PDF Password Remover 7.1 Reverse Engineering Tutorial
Website:
http://www.pdfpasswordremover.com/
Download address:
http://www.pdfpasswordremover.com/down/ppr.exe
Install it and check for a packer: there is none, and it is a VB program.
Load it in OllyDbg (OD), right-click -> Chinese Search Engine plugin -> Intelligent Search, enter "serial" and confirm.
Find 004FCF9C mov dword ptr ss:[ebp-0x98],PPR.004EDC80 Invaild Serial Code.
Double-click it to return to the main window.
Scroll up to 004FCF51 > \C745 FC 13000000 mov dword ptr ss:[ebp-0x4],0x13
Above it there is a jump that goes to 004FCF51:
004FCC28 . /74 0E je short PPR.004FCC38
004FCC2A . |C745 FC 06000000 mov dword ptr ss:[ebp-0x4],0x6
004FCC31 . |66:834D CC FF or word ptr ss:[ebp-0x34],0xFFFF
004FCC36 . |EB 31 jmp short PPR.004FCC69
004FCC38 > \C745 FC 09000000 mov dword ptr ss:[ebp-0x4],0x9
004FCC3F . 8D85 F8FEFFFF lea eax,dword ptr ss:[ebp-0x108]
004FCC45 . 50 push eax ; /TMPend8 = kernel32.BaseThreadInitThunk
004FCC46 . 8D85 08FFFFFF lea eax,dword ptr ss:[ebp-0xF8] ; |
004FCC4C . 50 push eax ; |TMPstep8 = kernel32.BaseThreadInitThunk
004FCC4D . 8D45 D0 lea eax,dword ptr ss:[ebp-0x30] ; |
004FCC50 . 50 push eax ; |Counter8 = kernel32.BaseThreadInitThunk
004FCC51 . E8 E253F0FF call <jmp.&MSVBVM60.__vbaVarForNext> ; \__vbaVarForNext
004FCC56 . 8985 E0FEFFFF mov dword ptr ss:[ebp-0x120],eax ; kernel32.BaseThreadInitThunk
004FCC5C > 83BD E0FEFFFF 00 cmp dword ptr ss:[ebp-0x120],0x0
004FCC63 .^ 0F85 86FEFFFF jnz PPR.004FCAEF
004FCC69 > C745 FC 0A000000 mov dword ptr ss:[ebp-0x4],0xA
004FCC70 . 66:837D CC FF cmp word ptr ss:[ebp-0x34],0xFFFF
004FCC75 . 0F85 D6020000 jnz PPR.004FCF51
From the analysis, the jump at 004FCC28 is the key one: it directly determines whether
004FCC2A . |C745 FC 06000000 mov dword ptr ss:[ebp-0x4],0x6
004FCC31 . |66:834D CC FF or word ptr ss:[ebp-0x34],0xFFFF
can execute, and it also affects
004FCC70 . 66:837D CC FF cmp word ptr ss:[ebp-0x34],0xFFFF
004FCC75 . 0F85 D6020000 jnz PPR.004FCF51
this jump: if the jump is taken, registration fails; if it is not taken, registration succeeds.
Searching for the immediate value 0xFFFF turns up one assignment that looks suspicious: 004F175C . |66:830D 28305000 FF or word ptr ds:[0x503028],0xFFFF
Go there:
004F174F /0F85 96050000 jnz PPR.004F1CEB
004F1755 . |C745 FC 1D000000 mov dword ptr ss:[ebp-0x4],0x1D
004F175C . |66:830D 28305000 FF or word ptr ds:[0x503028],0xFFFF
004F1764 . |C745 FC 1E000000 mov dword ptr ss:[ebp-0x4],0x1E
Set a breakpoint (F2) at 004F174F and run the program again. The program breaks there and the jnz is taken; we want it not to be taken, so simply NOP it out.
Those who are interested can set a hardware access breakpoint on memory address 0x503028; the program will then stop at the addresses below
004F9859 . 0FBF05 28305000 movsx eax,word ptr ds:[0x503028]
004F9860 . 85C0 test eax,eax
004F9862 . 0F85 38030000 jnz PPR.004F9BA0
The code below is too long; you can look through it yourself, so I skip ahead
004F9A55 . C745 80 90CE4E00 mov dword ptr ss:[ebp-0x80],PPR.004ECE90 ; Register
004F9A5C . C785 78FFFFFF 0800000>mov dword ptr ss:[ebp-0x88],0x8
004F9A66 . 8D95 78FFFFFF lea edx,dword ptr ss:[ebp-0x88]
004F9A6C . 8D4D B8 lea ecx,dword ptr ss:[ebp-0x48]
004F9A6F . E8 BA86F0FF call <jmp.&MSVBVM60.__vbaVarDup>
004F9A74 . C745 90 30D54E00 mov dword ptr ss:[ebp-0x70],PPR.004ED530 ; Trial version expired. Please register to continue using the product.
This shows we are headed toward success. Well, my skills are limited, so I can only patch it and cannot trace the key.
Patch address and code:
Original code
004F174F /0F85 96050000 jnz PPR.004F1CEB
Binary code
0F 85 96 05 00 00
Patched code
004F174F 90 nop
004F1750 90 nop
004F1751 90 nop
004F1752 90 nop
004F1753 90 nop
004F1754 90 nop
Patched binary code
90 90 90 90 90 90
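To see where the numbers in the listing come from, here is an added example (my own code, not part of the tutorial) that decodes the two conditional-jump encodings shown above, the short "74 0E" at 004FCC28 and the near "0F 85 rel32" at 004F174F, computes their targets from the end-of-instruction-relative displacement, and checks that the six NOPs are the same length as the instruction they replace. It handles the whole jcc family, not just the two cases on the page.

```python
# Added example (not from the tutorial): decode x86 conditional jumps as they
# appear in the OllyDbg listing and verify that a replacement keeps the
# original byte length, so the instructions after it are not shifted.
import struct

# Condition-code names in OllyDbg's spelling, indexed by the low nibble of the opcode.
CC_NAMES = ["jo", "jno", "jb", "jae", "je", "jnz", "jbe", "ja",
            "js", "jns", "jpe", "jpo", "jl", "jge", "jle", "jg"]


def decode_jcc(addr: int, code: bytes) -> dict:
    """Decode a conditional jump located at virtual address `addr`.

    Short form:  7x rel8      (2 bytes)
    Near form:   0F 8x rel32  (6 bytes)
    The signed displacement is relative to the END of the instruction.
    """
    if code[0] & 0xF0 == 0x70:
        length, cc = 2, code[0] & 0x0F
        rel = struct.unpack_from("<b", code, 1)[0]
    elif code[0] == 0x0F and code[1] & 0xF0 == 0x80:
        length, cc = 6, code[1] & 0x0F
        rel = struct.unpack_from("<i", code, 2)[0]
    else:
        raise ValueError("not a jcc encoding")
    return {"mnemonic": CC_NAMES[cc], "length": length,
            "target": (addr + length + rel) & 0xFFFFFFFF}


def same_length_patch(original: bytes, replacement: bytes) -> bool:
    """A patch must not change the byte length; otherwise every address after
    it (and every relative jump that lands there) would be off."""
    return len(original) == len(replacement)


# Bytes exactly as listed in the tutorial.
JE_SHORT = bytes.fromhex("740E")          # 004FCC28  je short 004FCC38
JNZ_NEAR = bytes.fromhex("0F8596050000")  # 004F174F  jnz 004F1CEB
NOP_PATCH = b"\x90" * 6                   # the six NOPs from the patch table

if __name__ == "__main__":
    for addr, code in ((0x004FCC28, JE_SHORT), (0x004F174F, JNZ_NEAR)):
        d = decode_jcc(addr, code)
        print(f"{addr:08X} {d['mnemonic']:<4} -> {d['target']:08X} ({d['length']} bytes)")
    print("patch keeps length:", same_length_patch(JNZ_NEAR, NOP_PATCH))
```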
Tutorial and related materials download address: