- UID
- 73772
注册时间2014-2-1
阅读权限40
最后登录1970-1-1
独步武林
 
TA的每日心情 | 难过
2024-3-10 19:49 |
|---|
签到天数: 473 天 [LV.9]以坛为家II
|
本帖最后由 吾爱学习 于 2014-10-23 10:04 编辑
【文章标题】: Softany CHM to PDF Converter v3.0
【文章作者】: Dxer
【软件名称】: Softany CHM to PDF Converter v3.0
【软件大小】: 1.45MB
【下载地址】: http://www.softany.com/chm-to-pdf/
【加壳方式】: 无
【保护方式】: 收费
【编写语言】: Dephi
【使用工具】: OD
【操作平台】: windows xp sp3
【软件介绍】: 很无聊
【作者声明】: 只是感兴趣,没有其他目的。失误之处敬请诸位大侠赐教!
--------------------------------------------------------------------------------
【详细过程】
载入OD,直接F8单步。
00515B88 > 55 push ebp ; (initial cpu selection)
00515B89 8BEC mov ebp, esp
00515B8B 83C4 EC add esp, -14
00515B8E 53 push ebx
00515B8F 33C0 xor eax, eax
00515B91 8945 EC mov dword ptr [ebp-14], eax
00515B94 B8 E4B45000 mov eax, 0050B4E4 ; m
00515B99 E8 7A4AEFFF call 0040A618
00515B9E 33C0 xor eax, eax
00515BA0 55 push ebp
00515BA1 68 E25C5100 push 00515CE2
00515BA6 64:FF30 push dword ptr fs:[eax]
00515BA9 64:8920 mov dword ptr fs:[eax], esp
00515BAC A1 C4855100 mov eax, dword ptr [5185C4]
00515BB1 33D2 xor edx, edx
00515BB3 E8 2411EFFF call 00406CDC
00515BB8 A1 BC865100 mov eax, dword ptr [5186BC]
00515BBD BA FC5C5100 mov edx, 00515CFC ; softany chm to pdf converter
00515BC2 E8 1511EFFF call 00406CDC
00515BC7 A1 088A5100 mov eax, dword ptr [518A08]
00515BCC BA 445D5100 mov edx, 00515D44 ; v3.0
00515BD1 E8 0611EFFF call 00406CDC
00515BD6 A1 68895100 mov eax, dword ptr [518968]
00515BDB BA 5C5D5100 mov edx, 00515D5C ; (c) copyright 2010-2014 softany software.
00515BE0 E8 F710EFFF call 00406CDC
00515BE5 A1 A88C5100 mov eax, dword ptr [518CA8]
00515BEA BA BC5D5100 mov edx, 00515DBC ; http://www.softany.com/chm-to-pdf/
00515BEF E8 E810EFFF call 00406CDC
00515BF4 A1 208B5100 mov eax, dword ptr [518B20]
00515BF9 BA 105E5100 mov edx, 00515E10 ; http://www.softany.com/chm-to-pdf/purchase.htm?v30
00515BFE E8 D910EFFF call 00406CDC
00515C03 A1 108A5100 mov eax, dword ptr [518A10]
00515C08 BA 845E5100 mov edx, 00515E84 ; [email protected]
00515C0D E8 CA10EFFF call 00406CDC
00515C12 A1 C8895100 mov eax, dword ptr [5189C8]
00515C17 BA B85E5100 mov edx, 00515EB8 ; \software\softany\chm to pdf converter
00515C1C E8 BB10EFFF call 00406CDC
00515C21 E8 7E94FDFF call 004EF0A4
00515C26 A1 C4855100 mov eax, dword ptr [5185C4]
00515C2B 8338 00 cmp dword ptr [eax], 0
00515C2E 75 5E jnz short 00515C8E ; 把JNZ改成JMP,否则无法进入后面的Call
00515C30 A1 088B5100 mov eax, dword ptr [518B08]
00515C35 BA 145F5100 mov edx, 00515F14 ; unregistered
00515C3A E8 9D10EFFF call 00406CDC
00515C3F 8B0D 548A5100 mov ecx, dword ptr [518A54] ; chm2pdf.0051E2C0
00515C45 8B09 mov ecx, dword ptr [ecx]
00515C47 B2 01 mov dl, 1
00515C49 A1 14F94E00 mov eax, dword ptr [4EF914]
00515C4E E8 C539FBFF call 004C9618
00515C53 8BD8 mov ebx, eax
00515C55 A1 BC865100 mov eax, dword ptr [5186BC]
00515C5A FF30 push dword ptr [eax]
00515C5C 68 3C5F5100 push 00515F3C
00515C61 A1 088A5100 mov eax, dword ptr [518A08]
00515C66 FF30 push dword ptr [eax]
00515C68 8D45 EC lea eax, dword ptr [ebp-14]
00515C6B BA 03000000 mov edx, 3
00515C70 E8 0716EFFF call 0040727C
00515C75 8B55 EC mov edx, dword ptr [ebp-14]
00515C78 8BC3 mov eax, ebx
00515C7A E8 45D3F8FF call 004A2FC4
00515C7F 8BC3 mov eax, ebx
00515C81 8B10 mov edx, dword ptr [eax]
00515C83 FF92 10010000 call dword ptr [edx+110]
00515C89 83F8 02 cmp eax, 2
00515C8C 74 3E je short 00515CCC
00515C8E A1 548A5100 mov eax, dword ptr [518A54] ; 强制到这里,F8单步
00515C93 8B00 mov eax, dword ptr [eax]
00515C95 E8 3EE3FBFF call 004D3FD8
00515C9A A1 548A5100 mov eax, dword ptr [518A54]
00515C9F 8B00 mov eax, dword ptr [eax]
00515CA1 B2 01 mov dl, 1
00515CA3 E8 6C00FCFF call 004D5D14
00515CA8 8B0D B0885100 mov ecx, dword ptr [5188B0] ; chm2pdf.0051E3E4
00515CAE A1 548A5100 mov eax, dword ptr [518A54]
00515CB3 8B00 mov eax, dword ptr [eax]
00515CB5 8B15 28725000 mov edx, dword ptr [507228] ; chm2pdf.00507280
00515CBB E8 30E3FBFF call 004D3FF0
00515CC0 A1 548A5100 mov eax, dword ptr [518A54]
00515CC5 8B00 mov eax, dword ptr [eax]
00515CC7 E8 74E4FBFF call 004D4140 ; F7进Call,猥琐去
00515CCC 33C0 xor eax, eax
00515CCE 5A pop edx
00515CCF 59 pop ecx
00515CD0 59 pop ecx
00515CD1 64:8910 mov dword ptr fs:[eax], edx
00515CD4 68 E95C5100 push 00515CE9
00515CD9 8D45 EC lea eax, dword ptr [ebp-14]
00515CDC E8 EB0FEFFF call 00406CCC
00515CE1 C3 retn
由于提前下了断点,所以直接来到修改处
004EF0F0 55 push ebp ; 进来了。环境大不同啊
004EF0F1 68 5DF14E00 push 004EF15D
004EF0F6 64:FF30 push dword ptr fs:[eax]
004EF0F9 64:8920 mov dword ptr fs:[eax], esp
004EF0FC 8D4D F8 lea ecx, dword ptr [ebp-8]
004EF0FF BA 78F24E00 mov edx, 004EF278 ; regname
004EF104 8B45 FC mov eax, dword ptr [ebp-4]
004EF107 E8 C8FDF5FF call 0044EED4
004EF10C 8B55 F8 mov edx, dword ptr [ebp-8]
004EF10F A1 088B5100 mov eax, dword ptr [518B08]
004EF114 E8 C37BF1FF call 00406CDC
004EF119 8D45 F4 lea eax, dword ptr [ebp-C]
004EF11C 50 push eax
004EF11D 8D4D EC lea ecx, dword ptr [ebp-14]
004EF120 BA 94F24E00 mov edx, 004EF294 ; regcode
004EF125 8B45 FC mov eax, dword ptr [ebp-4]
004EF128 E8 A7FDF5FF call 0044EED4
004EF12D 8B45 EC mov eax, dword ptr [ebp-14]
004EF130 8D55 F0 lea edx, dword ptr [ebp-10]
004EF133 E8 20FEFFFF call 004EEF58
004EF138 8B45 F0 mov eax, dword ptr [ebp-10]
004EF13B 33C9 xor ecx, ecx
004EF13D 66:BA FE05 mov dx, 5FE
004EF141 E8 46FFFFFF call 004EF08C
004EF146 8B55 F4 mov edx, dword ptr [ebp-C]
004EF149 A1 A0875100 mov eax, dword ptr [5187A0]
004EF14E E8 897BF1FF call 00406CDC
004EF153 33C0 xor eax, eax
004EF155 5A pop edx
004EF156 59 pop ecx
004EF157 59 pop ecx
004EF158 64:8910 mov dword ptr fs:[eax], edx
004EF15B EB 40 jmp short 004EF19D
004EF15D ^ E9 4664F1FF jmp 004055A8
004EF162 33C9 xor ecx, ecx
004EF164 BA 78F24E00 mov edx, 004EF278 ; regname
004EF169 8B45 FC mov eax, dword ptr [ebp-4]
004EF16C E8 4BFCF5FF call 0044EDBC
004EF171 33C9 xor ecx, ecx
004EF173 BA 94F24E00 mov edx, 004EF294 ; regcode
004EF178 8B45 FC mov eax, dword ptr [ebp-4]
004EF17B E8 3CFCF5FF call 0044EDBC
004EF180 A1 088B5100 mov eax, dword ptr [518B08]
004EF185 33D2 xor edx, edx
004EF187 E8 507BF1FF call 00406CDC
004EF18C A1 A0875100 mov eax, dword ptr [5187A0]
004EF191 33D2 xor edx, edx
004EF193 E8 447BF1FF call 00406CDC
004EF198 E8 6368F1FF call 00405A00
004EF19D 8B45 FC mov eax, dword ptr [ebp-4]
004EF1A0 E8 BF5CF1FF call 00404E64
004EF1A5 8B15 A0875100 mov edx, dword ptr [5187A0] ; chm2pdf.0051E3AC
004EF1AB 8B12 mov edx, dword ptr [edx]
004EF1AD A1 088B5100 mov eax, dword ptr [518B08]
004EF1B2 8B00 mov eax, dword ptr [eax]
004EF1B4 E8 1FF5FFFF call 004EE6D8
004EF1B9 8BD8 mov ebx, eax
004EF1BB 8BC3 mov eax, ebx
004EF1BD 83E8 01 sub eax, 1
004EF1C0 90 nop ; 直接将JB,NOP填充
004EF1C1 90 nop
004EF1C2 74 17 je short 004EF1DB
004EF1C4 2D 0E270000 sub eax, 270E
004EF1C9 75 21 jnz short 004EF1EC ; JE改成JNZ就可以了。为了获得unlimited-user license授权版本。需要什么版本自己看
004EF1CB EB 30 jmp short 004EF1FD
004EF1CD A1 C4855100 mov eax, dword ptr [5185C4]
004EF1D2 33D2 xor edx, edx
004EF1D4 E8 037BF1FF call 00406CDC
004EF1D9 EB 3E jmp short 004EF219
004EF1DB A1 C4855100 mov eax, dword ptr [5185C4]
004EF1E0 BA B0F24E00 mov edx, 004EF2B0 ; single-user license
004EF1E5 E8 F27AF1FF call 00406CDC
004EF1EA EB 2D jmp short 004EF219
004EF1EC A1 C4855100 mov eax, dword ptr [5185C4]
004EF1F1 BA E4F24E00 mov edx, 004EF2E4 ; unlimited-user license
004EF1F6 E8 E17AF1FF call 00406CDC
004EF1FB EB 1C jmp short 004EF219
004EF1FD 8D55 E8 lea edx, dword ptr [ebp-18]
004EF200 8BC3 mov eax, ebx
004EF202 E8 4543F2FF call 0041354C
004EF207 8B55 E8 mov edx, dword ptr [ebp-18]
004EF20A A1 C4855100 mov eax, dword ptr [5185C4]
004EF20F B9 20F34E00 mov ecx, 004EF320 ; -user license
004EF214 E8 7F7FF1FF call 00407198
004EF219 A1 C4855100 mov eax, dword ptr [5185C4]
004EF21E 8338 00 cmp dword ptr [eax], 0
004EF221 75 11 jnz short 004EF234
004EF223 A1 38885100 mov eax, dword ptr [518838]
004EF228 BA 48F34E00 mov edx, 004EF348 ; [unregistered]
004EF22D E8 AA7AF1FF call 00406CDC
004EF232 EB 0C jmp short 004EF240
004EF234 A1 38885100 mov eax, dword ptr [518838]
004EF239 33D2 xor edx, edx
004EF23B E8 9C7AF1FF call 00406CDC
004EF240 33C0 xor eax, eax
004EF242 5A pop edx
004EF243 59 pop ecx
004EF244 59 pop ecx
004EF245 64:8910 mov dword ptr fs:[eax], edx
004EF248 68 62F24E00 push 004EF262
004EF24D 8D45 E8 lea eax, dword ptr [ebp-18]
004EF250 BA 05000000 mov edx, 5
004EF255 E8 7A7AF1FF call 00406CD4
004EF25A C3 retn
004EF25B ^ E9 FC65F1FF jmp 0040585C
004EF260 ^ EB EB jmp short 004EF24D
004EF262 5F pop edi
004EF263 5E pop esi
004EF264 5B pop ebx
004EF265 8BE5 mov esp, ebp
004EF267 5D pop ebp
004EF268 C3 retn
未注册:
已注册后:
【经验总结】
另一个改法是保证call后EAX的赋值为270F即可实现无限制破解。
先去官网下载安装,然后把我上传的附件覆盖之
附上百度网盘下载链接:http://pan.baidu.com/s/1c0szpMo 密码:o0ph
--------------------------------------------------------------------------------
【版权声明】: 本文原创于店小二,转载请注明作者并保存文章的完整,谢谢!
2014年10月22日 16:21:10
|
|
IP卡
发表于 2014-10-23 09:49:47
提升卡
置顶卡
变色卡
千斤顶
显身卡
发表于 2014-10-23 10:20:35
楼主
发表于 2014-10-23 13:03:15
发表于 2014-10-25 21:06:27
