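Title: [Original] Crack - Image To PDF.exe [Applying for an invitation code]
Author: syrhades
Time: 2009-09-16, 14:40
[Article title]: Crack - Image To PDF.exe [Applying for an invitation code]
[Article author]: syrhades
[Software name]: Image To PDF.exe: http://www.adultpdf.com/products/image2pdf/index.html
[Packer]: none
[Language]: Borland C++ 1999
[Tools used]: Ollydbg
[Platform]: Windows XP SP3
[Purpose of the crack]: I want to turn JPGs into a PDF e-book, remove the watermark, and unlock all features.
[Author's statement]: I am only interested in this and have no other purpose. Please point out any mistakes! I hope the foreigners will not sue me.
________________________________________
[Detailed process]
1. Set breakpoints on all MessageBoxA calls and press F9; several warnings will appear. Just click OK.
As prompted, enter the email address syrhades@126.com and the trial code 123456789. Execution breaks at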
00413B06 |. E8 3BB70C00 call <jmp.&USER32.MessageBoxA> ; \MessageBoxA
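Looking upward, this breakpoint sits inside a procedure, but no other code calls this procedure, so I guess the important check should be in this code.
Searching upward from 00413B06 |. E8 3BB70C00 call <jmp.&USER32.MessageBoxA> ; \MessageBoxA
--- The number at the start of each comment gives the order in which the analysis was done
00413AA2 |. 6A 10 push 10 ; 4. Set a breakpoint here and trace with F9
00413AA4 |. 837D F8 00 cmp dword ptr ss:[ebp-8],0 ; 5. Compares whether the length of the fake registration code is greater than 0
00413AA8 |. 74 05 je short Image_To.00413AAF
00413AAA |. 8B4D F8 mov ecx,dword ptr ss:[ebp-8]
00413AAD |. EB 03 jmp short Image_To.00413AB2
00413AAF |> 8D4E 1E lea ecx,dword ptr ds:[esi+1E]
00413AB2 |> \51 push ecx ; 6. |Pushes the trial code 123456789 onto the stack
00413AB3 |. 8D45 B4 lea eax,dword ptr ss:[ebp-4C]
00413AB6 |. 50 push eax ; 7. |An ASCII string is displayed; I suspect it is the real registration code (JS6CZZ4T22LLOGLZ)
00413AB7 |. E8 20E50B00 call Image_To.004D1FDC ; 3. So this is very likely the key call
; 8. Step over the key call with F8 and see that eax is non-zero, which confirms my idea.
00413ABC |. 83C4 0C add esp,0C
00413ABF |. 85C0 test eax,eax ; 2. Tests eax, the result of 00413AB7 call Image_To.004D1FDC; if it is 0, the error code is skipped
00413AC1 |. /74 76 je short Image_To.00413B39 ; 1. This jump skips the call to the error dialog
Test: entering syrhades@126.com and JS6CZZ4T22LLOGLZ registers successfully.
Attached is the code segment mentioned above, with comments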
00413A0C /. 55 push ebp
00413A0D |. 8BEC mov ebp,esp
00413A0F |. 83C4 B4 add esp,-4C
00413A12 |. 53 push ebx
00413A13 |. 56 push esi
00413A14 |. 57 push edi
00413A15 |. 8BD8 mov ebx,eax
00413A17 |. BE 536C4E00 mov esi,Image_To.004E6C53
00413A1C |. 8D7D C8 lea edi,dword ptr ss:[ebp-38]
00413A1F |. B8 AC6E4E00 mov eax,Image_To.004E6EAC
00413A24 |. E8 A7E70B00 call Image_To.004D21D0
00413A29 |. 66:C747 10 14>mov word ptr ds:[edi+10],14
00413A2F |. 33D2 xor edx,edx
00413A31 |. 8955 FC mov dword ptr ss:[ebp-4],edx
00413A34 |. 8D55 FC lea edx,dword ptr ss:[ebp-4]
00413A37 |. FF47 1C inc dword ptr ds:[edi+1C]
00413A3A |. 8B83 28050000 mov eax,dword ptr ds:[ebx+528]
00413A40 |. E8 975C0600 call Image_To.004796DC
00413A45 |. 66:C747 10 08>mov word ptr ds:[edi+10],8
00413A4B |. 66:C747 10 20>mov word ptr ds:[edi+10],20
00413A51 |. 33C9 xor ecx,ecx
00413A53 |. 894D F8 mov dword ptr ss:[ebp-8],ecx
00413A56 |. 8D55 F8 lea edx,dword ptr ss:[ebp-8]
00413A59 |. FF47 1C inc dword ptr ds:[edi+1C]
00413A5C |. 8B83 08050000 mov eax,dword ptr ds:[ebx+508]
00413A62 |. E8 755C0600 call Image_To.004796DC
00413A67 |. 66:C747 10 08>mov word ptr ds:[edi+10],8
00413A6D |. 837D FC 00 cmp dword ptr ss:[ebp-4],0
00413A71 |. 8D4D B4 lea ecx,dword ptr ss:[ebp-4C]
00413A74 |. 74 05 je short Image_To.00413A7B
00413A76 |. 8B55 FC mov edx,dword ptr ss:[ebp-4]
00413A79 |. EB 03 jmp short Image_To.00413A7E
00413A7B |> 8D56 1C lea edx,dword ptr ds:[esi+1C]
00413A7E |> 8BC3 mov eax,ebx
00413A80 |. E8 DF030000 call Image_To.00413E64
00413A85 |. 837D F8 00 cmp dword ptr ss:[ebp-8],0
00413A89 |. 74 05 je short Image_To.00413A90
00413A8B |. 8B55 F8 mov edx,dword ptr ss:[ebp-8]
00413A8E |. EB 03 jmp short Image_To.00413A93
00413A90 |> 8D56 1D lea edx,dword ptr ds:[esi+1D]
00413A93 |> 8BC3 mov eax,ebx
00413A95 |. E8 AA060000 call Image_To.00414144
00413A9A |. 84C0 test al,al
00413A9C |. 0F85 97000000 jnz Image_To.00413B39
00413AA2 |. 6A 10 push 10
00413AA4 |. 837D F8 00 cmp dword ptr ss:[ebp-8],0 ; Compares whether the length of the fake registration code is greater than 0
00413AA8 |. 74 05 je short Image_To.00413AAF
00413AAA |. 8B4D F8 mov ecx,dword ptr ss:[ebp-8]
00413AAD |. EB 03 jmp short Image_To.00413AB2
00413AAF |> 8D4E 1E lea ecx,dword ptr ds:[esi+1E]
00413AB2 |> 51 push ecx ; |Arg2
00413AB3 |. 8D45 B4 lea eax,dword ptr ss:[ebp-4C] ; |The next line shows the real registration code
00413AB6 |. 50 push eax ; |Arg1
00413AB7 |. E8 20E50B00 call Image_To.004D1FDC ; \Image_To.004D1FDC
00413ABC |. 83C4 0C add esp,0C
00413ABF |. 85C0 test eax,eax
00413AC1 |. 74 76 je short Image_To.00413B39
00413AC3 |. 66:C747 10 2C>mov word ptr ds:[edi+10],2C
00413AC9 |. 8D56 1F lea edx,dword ptr ds:[esi+1F]
00413ACC |. 8D45 F4 lea eax,dword ptr ss:[ebp-C]
00413ACF |. E8 84A40C00 call Image_To.004DDF58
00413AD4 |. FF47 1C inc dword ptr ds:[edi+1C]
00413AD7 |. 8B10 mov edx,dword ptr ds:[eax]
00413AD9 |. 8B83 14050000 mov eax,dword ptr ds:[ebx+514]
00413ADF |. E8 285C0600 call Image_To.0047970C
00413AE4 |. FF4F 1C dec dword ptr ds:[edi+1C]
00413AE7 |. 8D45 F4 lea eax,dword ptr ss:[ebp-C]
00413AEA |. BA 02000000 mov edx,2
00413AEF |. E8 C4A50C00 call Image_To.004DE0B8
00413AF4 |. 6A 10 push 10
00413AF6 |. 8D4E 60 lea ecx,dword ptr ds:[esi+60]
00413AF9 |. 51 push ecx
00413AFA |. 8D46 2D lea eax,dword ptr ds:[esi+2D]
00413AFD |. 50 push eax
00413AFE |. 8BC3 mov eax,ebx
00413B00 |. E8 EBC20600 call Image_To.0047FDF0
00413B05 |. 50 push eax ; |hOwner
00413B06 |. E8 3BB70C00 call <jmp.&USER32.MessageBoxA> ; \MessageBoxA
00413B0B |. FF4F 1C dec dword ptr ds:[edi+1C]
00413B0E |. 8D45 F8 lea eax,dword ptr ss:[ebp-8]
00413B11 |. BA 02000000 mov edx,2
00413B16 |. E8 9DA50C00 call Image_To.004DE0B8
00413B1B |. FF4F 1C dec dword ptr ds:[edi+1C]
00413B1E |. 8D45 FC lea eax,dword ptr ss:[ebp-4]
00413B21 |. BA 02000000 mov edx,2
00413B26 |. E8 8DA50C00 call Image_To.004DE0B8
00413B2B |. 8B0F mov ecx,dword ptr ds:[edi]
00413B2D |. 64:890D 00000>mov dword ptr fs:[0],ecx
00413B34 |. E9 15010000 jmp Image_To.00413C4E
00413B39 |> 837D F8 00 cmp dword ptr ss:[ebp-8],0
00413B3D |. 74 05 je short Image_To.00413B44
00413B3F |. 8B4D F8 mov ecx,dword ptr ss:[ebp-8]
00413B42 |. EB 03 jmp short Image_To.00413B47
00413B44 |> 8D4E 67 lea ecx,dword ptr ds:[esi+67]
00413B47 |> 837D FC 00 cmp dword ptr ss:[ebp-4],0
00413B4B |. 74 05 je short Image_To.00413B52
00413B4D |. 8B55 FC mov edx,dword ptr ss:[ebp-4]
00413B50 |. EB 03 jmp short Image_To.00413B55
00413B52 |> 8D56 66 lea edx,dword ptr ds:[esi+66]
00413B55 |> 8BC3 mov eax,ebx
00413B57 |. E8 CC030000 call Image_To.00413F28
00413B5C |. 66:C747 10 38>mov word ptr ds:[edi+10],38
00413B62 |. 8D56 68 lea edx,dword ptr ds:[esi+68]
00413B65 |. 8D45 F0 lea eax,dword ptr ss:[ebp-10]
00413B68 |. E8 EBA30C00 call Image_To.004DDF58
00413B6D |. FF47 1C inc dword ptr ds:[edi+1C]
00413B70 |. 8B10 mov edx,dword ptr ds:[eax]
00413B72 |. 8B83 14050000 mov eax,dword ptr ds:[ebx+514]
00413B78 |. E8 8F5B0600 call Image_To.0047970C
00413B7D |. FF4F 1C dec dword ptr ds:[edi+1C]
00413B80 |. 8D45 F0 lea eax,dword ptr ss:[ebp-10]
00413B83 |. BA 02000000 mov edx,2
00413B88 |. E8 2BA50C00 call Image_To.004DE0B8
00413B8D |. 8D8E CF000000 lea ecx,dword ptr ds:[esi+CF]
00413B93 |. 6A 40 push 40
00413B95 |. 51 push ecx
00413B96 |. 8D46 7B lea eax,dword ptr ds:[esi+7B]
00413B99 |. 50 push eax
00413B9A |. 8BC3 mov eax,ebx
00413B9C |. C705 50014E00>mov dword ptr ds:[4E0150],2710
00413BA6 |. E8 45C20600 call Image_To.0047FDF0
00413BAB |. 50 push eax ; |hOwner
00413BAC |. E8 95B60C00 call <jmp.&USER32.MessageBoxA> ; \MessageBoxA
00413BB1 |. 6A 00 push 0
00413BB3 |. 68 60F00000 push 0F060
00413BB8 |. 68 12010000 push 112
00413BBD |. 8BC3 mov eax,ebx
00413BBF |. E8 2CC20600 call Image_To.0047FDF0
00413BC4 |. 50 push eax ; |hWnd
00413BC5 |. E8 F4B60C00 call <jmp.&USER32.SendMessageA> ; \SendMessageA
00413BCA |. 33D2 xor edx,edx
00413BCC |. 8B83 24050000 mov eax,dword ptr ds:[ebx+524]
00413BD2 |. 8B08 mov ecx,dword ptr ds:[eax]
00413BD4 |. FF51 64 call dword ptr ds:[ecx+64]
00413BD7 |. 66:C747 10 44>mov word ptr ds:[edi+10],44
00413BDD |. 8D96 E2000000 lea edx,dword ptr ds:[esi+E2]
00413BE3 |. 8D45 EC lea eax,dword ptr ss:[ebp-14]
00413BE6 |. E8 6DA30C00 call Image_To.004DDF58
00413BEB |. FF47 1C inc dword ptr ds:[edi+1C]
00413BEE |. 8B10 mov edx,dword ptr ds:[eax]
00413BF0 |. 8B83 1C050000 mov eax,dword ptr ds:[ebx+51C]
00413BF6 |. E8 115B0600 call Image_To.0047970C
00413BFB |. FF4F 1C dec dword ptr ds:[edi+1C]
00413BFE |. 8D45 EC lea eax,dword ptr ss:[ebp-14]
00413C01 |. BA 02000000 mov edx,2
00413C06 |. E8 ADA40C00 call Image_To.004DE0B8
00413C0B |. 33D2 xor edx,edx
00413C0D |. 8B83 08050000 mov eax,dword ptr ds:[ebx+508]
00413C13 |. 8B08 mov ecx,dword ptr ds:[eax]
00413C15 |. FF51 64 call dword ptr ds:[ecx+64]
00413C18 |. 33D2 xor edx,edx
00413C1A |. 8B83 28050000 mov eax,dword ptr ds:[ebx+528]
00413C20 |. 8B08 mov ecx,dword ptr ds:[eax]
00413C22 |. FF51 64 call dword ptr ds:[ecx+64]
00413C25 |. FF4F 1C dec dword ptr ds:[edi+1C]
00413C28 |. 8D45 F8 lea eax,dword ptr ss:[ebp-8]
00413C2B |. BA 02000000 mov edx,2
00413C30 |. E8 83A40C00 call Image_To.004DE0B8
00413C35 |. FF4F 1C dec dword ptr ds:[edi+1C]
00413C38 |. 8D45 FC lea eax,dword ptr ss:[ebp-4]
00413C3B |. BA 02000000 mov edx,2
00413C40 |. E8 73A40C00 call Image_To.004DE0B8
00413C45 |. 8B0F mov ecx,dword ptr ds:[edi]
00413C47 |. 64:890D 00000>mov dword ptr fs:[0],ecx
00413C4E |> 5F pop edi
00413C4F |. 5E pop esi
00413C50 |. 5B pop ebx
00413C51 |. 8BE5 mov esp,ebp
00413C53 |. 5D pop ebp
00413C54 \. C3 retn
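
Added example, not part of the original post and not the vendor's code: the listing shows the program holding the expected registration code in a local buffer ([ebp-4C]) and passing it, together with the entered code, to one comparison call. The Python sketch below contrasts that pattern with a signature-based check in which the client holds only a public key and can never build the valid code. All names, the stand-in derivation, and the toy key (constructed from two Mersenne primes, far too small for real use) are assumptions; a real product would use Ed25519 or RSA-2048+ from a vetted library.

```python
import hashlib

# Constructed toy RSA key for illustration only (two Mersenne primes).
P, Q = 2**127 - 1, 2**89 - 1
N, E = P * Q, 65537                      # public part: ships in the client
D = pow(E, -1, (P - 1) * (Q - 1))        # private exponent: vendor side only

EMBEDDED_SECRET = b"hypothetical-secret"  # assumption: stands in for client-side key logic


def weak_expected_code(email: str) -> str:
    """Flawed pattern: the client can derive the valid code by itself."""
    h = hashlib.sha256(EMBEDDED_SECRET + email.encode()).hexdigest()
    return h[:16].upper()


def weak_check(email: str, code: str) -> bool:
    # The expected code exists in client memory right before this comparison.
    return code == weak_expected_code(email)


def _digest(email: str) -> int:
    d = hashlib.sha256(email.strip().lower().encode()).digest()
    return int.from_bytes(d, "big") % N


def vendor_issue(email: str) -> str:
    """Runs on the vendor's server: signs the email with the private exponent."""
    return format(pow(_digest(email), D, N), "x")


def client_verify(email: str, code: str) -> bool:
    """Runs in the client: needs only (N, E), never computes a valid code."""
    try:
        sig = int(code, 16)
    except ValueError:
        return False
    if not 0 < sig < N:
        return False
    return pow(sig, E, N) == _digest(email)
```

Signature checking removes the recoverable expected value but not the final conditional branch, so it is normally paired with integrity protection of the binary or server-side enforcement.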