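【Article title】A simple analysis of AutoDWG PDF Converter V3.2.2.3
【Author】冰糖[BST]
【Author email】[email protected]
【Author homepage】http://bbs.thulu.com
【Tools】PEiD 0.94 + OD
【Platform】XP SP3
【Software name】AutoDWG DWG2PDF Converter
【Software size】6.66 MB
【Original download】http://www.skycn.com//soft/22012.html
【Protection】Registration code
【Software description】AutoDWG DWG to PDF Converter allows you to convert DWG to PDF, DXF to PDF, DWF to PDF directly, NO AutoCAD required, batch conversion supported.
【Statement】This article is for research and study only; I accept no legal liability for any consequences arising from it. The shortcomings in this article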
------------------------------------------------------------------------
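【Process】I hadn't done any cracking for a long time. Today I wanted to convert my own CAD drawings to PDF, and a Baidu search turned up this software, which has a 15-day trial limit.
With the tools ready, let's get to work.
PEiD finds no packer: Microsoft Visual C++ 6.0.
Load it in OD, run it, enter a fake code and confirm; a dialog pops up saying "register failed!"
Search for the string and double-click to jump to it.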
0041518E /. 55 push ebp ; set a breakpoint here with F2
0041518F |. 8BEC mov ebp, esp
00415191 |. 51 push ecx
00415192 |. 894D FC mov dword ptr [ebp-4], ecx
00415195 |. 6A 01 push 1
00415197 |. 8B4D FC mov ecx, dword ptr [ebp-4]
0041519A |. E8 7DBA4600 call <jmp.&MFC42.#6334>
0041519F |. 6A 00 push 0
004151A1 |. 68 384BAB00 push 00AB4B38
004151A6 |. 8B4D FC mov ecx, dword ptr [ebp-4]
004151A9 |. 81C1 B0030000 add ecx, 3B0
004151AF |. E8 88BB4600 call <jmp.&MFC42.#6877>
004151B4 |. 8B4D FC mov ecx, dword ptr [ebp-4]
004151B7 |. 81C1 B4030000 add ecx, 3B4
004151BD |. E8 FEC8FEFF call 00401AC0
004151C2 |. 85C0 test eax, eax ; check whether an email was entered
004151C4 |. 74 19 je short 004151DF
004151C6 |. 6A 00 push 0
004151C8 |. 68 3C4BAB00 push 00AB4B3C ; autodwgdwg2pdf
004151CD |. 68 4C4BAB00 push 00AB4B4C ; please input your email!
004151D2 |. 8B4D FC mov ecx, dword ptr [ebp-4]
004151D5 |. E8 D8BD4600 call <jmp.&MFC42.#4224>
004151DA |. E9 F8000000 jmp 004152D7
004151DF |> 6A 00 push 0
004151E1 |. 68 684BAB00 push 00AB4B68 ; @
004151E6 |. 8B4D FC mov ecx, dword ptr [ebp-4]
004151E9 |. 81C1 B4030000 add ecx, 3B4
004151EF |. E8 B8BD4600 call <jmp.&MFC42.#6663>
004151F4 |. 85C0 test eax, eax ; email format check
004151F6 |. 7F 14 jg short 0041520C
004151F8 |. 6A 00 push 0
004151FA |. 68 6C4BAB00 push 00AB4B6C ; autodwgdwg2pdf
004151FF |. 68 7C4BAB00 push 00AB4B7C ; please input correct email address.
00415204 |. 8B4D FC mov ecx, dword ptr [ebp-4]
00415207 |. E8 A6BD4600 call <jmp.&MFC42.#4224>
0041520C |> 8B4D FC mov ecx, dword ptr [ebp-4]
0041520F |. 81C1 B0030000 add ecx, 3B0
00415215 |. E8 A6C8FEFF call 00401AC0
0041521A |. 85C0 test eax, eax ; check whether a registration code was entered
0041521C |. 74 19 je short 00415237
0041521E |. 6A 00 push 0
00415220 |. 68 A04BAB00 push 00AB4BA0 ; autodwgdwg2pdf
00415225 |. 68 B04BAB00 push 00AB4BB0 ; please input the register code!
0041522A |. 8B4D FC mov ecx, dword ptr [ebp-4]
0041522D |. E8 80BD4600 call <jmp.&MFC42.#4224>
00415232 |. E9 A0000000 jmp 004152D7
00415237 |> 8B4D FC mov ecx, dword ptr [ebp-4]
0041523A |. E8 EFB94600 call <jmp.&MFC42.#1669>
0041523F |. 8B4D FC mov ecx, dword ptr [ebp-4]
00415242 |. 81C1 B0030000 add ecx, 3B0
00415248 |. E8 23C9FEFF call 00401B70
0041524D |. 50 push eax ; fake code 98765432101234567890123456
0041524E |. 8B4D FC mov ecx, dword ptr [ebp-4]
00415251 |. 81C1 B4030000 add ecx, 3B4
00415257 |. E8 14C9FEFF call 00401B70
0041525C |. 50 push eax ; my email: [email protected]
0041525D |. E8 08A60300 call 0044F86A ; algorithm call, step into it with F7
00415262 |. 83C4 08 add esp, 8
00415265 |. 25 FF000000 and eax, 0FF
0041526A |. 85C0 test eax, eax
0041526C |. 74 4D je short 004152BB
0041526E |. 8B4D FC mov ecx, dword ptr [ebp-4]
00415271 |. E8 94B94600 call <jmp.&MFC42.#4853>
00415276 |. 8B45 FC mov eax, dword ptr [ebp-4]
00415279 |. C780 B8030000 0>mov dword ptr [eax+3B8], 1
00415283 |. 8B4D FC mov ecx, dword ptr [ebp-4]
00415286 |. 83B9 B8030000 0>cmp dword ptr [ecx+3B8], 0
0041528D |. 74 16 je short 004152A5
0041528F |. 6A 00 push 0
00415291 |. 68 D04BAB00 push 00AB4BD0 ; autodwgdwg2pdf
00415296 |. 68 E04BAB00 push 00AB4BE0 ; thank you, registered succeed !
0041529B |. 8B4D FC mov ecx, dword ptr [ebp-4]
0041529E |. E8 0FBD4600 call <jmp.&MFC42.#4224>
004152A3 |. EB 14 jmp short 004152B9
004152A5 |> 6A 00 push 0
004152A7 |. 68 004CAB00 push 00AB4C00 ; autodwgdwg2pdf
004152AC |. 68 104CAB00 push 00AB4C10 ; thank you, registered fail !
004152B1 |. 8B4D FC mov ecx, dword ptr [ebp-4]
004152B4 |. E8 F9BC4600 call <jmp.&MFC42.#4224>
004152B9 |> EB 1C jmp short 004152D7
004152BB |> 6A 00 push 0
004152BD |. 68 304CAB00 push 00AB4C30 ; autodwgdwg2pdf
004152C2 |. 68 404CAB00 push 00AB4C40 ; register failed!
004152C7 |. 8B4D FC mov ecx, dword ptr [ebp-4]
004152CA |. E8 E3BC4600 call <jmp.&MFC42.#4224>
004152CF |. 8B4D FC mov ecx, dword ptr [ebp-4]
004152D2 |. E8 4BB94600 call <jmp.&MFC42.#2652>
004152D7 |> 8BE5 mov esp, ebp
004152D9 |. 5D pop ebp
004152DA \. C3 retn
0044F86A /$ 55 push ebp
0044F86B |. 8BEC mov ebp, esp
0044F86D |. 6A FF push -1
0044F86F |. 68 2BD49500 push 0095D42B ; SE handler installation
0044F874 |. 64:A1 00000000 mov eax, dword ptr fs:[0]
0044F87A |. 50 push eax
0044F87B |. 64:8925 0000000>mov dword ptr fs:[0], esp
0044F882 |. 83EC 14 sub esp, 14
0044F885 |. C645 EC 01 mov byte ptr [ebp-14], 1
0044F889 |. 8B45 0C mov eax, dword ptr [ebp+C] ; fake code 98765432101234567890123456
0044F88C |. 50 push eax
0044F88D |. 8D4D F0 lea ecx, dword ptr [ebp-10]
0044F890 |. E8 B1164300 call <jmp.&MFC42.#537>
0044F895 |. C745 FC 0000000>mov dword ptr [ebp-4], 0
0044F89C |. 8B4D 0C mov ecx, dword ptr [ebp+C]
0044F89F |. 51 push ecx
0044F8A0 |. E8 36040000 call 0044FCDB ; key algorithm call
0044F8A5 |. 83C4 04 add esp, 4
0044F8A8 |. 25 FF000000 and eax, 0FF
0044F8AD |. 85C0 test eax, eax
0044F8AF |. 75 19 jnz short 0044F8CA
0044F8B1 |. 8B55 0C mov edx, dword ptr [ebp+C]
0044F8B4 |. 52 push edx
0044F8B5 |. E8 C3130000 call 00450C7D
0044F8BA |. 83C4 04 add esp, 4
0044F8BD |. 85C0 test eax, eax
0044F8BF |. 75 09 jnz short 0044F8CA ; registration fails if this jump is not taken
0044F8C1 |. C645 EC 00 mov byte ptr [ebp-14], 0
0044F8C5 E9 A8000000 jmp 0044F972
0044F8CA |> 8D4D E8 lea ecx, dword ptr [ebp-18]
0044F8CD |. E8 8E15FDFF call 00420E60
0044F8D2 |. C645 FC 01 mov byte ptr [ebp-4], 1
0044F8D6 |. 6A 00 push 0
0044F8D8 |. 6A 00 push 0
0044F8DA |. 68 3F000F00 push 0F003F
0044F8DF |. 6A 00 push 0 ; below, the registration info is saved to the registry
0044F8E1 |. 6A 00 push 0
0044F8E3 |. 68 88A1AB00 push 00ABA188 ; software\autodwg\dwg_pdf_conver
0044F8E8 |. 68 02000080 push 80000002
0044F8ED |. 8D4D E8 lea ecx, dword ptr [ebp-18]
0044F8F0 |. E8 DB180000 call 004511D0
0044F8F5 |. 85C0 test eax, eax
0044F8F7 |. 75 19 jnz short 0044F912
0044F8F9 |. 68 A8A1AB00 push 00ABA1A8 ; key
0044F8FE |. 8B45 0C mov eax, dword ptr [ebp+C]
0044F901 |. 50 push eax
0044F902 |. 8D4D E8 lea ecx, dword ptr [ebp-18]
0044F905 |. E8 36190000 call 00451240
0044F90A |. 85C0 test eax, eax
0044F90C |. 74 04 je short 0044F912
0044F90E |. C645 EC 00 mov byte ptr [ebp-14], 0
0044F912 |> 8D4D E4 lea ecx, dword ptr [ebp-1C]
0044F915 |. E8 4615FDFF call 00420E60
0044F91A |. C645 FC 02 mov byte ptr [ebp-4], 2
0044F91E |. 6A 00 push 0
0044F920 |. 6A 00 push 0
0044F922 |. 68 3F000F00 push 0F003F
0044F927 |. 6A 00 push 0
0044F929 |. 6A 00 push 0
0044F92B |. 68 ACA1AB00 push 00ABA1AC ; software\autodwg\dwg_pdf_conver
0044F930 |. 68 01000080 push 80000001
0044F935 |. 8D4D E4 lea ecx, dword ptr [ebp-1C]
0044F938 |. E8 93180000 call 004511D0
0044F93D |. 85C0 test eax, eax
0044F93F |. 75 19 jnz short 0044F95A
0044F941 |. 68 CCA1AB00 push 00ABA1CC ; key
0044F946 |. 8B4D 0C mov ecx, dword ptr [ebp+C]
0044F949 |. 51 push ecx
0044FCDB /$ 55 push ebp
0044FCDC |. 8BEC mov ebp, esp
0044FCDE |. 6A FF push -1
0044FCE0 |. 68 85D49500 push 0095D485 ; SE handler installation
0044FCE5 |. 64:A1 00000000 mov eax, dword ptr fs:[0]
0044FCEB |. 50 push eax
0044FCEC |. 64:8925 0000000>mov dword ptr fs:[0], esp
0044FCF3 |. 83EC 24 sub esp, 24
0044FCF6 |. 8B45 08 mov eax, dword ptr [ebp+8]
0044FCF9 |. 50 push eax ; /s
0044FCFA |. E8 F7174300 call <jmp.&MSVCRT.strlen> ; \strlen
0044FCFF |. 83C4 04 add esp, 4
0044FD02 |. 83F8 1A cmp eax, 1A ; is the registration code 26 characters long?
0044FD05 74 07 je short 0044FD0E ; registration fails if this jump is not taken
0044FD07 |. 32C0 xor al, al
0044FD09 |. E9 BF000000 jmp 0044FDCD
0044FD0E |> 8B4D 08 mov ecx, dword ptr [ebp+8]
0044FD11 |. 51 push ecx
0044FD12 |. 8D4D F0 lea ecx, dword ptr [ebp-10]
0044FD15 |. E8 2C124300 call <jmp.&MFC42.#537>
0044FD1A |. C745 FC 0000000>mov dword ptr [ebp-4], 0
0044FD21 |. 8D4D EC lea ecx, dword ptr [ebp-14]
0044FD24 |. E8 870E4300 call <jmp.&MFC42.#540>
0044FD29 |. C645 FC 01 mov byte ptr [ebp-4], 1
0044FD2D |. 51 push ecx
0044FD2E |. 8BCC mov ecx, esp
0044FD30 |. 8965 E8 mov dword ptr [ebp-18], esp
0044FD33 |. 8D55 F0 lea edx, dword ptr [ebp-10]
0044FD36 |. 52 push edx
0044FD37 |. E8 EC0E4300 call <jmp.&MFC42.#535>
0044FD3C |. 8945 D8 mov dword ptr [ebp-28], eax
0044FD3F |. 8D45 E4 lea eax, dword ptr [ebp-1C]
0044FD42 |. 50 push eax
0044FD43 |. E8 C40B0000 call 0045090C ; call that transforms the user-entered registration code
0044FD48 |. 83C4 08 add esp, 8
0044FD4B |. 8945 D4 mov dword ptr [ebp-2C], eax
0044FD4E |. 8B4D D4 mov ecx, dword ptr [ebp-2C]
0044FD51 |. 894D D0 mov dword ptr [ebp-30], ecx
0044FD54 |. C645 FC 02 mov byte ptr [ebp-4], 2
0044FD58 |. 8B55 D0 mov edx, dword ptr [ebp-30]
0044FD5B |. 52 push edx
0044FD5C |. 8D4D EC lea ecx, dword ptr [ebp-14]
0044FD5F |. E8 D00E4300 call <jmp.&MFC42.#858>
0044FD64 |. C645 FC 01 mov byte ptr [ebp-4], 1
0044FD68 |. 8D4D E4 lea ecx, dword ptr [ebp-1C]
0044FD6B |. E8 280E4300 call <jmp.&MFC42.#800>
0044FD70 |. 68 4CA2AB00 push 00ABA24C ; string the result is compared against: "&d#2*P"
0044FD75 |. 8D45 EC lea eax, dword ptr [ebp-14]
0044FD78 |. 50 push eax
0044FD79 |. E8 2265FCFF call 004162A0 ; key comparison: is the transformed registration code, converted to a string, equal to "&d#2*P"?
0044FD7E |. 25 FF000000 and eax, 0FF
0044FD83 |. 85C0 test eax, eax
0044FD85 |. 74 24 je short 0044FDAB ; registration fails if this jump is taken
0044FD87 |. C645 E0 01 mov byte ptr [ebp-20], 1
0045090C /$ 55 push ebp
0045090D |. 8BEC mov ebp, esp
0045090F |. 6A FF push -1
00450911 |. 68 47D59500 push 0095D547 ; SE handler installation
00450916 |. 64:A1 00000000 mov eax, dword ptr fs:[0]
0045091C |. 50 push eax
0045091D |. 64:8925 0000000>mov dword ptr fs:[0], esp
00450924 |. 83EC 14 sub esp, 14
00450927 |. C745 E4 0000000>mov dword ptr [ebp-1C], 0
0045092E |. C745 FC 0100000>mov dword ptr [ebp-4], 1
00450935 |. 8D4D F0 lea ecx, dword ptr [ebp-10]
00450938 |. E8 73024300 call <jmp.&MFC42.#540>
0045093D |. C645 FC 02 mov byte ptr [ebp-4], 2
00450941 |. 6A 00 push 0
00450943 |. 68 10A3AB00 push 00ABA310
00450948 |. 8D4D 0C lea ecx, dword ptr [ebp+C]
0045094B |. E8 EC034300 call <jmp.&MFC42.#6877>
00450950 |. 51 push ecx
00450951 |. 8BCC mov ecx, esp
00450953 |. 8965 E8 mov dword ptr [ebp-18], esp
00450956 |. 68 14A3AB00 push 00ABA314 ; ASCII "*2%^W#g@"
0045095B |. E8 E6054300 call <jmp.&MFC42.#537>
00450960 |. 8945 E0 mov dword ptr [ebp-20], eax
00450963 |. 8D45 0C lea eax, dword ptr [ebp+C]
00450966 |. 50 push eax ; fake code 98765432101234567890123456
00450967 |. E8 8BCFFCFF call 0041D8F7 ; transform call; the result is ASCII "b05281811c1ae5211d96c6a7"
0045096C |. 83C4 08 add esp, 8
0045096F |. C745 EC 0000000>mov dword ptr [ebp-14], 0
00450976 |. EB 09 jmp short 00450981
00450978 |> 8B4D EC /mov ecx, dword ptr [ebp-14] ; from the transform result, take two characters, then skip two
0045097B |. 83C1 02 |add ecx, 2
0045097E |. 894D EC |mov dword ptr [ebp-14], ecx
00450981 |> 837D EC 0C cmp dword ptr [ebp-14], 0C
00450985 |. 7D 17 |jge short 0045099E
00450987 |. 8B55 EC |mov edx, dword ptr [ebp-14]
0045098A |. 52 |push edx
0045098B |. 8D4D 0C |lea ecx, dword ptr [ebp+C]
0045098E |. E8 DDE2FCFF |call 0041EC70
00450993 |. 50 |push eax
00450994 |. 8D4D F0 |lea ecx, dword ptr [ebp-10]
00450997 |. E8 E8064300 |call <jmp.&MFC42.#940>
0045099C |.^ EB DA \jmp short 00450978
0045099E |> 8D45 F0 lea eax, dword ptr [ebp-10] ; result of the loop above: B0 81 1C E5 1D C6
004509A1 |. 50 push eax
004509A2 |. 8B4D 08 mov ecx, dword ptr [ebp+8]
004509A5 |. E8 7E024300 call <jmp.&MFC42.#535>
004509AA |. 8B4D E4 mov ecx, dword ptr [ebp-1C]
004509AD |. 83C9 01 or ecx, 1
004509B0 |. 894D E4 mov dword ptr [ebp-1C], ecx
004509B3 |. C645 FC 01 mov byte ptr [ebp-4], 1
004509B7 |. 8D4D F0 lea ecx, dword ptr [ebp-10]
004509BA |. E8 D9014300 call <jmp.&MFC42.#800>
004509BF |. C645 FC 00 mov byte ptr [ebp-4], 0
004509C3 |. 8D4D 0C lea ecx, dword ptr [ebp+C]
004509C6 |. E8 CD014300 call <jmp.&MFC42.#800>
004509CB |. 8B45 08 mov eax, dword ptr [ebp+8]
------------------------------------------------------------------------
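【Summary】This software uses a fixed registration code that has nothing to do with the user's email.
The entered registration code is run through a transform and the result is compared with a fixed string, so patching it is simple. Since the registration code is fixed, analysing the algorithm is too much trouble, and it may well be an irreversible algorithm, so it is not worth the effort.
The verification part:
tt = FixedAlgorithm(InputRegistrationCode)
For i = 1 To Len(tt) Step 4
a = Mid(tt, i, 2)
b = Val("&h" & a)
c = Chr(b)
TT2 = TT2 & c
Next i
If TT2 equals "&d#2*P", registration succeeds.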
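The sampling and comparison stage summarised above, as an added Python example (not the author's code and not the program's): it checks the VB loop against the loop at 00450978 using the fake-code transform output quoted in the listing, and shows that the email never enters the decision. The transform at 0041D8F7 is not reproduced; reading the disassembly loop as an index over the decoded bytes is an assumption, and all function names are hypothetical.

```python
# Added example. Values marked "from the page" are copied from the listing's
# comments; everything else (names, structure) is an assumption.

TARGET = b"&d#2*P"  # constant pushed at 0044FD70 (from the page)
FAKE_CODE_TRANSFORMED = "b05281811c1ae5211d96c6a7"  # output of 0041D8F7 for the fake code (from the page)


def sample_vb(tt: str) -> bytes:
    """VB pseudocode view: For i = 1 To Len(tt) Step 4, decode Mid(tt, i, 2) as hex."""
    out = bytearray()
    for i in range(0, len(tt), 4):  # VB strings are 1-based, Python's are 0-based
        pair = tt[i:i + 2]
        if len(pair) < 2:
            break  # a trailing single character cannot form a hex pair
        out.append(int(pair, 16))
    return bytes(out)


def sample_loop(tt: str) -> bytes:
    """Disassembly view (assumed): counter 0, 2, ... while < 0x0C indexes the decoded bytes."""
    raw = bytes.fromhex(tt)
    return bytes(raw[i] for i in range(0, 0x0C, 2) if i < len(raw))


def is_registered(transformed_hex: str, email: str) -> bool:
    """Final decision as the summary describes it: only the transformed code matters."""
    # 'email' is accepted and ignored on purpose, mirroring the finding that
    # the check at 0044FD79 compares against a constant unrelated to the user.
    return sample_vb(transformed_hex) == TARGET


if __name__ == "__main__":
    sampled = sample_vb(FAKE_CODE_TRANSFORMED)
    print("sampled bytes:", sampled.hex(" ").upper())
    print("both views agree:", sampled == sample_loop(FAKE_CODE_TRANSFORMED))
    # Constructed addresses: the outcome is identical whatever email is supplied.
    for email in ("first@example.com", "second@example.com"):
        print(email, "->", is_registered(FAKE_CODE_TRANSFORMED, email))
```
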
------------------------------------------------------------------------
【Copyright】From BBS.THULU.COM. When reposting, please credit the author and keep the article intact. Thanks!
[ Last edited by 冰糖 on 2008-10-15 22:11 ]