ecx, dword ptr [ebp-58]
004AC131 call dword ptr [<&msvbvm60.__vbaFreeVar>] ; msvbvm60.__vbaFreeVar
004AC137 movsx edx, word ptr [ebp-D0]
004AC13E test edx, edx ; registration comparison at program startup
004AC140 je 004AC264 ; this can be NOPed
004AC146 mov dword ptr [ebp-4], 17
004AC14D mov eax, dword ptr [ebp+8]
004AC150 mov ecx, dword ptr [eax]
004AC152 mov edx, dword ptr [ebp+8]
004AC155 push edx
004AC156 call dword ptr [ecx+328]
004AC15C push eax
004AC15D lea eax, dword ptr [ebp-44]
004AC160 push eax
004AC161 call dword ptr [<&msvbvm60.__vbaObjSet>] ; msvbvm60.__vbaObjSet
004AC167 mov dword ptr [ebp-D0], eax
004AC16D push 0040B974 ; string (Registered)
004AC172 mov ecx, dword ptr [ebp-D0]
004AC178 mov edx, dword ptr [ecx]
004AC17A mov eax, dword ptr [ebp-D0]
004AC180 push eax
004AC181 call dword ptr [edx+54]
004AC184 fclex
004AC186 mov dword ptr [ebp-D4], eax
004AC18C cmp dword ptr [ebp-D4], 0
004AC193 jge short 004AC1B8
004AC195 push 54
004AC197 push 0040B008
004AC19C mov ecx, dword ptr [ebp-D0]
004AC1A2 push ecx
004AC1A3 mov edx, dword ptr [ebp-D4]
004AC1A9 push edx
004AC1AA call dword ptr [<&msvbvm60.__vbaHresultCheckObj>] ; msvbvm60.__vbaHresultCheckObj
004AC1B0 mov dword ptr [ebp-17C], eax
004AC1B6 jmp short 004AC1C2
004AC1B8 mov dword ptr [ebp-17C], 0
004AC1C2 lea ecx, dword ptr [ebp-44]
004AC1C5 call dword ptr [<&msvbvm60.__vbaFreeObj>] ; msvbvm60.__vbaFreeObj
004AC1CB mov dword ptr [ebp-4], 18
004AC1D2 mov eax, dword ptr [ebp+8]
004AC1D5 mov ecx, dword ptr [eax]
004AC1D7 mov edx, dword ptr [ebp+8]
004AC1DA push edx
004AC1DB call dword ptr [ecx+328]
004AC1E1 push eax
004AC1E2 lea eax, dword ptr [ebp-44]
004AC1E5 push eax
004AC1E6 call dword ptr [<&msvbvm60.__vbaObjSet>] ; msvbvm60.__vbaObjSet
004AC1EC mov dword ptr [ebp-D0], eax
004AC1F2 push 0
004AC1F4 mov ecx, dword ptr [ebp-D0]
004AC1FA mov edx, dword ptr [ecx]
004AC1FC mov eax, dword ptr [ebp-D0]
004AC202 push eax
004AC203 call dword ptr [edx+8C]
004AC209 fclex
004AC20B mov dword ptr [ebp-D4], eax
004AC211 cmp dword ptr [ebp-D4], 0
004AC218 jge short 004AC240
004AC21A push 8C
004AC21F push 0040B008
004AC224 mov ecx, dword ptr [ebp-D0]
004AC22A push ecx
004AC22B mov edx, dword ptr [ebp-D4]
004AC231 push edx
004AC232 call dword ptr [<&msvbvm60.__vbaHresultCheckObj>] ; msvbvm60.__vbaHresultCheckObj
004AC238 mov dword ptr [ebp-180], eax
004AC23E jmp short 004AC24A
004AC240 mov dword ptr [ebp-180], 0
004AC24A lea ecx, dword ptr [ebp-44]
004AC24D call dword ptr [<&msvbvm60.__vbaFreeObj>] ; msvbvm60.__vbaFreeObj
004AC253 mov dword ptr [ebp-4], 19
004AC25A call 004AD790
004AC25F jmp 004AC2E9
004AC264 mov dword ptr [ebp-4], 1B
004AC26B mov eax, dword ptr [ebp+8]
004AC26E mov ecx, dword ptr [eax]
004AC270 mov edx, dword ptr [ebp+8]
004AC273 push edx
004AC274 call dword ptr [ecx+328]
004AC27A push eax
004AC27B lea eax, dword ptr [ebp-44]
004AC27E push eax
004AC27F call dword ptr [<&msvbvm60.__vbaObjSet>] ; msvbvm60.__vbaObjSet
004AC285 mov dword ptr [ebp-D0], eax
004AC28B push 0040B980
004AC290 mov ecx, dword ptr [ebp-D0]
004AC296 mov edx, dword ptr [ecx]
004AC298 mov eax, dword ptr [ebp-D0]
004AC29E push eax
004AC29F call dword ptr [edx+54]
004AC2A2 fclex
004AC2A4 mov dword ptr [ebp-D4], eax
004AC2AA cmp dword ptr [ebp-D4], 0
004AC2B1 jge short 004AC2D6
004AC2B3 push 54
004AC2B5 push 0040B008
004AC2BA mov ecx, dword ptr [ebp-D0]
004AC2C0 push ecx
004AC2C1 mov edx, dword ptr [ebp-D4]
004AC2C7 push edx
004AC2C8 call dword ptr [<&msvbvm60.__vbaHresultCheckObj>] ; msvbvm60.__vbaHresultCheckObj
004AC2CE mov dword ptr [ebp-184], eax
004AC2D4 jmp short 004AC2E0
004AC2D6 mov dword ptr [ebp-184], 0
004AC2E0 lea ecx, dword ptr [ebp-44]
004AC2E3 call dword ptr [<&msvbvm60.__vbaFreeObj>] ; msvbvm60.__vbaFreeObj
004AC2E9 jmp 004AC4A0
004AC2EE mov dword ptr [ebp-4], 1E
004AC2F5 mov eax, dword ptr [ebp+8]
004AC2F8 mov ecx, dword ptr [eax]
004AC2FA mov edx, dword ptr [ebp+8]
004AC2FD push edx
004AC2FE call dword ptr [ecx+32C]
004AC304 push eax
004AC305 lea eax, dword ptr [ebp-44]
004AC308 push eax
004AC309 call dword ptr [<&msvbvm60.__vbaObjSet>] ; msvbvm60.__vbaObjSet
004AC30F mov dword ptr [ebp-D0], eax
004AC315 push 0
004AC317 mov ecx, dword ptr [ebp-D0]
004AC31D mov edx, dword ptr [ecx]
004AC31F mov eax, dword ptr [ebp-D0]
004AC325 push eax
004AC326 call dword ptr [edx+8C]
004AC32C fclex
004AC32E mov dword ptr [ebp-D4], eax
004AC334 cmp dword ptr [ebp-D4], 0
004AC33B jge short 004AC363
004AC33D push 8C
004AC342 push 0040B008
004AC347 mov ecx, dword ptr [ebp-D0]
004AC34D push ecx
004AC34E mov edx, dword ptr [ebp-D4]
004AC354 push edx
004AC355 call dword ptr [<&msvbvm60.__vbaHresultCheckObj>] ; msvbvm60.__vbaHresultCheckObj
004AC35B mov dword ptr [ebp-188], eax
004AC361 jmp short 004AC36D
004AC363 mov dword ptr [ebp-188], 0
004AC36D lea ecx, dword ptr [ebp-44]
004AC370 call dword ptr [<&msvbvm60.__vbaFreeObj>] ; msvbvm60.__vbaFreeObj
004AC376 mov dword ptr [ebp-4], 1F
004AC37D mov eax, dword ptr [ebp+8]
004AC380 mov ecx, dword ptr [eax]
004AC382 mov edx, dword ptr [ebp+8]
004AC385 push edx
004AC386 call dword ptr [ecx+32C]
004AC38C push eax
004AC38D lea eax, dword ptr [ebp-44]
004AC390 push eax
004AC391 call dword ptr [<&msvbvm60.__vbaObjSet>] ; msvbvm60.__vbaObjSet
004AC397 mov dword ptr [ebp-D0], eax
004AC39D push 0040B98C
004AC3A2 mov ecx, dword ptr [ebp-D0]
004AC3A8 mov edx, dword ptr [ecx]
004AC3AA mov eax, dword ptr [ebp-D0]
004AC3B0 push eax
004AC3B1 call dword ptr [edx+54]
004AC3B4 fclex
004AC3B6 mov dword ptr [ebp-D4], eax
004AC3BC cmp dword ptr [ebp-D4], 0
004AC3C3 jge short 004AC3E8
004AC3C5 push 54
004AC3C7 push 0040B008
004AC3CC mov ecx, dword ptr [ebp-D0]
004AC3D2 push ecx
004AC3D3 mov edx, dword ptr [ebp-D4]
004AC3D9 push edx
004AC3DA call dword ptr [<&msvbvm60.__vbaHresultCheckObj>] ; msvbvm60.__vbaHresultCheckObj
004AC3E0 mov dword ptr [ebp-18C], eax
004AC3E6 jmp short 004AC3F2
004AC3E8 mov dword ptr [ebp-18C], 0
004AC3F2 lea ecx, dword ptr [ebp-44]
004AC3F5 call dword ptr [<&msvbvm60.__vbaFreeObj>] ; msvbvm60.__vbaFreeObj
004AC3FB mov dword ptr [ebp-4], 20
004AC402 mov dword ptr [ebp-80], 80020004
004AC409 mov dword ptr [ebp-88], 0A
004AC413 mov dword ptr [ebp-70], 80020004
004AC41A mov dword ptr [ebp-78], 0A
004AC421 mov dword ptr [ebp-A0], 0040BA3C ; ASCII "衏:y"
004AC42B mov dword ptr [ebp-A8], 8
004AC435 lea edx, dword ptr [ebp-A8]
004AC43B lea ecx, dword ptr [ebp-68]
004AC43E call dword ptr [<&msvbvm60.__vbaVarDup>] ; msvbvm60.__vbaVarDup
004AC444 mov dword ptr [ebp-90], 0040B9BC ; string (the program detected that the computer is not connected to a network...) message
004AC44E mov dword ptr [ebp-98], 8
004AC458 lea edx, dword ptr [ebp-98]
004AC45E lea ecx, dword ptr [ebp-58]
004AC461 call dword ptr [<&msvbvm60.__vbaVarDup>] ; msvbvm60.__vbaVarDup
004AC467 lea eax, dword ptr [ebp-88]
004AC46D push eax
004AC46E lea ecx, dword ptr [ebp-78]
004AC471 push ecx
004AC472 lea edx, dword ptr [ebp-68]
004AC475 push edx
004AC476 push 10
004AC478 lea eax, dword ptr [ebp-58]
004AC47B push eax
004AC47C call dword ptr [<&msvbvm60.rtcMsgBox>] ; the message box appears
004AC482 lea ecx, dword ptr [ebp-88]
004AC488 push ecx
004AC489 lea edx, dword ptr [ebp-78]
004AC48C push edx
004AC48D lea eax, dword ptr [ebp-68]
004AC490 push eax
004AC491 lea ecx, dword ptr [ebp-58]
004AC494 push ecx
004AC495 push 4
004AC497 call dword ptr [<&msvbvm60.__vbaFreeVarList>] ; msvbvm60.__vbaFreeVarList
004AC49D add esp, 14
004AC4A0 mov dword ptr [ebp-4], 22
004AC4A7 push -1 ; /OnErrEvent = Resume Next
004AC4A9 call dword ptr [<&msvbvm60.__vbaOnError>] ; \__vbaOnError
004AC4AF mov dword ptr [ebp-4], 23
004AC4B6 mov edx, 0040BA48 ; s2gappdir
004AC4BB lea ecx, dword ptr [ebp-38]
004AC4BE call dword ptr [<&msvbvm60.__vbaStrCopy>] ; msvbvm60.__vbaStrCopy
004AC4C4 lea edx, dword ptr [ebp-38]
004AC4C7 push edx
004AC4C8 lea eax, dword ptr [ebp-58]
004AC4CB push eax
004AC4CC call 004AD550
004AC4D1 mov dword ptr [ebp-90], 0040BA60 ; /temp/*.tmp
004AC4DB mov dword ptr [ebp-98], 8
004AC4E5 lea ecx, dword ptr [ebp-58]
004AC4E8 push ecx
004AC4E9 lea edx, dword ptr [ebp-98]
004AC4EF push edx
004AC4F0 lea eax, dword ptr [ebp-68]
004AC4F3 push eax
004AC4F4 call dword ptr [<&msvbvm60.__vbaVarCat>] ; msvbvm60.__vbaVarCat
004AC4FA push eax
004AC4FB call dword ptr [<&msvbvm60.rtcKillFiles>] ; msvbvm60.rtcKillFiles
004AC501 lea ecx, dword ptr [ebp-38]
004AC504 call dword ptr [<&msvbvm60.__vbaFreeStr>] ; msvbvm60.__vbaFreeStr
004AC50A lea ecx, dword ptr [ebp-68]
004AC50D push ecx
004AC50E lea edx, dword ptr [ebp-58]
004AC511 push edx
004AC512 push 2
004AC514 call dword ptr [<&msvbvm60.__vbaFreeVarList>] ; msvbvm60.__vbaFreeVarList
004AC51A add esp, 0C
004AC51D mov dword ptr [ebp-4], 24
004AC524 mov edx, 0040BA48 ; s2gappdir
004AC529 lea ecx, dword ptr [ebp-38]
004AC52C call dword ptr [<&msvbvm60.__vbaStrCopy>] ; msvbvm60.__vbaStrCopy
004AC532 lea eax, dword ptr [ebp-38]
004AC535 push eax
004AC536 lea ecx, dword ptr [ebp-58]
004AC539 push ecx
004AC53A call 004AD550
004AC53F mov dword ptr [ebp-90], 0040BA7C ; /bin/*.bat
004AC549 mov dword ptr [ebp-98], 8
004AC553 lea edx, dword ptr [ebp-58]
004AC556 push edx
004AC557 lea eax, dword ptr [ebp-98]
004AC55D push eax
004AC55E lea ecx, dword ptr [ebp-68]
004AC561 push ecx
004AC562 call dword ptr [<&msvbvm60.__vbaVarCat>] ; msvbvm60.__vbaVarCat
004AC568 push eax
004AC569 call dword ptr [<&msvbvm60.rtcKillFiles>] ; msvbvm60.rtcKillFiles
004AC56F lea ecx, dword ptr [ebp-38]
004AC572 call dword ptr [<&msvbvm60.__vbaFreeStr>] ; msvbvm60.__vbaFreeStr
004AC578 lea edx, dword ptr [ebp-68]
004AC57B push edx
004AC57C lea eax, dword ptr [ebp-58]
004AC57F push eax
004AC580 push 2
004AC582 call dword ptr [<&msvbvm60.__vbaFreeVarList>] ; msvbvm60.__vbaFreeVarList
004AC588 add esp, 0C
004AC58B mov dword ptr [ebp-4], 25
004AC592 mov edx, 0040BA98 ; mathtypepath
004AC597 lea ecx, dword ptr [ebp-38]
004AC59A call dword ptr [<&msvbvm60.__vbaStrCopy>] ; msvbvm60.__vbaStrCopy
004AC5A0 lea ecx, dword ptr [ebp-38]
004AC5A3 push ecx
004AC5A4 lea edx, dword ptr [ebp-58]
004AC5A7 push edx
004AC5A8 call 004AD550
004AC5AD mov dword ptr [ebp-90], 0040ADBC
004AC5B7 mov dword ptr [ebp-98], 8008
004AC5C1 lea eax, dword ptr [ebp-58]
004AC5C4 push eax ; /var18
004AC5C5 lea ecx, dword ptr [ebp-98] ; |
004AC5CB push ecx ; |var28
004AC5CC call dword ptr [<&msvbvm60.__vbaVarTstEq>] ; \__vbaVarTstEq
004AC5D2 mov word ptr [ebp-D0], ax
004AC5D9 lea ecx, dword ptr [ebp-38]
004AC5DC call dword ptr [<&msvbvm60.__vbaFreeStr>] ; msvbvm60.__vbaFreeStr
004AC5E2 lea ecx, dword ptr [ebp-58]
004AC5E5 call dword ptr [<&msvbvm60.__vbaFreeVar>] ; msvbvm60.__vbaFreeVar
004AC5EB movsx edx, word ptr [ebp-D0]
004AC5F2 test edx, edx
004AC5F4 je 004AC873
004AC5FA mov dword ptr [ebp-4], 26
004AC601 mov edx, 0040BB10 ; progdir
004AC606 lea ecx, dword ptr [ebp-3C]
004AC609 call dword ptr [<&msvbvm60.__vbaStrCopy>] ; msvbvm60.__vbaStrCopy
004AC60F mov edx, 0040BAB8 ; software\design science\dsmt5\directories
004AC614 lea ecx, dword ptr [ebp-38]
004AC617 call dword ptr [<&msvbvm60.__vbaStrCopy>] ; msvbvm60.__vbaStrCopy
004AC61D mov dword ptr [ebp-CC], 80000002
004AC627 lea eax, dword ptr [ebp-3C]
004AC62A push eax
004AC62B lea ecx, dword ptr [ebp-38]
004AC62E push ecx
004AC62F lea edx, dword ptr [ebp-CC]
004AC635 push edx
004AC636 lea eax, dword ptr [ebp-58]
004AC639 push eax
004AC63A call 004ACE30
004AC63F lea ecx, dword ptr [ebp-58]
004AC642 push ecx
004AC643 call dword ptr [<&msvbvm60.__vbaStrVarMove>] ; msvbvm60.__vbaStrVarMove
004AC649 mov edx, eax
004AC64B lea ecx, dword ptr [ebp-34]
004AC64E call dword ptr [<&msvbvm60.__vbaStrMove>] ; msvbvm60.__vbaStrMove
004AC654 lea edx, dword ptr [ebp-3C]
004AC657 push edx
004AC658 lea eax, dword ptr [ebp-38]
004AC65B push eax
004AC65C push 2
004AC65E call dword ptr [<&msvbvm60.__vbaFreeStrList>] ; msvbvm60.__vbaFreeStrList
004AC664 add esp, 0C
004AC667 lea ecx, dword ptr [ebp-58]
004AC66A call dword ptr [<&msvbvm60.__vbaFreeVar>] ; msvbvm60.__vbaFreeVar
004AC670 mov dword ptr [ebp-4], 27
004AC677 lea ecx, dword ptr [ebp-34]
004AC67A mov dword ptr [ebp-90], ecx
004AC680 mov dword ptr [ebp-98], 4008
004AC68A lea edx, dword ptr [ebp-98]
004AC690 push edx
004AC691 lea eax, dword ptr [ebp-58]
004AC694 push eax
004AC695 call dword ptr [<&msvbvm60.rtcTrimVar>] ; msvbvm60.rtcTrimVar
004AC69B mov ecx, dword ptr [ebp-34]
004AC69E push ecx ; /String
004AC69F call dword ptr [<&msvbvm60.__vbaLenBstr>] ; \__vbaLenBstr
004AC6A5 mov dword ptr [ebp-60], eax
004AC6A8 mov dword ptr [ebp-68], 3
004AC6AF lea edx, dword ptr [ebp-68]
004AC6B2 push edx ; /Length8
004AC6B3 push 1 ; |Start = 1
004AC6B5 lea eax, dword ptr [ebp-58] ; |
004AC6B8 push eax ; |dString8
004AC6B9 lea ecx, dword ptr [ebp-78] ; |
004AC6BC push ecx ; |RetBUFFER
004AC6BD call dword ptr [<&msvbvm60.rtcMidCharVar>] ; \rtcMidCharVar
004AC6C3 lea edx, dword ptr [ebp-78]
004AC6C6 push edx
004AC6C7 call dword ptr [<&msvbvm60.__vbaStrVarMove>] ; msvbvm60.__vbaStrVarMove
004AC6CD mov edx, eax
004AC6CF lea ecx, dword ptr [ebp-34]
004AC6D2 call dword ptr [<&msvbvm60.__vbaStrMove>] ; msvbvm60.__vbaStrMove
004AC6D8 lea eax, dword ptr [ebp-78]
004AC6DB push eax
004AC6DC lea ecx, dword ptr [ebp-68]
004AC6DF push ecx
004AC6E0 lea edx, dword ptr [ebp-58]
004AC6E3 push edx
004AC6E4 push 3
004AC6E6 call dword ptr [<&msvbvm60.__vbaFreeVarList>] ; msvbvm60.__vbaFreeVarList
004AC6EC add esp, 10
004AC6EF mov dword ptr [ebp-4], 28
004AC6F6 mov eax, dword ptr [ebp-34]
004AC6F9 push eax
004AC6FA push 0040ADBC
004AC6FF call dword ptr [<&msvbvm60.__vbaStrCmp>] ; msvbvm60.__vbaStrCmp
004AC705 test eax, eax
004AC707 je short 004AC746
004AC709 mov dword ptr [ebp-4], 29
004AC710 mov edx, 0040BA98 ; mathtypepath
004AC715 lea ecx, dword ptr [ebp-38]
004AC718 call dword ptr [<&msvbvm60.__vbaStrCopy>] ; msvbvm60.__vbaStrCopy
004AC71E lea ecx, dword ptr [ebp-34]
004AC721 push ecx
004AC722 lea edx, dword ptr [ebp-38]
004AC725 push edx
004AC726 lea eax, dword ptr [ebp-58]
004AC729 push eax
004AC72A call 004AD440
004AC72F lea ecx, dword ptr [ebp-38]
004AC732 call dword ptr [<&msvbvm60.__vbaFreeStr>] ; msvbvm60.__vbaFreeStr
004AC738 lea ecx, dword ptr [ebp-58]
004AC73B call dword ptr [<&msvbvm60.__vbaFreeVar>] ; msvbvm60.__vbaFreeVar
004AC741 jmp 004AC873
004AC746 mov dword ptr [ebp-4], 2B
004AC74D mov dword ptr [ebp-80], 80020004
004AC754 mov dword ptr [ebp-88], 0A
004AC75E mov dword ptr [ebp-70], 80020004
004AC765 mov dword ptr [ebp-78], 0A
004AC76C mov dword ptr [ebp-A0], 0040BA3C ; string (MathType not installed...)
004AC776 mov dword ptr [ebp-A8], 8
004AC780 lea edx, dword ptr [ebp-A8]
004AC786 lea ecx, dword ptr [ebp-68]
004AC789 call dword ptr [<&msvbvm60.__vbaVarDup>] ; msvbvm60.__vbaVarDup
004AC78F mov dword ptr [ebp-90], 0040BB24
004AC799 mov dword ptr [ebp-98], 8
004AC7A3 lea edx, dword ptr [ebp-98]
004AC7A9 lea ecx, dword ptr [ebp-58]
004AC7AC call dword ptr [<&msvbvm60.__vbaVarDup>] ; msvbvm60.__vbaVarDup
004AC7B2 lea ecx, dword ptr [ebp-88]
004AC7B8 push ecx
004AC7B9 lea edx, dword ptr [ebp-78]
004AC7BC push edx
004AC7BD lea eax, dword ptr [ebp-68]
004AC7C0 push eax
004AC7C1 push 10
004AC7C3 lea ecx, dword ptr [ebp-58]
004AC7C6 push ecx ; MathType-not-installed prompt
004AC7C7 call dword ptr [<&msvbvm60.rtcMsgBox>] ; msvbvm60.rtcMsgBox
004AC7CD lea edx, dword ptr [ebp-88]
004AC7D3 push edx
004AC7D4 lea eax, dword ptr [ebp-78]
004AC7D7 push eax
004AC7D8 lea ecx, dword ptr [ebp-68]
004AC7DB push ecx
004AC7DC lea edx, dword ptr [ebp-58]
004AC7DF push edx
004AC7E0 push 4
004AC7E2 call dword ptr [<&msvbvm60.__vbaFreeVarList>] ; msvbvm60.__vbaFreeVarList
004AC7E8 add esp, 14
004AC7EB mov dword ptr [ebp-4], 2C
004AC7F2 mov eax, dword ptr [ebp+8]
004AC7F5 mov ecx, dword ptr [eax]
004AC7F7 mov edx, dword ptr [ebp+8]
004AC7FA push edx
004AC7FB call dword ptr [ecx+32C]
004AC801 push eax
004AC802 lea eax, dword ptr [ebp-44]
004AC805 push eax
004AC806 call dword ptr [<&msvbvm60.__vbaObjSet>] ; msvbvm60.__vbaObjSet
004AC80C mov dword ptr [ebp-D0], eax
004AC812 push 0
004AC814 mov ecx, dword ptr [ebp-D0]
004AC81A mov edx, dword ptr [ecx]
004AC81C mov eax, dword ptr [ebp-D0]
004AC822 push eax
004AC823 call dword ptr [edx+8C]
004AC829 fclex
004AC82B mov dword ptr [ebp-D4], eax
004AC831 cmp dword ptr [ebp-D4], 0
004AC838 jge short 004AC860
004AC83A push 8C
004AC83F push 0040B008
004AC844 mov ecx, dword ptr [ebp-D0]
004AC84A push ecx
004AC84B mov edx, dword ptr [ebp-D4]
004AC851 push edx
004AC852 call dword ptr [<&msvbvm60.__vbaHresultCheckObj>] ; msvbvm60.__vbaHresultCheckObj
004AC858 mov dword ptr [ebp-190], eax
004AC85E jmp short 004AC86A
004AC860 mov dword ptr [ebp-190], 0
004AC86A lea ecx, dword ptr [ebp-44]
004AC86D call dword ptr [<&msvbvm60.__vbaFreeObj>] ; msvbvm60.__vbaFreeObj
004AC873 mov dword ptr [ebp-10], 0
004AC87A wait
004AC87B push 004AC8F7
004AC880 jmp short 004AC8CB
004AC882 lea eax, dword ptr [ebp-40]
004AC885 push eax
004AC886 lea ecx, dword ptr [ebp-3C]
004AC889 push ecx
004AC88A lea edx, dword ptr [ebp-38]
004AC88D push edx
004AC88E push 3
004AC890 call dword ptr [<&msvbvm60.__vbaFreeStrList>] ; msvbvm60.__vbaFreeStrList
004AC896 add esp, 10
004AC899 lea eax, dword ptr [ebp-48]
004AC89C push eax
=============================================================================================
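After the modifications above, the program shows as registered and can still be used without a network.
Next comes the analysis of the page-count check that runs when Start conversion is clicked. Once this is resolved there are no other restrictions, and it is basically a perfect version that needs no registration.
Because the program reports an error and exits when the Word document exceeds the page limit, the location is fairly easy to find, so here I paste the key point in the conversion code directly for analysis.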
=============================================================================================
004C121A mov dword ptr [ebp-2A4], 0
004C1224 mov dword ptr [ebp-134], 1
004C122E mov dword ptr [ebp-13C], 8002
004C1238 lea ecx, dword ptr [ebp-48]
004C123B push ecx ; /var18
004C123C lea edx, dword ptr [ebp-13C] ; |
004C1242 push edx ; |var28
004C1243 call dword ptr [<&msvbvm60.__vbaVarTstGt>] ; \__vbaVarTstGt
004C1249 mov word ptr [ebp-234], ax
004C1250 lea ecx, dword ptr [ebp-34]
004C1253 call dword ptr [<&msvbvm60.__vbaFreeObj>] ; msvbvm60.__vbaFreeObj
004C1259 lea ecx, dword ptr [ebp-48]
004C125C call dword ptr [<&msvbvm60.__vbaFreeVar>] ; msvbvm60.__vbaFreeVar
004C1262 movsx eax, word ptr [ebp-234]
004C1269 test eax, eax
004C126B je 004C1480 ; key comparison 1; the jump can be taken here
004C1271 mov dword ptr [ebp-4], 14
004C1278 lea ecx, dword ptr [ebp-48]
004C127B push ecx
004C127C call 004B3F40
004C1281 lea edx, dword ptr [ebp-48]
004C1284 push edx
004C1285 call dword ptr [<&msvbvm60.__vbaStrVarMove>] ; msvbvm60.__vbaStrVarMove
004C128B mov edx, eax
004C128D lea ecx, dword ptr [ebp-30]
004C1290 call dword ptr [<&msvbvm60.__vbaStrMove>] ; msvbvm60.__vbaStrMove
004C1296 lea eax, dword ptr [ebp-30]
004C1299 push eax
004C129A call 004B13E0
004C129F mov si, ax
004C12A2 neg si
004C12A5 sbb esi, esi
004C12A7 inc esi
004C12A8 neg esi
004C12AA call 004B4C20
004C12AF neg ax
004C12B2 sbb eax, eax
004C12B4 inc eax
004C12B5 neg eax
004C12B7 or si, ax
004C12BA xor ecx, ecx
004C12BC cmp word ptr [4FE044], 0
004C12C4 sete cl
004C12C7 neg ecx
004C12C9 or si, cx
004C12CC mov word ptr [ebp-224], si
004C12D3 lea ecx, dword ptr [ebp-30]
004C12D6 call dword ptr [<&msvbvm60.__vbaFreeStr>] ; msvbvm60.__vbaFreeStr
004C12DC lea ecx, dword ptr [ebp-48]
004C12DF call dword ptr [<&msvbvm60.__vbaFreeVar>] ; msvbvm60.__vbaFreeVar
004C12E5 movsx edx, word ptr [ebp-224]
004C12EC test edx, edx
004C12EE je 004C1472 ; key comparison 2; it can also be jumped past here
004C12F4 mov dword ptr [ebp-4], 15
004C12FB mov dword ptr [ebp-70], 80020004
004C1302 mov dword ptr [ebp-78], 0A
004C1309 mov dword ptr [ebp-60], 80020004
004C1310 mov dword ptr [ebp-68], 0A
004C1317 mov dword ptr [ebp-144], 0040BA3C ; ASCII "衏:y"
004C1321 mov dword ptr [ebp-14C], 8
004C132B lea edx, dword ptr [ebp-14C]
004C1331 lea ecx, dword ptr [ebp-58]
004C1334 call dword ptr [<&msvbvm60.__vbaVarDup>] ; msvbvm60.__vbaVarDup
004C133A mov dword ptr [ebp-134], 0040D0F4 ; string: the unregistered version can only convert one 16K page at a time...
004C1344 mov dword ptr [ebp-13C], 8
004C134E lea edx, dword ptr [ebp-13C]
004C1354 lea ecx, dword ptr [ebp-48]
004C1357 call dword ptr [<&msvbvm60.__vbaVarDup>] ; msvbvm60.__vbaVarDup
004C135D lea eax, dword ptr [ebp-78]
004C1360 push eax
004C1361 lea ecx, dword ptr [ebp-68]
004C1364 push ecx
004C1365 lea edx, dword ptr [ebp-58]
004C1368 push edx
004C1369 push 10
004C136B lea eax, dword ptr [ebp-48]
004C136E push eax
004C136F call dword ptr [<&msvbvm60.rtcMsgBox>] ; msvbvm60.rtcMsgBox
004C1375 lea ecx, dword ptr [ebp-78]
004C1378 push ecx
004C1379 lea edx, dword ptr [ebp-68]
004C137C push edx
004C137D lea eax, dword ptr [ebp-58]
004C1380 push eax
004C1381 lea ecx, dword ptr [ebp-48]
004C1384 push ecx
004C1385 push 4
004C1387 call dword ptr [<&msvbvm60.__vbaFreeVarList>] ; msvbvm60.__vbaFreeVarList
004C138D add esp, 14
004C1390 mov dword ptr [ebp-4], 16
004C1397 cmp dword ptr [4FEC90], 0
004C139E jnz short 004C13BC
004C13A0 push 004FEC90
004C13A5 push 0040B22C
004C13AA call dword ptr [<&msvbvm60.__vbaNew2>] ; msvbvm60.__vbaNew2
004C13B0 mov dword ptr [ebp-2A8], 004FEC90
004C13BA jmp short 004C13C6
004C13BC mov dword ptr [ebp-2A8], 004FEC90
004C13C6 mov edx, dword ptr [ebp-2A8]
004C13CC mov eax, dword ptr [edx]
004C13CE mov dword ptr [ebp-224], eax
004C13D4 cmp dword ptr [4FE010], 0
004C13DB jnz short 004C13F9
004C13DD push 004FE010
004C13E2 push 00408714
004C13E7 call dword ptr [<&msvbvm60.__vbaNew2>] ; msvbvm60.__vbaNew2
004C13ED mov dword ptr [ebp-2AC], 004FE010
004C13F7 jmp short 004C1403
004C13F9 mov dword ptr [ebp-2AC], 004FE010
004C1403 mov ecx, dword ptr [ebp-2AC]
004C1409 mov edx, dword ptr [ecx]
004C140B push edx
004C140C lea eax, dword ptr [ebp-34]
004C140F push eax
004C1410 call dword ptr [<&msvbvm60.__vbaObjSetAddref>] ; msvbvm60.__vbaObjSetAddref
004C1416 push eax
004C1417 mov ecx, dword ptr [ebp-224]
004C141D mov edx, dword ptr [ecx]
004C141F mov eax, dword ptr [ebp-224]
004C1425 push eax
004C1426 call dword ptr [edx+10]
004C1429 fclex
004C142B mov dword ptr [ebp-228], eax
004C1431 cmp dword ptr [ebp-228], 0
004C1438 jge short 004C145D
004C143A push 10
004C143C push 0040B21C
004C1441 mov ecx, dword ptr [ebp-224]
004C1447 push ecx
004C1448 mov edx, dword ptr [ebp-228]
004C144E push edx
004C144F call dword ptr [<&msvbvm60.__vbaHresultCheckObj>] ; msvbvm60.__vbaHresultCheckObj
004C1455 mov dword ptr [ebp-2B0], eax
004C145B jmp short 004C1467
004C145D mov dword ptr [ebp-2B0], 0
004C1467 lea ecx, dword ptr [ebp-34]
004C146A call dword ptr [<&msvbvm60.__vbaFreeObj>] ; msvbvm60.__vbaFreeObj
004C1470 jmp short 004C147E
004C1472 mov dword ptr [ebp-4], 18
004C1479 call 004C1560
004C147E jmp short 004C148C
004C1480 mov dword ptr [ebp-4], 1B
004C1487 call 004C1560
004C148C push 004C1549
004C1491 jmp 004C152A
004C1496 lea ecx, dword ptr [ebp-30]
004C1499 call dword ptr [<&msvbvm60.__vbaFreeStr>] ; msvbvm60.__vbaFreeStr
004C149F lea eax, dword ptr [ebp-38]
004C14A2 push eax
004C14A3 lea ecx, dword ptr [ebp-34]
=============================================================================================
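Besides the spot above, there is one more place that can also be jumped past to make sure the conversion works. Otherwise, if you did not skip the check at startup, a pig head may be shown in the title bar during conversion, haha.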
=============================================================================================
004C2CD0 mov dword ptr [ebp-18C], 0
004C2CDA mov eax, dword ptr [ebp-48]
004C2CDD push eax
004C2CDE push 0040B980
004C2CE3 call dword ptr [<&msvbvm60.__vbaStrCmp>] ; msvbvm60.__vbaStrCmp
004C2CE9 neg eax
004C2CEB sbb eax, eax
004C2CED inc eax
004C2CEE neg eax
004C2CF0 xor ecx, ecx
004C2CF2 cmp word ptr [4FE060], 1
004C2CFA setg cl
004C2CFD neg ecx
004C2CFF and ax, cx
004C2D02 mov word ptr [ebp-AC], ax
004C2D09 lea ecx, dword ptr [ebp-48]
004C2D0C call dword ptr [<&msvbvm60.__vbaFreeStr>] ; msvbvm60.__vbaFreeStr
004C2D12 lea ecx, dword ptr [ebp-50]
004C2D15 call dword ptr [<&msvbvm60.__vbaFreeObj>] ; msvbvm60.__vbaFreeObj
004C2D1B movsx edx, word ptr [ebp-AC]
004C2D22 test edx, edx
004C2D24 je 004C2E82 ; key jump; just jump past it
004C2D2A mov dword ptr [ebp-4], 49
004C2D31 cmp dword ptr [4FE010], 0
004C2D38 jnz short 004C2D56
004C2D3A push 004FE010
004C2D3F push 00408714
004C2D44 call dword ptr [<&msvbvm60.__vbaNew2>] ; msvbvm60.__vbaNew2
004C2D4A mov dword ptr [ebp-190], 004FE010
004C2D54 jmp short 004C2D60
004C2D56 mov dword ptr [ebp-190], 004FE010
004C2D60 mov eax, dword ptr [ebp-190]
004C2D66 mov ecx, dword ptr [eax]
004C2D68 mov dword ptr [ebp-AC], ecx
004C2D6E cmp dword ptr [4FE010], 0
004C2D75 jnz short 004C2D93
004C2D77 push 004FE010
004C2D7C push 00408714
004C2D81 call dword ptr [<&msvbvm60.__vbaNew2>] ; msvbvm60.__vbaNew2
004C2D87 mov dword ptr [ebp-194], 004FE010
004C2D91 jmp short 004C2D9D
004C2D93 mov dword ptr [ebp-194], 004FE010
004C2D9D mov edx, dword ptr [ebp-194]
004C2DA3 mov eax, dword ptr [edx]
004C2DA5 mov dword ptr [ebp-A4], eax
004C2DAB lea ecx, dword ptr [ebp-48]
004C2DAE push ecx
004C2DAF mov edx, dword ptr [ebp-A4]
004C2DB5 mov eax, dword ptr [edx]
004C2DB7 mov ecx, dword ptr [ebp-A4]
004C2DBD push ecx
004C2DBE call dword ptr [eax+50]
004C2DC1 fclex
004C2DC3 mov dword ptr [ebp-A8], eax
004C2DC9 cmp dword ptr [ebp-A8], 0
004C2DD0 jge short 004C2DF5
004C2DD2 push 50
004C2DD4 push 0040A6FC
004C2DD9 mov edx, dword ptr [ebp-A4]
004C2DDF push edx
004C2DE0 mov eax, dword ptr [ebp-A8]
004C2DE6 push eax
004C2DE7 call dword ptr [<&msvbvm60.__vbaHresultCheckObj>] ; msvbvm60.__vbaHresultCheckObj
004C2DED mov dword ptr [ebp-198], eax
004C2DF3 jmp short 004C2DFF
004C2DF5 mov dword ptr [ebp-198], 0
004C2DFF mov ecx, dword ptr [ebp-48]
004C2E02 push ecx ; the pig head is displayed here
004C2E03 push 0040D3D0 ; /^oo^
004C2E08 call dword ptr [<&msvbvm60.__vbaStrCat>] ; \__vbaStrCat
004C2E0E mov edx, eax
004C2E10 lea ecx, dword ptr [ebp-4C]
004C2E13 call dword ptr [<&msvbvm60.__vbaStrMove>] ; msvbvm60.__vbaStrMove
004C2E19 push eax
004C2E1A mov edx, dword ptr [ebp-AC]
004C2E20 mov eax, dword ptr [edx]
004C2E22 mov ecx, dword ptr [ebp-AC]
004C2E28 push ecx
004C2E29 call dword ptr [eax+54]
004C2E2C fclex
004C2E2E mov dword ptr [ebp-B0], eax
004C2E34 cmp dword ptr [ebp-B0], 0
004C2E3B jge short 004C2E60
004C2E3D push 54
004C2E3F push 0040A6FC
004C2E44 mov edx, dword ptr [ebp-AC]
004C2E4A push edx
004C2E4B mov eax, dword ptr [ebp-B0]
004C2E51 push eax
004C2E52 call dword ptr [<&msvbvm60.__vbaHresultCheckObj>] ; msvbvm60.__vbaHresultCheckObj
004C2E58 mov dword ptr [ebp-19C], eax
004C2E5E jmp short 004C2E6A
004C2E60 mov dword ptr [ebp-19C], 0
004C2E6A lea ecx, dword ptr [ebp-4C]
004C2E6D push ecx
004C2E6E lea edx, dword ptr [ebp-48]
004C2E71 push edx
=============================================================================================
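I tested it: conversion works, and it still converts with the network disconnected. The program behaves as if it needed no registration.
Reminder: if, after analyzing the program, you save the modified program under a different file name, the conversion succeeds, but when the program closes automatically and is opened again you find that it asks for registration again, cannot convert multiple pages and cannot be used without a network. When that happens, do not assume the crack is wrong.
Reason: the program directory contains a program named "backrun.exe". After the conversion finishes, the program exits and calls backrun.exe, and backrun.exe opens Word方正转换器.exe, so if the original is still there, the original is of course what gets launched. After cracking, delete the original file and rename the cracked file to the original name. (Of course, a patch can also be used.)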
--------------------------------------------------------------------------------
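【Lessons learned】
When analyzing a program, the first thing you need is patience; analyzed slowly, it should all be solvable. I am still very much a beginner, though, and my algorithm-analysis ability is still weak; for now I am still learning. In future I may analyze algorithms more, which may bring faster progress. I hope the experts will give me plenty of pointers. Thank you!!!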
--------------------------------------------------------------------------------
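【Copyright notice】: This article was originally published on the 飘云阁 technical forum. When reposting, please credit the author and keep the article intact. Thank you!
2008-05-21 19:30:01
[ This post was last edited by JackyChou on 2008-5-22 08:18 ]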