[PDFlib-6.0.3p1-Windows] license key algorithm analysis [original]
Posted: 2006-5-25 13:31
*************************************************
* [PDFlib-6.0.3p1-Windows] license key algorithm analysis *
* - AZMC.13 *
* - 2006.05.25 *
*************************************************
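Part 1: Software overview
1) Download location
http://www.pdflib.org/cn/index.html (Chinese)
http://www.pdflib.org/ (English)
2) About the software
The PDFlib product family
-------------------------
PDFlib GmbH of Germany is a software company that specializes in packages for generating and
processing batches of PDF documents on the fly from applications, web servers or databases. PDFlib
software is delivered as function libraries and is available for all current major development
platforms and programming languages. All its products support Asian scripts and Unicode, and so
support internationalized document archiving, prepress and web applications to a high standard.
PDFlib products in the real world (pdf)
---------------------------------------
We have collected several typical cases of PDFlib in use. To learn more, see the white paper
"PDFlib products in the real world".
PDFlib, PDFlib+PDI, PPS - helping you batch-generate high-quality PDF documents (pdf)
-------------------------------------------------------------------------------------
The PDFlib product family is a set of packages designed for dynamically generating and processing
large volumes of PDF documents on the server side. It is not a finished application but middleware
available for all current major development platforms and programming languages. PDFlib offers
three packages: PDFlib, PDFlib+PDI and PDFlib Personalization Server (PPS).
The PDFlib library contains a range of modules; by calling them, customers can generate PDF
documents containing text, vector graphics, images and hypertext.
PDFlib+PDI includes all PDFlib functions plus the PDF Import Library (PDI), which can process
pages of existing PDF documents and build new pages on top of them.
PDFlib Personalization Server (PPS) includes all PDFlib+PDI functions plus the ability to fill
PDFlib blocks automatically. A PDFlib block is a rectangular area reserved on a PDF page that can
later be filled dynamically with text, images and PDF pages. In practice PPS is used in two steps:
the first step is to create the PDFlib blocks, which the user does on Mac or Windows with the
Adobe Acrobat plug-in supplied by PDFlib, PDFlib block. The second step is to fill the PDFlib
blocks automatically by calling the corresponding PPS functions.
PDFlib TET - the ideal text extraction toolkit (pdf | html)
-----------------------------------------------------------
The PDFlib Text Extraction Toolkit (TET) is a product designed for extracting text from PDF files.
It comes in two forms: an executable program and a library. TET extracts the text content of PDF
files and outputs it converted to Unicode. It can also return detailed glyph and font information
and the page coordinates of the text. Besides extracting the raw text stream, TET can detect word
boundaries (limited to languages that separate words with spaces or punctuation) and remove
duplicate text produced for shadow or other artistic effects. Through the accompanying pCOS
interface, users can also retrieve arbitrary PDF objects from a file, such as metadata and hypertext.
PDFlib PLOP - the best choice for linearizing, optimizing and encrypting PDF documents (pdf)
--------------------------------------------------------------------------------------------
PLOP can linearize and optimize PDF documents so that they can be transferred over the network
more quickly. PLOP can also add or remove the standard Acrobat security features: users can add a
document open password and a permissions password, and set security options that restrict opening,
editing, copying and printing of the document. PLOP supports 40-bit and 128-bit encryption. It
comes in two forms: an executable program and a library.
PDFlib pCOS - PDF information retrieval tool (pdf)
--------------------------------------------------
PDFlib pCOS provides a simple and elegant tool for retrieving document information other than
PDF page content. For example, pCOS makes it easy to query PDF metadata, hypertext or page sizes.
With pCOS you can extract all kinds of items of interest and create output for different purposes.
It can process multiple PDF documents in a single call, so you can easily create summaries
containing document info entries, page formats, fonts or any other property. Combined with tabular
output, this gives you a powerful PDF management tool.
PDFlib reference manual
-----------------------
We also provide a Chinese PDFlib reference manual; please download it from the PDFlib download page.
3) Without a license key, every page of a PDF document generated with PDFLib carries a dark "www.PDFLib.com" watermark!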
********************************************************************************************
Part 2: Preparation
1) Download the PDFlib-6.0.3p1-Windows package
2) Following the manual, write a helper program that calls PDFLib.dll. The Hello demo that ships with the PDFLib package is shown below:
Note: VC++ build environment; include PDFLib.h, link PDFLib.lib, build the Debug configuration
/* $Id: hello.c,v 1.35 2004/05/24 13:03:38 kurt Exp $
 *
 * PDFlib client: hello example in C
 */
#include <stdio.h>
#include <stdlib.h>
#include "pdflib.h"
int main(void)
{
    PDF *p;
    int font;
    /* create a new PDFlib object */
    if ((p = PDF_new()) == (PDF *) 0)
    {
        printf("Couldn't create PDFlib object (out of memory)!\n");
        return(2);
    }
    // ------------------------------------------------------------------
    // The statement below is the call that sets the license key; this is
    // where we enter PDFLib.dll.
    // If the line below is commented out, every generated PDF document
    // carries the dark "www.PDFLib.com" watermark.
    // ------------------------------------------------------------------
    PDF_set_parameter( p,"license","W600105-009100-701111-C6EA46");
    PDF_TRY(p) {
        if (PDF_begin_document(p, "hello.pdf", 0, "") == -1) {
            printf("Error: %s\n", PDF_get_errmsg(p));
            return(2);
        }
        /* This line is required to avoid problems on Japanese systems */
        PDF_set_parameter(p, "hypertextencoding", "host");
        PDF_set_info(p, "Creator", "hello.c");
        PDF_set_info(p, "Author", "Thomas Merz");
        PDF_set_info(p, "Title", "Hello, world (C)!");
        PDF_begin_page_ext(p, a4_width, a4_height, "");
        /* Change "host" encoding to "winansi" or whatever you need! */
        font = PDF_load_font(p, "Helvetica-Bold", 0, "host", "");
        PDF_setfont(p, font, 24);
        PDF_set_text_pos(p, 50, 700);
        PDF_show(p, "Hello, world!");
        PDF_continue_text(p, "(says C)");
        PDF_end_page_ext(p, "");
        PDF_end_document(p, "");
    }
    PDF_CATCH(p) {
        printf("PDFlib exception occurred in hello sample:\n");
        printf("[%d] %s: %s\n",
            PDF_get_errnum(p), PDF_get_apiname(p), PDF_get_errmsg(p));
        PDF_delete(p);
        return(2);
    }
    PDF_delete(p);
    return 0;
}
Part 3: Dissection
1) Load hello.exe in OllyDbg and step into the PDF_set_parameter call
2) Key code sections
* license key format check
-----------------------------------------
Length must be: 0x1C (28) bytes
Format must be: XXXXXXX-XXXXXX-XXXXXX-XXXXXX
-----------------------------------------
5538941C 8BFD mov edi,ebp ; edi = ebp = "license key"
5538941E 83C9 FF or ecx,FFFFFFFF
55389421 33C0 xor eax,eax
55389423 F2:AE repne scas byte ptr es:[edi]
55389425 F7D1 not ecx
55389427 49 dec ecx
55389428 83F9 1C cmp ecx,1C ; Length of "license key" is 0x1C ?
5538942B 75 12 jnz short pdflib.5538943F ; No,error!
5538942D 807D 07 2D cmp byte ptr ss:[ebp+7],2D ; XXXXXXX-
55389431 75 0C jnz short pdflib.5538943F ; Error!
55389433 807D 0E 2D cmp byte ptr ss:[ebp+E],2D ; XXXXXXX-XXXXXX-
55389437 75 06 jnz short pdflib.5538943F ; Error!
55389439 807D 15 2D cmp byte ptr ss:[ebp+15],2D ; XXXXXXX-XXXXXX-XXXXXX-
5538943D 74 1C je short pdflib.5538945B ; OK! Let's go on...
* Compute and check whether the "license key" is among the reserved license keys
------------------------------------------------------------------------------------------------------------
Data1[] = 554080D0
Data2[] = 55409A68
LK[] = "XXXXXXX-XXXXXX-XXXXXX-XXXXXX"
Records of 0x15 (21) bytes each, 312 records in total (0x1998/0x15). Only the 0x15 (21) characters XXXXXXX-XXXXXX-XXXXXX
are checked, that is, the first 3 segments of the "license key"
Data1[i] XOR Data2[i] = LK[i] ?
If a fully matching record is found: Error
If a record does not match, move on to the next record and check whether it matches
If no match is found, continue...
------------------------------------------------------------------------------------------------------------
5538945B 8B5C24 38 mov ebx,dword ptr ss:[esp+38]
5538945F 33F6 xor esi,esi ; esi = 0
55389461 8BC6 mov eax,esi ; eax = esi
55389463 25 FF000000 and eax,0FF ; mask
55389468 33C9 xor ecx,ecx ; ecx = 0
5538946A 8A940E D0804055 mov dl,byte ptr ds:[esi+ecx+554080D0] ; fetch one byte at 554080D0[esi+ecx]
55389471 3290 689A4055 xor dl,byte ptr ds:[eax+55409A68] ; XOR with one byte at 55409A68[eax] -> dl
; *******************************************
55389477 381429 cmp byte ptr ds:[ecx+ebp],dl ; compare with one byte at LK[ebp+ecx]
; this is also the patch point: replace dl with ch and a match is never found
; *******************************************
5538947A 75 0C jnz short pdflib.55389488 ; not equal, jump
5538947C 40 inc eax ; equal, continue with the next byte; next data index
5538947D 25 FF000000 and eax,0FF ; mask
55389482 41 inc ecx ; next data index
55389483 83F9 15 cmp ecx,15 ; has the whole record been compared?
55389486 ^ 7C E2 jl short pdflib.5538946A ; no, jump and continue...
55389488 83F9 15 cmp ecx,15 ; has the whole record been compared?
5538948B 75 16 jnz short pdflib.553894A3 ; no, jump
5538948D 6A 00 push 0 ; a matching record was found, Error
5538948F 6A 00 push 0
55389491 6A 00 push 0
55389493 6A 00 push 0
55389495 68 C2070000 push 7C2
5538949A 53 push ebx
5538949B E8 60E0F7FF call pdflib.55307500 ; Error handling
553894A0 83C4 18 add esp,18
553894A3 83C6 15 add esi,15 ; index of the next record
553894A6 81FE 98190000 cmp esi,1998 ; keep checking until esi = 0x1998 if nothing was found
553894AC ^ 7C B3 jl short pdflib.55389461 ; all records checked? no, continue...
* license key last-segment format check, and conversion to a hexadecimal integer
-------------------------------------------------------------------
LK[] = "XXXXXXX-XXXXXX-XXXXXX-XXXXXX"
Each of the 6 bytes of the last segment must be a character from the set '0-9'/'A-F'
Data = 55409B38
55409B38 B4 E1 B8 5C A6 E4 D2 78 C3 1E 5A 5C 6A E8 4D A6
55409B48 8E 1E 3C 2E E4 D1 55 9A 69 87 D2 63 8E 5C 39 4D
55409B58 A9 C9 55 27 55 2B B2 A9 39 AC 0F E1 C3 74 E4 65
The '0-9'/'A-F' entries start here:
55409B68 00 01 02 03 04 05 06 07 08 09 00 00 00 00 00 00
55409B78 00 0A 0B 0C 0D 0E 0F 00 50 44 46 6C 69 62 20 6C
Convert the 6-byte character sequence to a hexadecimal integer, e.g. "12AB3C" -> 0x0012AB3C
res = 0
loop:
res << 4
"12" --> table lookup --> 0x01 0x02
--> (res + 0x01) shifted left by 4 bits + 0x02
--> res
--> loop
The result is in edi
--------------------------------------------------------------------
553894AE BE E9FFFFFF mov esi,-17
553894B3 33FF xor edi,edi ; edi = 0, holds the computed result
553894B5 8D45 17 lea eax,dword ptr ss:[ebp+17] ; eax = LK[0x17]
553894B8 2BF5 sub esi,ebp
553894BA 8A48 FF mov cl,byte ptr ds:[eax-1] ; LK[n-1]
553894BD 8A10 mov dl,byte ptr ds:[eax] ; LK[n]
553894BF 80F9 30 cmp cl,30 ; '0'
553894C2 0F8C E4020000 jl pdflib.553897AC ; LK[n-1] less than '0', Error
553894C8 80F9 46 cmp cl,46 ; 'F'
553894CB 0F8F DB020000 jg pdflib.553897AC ; LK[n-1] greater than 'F', Error
553894D1 80FA 30 cmp dl,30 ; '0'
553894D4 0F8C D2020000 jl pdflib.553897AC ; LK[n] less than '0', Error
553894DA 80FA 46 cmp dl,46 ; 'F'
553894DD 0F8F C9020000 jg pdflib.553897AC ; LK[n] greater than 'F', Error
553894E3 0FBEC9 movsx ecx,cl ; ecx = cl = LK[n-1]
553894E6 0FBED2 movsx edx,dl ; edx = dl = LK[n]
553894E9 0FBE89 389B4055 movsx ecx,byte ptr ds:[ecx+55409B38] ; ecx = Data[ecx] = Data[ LK[n-1] ]
553894F0 0FBE92 389B4055 movsx edx,byte ptr ds:[edx+55409B38] ; edx = Data[edx] = Data[ LK[n] ]
553894F7 C1E7 04 shl edi,4 ; edi times 16
553894FA 03CF add ecx,edi ; ecx = ecx + edi
553894FC 83C0 02 add eax,2 ; eax = eax + 2, adjust the data index
553894FF C1E1 04 shl ecx,4 ; ecx times 16
55389502 03CA add ecx,edx ; ecx = ecx + edx
55389504 8BF9 mov edi,ecx ; save the result to edi
55389506 8D0C06 lea ecx,dword ptr ds:[esi+eax] ; number of characters checked/computed so far
55389509 83F9 06 cmp ecx,6 ; finished checking/computing?
5538950C ^ 7C AC jl short pdflib.553894BA ; no, continue...
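Added example (not code from the original post or from PDFlib): a C model of the shape check and the last-segment conversion described above, next to a strict hexadecimal parser. The lookup table is copied from the bytes shown at 55409B68; the function names and the sample strings are constructed for this illustration. It shows that a range-only test ('0' to 'F') also admits the seven characters ':' through '@', which the table maps to 0.

```c
#include <stdio.h>
#include <string.h>

#define LK_LEN   28   /* 0x1C, the length compared at 55389428 */
#define TAIL_OFF 22   /* offset of the first character of the last segment */
#define TAIL_LEN 6

/* Shape check from the post: 28 characters, '-' at offsets 7, 0xE and 0x15. */
int lk_shape_ok(const char *lk)
{
    return strlen(lk) == LK_LEN && lk[7] == '-' && lk[14] == '-' && lk[21] == '-';
}

/* Digit values for '0'..'F', taken from the table bytes the post lists at
 * 55409B68: the entries for ':' through '@' (0x3A-0x40) exist and are 0. */
static const unsigned char digit_tab['F' - '0' + 1] = {
    0, 1, 2, 3, 4, 5, 6, 7, 8, 9,   /* '0'..'9' */
    0, 0, 0, 0, 0, 0, 0,            /* ':' ';' '<' '=' '>' '?' '@' */
    10, 11, 12, 13, 14, 15          /* 'A'..'F' */
};

/* Model of the conversion as described: only a signed range test
 * ('0' <= c <= 'F') guards the table lookup. Returns 0 on success. */
int parse_tail_lax(const char *lk, unsigned *out)
{
    unsigned res = 0;
    for (int i = 0; i < TAIL_LEN; i++) {
        signed char c = (signed char)lk[TAIL_OFF + i];
        if (c < '0' || c > 'F')
            return -1;
        res = (res << 4) + digit_tab[c - '0'];
    }
    *out = res;
    return 0;
}

/* Strict variant: accept exactly [0-9A-F], so every 24-bit value has a
 * single spelling and nothing outside the hex alphabet is parsed. */
int parse_tail_strict(const char *lk, unsigned *out)
{
    unsigned res = 0;
    for (int i = 0; i < TAIL_LEN; i++) {
        char c = lk[TAIL_OFF + i];
        unsigned d;
        if (c >= '0' && c <= '9')
            d = (unsigned)(c - '0');
        else if (c >= 'A' && c <= 'F')
            d = (unsigned)(c - 'A') + 10;
        else
            return -1;
        res = (res << 4) | d;
    }
    *out = res;
    return 0;
}

int main(void)
{
    /* Constructed sample strings: well-formed shape only, not real keys. */
    const char *samples[] = {
        "AAAAAAA-BBBBBB-CCCCCC-12AB3C",   /* the post's "12AB3C" tail */
        "AAAAAAA-BBBBBB-CCCCCC-12:B3C",   /* ':' is inside '0'..'F' */
        "AAAAAAA-BBBBBB-CCCCCC-12ab3c",   /* lower case is outside '0'..'F' */
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        unsigned lax = 0, strict = 0;
        if (!lk_shape_ok(samples[i])) {
            printf("%s: bad shape\n", samples[i]);
            continue;
        }
        int rl = parse_tail_lax(samples[i], &lax);
        int rs = parse_tail_strict(samples[i], &strict);
        printf("%s: lax=%s 0x%06X  strict=%s 0x%06X\n", samples[i],
               rl ? "reject" : "accept", lax, rs ? "reject" : "accept", strict);
    }
    return 0;
}
```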
* Table-lookup computation over the first three segments of the license key (the '-' separators do not take part)
--------------------------------------------------------
LK[] = "XXXXXXX-XXXXXX-XXXXXX-XXXXXX", the first three segments are 21 bytes long
Data = 55407ED0 - 55407F24, range 0x54 (84) = 21 x 4
res = ss:[esp+10] = 0
eax = LK[n]; check whether LK[n] is '-'; if so, skip it and continue with the next character
edx = Data[ LK[n] * 4 ]
edx = edx + Data[n]
edx = edx AND 0x0000007F
edx = Data[ edx * 4 ]
edx:eax = edx * eax
res = res XOR edx
The result is in ss:[esp+10]
---------------------------------------------------------
5538950E 8BF5 mov esi,ebp ; esi = ebp = LK[]
55389510 B9 D07E4055 mov ecx,pdflib.55407ED0 ; ecx = Data[]
55389515 8A06 mov al,byte ptr ds:[esi] ; al = LK[n]
55389517 8AD0 mov dl,al ; dl = al
55389519 80E2 7F and dl,7F ; dl and 0x7f
5538951C 3C 2D cmp al,2D ; al = '-' ?
5538951E 885424 44 mov byte ptr ss:[esp+44],dl ; save dl
55389522 74 23 je short pdflib.55389547 ; al is '-',ignore
55389524 8B4424 44 mov eax,dword ptr ss:[esp+44] ; eax = LK[n]
55389528 25 FF000000 and eax,0FF ; mask
5538952D 8B1485 D07E4055 mov edx,dword ptr ds:[eax*4+55407ED0] ; edx = Data[ eax * 4 ]
55389534 0311 add edx,dword ptr ds:[ecx] ; edx = edx + Data[ ecx ]
55389536 83E2 7F and edx,7F ; mask
55389539 8B1495 D07E4055 mov edx,dword ptr ds:[edx*4+55407ED0] ; edx = Data[ edx * 4 ]
55389540 0FAFD0 imul edx,eax ; edx * eax
55389543 315424 10 xor dword ptr ss:[esp+10],edx ; tmp XOR edx
55389547 83C1 04 add ecx,4 ; Adjust Data pointer
5538954A 46 inc esi ; Adjust LK pointer
5538954B 81F9 247F4055 cmp ecx,pdflib.55407F24 ; Is Data end?
55389551 ^ 7C C2 jl short pdflib.55389515 ; No,go on...
* Compare the table-lookup result of the first three segments with the converted last segment
--------------------------------------------------------
55389553 8B4424 10 mov eax,dword ptr ss:[esp+10] ; result computed from the first three segments
55389557 25 FFFFFF00 and eax,0FFFFFF ; mask
5538955C 3BF8 cmp edi,eax ; compare with the converted last segment
5538955E 74 16 je short pdflib.55389576 ; equal, go on...
55389560 6A 00 push 0 ; not equal, error
55389562 6A 00 push 0
55389564 6A 00 push 0
55389566 6A 00 push 0
55389568 68 C2070000 push 7C2
5538956D 53 push ebx
5538956E E8 8DDFF7FF call pdflib.55307500
55389573 83C4 18 add esp,18
* license key first-segment check
------------------------------------------------------------------------------------
Index...................111111111111
Index...0123456789ABCDEF0123456789AB
LK[] = "XXXXXXX-XXXXXX-XXXXXX-XXXXXX"
Data[] = 55429C64: 57 69 6E 33 32 00 00 00 6C 65 00 00 5B 20 2D 2D Win32...le..[ --
ebp = LK[]
LK[0] = 'X'/'W'/'x'
LK[1] = greater than or equal to '6'; if equal to '6', then the following must hold:
LK[2] = greater than or equal to '0'
------------------------------------------------------------------------------------
55389576 8A45 00 mov al,byte ptr ss:[ebp] ; al = LK[0]
55389579 3C 58 cmp al,58 ; Is 'X'?
5538957B 74 2E je short pdflib.553895AB ; Yes,go on...
5538957D 8A0D 649C4255 mov cl,byte ptr ds:[55429C64] ; cl = Data[0] = 'W'
55389583 3AC1 cmp al,cl ; Is 'W'?
55389585 74 24 je short pdflib.553895AB ; Yes,go on...
55389587 3C 78 cmp al,78 ; Is 'x'?
55389589 75 0A jnz short pdflib.55389595 ; No,error
5538958B 80F9 5A cmp cl,5A ; Is 'Z'?
5538958E 74 05 je short pdflib.55389595 ; Yes,error
55389590 80F9 49 cmp cl,49 ; Is 'I'?
55389593 75 16 jnz short pdflib.553895AB ; No,go on...
Error:
55389595 6A 00 push 0
55389597 6A 00 push 0
55389599 6A 00 push 0
5538959B 6A 00 push 0
5538959D 68 C0070000 push 7C0
553895A2 53 push ebx
553895A3 E8 58DFF7FF call pdflib.55307500
553895A8 83C4 18 add esp,18
Go on:
553895AB 0FBE45 01 movsx eax,byte ptr ss:[ebp+1] ; eax = LK[1]
553895AF 8B4C24 40 mov ecx,dword ptr ss:[esp+40] ; ecx = 0x00000006
553895B3 83C0 D0 add eax,-30 ; eax = eax - 0x30
553895B6 3BC1 cmp eax,ecx ; Is 0x00000006 ?
553895B8 7C 11 jl short pdflib.553895CB ; less than, error
553895BA 75 25 jnz short pdflib.553895E1 ; greater than, go on...
553895BC 0FBE45 02 movsx eax,byte ptr ss:[ebp+2] ; equal, eax = LK[2]
553895C0 8B4C24 14 mov ecx,dword ptr ss:[esp+14] ; ecx = 0x00000000
553895C4 83E8 30 sub eax,30 ; eax = eax - 0x30
553895C7 3BC1 cmp eax,ecx ; Is 0x00000000 ?
553895C9 7D 16 jge short pdflib.553895E1 ; greater than or equal, go on...
Error:
553895CB 6A 00 push 0
553895CD 6A 00 push 0
553895CF 6A 00 push 0
553895D1 6A 00 push 0
553895D3 68 C2070000 push 7C2
553895D8 53 push ebx
553895D9 E8 22DFF7FF call pdflib.55307500
553895DE 83C4 18 add esp,18
* license key second-segment check
-------------------------------------
Index...................111111111111
Index...0123456789ABCDEF0123456789AB
LK[] = "XXXXXXX-XXXXXX-XXXXXX-XXXXXX"
ebp = LK[]
LK[D]+LK[C]*10-0x210 <= 0x2A('*')
LK[9]+LK[8]*10-0x210 <= 0x40('@')
LK[B]+LK[A]*10-0x210 <= 0x63('c')
-------------------------------------
553895E1 0FBE45 0C movsx eax,byte ptr ss:[ebp+C] ; eax = LK[C]
553895E5 0FBE55 0D movsx edx,byte ptr ss:[ebp+D] ; edx = LK[D]
553895E9 8D0C80 lea ecx,dword ptr ds:[eax+eax*4] ; ecx = LK[C] * 5
553895EC 0FBE45 08 movsx eax,byte ptr ss:[ebp+8] ; eax = LK[8]
553895F0 8DBC4A F0FDFFFF lea edi,dword ptr ds:[edx+ecx*2-210] ; edi = LK[D] + (LK[C] * 5)* 2 - 0x210
553895F7 0FBE4D 09 movsx ecx,byte ptr ss:[ebp+9] ; ecx = LK[9]
553895FB 8D0480 lea eax,dword ptr ds:[eax+eax*4] ; eax = LK[8] * 5
553895FE 83FF 2A cmp edi,2A ; Is '*'?
55389601 8D9C41 F0FDFFFF lea ebx,dword ptr ds:[ecx+eax*2-210] ; ebx = LK[9]+(LK[8]*5)*2 - 0x210
55389608 7F 1C jg short pdflib.55389626 ; greater than, error
5538960A 83FB 40 cmp ebx,40 ; Is '@'?
5538960D 7F 17 jg short pdflib.55389626 ; greater than, error
5538960F 0FBE45 0A movsx eax,byte ptr ss:[ebp+A] ; eax = LK[A]
55389613 8D1480 lea edx,dword ptr ds:[eax+eax*4] ; edx = LK[A]*5
55389616 0FBE45 0B movsx eax,byte ptr ss:[ebp+B] ; eax = LK[B]
5538961A 8D8C50 F0FDFFFF lea ecx,dword ptr ds:[eax+edx*2-210] ; ecx = LK[B]+(LK[A]*5)*2 - 0x210
55389621 83F9 63 cmp ecx,63 ; Is 'c'?
55389624 7E 1C jle short pdflib.55389642 ; less than or equal, go on...
Error:
55389626 8B7424 38 mov esi,dword ptr ss:[esp+38]
5538962A 6A 00 push 0
5538962C 6A 00 push 0
5538962E 6A 00 push 0
55389630 6A 00 push 0
55389632 68 C2070000 push 7C2
55389637 56 push esi
55389638 E8 C3DEF7FF call pdflib.55307500
5538963D 83C4 18 add esp,18
55389640 EB 04 jmp short pdflib.55389646
Stack:
0012F57C 50 00 51 00 52 00 53 00 54 00 55 00 56 00 57 00 P.Q.R.S.T.U.V.W. (UNICODE)
0012F58C 58 00 59 00 5A 00 7B 00 7C 00 7D 00 X.Y.Z.{.|.}. (UNICODE)
28 bytes in total
Go on:
55389642 8B7424 38 mov esi,dword ptr ss:[esp+38] ; esi = 003C3E78
55389646 8D5424 18 lea edx,dword ptr ss:[esp+18] ; edx = 0012F57C
5538964A 52 push edx ; push edx onto the stack
Stack:
0012F560 0012F57C UNICODE "PQRSTUVWXYZ{|}" ; edx = UNICODE = 28 bytes
0012F564 003C8E98 ASCII "W600105-009100-701111-C6EA46" ; "license key" = 28 bytes
0012F568 003C3B88
0012F56C 00000000
0012F570 003C3B40
0012F574 29C6EA46
0012F578 00000000
0012F57C 00510050
0012F580 00530052
0012F584 00550054
0012F588 00570056
0012F58C 00590058
0012F590 007B005A
5538964B E8 40EFF7FF call pdflib.55308590
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
55308590 83EC 28 sub esp,28
55308593 8D4424 00 lea eax,dword ptr ss:[esp] ; eax = UNICODE
55308597 56 push esi ; esi = 003C3E78
55308598 57 push edi ; edi = 0
55308599 50 push eax ; eax = UNICODE
5530859A E8 8B010700 call pdflib.5537872A
5530859F 8D4C24 0C lea ecx,dword ptr ss:[esp+C]
553085A3 51 push ecx
553085A4 E8 21000700 call pdflib.553785CA
553085A9 B9 09000000 mov ecx,9
553085AE 8BF0 mov esi,eax
553085B0 8B4424 3C mov eax,dword ptr ss:[esp+3C]
553085B4 8D7C24 14 lea edi,dword ptr ss:[esp+14]
553085B8 F3:A5 rep movs dword ptr es:[edi],dword ptr d>
553085BA 8B5424 14 mov edx,dword ptr ss:[esp+14]
553085BE 8B4C24 18 mov ecx,dword ptr ss:[esp+18]
553085C2 8910 mov dword ptr ds:[eax],edx
553085C4 8B5424 1C mov edx,dword ptr ss:[esp+1C]
553085C8 8948 04 mov dword ptr ds:[eax+4],ecx
553085CB 8B4C24 20 mov ecx,dword ptr ss:[esp+20]
553085CF 8950 08 mov dword ptr ds:[eax+8],edx
553085D2 8B5424 2C mov edx,dword ptr ss:[esp+2C]
553085D6 83C4 08 add esp,8
553085D9 8948 0C mov dword ptr ds:[eax+C],ecx
553085DC 8B4C24 1C mov ecx,dword ptr ss:[esp+1C]
553085E0 8950 10 mov dword ptr ds:[eax+10],edx
553085E3 8B5424 20 mov edx,dword ptr ss:[esp+20]
553085E7 5F pop edi
553085E8 8948 14 mov dword ptr ds:[eax+14],ecx
553085EB 8950 18 mov dword ptr ds:[eax+18],edx
553085EE 5E pop esi
553085EF 83C4 28 add esp,28
553085F2 C3 retn
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
55389650 8B4424 34 mov eax,dword ptr ss:[esp+34]
55389654 8B4C24 30 mov ecx,dword ptr ss:[esp+30]
55389658 83C4 04 add esp,4
5538965B 8D0440 lea eax,dword ptr ds:[eax+eax*2]
5538965E 85FF test edi,edi
55389660 8D8481 21FBFFFF lea eax,dword ptr ds:[ecx+eax*4-4DF]
55389667 74 1F je short pdflib.55389688
55389669 83F8 1A cmp eax,1A
5538966C 7C 04 jl short pdflib.55389672
5538966E 3BC7 cmp eax,edi
55389670 7E 16 jle short pdflib.55389688
55389672 6A 00 push 0
55389674 6A 00 push 0
55389676 6A 00 push 0
55389678 6A 00 push 0
5538967A 68 C4070000 push 7C4
5538967F 56 push esi
55389680 E8 7BDEF7FF call pdflib.55307500
55389685 83C4 18 add esp,18
* license key first-segment re-check
----------------------------
55389688 0FBE45 05 movsx eax,byte ptr ss:[ebp+5] ; eax = LK[5]
5538968C 8D1480 lea edx,dword ptr ds:[eax+eax*4] ; edx = LK[5]*5
5538968F 0FBE45 06 movsx eax,byte ptr ss:[ebp+6] ; eax = LK[6]
55389693 8D8450 F0FDFFFF lea eax,dword ptr ds:[eax+edx*2-210] ; eax = LK[6]+(LK[5]*5)*2-0x210
5538969A 894424 40 mov dword ptr ss:[esp+40],eax ; Saved
5538969E 83C0 FE add eax,-2 ; subtract 2
553896A1 83F8 04 cmp eax,4 ; compare with 4
553896A4 77 14 ja short pdflib.553896BA ; greater than, error
553896A6 FF2485 40983855 jmp dword ptr ds:[eax*4+55389840]
553896AD 8B4424 4C mov eax,dword ptr ss:[esp+4C] ; eax = 1
553896B1 85C0 test eax,eax
553896B3 74 1B je short pdflib.553896D0
553896B5 8320 FE and dword ptr ds:[eax],FFFFFFFE
553896B8 EB 16 jmp short pdflib.553896D0 ; jmp
Error:
553896BA 6A 00 push 0
553896BC 6A 00 push 0
553896BE 6A 00 push 0
553896C0 6A 00 push 0
553896C2 68 C2070000 push 7C2
553896C7 56 push esi
553896C8 E8 33DEF7FF call pdflib.55307500
553896CD 83C4 18 add esp,18
jmp:
553896D0 0FBE45 03 movsx eax,byte ptr ss:[ebp+3] ; eax = LK[3]
553896D4 0FBE55 04 movsx edx,byte ptr ss:[ebp+4] ; edx = LK[4]
553896D8 8D0C80 lea ecx,dword ptr ds:[eax+eax*4] ; ecx = LK[3]*5
553896DB 8B4424 3C mov eax,dword ptr ss:[esp+3C] ; eax = 1
553896DF 8DB44A F0FDFFFF lea esi,dword ptr ds:[edx+ecx*2-210] ; esi = LK[4]+(LK[3]*5)*2-0x210
553896E6 3BC6 cmp eax,esi ; compare
553896E8 74 29 je short pdflib.55389713 ; esi = 1,go on...
553896EA 83F8 01 cmp eax,1
553896ED 75 0A jnz short pdflib.553896F9 ; eax <> 1,error
553896EF 83FE 02 cmp esi,2 ; esi = 2?
553896F2 74 1F je short pdflib.55389713 ; esi = 2,go on...
553896F4 83FE 06 cmp esi,6 ; esi = 6?
553896F7 74 1A je short pdflib.55389713 ; esi <> 6,error; esi = 6,go on...
Error:
553896F9 8B4424 38 mov eax,dword ptr ss:[esp+38]
553896FD 6A 00 push 0
553896FF 6A 00 push 0
55389701 6A 00 push 0
55389703 6A 00 push 0
55389705 68 C2070000 push 7C2
5538970A 50 push eax
5538970B E8 F0DDF7FF call pdflib.55307500
55389710 83C4 18 add esp,18
go on:
55389713 8B5424 38 mov edx,dword ptr ss:[esp+38]
55389717 33C9 xor ecx,ecx
55389719 85FF test edi,edi
5538971B 56 push esi
5538971C 53 push ebx
5538971D 0F95C1 setne cl
55389720 55 push ebp ; license key
55389721 52 push edx
55389722 8BF9 mov edi,ecx
55389724 E8 D7EBF7FF call pdflib.55308300
55389729 8BD8 mov ebx,eax
5538972B 83C4 10 add esp,10
5538972E 83FB FF cmp ebx,-1
55389731 75 1C jnz short pdflib.5538974F
55389733 8B6C24 38 mov ebp,dword ptr ss:[esp+38]
55389737 6A 00 push 0
55389739 6A 00 push 0
5538973B 6A 00 push 0
5538973D 6A 00 push 0
5538973F 68 C8070000 push 7C8
55389744 55 push ebp
55389745 E8 B6DDF7FF call pdflib.55307500
5538974A 83C4 18 add esp,18
5538974D EB 04 jmp short pdflib.55389753
5538974F 8B6C24 38 mov ebp,dword ptr ss:[esp+38]
55389753 85FF test edi,edi
55389755 75 1C jnz short pdflib.55389773
55389757 8B4424 40 mov eax,dword ptr ss:[esp+40]
5538975B 83F8 05 cmp eax,5
5538975E 74 13 je short pdflib.55389773
55389760 83F8 06 cmp eax,6
55389763 74 0E je short pdflib.55389773
55389765 83F8 03 cmp eax,3
55389768 74 09 je short pdflib.55389773
5538976A E8 71F8FFFF call pdflib.55388FE0
5538976F 3BD8 cmp ebx,eax
55389771 7C 39 jl short pdflib.553897AC
55389773 83FE 01 cmp esi,1
55389776 75 54 jnz short pdflib.553897CC
55389778 8A4424 48 mov al,byte ptr ss:[esp+48]
5538977C 84C0 test al,al
5538977E 74 36 je short pdflib.553897B6
55389780 6A 00 push 0
55389782 6A 00 push 0
55389784 6A 00 push 0
55389786 6A 00 push 0
55389788 68 BC070000 push 7BC
5538978D 55 push ebp
5538978E E8 6DDDF7FF call pdflib.55307500
55389793 83C4 18 add esp,18
55389796 6A 00 push 0
55389798 6A 00 push 0
5538979A 6A 00 push 0
5538979C 6A 00 push 0
5538979E 68 C2070000 push 7C2
553897A3 55 push ebp
553897A4 E8 57DDF7FF call pdflib.55307500
553897A9 83C4 18 add esp,18
553897AC 5F pop edi
553897AD 5E pop esi
553897AE 5D pop ebp
553897AF 33C0 xor eax,eax
553897B1 5B pop ebx
553897B2 83C4 24 add esp,24
553897B5 C3 retn
553897B6 8B4424 50 mov eax,dword ptr ss:[esp+50]
553897BA C700 B2606912 mov dword ptr ds:[eax],126960B2
553897C0 8BC7 mov eax,edi
553897C2 5F pop edi
553897C3 5E pop esi
553897C4 5D pop ebp
553897C5 0C 04 or al,4
553897C7 5B pop ebx
553897C8 83C4 24 add esp,24
553897CB C3 retn
553897CC 83FE 02 cmp esi,2
553897CF 75 20 jnz short pdflib.553897F1
553897D1 8B4C24 50 mov ecx,dword ptr ss:[esp+50]
553897D5 8B5424 54 mov edx,dword ptr ss:[esp+54]
553897D9 8BC7 mov eax,edi
553897DB 5F pop edi
553897DC 5E pop esi
553897DD C701 B2606912 mov dword ptr ds:[ecx],126960B2
553897E3 5D pop ebp
553897E4 C702 B2606912 mov dword ptr ds:[edx],126960B2
553897EA 0C 06 or al,6
553897EC 5B pop ebx
553897ED 83C4 24 add esp,24
553897F0 C3 retn
553897F1 83FE 06 cmp esi,6
553897F4 75 2A jnz short pdflib.55389820
553897F6 8B4424 50 mov eax,dword ptr ss:[esp+50]
553897FA 8B4C24 54 mov ecx,dword ptr ss:[esp+54]
553897FE 8B5424 58 mov edx,dword ptr ss:[esp+58]
55389802 C700 B2606912 mov dword ptr ds:[eax],126960B2
55389808 8BC7 mov eax,edi
5538980A 5F pop edi
5538980B 5E pop esi
5538980C C701 B2606912 mov dword ptr ds:[ecx],126960B2
55389812 5D pop ebp
55389813 C702 B2606912 mov dword ptr ds:[edx],126960B2
55389819 0C 08 or al,8
5538981B 5B pop ebx
5538981C 83C4 24 add esp,24
5538981F C3 retn
55389820 83FE 07 cmp esi,7
55389823 ^ 0F85 6DFFFFFF jnz pdflib.55389796
55389829 8B4424 50 mov eax,dword ptr ss:[esp+50]
5538982D C700 B2606912 mov dword ptr ds:[eax],126960B2
55389833 8BC7 mov eax,edi
55389835 5F pop edi
55389836 5E pop esi
55389837 5D pop ebp
55389838 0C 0A or al,0A
5538983A 5B pop ebx
5538983B 83C4 24 add esp,24
5538983E C3 retn
5538983F 90 nop
55389840 D096 3855AD96 rcl byte ptr ds:[esi+96AD5538],1
55389846 3855 BA cmp byte ptr ss:[ebp-46],dl
55389849 96 xchg eax,esi
5538984A 3855 AD cmp byte ptr ss:[ebp-53],dl
5538984D 96 xchg eax,esi
5538984E 3855 D0 cmp byte ptr ss:[ebp-30],dl
55389851 96 xchg eax,esi
55389852 3855 90 cmp byte ptr ss:[ebp-70],dl
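Part 4: Summary
1) license key format: XXXXXXX-XXXXXX-XXXXXX-XXXXXX
2) license key length: 0x1C (28) bytes
3) The table-lookup result of the first three segments = the hexadecimal value expressed by the last segment
4) The byte relationships in the first/second segments, computed with the formula below, must satisfy certain conditions (given in the body above)
Result = LK[n]+(LK[n-1]*5)*2-0x210
5) The patch point is at
; *******************************************
55389477 381429 cmp byte ptr ds:[ecx+ebp],dl ; compare with one byte at LK[ebp+ecx]
; this is also the patch point: replace dl with ch and a match is never found
; *******************************************
6) Before patching, trace to the place where the reserved license keys are computed and obtain a reserved license key; then trace to the place where the
table-lookup result of the first three segments is computed and take that result; the last segment of the license key can then be constructed
7) Patch, then change PDF_set_parameter(p,"license","---license key---"); in the helper program hello to fill in the license key obtained,
then compile and run hello; the generated hello.pdf no longer carries the dark "www.PDFLib.com" watermark
Part 5: About a keygen
1) The data involved in the computation is fairly large
2) One can open PDFLib.dll, locate the data from which the reserved license keys are computed, and write a program to obtain the 312 reserved license keys
3) Locate the data used where the table-lookup result of the first three segments is computed, and compute the last segment of the 312 reserved license keys
4) In this way, a reserved license key plus the patch gets the job done
5) Without patching, writing a keygen from the analysis above is really too much trouble [it must not collide with a reserved license key and must also satisfy the constraints on each byte, @^*(@*(&@(],
Any expert who is interested is welcome to pick up the remaining issues; I will also continue when I have time
Note: the "W600105-009100-701111-C6EA46" in the sample program is one of the reserved license keys.
*********************** Addendum *************
Spent a bit more time and extracted the reserved license keys
Those starting with 'W'/'X'/'x' can basically all be used
Not fully verified (@_^)
******************************************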
No.0238: W600102-010000-108886-09DC74
No.0239: W600102-010000-108887-1935A7
No.0240: W600102-010000-108888-93B272
No.0241: W600102-010000-108889-13CEC7
No.0242: W600102-010000-108890-448EA3
No.0243: W600102-050000-108901-4EDFE4
No.0244: W600202-029000-108915-5A335C
No.0245: B600102-010500-720187-E6DFBC
No.0246: W600102-010500-721904-F29C0B
No.0247: L600202-010500-721346-A24985
No.0248: W600202-010500-721790-5C4ED9
No.0249: W600202-010500-721791-9C0D50
No.0250: W600102-010500-721915-788881
No.0251: L600102-010500-721765-35DDD1
No.0252: W600102-010000-109136-7BE135
No.0253: W600102-010500-721925-B81E56
No.0254: W600102-010500-721926-21322F
No.0255: L600102-010500-722118-A88090
No.0256: L600102-010500-722119-28FC25
No.0257: W600202-010500-721807-DD5A38
No.0258: W600202-010500-721808-57DDED
No.0259: W600202-010500-721809-D7A158
No.0260: W600202-010500-721810-DC749C
No.0261: S600102-010500-721142-247C0B
No.0262: S600102-010500-721143-C97212
No.0263: S600102-010500-721144-F32AA9
No.0264: S600102-010500-721145-EA3CDA
No.0265: L600102-010500-722148-97E0FD
No.0266: W600202-010500-722173-1C11DF
No.0267: L600102-010500-722158-1E7936
No.0268: L600102-010500-722151-C69137
No.0269: L600102-010500-722155-1D3B49
No.0270: L600102-010500-722156-841730
No.0271: L600102-010500-722157-94FEE3
No.0272: L600102-010500-722161-9EB5B2
No.0273: L600102-010500-722163-665104
No.0274: W600102-010500-722480-875315
No.0275: W600202-010000-109372-14FDB0
No.0276: W600202-039000-109455-119993
No.0277: L600102-010500-722172-7234D2
No.0278: L600202-010000-109602-0B4215
No.0279: M600602-010000-109504-5A1A07
No.0280: W600102-010500-722494-4A3BC8
No.0281: W600102-010500-722495-532DBB
No.0282: L600102-010500-722140-8F4B75
No.0283: L600102-010500-722141-4F08FC
No.0284: L600102-010500-722588-C94E41
No.0285: W600102-010500-722652-ECBAA2
No.0286: W600202-019000-109719-6DED8E
No.0287: W600102-010500-722658-21B80C
No.0288: W600202-010500-722731-038027
No.0289: W600102-060000-109784-989935
No.0290: W600102-010500-722667-F31B5C
No.0291: L600102-010500-722634-8532F9
No.0292: M600202-010500-720270-DE14BF
No.0293: W600202-010500-722742-9EF357
No.0294: W600202-010500-722743-73FD4E
No.0295: W600202-010500-722744-49A5F5
No.0296: W600202-010500-722745-50B386
No.0297: W600102-010500-722506-AFE7C2
No.0298: W600102-020000-109930-C7AD4C
No.0299: x600105-010000-109957-8EA54C
No.0300: W600102-010500-722509-B5F571
No.0301: B600602-010500-722788-B552C2
No.0302: W600102-010500-723141-834B08
No.0303: L600102-010500-723108-481F70
No.0304: W600102-010500-723167-009992
No.0305: W600102-010500-724239-5487E7
No.0306: L600102-010500-724433-43E9AE
No.0307: W600102-010500-724254-CFAF4A
No.0308: M600102-010500-720112-70835B
No.0309: L600102-010500-724453-42E9BA
No.0310: W600102-010500-724280-ABB2F9
No.0311: W600102-029000-110521-97BB2B
No.0312: X600605-009100-4D8B4E-031E4E
The code is as follows:
VS.NET 2003, link with "PDFLib.lib"
#include "stdafx.h"
#include <conio.h>
#include <windows.h>

HINSTANCE hInst = NULL;
BYTE* pData1 = NULL;
BYTE* pData2 = NULL;
DWORD* pData3 = NULL;

int _tmain(int argc, _TCHAR* argv[])
{
    char strtmp[1024];
    char strnum[10];
    char strpost[20];
    int i,k,l,m;
    BYTE b1,b2;
    DWORD dw1,dw2,dw3;

    printf("\r\nGet the inside license key of PDFlib-6-0-3p1-Windows - AZMC.13 - 2006.05.25\r\n\r\n");
    hInst = LoadLibrary( "PDFLib.dll" );
    pData1 = ( BYTE* )( ( DWORD )hInst + 0x1080d0 );
    pData2 = ( BYTE* )( ( DWORD )hInst + 0x109a68 );
    pData3 = ( DWORD* )( ( DWORD )hInst + 0x107ed0 );
    sprintf( strtmp,"The PDFLib is loaded at: %p %p %p %p\r\n",( DWORD )hInst,pData1,pData2,pData3 );
    printf( strtmp );
    printf( "\r\nThe inside license key are:\r\n\r\n" );
    k = 0;
    for( i = 0; i < 0x1998; i ++ ) {
        b1 = *( pData1 + i );
        b2 = *( pData2 + ( i & 0xff ) );
        b1 ^= b2;
        strtmp[ k++ ] = b1;
        if( k == 0x15 ) {
            {
                strtmp[ k++ ] = '-';
                strtmp[ k ] = 0;
                m = 0;
                dw3 = 0;
                for( l = 0; l < 21 * 4; l += 4 ) {
                    b1 = strtmp[ m++ ];
                    b2 = b1;
                    b2 &= 0x7f;
                    if( b2 == '-' ) continue;
                    dw1 = b2;
                    dw1 &= 0xff;
                    dw2 = *( ( DWORD* )( ( DWORD )pData3 + dw1 * 4 ) );
                    dw2 += *( ( DWORD* )( ( DWORD )pData3 + l ) );
                    dw2 &= 0x7f;
                    dw2 = *( ( DWORD* )( ( DWORD )pData3 + dw2 * 4 ) );
                    dw2 *= dw1;
                    dw3 ^= dw2;
                }
                dw3 &= 0xffffff;
                sprintf( strpost,"%06X",dw3 );
                strcat( strtmp,strpost );
            }
            k = 0;
            sprintf( strnum,"No.%04d: ",( i+1 ) / 0x15 );
            printf( strnum );
            printf( strtmp );
            printf( "\r\n" );
        }
    }
    printf("\r\n\r\nPress any key to exit...\r\n");
    getch();
    FreeLibrary( hInst );
    return 0;
}
================ When I have time, I'll see whether I can write a keygen =====================