AutoDWG PDF Converter V3.2.2.3简单分析

发布时间:2024-07-28 18:43

【破文标题】AutoDWG PDF Converter V3.2.2.3简单分析
【破文作者】冰糖[BST]
【作者邮箱】bthulu#gmail.com
【作者主页】
【破解工具】peid0.94+OD
【破解平台】XPsp3
【软件名称】AutoDWG DWG2PDF Converter
【软件大小】6.66 MB
【原版下载】
【保护方式】注册码
【软件简介】AutoDWG DWG to PDF Converter allows you to convert DWG to PDF, DXF to PDF, DWF to PDF directly, NO AutoCAD required, batch conversion supported.
【破解声明】本文仅供研究学习,本人对因这篇文章而导致的一切后果,不承担任何法律责任。本文中的不足之处
------------------------------------------------------------------------
【破解过程】好久没破解,今天想把自己的CAD图纸转换成PDF格式的,就百度到这个软件,15天试用限制

准备好工具,下面开始动工

PEID查壳:无壳,编译器为 Microsoft Visual C++ 6.0

OD载入,运行,输入假码确定,弹出窗口提示“register failed!”
查找字符串,双击进入
; Registration-dialog handler (OllyDbg listing, 32-bit x86, binary links MFC42).
; ecx on entry is stored at [ebp-4] and reloaded before every member call
; (presumably the dialog's `this` pointer, thiscall -- confirm).
; Fields used below: [this+3B0] = registration-code string,
;                    [this+3B4] = e-mail string,
;                    [this+3B8] = dword set to 1 when the code is accepted.
; Flow: empty/format checks on both fields, then 0044F86A(email, code);
; only the low byte of that call's return value selects success or failure.
; NOTE(review): the whole accept/reject decision is made locally in this handler.
0041518E/.55pushebp;breakpoint set here by the author (F2)
0041518F|.8BECmov ebp, esp
00415191|.51pushecx
00415192|.894D FC mov dword ptr [ebp-4], ecx
00415195|.6A 01 push1
00415197|.8B4D FC mov ecx, dword ptr [ebp-4]
0041519A|.E8 7DBA4600 call<jmp.&MFC42.#6334> ; MFC42 ordinal 6334 with argument 1 (presumably UpdateData(TRUE) -- confirm)
0041519F|.6A 00 push0
004151A1|.68 384BAB00 push00AB4B38
004151A6|.8B4D FC mov ecx, dword ptr [ebp-4]
004151A9|.81C1 B0030000 add ecx, 3B0
004151AF|.E8 88BB4600 call<jmp.&MFC42.#6877> ; applied to the code string at this+3B0; purpose not visible in this listing
004151B4|.8B4D FC mov ecx, dword ptr [ebp-4]
004151B7|.81C1 B4030000 add ecx, 3B4
004151BD|.E8 FEC8FEFF call00401AC0
004151C2|.85C0testeax, eax ;was an e-mail entered? (eax == 0 -> continue at 004151DF)
004151C4|.74 19 jeshort 004151DF
004151C6|.6A 00 push0
004151C8|.68 3C4BAB00 push00AB4B3C ;autodwgdwg2pdf
004151CD|.68 4C4BAB00 push00AB4B4C ;please input your email!
004151D2|.8B4D FC mov ecx, dword ptr [ebp-4]
004151D5|.E8 D8BD4600 call<jmp.&MFC42.#4224> ; shows the message pushed above (presumably a message box -- confirm)
004151DA|.E9 F8000000 jmp 004152D7 ; leave through the epilogue
004151DF|>6A 00 push0
004151E1|.68 684BAB00 push00AB4B68 ;@
004151E6|.8B4D FC mov ecx, dword ptr [ebp-4]
004151E9|.81C1 B4030000 add ecx, 3B4
004151EF|.E8 B8BD4600 call<jmp.&MFC42.#6663> ; called on the e-mail string with ("@", 0)
004151F4|.85C0testeax, eax ;e-mail format check
004151F6|.7F 14 jgshort 0041520C ; signed result > 0 -> format accepted
004151F8|.6A 00 push0
004151FA|.68 6C4BAB00 push00AB4B6C ;autodwgdwg2pdf
004151FF|.68 7C4BAB00 push00AB4B7C ;please input correct email address.
00415204|.8B4D FC mov ecx, dword ptr [ebp-4]
00415207|.E8 A6BD4600 call<jmp.&MFC42.#4224> ; no jmp follows: after this message, flow falls through to the code check below
0041520C|>8B4D FC mov ecx, dword ptr [ebp-4]
0041520F|.81C1 B0030000 add ecx, 3B0
00415215|.E8 A6C8FEFF call00401AC0
0041521A|.85C0testeax, eax ;was a registration code entered? (eax == 0 -> continue at 00415237)
0041521C|.74 19 jeshort 00415237
0041521E|.6A 00 push0
00415220|.68 A04BAB00 push00AB4BA0 ;autodwgdwg2pdf
00415225|.68 B04BAB00 push00AB4BB0 ;please input the register code!
0041522A|.8B4D FC mov ecx, dword ptr [ebp-4]
0041522D|.E8 80BD4600 call<jmp.&MFC42.#4224>
00415232|.E9 A0000000 jmp 004152D7 ; leave through the epilogue
00415237|>8B4D FC mov ecx, dword ptr [ebp-4]
0041523A|.E8 EFB94600 call<jmp.&MFC42.#1669>
0041523F|.8B4D FC mov ecx, dword ptr [ebp-4]
00415242|.81C1 B0030000 add ecx, 3B0
00415248|.E8 23C9FEFF call00401B70
0041524D|.50pusheax;second argument: the code; author's invalid test code 98765432101234567890123456
0041524E|.8B4D FC mov ecx, dword ptr [ebp-4]
00415251|.81C1 B4030000 add ecx, 3B4
00415257|.E8 14C9FEFF call00401B70
0041525C|.50pusheax;first argument: the e-mail; author's value bthulu@gmail.com
0041525D|.E8 08A60300 call0044F86A ;validation routine (the author stepped into it with F7)
00415262|.83C4 08 add esp, 8 ; caller removes the two arguments
00415265|.25 FF000000 and eax, 0FF ; keep only the low byte of the result
0041526A|.85C0testeax, eax
0041526C|.74 4D jeshort 004152BB ; low byte == 0 -> "register failed!" path
0041526E|.8B4D FC mov ecx, dword ptr [ebp-4]
00415271|.E8 94B94600 call<jmp.&MFC42.#4853>
00415276|.8B45 FC mov eax, dword ptr [ebp-4]
00415279|.C780 B8030000 0>mov dword ptr [eax+3B8], 1 ; mark as accepted in [this+3B8]
00415283|.8B4D FC mov ecx, dword ptr [ebp-4]
00415286|.83B9 B8030000 0>cmp dword ptr [ecx+3B8], 0 ; re-reads the dword that was set to 1 two instructions earlier
0041528D|.74 16 jeshort 004152A5 ; NOTE(review): looks unreachable from here given the store above
0041528F|.6A 00 push0
00415291|.68 D04BAB00 push00AB4BD0 ;autodwgdwg2pdf
00415296|.68 E04BAB00 push00AB4BE0 ;thank you, registered succeed !
0041529B|.8B4D FC mov ecx, dword ptr [ebp-4]
0041529E|.E8 0FBD4600 call<jmp.&MFC42.#4224>
004152A3|.EB 14 jmp short 004152B9
004152A5|>6A 00 push0
004152A7|.68 004CAB00 push00AB4C00 ;autodwgdwg2pdf
004152AC|.68 104CAB00 push00AB4C10 ;thank you, registered fail !
004152B1|.8B4D FC mov ecx, dword ptr [ebp-4]
004152B4|.E8 F9BC4600 call<jmp.&MFC42.#4224>
004152B9|>EB 1C jmp short 004152D7
004152BB|>6A 00 push0
004152BD|.68 304CAB00 push00AB4C30 ;autodwgdwg2pdf
004152C2|.68 404CAB00 push00AB4C40 ;register failed!
004152C7|.8B4D FC mov ecx, dword ptr [ebp-4]
004152CA|.E8 E3BC4600 call<jmp.&MFC42.#4224>
004152CF|.8B4D FC mov ecx, dword ptr [ebp-4]
004152D2|.E8 4BB94600 call<jmp.&MFC42.#2652>
004152D7|>8BE5mov esp, ebp ; common epilogue for every path
004152D9|.5Dpop ebp
004152DA\.C3retn



; Validation routine called from 0041525D with (email, code); the caller
; cleans the stack. Excerpt only: the listing stops before the epilogue.
; [ebp+8]  = e-mail argument -- never read anywhere in this excerpt.
; [ebp+C]  = registration-code argument.
; [ebp-14] = result byte: initialised to 1, cleared on the failure paths below
;            (presumably returned to the caller -- the return is not shown).
; After an accepted code, the code is written as value "key" through two
; registry-wrapper objects: root 80000002 (HKEY_LOCAL_MACHINE) and then
; root 80000001 (HKEY_CURRENT_USER), each under the path string shown below.
0044F86A/$55pushebp
0044F86B|.8BECmov ebp, esp
0044F86D|.6A FF push-1
0044F86F|.68 2BD49500 push0095D42B ;SEH handler installation
0044F874|.64:A1 00000000mov eax, dword ptr fs:[0]
0044F87A|.50pusheax
0044F87B|.64:8925 0000000>mov dword ptr fs:[0], esp
0044F882|.83EC 14 sub esp, 14
0044F885|.C645 EC 01mov byte ptr [ebp-14], 1 ; result byte starts as 1
0044F889|.8B45 0C mov eax, dword ptr [ebp+C] ;the code; author's invalid test code 98765432101234567890123456
0044F88C|.50pusheax
0044F88D|.8D4D F0 lea ecx, dword ptr [ebp-10]
0044F890|.E8 B1164300 call<jmp.&MFC42.#537> ; builds a string object at [ebp-10] from the code (presumably CString(const char*) -- confirm)
0044F895|.C745 FC 0000000>mov dword ptr [ebp-4], 0 ; SEH state index
0044F89C|.8B4D 0C mov ecx, dword ptr [ebp+C]
0044F89F|.51pushecx
0044F8A0|.E8 36040000 call0044FCDB ;key validation call, receives only the code
0044F8A5|.83C4 04 add esp, 4
0044F8A8|.25 FF000000 and eax, 0FF ; only the low byte of the result is used
0044F8AD|.85C0testeax, eax
0044F8AF|.75 19 jnz short 0044F8CA ; nonzero -> accepted, continue with the registry writes
0044F8B1|.8B55 0C mov edx, dword ptr [ebp+C]
0044F8B4|.52pushedx
0044F8B5|.E8 C3130000 call00450C7D ; second check on the same code; body not shown on this page
0044F8BA|.83C4 04 add esp, 4
0044F8BD|.85C0testeax, eax
0044F8BF|.75 09 jnz short 0044F8CA ;not taken -> validation fails
0044F8C1|.C645 EC 00mov byte ptr [ebp-14], 0 ; both checks rejected the code
0044F8C5E9 A8000000 jmp 0044F972 ; target lies outside this excerpt
0044F8CA|>8D4D E8 lea ecx, dword ptr [ebp-18]
0044F8CD|.E8 8E15FDFF call00420E60 ; initialises the object at [ebp-18] (used by the registry calls below)
0044F8D2|.C645 FC 01mov byte ptr [ebp-4], 1
0044F8D6|.6A 00 push0
0044F8D8|.6A 00 push0
0044F8DA|.68 3F000F00 push0F003F ; 0F003F is the value of KEY_ALL_ACCESS
0044F8DF|.6A 00 push0;the registration data is saved to the registry below
0044F8E1|.6A 00 push0
0044F8E3|.68 88A1AB00 push00ABA188 ;software\autodwg\dwg_pdf_conver
0044F8E8|.68 02000080 push80000002 ; 80000002 is the value of HKEY_LOCAL_MACHINE
0044F8ED|.8D4D E8 lea ecx, dword ptr [ebp-18]
0044F8F0|.E8 DB180000 call004511D0 ; opens/creates the key (wrapper; body not shown)
0044F8F5|.85C0testeax, eax
0044F8F7|.75 19 jnz short 0044F912 ; nonzero -> skip the write
0044F8F9|.68 A8A1AB00 push00ABA1A8 ;key
0044F8FE|.8B45 0C mov eax, dword ptr [ebp+C]
0044F901|.50pusheax
0044F902|.8D4D E8 lea ecx, dword ptr [ebp-18]
0044F905|.E8 36190000 call00451240 ; called with (code, "key") on the opened key
0044F90A|.85C0testeax, eax
0044F90C|.74 04 jeshort 0044F912
0044F90E|.C645 EC 00mov byte ptr [ebp-14], 0 ; nonzero from 00451240 clears the result byte
0044F912|>8D4D E4 lea ecx, dword ptr [ebp-1C]
0044F915|.E8 4615FDFF call00420E60 ; second object of the same kind, at [ebp-1C]
0044F91A|.C645 FC 02mov byte ptr [ebp-4], 2
0044F91E|.6A 00 push0
0044F920|.6A 00 push0
0044F922|.68 3F000F00 push0F003F
0044F927|.6A 00 push0
0044F929|.6A 00 push0
0044F92B|.68 ACA1AB00 push00ABA1AC ;software\autodwg\dwg_pdf_conver
0044F930|.68 01000080 push80000001 ; 80000001 is the value of HKEY_CURRENT_USER
0044F935|.8D4D E4 lea ecx, dword ptr [ebp-1C]
0044F938|.E8 93180000 call004511D0
0044F93D|.85C0testeax, eax
0044F93F|.75 19 jnz short 0044F95A
0044F941|.68 CCA1AB00 push00ABA1CC ;key
0044F946|.8B4D 0C mov ecx, dword ptr [ebp+C]
0044F949|.51pushecx

; Code check called from 0044F8A0 with one argument, [ebp+8] = the code string.
; Excerpt only: the listing stops before the function's exits.
; Steps visible here: the length must be 0x1A (26) characters; the code is
; passed by value to 0045090C; the returned string is stored in [ebp-14] and
; compared with the constant string at 00ABA24C by 004162A0.
; No user-specific input (such as the e-mail) reaches this routine.
0044FCDB/$55pushebp
0044FCDC|.8BECmov ebp, esp
0044FCDE|.6A FF push-1
0044FCE0|.68 85D49500 push0095D485 ;SEH handler installation
0044FCE5|.64:A1 00000000mov eax, dword ptr fs:[0]
0044FCEB|.50pusheax
0044FCEC|.64:8925 0000000>mov dword ptr fs:[0], esp
0044FCF3|.83EC 24 sub esp, 24
0044FCF6|.8B45 08 mov eax, dword ptr [ebp+8]
0044FCF9|.50pusheax; /s
0044FCFA|.E8 F7174300 call<jmp.&MSVCRT.strlen> ; \strlen
0044FCFF|.83C4 04 add esp, 4
0044FD02|.83F8 1A cmp eax, 1A;is the code exactly 26 (0x1A) characters long?
0044FD0574 07 jeshort 0044FD0E ;not taken -> validation fails
0044FD07|.32C0xor al, al ; result byte = 0 (rejected)
0044FD09|.E9 BF000000 jmp 0044FDCD ; target lies outside this excerpt
0044FD0E|>8B4D 08 mov ecx, dword ptr [ebp+8]
0044FD11|.51pushecx
0044FD12|.8D4D F0 lea ecx, dword ptr [ebp-10]
0044FD15|.E8 2C124300 call<jmp.&MFC42.#537> ; string object at [ebp-10] built from the code
0044FD1A|.C745 FC 0000000>mov dword ptr [ebp-4], 0
0044FD21|.8D4D EC lea ecx, dword ptr [ebp-14]
0044FD24|.E8 870E4300 call<jmp.&MFC42.#540> ; second string object at [ebp-14] (presumably default-constructed -- confirm)
0044FD29|.C645 FC 01mov byte ptr [ebp-4], 1
0044FD2D|.51pushecx ; reserves one stack slot; the by-value argument is built in it
0044FD2E|.8BCCmov ecx, esp
0044FD30|.8965 E8 mov dword ptr [ebp-18], esp
0044FD33|.8D55 F0 lea edx, dword ptr [ebp-10]
0044FD36|.52pushedx
0044FD37|.E8 EC0E4300 call<jmp.&MFC42.#535> ; fills that slot from [ebp-10] (presumably the copy constructor -- confirm)
0044FD3C|.8945 D8 mov dword ptr [ebp-28], eax
0044FD3F|.8D45 E4 lea eax, dword ptr [ebp-1C]
0044FD42|.50pusheax ; address of the slot that receives the returned string
0044FD43|.E8 C40B0000 call0045090C ;transforms the code entered by the user
0044FD48|.83C4 08 add esp, 8
0044FD4B|.8945 D4 mov dword ptr [ebp-2C], eax
0044FD4E|.8B4D D4 mov ecx, dword ptr [ebp-2C]
0044FD51|.894D D0 mov dword ptr [ebp-30], ecx
0044FD54|.C645 FC 02mov byte ptr [ebp-4], 2
0044FD58|.8B55 D0 mov edx, dword ptr [ebp-30]
0044FD5B|.52pushedx
0044FD5C|.8D4D EC lea ecx, dword ptr [ebp-14]
0044FD5F|.E8 D00E4300 call<jmp.&MFC42.#858> ; stores the returned string into [ebp-14] (presumably assignment -- confirm)
0044FD64|.C645 FC 01mov byte ptr [ebp-4], 1
0044FD68|.8D4D E4 lea ecx, dword ptr [ebp-1C]
0044FD6B|.E8 280E4300 call<jmp.&MFC42.#800> ; releases the temporary at [ebp-1C] (presumably the destructor -- confirm)
0044FD70|.68 4CA2AB00 push00ABA24C ;constant string used for the comparison: "&d#2*P"
0044FD75|.8D45 EC lea eax, dword ptr [ebp-14]
0044FD78|.50pusheax
0044FD79|.E8 2265FCFF call004162A0 ;key comparison: is the transformed code, as a string, equal to "&d#2*P"?
0044FD7E|.25 FF000000 and eax, 0FF ; only the low byte of the result is used
0044FD83|.85C0testeax, eax
0044FD85|.74 24 jeshort 0044FDAB ;taken -> validation fails
0044FD87|.C645 E0 01mov byte ptr [ebp-20], 1 ; match: byte at [ebp-20] set to 1


; Transformation routine called from 0044FD43. Excerpt only: the listing stops
; before the epilogue.
; [ebp+8]  = address of the caller's slot that receives the result string.
; [ebp+C]  = string object passed by value (the code entered by the user).
; [ebp-10] = local string that accumulates the result.
; [ebp-14] = loop index: 0, 2, 4, ... while below 0x0C (six iterations).
; [ebp-1C] = dword flag, bit 0 set once the result has been copied out.
; Steps: 0041D8F7 transforms [ebp+C] using the constant string at 00ABA314;
; the loop then appends one value per iteration (from 0041EC70) to [ebp-10],
; which is finally copied into the slot at [ebp+8].
0045090C/$55pushebp
0045090D|.8BECmov ebp, esp
0045090F|.6A FF push-1
00450911|.68 47D59500 push0095D547 ;SEH handler installation
00450916|.64:A1 00000000mov eax, dword ptr fs:[0]
0045091C|.50pusheax
0045091D|.64:8925 0000000>mov dword ptr fs:[0], esp
00450924|.83EC 14 sub esp, 14
00450927|.C745 E4 0000000>mov dword ptr [ebp-1C], 0
0045092E|.C745 FC 0100000>mov dword ptr [ebp-4], 1
00450935|.8D4D F0 lea ecx, dword ptr [ebp-10]
00450938|.E8 73024300 call<jmp.&MFC42.#540> ; result accumulator at [ebp-10] (presumably default-constructed -- confirm)
0045093D|.C645 FC 02mov byte ptr [ebp-4], 2
00450941|.6A 00 push0
00450943|.68 10A3AB00 push00ABA310
00450948|.8D4D 0C lea ecx, dword ptr [ebp+C]
0045094B|.E8 EC034300 call<jmp.&MFC42.#6877> ; applied to the input string with (00ABA310, 0); purpose not visible in this listing
00450950|.51pushecx ; reserves one stack slot; a by-value string argument is built in it
00450951|.8BCCmov ecx, esp
00450953|.8965 E8 mov dword ptr [ebp-18], esp
00450956|.68 14A3AB00 push00ABA314 ;ASCII "*2%^W#g@"
0045095B|.E8 E6054300 call<jmp.&MFC42.#537> ; fills that slot from the constant string above
00450960|.8945 E0 mov dword ptr [ebp-20], eax
00450963|.8D45 0C lea eax, dword ptr [ebp+C]
00450966|.50pusheax;the code; author's invalid test code 98765432101234567890123456
00450967|.E8 8BCFFCFF call0041D8F7 ;transformation call; result for the test code is ASCII "b05281811c1ae5211d96c6a7"
0045096C|.83C4 08 add esp, 8
0045096F|.C745 EC 0000000>mov dword ptr [ebp-14], 0 ; loop index = 0
00450976|.EB 09 jmp short 00450981
00450978|>8B4D EC /mov ecx, dword ptr [ebp-14] ;from the transformation result, take two characters and skip the next two
0045097B|.83C1 02 |add ecx, 2
0045097E|.894D EC |mov dword ptr [ebp-14], ecx
00450981|>837D EC 0C cmp dword ptr [ebp-14], 0C
00450985|.7D 17 |jge short 0045099E ; index >= 0x0C -> loop done
00450987|.8B55 EC |mov edx, dword ptr [ebp-14]
0045098A|.52|pushedx
0045098B|.8D4D 0C |lea ecx, dword ptr [ebp+C]
0045098E|.E8 DDE2FCFF |call0041EC70 ; called on the string at [ebp+C] with the current index; body not shown
00450993|.50|pusheax
00450994|.8D4D F0 |lea ecx, dword ptr [ebp-10]
00450997|.E8 E8064300 |call<jmp.&MFC42.#940> ; appends the returned value to [ebp-10] (presumably operator+=(char) -- confirm)
0045099C|.^ EB DA \jmp short 00450978
0045099E|>8D45 F0 lea eax, dword ptr [ebp-10];result of the loop above for the test code: B0 81 1C E5 1D C6
004509A1|.50pusheax
004509A2|.8B4D 08 mov ecx, dword ptr [ebp+8]
004509A5|.E8 7E024300 call<jmp.&MFC42.#535> ; copies [ebp-10] into the caller's result slot
004509AA|.8B4D E4 mov ecx, dword ptr [ebp-1C]
004509AD|.83C9 01 orecx, 1
004509B0|.894D E4 mov dword ptr [ebp-1C], ecx ; flag bit 0: result has been copied out
004509B3|.C645 FC 01mov byte ptr [ebp-4], 1
004509B7|.8D4D F0 lea ecx, dword ptr [ebp-10]
004509BA|.E8 D9014300 call<jmp.&MFC42.#800> ; releases the local accumulator
004509BF|.C645 FC 00mov byte ptr [ebp-4], 0
004509C3|.8D4D 0C lea ecx, dword ptr [ebp+C]
004509C6|.E8 CD014300 call<jmp.&MFC42.#800> ; releases the by-value argument
004509CB|.8B45 08 mov eax, dword ptr [ebp+8] ; eax = address of the result slot


------------------------------------------------------------------------
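【破解总结】本软件使用固定注册码,与用户EMAIL无关(上面 0044F86A 的片段中,EMAIL 参数 [ebp+8] 从未被读取)。也就是说,注册码没有和具体用户绑定,校验也完全在本地完成;对开发者而言,更稳妥的做法是让授权数据与用户标识绑定并带签名,而不是与写死在程序里的常量比较。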

程序把输入的注册码经过一次算法变换后,与一个固定的字符串比较,爆破起来简单。既然是固定注册码,分析这个变换算法太麻烦,说不定还是不可逆算法,得不偿失。

验证部分的逻辑,用 VB 风格的伪代码表示如下:
tt=固定算法(输入注册码)
For i = 1 To Len(tt) Step 4
a = Mid(tt, i, 2)
b = Val("&h" & a)
c = Chr(b)
TT2 = TT2 & c
Next i

如果TT2 和 “&d#2*P”相等,那么就注册成功了
------------------------------------------------------------------------
【版权声明】来自于BBS.THULU.COM 转载请注明作者并保持文章的完整, 谢谢!
 
