PDFtoMusic Pro V1.4.2C crack (jump patching)
http://www.myriad-online.com/en/products/pdftomusicpro.htm
【Reversing process】
The program is not packed. Search for referenced strings directly in OD, find "already registered", and after jumping to it the other relevant strings are visible nearby:
0045D82D|> \53 push ebx ; /Arg2
0045D82E|.68 94327200 push 00723294 ; |Unknown format %s\n
0045D833|.E8 98F2FFFF call 0045CAD0 ; \PDFToMus.0045CAD0
0045D838|.83C4 08 add esp, 0x8
0045D83B|.6A FE push -0x2
0045D83D|.E8 14E12300 call 0069B956
0045D842|>68 D4337200 push 007233D4 ; /PDFtoMusic: wrong registration number\n
0045D847|.E8 84F2FFFF call 0045CAD0 ; \PDFToMus.0045CAD0
0045D84C|.83C4 04 add esp, 0x4
0045D84F|.6A FC push -0x4
0045D851|.E8 00E12300 call 0069B956
0045D856|>68 FC337200 push 007233FC ; /PDFtoMusic: already registered\n
0045D85B|.E8 70F2FFFF call 0045CAD0 ; \PDFToMus.0045CAD0
0045D860|.83C4 04 add esp, 0x4
Look at the jump to "already registered" and keep locating:
007233FC=007233FC (ASCII "PDFtoMusic: already registered",LF)
The jump comes from 0045D49F
0045D46F|> \813F 2D70736E |cmp dword ptr [edi], 0x6E73702D ; ASCII "-psn"
0045D475|.0F84 84000000 |je 0045D4FF
0045D47B|.68 7C337200 |push 0072337C ;-register
0045D480|.57 |push edi
0045D481|.E8 5A0E2400 |call 0069E2E0
0045D486|.83C4 08 |add esp, 0x8
0045D489|.85C0 |test eax, eax
0045D48B|.75 64 |jnz short 0045D4F1
0045D48D|.B8 2801D400 |mov eax, 00D40128
0045D492|.E8 29CB0700 |call 004D9FC0
0045D497|.66:85C0 |test ax, ax
0045D49A|.0F94C0 |sete al
0045D49D|.84C0 |test al, al
0045D49F|.0F85 B1030000 |jnz 0045D856
Debugging and tracing again, the algorithm comparison is found at:
0045D492|.E8 29CB0700 |call 004D9FC0
0045D497|.66:85C0 |test ax, ax
0045D49A|.0F94C0 |sete al
0045D49D|.84C0 |test al, al
0045D49F|.0F85 B1030000 |jnz 0045D856
Step into 004D9FC0 to find the core location:
004D9FC0/$56 push esi
004D9FC1|.8BF0 mov esi, eax
004D9FC3|.33D2 xor edx, edx
004D9FC5|.33C0 xor eax, eax
004D9FC7|.803E 5A cmp byte ptr [esi], 0x5A ; character 1 must be 0x5A "Z"
004D9FCA|.74 05 je short 004D9FD1
004D9FCC|.8D42 01 lea eax, dword ptr [edx+1]
004D9FCF|.5E pop esi
004D9FD0|.C3 retn
004D9FD1|>807E 01 50 cmp byte ptr [esi+1], 0x50 ; character 2 must be 0x50 "P"
004D9FD5|.74 07 je short 004D9FDE
004D9FD7|.B8 02000000 mov eax, 0x2
004D9FDC|.5E pop esi
004D9FDD|.C3 retn
004D9FDE|>57 push edi
004D9FDF|.90 nop
004D9FE0|>8A0E /mov cl, byte ptr [esi] ; stack pane: ds:[esi]=5A ('Z')
004D9FE2|.84C9 |test cl, cl
004D9FE4|.0F84 88000000 |je 004DA072
004D9FEA|.66:0FBEC9 |movsx cx, cl
004D9FEE|.0FB7C9 |movzx ecx, cx
004D9FF1|.66:83F9 41 |cmp cx, 0x41
004D9FF5|.7C 06 |jl short 004D9FFD
004D9FF7|.66:83F9 5A |cmp cx, 0x5A
004D9FFB|.7E 15 |jle short 004DA012
004D9FFD|>66:83F9 61 |cmp cx, 0x61
004DA001|.7C 06 |jl short 004DA009
004DA003|.66:83F9 7A |cmp cx, 0x7A
004DA007|.7E 09 |jle short 004DA012
004DA009|>8D79 D0 |lea edi, dword ptr [ecx-0x30]
004DA00C|.66:83FF 09 |cmp di, 0x9
004DA010|.77 40 |ja short 004DA052
004DA012|>66:83F9 38 |cmp cx, 0x38
004DA016|.75 07 |jnz short 004DA01F
004DA018|.B9 42000000 |mov ecx, 0x42
004DA01D|.EB 25 |jmp short 004DA044
004DA01F|>66:83F9 30 |cmp cx, 0x30
004DA023|.75 07 |jnz short 004DA02C
004DA025|.B9 4F000000 |mov ecx, 0x4F
004DA02A|.EB 18 |jmp short 004DA044
004DA02C|>66:83F9 31 |cmp cx, 0x31
004DA030|.75 07 |jnz short 004DA039
004DA032|.B9 49000000 |mov ecx, 0x49
004DA037|.EB 0B |jmp short 004DA044
004DA039|>66:83F9 35 |cmp cx, 0x35
004DA03D|.75 05 |jnz short 004DA044
004DA03F|.B9 53000000 |mov ecx, 0x53
004DA044|>6BC0 61 |imul eax, eax, 0x61 ; accumulator: eax = eax*0x61, starts at 0
004DA047|.81E1 DF000000 |and ecx, 0xDF ; 0x5A AND 0xDF (clears bit 5, folding lowercase to uppercase)
004DA04D|.03C8 |add ecx, eax ; 0x5A + 0, accumulate
004DA04F|.8BC1 |mov eax, ecx ; ecx=0000005A
004DA051|.42 |inc edx
004DA052|>46 |inc esi
004DA053|.66:83FA 19 |cmp dx, 0x19 ; code length 0x19: the first 25 characters are accumulated
004DA057|.^ 7C 87 \jl short 004D9FE0
004DA059|.8A0E mov cl, byte ptr [esi]
004DA05B|.84C9 test cl, cl
004DA05D|.74 13 je short 004DA072
004DA05F|.90 nop
004DA060|>80F9 30 /cmp cl, 0x30
004DA063|.7C 05 |jl short 004DA06A
004DA065|.80F9 39 |cmp cl, 0x39
004DA068|.7E 08 |jle short 004DA072
004DA06A|>8A4E 01 |mov cl, byte ptr [esi+1]
004DA06D|.46 |inc esi
004DA06E|.84C9 |test cl, cl
004DA070|.^ 75 EE \jnz short 004DA060
004DA072|>25 FFFF0000 and eax, 0xFFFF
004DA077|.99 cdq
004DA078|.B9 64000000 mov ecx, 0x64
004DA07D|.F7F9 idiv ecx
004DA07F|.0FBE3E movsx edi, byte ptr [esi]
004DA082|.B8 67666666 mov eax, 0x66666667
004DA087|.8BCA mov ecx, edx
004DA089|.F7E9 imul ecx
004DA08B|.C1FA 02 sar edx, 0x2
004DA08E|.8BC2 mov eax, edx
004DA090|.C1E8 1F shr eax, 0x1F
004DA093|.03C2 add eax, edx
004DA095|.8D50 30 lea edx, dword ptr [eax+0x30] ; compared with character 26
004DA098|.3BD7 cmp edx, edi
004DA09A|.5F pop edi
004DA09B|.75 16 jnz short 004DA0B3
004DA09D|.0FBE56 01 movsx edx, byte ptr [esi+1]
004DA0A1|.8D0480 lea eax, dword ptr [eax+eax*4]
004DA0A4|.03C0 add eax, eax
004DA0A6|.2BC8 sub ecx, eax
004DA0A8|.83C1 30 add ecx, 0x30
004DA0AB|.3BCA cmp ecx, edx ; compared with character 27
004DA0AD|.75 04 jnz short 004DA0B3 ; invalid code: EAX=4, valid code: EAX=0
004DA0AF|.33C0 xor eax, eax
004DA0B1|.5E pop esi
004DA0B2|.C3 retn
004DA0B3 B8 04000000 mov eax, 0x4
004DA0B8|.5E pop esi
004DA0B9\.C3 retn
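Added illustration (not part of the original post, and not the program's own source): the tail of the routine above, from `and eax, 0xFFFF` through the two `cmp` instructions, is the compiler's expansion of a `% 100` followed by a division by 10 done with the magic multiplier 0x66666667. The C below reproduces that instruction sequence step by step and checks it against plain division, so the last two comparisons can be read as ordinary decimal arithmetic. Function names and the sample value 0x1234 are my own choices, not taken from the program.

```c
#include <stdint.h>
#include <stdio.h>

/* Reproduce the instruction sequence
 *   mov eax, 0x66666667 ; imul ecx ; sar edx, 0x2 ; mov eax, edx ; shr eax, 0x1F ; add eax, edx
 * literally: a signed 32x32->64 multiply, take the high dword, arithmetic shift by 2,
 * then add the sign bit back so negative inputs round toward zero like C division. */
int32_t magic_div10(int32_t x)
{
    int64_t prod = (int64_t)x * (int64_t)0x66666667; /* imul ecx: edx:eax = eax * ecx */
    int32_t hi = (int32_t)(prod >> 32);              /* edx = high dword of the product */
    hi >>= 2;                                        /* sar edx, 0x2 (arithmetic shift on mainstream compilers) */
    uint32_t sign = (uint32_t)hi >> 31;              /* shr eax, 0x1F: 1 when the quotient is negative */
    return hi + (int32_t)sign;                       /* add eax, edx: truncating x / 10 */
}

/* Verify the idiom against plain C division over [lo, hi]; returns 1 if every value agrees. */
int magic_div10_matches(int32_t lo, int32_t hi)
{
    for (int32_t x = lo; x <= hi; x++)
        if (magic_div10(x) != x / 10)
            return 0;
    return 1;
}

/* and eax, 0xFFFF ; cdq ; mov ecx, 0x64 ; idiv ecx  -> remainder mod 100 left in edx.
 * After the mask the value is non-negative, so cdq zeroes edx and idiv behaves like %. */
int rem100(uint32_t acc)
{
    return (int32_t)(acc & 0xFFFF) % 100;
}

/* Tens digit: the 0x66666667 sequence applied to the remainder. */
int rem100_tens(uint32_t acc)
{
    return magic_div10(rem100(acc));
}

/* Ones digit: lea eax,[eax+eax*4] ; add eax,eax ; sub ecx,eax  -> rem - 10*tens */
int rem100_ones(uint32_t acc)
{
    int tens = rem100_tens(acc);
    return rem100(acc) - (tens + tens * 4) * 2;
}

int main(void)
{
    uint32_t acc = 0x1234; /* constructed sample accumulator value, not one from the program */
    printf("idiom matches x/10 on [-100000,100000]: %d\n", magic_div10_matches(-100000, 100000));
    printf("acc=0x%X -> rem100=%d tens=%d ones=%d\n",
           acc, rem100(acc), rem100_tens(acc), rem100_ones(acc));
    return 0;
}
```

Recognising this pattern saves time whenever a checksum routine ends in an `imul` by 0x66666667: it is `/ 10`, and the `lea`/`add`/`sub` that follows is the matching `% 10`.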
Just NOP out 004DA0AD,
or change 004DA0B3 to xor eax, eax and NOP the leftover bytes.
Save, start the program and enter registration information; it asks whether to register with the current information. Confirm, then open About: the registration information has been saved and is displayed.
Restart the program: the registration nag is gone, and the title bar and About dialog show it as registered.
But when using the features it still reports trial-version limits, so continue analysing with OD:
The core of the trial message shown during playback is at:
004D8D20/.55 push ebp
004D8D21|.8BEC mov ebp, esp
004D8D23|.57 push edi
004D8D24|.8B7D 08 mov edi, dword ptr [ebp+8]
004D8D27|.E8 24990000 call 004E2650
004D8D2C|.66:85C0 test ax, ax
004D8D2F|.0F94C0 sete al
004D8D32|.5F pop edi
004D8D33|.5D pop ebp
004D8D34\.C3 retn
Stepping in: the program compares the processed registration data and jumps away when they differ; just NOP it.
004E2650 55 push ebp
004E2651 8BEC mov ebp, esp
004E2653 83EC 18 sub esp, 0x18
004E2656 A1 74A27400 mov eax, dword ptr [0x74A274]
004E265B 33C5 xor eax, ebp
004E265D 8945 FC mov dword ptr [ebp-0x4], eax
004E2660 803F 5A cmp byte ptr [edi], 0x5A // again compares character 1 of the registration code
004E2663 74 13 je short 004E2678
004E2665 B8 01000000 mov eax, 0x1
004E266A 8B4D FC mov ecx, dword ptr [ebp-0x4]
004E266D 33CD xor ecx, ebp
004E266F E8 AB8B1B00 call 0069B21F
004E2674 8BE5 mov esp, ebp
004E2676 5D pop ebp
004E2677 C3 retn
004E2678 807F 01 50 cmp byte ptr [edi+1], 0x50 // again compares character 2 of the registration code
004E267C 74 13 je short 004E2691
004E267E B8 02000000 mov eax, 0x2
004E2683 8B4D FC mov ecx, dword ptr [ebp-0x4]
004E2686 33CD xor ecx, ebp
004E2688 E8 928B1B00 call 0069B21F
004E268D 8BE5 mov esp, ebp
004E268F 5D pop ebp
004E2690 C3 retn
004E2691 53 push ebx
004E2692 8D47 02 lea eax, dword ptr [edi+2]
004E2695 56 push esi
004E2696 50 push eax
004E2697 8D5D F0 lea ebx, dword ptr [ebp-0x10]
004E269A E8 C1FDFFFF call 004E2460
004E269F 0FB64D F0 movzx ecx, byte ptr [ebp-0x10]
004E26A3 0FB645 F1 movzx eax, byte ptr [ebp-0xF]
004E26A7 BA 00010000 mov edx, 0x100
004E26AC 66:0FAFCA imul cx, dx
004E26B0 66:2BC1 sub ax, cx
004E26B3 66:C1E0 06 shl ax, 0x6
004E26B7 66:8BC8 mov cx, ax
004E26BA 8A45 F2 mov al, byte ptr [ebp-0xE]
004E26BD 8AD0 mov dl, al
004E26BF C0EA 02 shr dl, 0x2
004E26C2 0FB6D2 movzx edx, dl
004E26C5 66:03CA add cx, dx
004E26C8 BA 593A0000 mov edx, 0x3A59
004E26CD 66:33CA xor cx, dx
004E26D0 BA FF7F0000 mov edx, 0x7FFF
004E26D5 66:23CA and cx, dx
004E26D8 0FB7D9 movzx ebx, cx
004E26DB 24 03 and al, 0x3
004E26DD 8845 F2 mov byte ptr [ebp-0xE], al
004E26E0 8D75 E8 lea esi, dword ptr [ebp-0x18]
004E26E3 8D4D F2 lea ecx, dword ptr [ebp-0xE]
004E26E6 8BC3 mov eax, ebx
004E26E8 66:C745 F0 0000 mov word ptr [ebp-0x10], 0x0
004E26EE E8 9DFCFFFF call 004E2390
004E26F3 0FB607 movzx eax, byte ptr [edi] ; |
004E26F6 8A4F 01 mov cl, byte ptr [edi+1] ; |
004E26F9 50 push eax ; |Arg1
004E26FA 8D75 F0 lea esi, dword ptr [ebp-0x10] ; |
004E26FD 8BC3 mov eax, ebx ; |
004E26FF E8 2CFEFFFF call 004E2530 ; \PDFToMus.004E2530
004E2704 8B4D F0 mov ecx, dword ptr [ebp-0x10]
004E2707 83C4 08 add esp, 0x8
004E270A 5E pop esi
004E270B 5B pop ebx
004E270C 3B4D E8 cmp ecx, dword ptr [ebp-0x18] ; from here on the computed values are compared; any mismatch means unregistered, so NOP them all
004E270F 75 28 jnz short 004E2739 //NOP
004E2711 8A55 EC mov dl, byte ptr [ebp-0x14]
004E2714 3A55 F4 cmp dl, byte ptr [ebp-0xC]
004E2717 75 20 jnz short 004E2739 //NOP
004E2719 8A45 ED mov al, byte ptr [ebp-0x13]
004E271C 3A45 F5 cmp al, byte ptr [ebp-0xB]
004E271F 75 18 jnz short 004E2739 //NOP
004E2721 8A4D EE mov cl, byte ptr [ebp-0x12]
004E2724 3A4D F6 cmp cl, byte ptr [ebp-0xA]
004E2727 75 10 jnz short 004E2739 //NOP
004E2729 33C0 xor eax, eax
004E272B 8B4D FC mov ecx, dword ptr [ebp-0x4]
004E272E 33CD xor ecx, ebp
004E2730 E8 EA8A1B00 call 0069B21F
004E2735 8BE5 mov esp, ebp
004E2737 5D pop ebp
004E2738 C3 retn
004E2739 8B4D FC mov ecx, dword ptr [ebp-0x4]
004E273C 33CD xor ecx, ebp
004E273E B8 04000000 mov eax, 0x4
004E2743 E8 D78A1B00 call 0069B21F
004E2748 8BE5 mov esp, ebp
004E274A 5D pop ebp
004E274B C3 retn
Save, run, and check playback: test OK.
By eye, the playback and one-page export limits are gone. My English isn't great, but the restrictions below should be gone too.
The "Pro version" includes options and features that are not present in the "Standard" version:
- Batch file export, to convert in only one operation all PDF files from a folder and its subfolders.
- "Expert" mode to manually override individual default processing settings in order to have more precise control.
- Export in MusicXML format in order to preserve the score sheet layout when importing into one of the numerous programs that support this format.
===========================================
The most direct patch is as follows:
004D8D20 33C0 xor eax, eax
004D8D22 B0 01 mov al, 0x1
004D8D24 C3 retn
004D8D25 90 nop
004D8D26 90 nop
004D8D27|.E8 24990000 call 004E2650
004D8D2C|.66:85C0 test ax, ax
004D8D2F|.0F94C0 sete al
004D8D32|.5F pop edi
004D8D33|.5D pop ebp
004D8D34\.C3 retn
004D8D40 33C0 xor eax, eax
004D8D42 B0 01 mov al, 0x1
004D8D44 C3 retn
004D8D45 90 nop
004D8D46|.E8 75120000 call 004D9FC0
004D8D4B|.66:85C0 test ax, ax
004D8D4E|.0F94C0 sete al
004D8D51|.5D pop ebp
004D8D52\.C3 retn
Functions tested fine.
If some function has not been tested yet, the most thorough patch is to make 004D9FC0 and 004E2650 return EAX=0 directly.
Respect to the algorithm master; please post more tutorials for us to learn from... thanks for sharing
Thanks to OP for sharing; finally able to log in again.....
Learned something, thanks for sharing!
A textbook on algorithms. 0.0
Bowing to the algorithm god, thanks for sharing
So how exactly is this done? After downloading and installing the software, how do you reverse it? OP, how do you actually carry out this reversing? Asking the experts for detailed step-by-step guidance, thanks
Studying a fairly old tutorial