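【Title】: A Brief Analysis of Solid Converter PDF V3.0 Build 299
【Author】: yijun[OCN]
【Author email】: yijun8354@sina.com
【Author QQ】: 190282269
【Software name】: SolidConverterPDF
【Software size】: 145k
【Download URL】: http://www.skycn.com/soft/20929.html
【Packer】: None
【Protection】: Registration code
【Language】: Microsoft Visual C++ 6.0 [Overlay]
【Tools used】: peid, ollydbg
【Platform】: XP sp2
【Software description】: Solid Converter PDF is a program dedicated to converting PDF files to DOC. Besides DOC, it can also convert to RTF and Word XML files. It also has an image extraction feature that lets us pull the images out of a PDF, and it can extract the tables in a PDF and export them to Excel so that the table data is easy to edit.
【Author's statement】: This is purely out of interest, with no other purpose. Please point out any mistakes!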
--------------------------------------------------------------------------------
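【Detailed process】
Load the program in OllyDbg (OD) and enter the basic information:
Name: yijun
Email: yijun8354@sina.com
Organization: www.cqupt.edu.cn
Unlock code: CQUPT
Set a breakpoint on MessageBoxW; execution breaks at:
77D4071A > 8BFF mov edi,edi ; Converte.10118130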
77D4071C 55 push ebp
77D4071D 8BEC mov ebp,esp
77D4071F 833D A412D777 0>cmp dword ptr ds:[77D712A4],0
77D40726 0F85 9BE80000 jnz USER32.77D4EFC7
77D4072C 6A 00 push 0
77D4072E FF75 14 push dword ptr ss:[ebp+14]
77D40731 FF75 10 push dword ptr ss:[ebp+10]
77D40734 FF75 0C push dword ptr ss:[ebp+C]
77D40737 FF75 08 push dword ptr ss:[ebp+8]
77D4073A E8 09000000 call USER32.MessageBoxExW
77D4073F 5D pop ebp
77D40740 C2 1000 retn 10
After dismissing the error dialog, execution returns to:
1003BF46 FF15 B8220C10 call dword ptr ds:[<&MFC71LU.#577>] ; MFC71LU.#577
1003BF4C 6A 10 push 10
1003BF4E 8D4D E8 lea ecx,dword ptr ss:[ebp-18]
1003BF51 FF15 A8220C10 call dword ptr ds:[<&MFC71LU.#870>] ; MFC71LU.#2806
1003BF57 50 push eax
1003BF58 8D4D E4 lea ecx,dword ptr ss:[ebp-1C]
1003BF5B FF15 A8220C10 call dword ptr ds:[<&MFC71LU.#870>] ; MFC71LU.#2806
1003BF61 50 push eax
1003BF62 FF76 20 push dword ptr ds:[esi+20]
1003BF65 FF15 3C801110 call dword ptr ds:[1011803C] ; USER32.MessageBoxW
1003BF6B 68 08310C10 push Converte.100C3108 // returns here
Looking further up, we reach:
1003BC8D E8 0CF5FFFF call Converte.1003B19E ; restart the program and step into this call after the break
1003BC92 8BCF mov ecx,edi
1003BC94 E8 B1E9FFFF call Converte.1003A64A ; comparison CALL
1003BC99 84C0 test al,al
1003BC9B 8BCF mov ecx,edi
1003BC9D 0F84 E8000000 je Converte.1003BD8B ; key jump
1003BCA3 E8 84EDFFFF call Converte.1003AA2C
1003BCA8 8BCF mov ecx,edi
1003BCAA E8 97E9FFFF call Converte.1003A646
1003BCAF 83F8 04 cmp eax,4
1003BCB2 75 5F jnz short Converte.1003BD13
1003BCB4 68 98DB0C10 push Converte.100CDB98 ; UNICODE "Successfully_Registered"
1003BCB9 8D4D F0 lea ecx,dword ptr ss:[ebp-10]
1003BCBC FF15 9C220C10 call dword ptr ds:[<&MFC71LU.#283>] ; MFC71LU.#283
1003BCC2 8B4D E0 mov ecx,dword ptr ss:[ebp-20]
1003BCC5 6A 01 push 1
1003BCC7 8D45 F0 lea eax,dword ptr ss:[ebp-10]
1003BCCA 50 push eax
1003BCCB 8D45 EC lea eax,dword ptr ss:[ebp-14]
1003BCCE 50 push eax
1003BCCF C645 FC 07 mov byte ptr ss:[ebp-4],7
1003BCD3 E8 5F18FFFF call Converte.1002D537
1003BCD8 53 push ebx
1003BCD9 8D4D E8 lea ecx,dword ptr ss:[ebp-18]
1003BCDC 8945 E4 mov dword ptr ss:[ebp-1C],eax
1003BCDF FF15 A8220C10 call dword ptr ds:[<&MFC71LU.#870>] ; MFC71LU.#2806
1003BCE5 8B4D E4 mov ecx,dword ptr ss:[ebp-1C]
1003BCE8 50 push eax
1003BCE9 FF15 A8220C10 call dword ptr ds:[<&MFC71LU.#870>] ; MFC71LU.#2806
1003BCEF 50 push eax
1003BCF0 FF76 20 push dword ptr ds:[esi+20]
1003BCF3 FF15 3C801110 call dword ptr ds:[1011803C] ; USER32.MessageBoxW
1003BCF9 8D4D EC lea ecx,dword ptr ss:[ebp-14]
1003BCFC FF15 B8220C10 call dword ptr ds:[<&MFC71LU.#577>] ; MFC71LU.#577
1003BD02 8D4D F0 lea ecx,dword ptr ss:[ebp-10]
1003BD05 C645 FC 04 mov byte ptr ss:[ebp-4],4
1003BD09 FF15 B8220C10 call dword ptr ds:[<&MFC71LU.#577>] ; MFC71LU.#577
1003BD0F 6A 02 push 2
1003BD11 EB 69 jmp short Converte.1003BD7C
1003BD13 8BCF mov ecx,edi
1003BD15 E8 2CE9FFFF call Converte.1003A646
1003BD1A 83F8 02 cmp eax,2
1003BD1D 75 64 jnz short Converte.1003BD83
1003BD1F 68 6CDB0C10 push Converte.100CDB6C ; UNICODE "Successfully_Unlocked"
1003BD24 8D4D F0 lea ecx,dword ptr ss:[ebp-10]
1003BD27 FF15 9C220C10 call dword ptr ds:[<&MFC71LU.#283>] ; MFC71LU.#283
1003BD2D 8B4D E0 mov ecx,dword ptr ss:[ebp-20]
Stepping into the CALL at 1003BC8D, we reach:
1003B19E B8 63AB0B10 mov eax,Converte.100BAB63
1003B1A3 E8 248C0700 call Converte.100B3DCC
1003B1A8 83EC 20 sub esp,20
1003B1AB 53 push ebx
1003B1AC 56 push esi
1003B1AD 57 push edi
1003B1AE 8D45 D4 lea eax,dword ptr ss:[ebp-2C]
1003B1B1 50 push eax
1003B1B2 8BF1 mov esi,ecx
1003B1B4 E8 D4FEFFFF call Converte.1003B08D
1003B1B9 8BF8 mov edi,eax
1003B1BB 8365 FC 00 and dword ptr ss:[ebp-4],0
1003B1BF 8D45 D8 lea eax,dword ptr ss:[ebp-28]
1003B1C2 50 push eax
1003B1C3 8BCE mov ecx,esi
1003B1C5 E8 2BFEFFFF call Converte.1003AFF5
1003B1CA 8BD8 mov ebx,eax
1003B1CC 8D45 DC lea eax,dword ptr ss:[ebp-24]
1003B1CF 50 push eax
1003B1D0 8BCE mov ecx,esi
1003B1D2 C645 FC 01 mov byte ptr ss:[ebp-4],1
1003B1D6 E8 40FEFFFF call Converte.1003B01B
1003B1DB 8945 F0 mov dword ptr ss:[ebp-10],eax
1003B1DE 8D45 E0 lea eax,dword ptr ss:[ebp-20]
1003B1E1 50 push eax
1003B1E2 8BCE mov ecx,esi
1003B1E4 C645 FC 02 mov byte ptr ss:[ebp-4],2
1003B1E8 E8 7AFEFFFF call Converte.1003B067
1003B1ED 8945 EC mov dword ptr ss:[ebp-14],eax
1003B1F0 8D45 E4 lea eax,dword ptr ss:[ebp-1C]
1003B1F3 50 push eax
1003B1F4 8BCE mov ecx,esi
1003B1F6 C645 FC 03 mov byte ptr ss:[ebp-4],3
1003B1FA E8 42FEFFFF call Converte.1003B041
1003B1FF 8945 E8 mov dword ptr ss:[ebp-18],eax
1003B202 8BCF mov ecx,edi
1003B204 C645 FC 04 mov byte ptr ss:[ebp-4],4
1003B208 FF15 A8220C10 call dword ptr ds:[<&MFC71LU.#870>] ; get the email
1003B20E 50 push eax
1003B20F 8BCB mov ecx,ebx
1003B211 FF15 A8220C10 call dword ptr ds:[<&MFC71LU.#870>] ; MFC71LU.#2806
1003B217 8B4D F0 mov ecx,dword ptr ss:[ebp-10]
1003B21A 50 push eax
1003B21B FF15 A8220C10 call dword ptr ds:[<&MFC71LU.#870>] ; MFC71LU.#2806
1003B221 8B4D EC mov ecx,dword ptr ss:[ebp-14]
1003B224 50 push eax
1003B225 FF15 A8220C10 call dword ptr ds:[<&MFC71LU.#870>] ; MFC71LU.#2806
1003B22B 8B4D E8 mov ecx,dword ptr ss:[ebp-18]
1003B22E 50 push eax
1003B22F FF15 A8220C10 call dword ptr ds:[<&MFC71LU.#870>] ; MFC71LU.#2806
1003B235 50 push eax
1003B236 8BCE mov ecx,esi
1003B238 E8 1AFFFFFF call Converte.1003B157 ; step into
Stepping into the CALL at 1003B238, we reach:
1003B157 55 push ebp
1003B158 8BEC mov ebp,esp
1003B15A 56 push esi
1003B15B FF75 08 push dword ptr ss:[ebp+8]
1003B15E 8BF1 mov esi,ecx
1003B160 E8 9BFDFFFF call Converte.1003AF00
1003B165 FF75 0C push dword ptr ss:[ebp+C]
1003B168 8BCE mov ecx,esi
1003B16A E8 C2FDFFFF call Converte.1003AF31
1003B16F FF75 10 push dword ptr ss:[ebp+10]
1003B172 8BCE mov ecx,esi
1003B174 E8 4BFEFFFF call Converte.1003AFC4
1003B179 FF75 14 push dword ptr ss:[ebp+14]
1003B17C 8BCE mov ecx,esi
1003B17E E8 10FEFFFF call Converte.1003AF93
1003B183 FF75 18 push dword ptr ss:[ebp+18]
1003B186 8BCE mov ecx,esi
1003B188 E8 D5FDFFFF call Converte.1003AF62
1003B18D 6A 00 push 0
1003B18F 8BCE mov ecx,esi
1003B191 E8 1DFFFFFF call Converte.1003B0B3 ; step into
Stepping into the CALL at 1003B191, we reach:
1003B0B3 B8 2CAB0B10 mov eax,Converte.100BAB2C
1003B0B8 E8 0F8D0700 call Converte.100B3DCC
1003B0BD 83EC 0C sub esp,0C
1003B0C0 53 push ebx
1003B0C1 56 push esi
1003B0C2 57 push edi
1003B0C3 8BF1 mov esi,ecx
1003B0C5 E8 C6790700 call <jmp.&MFC71LU.#1079>
1003B0CA 8B40 04 mov eax,dword ptr ds:[eax+4]
1003B0CD 8D4D E8 lea ecx,dword ptr ss:[ebp-18]
1003B0D0 51 push ecx
1003B0D1 8D88 B0000000 lea ecx,dword ptr ds:[eax+B0]
1003B0D7 E8 B1FFFFFF call Converte.1003B08D
1003B0DC 8BF8 mov edi,eax
1003B0DE 8365 FC 00 and dword ptr ss:[ebp-4],0
1003B0E2 E8 A9790700 call <jmp.&MFC71LU.#1079>
1003B0E7 8B40 04 mov eax,dword ptr ds:[eax+4]
1003B0EA 8D4D EC lea ecx,dword ptr ss:[ebp-14]
1003B0ED 51 push ecx
1003B0EE 8D88 B0000000 lea ecx,dword ptr ds:[eax+B0]
1003B0F4 E8 6EFFFFFF call Converte.1003B067
1003B0F9 8BD8 mov ebx,eax
1003B0FB C645 FC 01 mov byte ptr ss:[ebp-4],1
1003B0FF E8 8C790700 call <jmp.&MFC71LU.#1079>
1003B104 8B40 04 mov eax,dword ptr ds:[eax+4]
1003B107 8D4D F0 lea ecx,dword ptr ss:[ebp-10]
1003B10A 51 push ecx
1003B10B 8D88 B0000000 lea ecx,dword ptr ds:[eax+B0]
1003B111 E8 2BFFFFFF call Converte.1003B041
1003B116 FF75 08 push dword ptr ss:[ebp+8]
1003B119 8B0E mov ecx,dword ptr ds:[esi]
1003B11B 8B11 mov edx,dword ptr ds:[ecx]
1003B11D 57 push edi
1003B11E 53 push ebx
1003B11F 50 push eax
1003B120 C645 FC 02 mov byte ptr ss:[ebp-4],2
1003B124 FF52 10 call dword ptr ds:[edx+10] ; step into
Stepping into the CALL at 1003B124, we reach:
10028180 8B4424 10 mov eax,dword ptr ss:[esp+10]
10028184 53 push ebx
10028185 8B5C24 0C mov ebx,dword ptr ss:[esp+C]
10028189 55 push ebp
1002818A 8B6C24 0C mov ebp,dword ptr ss:[esp+C]
1002818E 56 push esi
1002818F 57 push edi
10028190 8B7C24 1C mov edi,dword ptr ss:[esp+1C]
10028194 50 push eax
10028195 57 push edi
10028196 53 push ebx
10028197 55 push ebp
10028198 8BF1 mov esi,ecx
1002819A E8 89B40200 call Converte.10053628 ; step into
Stepping into the CALL at 1002819A, we reach:
10053628 55 push ebp
10053629 8BEC mov ebp,esp
1005362B 56 push esi
1005362C 8BF1 mov esi,ecx
1005362E 57 push edi
1005362F 8D4E 2C lea ecx,dword ptr ds:[esi+2C]
10053632 FF15 D8220C10 call dword ptr ds:[<&MFC71LU.#3927>] ; MFC71LU.#3928
10053638 84C0 test al,al
1005363A 74 0C je short Converte.10053648
1005363C 8BCE mov ecx,esi
1005363E E8 A2FCFFFF call Converte.100532E5
10053643 E8 F0C1FFFF call Converte.1004F838
10053648 33FF xor edi,edi
1005364A 57 push edi
1005364B 57 push edi
1005364C 57 push edi
1005364D 57 push edi
1005364E 57 push edi
1005364F 68 13FF0410 push Converte.1004FF13
10053654 E8 F1FD0500 call <jmp.&MFC71LU.#1021>
10053659 8B4D 10 mov ecx,dword ptr ss:[ebp+10]
1005365C FF15 D8220C10 call dword ptr ds:[<&MFC71LU.#3927>] ; MFC71LU.#3928
10053662 84C0 test al,al
10053664 8B4D 0C mov ecx,dword ptr ss:[ebp+C]
10053667 74 45 je short Converte.100536AE
10053669 FF15 C8220C10 call dword ptr ds:[<&MFC71LU.#2895>] ; MFC71LU.#2896
1005366F 85C0 test eax,eax
10053671 74 36 je short Converte.100536A9
10053673 8B4D 08 mov ecx,dword ptr ss:[ebp+8]
10053676 FF15 C8220C10 call dword ptr ds:[<&MFC71LU.#2895>] ; MFC71LU.#2896
1005367C 85C0 test eax,eax
1005367E 74 29 je short Converte.100536A9
10053680 8B4D 0C mov ecx,dword ptr ss:[ebp+C]
10053683 53 push ebx
10053684 FF75 14 push dword ptr ss:[ebp+14]
10053687 8B1E mov ebx,dword ptr ds:[esi]
10053689 FF15 A8220C10 call dword ptr ds:[<&MFC71LU.#870>] ; get the registration code
1005368F 8B4D 08 mov ecx,dword ptr ss:[ebp+8]
10053692 50 push eax
10053693 FF15 A8220C10 call dword ptr ds:[<&MFC71LU.#870>] ; get the email address
10053699 50 push eax
1005369A 57 push edi
1005369B 8BCE mov ecx,esi
1005369D FF53 0C call dword ptr ds:[ebx+C] ; step into
Stepping into the CALL at 1005369D, we reach:
10027770 6A FF push -1
10027772 68 04840B10 push Converte.100B8404
10027777 64:A1 00000000 mov eax,dword ptr fs:[0]
1002777D 50 push eax
1002777E 64:8925 0000000>mov dword ptr fs:[0],esp
10027785 83EC 0C sub esp,0C
10027788 53 push ebx
10027789 55 push ebp
1002778A 56 push esi
1002778B 57 push edi
1002778C 8D4424 18 lea eax,dword ptr ss:[esp+18]
10027790 6A 01 push 1
10027792 33F6 xor esi,esi
10027794 50 push eax
10027795 897424 18 mov dword ptr ss:[esp+18],esi
10027799 E8 D2FEFFFF call Converte.10027670
1002779E 83C4 08 add esp,8
100277A1 8B7C24 34 mov edi,dword ptr ss:[esp+34]
100277A5 8B6C24 30 mov ebp,dword ptr ss:[esp+30]
100277A9 8B4C24 2C mov ecx,dword ptr ss:[esp+2C]
100277AD 897424 24 mov dword ptr ss:[esp+24],esi
100277B1 8B7424 38 mov esi,dword ptr ss:[esp+38]
100277B5 56 push esi
100277B6 57 push edi
100277B7 55 push ebp
100277B8 51 push ecx
100277B9 BB 01000000 mov ebx,1
100277BE 8BC8 mov ecx,eax
100277C0 895C24 20 mov dword ptr ss:[esp+20],ebx
100277C4 FF15 A8220C10 call dword ptr ds:[<&MFC71LU.#870>] ; MFC71LU.#2806
100277CA 50 push eax
100277CB E8 62340100 call Converte.1003AC32 ; step into
Stepping into the CALL at 100277CB, we reach:
1003AC32 B8 CEAA0B10 mov eax,Converte.100BAACE
1003AC37 E8 90910700 call Converte.100B3DCC
1003AC3C 51 push ecx
1003AC3D 837D 08 00 cmp dword ptr ss:[ebp+8],0
1003AC41 0F84 9F000000 je Converte.1003ACE6
1003AC47 837D 10 00 cmp dword ptr ss:[ebp+10],0
1003AC4B 0F84 95000000 je Converte.1003ACE6
1003AC51 837D 14 00 cmp dword ptr ss:[ebp+14],0
1003AC55 0F84 8B000000 je Converte.1003ACE6
1003AC5B 53 push ebx
1003AC5C FF75 10 push dword ptr ss:[ebp+10]
1003AC5F 8D45 08 lea eax,dword ptr ss:[ebp+8]
1003AC62 FF75 0C push dword ptr ss:[ebp+C]
1003AC65 FF75 08 push dword ptr ss:[ebp+8]
1003AC68 50 push eax
1003AC69 E8 64FCFFFF call Converte.1003A8D2 ;
1003AC6E 83C4 10 add esp,10
1003AC71 8365 FC 00 and dword ptr ss:[ebp-4],0
1003AC75 8D4D 08 lea ecx,dword ptr ss:[ebp+8]
1003AC78 FF15 A8220C10 call dword ptr ds:[<&MFC71LU.#870>] ; concatenate SolidConverterPDFv3Pro and yijun8354@sina.com into SolidConverterPDFv3Proyijun8354@sina.com
1003AC7E 50 push eax
1003AC7F 8D45 F0 lea eax,dword ptr ss:[ebp-10]
1003AC82 50 push eax
1003AC83 E8 CEFEFFFF call Converte.1003AB56
Stepping into the CALL at 1003AC83, we reach:
1003AB56 B8 BBAA0B10 mov eax,Converte.100BAABB
1003AB5B E8 6C920700 call Converte.100B3DCC
1003AB60 83EC 0C sub esp,0C
1003AB63 8365 E8 00 and dword ptr ss:[ebp-18],0
1003AB67 56 push esi
1003AB68 51 push ecx
1003AB69 8BCC mov ecx,esp
1003AB6B 8965 E8 mov dword ptr ss:[ebp-18],esp
1003AB6E FF75 0C push dword ptr ss:[ebp+C]
1003AB71 FF15 9C220C10 call dword ptr ds:[<&MFC71LU.#283>] ; SolidConverterPDFv3Proyijun8354@sina.com goes to EDX
1003AB77 E8 2341FFFF call Converte.1002EC9F ; step into
1003AB7C 8D4D EC lea ecx,dword ptr ss:[ebp-14]
1003AB7F 8BF0 mov esi,eax ; move EAX into ESI
1003AB81 C70424 C0D30C10 mov dword ptr ss:[esp],Converte.100CD3C0 ; load the string bcdfghkmnpqrstvwxyz
1003AB88 FF15 9C220C10 call dword ptr ds:[<&MFC71LU.#283>] ; the string bcdfghkmnpqrstvwxyz goes to EDX
1003AB8E 8365 FC 00 and dword ptr ss:[ebp-4],0
1003AB92 68 08310C10 push Converte.100C3108
1003AB97 8D4D F0 lea ecx,dword ptr ss:[ebp-10]
1003AB9A FF15 9C220C10 call dword ptr ds:[<&MFC71LU.#283>] ; MFC71LU.#283
1003ABA0 C645 FC 01 mov byte ptr ss:[ebp-4],1
1003ABA4 EB 50 jmp short Converte.1003ABF6
1003ABA6 8D4D F0 lea ecx,dword ptr ss:[ebp-10]
1003ABA9 FF15 C8220C10 call dword ptr ds:[<&MFC71LU.#2895>] ; number of iterations so far goes to EAX
1003ABAF 83F8 04 cmp eax,4 ; compare EAX with 4
1003ABB2 7D 46 jge short Converte.1003ABFA ; leave the loop if not less than
1003ABB4 8D4D EC lea ecx,dword ptr ss:[ebp-14]
1003ABB7 FF15 C8220C10 call dword ptr ds:[<&MFC71LU.#2895>] ; EAX=13
1003ABBD 8BC8 mov ecx,eax ; move EAX into ECX
1003ABBF 8BC6 mov eax,esi ; move the previously computed result into EAX
1003ABC1 99 cdq ; sign-extend
1003ABC2 F7F9 idiv ecx ; divide EAX by ECX (13); quotient in EAX, remainder in EDX
1003ABC4 52 push edx
1003ABC5 E8 2E920700 call <jmp.&MSLUR71.labs>
1003ABCA 59 pop ecx
1003ABCB 50 push eax
1003ABCC 8D4D EC lea ecx,dword ptr ss:[ebp-14]
1003ABCF FF15 E8250C10 call dword ptr ds:[<&MFC71LU.#2444>] ; step into
1003ABD5 8845 E8 mov byte ptr ss:[ebp-18],al ; table lookup result stored in [ebp-18]
1003ABD8 FF75 E8 push dword ptr ss:[ebp-18]
1003ABDB 8D4D F0 lea ecx,dword ptr ss:[ebp-10]
1003ABDE FF15 F4280C10 call dword ptr ds:[<&MFC71LU.#897>] ; table lookup result
1003ABE4 8D4D EC lea ecx,dword ptr ss:[ebp-14]
1003ABE7 FF15 C8220C10 call dword ptr ds:[<&MFC71LU.#2895>] ; ***13 goes to EAX***
1003ABED 8BC8 mov ecx,eax ; move EAX into ECX
1003ABEF 8BC6 mov eax,esi ; move the previously computed result into EAX
1003ABF1 99 cdq ; sign-extend
1003ABF2 F7F9 idiv ecx ; divide EAX by ECX (13); quotient in EAX, remainder in EDX
1003ABF4 8BF0 mov esi,eax ; quotient saved in ESI
1003ABF6 85F6 test esi,esi
1003ABF8 ^ 75 AC jnz short Converte.1003ABA6 ; ***continue if the quotient is not 0; this part repeats the loop above and mainly tests whether the quotient is 0***
1003ABFA 8D4D F0 lea ecx,dword ptr ss:[ebp-10]
1003ABFD FF15 F0280C10 call dword ptr ds:[<&MFC71LU.#4078>] ; convert the result to upper case
1003AC03 8B4D 08 mov ecx,dword ptr ss:[ebp+8]
1003AC06 8D45 F0 lea eax,dword ptr ss:[ebp-10]
1003AC09 50 push eax
1003AC0A FF15 D0220C10 call dword ptr ds:[<&MFC71LU.#280>] ; MFC71LU.#280
1003AC10 8D4D F0 lea ecx,dword ptr ss:[ebp-10]
1003AC13 FF15 B8220C10 call dword ptr ds:[<&MFC71LU.#577>] ; MFC71LU.#577
1003AC19 8D4D EC lea ecx,dword ptr ss:[ebp-14]
1003AC1C FF15 B8220C10 call dword ptr ds:[<&MFC71LU.#577>] ; MFC71LU.#577
1003AC22 8B4D F4 mov ecx,dword ptr ss:[ebp-C]
1003AC25 8B45 08 mov eax,dword ptr ss:[ebp+8]
1003AC28 64:890D 0000000>mov dword ptr fs:[0],ecx
1003AC2F 5E pop esi
1003AC30 C9 leave
1003AC31 C3 retn // return
Stepping into the CALL at 1003AB77, we reach:
1002EC9F B8 A6920B10 mov eax,Converte.100B92A6
1002ECA4 E8 23510800 call Converte.100B3DCC
1002ECA9 81EC 04040000 sub esp,404
1002ECAF A1 A07E1110 mov eax,dword ptr ds:[10117EA0]
1002ECB4 53 push ebx
1002ECB5 56 push esi
1002ECB6 8945 F0 mov dword ptr ss:[ebp-10],eax
1002ECB9 57 push edi
1002ECBA 33DB xor ebx,ebx
1002ECBC 8D4D 08 lea ecx,dword ptr ss:[ebp+8]
1002ECBF 895D FC mov dword ptr ss:[ebp-4],ebx
1002ECC2 FF15 60280C10 call dword ptr ds:[<&MFC71LU.#4074>] ; MFC71LU.#4074
1002ECC8 53 push ebx
1002ECC9 53 push ebx
1002ECCA 68 00040000 push 400
1002ECCF 8D85 F0FBFFFF lea eax,dword ptr ss:[ebp-410]
1002ECD5 50 push eax
1002ECD6 8D4D 08 lea ecx,dword ptr ss:[ebp+8]
1002ECD9 FF15 C8220C10 call dword ptr ds:[<&MFC71LU.#2895>] ; compute the length of the concatenated string
1002ECDF 50 push eax
1002ECE0 53 push ebx
1002ECE1 8D4D 08 lea ecx,dword ptr ss:[ebp+8]
1002ECE4 FF15 CC230C10 call dword ptr ds:[<&MFC71LU.#2460>] ; MFC71LU.#5149
1002ECEA 50 push eax
1002ECEB 53 push ebx
1002ECEC 53 push ebx
1002ECED FF15 DC7F1110 call dword ptr ds:[10117FDC] ; kernel32.WideCharToMultiByte
1002ECF3 8BF8 mov edi,eax
1002ECF5 6A FF push -1
1002ECF7 8D4D 08 lea ecx,dword ptr ss:[ebp+8]
1002ECFA 889C3D F0FBFFFF mov byte ptr ss:[ebp+edi-410],bl
1002ED01 FF15 C8230C10 call dword ptr ds:[<&MFC71LU.#5398>] ; convert the whole string to lower case
1002ED07 33C0 xor eax,eax ; clear EAX
1002ED09 33F6 xor esi,esi ; clear ESI
1002ED0B 3BFB cmp edi,ebx
1002ED0D 7E 13 jle short Converte.1002ED22
1002ED0F 0FBE8C05 F0FBFF>movsx ecx,byte ptr ss:[ebp+eax-410] ; load the string into ECX one character at a time
1002ED17 8D740E 0D lea esi,dword ptr ds:[esi+ecx+D]
1002ED1B 03DE add ebx,esi ; accumulate over the string's characters; result goes in EBX
1002ED1D 40 inc eax ; increment EAX
1002ED1E 3BC7 cmp eax,edi ; all characters processed?
1002ED20 ^ 7C ED jl short Converte.1002ED0F ; if not, continue
1002ED22 8D4D 08 lea ecx,dword ptr ss:[ebp+8] ; after the loop ends, EBX=000175B2
1002ED25 FF15 B8220C10 call dword ptr ds:[<&MFC71LU.#577>] ; MFC71LU.#577
1002ED2B 8B4D F4 mov ecx,dword ptr ss:[ebp-C]
1002ED2E 8BC3 mov eax,ebx ; move the result into EAX
1002ED30 C1E0 10 shl eax,10 ; shift EAX left by 10 (hex) bits
1002ED33 5F pop edi
1002ED34 03C6 add eax,esi ; EAX = EAX + ESI; ESI is 118A
1002ED36 5E pop esi
1002ED37 64:890D 0000000>mov dword ptr fs:[0],ecx
1002ED3E 8B4D F0 mov ecx,dword ptr ss:[ebp-10]
1002ED41 5B pop ebx
1002ED42 E8 A24B0800 call Converte.100B38E9
1002ED47 C9 leave
1002ED48 C3 retn // return
Stepping into the CALL at 1003ABCF, we reach:
00521463 > 8B5424 04 mov edx,dword ptr ss:[esp+4]
00521467 85D2 test edx,edx
00521469 7C 0E jl short MFC71LU.00521479
0052146B 8B01 mov eax,dword ptr ds:[ecx] ; the character table bcdfghkmnpqrstvwxyz goes to EAX
0052146D 3B50 F4 cmp edx,dword ptr ds:[eax-C]
00521470 7F 07 jg short MFC71LU.00521479
00521472 66:8B0450 mov ax,word ptr ds:[eax+edx*2] ; [eax+edx*2] goes to AX: the table lookup result
00521476 C2 0400 retn 4 ; return
--------------------------------------------------------------------------------
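【Summary】
The registration code depends only on the email address. Concatenate SolidConverterPDFv3Pro with the email address that was entered, then sum the ASCII codes of the characters, add 118A to the accumulated result and call it S. Divide S by 13 (hex); the quotient becomes the dividend for the next iteration, and the remainder is used to index the table bcdfghkmnpqrstvwxyz. The loop exits when the number of iterations is greater than 4 or the quotient is zero. Finally, converting the lookup results to upper-case letters gives the registration code.
For example:
Name: yijun
Email: yijun8354@sina.com
Organization: www.cqupt.edu.cn
Unlock code: HSDX
--------------------------------------------------------------------------------
【Copyright notice】: This article was originally published on the Kanxue (看雪) technical forum. When reposting, please credit the author and keep the article intact. Thank you!
April 19, 2006 16:22:36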